appvia / psp-migration

Recreation of common Pod Security Policy configuration in other common Kubernetes policy engines

Home Page: https://appvia.github.io/psp-migration

License: MIT License

Shell 5.82% TypeScript 72.78% HTML 17.56% SCSS 1.36% JavaScript 2.47%
podsecuritypolicies podsecuritypolicy kyverno opa kubernetes yaml security gatekeeper kubewarden policy-as-code

psp-migration's Introduction

Kubernetes Pod Security Policy Migration

PodSecurityPolicy is dead, long live ???


🚨 🚧 UNDER ACTIVE DEVELOPMENT (pull requests welcome) 🚧 🚨

This project recreates common Pod Security Policy configuration in other common Kubernetes policy engines, to help users understand how to migrate before PodSecurityPolicy is removed in Kubernetes 1.25.

Installation

Download the right binary for your OS and Arch from the latest release

Or you can try it now in your browser!

Usage

The app reads a PodSecurityPolicy on stdin and writes the equivalent policy for your policy engine of choice on stdout; you select the engine with --engine=<engine> (short form -e <engine>):

$ cat psp.yaml | ./psp-migration --engine=gatekeeper > output.yaml
# or if you're feeling brave you can pipe it back and forth to the kubernetes api
$ kubectl get -o yaml mypodsecuritypolicy | ./psp-migration -e kubewarden | kubectl apply -f -

Known limitations

  • Generated policy will probably be pretty verbose
  • Generated policy will probably have some unintended side effects; please create an issue when this happens
  • Only takes one PodSecurityPolicy at a time
  • Generated policy may conflict with other policies

Features

โš ๏ธ This table is manually updated, see the automated test suites results โš ๏ธ

Note: โŒ Doesn't mean it doesn't work, it just means the test is currently failing, in most cases the test needs to be updated

| PSP field | Pod Security Policy | Pod Security Standard (baseline) | Gatekeeper | Kyverno | Kubewarden | k-rail |
|---|---|---|---|---|---|---|
| privileged | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| hostPID | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| hostIPC | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
| hostNetwork | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| hostPorts | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| volumes | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
| allowedHostPaths | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| allowedFlexVolumes | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| readOnlyRootFilesystem | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| runAsUser | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| runAsGroup | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| supplementalGroups | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| fsgroup | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| allowPrivilegeEscalation | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| defaultAllowPrivilegeEscalation | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| allowedCapabilities | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| defaultAddCapabilities | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| requiredDropCapabilities | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| seLinux | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| allowedProcMountTypes | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| apparmor | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| seccomp | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
| forbiddenSysctls | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| allowedUnsafeSysctls | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |


psp-migration's Issues

[Bug]: Volumes aren't converted properly

What happened?

While converting a PSP with any spec.volumes in it, the generated Kyverno policy doesn't use the given volumes list, but a hard-coded one from kyverno.ts#111, so the output is:

conditions:
  all:
    - key: "{{ request.object.spec.volumes[].keys(@)[] }}"
      operator: AnyNotIn
      value:
        - name
        - projected
        - emptyDir

Regardless of the input object.

My wild guess is that the hard-coded list should be replaced with something like what is done in the capabilities section at kyverno.ts#190.

How to reproduce:

$ echo "foobarYouCanTypeAnything" | ./psp-migration-linux-x64 -e kyverno
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psp-volumes-27205
spec:
  rules:
    - preconditions:
        all:
          - key: "{{ request.object.spec.volumes[].keys(@)[] | length(@) }}"
            operator: GreaterThan
            value: 0
      validate:
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.volumes[].keys(@)[] }}"
                operator: AnyNotIn
                value:
                  - name
                  - projected
                  - emptyDir
        message: Rejected by psp-volumes-0 rule
      match:
        resources:
          kinds:
            - Pod
      name: psp-volumes-0
  validationFailureAction: enforce

What policy engine were you generating policy for

Kyverno

Relevant log output

No response

[Bug]: conversion not working for kyverno

What happened?

The PSP is:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim

What policy engine were you generating policy for

No response

Relevant log output

cat vault-injector.yaml | ~/psp-migration-linux-x64 -e kyverno
/snapshot/psp-migration/dist/kyverno.js:234
        let securityContext = { securityContext: { runAsUser: `>=${PSP.spec.runAsUser.ranges[0].min} & <=${PSP.spec.runAsUser.ranges[0].max}` } };
                                                                                            ^

TypeError: Cannot read properties of undefined (reading '0')
    at transform_kyverno (/snapshot/psp-migration/dist/kyverno.js:234:93)
    at transform (/snapshot/psp-migration/dist/index.js:41:48)
    at Object.<anonymous> (/snapshot/psp-migration/dist/run.js:45:43)
    at Module._compile (pkg/prelude/bootstrap.js:1930:22)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Function.runMain (pkg/prelude/bootstrap.js:1983:12)
    at node:internal/main/run_main_module:17:47
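The two Kyverno issues above (the hard-coded volume list, and the TypeError on runAsUser.ranges[0]) both come down to generating rules from the PSP's own fields while handling the cases where a field is absent. The following is an added example, not code from the psp-migration project: the PodSecurityPolicy type, the function names, the ">0" pattern chosen for MustRunAsNonRoot and the use of Kyverno's "&"/"|" pattern operators are assumptions made here.

```typescript
// Added example (not code from the psp-migration project): derive the Kyverno
// volumes rule and the runAsUser pattern from a PodSecurityPolicy object in a
// way that avoids the two failure modes reported in the issues above: a
// hard-coded volume allow-list, and a crash on runAsUser.ranges[0] when the
// rule (e.g. MustRunAsNonRoot) carries no ranges.

interface IdRange { min: number; max: number; }

// Only the PSP fields this example needs (assumed shape, not the full API type).
interface PodSecurityPolicy {
  spec: {
    volumes?: string[];
    runAsUser?: { rule: string; ranges?: IdRange[] };
  };
}

// Loose shape for the generated Kyverno rule; the real CRD types are not needed here.
type KyvernoRule = { [key: string]: unknown };

// Kyverno deny rule that rejects any Pod volume whose type is not in spec.volumes.
// The JMESPath "volumes[].keys(@)[]" yields every key of every volume object, and
// a volume always has a "name" key next to its type key (configMap, emptyDir, ...),
// which is why "name" is added to the allow-list.
function volumesDenyRule(psp: PodSecurityPolicy): KyvernoRule | null {
  const allowed = psp.spec.volumes ?? [];
  // No volumes list, or the '*' wildcard, means the PSP allows every type: no rule.
  if (allowed.length === 0 || allowed.indexOf("*") !== -1) return null;
  return {
    name: "psp-volumes-0",
    // Filters under "any" rather than directly under match (the latter is deprecated).
    match: { any: [{ resources: { kinds: ["Pod"] } }] },
    preconditions: { all: [{
      key: "{{ request.object.spec.volumes[].keys(@)[] | length(@) }}",
      operator: "GreaterThan",
      value: 0,
    }] },
    validate: {
      message: "Rejected by psp-volumes-0 rule",
      deny: { conditions: { all: [{
        key: "{{ request.object.spec.volumes[].keys(@)[] }}",
        operator: "AnyNotIn",
        value: ["name"].concat(allowed),
      }] } },
    },
  };
}

// Kyverno pattern value for securityContext.runAsUser derived from the PSP rule.
// Returns null when the PSP imposes no constraint. Assumption: Kyverno pattern
// operators "&" (AND) and "|" (OR) combine the range bounds.
// Simplification: PSP MustRunAsNonRoot also accepts runAsNonRoot: true without a
// numeric runAsUser; that path is not modelled here.
function runAsUserPattern(psp: PodSecurityPolicy): string | null {
  const rau = psp.spec.runAsUser;
  if (!rau || rau.rule === "RunAsAny") return null;
  if (rau.rule === "MustRunAsNonRoot") return ">0";
  if (rau.rule === "MustRunAs") {
    const ranges = rau.ranges ?? [];
    // Fail with a clear message instead of a TypeError on ranges[0].
    if (ranges.length === 0) {
      throw new Error("runAsUser.rule MustRunAs requires at least one range");
    }
    return ranges.map((r) => `>=${r.min} & <=${r.max}`).join(" | ");
  }
  throw new Error(`unsupported runAsUser.rule: ${rau.rule}`);
}

// Constructed sample input: the restricted PSP shape seen in the issues above
// (MustRunAsNonRoot without ranges, explicit volume list).
const restrictedPsp: PodSecurityPolicy = {
  spec: {
    volumes: ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"],
    runAsUser: { rule: "MustRunAsNonRoot" },
  },
};

console.log(JSON.stringify(volumesDenyRule(restrictedPsp), null, 2));
console.log(runAsUserPattern(restrictedPsp));
```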

[Bug]: Update README to reflect the release of 1.25

What happened?

Now that Kubernetes 1.25 and Pod Security Admission are released and stable, I thought a couple of changes to the README could help newcomers more easily understand the continued relevance and benefits of the project. In particular:

  • References to 1.25 like "before it is removed in Kubernetes 1.25" should probably be removed or updated
  • Now that Pod Security Admission / Pod Security Standards are stable, it could be helpful to address them more prominently in the README. The linked blog does have some great discussion under "What about PodSecurityStandards?", but it could be helpful to have some similar language close to the top of the README too.

I'd be happy to take a stab at these changes in a PR, but I wanted to open this issue first to solicit feedback, as it would require some nontrivial copy changes.

What policy engine were you generating policy for

No response

Relevant log output

No response

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.


[Bug]: requiredDropCapabilities is not converted as validating AND mutating

What happened?

I have a PSP rule with a .spec.requiredDropCapabilities specified. This field is simultaneously a "Validating" and "Mutating" field in PodSecurityPolicy.

Your tool only generates the "Validating" rules, not the "Mutating" ones.

So when I insert new objects in the k8s cluster with no "requiredDropCapabilities" specified, these objects are blocked by OPA (because no "requiredDropCapabilities" is present) instead of being first mutated by OPA to add the missing field.

What policy engine were you generating policy for

Gatekeeper

Relevant log output

Source object:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: test
spec:
  requiredDropCapabilities:
  - MKNOD

Generated objects:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-k8spspvolumetypes-a8fae
spec:
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
  parameters: {}

---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: psp-k8spspcapabilities-31528
spec:
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
  parameters:
    allowedCapabilities: []
    requiredDropCapabilities:
      - MKNOD

The object K8sPSPCapabilities is only a "Validating" object (see definition in https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/pod-security-policy/capabilities/template.yaml).

runAsUser.rule = MustRunAsNonRoot doesn't work as expected

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

A bug happened!

What policy engine(s) are you using?

  • Kyverno
  • Kubewarden
  • Gatekeeper

Input PSP

# https://github.com/kubernetes/website/blob/main/content/en/examples/policy/example-psp.yaml 
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

Gatekeeper output

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-k8spspallowedusers-97934
spec:
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
  parameters:
    runAsUser:
      rule: MustRunAsNonRoot

Kubewarden output

apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-usergroup-070cd
spec:
  module: registry://ghcr.io/kubewarden/policies/user-group-psp:v0.1.3
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    run_as_user:
      rule: MustRunAsNonRoot
    supplemental_groups:
      rule: RunAsAny

Kyverno output

Cannot read properties of undefined (reading '0')

GIT

54f53bc

[FeatureRequest]: use any in match filter due to deprecation

Is there an existing issue for this?

  • I have searched the existing issues

What is the idea?

According to https://kyverno.io/docs/writing-policies/match-exclude/#resource-filters :

Specifying resource filters directly under match and exclude has been marked for deprecation and will be removed in a future release. It is highly recommended you specify them under any or all blocks.

However, the psp-migration tool returns filters like this:

      match:
        resources:
          kinds:
            - Pod

should be

      match:
        any:
        - resources:
            kinds:
              - Pod

[FeatureRequest]: fix ci for external PRs

Is there an existing issue for this?

  • I have searched the existing issues

What is the idea?

CI fails for external PRs because the test report publisher doesn't have permission.

[Bug]: allowPrivilegeEscalation is optional

What happened?

When a PSP has defined

allowPrivilegeEscalation: false

the psp-migration tool generates

          spec:
            "=(initContainers)":
              - "=(securityContext)":
                  "=(allowPrivilegeEscalation)": false
            "=(ephemeralContainers)":
              - "=(securityContext)":
                  "=(allowPrivilegeEscalation)": false
            containers:
              - "=(securityContext)":
                  "=(allowPrivilegeEscalation)": false

but the Kyverno policy example shows this:

            - securityContext:
                allowPrivilegeEscalation: "false"
            =(initContainers):
            - securityContext:
                allowPrivilegeEscalation: "false"
            containers:
            - securityContext:
                allowPrivilegeEscalation: "false"

which means securityContext.allowPrivilegeEscalation is not optional.

https://github.com/kyverno/policies/blob/4c145c00af932b75ad33f819d8e31aefff30c9c0/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml#L35C1-L42C50

According to kubernetes/website#30104 it is not clear if allowPrivilegeEscalation defaults to false or true. The last comments seem to think it is true. So allowPrivilegeEscalation should not be optional.

What policy engine were you generating policy for

Kyverno

Relevant log output

No response

[Bug]: Some PSPs fields are not migrated

What happened?

psp-migration is not able to generate some Kubewarden policies directly from the kubectl output. Consider the following PSP:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: pod-security-policy-restricted-psp
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  allowedHostPaths:
    # This allows "/foo", "/foo/", "/foo/bar" etc., but
    # disallows "/fool", "/etc/foo" etc.
    # "/foo/../" is never valid.
    - pathPrefix: "/foo"
      readOnly: true  # only allow read-only mounts
  allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  hostIPC: false
  hostNetwork: false
  hostPID: false
  privileged: false
  readOnlyRootFilesystem: false
  # Required to prevent escalations to root.
  requiredDropCapabilities:
    - ALL
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  # Allow core volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'

After applying it, when we tried to generate the Kubewarden policies from the kubectl get psp output, the migration tool generated this:

---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-volumes-022aa
spec:
  module: registry://ghcr.io/kubewarden/policies/volumes-psp:v0.1.6
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    allowedTypes:
      - configMap
      - emptyDir
      - projected
      - secret
      - downwardAPI
      - persistentVolumeClaim

---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-apparmor-d2d41
spec:
  module: registry://ghcr.io/kubewarden/policies/apparmor-psp:v0.1.9
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    allowed_profiles:
      - runtime/default

---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-seccomp-588b4
spec:
  module: registry://ghcr.io/kubewarden/policies/seccomp-psp:v0.1.1
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    allowed_profiles:
      - docker/default
      - runtime/default
    profile_types:
      - RuntimeDefault
    localhost_profiles: []

---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-capabilities-60e87
spec:
  module: registry://ghcr.io/kubewarden/policies/capabilities-psp:v0.1.9
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    allowed_capabilities: []
    required_drop_capabilities:
      - ALL

---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-allowedhostpaths-fdbc0
spec:
  module: registry://ghcr.io/kubewarden/policies/hostpaths-psp:v0.1.5
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    allowedHostPaths:
      - pathPrefix: /foo
        readOnly: true

---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-usergroup-6b429
spec:
  module: registry://ghcr.io/kubewarden/policies/user-group-psp:v0.2.0
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    run_as_user:
      rule: MustRunAsNonRoot
    supplemental_groups:
      ranges:
        - max: 65535
          min: 1
      rule: MustRunAs

---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-fsgroup-a48cf
spec:
  module: registry://ghcr.io/kubewarden/policies/allowed-fsgroups-psp:v0.1.4
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs

---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-defaultallowprivilegeescalation-13e07
spec:
  module: >-
    registry://ghcr.io/kubewarden/policies/allow-privilege-escalation-psp:v0.1.11
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    default_allow_privilege_escalation: false

Note that the hostIPC, hostNetwork, hostPID, privileged and readOnlyRootFilesystem fields are not being converted to the corresponding Kubewarden policy. However, if I use the original YAML file used to deploy the PSP, the migration tool is able to create the policies.

What policy engine were you generating policy for

Kubewarden

Relevant log output

No response

[Bug]: requiredDropCapabilities translation to Kyverno Policies seems incorrect

What happened?

A PSP with an option such as the one below, AFAIK, doesn't require a strict drop of capabilities in the Pod manifest. It just prevents creating Pods with such capabilities.

requiredDropCapabilities:
  - CHOWN

The policy created with psp-migration for Kyverno requires a strict drop of the capability in the Pod manifest:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: tenant-nonroot-psp-requireddropcapabilities
spec:
  rules:
    - validate:
        pattern:
          spec:
            containers:
              - securityContext:
                  capabilities:
                    drop:
                      - CHOWN

So there is a significant difference in logic between the original PSP and the migrated Kyverno Policy.
(Or maybe I just misunderstood something?)

What policy engine were you generating a policy for

Kyverno

Relevant log output

No response
