gatekeeper-library icon indicating copy to clipboard operation
gatekeeper-library copied to clipboard

Published 20 hours ago • verified publisher icon open-policy-agent

chore: adding psp-users CEL policy

Open JaydipGabani opened this issue 8 months ago • 1 comments

What this PR does / why we need it:

Which issue(s) does this PR fix (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged): Fixes #541

Special notes for your reviewer:

Rego policy nehavior is -

  • filed in below list is reference to securityContext fields - [ runAsUser, runAsGroup, fsGroup, supplementalGroup ]
  • Input:
field:
      rule: MustRunAs
      ranges:
        - min: 100
          max: 200
  • Behavior: if field is missing from object then throw missing violation, else throw violation is field is not in required range
  • Input:
runAsUser:
      rule: MustRunAsNonRoot
  • Behavior: if runAsUser and runAsNonRoot both are missing from object then throw missing violation, else throw violation is runAsUser == 0
  • Input:
field:
      rule: mayRunAs
      ranges:
        - min: 100
          max: 200
  • Behavior: No missing field violation, but is field is present and violating the range then throw the violation
  • Input:
field:
  rule: RunAsAny
  • Behavior: No violations

JaydipGabani avatar May 30 '24 00:05 JaydipGabani