runAsUser.rule = MustRunAsNonRoot doesn't work as expected

Open chrisns opened this issue 2 years ago • 1 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

What happened?

A bug happened!

What policy engine(s) are you using?

  • [X] Kyverno
  • [X] Kubewarden
  • [X] Gatekeeper

Input PSP

# https://github.com/kubernetes/website/blob/main/content/en/examples/policy/example-psp.yaml 
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

Gatekeeper output

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-k8spspallowedusers-97934
spec:
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
  parameters:
    runAsUser:
      rule: MustRunAsNonRoot

Kubewarden output

apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-usergroup-070cd
spec:
  module: registry://ghcr.io/kubewarden/policies/user-group-psp:v0.1.3
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    run_as_user:
      rule: MustRunAsNonRoot
    supplemental_groups:
      rule: RunAsAny

Kyverno output

Cannot read properties of undefined (reading '0')

GIT

54f53bc5fe4d8d264ce15f202ef8e43ae01cff6e

chrisns, Dec 21 '21 02:12