Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: run against higher order k8s kinds #39

Merged
merged 1 commit into from
May 29, 2023
Merged

feat: run against higher order k8s kinds #39

merged 1 commit into from
May 29, 2023

Conversation

KhaledEmaraDev
Copy link
Contributor

Description

Fix #27

Test

To test this pull request, you can run the following commands:

Additional Information

Tradeoff

Potential improvement

@KhaledEmaraDev KhaledEmaraDev requested a review from a team as a code owner May 5, 2023 13:11
@jvanz jvanz added the kind/enhancement New feature or request label May 5, 2023
jvanz
jvanz requested changes May 5, 2023
View reviewed changes
src/mutate.rs Outdated Show resolved Hide resolved
@jvanz jvanz self-requested a review May 23, 2023 16:23
jvanz
jvanz requested changes May 23, 2023
View reviewed changes
src/validate.rs Show resolved Hide resolved
viccuad
viccuad requested changes May 25, 2023
View reviewed changes
Copy link
Member

@viccuad viccuad left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (some linter errors, also missing commiting artifacthub-pkg.yml to history)

Yet, is there a specific reason why we don't validate ephemeral containers? I cannot recall one, they have a securityContext, hence we can set capabilities for them (and an attacker can use it for privilege escalation). I suppose it's because the policy predates their inclusion and the analogous PSP didn't do it either for the same reason.

I would take that line from the readme (or add the reason if there's any), and open an issue to check for caps on ephemeral containers.

viccuad
viccuad approved these changes May 26, 2023
View reviewed changes
Copy link
Member

@viccuad viccuad left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving, I'm ok merging as it is. Still needs linters fixes, please fix those.

Opened #41 to also check ephemeral containers.

@jvanz
Copy link
Member

jvanz commented May 26, 2023
edited
Loading

Approving, I'm ok merging as it is. Still needs linters fixes, please fix those.

@KhaledEmaraDev, please, do it.

@KhaledEmaraDev
Copy link
Contributor Author

@jvanz @viccuad Done.

@KhaledEmaraDev KhaledEmaraDev requested a review from jvanz May 26, 2023 14:06
@jvanz jvanz merged commit dc9e2b8 into kubewarden:main May 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jvanz jvanz jvanz approved these changes

@viccuad viccuad viccuad approved these changes

Assignees

@KhaledEmaraDev KhaledEmaraDev

Labels
kind/enhancement New feature or request
Projects
Kubewarden
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update policy capabilities-psp-policy to target high level resources capabilities-psp-policy
3 participants
@KhaledEmaraDev @jvanz @viccuad