Closed chrisns closed 2 years ago
I can reproduce this problem. Your first example should work fine.
Fixed by https://github.com/kubewarden/selinux-psp-policy/commit/536ce7d2f4790530c8e5f515d3ed9ae604880507, tagged as v0.1.2. In the process of being released to the Kubewarden Hub.
Thank you @chrisns!
Also, a comment regarding your first manifest. It was not completely right: this policy is mutating, so it will enforce whatever you set if you choose MustRunAs (if no security context is provided by the pod), so you need:
```yaml
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: selinux
spec:
  policyServer: default
  module: registry://ghcr.io/kubewarden/policies/selinux-psp:v0.1.1
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  mutating: true # <<< this is `true`
  settings:
    rule: MustRunAs
    user: system_u
    role: object_r
    type: svirt_sandbox_file_t
    level: s0:c123,c456
```
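To see what `mutating: true` means with these settings, here is an added Python model of PSP-style MustRunAs handling (example code written for this thread, not the policy's own implementation; the "default when absent, reject when different" behaviour is assumed from the PodSecurityPolicy semantics the policy mirrors, and the settings dict is constructed from the manifest above):

```python
"""Model of a mutating SELinux MustRunAs policy applied to a Pod (added example)."""
import copy

# Constructed to match the `settings:` block of the manifest above.
SETTINGS = {
    "rule": "MustRunAs",
    "user": "system_u",
    "role": "object_r",
    "type": "svirt_sandbox_file_t",
    "level": "s0:c123,c456",
}

SELINUX_FIELDS = ("user", "role", "type", "level")


def expected_options(settings):
    """The seLinuxOptions the policy wants every pod to end up with."""
    return {k: settings[k] for k in SELINUX_FIELDS if k in settings}


def evaluate(pod, settings=SETTINGS):
    """Return (allowed, pod_after_admission).

    Assumed MustRunAs semantics (PSP-style):
      - pod has no seLinuxOptions  -> options are injected (this is the mutation)
      - pod has different options  -> request rejected
      - pod already has same options -> accepted unchanged
    Container-level seLinuxOptions, when present, must also match.
    """
    if settings.get("rule") != "MustRunAs":
        return True, pod
    expected = expected_options(settings)
    pod = copy.deepcopy(pod)  # never modify the caller's object
    spec = pod.setdefault("spec", {})
    pod_sc = spec.setdefault("securityContext", {})
    current = pod_sc.get("seLinuxOptions")
    if current is None:
        pod_sc["seLinuxOptions"] = dict(expected)  # mutation: fill in the defaults
    elif current != expected:
        return False, pod  # validation failure: explicit options disagree with policy
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        opts = container.get("securityContext", {}).get("seLinuxOptions")
        if opts is not None and opts != expected:
            return False, pod
    return True, pod
```

Running `evaluate` on a pod without a security context shows why the manifest must be `mutating: true`: the admission response carries the injected `seLinuxOptions`, which a non-mutating policy could not return.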
I tried various permutations of:
with little success; no idea what I'm doing here really.