Giter Site home page Giter Site logo

kubewarden / selinux-psp-policy Goto Github PK

View Code? Open in Web Editor NEW
1.0 6.0 3.0 184 KB

Replacement for the Kubernetes Pod Security Policy that controls the usage of SELinux

Home Page: https://kubewarden.io

License: Apache License 2.0

Makefile 2.58% Rust 97.42%
kubernetes webassembly kubernetes-security kubewarden-policy hacktoberfest policy-as-code pod-security-policy

selinux-psp-policy's Introduction

Kubewarden Policy Repository Stable

Kubewarden policy psp-selinux

Description

Replacement for the Kubernetes Pod Security Policy that controls the usage of SELinux in the pod security context and on containers, init containers and ephemeral containers. This policy will inspect the .spec.securityContext.seLinuxOptions of the pod if the container has no specific .spec.securityContext.seLinuxOptions. In other words, the seLinuxOptions of the container, init container and ephemeral containers take precendence over the pod seLinuxOptions, if any.

Settings

This policy works by defining what seLinuxOptions can be set at the pod level and at the container level.

One of the following setting keys are accepted for this policy:

  • MustRunAs: contains the desired value for the seLinuxOptions parameter. If the pod does not contain a .securityContext, or a .securityContext.seLinuxOptions, then this policy acts as mutating and defaults the seLinuxOptions attribute to the one provided in the configuration. In all cases, pod containers, init container and ephemeral containers .seLinuxOptions are checked for compatibility if they override the Pod Security Context seLinuxOptions value.
  • RunAsAny: always accepts the request.

Configuration examples:

rule: RunAsAny
rule: MustRunAs
user: user
role: role
type: type
level: s0:c0,c6

selinux-psp-policy's People

Stargazers

avatar

Watchers

avatar avatar avatar avatar avatar avatar

Forkers

jvanz khaledemaradev fabriziosestito

selinux-psp-policy's Issues

deserializing the level doesn't appear to work 

apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: selinux
spec:
  policyServer: default
  module: registry://ghcr.io/kubewarden/policies/selinux-psp:v0.1.1
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: false
  settings:
    rule: MustRunAs
    user: system_u
    role: object_r
    type: svirt_sandbox_file_t
    level: s0:c123,c456
policy-server-default-65c545df7d-wbzwl policy-server-default Dec 16 13:45:33.325 ERROR policy_server::worker_pool: cannot spawn worker error="[registry://ghcr.io/kubewarden/policies/selinux-psp:v0.1.1: settings of policy registry://ghcr.io/kubewarden/policies/selinux-psp:v0.1.1 are invalid: Some(\"Error invoking settings validation callback: Error(GuestCallFailure(\\\"Guest call failed: Error decoding validation payload {\\\\\\\"level\\\\\\\":\\\\\\\"s0:c123,c456\\\\\\\",\\\\\\\"role\\\\\\\":\\\\\\\"object_r\\\\\\\",\\\\\\\"rule\\\\\\\":\\\\\\\"MustRunAs\\\\\\\",\\\\\\\"type\\\\\\\":\\\\\\\"svirt_sandbox_file_t\\\\\\\",\\\\\\\"user\\\\\\\":\\\\\\\"system_u\\\\\\\"}: Error(\\\\\\\"invalid type: string \\\\\\\\\\\\\\\"s0:c123,c456\\\\\\\\\\\\\\\", expected struct SELinuxLevel\\\\\\\", line: 0, column: 0)\\\"))\")]"

I tried various permutations of:

...
  settings:
    rule: MustRunAs
    user: system_u
    role: object_r
    type: svirt_sandbox_file_t
    level: 
      level: s0
      sensitivity: c123
      categories: c456

to little success, no idea what I'm doing here really

Feature Request: missing question.yml

Is your feature request related to a problem?

The policy has settings and in order to be able to properly show it in the UI we need the question.yml file.

Solution you'd like

Add the question.yml used by the UI.

Alternatives you've considered

No response

Anything else?

Related to rancher/kubewarden-ui#207

only reads seLinuxOptions at the pod level

this doesn't work

apiVersion: v1
kind: Pod
metadata:
    name: nginx-selinux-allowed
    labels:
        app: nginx-selinux
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      seLinuxOptions:
        level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u

this does

apiVersion: v1
kind: Pod
metadata:
    name: nginx-selinux-allowed
    labels:
        app: nginx-selinux
spec:
  containers:
  - name: nginx
    image: nginx
  securityContext:
    seLinuxOptions:
      level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u

selinux policy doesn't allow a valid pod

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: selinux
spec:
  policyServer: default
  module: registry://ghcr.io/kubewarden/policies/selinux-psp:v0.1.5
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: false
  settings:
    rule: MustRunAs
    user: system_u
    role: object_r
    type: svirt_sandbox_file_t
    level: s0:c123,c456

rejects what should be allowed with:
Error from server: error when creating "tests/seLinux/allowed.yaml": admission webhook "selinux.kubewarden.admission" denied the request: Request rejected by policy selinux. The policy attempted to mutate the request, but it is currently configured to not allow mutations.

apiVersion: v1
kind: Pod
metadata:
    name: nginx-selinux-allowed
    labels:
        app: nginx-selinux
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      seLinuxOptions:
        level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u

Expected Behavior

No response

Steps To Reproduce

No response

Environment

- OS:
- Architecture:

Anything else?

No response

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

cargo
Cargo.toml
  • anyhow 1.0
  • k8s-openapi 0.22.0
  • kubewarden-policy-sdk 0.11.0
  • serde 1.0
  • serde_json 1.0
  • slog 2.7
github-actions
.github/workflows/release.yml
  • kubewarden/github-actions v3.3.0
  • kubewarden/github-actions v3.3.0
.github/workflows/test.yml
  • kubewarden/github-actions v3.3.0
  • Check this box to trigger a request for Renovate to run again on this repository

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.