
allow-privilege-escalation-psp-policy

License: Apache 2.0

This Kubewarden Policy is a replacement for the Kubernetes Pod Security Policy that limits the usage of the allowPrivilegeEscalation security context setting.

How the policy works

This policy rejects all the Pods that have at least one container or init container with allowPrivilegeEscalation set to true in its security context.

The policy can also mutate Pods to ensure they have allowPrivilegeEscalation set to false whenever the user has not set the field explicitly. This replaces the DefaultAllowPrivilegeEscalation configuration option of the original Kubernetes PSP.

Configuration

The policy can be configured in this way:

default_allow_privilege_escalation: false

Sets the default for the allowPrivilegeEscalation option. The default behavior without this is to allow privilege escalation so as to not break setuid binaries. If that behavior is not desired, this field can be used to default to disallow, while still permitting pods to request allowPrivilegeEscalation explicitly.

By default default_allow_privilege_escalation is set to true.
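The admission logic described above (reject on an explicit true, optionally default unset fields to false), modelled in Python as an added example; this is not the policy's own code, and the sample Pod is constructed here:

```python
import copy

# Constructed sample Pod (not from the README): one container explicit, one unset.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
    "spec": {"containers": [
        {"name": "nginx", "image": "nginx",
         "securityContext": {"allowPrivilegeEscalation": True}},
        {"name": "sidecar", "image": "sidecar"},
    ]},
}

def _all_containers(pod):
    """Init containers and regular containers, returned as the same dict objects."""
    spec = pod.get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))

def evaluate(pod, default_allow_privilege_escalation=True):
    """Model of the admission decision; returns (allowed, pod_or_None, message).

    Reject when any container or init container explicitly sets
    allowPrivilegeEscalation: true. When default_allow_privilege_escalation is
    False, every container that leaves the field unset gets it set to false
    (mutation); explicit values are never changed. The input dict is not modified.
    """
    pod = copy.deepcopy(pod)
    mutated = False
    for c in _all_containers(pod):
        sc = c.get("securityContext") or {}
        value = sc.get("allowPrivilegeEscalation")
        if value is True:
            name = c.get("name", "<unnamed>")
            return False, None, f"container {name!r} has allowPrivilegeEscalation enabled"
        if value is None and not default_allow_privilege_escalation:
            c["securityContext"] = {**sc, "allowPrivilegeEscalation": False}
            mutated = True
    return True, pod, "mutated" if mutated else "accepted"

if __name__ == "__main__":
    print(evaluate(SAMPLE_POD))  # rejected because of the nginx container
    unset = copy.deepcopy(SAMPLE_POD)
    unset["spec"]["containers"][0].pop("securityContext")
    print(evaluate(unset, default_allow_privilege_escalation=False))  # mutated
```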

Examples

The following Pod will be rejected because the nginx container has allowPrivilegeEscalation enabled:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      allowPrivilegeEscalation: true
  - name: sidecar
    image: sidecar

The following Pod will also be rejected, because one of its init containers has allowPrivilegeEscalation enabled:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
  - name: sidecar
    image: sidecar
  initContainers:
  - name: init-myservice
    image: init-myservice
    securityContext:
      allowPrivilegeEscalation: true

Obtain policy

The policy is automatically published as an OCI artifact in this container registry.

Using the policy

The easiest way to use this policy is through the kubewarden-controller.

