
cel expressions of hostprocess containers updated #1109

Merged: 2 commits merged into kyverno:main on Aug 6, 2024

Conversation

siddhikhapare
Contributor

@siddhikhapare siddhikhapare commented Aug 4, 2024

Related Issue(s)

Partially Fixes #1058
Fixes #1095

Description

I have updated the disallow-host-process policy to include a CEL variable, allContainers, which combines all container types and ensures the hostProcess field is either not set or set to false for each container.

Checklist

  • I have read the policy contribution guidelines.
  • I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

Signed-off-by: siddhikhapare <siddhikhapare77@gmail.com>
Signed-off-by: siddhikhapare <siddhikhapare77@gmail.com>
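To make the approach in the description concrete, the following is an added illustration (not the policy file merged in this PR, and not the project's own code) of a Kyverno ClusterPolicy that builds the `allContainers` CEL variable from `containers`, `initContainers` and `ephemeralContainers` and requires `hostProcess` to be unset or `false` on each of them. It goes one step beyond the description by also checking the pod-level `spec.securityContext.windowsOptions.hostProcess`, which the Pod Security Standards baseline "HostProcess" control covers as well; the policy name, messages and the trailing test Pod are constructed for this example. The `.?field.orValue([])` optional syntax assumes a Kyverno/Kubernetes CEL environment that enables optional types.

```yaml
# Added example, not the file merged in this PR. Names and messages are illustrative.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-process-cel-example
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: host-process-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          variables:
            # initContainers and ephemeralContainers are optional fields, so they are
            # defaulted to [] before concatenation; containers is always present.
            - name: allContainers
              expression: >-
                object.spec.containers +
                object.spec.?initContainers.orValue([]) +
                object.spec.?ephemeralContainers.orValue([])
          expressions:
            # Each has() guards the next one: has(a.b.c) is only safe once a.b is known to exist.
            - expression: >-
                variables.allContainers.all(c,
                  !has(c.securityContext) ||
                  !has(c.securityContext.windowsOptions) ||
                  !has(c.securityContext.windowsOptions.hostProcess) ||
                  c.securityContext.windowsOptions.hostProcess == false)
              message: >-
                HostProcess containers are disallowed. The field
                spec.containers[*].securityContext.windowsOptions.hostProcess (and the same
                field on initContainers and ephemeralContainers) must be unset or false.
            # Pod-level default: containers inherit this value when they do not set their own,
            # so a pod with no per-container field can still be a HostProcess pod.
            - expression: >-
                !has(object.spec.securityContext) ||
                !has(object.spec.securityContext.windowsOptions) ||
                !has(object.spec.securityContext.windowsOptions.hostProcess) ||
                object.spec.securityContext.windowsOptions.hostProcess == false
              message: >-
                HostProcess pods are disallowed. The field
                spec.securityContext.windowsOptions.hostProcess must be unset or false.
---
# Constructed negative test: no container sets hostProcess, yet the pod is a HostProcess pod
# through the pod-level default. Only the second expression rejects it.
apiVersion: v1
kind: Pod
metadata:
  name: hostprocess-podlevel-bad
spec:
  hostNetwork: true
  securityContext:
    windowsOptions:
      hostProcess: true
      runAsUserName: "NT AUTHORITY\\SYSTEM"
  containers:
    - name: app
      image: mcr.microsoft.com/windows/nanoserver:ltsc2022
```

With both documents saved to separate files, `kyverno apply policy.yaml --resource pod.yaml` (Kyverno CLI) should report the test Pod as failing the second rule expression, while a pod that sets `hostProcess: true` on an init container alone fails the first; a pod that leaves every `hostProcess` field unset or `false` passes both.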
@siddhikhapare
Contributor Author

@chipzoller Could you please review my PR? Thanks.

@chipzoller
Contributor

Waiting for CI to run. Seems like Actions are hung.

@siddhikhapare
Contributor Author

> Waiting for CI to run. Seems like Actions are hung.

Okay.

@siddhikhapare
Contributor Author

siddhikhapare commented Aug 5, 2024

@chipzoller HostProcess requirements specify configurations for Windows containers that need privileged access to the host, including settings such as hostProcess, hostNetwork, and specific user roles like runAsUserName and runAsNonRoot. If the Pod Security Standards define security profiles within a policy, do we still need to explicitly mention the other requirements for HostProcess Pod configuration, such as hostNetwork and user roles, in the policy? This point confuses me, and I would appreciate some clarification. I referred to the k8s docs.

@chipzoller
Contributor

All this policy is concerned with is implementing the exact checks for the specified control. It should only be a CEL version of this policy.

@chipzoller
Contributor

Closing then re-opening to see if CI will get unstuck.

@chipzoller chipzoller closed this Aug 5, 2024
@chipzoller chipzoller reopened this Aug 5, 2024
@chipzoller chipzoller merged commit 530fc9d into kyverno:main Aug 6, 2024
281 checks passed