kubewarden / user-group-psp-policy

This Kubewarden Policy is a replacement for the Kubernetes Pod Security Policy that controls containers user and groups
https://kubewarden.io
Apache License 2.0

supplementalGroups #12

Closed chrisns closed 2 years ago

chrisns commented 2 years ago

Is there an existing issue for this?

Current Behavior

apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: supplementalgroups
spec:
  policyServer: default
  module: registry://ghcr.io/kubewarden/policies/user-group-psp:v0.1.5
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: false
  settings:
    supplemental_groups: 
      rule: "MustRunAs"
      ranges:
        - min: 100
          max: 200

does not block

apiVersion: v1
kind: Pod
metadata:
  name: nginx-supplementalgroups-disallowed
  labels:
    app: nginx-users
spec:
  securityContext:
    supplementalGroups:
      - 250
  containers:
    - name: nginx
      image: nginx

Expected Behavior

pod should be rejected

Steps To Reproduce

No response

Environment

- OS:
- Architecture:

Anything else?

No response

viccuad commented 2 years ago

Hi! Thanks for reporting this! It seems that the policy definition is just missing:

settings:
  run_as_user:
    rule: "RunAsAny"
  run_as_group:
    rule: "RunAsAny"

With that, the pod gets rejected as expected.

From the definition of the PSP, there doesn't seem to be a default value for their RunAsUser and RunAsGroup, so I suppose their intent is to be explicit, and we are just copying that intent in this policy.

viccuad commented 2 years ago

Also, just realized that there are no defaults because they would take effect if ClusterAdmissionPolicy.mutating is true.

Added a line in README.md with the info.

chrisns commented 2 years ago

run_as_group shouldn't be required then. It's not a mandatory field of a PSP; this is a valid PSP:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: policy
spec:
  privileged: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 100
        max: 200
  volumes:
    - '*'

so I should be able to have:

apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: supplementalgroups
spec:
  policyServer: default
  module: registry://ghcr.io/kubewarden/policies/user-group-psp:v0.1.5
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: false
  settings:
    supplemental_groups: 
      rule: "MustRunAs"
      ranges:
        - min: 100
          max: 200
    run_as_user:
      rule: "RunAsAny"

without the added

    run_as_group:
      rule: "RunAsAny"

viccuad commented 2 years ago

Tagged a new v0.1.6 version, with the fix that would support the settings without

    run_as_group:
      rule: "RunAsAny"

chrisns commented 2 years ago

Confirmed this fixes it, thanks!
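As an added illustration of the check discussed in this thread (not the policy's own Rust code), here is a Python model of the supplementalGroups evaluation using the settings and pod from the issue, with rules missing from `settings` treated as RunAsAny as the v0.1.6 fix allows. The `validate_settings` / `check_supplemental_groups` helpers and the rejection of a pod that sets no groups under MustRunAs (no mutation, so no default can be injected) are assumptions of this example.

```python
"""Model of the user-group-psp supplementalGroups check (added example, not the
policy's own code). Rules absent from settings default to RunAsAny, mirroring
the v0.1.6 behaviour; MustRunAs with mutating disabled rejects pods that set no
groups at all (assumption, since no default can be injected without mutation)."""

# Settings from the issue with run_as_group omitted (constructed sample).
SETTINGS = {
    "supplemental_groups": {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]},
    "run_as_user": {"rule": "RunAsAny"},
}

# Pods (constructed): 250 is outside 100-200, 150/200 are inside, one sets nothing.
POD_DISALLOWED = {"spec": {"securityContext": {"supplementalGroups": [250]}}}
POD_ALLOWED = {"spec": {"securityContext": {"supplementalGroups": [150, 200]}}}
POD_UNSET = {"spec": {}}

GROUP_RULES = ("run_as_group", "supplemental_groups", "fs_group")
ALLOWED_RULES = ("RunAsAny", "MustRunAs", "MayRunAs")

def validate_settings(settings):
    """Fill missing group rules with RunAsAny; reject unknown rules and
    MustRunAs/MayRunAs without ranges. run_as_user is passed through untouched."""
    normalized = {"run_as_user": settings.get("run_as_user", {"rule": "RunAsAny"})}
    for key in GROUP_RULES:
        rule = settings.get(key, {"rule": "RunAsAny"})
        if rule.get("rule") not in ALLOWED_RULES:
            raise ValueError(f"{key}: unknown rule {rule.get('rule')!r}")
        if rule["rule"] != "RunAsAny" and not rule.get("ranges"):
            raise ValueError(f"{key}: {rule['rule']} requires at least one range")
        normalized[key] = rule
    return normalized

def in_ranges(value, ranges):
    """True if value falls inside any of the inclusive min..max ranges."""
    return any(r["min"] <= value <= r["max"] for r in ranges)

def check_supplemental_groups(settings, pod):
    """Return (accepted, reason) for pod.spec.securityContext.supplementalGroups."""
    rule = validate_settings(settings)["supplemental_groups"]
    groups = pod.get("spec", {}).get("securityContext", {}).get("supplementalGroups")
    if rule["rule"] == "RunAsAny":
        return True, "RunAsAny accepts any supplementalGroups"
    if not groups:
        if rule["rule"] == "MayRunAs":
            return True, "no supplementalGroups set; MayRunAs allows that"
        return False, "MustRunAs requires supplementalGroups but none are set"
    bad = [g for g in groups if not in_ranges(g, rule["ranges"])]
    if bad:
        return False, f"supplementalGroups {bad} outside allowed ranges"
    return True, "all supplementalGroups within allowed ranges"
```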