
please add the projected volume type in the volumes list

Open caleyg opened this issue 4 years ago • 3 comments

Is your feature request related to a problem? Please describe. When running `kubectl advise-psp inspect -n test_namespace` on a pod that requires a projected volumeType of some kind, it is not included in the `volumes:` list of the generated PSP YAML.

Describe the solution you'd like If a volumeType of projected is detected in the spec, its read/write property and type should be listed in the PSP generated i

Describe alternatives you've considered No other alternatives were considered other than having to debug the missing pieces while getting the amazon-cloudwatch-agent and fluentbitd daemonsets running in their namespace.

caleyg, Oct 19 '20 21:10

I also found the same to be true for pods that might need to allow for allowPrivilegeEscalation, and various allowedCapabilities that are generally listed in the pod spec are also not included in the generated output. If I should create a new issue for each of these, I can.

caleyg, Oct 20 '20 16:10

@caleyg do you have a sample yaml that I can test with?

Kaizhe, Oct 22 '20 18:10

Thanks for the response! These might be able to help some!

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-projected-volume
spec:
  containers:
  - name: test-projected-volume
    image: busybox
    args:
    - sleep
    - "86400"
    volumeMounts:
    - name: all-in-one
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: all-in-one
    projected:
      sources:
      - secret:
          name: user
      - secret:
          name: pass
```

```shell
# Create files containing the username and password:
echo -n "admin" > ./username.txt
echo -n "1f2d1e2e67df" > ./password.txt

# Package these files into secrets:
kubectl create secret generic user --from-file=./username.txt
kubectl create secret generic pass --from-file=./password.txt

# Create the projected test pod (the above YAML):
kubectl apply -f https://k8s.io/examples/pods/storage/projected.yaml
```

Pod with NET_ADMIN capabilities. I haven't tried to add others that might be needed.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: capabilities
spec:
  containers:
    - name: capabilities
      image: "ubuntu:14.04"
      command:
        - /bin/sleep
        - "300"
      securityContext:
        capabilities:
          add:
            - NET_ADMIN
```

A privileged pod that would need a generated PSP unique to that pod to include allowPrivilegeEscalation: true:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged
spec:
  containers:
    - name: privileged
      image: "ubuntu:14.04"
      securityContext:
        privileged: true
```

caleyg, Oct 22 '20 20:10
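The three manifests above exercise exactly the PSP fields the thread says are missing from the generated output: the `projected` volume type, `allowedCapabilities`, and `privileged` / `allowPrivilegeEscalation`. The script below is an added, stand-alone example (not kube-psp-advisor's own code) of how a tool can derive those fields from pod specs. It works on the parsed form of the manifests, embedded here as constructed Python dicts so it runs without a cluster or a YAML library, and it also walks `initContainers`, which a PSP must cover as well. The function and structure names are this example's own, and the `volumes` rule relies only on the Kubernetes convention that every key of a volume entry other than `name` names its type.

```python
"""Derive the PodSecurityPolicy fields a set of pods requires (added example)."""
from typing import Any, Dict, Iterable, List

Pod = Dict[str, Any]

# Constructed inputs: the parsed form of the three pod manifests posted in this thread.
PROJECTED_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "test-projected-volume"},
    "spec": {
        "containers": [{
            "name": "test-projected-volume", "image": "busybox",
            "args": ["sleep", "86400"],
            "volumeMounts": [{"name": "all-in-one", "mountPath": "/projected-volume", "readOnly": True}],
        }],
        "volumes": [{
            "name": "all-in-one",
            "projected": {"sources": [{"secret": {"name": "user"}}, {"secret": {"name": "pass"}}]},
        }],
    },
}
CAPABILITIES_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "capabilities"},
    "spec": {"containers": [{
        "name": "capabilities", "image": "ubuntu:14.04",
        "command": ["/bin/sleep", "300"],
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
    }]},
}
PRIVILEGED_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "privileged"},
    "spec": {"containers": [{
        "name": "privileged", "image": "ubuntu:14.04",
        "securityContext": {"privileged": True},
    }]},
}


def all_containers(pod: Pod) -> List[Dict[str, Any]]:
    """Regular and init containers: a PSP is enforced on both."""
    spec = pod.get("spec") or {}
    return list(spec.get("containers") or []) + list(spec.get("initContainers") or [])


def volume_types(pod: Pod) -> List[str]:
    """A volume entry is {"name": ..., "<type>": {...}}; the non-name key is the PSP volume type."""
    spec = pod.get("spec") or {}
    return [k for vol in (spec.get("volumes") or []) for k in vol if k != "name"]


def derive_psp_spec(pods: Iterable[Pod]) -> Dict[str, Any]:
    """Compute the least-privilege PSP spec fields that admit every pod in `pods`."""
    vol_types: set = set()
    caps: set = set()
    privileged = False
    allow_escalation = False
    for pod in pods:
        vol_types.update(volume_types(pod))
        for c in all_containers(pod):
            sc = c.get("securityContext") or {}
            caps.update((sc.get("capabilities") or {}).get("add") or [])
            if sc.get("privileged"):
                # A privileged container can always escalate, so the PSP must allow both.
                privileged = True
                allow_escalation = True
            if sc.get("allowPrivilegeEscalation"):
                allow_escalation = True
    return {
        "volumes": sorted(vol_types),
        "allowedCapabilities": sorted(caps),
        "privileged": privileged,
        "allowPrivilegeEscalation": allow_escalation,
    }


def build_psp(name: str, pods: Iterable[Pod]) -> Dict[str, Any]:
    """Wrap the derived fields in a PodSecurityPolicy object, filling the four required rule blocks."""
    spec = derive_psp_spec(pods)
    spec.update({  # required by the PSP schema; RunAsAny keeps them non-restrictive here
        "seLinux": {"rule": "RunAsAny"},
        "runAsUser": {"rule": "RunAsAny"},
        "supplementalGroups": {"rule": "RunAsAny"},
        "fsGroup": {"rule": "RunAsAny"},
    })
    return {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
            "metadata": {"name": name}, "spec": spec}


if __name__ == "__main__":
    import json
    print(json.dumps(build_psp("test-namespace-psp", [PROJECTED_POD, CAPABILITIES_POD, PRIVILEGED_POD]), indent=2))
```

Run per namespace, the output for these three pods lists `projected` under `volumes`, `NET_ADMIN` under `allowedCapabilities`, and sets both `privileged` and `allowPrivilegeEscalation` to true; feeding only the projected-volume pod yields a policy with neither capability nor privilege grants, which is the per-pod PSP the last comment asks for.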