Closed chrisns closed 2 years ago
Hi! Thanks for reporting this! It seems that the policy definition is just missing:

```yaml
settings:
  run_as_user:
    rule: "RunAsAny"
  run_as_group:
    rule: "RunAsAny"
```

With that, the pod gets rejected as expected.
From the definition of the PSP, there doesn't seem to be a default value for their RunAsUser and RunAsGroup, so I suppose their intent is to be explicit, and we are just copying that intent in this policy.
Also, just realized that there are no defaults because they would take effect if ClusterAdmissionPolicy.mutating is true.
Added a line in README.md with the info.
run_as_group shouldn't be required then. It's not a mandatory field of a PSP; this is a valid PSP:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: policy
spec:
  privileged: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 100
        max: 200
  volumes:
    - '*'
```

so I should be able to have:

```yaml
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: supplementalgroups
spec:
  policyServer: default
  module: registry://ghcr.io/kubewarden/policies/user-group-psp:v0.1.5
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    supplemental_groups:
      rule: "MustRunAs"
      ranges:
        - min: 100
          max: 200
    run_as_user:
      rule: "RunAsAny"
```

without the added

```yaml
run_as_group:
  rule: "RunAsAny"
```
Tagged a new v0.1.6 version, with the fix that would support the settings without

```yaml
run_as_group:
  rule: "RunAsAny"
```
confirmed this fixes, thanks!
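To make the outcome of this thread concrete, here is an added illustration (not the user-group-psp policy's own code, which lives in the module referenced above): a minimal re-implementation of the PSP-style rules that the `run_as_user`, `run_as_group` and `supplemental_groups` settings mirror, where an omitted setting is read as RunAsAny. The field names, the simplified MustRunAsNonRoot handling and the sample pods are assumptions made for the example.

```python
# Added example, not the policy's code: PSP-style rule evaluation for the
# settings discussed in the thread, with a missing run_as_group read as RunAsAny.
from typing import Any, Dict, List, Optional

def _in_ranges(value: int, ranges: List[Dict[str, int]]) -> bool:
    """True if value falls inside any inclusive [min, max] range."""
    return any(r["min"] <= value <= r["max"] for r in ranges)

def _check(name: str, setting: Optional[Dict[str, Any]], values: List[int]) -> Optional[str]:
    """Apply one rule to the effective values; return a rejection reason or None."""
    # Assumption: an absent setting behaves as RunAsAny for every field, not just run_as_group.
    rule = (setting or {}).get("rule", "RunAsAny")
    ranges = (setting or {}).get("ranges", [])
    if rule == "RunAsAny":
        return None
    if rule == "MustRunAsNonRoot":  # simplified: every container must set a non-zero uid
        return None if values and all(v != 0 for v in values) else f"{name}: must run as non-root"
    if rule == "MustRunAs" and not values:
        return f"{name}: value must be set"
    if rule in ("MustRunAs", "MayRunAs"):
        bad = [v for v in values if not _in_ranges(v, ranges)]
        return f"{name}: {bad} outside allowed ranges" if bad else None
    return f"{name}: unknown rule {rule!r}"

def _effective(key: str, pod_sc: Dict[str, Any], containers: List[Dict[str, Any]]) -> List[int]:
    """Per-container value of a securityContext field, falling back to the pod level."""
    vals = [c.get("securityContext", {}).get(key, pod_sc.get(key)) for c in containers]
    return [v for v in vals if v is not None]

def validate_pod(settings: Dict[str, Any], pod: Dict[str, Any]) -> List[str]:
    """Return every reason the pod violates the settings; an empty list means accepted."""
    spec = pod.get("spec", {})
    pod_sc, containers = spec.get("securityContext", {}), spec.get("containers", [])
    reasons = [
        _check("run_as_user", settings.get("run_as_user"), _effective("runAsUser", pod_sc, containers)),
        _check("run_as_group", settings.get("run_as_group"), _effective("runAsGroup", pod_sc, containers)),
        _check("supplemental_groups", settings.get("supplemental_groups"), list(pod_sc.get("supplementalGroups", []))),
    ]
    return [r for r in reasons if r]

# Constructed samples: the settings block from the thread, with run_as_group omitted.
SETTINGS: Dict[str, Any] = {
    "supplemental_groups": {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]},
    "run_as_user": {"rule": "RunAsAny"},
}
OK_POD = {"spec": {"securityContext": {"supplementalGroups": [150]}, "containers": [{"name": "c"}]}}
ROOT_GROUP_POD = {"spec": {"securityContext": {"supplementalGroups": [0]}, "containers": [{"name": "c"}]}}
```

`validate_pod(SETTINGS, ROOT_GROUP_POD)` yields one rejection reason for the out-of-range supplemental group, while the missing `run_as_group` setting produces none.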
Is there an existing issue for this?
Current Behavior: does not block
Expected Behavior: pod should be rejected
Steps To Reproduce: No response
Environment:
Anything else? No response