psp-migration
[Bug]: allowPrivilegeEscalation is optional
What happened?
When a PSP has defined
allowPrivilegeEscalation: false
the psp-migration tool generates
spec:
  "=(initContainers)":
  - "=(securityContext)":
      "=(allowPrivilegeEscalation)": false
  "=(ephemeralContainers)":
  - "=(securityContext)":
      "=(allowPrivilegeEscalation)": false
  containers:
  - "=(securityContext)":
      "=(allowPrivilegeEscalation)": false
but the Kyverno policy example shows this:
- securityContext:
    allowPrivilegeEscalation: "false"
=(initContainers):
- securityContext:
    allowPrivilegeEscalation: "false"
containers:
- securityContext:
    allowPrivilegeEscalation: "false"
which means securityContext.allowPrivilegeEscalation is not optional.
https://github.com/kyverno/policies/blob/4c145c00af932b75ad33f819d8e31aefff30c9c0/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml#L35C1-L42C50
According to https://github.com/kubernetes/website/issues/30104 it is not clear if allowPrivilegeEscalation defaults to false or true. The last comments seem to think it is true. So allowPrivilegeEscalation should not be optional.
What policy engine were you generating policy for
Kyverno
Relevant log output
No response
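The difference the report describes, as an added example that is not part of the original issue or of either project's code: a simplified Python model of Kyverno pattern matching that handles only plain keys and `=(key)` equality anchors, run against constructed pod specs. The `matches` function, the pod dictionaries and the string-based scalar comparison are assumptions of this sketch; `STRICT` uses the two keyed entries visible in the quoted policy excerpt.

```python
# Simplified model of Kyverno validate-pattern matching (added example, not Kyverno's code).
# Modelled: plain keys (must exist and match) and =(key) equality anchors
# (checked only when the key exists in the resource).

def matches(pattern, resource):
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        for key, sub in pattern.items():
            optional = key.startswith("=(") and key.endswith(")")
            name = key[2:-1] if optional else key
            if name not in resource:
                if optional:
                    continue      # anchored key: absence is accepted
                return False      # plain key: absence is a violation
            if not matches(sub, resource[name]):
                return False
        return True
    if isinstance(pattern, list):
        # A one-element pattern list is applied to every element of the resource list.
        return isinstance(resource, list) and all(matches(pattern[0], r) for r in resource)
    # Scalars: compared as lower-cased strings so "false" matches boolean false (assumption).
    return str(pattern).lower() == str(resource).lower()

# Pattern generated by psp-migration, as quoted in the issue.
GENERATED = {"spec": {
    "=(initContainers)": [{"=(securityContext)": {"=(allowPrivilegeEscalation)": False}}],
    "=(ephemeralContainers)": [{"=(securityContext)": {"=(allowPrivilegeEscalation)": False}}],
    "containers": [{"=(securityContext)": {"=(allowPrivilegeEscalation)": False}}],
}}
# Keyed entries from the Kyverno policy excerpt quoted in the issue.
STRICT = {"spec": {
    "=(initContainers)": [{"securityContext": {"allowPrivilegeEscalation": "false"}}],
    "containers": [{"securityContext": {"allowPrivilegeEscalation": "false"}}],
}}

# Constructed pod specs.
POD_UNSET = {"spec": {"containers": [{"name": "app", "image": "example/app"}]}}
POD_FALSE = {"spec": {"containers": [{"name": "app", "securityContext": {"allowPrivilegeEscalation": False}}]}}
POD_TRUE = {"spec": {"containers": [{"name": "app", "securityContext": {"allowPrivilegeEscalation": True}}]}}

def verdicts(pod):
    return {"generated": matches(GENERATED, pod), "strict": matches(STRICT, pod)}

if __name__ == "__main__":
    for label, pod in [("unset", POD_UNSET), ("false", POD_FALSE), ("true", POD_TRUE)]:
        print(label, verdicts(pod))
```

Only the pod that omits the field is treated differently: the generated pattern admits it, while the strict pattern rejects it.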