Comments (4)
You only need to specify the control names:
podSecurity:
- controlName: "Volume Types"
- controlName: "HostPath Volumes"
- controlName: "Running as Non-root"
- controlName: "Running as Non-root user"

Here is the Policy Report result of your Pod (I used the default Namespace) after creating the PolicyException:

apiVersion: wgpolicyk8s.io/v1alpha2
kind: PolicyReport
metadata:
  creationTimestamp: "2024-05-17T19:19:21Z"
  generation: 3
  labels:
    app.kubernetes.io/managed-by: kyverno
  name: 5a3afc40-f471-4bb2-b1b1-187ce31ce056
  namespace: default
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    name: promtail-djwbc
    uid: 5a3afc40-f471-4bb2-b1b1-187ce31ce056
  resourceVersion: "921422"
  uid: 6b2c1d8a-233b-4933-945f-d0a255b85bdd
results:
- message: rule skipped due to policy exception kyverno/promtail-exceptions
  policy: pod-security-standards
  properties:
    exception: promtail-exceptions
  result: skip
  rule: restricted
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1715973915
scope:
  apiVersion: v1
  kind: Pod
  name: promtail-djwbc
  namespace: default
  uid: 5a3afc40-f471-4bb2-b1b1-187ce31ce056
summary:
  error: 0
  fail: 0
  pass: 0
  skip: 1
  warn: 0
In the HostPath Volumes control in the baseline profile, there is no provision for specifying acceptable values (i.e., a "whitelist"). The control is absolute. Therefore, no amount of values you specify will be evaluated, so you have to exclude the entire control. As for other controls, there's no sense in customizing those values because they're boolean.
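An added example (not from this thread, and not Kyverno's own code) that turns the point above into two operator checks: it lints a PolicyException's podSecurity entries for restrictedField/values on the controls the thread calls absolute and for duplicated controlName entries, and it walks PolicyReport objects to list which resources a given exception caused Kyverno to skip, so the blast radius of each exception can be reviewed. Assumed: the objects are supplied already parsed (YAML/JSON as dicts), and the set of absolute controls is taken from the discussion rather than from Kyverno's source.

```python
from collections import Counter
# Controls the thread above calls absolute (boolean): Kyverno evaluates no
# restrictedField/values for them, only controlName matters. Assumption: this
# set comes from the discussion, not from Kyverno's source.
ABSOLUTE_CONTROLS = {"HostPath Volumes", "Running as Non-root", "Running as Non-root user"}

def lint_pod_security(policy_exception: dict) -> list:
    """Flag podSecurity entries whose restrictedField/values cannot narrow anything."""
    entries = policy_exception.get("spec", {}).get("podSecurity", [])
    findings = []
    for e in entries:
        name = e.get("controlName")
        if name in ABSOLUTE_CONTROLS and ("restrictedField" in e or "values" in e):
            findings.append(f"{name}: values are not evaluated, keep only controlName")
    counts = Counter(e.get("controlName") for e in entries)
    findings += [f"{n}: listed {c} times, one entry is enough" for n, c in counts.items() if c > 1]
    return findings

def exception_skips(reports: list) -> list:
    """(namespace, kind/name, policy/rule, exception) for each result skipped by an exception."""
    skipped = []
    for rep in reports:
        ns = rep.get("metadata", {}).get("namespace", "")
        for res in rep.get("results", []):
            exc = res.get("properties", {}).get("exception")
            if res.get("result") != "skip" or not exc:
                continue
            # per-resource reports name the subject in .scope; older ones list it in .resources
            for s in res.get("resources") or [rep.get("scope", {})]:
                skipped.append((ns, f"{s.get('kind')}/{s.get('name')}",
                                f"{res['policy']}/{res['rule']}", exc))
    return skipped

# Constructed samples (parsed YAML as dicts) mirroring the objects in the thread.
SAMPLE_EXCEPTION = {"apiVersion": "kyverno.io/v2", "kind": "PolicyException",
    "metadata": {"name": "promtail-exceptions", "namespace": "kyverno"},
    "spec": {"exceptions": [{"policyName": "pod-security-standards", "ruleNames": ["restricted"]}],
             "podSecurity": [
                 {"controlName": "Volume Types", "restrictedField": "spec.volumes[*]",
                  "values": ["spec.volumes[*].hostPath"]},
                 {"controlName": "HostPath Volumes", "restrictedField": "spec.volumes[*].hostPath",
                  "values": ["/run/promtail", "/var/log/pods"]},
                 {"controlName": "Running as Non-root", "values": ["true"]},
                 {"controlName": "Running as Non-root", "values": ["true"]}]}}
SAMPLE_REPORT = {"apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "PolicyReport",
    "metadata": {"namespace": "default"},
    "scope": {"apiVersion": "v1", "kind": "Pod", "name": "promtail-djwbc"},
    "results": [{"policy": "pod-security-standards", "rule": "restricted", "result": "skip",
                 "message": "rule skipped due to policy exception kyverno/promtail-exceptions",
                 "properties": {"exception": "promtail-exceptions"}}]}
```

Feed `lint_pod_security` the output of `kubectl get polex -A -o json` and `exception_skips` the PolicyReports from `kubectl get polr -A -o json` to run the same checks against a live cluster.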
I've also attempted to use the following variations of the PolicyException objects:
Policy Exception variation 2

---
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: promtail-exceptions
  namespace: kyverno
spec:
  exceptions:
  - policyName: pod-security-standards
    ruleNames:
    - restricted
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - promtail
  podSecurity:
  - controlName: "Volume Types"
    restrictedField: spec.volumes[*]
    values:
    - "spec.volumes[*].hostPath"
  - controlName: "HostPath Volumes"
    restrictedField: spec.volumes[*].hostPath
    values:
    - "/run/promtail"
    - "/var/log/pods"
    - "/var/lib/docker/containers"
  - controlName: "Running as Non-root"
    restrictedField: spec.securityContext.runAsNonRoot
    values:
    - "true"
  - controlName: "Running as Non-root"
    restrictedField: spec.containers[*].securityContext.runAsNonRoot
    values:
    - "true"
  - controlName: "Running as Non-root user"
    restrictedField: spec.securityContext.runAsUser
    values:
    - "0"

Policy Exception variation 3

---
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: promtail-exceptions
  namespace: promtail
spec:
  exceptions:
  - policyName: pod-security-standards
    ruleNames:
    - restricted
  match:
    any:
    - resources:
        kinds:
        - Pod
  podSecurity:
  - controlName: "Volume Types"
    restrictedField: spec.volumes[*]
    values:
    - "spec.volumes[*].hostPath"
  - controlName: "HostPath Volumes"
    restrictedField: spec.volumes[*].hostPath
    values:
    - "/run/promtail"
    - "/var/log/pods"
    - "/var/lib/docker/containers"
  - controlName: "Running as Non-root"
    restrictedField: spec.securityContext.runAsNonRoot
    values:
    - "true"
  - controlName: "Running as Non-root"
    restrictedField: spec.containers[*].securityContext.runAsNonRoot
    values:
    - "true"
  - controlName: "Running as Non-root user"
    restrictedField: spec.securityContext.runAsUser
    values:
    - "0"
@chipzoller - Thank you for your response. I guess I am a bit confused. When I was following the linkerd, the example encourages using more filtering (which I agree with). Here is the example for linkerd:

validate:
  podSecurity:
    level: baseline
    version: latest
    exclude:
    - controlName: Capabilities
      images:
      - "*/istio/proxyv2*"
      - "*/linkerd/proxy-init*"
      restrictedField: spec.initContainers[*].securityContext.capabilities.add
      values:
      - NET_ADMIN
      - NET_RAW

I understand that rules do not require further filtering. But I am now curious as to why the filters I've added in PolicyException did not work.