kubewarden / selinux-psp-policy

Replacement for the Kubernetes Pod Security Policy that controls the usage of SELinux
https://kubewarden.io
Apache License 2.0

deserializing the level doesn't appear to work #2

Closed chrisns closed 2 years ago

chrisns commented 2 years ago
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: selinux
spec:
  policyServer: default
  module: registry://ghcr.io/kubewarden/policies/selinux-psp:v0.1.1
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: false
  settings:
    rule: MustRunAs
    user: system_u
    role: object_r
    type: svirt_sandbox_file_t
    level: s0:c123,c456

policy-server-default-65c545df7d-wbzwl policy-server-default Dec 16 13:45:33.325 ERROR policy_server::worker_pool: cannot spawn worker error="[registry://ghcr.io/kubewarden/policies/selinux-psp:v0.1.1: settings of policy registry://ghcr.io/kubewarden/policies/selinux-psp:v0.1.1 are invalid: Some(\"Error invoking settings validation callback: Error(GuestCallFailure(\\\"Guest call failed: Error decoding validation payload {\\\\\\\"level\\\\\\\":\\\\\\\"s0:c123,c456\\\\\\\",\\\\\\\"role\\\\\\\":\\\\\\\"object_r\\\\\\\",\\\\\\\"rule\\\\\\\":\\\\\\\"MustRunAs\\\\\\\",\\\\\\\"type\\\\\\\":\\\\\\\"svirt_sandbox_file_t\\\\\\\",\\\\\\\"user\\\\\\\":\\\\\\\"system_u\\\\\\\"}: Error(\\\\\\\"invalid type: string \\\\\\\\\\\\\\\"s0:c123,c456\\\\\\\\\\\\\\\", expected struct SELinuxLevel\\\\\\\", line: 0, column: 0)\\\"))\")]"

I tried various permutations of:

...
  settings:
    rule: MustRunAs
    user: system_u
    role: object_r
    type: svirt_sandbox_file_t
    level: 
      level: s0
      sensitivity: c123
      categories: c456

to little success, no idea what I'm doing here really

ereslibre commented 2 years ago

I can reproduce this problem. Your first example should work fine.

ereslibre commented 2 years ago

Fixed by https://github.com/kubewarden/selinux-psp-policy/commit/536ce7d2f4790530c8e5f515d3ed9ae604880507, tagged as v0.1.2. In the process of being released to the Kubewarden Hub.

Thank you @chrisns!

ereslibre commented 2 years ago

Also, a comment regarding your first manifest. It was not completely right: this policy is mutating, so it will enforce whatever you set if you choose MustRunAs (if no security context is provided by the pod), so you need:

apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: selinux
spec:
  policyServer: default
  module: registry://ghcr.io/kubewarden/policies/selinux-psp:v0.1.1
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: true # <<< this is `true`
  settings:
    rule: MustRunAs
    user: system_u
    role: object_r
    type: svirt_sandbox_file_t
    level: s0:c123,c456
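The error above ("invalid type: string ... expected struct SELinuxLevel") is what you get when a settings field that arrives as a plain string is deserialized straight into a struct. As an added illustration, not the policy's own code nor the fix in the linked commit, here is a std-only Rust parser for the single-level form used in this thread (`s0` or `s0:c123,c456`, no ranges or low-high levels), plus the exact-match comparison a MustRunAs rule implies; the `must_run_as_level_ok` helper and the set-based comparison of categories are my assumptions about how such a check would be written.

```rust
use std::collections::BTreeSet;
use std::str::FromStr;

/// An SELinux MCS level such as "s0" or "s0:c123,c456": a sensitivity
/// followed by an optional comma-separated set of categories.
#[derive(Debug, PartialEq, Eq)]
pub struct SELinuxLevel {
    pub sensitivity: String,
    pub categories: BTreeSet<String>,
}

/// True for tokens of the form <prefix><digits>, e.g. "s0" or "c123".
fn is_token(s: &str, prefix: char) -> bool {
    s.len() >= 2 && s.starts_with(prefix) && s[1..].chars().all(|c| c.is_ascii_digit())
}

impl FromStr for SELinuxLevel {
    type Err = String;

    // Parsing from the string form is what lets a plain "level: s0:c123,c456"
    // setting become a struct instead of failing as "expected struct".
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        let (sens, cats) = match s.split_once(':') {
            Some((sens, cats)) => (sens, Some(cats)),
            None => (s, None),
        };
        if !is_token(sens, 's') {
            return Err(format!("invalid sensitivity {:?}", sens));
        }
        let mut categories = BTreeSet::new();
        for cat in cats.map(|c| c.split(',')).into_iter().flatten() {
            if !is_token(cat, 'c') {
                return Err(format!("invalid category {:?}", cat));
            }
            categories.insert(cat.to_string());
        }
        Ok(SELinuxLevel { sensitivity: sens.to_string(), categories })
    }
}

/// MustRunAs semantics for the level (hypothetical helper): the level the pod
/// asks for in securityContext.seLinuxOptions.level must equal the policy's.
/// Categories compare as a set, so "s0:c456,c123" matches "s0:c123,c456".
/// A pod that sets no level is accepted; the mutating policy injects its own.
pub fn must_run_as_level_ok(policy_level: &str, pod_level: Option<&str>) -> Result<bool, String> {
    let wanted: SELinuxLevel = policy_level.parse()?;
    match pod_level {
        None => Ok(true),
        Some(l) => Ok(l.parse::<SELinuxLevel>()? == wanted),
    }
}
```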