[Bug]: requiredDropCapabilities is not converted as validating AND mutating
What happened?
I have a PSP rule with a .spec.requiredDropCapabilities specified. This field is simultaneously a "Validating" and "Mutating" field in PodSecurityPolicy.
Your tool only generates the "Validating" rules, but not the "Mutating" ones.
So when I insert new objects into the k8s cluster with no "requiredDropCapabilities" specified, these objects are blocked by OPA (because no "requiredDropCapabilities" is present) instead of first being mutated by OPA to add the missing field.
What policy engine were you generating policy for?
Gatekeeper
Relevant log output
Source object:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: test
spec:
  requiredDropCapabilities:
  - MKNOD
Generated objects:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-k8spspvolumetypes-a8fae
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters: {}
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: psp-k8spspcapabilities-31528
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedCapabilities: []
    requiredDropCapabilities:
    - MKNOD
The object K8sPSPCapabilities is only a "Validating" object (see definition in https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/pod-security-policy/capabilities/template.yaml).
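For comparison, the "Mutating" half that the PSP above implies, written as Gatekeeper ModifySet mutators. This is an added example, not output of the tool or part of the gatekeeper-library; the mutator names are made up, and it assumes Gatekeeper's mutation webhook is enabled in the cluster.

```yaml
# Added example (not the tool's output): mutators that add the PSP's
# requiredDropCapabilities to Pods that omit them, so such Pods are
# mutated before the generated K8sPSPCapabilities constraint validates them.
# Assumes Gatekeeper mutation is enabled; names are hypothetical.
apiVersion: mutations.gatekeeper.sh/v1
kind: ModifySet
metadata:
  name: psp-test-required-drop-capabilities-containers
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
  # [name:*] selects every container; the securityContext.capabilities
  # path is created when absent (assumed mutator behaviour).
  location: "spec.containers[name:*].securityContext.capabilities.drop"
  parameters:
    # merge appends MKNOD instead of replacing a drop list the Pod already has
    operation: merge
    values:
      fromList:
      - MKNOD
---
# The same field also governs initContainers, which need their own mutator.
apiVersion: mutations.gatekeeper.sh/v1
kind: ModifySet
metadata:
  name: psp-test-required-drop-capabilities-initcontainers
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
  location: "spec.initContainers[name:*].securityContext.capabilities.drop"
  parameters:
    operation: merge
    values:
      fromList:
      - MKNOD
```

The API server calls mutating admission webhooks before validating ones, so a Pod submitted without a drop list receives MKNOD here and then passes the generated K8sPSPCapabilities constraint instead of being rejected.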