-
Notifications
You must be signed in to change notification settings - Fork 321
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Update apparmor: add CEL, support securityContext #533
Conversation
Looks like there may be a bug in the Rego side... I'll take a look in a bit |
Rego fixed ... pod-level security context retrieval did not take into account that it was a child of |
@maxsmythe do we want to update the policy version to |
@JaydipGabani SGTM. Is there anything special we need to do for that? Or just update the annotation? |
@maxsmythe Updating annotations and running |
bumped minor version |
Fixes #541 |
17b63a1
to
8c285a1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM on CEL
I'm guessing the k8s tests are failing because securityContext.appArmorProfile only exists as of k8s 1.30? |
@maxsmythe we are running tests with kind: 0.17.0 and that seems to have k8s 1.25.3. So I agree, I think that would be the reason as well. |
website/docs/validation/apparmor.md
Outdated
variables.podAppArmor.type == "Localhost" ? "localhost/" + variables.podAppArmor.localhostProfile : "" | ||
- name: appArmorByContainer | ||
expression: | | ||
variables.allContainers.map(container, [container.name, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is container.name unique across containers/ephemeralContainers/initContainers ? We should probably track these separately per-field.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, container.name is unique across all containers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
I think I still want to change this, as gator
will not have the K8s API server enforcing that rule.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@maxsmythe I am not sure how this change makes any difference as the cel code it-self doesnt check for unique names across all types of containers. can you explain?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nvm, I think I got it.
Signed-off-by: Max Smythe <[email protected]>
Signed-off-by: Max Smythe <[email protected]>
Signed-off-by: Max Smythe <[email protected]>
Signed-off-by: Max Smythe <[email protected]>
Signed-off-by: Max Smythe <[email protected]>
8c285a1
to
4143377
Compare
Signed-off-by: Max Smythe <[email protected]>
Signed-off-by: Max Smythe <[email protected]>
...facthub/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/example_allowed.yaml
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! LGTM
For context... here is how the applicable apparmor profile is derived:
https://github.com/kubernetes/kubernetes/blob/master/pkg/security/apparmor/helpers.go#L55-L76