[Feature] Allow specifying a container within a Pod in Policy Exceptions #8570
Comments
I've run into this same issue with the
Leaving this here in case it helps someone else. This policy adds an exception for kube-system for PSA and also for the Istio sidecars' Seccomp configs.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psa
spec:
  background: true
  validationFailureAction: Audit
  rules:
    - name: restricted
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - filebeat
      validate:
        podSecurity:
          level: restricted
          version: latest
          exclude:
            - controlName: Seccomp
              images:
                - repo.org.com/docker-hub/istio/proxyv2:*
```

Kudos to the wonderful people at Kyverno's Slack channel for prodding me in the right direction. ❤️
@MariamFahmy98 Am I correct that the goal here is to allow Policy Exceptions for PSA validation subrules in general?
There is another issue for allowing pod security exemption in exceptions. Here's the PR: #8580. This issue is for allowing the selection of a specific container name within the deployment to be excluded.
We raise various sysctl knobs in our thanks
Part of #8663?

Seems related but not the same.
I am very new to all of this, but I think it's essentially the issue we are having. We use linkerd, and the baseline policy shows every one of our pods failing the
We have the same issue in our clusters with linkerd enabled and the baseline policy.
Hi @chipzoller, thanks for sharing the blog. I've tried creating a similar policy, but the creation of the following pod was not denied. What could be the reason?

My Kyverno version is
Works for me:

```
k create -f temp1.yaml
Error from server: error when creating "temp1.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:

resource Pod/default/pod-with-net-admin was blocked due to the following policies

podsecurity-subrule-baseline:
  baseline: |
    Validation rule 'baseline' failed. It violates PodSecurity "baseline:latest": ({Allowed:false ForbiddenReason:non-default capabilities ForbiddenDetail:container "your-container-name" must not include "NET_ADMIN" in securityContext.capabilities.add})
```
Thanks for validating, @chipzoller. My team and I guess that the policy exempts the pod when exclusions are found, which is weird and does not align with the description here
No service mesh when I tested.
I see. Can I ask you, if it's not too much, to retest with the following linkerd-injected definition of the same pod
I see, yes, in this case it was allowed in Kyverno 1.11.4 but blocked (correct) in 1.12.0-rc.5 when I tested. I was looking for where this was addressed but maybe it was part of some other change. In any case, the policy with your Pod works as intended on 1.12.
Thanks a lot @chipzoller
Problem Statement
If we have a policy that disallows certain capabilities, and we have a deployment with two containers:
We need the policy exception to be applied only on the sidecar container.
Solution Description
We need to find a way to let the user specify a container within a pod in policy exceptions.
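As an added illustration of the problem statement (this is example code written for this page, not part of the issue and not Kyverno's implementation), the Python sketch below evaluates a "disallowed capabilities" rule against a constructed two-container Pod three ways: with no exception, with a Pod-wide exception, and with the container-scoped exception this issue asks for. The Pod manifest, the disallowed-capability set, and every function name are assumptions made for the example; the issue requests exactly such a container field, so nothing here reflects Kyverno's actual PolicyException API. It also walks initContainers and ephemeralContainers, which a real rule has to do as well, since a sidecar injector commonly adds an init container with the same capabilities.

```python
"""Toy admission check: Pod-wide vs container-scoped exceptions.

Added example for this issue; not Kyverno code.  Everything below
(capability list, manifest, function names) is constructed.
"""
from typing import Dict, Iterable, List, Optional, Set

# Constructed: capabilities the rule refuses in securityContext.capabilities.add.
DISALLOWED_CAPS: Set[str] = {"NET_ADMIN", "NET_RAW", "SYS_ADMIN"}

# Constructed Pod: an app container (which should NOT get NET_ADMIN) plus a
# service-mesh sidecar and its init container, which need NET_ADMIN/NET_RAW
# for iptables redirection.  Image names are placeholders.
POD: Dict = {
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "initContainers": [
            {
                "name": "linkerd-init",
                "image": "registry.example/linkerd/proxy-init:stable",
                "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}},
            }
        ],
        "containers": [
            {
                "name": "app",
                "image": "registry.example/app:1.0",
                "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
            },
            {
                "name": "linkerd-proxy",
                "image": "registry.example/linkerd/proxy:stable",
                "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}},
            },
        ],
    },
}


def all_containers(pod: Dict) -> Iterable[Dict]:
    """Yield every container the rule must inspect, not just spec.containers."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []):
            yield container


def added_caps(container: Dict) -> Set[str]:
    """Capabilities a container asks to add; empty when no securityContext."""
    sec = container.get("securityContext") or {}
    caps = sec.get("capabilities") or {}
    return set(caps.get("add") or [])


def violations(
    pod: Dict,
    exempt_containers: Optional[Set[str]] = None,
    exempt_pod: bool = False,
) -> List[str]:
    """Return one message per container that adds a disallowed capability.

    exempt_pod=True mimics a Pod-wide exception: the whole Pod is skipped,
    so a disallowed capability on the app container also slips through.
    exempt_containers mimics the requested feature: only the named
    containers are skipped and the rest are still checked.
    """
    if exempt_pod:
        return []
    exempt = exempt_containers or set()
    messages: List[str] = []
    for container in all_containers(pod):
        if container["name"] in exempt:
            continue
        bad = added_caps(container) & DISALLOWED_CAPS
        if bad:
            messages.append(
                f'container "{container["name"]}" must not include '
                f'{sorted(bad)} in securityContext.capabilities.add'
            )
    return messages


def compare(pod: Dict, sidecars: Set[str]) -> Dict[str, List[str]]:
    """Run the three scenarios side by side for a given Pod and sidecar names."""
    return {
        "no_exception": violations(pod),
        "pod_wide_exception": violations(pod, exempt_pod=True),
        "container_scoped_exception": violations(pod, exempt_containers=sidecars),
    }


if __name__ == "__main__":
    for scenario, msgs in compare(POD, {"linkerd-init", "linkerd-proxy"}).items():
        print(f"{scenario}: {'allowed' if not msgs else 'blocked'}")
        for m in msgs:
            print("  " + m)
```

The point the three scenarios make: a Pod-wide exception is the only tool available when an exception cannot name a container, and it silently allows the `app` container's `NET_ADMIN` along with the sidecar's; the container-scoped variant still blocks `app` while letting the mesh containers through.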
Alternatives
No response
Additional Context
No response
Slack discussion
No response
Research