kubewarden / policy-server

Webhook server that evaluates WebAssembly policies to validate Kubernetes requests
https://kubewarden.io
Apache License 2.0

[SURE-7557] Kubewarden user-group-psp-policy does not work in audit mode if container image runs as user 0 #922

Closed kkaempf closed 2 days ago

kkaempf commented 1 month ago

SURE-7557

Issue description:

Customer is using the user-group-psp-policy (https://github.com/kubewarden/user-group-psp-policy) from Kubewarden to ensure containers do not run as root. An image built with root (userid 0) is not reported in the policy server logs when the policy is in monitor mode. However, the image gets denied when using protect mode without any issues. Customer requires a similar message to be available in the PolicyReport object too.

Business impact:

Customer expects the policy to also report non-compliance in audit mode, to be able to provide a report for developers on what to change before enforcing the policy.

Repro steps:

1. Install the do-not-run-as-root ClusterAdmissionPolicy in Kubewarden (latest version) in monitor mode.
2. Apply a deployment using an image with a root user (e.g. registry.suse.com/suse/sle15:latest) without any securityContext.
3. You can see it is getting allowed, but no logs specific to the deployment (other than a POST request) show up in either the policy server logs or the policy reports.
4. If you deploy the same image with a securityContext (runAsUser: 0), you can see the invalid user message in the policy server logs. The PolicyReport still shows it as pass.

Workaround:

Is a workaround available and implemented? no

Actual behavior:

No audit message is available (in monitor mode) in the policy server logs or policy reports when the image (built-in root user) is deployed.

Expected behavior:

Proper audit messages should be available in policy server logs and policy reports when policy is in monitor mode
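Added example manifests for the repro above (not from the issue or the kubewarden project): the policy in monitor mode, followed by the two workload cases. The module URI and settings keys are assumed from the user-group-psp-policy documentation, and Pods stand in for the Deployment since the policy evaluates the resulting Pod.

```yaml
# Added example, not part of the issue. Module URI and settings keys are
# assumed from the user-group-psp-policy docs; version taken from the thread.
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: do-not-run-as-root
spec:
  module: registry://ghcr.io/kubewarden/policies/user-group-psp:v0.6.2  # assumed URI
  mode: monitor      # audit only: request is allowed, violation should be logged/reported
  mutating: true     # the policy may mutate securityContext in protect mode
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE", "UPDATE"]
  settings:
    run_as_user:
      rule: MustRunAsNonRoot   # the check that must flag uid 0
    run_as_group:
      rule: RunAsAny
    supplemental_groups:
      rule: RunAsAny
---
# Case 1 (the bug): no securityContext, the image's built-in user is root (uid 0).
# Expected in monitor mode: allowed, but a violation in logs and PolicyReport.
apiVersion: v1
kind: Pod
metadata:
  name: sle15-implicit-root
spec:
  containers:
    - name: sle15
      image: registry.suse.com/suse/sle15:latest
      command: ["sleep", "infinity"]
---
# Case 2: same image, root requested explicitly; this one is logged by the policy.
apiVersion: v1
kind: Pod
metadata:
  name: sle15-explicit-root
spec:
  containers:
    - name: sle15
      image: registry.suse.com/suse/sle15:latest
      command: ["sleep", "infinity"]
      securityContext:
        runAsUser: 0
```

Apply all three with `kubectl apply -f`, then compare the policy-server logs and the PolicyReport for the two Pods; with the fixed policy version both cases should be reported as failing while still being admitted.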

viccuad commented 2 days ago

With release of user-group-psp-policy v0.6.2, the party agreed that this is resolved. Closing.