Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NDEV-18111: add mutate policy for adding-capabilities-strict rule #171

Merged
merged 3 commits into from
Oct 14, 2024
Merged

NDEV-18111: add mutate policy for adding-capabilities-strict rule #171

merged 3 commits into from
Oct 14, 2024

Conversation

suhasgummanirmata
Copy link
Contributor

@suhasgummanirmata suhasgummanirmata commented Sep 29, 2024
edited
Loading

Description:

Final Changes:

Replace is not supported in kyverno1.10. So, used a combination of remove and add.

Add a rule to restrict-adding-capabilities-other-than-net-bind-service.

The patchesJson6902 method can be useful when a specific mutation is needed which cannot be performed by patchesStrategicMerge. For example, when needing to mutate a specific object within an array, the index can be specified as part of a patchesJson6902 mutation rule.

One distinction between this and other mutation methods is that patchesJson6902 does not support the use of conditional anchors. Use preconditions instead. Also, mutations using patchesJson6902 to Pods directly are not converted to higher-level controllers such as Deployments and StatefulSets through the use of the auto-gen feature. Therefore, when writing such mutation rules for Pods, it may be necessary to create multiple rules to cover all relevant Pod controllers.

Since we cannot use conditional anchors had to use two pre conditions.

  • Previously, the existing rule for drop all capabilities was clearing all entries in securityContext. Fixed it
Screenshot 2024-09-29 at 11 38 02 AM

Chandan-DK
Chandan-DK reviewed Sep 29, 2024
View reviewed changes
Copy link
Contributor

@Chandan-DK Chandan-DK left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add Chainsaw tests for this. Also, is there a reason why we don't explicitly check for Pods? 🤔 It seems like other remediate policies in the library don't check for Pods either. Otherwise, LGTM!

...security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml Show resolved Hide resolved
@Chandan-DK
Copy link
Contributor

@anusha94 - Please approve this PR, we can get it merged and the chainsaw tests will pass

@anusha94 anusha94 merged commit 53231d7 into main Oct 14, 2024
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Chandan-DK Chandan-DK Chandan-DK left review comments

@anusha94 anusha94 anusha94 approved these changes

@puneet-nirmata puneet-nirmata Awaiting requested review from puneet-nirmata

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@suhasgummanirmata @Chandan-DK @anusha94