Skip to content

kubewarden/allow-privilege-escalation-psp-policy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

141 Commits

.github/workflows

.github/workflows

 
 

src

src

 
 

test_data

test_data

 
 

.gitignore

.gitignore

 
 

CODEOWNERS

CODEOWNERS

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

Cargo.lock

Cargo.lock

 
 

Cargo.toml

Cargo.toml

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

artifacthub-pkg.yml

artifacthub-pkg.yml

 
 

artifacthub-repo.yml

artifacthub-repo.yml

 
 

e2e.bats

e2e.bats

 
 

hub.yml

hub.yml

 
 

metadata.yml

metadata.yml

 
 

questions-ui.yml

questions-ui.yml

 
 

renovate.json

renovate.json

 
 

Repository files navigation

This policy rejects all the Pods that have at least one container or init container with the allowPrivilegeEscalation security context enabled.

The policy can also mutate Pods to ensure they have allowPrivilegeEscalation set to false whenever the user is not explicit about that. This is a replacement of the DefaultAllowPrivilegeEscalation configuration option of the original Kubernetes PSP.

Settings

The policy can be configured in this way:

default_allow_privilege_escalation: false

Sets the default for the allowPrivilegeEscalation option. The default behavior without this is to allow privilege escalation so as to not break setuid binaries. If that behavior is not desired, this field can be used to default to disallow, while still permitting pods to request allowPrivilegeEscalation explicitly.

By default default_allow_privilege_escalation is set to true.

This policy can inspect Pod resources, but can also operate against "higher order" Kuberenetes resource like Deployment, ReplicaSet, DaemonSet, ReplicationController, Job and CronJob.

It's up to the operator to decide which kind of resources the policy is going to inspect. That is done when declaring the policy.

There are pros and cons to both approaches:

  • Have the policy inspect low level resources, like Pod. Different kind of Kubernetes resources (be them native or CRDs) can create Pods. By having the policy target Pod objects, there's the guarantee all the Pods are going to be compliant. However, this could lead to some confusion among end users of the cluster: their high level Kubernetes resources would be successfully created, but they would stay in a non reconciled state. For example, a Deployment creating a non-compliant Pod would be created, but it would never have all its replicas running. The end user would have to do some debugging to finally understand why this is happening.
  • Have the policy inspect higher order resource (e.g. Deployment): the end users will get immediate feedback about the rejections. However, there's still the chance that some non compliant pods are created by another high level resource (be it native to Kubernetes, or a CRD).

Examples

The following Pod will be rejected because the nginx container has allowPrivilegeEscalation enabled:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      allowPrivilegeEscalation: true
  - name: sidecar
    image: sidecar

The following Pod would be blocked because one of the init containers has allowPrivilegeEscalation enabled:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
  - name: sidecar
    image: sidecar
  initContainers:
  - name: init-myservice
    image: init-myservice
    securityContext:
      allowPrivilegeEscalation: true

About

A Kubewarden Pod Security Policy that controls usage of allowPrivilegeEscalation

kubewarden.io

Topics

kubernetes webassembly hacktoberfest policy-as-code pod-security-policy kubernetes-security kubewarden-policy

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

5 stars

Watchers

8 watching

Forks

7 forks
Report repository

Releases 18

Release v0.2.6 Latest
Jul 7, 2023
+ 17 releases

Packages 2

 
 

Contributors 10

Languages