
RunAsUserName Policy Constraint for Windows pods

Open jsturtevant opened this issue 5 years ago • 0 comments

Describe the solution you'd like A policy that blocks ContainerAdministrator from being set on the WindowsOptions podspec. It is generally a good idea to run your containers with ContainerUser for Windows pods. The users are not shared between the container and host, but ContainerAdministrator does have additional privileges within the container. In the PR for https://github.com/kubernetes/kubernetes/pull/92355 an agreement was made to block ContainerAdministrator if RunAsNonRoot was specified.

The pod spec looks like (can also be set per container):

spec:
  securityContext:
    windowsOptions:
      runAsUserName: "ContainerUser"

There are also username limitations to be aware of: https://kubernetes.io/docs/tasks/configure-pod-container/configure-runasusername/#windows-username-limitations

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]

The following has more information on Windows Security Policies which are currently being defined: kubernetes/kubernetes#64801 (comment)

Environment:

  • Gatekeeper version:
  • Kubernetes version: (use kubectl version):

jsturtevant · Aug 05 '20 15:08
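One way the requested policy could be written as a Gatekeeper ConstraintTemplate plus a Constraint. This is an added example, not a template from gatekeeper-library or from the issue author; the template name `k8spspwindowsrunasusername`, the kind `K8sPSPWindowsRunAsUserName` and the `blockedUserNames` parameter are names chosen here for illustration. It checks both the pod-level `windowsOptions` and the per-container setting (a container-level `runAsUserName` overrides the pod-level one, as the issue notes), covers initContainers, and compares user names case-insensitively because Windows account names are not case-sensitive.

```yaml
# Added example (not the project's own template). Names are illustrative.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8spspwindowsrunasusername
spec:
  crd:
    spec:
      names:
        kind: K8sPSPWindowsRunAsUserName
      validation:
        openAPIV3Schema:
          properties:
            blockedUserNames:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8spspwindowsrunasusername

        violation[{"msg": msg}] {
          c := input_containers[_]
          user := effective_user(c)
          blocked := input.parameters.blockedUserNames[_]
          # Windows account names are case-insensitive, so normalise before comparing.
          lower(user) == lower(blocked)
          msg := sprintf("Windows runAsUserName %v is not allowed for container %v", [user, c.name])
        }

        # A container-level windowsOptions.runAsUserName overrides the pod-level one.
        effective_user(c) = user {
          user := c.securityContext.windowsOptions.runAsUserName
        }

        # Fall back to the pod-level setting only when the container sets none.
        effective_user(c) = user {
          not c.securityContext.windowsOptions.runAsUserName
          user := input.review.object.spec.securityContext.windowsOptions.runAsUserName
        }

        # Evaluate regular containers and initContainers alike.
        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }
        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }
---
# Constraint that applies the template to Pods and blocks ContainerAdministrator.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsRunAsUserName
metadata:
  name: block-container-administrator
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    blockedUserNames:
      - "ContainerAdministrator"
```

A pod that sets neither pod-level nor container-level `windowsOptions` produces no violation from this template; if the cluster default should be ContainerUser rather than "unset", a separate rule requiring `runAsUserName` to be present is needed. The upstream kubelet check referenced in the issue only rejects ContainerAdministrator when `runAsNonRoot` is also set, so an admission policy like this one is what covers pods that omit `runAsNonRoot`.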