From c8bbebb953ffcac74d83d8584a120d802e554d5e Mon Sep 17 00:00:00 2001
From: Jordon Leach
Date: Thu, 30 Mar 2023 08:52:02 -0400
Subject: [PATCH 1/2] Add kubewarden/resources annotation for ui
---
Cargo.lock | 2 +-
Cargo.toml | 2 +-
artifacthub-pkg.yml | 11 ++++++-----
3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index e0df981..f637209 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4,7 +4,7 @@ version = 3
 [[package]]
 name = "allow-privilege-escalation-psp"
-version = "0.2.3"
+version = "0.2.4"
 dependencies = [
 "anyhow",
 "k8s-openapi",
diff --git a/Cargo.toml b/Cargo.toml
index 2908e5e..b12c4f3 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "allow-privilege-escalation-psp"
-version = "0.2.3"
+version = "0.2.4"
 authors = ["Flavio Castelli "]
 edition = "2018"
diff --git a/artifacthub-pkg.yml b/artifacthub-pkg.yml
index 16e54b5..3f537d5 100644
--- a/artifacthub-pkg.yml
+++ b/artifacthub-pkg.yml
@@ -4,25 +4,25 @@
 #
 # This config can be saved to its default location with:
 # kwctl scaffold artifacthub > artifacthub-pkg.yml
-version: 0.2.3
+version: 0.2.4
 name: allow-privilege-escalation-psp
 displayName: Allow Privilege Escalation PSP
-createdAt: 2023-03-20T18:50:30.095911Z
+createdAt: 2023-03-30T12:49:37+00:00
 description: Replacement for the Kubernetes Pod Security Policy that controls the allowance of privilege escalation in containers and init containers of a pod
 license: Apache-2.0
 homeURL: https://github.com/kubewarden/allow-privilege-escalation-psp-policy
 containersImages:
 - name: policy
- image: ghcr.io/kubewarden/policies/psp-allow-privilege-escalation:v0.2.3
+ image: ghcr.io/kubewarden/policies/psp-allow-privilege-escalation:v0.2.4
 links:
 - name: policy
- url: https://github.com/kubewarden/allow-privilege-escalation-psp-policy/releases/download/v0.2.3/policy.wasm
+ url: https://github.com/kubewarden/allow-privilege-escalation-psp-policy/releases/download/v0.2.4/policy.wasm
 - name: source
 url: https://github.com/kubewarden/allow-privilege-escalation-psp-policy
 install: |
 The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl):
 ```console
- kwctl pull ghcr.io/kubewarden/policies/psp-allow-privilege-escalation:v0.2.3
+ kwctl pull ghcr.io/kubewarden/policies/psp-allow-privilege-escalation:v0.2.4
 ```
 maintainers:
 - name: Kubewarden developers
@@ -48,6 +48,7 @@ annotations:
 required: false
 type: boolean
 variable: default_allow_privilege_escalation
+ kubewarden/resources: 'Deployment,Replicaset,Statefulset,Daemonset,Replicationcontroller,Job,Cronjob,Pod'
 kubewarden/rules: |
 - apiGroups:
 - ''
From 875c3363c3e5827474259f3ffbe73376952db143 Mon Sep 17 00:00:00 2001
From: Flavio Castelli
Date: Thu, 30 Mar 2023 16:08:59 +0200
Subject: [PATCH 2/2] fix: add missing field to artifacthub metadata
Cleanup the metadata file:
* remove the usage, this is now taken from the README
* add the `io.artifacthub.resources` attribute
* add other optional metadata attributes used by Artifact HUB
Recreate the artifacthub-pkg.yml file using the new metadata
Signed-off-by: Flavio Castelli
---
artifacthub-pkg.yml | 7 +++-
metadata.yml | 90 +++------------------------------------------
2 files changed, 10 insertions(+), 87 deletions(-)
diff --git a/artifacthub-pkg.yml b/artifacthub-pkg.yml
index 3f537d5..3de71fa 100644
--- a/artifacthub-pkg.yml
+++ b/artifacthub-pkg.yml
@@ -7,13 +7,16 @@
 version: 0.2.4
 name: allow-privilege-escalation-psp
 displayName: Allow Privilege Escalation PSP
-createdAt: 2023-03-30T12:49:37+00:00
+createdAt: 2023-03-30T14:08:42.693857693Z
 description: Replacement for the Kubernetes Pod Security Policy that controls the allowance of privilege escalation in containers and init containers of a pod
 license: Apache-2.0
 homeURL: https://github.com/kubewarden/allow-privilege-escalation-psp-policy
 containersImages:
 - name: policy
 image: ghcr.io/kubewarden/policies/psp-allow-privilege-escalation:v0.2.4
+keywords:
+- PSP
+- privilege escalation
 links:
 - name: policy
 url: https://github.com/kubewarden/allow-privilege-escalation-psp-policy/releases/download/v0.2.4/policy.wasm
@@ -48,7 +51,7 @@ annotations:
 required: false
 type: boolean
 variable: default_allow_privilege_escalation
- kubewarden/resources: 'Deployment,Replicaset,Statefulset,Daemonset,Replicationcontroller,Job,Cronjob,Pod'
+ kubewarden/resources: Deployment,Replicaset,Statefulset,Daemonset,Replicationcontroller,Job,Cronjob,Pod
 kubewarden/rules: |
 - apiGroups:
 - ''
diff --git a/metadata.yml b/metadata.yml
index d67e239..b06a5e7 100644
--- a/metadata.yml
+++ b/metadata.yml
@@ -19,95 +19,15 @@ mutating: true
 contextAware: false
 executionMode: kubewarden-wapc
 annotations:
+ # artifacthub specific:
 io.artifacthub.displayName: Allow Privilege Escalation PSP
+ io.artifacthub.resources: Deployment,Replicaset,Statefulset,Daemonset,Replicationcontroller,Job,Cronjob,Pod
+ io.artifacthub.keywords: PSP, privilege escalation
+ io.kubewarden.policy.ociUrl: ghcr.io/kubewarden/policies/psp-allow-privilege-escalation
+ # kubewarden specific:
 io.kubewarden.policy.title: allow-privilege-escalation-psp
 io.kubewarden.policy.description: Replacement for the Kubernetes Pod Security Policy that controls the allowance of privilege escalation in containers and init containers of a pod
 io.kubewarden.policy.author: Kubewarden developers
 io.kubewarden.policy.url: https://github.com/kubewarden/allow-privilege-escalation-psp-policy
- io.kubewarden.policy.ociUrl: ghcr.io/kubewarden/policies/psp-allow-privilege-escalation
 io.kubewarden.policy.source: https://github.com/kubewarden/allow-privilege-escalation-psp-policy
 io.kubewarden.policy.license: Apache-2.0
- io.kubewarden.policy.usage: |
- This policy rejects all the Pods that have at least one container or
- init container with the `allowPrivilegeEscalation` security context
- enabled.
-
- The policy can also mutate Pods to ensure they have `allowPrivilegeEscalation`
- set to `false` whenever the user is not explicit about that.
- This is a replacement of the `DefaultAllowPrivilegeEscalation` configuration
- option of the original Kubernetes PSP.
-
- ## Settings
-
- The policy can be configured in this way:
-
- ```yaml
- default_allow_privilege_escalation: false
- ```
-
- Sets the default for the allowPrivilegeEscalation option. The default behavior without this is to allow privilege escalation so as to not break setuid binaries. If that behavior is not desired, this field can be used to default to disallow, while still permitting pods to request allowPrivilegeEscalation explicitly.
-
- By default `default_allow_privilege_escalation` is set to `true`.
-
- This policy can inspect Pod resources, but can also operate against "higher order"
- Kuberenetes resource like Deployment, ReplicaSet, DaemonSet, ReplicationController,
- Job and CronJob.
-
- It's up to the operator to decide which kind of resources the policy is going to inspect.
- That is done when declaring the policy.
-
- There are pros and cons to both approaches:
-
- Have the policy inspect low level resources, like Pod. Different kind of Kubernetes
- resources (be them native or CRDs) can create Pods. By having the policy target Pod
- objects, there's the guarantee all the Pods are going to be compliant. However,
- this could lead to some confusion among end users of the cluster: their high level
- Kubernetes resources would be successfully created, but they would stay in a non
- reconciled state. For example, a Deployment creating a non-compliant Pod would be
- created, but it would never have all its replicas running. The end user would
- have to do some debugging to finally understand why this is happening.
- Have the policy inspect higher order resource (e.g. Deployment): the end users
- will get immediate feedback about the rejections. However, there's still the
- chance that some non compliant pods are created by another high level resource
- (be it native to Kubernetes, or a CRD).
-
- ## Examples
-
- The following Pod will be rejected because the nginx container has
- `allowPrivilegeEscalation` enabled:
-
- ```yaml
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx
- spec:
- containers:
- - name: nginx
- image: nginx
- securityContext:
- allowPrivilegeEscalation: true
- - name: sidecar
- image: sidecar
- ```
-
- The following Pod would be blocked because one of the init containers
- has `allowPrivilegeEscalation` enabled:
-
- ```yaml
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx
- spec:
- containers:
- - name: nginx
- image: nginx
- - name: sidecar
- image: sidecar
- initContainers:
- - name: init-myservice
- image: init-myservice
- securityContext:
- allowPrivilegeEscalation: true
- ```
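Review bot: `io.kubewarden.policy.ociUrl` is moved under the new `# artifacthub specific:` comment although it is an `io.kubewarden.*` key, so the two section comments now mislabel it; either leave it in the kubewarden group or make the comment state the actual grouping criterion, e.g. `# consumed by kwctl scaffold artifacthub:`. `io.artifacthub.resources` is display metadata only — the `rules` stanza earlier in metadata.yml (outside this hunk) is what selects the kinds the policy actually evaluates, so the two lists should be checked against each other: the removed usage text listed Deployment, ReplicaSet, DaemonSet, ReplicationController, Job and CronJob but not StatefulSet, and the rules were presumably written for that set. The same value spells the kinds `Replicaset`, `Statefulset`, `Daemonset`, `Replicationcontroller` and `Cronjob`, which are not the Kubernetes kind names; if the consumer matches kinds case-sensitively this should read `io.artifacthub.resources: Deployment,ReplicaSet,StatefulSet,DaemonSet,ReplicationController,Job,CronJob,Pod`, otherwise a short comment noting the casing is intentional would stop the next reader from "fixing" it. Whichever spelling is chosen here propagates to the `kubewarden/resources` value in both artifacthub-pkg.yml hunks when the file is regenerated. The `annotations` mapping begins inside this hunk; the file's `rules` section lies before it.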