Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: allowPriviligeEscalation is optional #298

Open
jkleinlercher opened this issue Jul 28, 2023 · 0 comments
Open

[Bug]: allowPriviligeEscalation is optional #298

jkleinlercher opened this issue Jul 28, 2023 · 0 comments
Labels
bug Something isn't working triage Triage

Comments

@jkleinlercher
Copy link

What happened?

When a PSP has defined

allowPrivilegeEscalation: false

the psp-migration tool generates

          spec:
            "=(initContainers)":
              - "=(securityContext)":
                  "=(allowPrivilegeEscalation)": false
            "=(ephemeralContainers)":
              - "=(securityContext)":
                  "=(allowPrivilegeEscalation)": false
            containers:
              - "=(securityContext)":
                  "=(allowPrivilegeEscalation)": false

but the kyverno policy example show this:

            - securityContext:
                allowPrivilegeEscalation: "false"
            =(initContainers):
            - securityContext:
                allowPrivilegeEscalation: "false"
            containers:
            - securityContext:
                allowPrivilegeEscalation: "false"

which means securityContext.allowPriviligeEscalation is not optional.

https://github.com/kyverno/policies/blob/4c145c00af932b75ad33f819d8e31aefff30c9c0/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml#L35C1-L42C50

According to kubernetes/website#30104 it is not clear if allowPrivilegeEscalation defaults to false or true. The last comments seem to think it is true. So allowPrivilegeEscalation should not be optional.

What policy engine were you generating policy for

Kynvero

Relevant log output

No response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working triage Triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jkleinlercher