open-policy-agent / gatekeeper-library

📚 The OPA Gatekeeper policy library
https://open-policy-agent.github.io/gatekeeper-library
Apache License 2.0

feat: Update apparmor: add CEL, support securityContext #533

Open maxsmythe opened 1 month ago

maxsmythe commented 1 month ago

For context... here is how the applicable apparmor profile is derived:

https://github.com/kubernetes/kubernetes/blob/master/pkg/security/apparmor/helpers.go#L55-L76

maxsmythe commented 1 month ago

Looks like there may be a bug in the Rego side... I'll take a look in a bit

maxsmythe commented 1 month ago

Rego fixed ... pod-level security context retrieval did not take into account that it was a child of spec
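
The precedence the linked helpers.go implements (container-level securityContext, then pod-level securityContext under spec, then the legacy per-container annotation) and the pod-level lookup fixed in the comment above, shown as an added Rego example. This is not the gatekeeper-library template or any code from this PR; the package name, the `input.parameters.allowedProfiles` shape and the `violation` message are assumptions chosen for illustration.

```rego
# Added example (not the gatekeeper-library template): derive the effective
# AppArmor profile for every container of a Pod the way kubernetes'
# pkg/security/apparmor helpers do, then check it against an allow-list.
# The pod-level securityContext is a child of spec, so it is read from
# input.review.object.spec.securityContext, never from the object root.
package example.apparmor

# All container kinds in the Pod spec get a profile.
input_containers[c] {
    c := input.review.object.spec.containers[_]
}
input_containers[c] {
    c := input.review.object.spec.initContainers[_]
}
input_containers[c] {
    c := input.review.object.spec.ephemeralContainers[_]
}

# Precedence 1: container-level securityContext.appArmorProfile (k8s 1.30+ field).
effective_profile(container) = profile {
    profile := profile_string(container.securityContext.appArmorProfile)
}

# Precedence 2: pod-level securityContext.appArmorProfile, located under spec.
effective_profile(container) = profile {
    not container.securityContext.appArmorProfile
    profile := profile_string(input.review.object.spec.securityContext.appArmorProfile)
}

# Precedence 3: legacy per-container annotation, which already holds the
# string form ("runtime/default", "localhost/<name>", "unconfined").
effective_profile(container) = profile {
    not container.securityContext.appArmorProfile
    not input.review.object.spec.securityContext.appArmorProfile
    key := sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name])
    profile := input.review.object.metadata.annotations[key]
}

# Map the structured field to the same string form the annotation uses.
profile_string(p) = "runtime/default" { p.type == "RuntimeDefault" }
profile_string(p) = "unconfined" { p.type == "Unconfined" }
profile_string(p) = s {
    p.type == "Localhost"
    s := sprintf("localhost/%v", [p.localhostProfile])
}

# Assumed constraint parameter: allowedProfiles is a list of profile strings, "*" allows any.
allowed(profile) {
    input.parameters.allowedProfiles[_] == profile
}
allowed(profile) {
    input.parameters.allowedProfiles[_] == "*"
}

violation[{"msg": msg}] {
    container := input_containers[_]
    profile := effective_profile(container)
    not allowed(profile)
    msg := sprintf("AppArmor profile %v is not allowed for container %v; allowed profiles: %v",
        [profile, container.name, input.parameters.allowedProfiles])
}
```

A container with no profile set at any of the three levels yields no value for `effective_profile`, so it produces no violation here; a real policy has to decide explicitly whether "no profile" is acceptable. The `appArmorProfile` field itself only exists on clusters running Kubernetes 1.30 or newer, which is why the annotation path still matters when testing against older kind node images.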

JaydipGabani commented 1 month ago

@maxsmythe do we want to update the policy version to 1.1.0 since we are updating rego and adding cel as well?

maxsmythe commented 1 month ago

@JaydipGabani SGTM. Is there anything special we need to do for that? Or just update the annotation?

JaydipGabani commented 1 month ago

> @JaydipGabani SGTM. Is there anything special we need to do for that? Or just update the annotation?

@maxsmythe Updating annotations and running make generate-all should work. It will generate files for artifact-hub as well.

maxsmythe commented 1 month ago

bumped minor version

JaydipGabani commented 1 month ago

Fixes #541

maxsmythe commented 1 month ago

I'm guessing the k8s tests are failing because securityContext.appArmorProfile only exists as of k8s 1.30?

JaydipGabani commented 1 month ago

@maxsmythe we are running tests with kind: 0.17.0 and that seems to have k8s 1.25.3. So I agree, I think that would be the reason as well.