(Successor of #21) Add an allow list parameter, allowedSysctls, to the Forbidden sysctl constraint template #253
Conversation
…constraint template

The `K8sPSPForbiddenSysctls` constraint template allows limiting sysctls available to pods using a deny list. This change adds another option, `allowedSysctls`, which allows a constraint to specify an allow list in addition to, or instead of, the deny list. The matching logic is as follows:

1. When specified, any sysctl not in the allow list is considered to be forbidden.
2. The allow list can be omitted.
3. The deny list takes precedence.

Signed-off-by: Oren Shomron <shomron@gmail.com>
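The three matching rules above, written out as a standalone Rego policy. This is an added illustration, not the gatekeeper-library template itself: it assumes the constraint parameters `forbiddenSysctls` and `allowedSysctls` (names taken from the PR) and treats a trailing `*` in a pattern as a prefix wildcard, which is an assumption of this example.

```rego
package k8spspforbiddensysctls

# Added example, not the project's template. Assumes the same input shape as
# Gatekeeper: input.review.object is the Pod, input.parameters holds the
# constraint parameters forbiddenSysctls and allowedSysctls (both optional).

# Rule 3: the deny list takes precedence, so a denied sysctl is always a violation.
violation[{"msg": msg, "details": {}}] {
    sysctl := input.review.object.spec.securityContext.sysctls[_].name
    forbidden_sysctl(sysctl)
    msg := sprintf("The sysctl %v is explicitly forbidden, pod: %v", [sysctl, input.review.object.metadata.name])
}

# Rules 1 and 2: only when an allow list is specified, anything not on it is forbidden.
# The bare reference to input.parameters.allowedSysctls is load-bearing: if the
# parameter is absent the expression is undefined, the rule body fails, and the
# pod is not rejected, which keeps deny-list-only constraints working unchanged.
violation[{"msg": msg, "details": {}}] {
    sysctl := input.review.object.spec.securityContext.sysctls[_].name
    not forbidden_sysctl(sysctl)
    input.parameters.allowedSysctls
    not allowed_sysctl(sysctl)
    msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
}

forbidden_sysctl(sysctl) {
    matches(input.parameters.forbiddenSysctls[_], sysctl)
}

allowed_sysctl(sysctl) {
    matches(input.parameters.allowedSysctls[_], sysctl)
}

# Exact match, e.g. "net.ipv4.ip_forward".
matches(pattern, name) {
    pattern == name
}

# Assumed prefix wildcard, e.g. "kernel.*" matches "kernel.shm_rmid_forced".
matches(pattern, name) {
    endswith(pattern, "*")
    startswith(name, trim_suffix(pattern, "*"))
}
```

With `forbiddenSysctls: ["kernel.*"]` and `allowedSysctls: ["net.*"]`, a pod requesting `kernel.shm_rmid_forced` is rejected by the first rule, `vm.swappiness` by the second, and `net.ipv4.ip_forward` is admitted.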
LGTM after nit!
```rego
violation[{"msg": msg, "details": {}}] {
  sysctl := input.review.object.spec.securityContext.sysctls[_].name
  not allowed_sysctl(sysctl)
  msg := sprintf("The sysctl %v is not explictly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
```
We should add a comment that `input.parameters.allowedSysctls` in `sprintf()` is load-bearing.

Without that line, this change would be backwards-incompatible and that seems non-obvious. Adding a comment will help prevent accidentally breaking this requirement in the future.
Sorry, what specifically do you mean by "load-bearing"?
Sorry, I accidentally removed a review request from @sozercan

Hi, @maxsmythe @ritazh @sozercan could you please take a look again and merge this?
LGTM
This PR is a successor of #21 and adds a description for the new field, as per #21 (comment).
Quoting PR description from #21: