psp-migration icon indicating copy to clipboard operation
psp-migration copied to clipboard

[Bug]: allowPriviligeEscalation is optional

Open jkleinlercher opened this issue 1 year ago • 0 comments

What happened?

When a PSP has defined

allowPrivilegeEscalation: false

the psp-migration tool generates

          spec:
            "=(initContainers)":
              - "=(securityContext)":
                  "=(allowPrivilegeEscalation)": false
            "=(ephemeralContainers)":
              - "=(securityContext)":
                  "=(allowPrivilegeEscalation)": false
            containers:
              - "=(securityContext)":
                  "=(allowPrivilegeEscalation)": false

but the kyverno policy example show this:

            - securityContext:
                allowPrivilegeEscalation: "false"
            =(initContainers):
            - securityContext:
                allowPrivilegeEscalation: "false"
            containers:
            - securityContext:
                allowPrivilegeEscalation: "false"

which means securityContext.allowPriviligeEscalation is not optional.

https://github.com/kyverno/policies/blob/4c145c00af932b75ad33f819d8e31aefff30c9c0/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml#L35C1-L42C50

According to https://github.com/kubernetes/website/issues/30104 it is not clear if allowPrivilegeEscalation defaults to false or true. The last comments seem to think it is true. So allowPrivilegeEscalation should not be optional.

What policy engine were you generating policy for

Kynvero

Relevant log output

No response

jkleinlercher avatar Jul 28 '23 10:07 jkleinlercher