Improvement for SELinux Policy
Hello,
I am integrating some of these policies with the project I am working on and the rego policy for K8sPSPSELinuxV2 is not actually adhering to the specification correctly. Here is the troublemaker: https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/pod-security-policy/selinux/template.yaml
My findings so far are about the following sections.
This verification for the seLinux context rule field is not implemented
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
SELinux
MustRunAs - Requires seLinuxOptions to be configured. Uses seLinuxOptions as the default. Validates against seLinuxOptions.
RunAsAny - No default provided. Allows any seLinuxOptions to be specified.
The verification is now handled only if there is a seLinuxOptions field set. It should validate the profiles only if MustRunAs is set.
seLinux:
  rule: MustRunAs
It should take into account the context set from the rule and ignore any profile validation if rule is:
seLinux:
  rule: RunAsAny
I can try adjusting the resources and rego file for this policy and submit a PR.
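As an added illustration of the switch described above (example code written for this thread, not the gatekeeper-library template and not the author's PR), the following Rego honours a PSP-style `rule` value before doing any profile validation. It assumes a `rule` parameter ("MustRunAs" or "RunAsAny") that the current constraint CRD does not expose, and an `allowedSELinuxOptions` parameter whose entries carry optional `level`/`role`/`type`/`user` keys; both parameter names are assumptions. The inputs in the `test_` rules are constructed so the file can be checked offline with `opa test`.

```rego
package k8spspselinux

# Added example, not the gatekeeper-library template. It assumes two constraint
# parameters: `rule` ("MustRunAs" or "RunAsAny", an assumed name mirroring the
# PSP field) and `allowedSELinuxOptions` (a list of objects with optional
# level/role/type/user keys). Both parameter names are assumptions.

# MustRunAs, part 1: every container must end up with seLinuxOptions, either
# set on the container or inherited from the pod-level securityContext.
violation[{"msg": msg}] {
    input.parameters.rule == "MustRunAs"
    c := input_containers[_]
    not effective_options(c)
    msg := sprintf("container %v has no seLinuxOptions but rule MustRunAs requires them", [c.name])
}

# MustRunAs, part 2: the effective options must match one allowed entry.
violation[{"msg": msg}] {
    input.parameters.rule == "MustRunAs"
    c := input_containers[_]
    opts := effective_options(c)
    not options_allowed(opts)
    msg := sprintf("container %v seLinuxOptions %v not in allowed list %v", [c.name, opts, input.parameters.allowedSELinuxOptions])
}

# RunAsAny: no violation rule references it, so any seLinuxOptions (or none)
# is admitted, which is the PSP semantics quoted in the issue.

input_containers[c] {
    c := input.review.object.spec.containers[_]
}

input_containers[c] {
    c := input.review.object.spec.initContainers[_]
}

# Container-level options win; otherwise fall back to the pod-level ones.
effective_options(c) = opts {
    opts := c.securityContext.seLinuxOptions
}

effective_options(c) = opts {
    not c.securityContext.seLinuxOptions
    opts := input.review.object.spec.securityContext.seLinuxOptions
}

options_allowed(opts) {
    allowed := input.parameters.allowedSELinuxOptions[_]
    field_allowed("level", opts, allowed)
    field_allowed("role", opts, allowed)
    field_allowed("type", opts, allowed)
    field_allowed("user", opts, allowed)
}

# An allowed entry that leaves a field unset acts as a wildcard for that field.
field_allowed(field, _, allowed) {
    not allowed[field]
}

field_allowed(field, opts, allowed) {
    allowed[field] == opts[field]
}

# Constructed inputs for `opa test`; the pod shapes below are made up.
test_runasany_admits_missing_options {
    count(violation) == 0 with input as {
        "parameters": {"rule": "RunAsAny"},
        "review": {"object": {"spec": {"containers": [{"name": "app"}]}}},
    }
}

test_mustrunas_rejects_missing_options {
    count(violation) == 1 with input as {
        "parameters": {"rule": "MustRunAs", "allowedSELinuxOptions": [{"level": "s0:c123,c456"}]},
        "review": {"object": {"spec": {"containers": [{"name": "app"}]}}},
    }
}

test_mustrunas_accepts_pod_level_match {
    count(violation) == 0 with input as {
        "parameters": {"rule": "MustRunAs", "allowedSELinuxOptions": [{"level": "s0:c123,c456"}]},
        "review": {"object": {"spec": {
            "securityContext": {"seLinuxOptions": {"level": "s0:c123,c456"}},
            "containers": [{"name": "app"}],
        }}},
    }
}

test_mustrunas_rejects_mismatch {
    count(violation) == 1 with input as {
        "parameters": {"rule": "MustRunAs", "allowedSELinuxOptions": [{"level": "s0:c123,c456"}]},
        "review": {"object": {"spec": {"containers": [
            {"name": "app", "securityContext": {"seLinuxOptions": {"level": "s0:c999,c888"}}},
        ]}}},
    }
}
```

Running `opa test .` in a directory containing this file exercises the four cases. The design point is that `rule` is checked first in every violation body, so a constraint set to RunAsAny produces no violations regardless of what `allowedSELinuxOptions` contains, while MustRunAs both requires options to be present and validates them.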
Setting RunAsAny for this setting is the same as not applying this constraint. Any applied template & constraint increases the resources that Gatekeeper uses so to keep settings simple, and to encourage best practices, we have no intention of adding RunAsAny to this policy.
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.