chore: rework examples section in the README file. #80

Merged
merged 3 commits into from
Jan 19, 2024
163 changes: 154 additions & 9 deletions README.md
Expand Up @@ -40,9 +40,70 @@ configure a policy in the [Kubewarden documentation](https://docs.kubewarden.io/

# Examples

The following Pod specification doesn't have any security context defined:
Let's define the policy and see how the validation works:

```yaml
```console
kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
annotations:
io.kubewarden.policy.category: PSP
io.kubewarden.policy.severity: medium
name: pod-privileged-policy
spec:
module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.3.1
settings: {}
rules:
- apiGroups:
- ''
apiVersions:
- v1
resources:
- pods
operations:
- CREATE
- apiGroups:
- ''
apiVersions:
- v1
resources:
- replicationcontrollers
operations:
- CREATE
- UPDATE
- apiGroups:
- apps
apiVersions:
- v1
resources:
- deployments
- replicasets
- statefulsets
- daemonsets
operations:
- CREATE
- UPDATE
- apiGroups:
- batch
apiVersions:
- v1
resources:
- jobs
- cronjobs
operations:
- CREATE
- UPDATE
mutating: false
EOF
```

After the policy is running and active, we apply the following Pod specification which doesn't
have any security context defined. Therefore, it should be accepted by the policy
and it can be scheduled by the users of the cluster:

```console
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
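Review bot: the prose in this hunk says the Pod is applied "after the policy is running and active", but nothing in the hunk shows how to confirm that; consider adding a `kubectl get clusteradmissionpolicies pod-privileged-policy` line (the same resource name the later `kubectl patch` uses) so readers can check the status before applying the Pod, since the expected results depend on the admission webhook already being registered. Also, the `rules` block lists `pods` with only the `CREATE` operation while every other resource has `CREATE` and `UPDATE`; that is justified because a container's `securityContext` cannot be changed on an existing Pod, but a short sentence saying so would save readers from wondering whether it is an omission.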
Expand All @@ -51,29 +112,113 @@ spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent
```
EOF

This workload can be scheduled by all the users of the cluster.
pod/nginx created
```

This Pod specification has one of its containers running in
However, the next Pod specification has one of its containers running in
privileged mode and it will be rejected by the policy:

```yaml
```console
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
runtimeClassName: containerd-runc
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
- name: sleeping-sidecar
image: alpine
command: ["sleep", "1h"]
EOF

Error from server: error when creating "STDIN": admission webhook "clusterwide-pod-privileged-policy.kubewarden.admission" denied the request: Privileged container is not allowed
```

The next pod does not have a privileged container. But there is a init
container requesting privileged access. Therefore, this will be rejected by the
policy as well:


```console
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
initContainers:
- name: nginx-init
image: nginx
securityContext:
privileged: true
- name: sleeping-sidecar-init
image: alpine
command: ["sleep", "1h"]
containers:
- name: sleeping-sidecar
image: alpine
command: ["sleep", "1h"]
EOF

Error from server: error when creating "STDIN": admission webhook "clusterwide-pod-privileged-policy.kubewarden.admission" denied the request: Privileged init container is not allowed
```

However, if this privileged init container is expected and it must be run with
privileged access, you can instruct the policy to ignore init containers:

```console
kubectl patch clusteradmissionpolicies pod-privileged-policy -p '{"spec":{"settings":{"skip_init_containers":true}}}' --type "merge"
clusteradmissionpolicy.policies.kubewarden.io/pod-privileged-policy patched
```

Now the workload with privileged init container should be accepted:

```console
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
initContainers:
- name: nginx-init
image: nginx
securityContext:
privileged: true
- name: sleeping-sidecar-init
image: alpine
command: ["sleep", "1h"]
containers:
- name: sleeping-sidecar
image: alpine
command: ["sleep", "1h"]
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
initContainers:
- name: nginx-init
image: nginx
securityContext:
privileged: true
- name: sleeping-sidecar-init
image: alpine
command: ["sleep", "1h"]
containers:
- name: sleeping-sidecar
image: alpine
command: ["sleep", "1h"]
EOF

pod/nginx created
```
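Review bot: the final example block in this hunk duplicates its manifest: after the `command: ["sleep", "1h"]` of the first `sleeping-sidecar` container, a second `kubectl apply -f - <<EOF` line and a full copy of the same Pod manifest appear before the single `EOF`, so the heredoc body is not valid YAML and the `pod/nginx created` output shown cannot come from this block as written; drop the second copy. Two smaller points: "there is a init container" should read "an init container", and the paragraph introducing `skip_init_containers` should say that the setting stops the policy from inspecting init containers in every workload it covers, not only this one Pod, so the reader understands what is being traded away when the patch is applied.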

