Comments (4)
Hi @fseldow! Not specific to unconfined, but for backwards compatibility we want to preserve the template's existing behavior. So any potentially breaking change would probably need to be gated with a new parameter, for which the default would maintain the template's current behavior.
from gatekeeper-library.
Hi @apeabody, thx for the discussion.
In my draft PR: https://github.com/open-policy-agent/gatekeeper-library/pull/476/files#diff-12f0a346e8a71d42c3220276be2c51872b8195d0838c33ec2a24d09657c74937
The result change will happen only when the input parameter does not include unconfined but the container is set as unconfined. We used to view it as non-compliant. After the change it will become compliant.
In other words, the parameter allowedProfile will by default include unconfined.
Will it also be viewed as a breaking change? Because from my side, it will not suddenly cause compliant resources to be non-compliant or deny the CRUD of pods.
Thanks for raising this @fseldow!
After looking at the docs, if this annotation is set to unconfined for a specific container, it means that the container will not be subject to any AppArmor profile restrictions. This configuration effectively disables AppArmor protection for the container, allowing it to run with the default permissions and capabilities granted by the Kubernetes cluster and the underlying operating system.
+1 to adding a new parameter in the policy to enable this behavior to allow compliance for unconfined, while ensuring the default behavior when the new parameter is not set is non-compliant.
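To make the compatibility question in this thread concrete, here is an added Python model of the AppArmor allowed-profiles check. It is not the gatekeeper-library Rego template and not code written by any of the commenters; it only models the decision logic under the two proposals. Names it assumes that are not in the thread: the annotation key prefix container.apparmor.security.beta.kubernetes.io/, the gating parameter name allow_unconfined, and treating a missing annotation as runtime/default.

```python
"""Python model of the AppArmor allowedProfiles check discussed in the thread.

Added example, not gatekeeper-library's Rego template. Assumptions not taken
from the thread: the annotation key prefix, the gating parameter name
(allow_unconfined) and treating a missing annotation as "runtime/default".
"""

ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
MISSING_PROFILE = "runtime/default"  # assumption: value used when no annotation is set


def container_profile(pod, container_name):
    """AppArmor profile requested for one container via the pod annotation."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    return annotations.get(ANNOTATION_PREFIX + container_name, MISSING_PROFILE)


def apparmor_violations(pod, allowed_profiles, allow_unconfined=False):
    """Return (container, profile) pairs whose profile is not permitted.

    allowed_profiles mirrors the template's allowedProfiles parameter.
    allow_unconfined is the proposed gating parameter: when True, "unconfined"
    is treated as if it were listed in allowedProfiles (what the draft PR would
    make the default); when False (the default here) the existing behaviour is
    preserved, so an unconfined container is compliant only if "unconfined"
    was listed explicitly.
    """
    effective_allowed = set(allowed_profiles)
    if allow_unconfined:
        effective_allowed.add("unconfined")
    violations = []
    for container in pod.get("spec", {}).get("containers", []):
        profile = container_profile(pod, container["name"])
        if profile not in effective_allowed:
            violations.append((container["name"], profile))
    return violations


# Constructed sample pod: one container opts out of AppArmor entirely
# ("unconfined" removes every profile restriction), one names a local
# profile, and one sets no annotation at all.
SAMPLE_POD = {
    "metadata": {
        "name": "example",
        "annotations": {
            ANNOTATION_PREFIX + "app": "unconfined",
            ANNOTATION_PREFIX + "sidecar": "localhost/example-profile",
        },
    },
    "spec": {
        "containers": [{"name": "app"}, {"name": "sidecar"}, {"name": "web"}]
    },
}


def compatibility_matrix(pod=SAMPLE_POD):
    """Judge the same pod under each combination discussed in the thread."""
    listed = ["runtime/default", "localhost/example-profile"]
    return {
        "current (gate off)": apparmor_violations(pod, listed),
        "proposed (gate on)": apparmor_violations(pod, listed, allow_unconfined=True),
        "explicitly listed": apparmor_violations(pod, listed + ["unconfined"]),
    }


if __name__ == "__main__":
    for label, found in compatibility_matrix().items():
        print(f"{label}: {found or 'compliant'}")
```

Running the matrix shows the point both commenters make: with the gate off, the unconfined container is the only violation, exactly as today; turning the gate on makes the same pod compliant without touching allowedProfiles, so a cluster that never sets the new parameter sees no change in which pods are admitted.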
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.