Epic: port PSP policies to Kubewarden

[flavio]

This is an epic that keeps track of porting the missing PSP policies to Kubewarden.

Currently, mutating admission policies cannot be done with tinygo, yet they can be done using rust or swift.

To implement

Polices are sorted by decreasing priority:

• [x] host namespaces
• [x] sysctl
• [x] allowed host paths
• [x] user and groups
• [x] selinux
• [x] volumes
• [x] fsgroups
• [x] allowed proc mount types
• [x] flex volume
• [x] readonly root filesystem

To extend

• [x] default allow privilege escalation

[ereslibre]

This is now done. I am going to double check that we have implemented all PSP's in the different splitted policies.

[flavio]

I've compared what we have with this exhaustive list.

• [x] privileged
• [x] hostPID
• [x] hostIPC
• [x] hostNetwork
• [x] hostPorts
• [x] volumes
• [x] allowedHostPaths
• [x] allowedFlexVolumes
• [x] readOnlyRootFilesystem
• [x] runAsUser
• [x] runAsGroup
• [x] supplementalGroups
• [x] fsgroup
• [x] allowPrivilegeEscalation
• [x] defaultAllowPrivilegeEscalation
• [x] allowedCapabilities
• [x] defaultAddCapabilities
• [x] requiredDropCapabilities
• [x] seLinux
• [x] allowedProcMountTypes
• [x] apparmor
• [x] seccomp
• [x] forbiddenSysctls
• [x] allowedUnsafeSysctls

It looks like we have to implement only two policies: the readOnlyRootFilesystem and the defaultAllowPrivilegeEscalation. In some cases I think we can solve that by extending one of the already existing policies we have. I'll file dedicated issues for that

[ereslibre]

Sigh, sorry for not doing this. And thanks for having checked.

[jvanz]

@flavio don't we miss the seccomp policy as well? We have the policy to check the annotation, but should not we have the policy to verify the request's securityContext ?

[ereslibre]

Yes, we are missing seccomp.

[flavio]

@jvanz yes, please file a dedicated issue inside of the policy-hub repo, then start working on that as we discussed during the daily :+1: :pray:

[ereslibre]

This is now completed 🎉