This Kubewarden Policy is a replacement for the Kubernetes Pod Security Policy that controls the usage of container capabilities:

  • Deprecated PSP
  • Kubernetes container capabilities feature

How the policy works

The following fields take a list of capabilities, specified as the capability name in ALL_CAPS without the CAP_ prefix.

  • allowed_capabilities: provides a list of capabilities that are allowed to be added to a container. The default set of capabilities are implicitly allowed. The empty set means that no additional capabilities may be added beyond the default set. * can be used to allow all capabilities.
  • required_drop_capabilities: the capabilities which must be dropped from containers. These capabilities are removed from the default set, and must not be added. Capabilities listed in required_drop_capabilities must not be included in allowed_capabilities or default_add_capabilities.
  • default_add_capabilities: the capabilities which are added to containers by default, in addition to the runtime defaults. See the documentation of your Container Runtime for the default list of capabilities.

The policy validates Pods at creation time and can also mutate them when either the required_drop_capabilities or the default_add_capabilities values are specified.

Note well: Kubernetes does not allow container capabilities to be changed after Pod creation time, hence this policy is interested only in CREATE operations.

Configuration

The policy can be configured with the following data structure:

allowed_capabilities:
- CHOWN

required_drop_capabilities:
- NET_ADMIN

default_add_capabilities:
- KILL

Examples

Allow only Container Runtime's default capabilities

Each Container Runtime (docker, containerd, CRI-O, ...) has a default list of allowed capabilities.

Deploying the policy with an empty configuration ensures no capability can be added to containers.

For example, the following Pod would be rejected by the policy:

apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ]
    securityContext:
      capabilities:
        add:
        - NET_ADMIN

Allow only approved capabilities to be added

This configuration allows only approved capabilities to be added to containers:

allowed_capabilities:
- CHOWN
- KILL

This configuration would allow these Pods:

apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ]
    securityContext:
      capabilities:
        add:
        - CHOWN
---
apiVersion: v1
kind: Pod
metadata:
  name: hello2
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ]

While these Pods would be rejected:

apiVersion: v1
kind: Pod
metadata:
  name: rejected
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ]
    securityContext:
      capabilities:
        add:
        - BPF
---
apiVersion: v1
kind: Pod
metadata:
  name: init-violation
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ]
  initContainers:
  - name: init1
    image: busybox
    command: [ "sh", "-c", "echo 'Hello from initContainer!'" ]
    securityContext:
      capabilities:
        add:
        - MKNOD

Mutate Pods

The policy can mutate Pods at creation time.

Let's take the following configuration:

allowed_capabilities:
- CHOWN
- KILL

required_drop_capabilities:
- NET_ADMIN

default_add_capabilities:
- CHOWN

And then try to create this Pod:

apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ]
    securityContext:
      capabilities:
        add:
        - KILL

The policy would change the Pod specification, leading to the creation of this Pod:

apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ]
    securityContext:
      capabilities:
        add:
        - KILL
        - CHOWN
        drop:
        - NET_ADMIN
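The rules spelled out in "How the policy works" and the accept/reject/mutate outcomes of the examples above can be checked offline with the following reference model. This is an added example, not the policy's own Rust code: it reimplements the documented behaviour (allowed_capabilities, required_drop_capabilities, default_add_capabilities, the settings conflict rule, init containers being checked too) over a plain Pod dict. All function names are this example's own, the sample Pods are constructed to mirror the README, and treating a capability listed in default_add_capabilities as implicitly allowed is an assumption the README does not state.

```python
"""Offline model of the capabilities policy rules described in this README.

Added example, not the policy's own code. Function names are this example's own.
"""
from copy import deepcopy


class SettingsError(ValueError):
    """Settings contradict each other: a capability in required_drop_capabilities
    must not also appear in allowed_capabilities or default_add_capabilities."""


def load_settings(settings):
    """Normalise the three lists and reject contradictory settings."""
    allowed = list(settings.get("allowed_capabilities") or [])
    drop = list(settings.get("required_drop_capabilities") or [])
    default_add = list(settings.get("default_add_capabilities") or [])
    conflict = set(drop) & (set(allowed) | set(default_add))
    if conflict:
        raise SettingsError(f"required_drop_capabilities overlaps: {sorted(conflict)}")
    return allowed, drop, default_add


def _containers(pod):
    """Init containers and regular containers are both subject to the policy
    (see the init-violation Pod above)."""
    spec = pod.get("spec") or {}
    return list(spec.get("initContainers") or []) + list(spec.get("containers") or [])


def _capabilities(container, create=False):
    """Return securityContext.capabilities of a container, creating it on demand."""
    if not create:
        return (container.get("securityContext") or {}).get("capabilities") or {}
    sc = container.get("securityContext") or {}
    container["securityContext"] = sc
    caps = sc.get("capabilities") or {}
    sc["capabilities"] = caps
    return caps


def validate_pod(pod, settings):
    """Return the violations for a CREATE request; an empty list means accepted."""
    allowed, drop, default_add = load_settings(settings)
    violations = []
    for c in _containers(pod):
        for cap in _capabilities(c).get("add") or []:
            if cap in drop:
                violations.append(f"{c['name']}: {cap} is in required_drop_capabilities")
            elif "*" in allowed or cap in allowed or cap in default_add:
                continue  # assumption: default_add entries count as allowed
            else:
                violations.append(f"{c['name']}: {cap} is not in allowed_capabilities")
    return violations


def mutate_pod(pod, settings):
    """Return a copy of the Pod with default_add_capabilities appended to every
    container's `add` list and required_drop_capabilities appended to `drop`,
    keeping the author's own entries and their order (as in the README example)."""
    _, drop, default_add = load_settings(settings)
    out = deepcopy(pod)
    if drop or default_add:
        for c in _containers(out):
            caps = _capabilities(c, create=True)
            if default_add:
                add = list(caps.get("add") or [])
                caps["add"] = add + [x for x in default_add if x not in add]
            if drop:
                dropped = list(caps.get("drop") or [])
                caps["drop"] = dropped + [x for x in drop if x not in dropped]
    return out


def admit(pod, settings):
    """Model the admission decision: (accepted, violations, pod as it would be created)."""
    violations = validate_pod(pod, settings)
    if violations:
        return False, violations, None
    return True, [], mutate_pod(pod, settings)


def make_pod(name, add=None, init_add=None):
    """Build a minimal Pod dict shaped like the README examples (constructed input)."""
    def container(cname, caps):
        c = {"name": cname, "image": "busybox",
             "command": ["sh", "-c", "echo 'Hello!' && sleep 1h"]}
        if caps:
            c["securityContext"] = {"capabilities": {"add": list(caps)}}
        return c
    pod = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
           "spec": {"containers": [container("hello", add)]}}
    if init_add:
        pod["spec"]["initContainers"] = [container("init1", init_add)]
    return pod


if __name__ == "__main__":
    # Settings from the "Mutate Pods" section, applied to its sample Pod.
    settings = {"allowed_capabilities": ["CHOWN", "KILL"],
                "required_drop_capabilities": ["NET_ADMIN"],
                "default_add_capabilities": ["CHOWN"]}
    accepted, problems, created = admit(make_pod("hello", add=["KILL"]), settings)
    print(accepted, problems, created["spec"]["containers"][0]["securityContext"])
    print(admit(make_pod("rejected", add=["BPF"]), {"allowed_capabilities": ["CHOWN", "KILL"]}))
```

The empty-settings case models the "Allow only Container Runtime's default capabilities" configuration: with no allowed_capabilities, any `add` entry is a violation, while a Pod that requests nothing is accepted unchanged.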

Obtain policy

The policy is automatically published as an OCI artifact inside of this container registry.

Using the policy

The easiest way to use this policy is through the kubewarden-controller.

Versions

v0.1.9 - Jan 27, 2022

v0.1.8 - Dec 03, 2021

v0.1.7 - Nov 27, 2021

v0.1.6 - Jun 26, 2021

v0.1.5 - Jun 16, 2021

v0.1.4 - Jun 02, 2021

v0.1.3 - May 25, 2021

v0.1.2 - Apr 20, 2021

v0.1.1 - Apr 02, 2021

v0.1.0 - Mar 20, 2021

Information - Updated May 16, 2022
