kyverno / policies

Kyverno policies for security and best practices
Apache License 2.0

[Sample] add-capabilities policy doesn't check "ephemeralcontainers" and "initcontainers" #650

Closed marcoval123 closed 9 months ago

marcoval123 commented 1 year ago

Problem Statement

The following policy only checks and mutates if a pod contains containers: https://kyverno.io/policies/psp-migration/add-capabilities/add-capabilities/

Note that a pod could contain ephemeralContainers, initContainers and containers. For example, this policy "https://kyverno.io/policies/pod-security/baseline/disallow-capabilities/disallow-capabilities/" checks all container types.

Solution Description

We need a policy example that mutates and checks capabilities when a pod contains ephemeralContainers, initContainers or containers.

Example "Good" Resource

No response

Example "Bad" Resource

No response

Other Comments

No response

Slack discussion

No response

Troubleshooting

chipzoller commented 1 year ago

Yes, we don't modify absolutely every policy to include this, but, for example, the PSS policies do have these checks. You can easily modify this or any other policy to your liking with these similar checks.

chipzoller commented 9 months ago

This policy, and others like it which use foreach methods to mutate containers, can be modified by simply adding another loop but for initContainers:

      # Loop over initContainers; the `|| `[]`` fallback yields an empty list
      # (and therefore no iterations) when the pod has no initContainers.
      - list: request.object.spec.initContainers[] || `[]`
        preconditions:
          all:
          # Only patch elements whose drop list does not already contain SETFCAP;
          # the same fallback guards against a missing securityContext/capabilities.
          - key: SETFCAP
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
        # elementIndex is the position of the current element in the list above,
        # so the patch path targets the matching initContainer.
        patchesJson6902: |-
          - path: /spec/initContainers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETFCAP
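Putting the suggestion together, here is a complete ClusterPolicy that applies the same mutation to all three container lists. This is an added example written for this discussion, not the add-capabilities policy file from the kyverno/policies repo; the policy and rule names are chosen for the example, and the precondition tests each container's `add` list (rather than `drop`) so that SETFCAP is only appended when it is not already present.

```yaml
# Added example, not the project's own policy file. Names are illustrative.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-capabilities-all-containers
spec:
  rules:
  - name: add-setfcap-all-containers
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      foreach:
      # Regular containers (always present on a Pod, so no fallback needed).
      - list: request.object.spec.containers[]
        preconditions:
          all:
          # Skip containers that already carry SETFCAP in their add list so a
          # second admission pass does not append a duplicate entry. The
          # `|| `[]`` fallback keeps the expression valid when securityContext
          # or capabilities is unset.
          - key: SETFCAP
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.add[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/containers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETFCAP
      # Init containers: same loop, different list and patch path. The fallback
      # on the list yields zero iterations when the Pod has no initContainers.
      - list: request.object.spec.initContainers[] || `[]`
        preconditions:
          all:
          - key: SETFCAP
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.add[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/initContainers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETFCAP
      # Ephemeral containers, handled the same way.
      - list: request.object.spec.ephemeralContainers[] || `[]`
        preconditions:
          all:
          - key: SETFCAP
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.add[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETFCAP
```

Before deploying, run it offline against a Pod manifest that has an initContainer with no securityContext at all (`kyverno apply policy.yaml --resource pod.yaml`) and confirm the patched output contains the new capabilities entry for every container list. One caveat for the third loop: ephemeral containers are added through the pods/ephemeralcontainers subresource rather than by updating the Pod object, so whether a rule matching kind Pod sees that request depends on your Kyverno version's subresource matching; verify that path separately rather than assuming the loop fires.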