[Sample] Add require-run-as-nonroot policy that use CEL expressions #824

Closed
2 tasks done
MariamFahmy98 opened this issue Dec 4, 2023 · 3 comments · Fixed by #923

Comments

@MariamFahmy98
Contributor

Problem Statement

Currently, all PSS policies are written in CEL expressions except the require-run-as-nonroot policy. We need to include it as well.

Refer to this comment for more information.

Solution Description

N/A

Example "Good" Resource

No response

Example "Bad" Resource

No response

Other Comments

No response

Slack discussion

No response

Troubleshooting

MariamFahmy98 added the sample label Dec 4, 2023
@chipzoller
Contributor

The Slack thread in reference seems to be here, but I don't see any follow-up on your part. Would like to see how we can resolve and get this in with the objective being the complete set of PSS policies implemented as CEL subrules.

@jayme-github
Contributor

jayme-github commented Feb 28, 2024

I've re-added @MariamFahmy98's policy from 853bff9#diff-3416b7bb0c4cce31c5d5833e936ec552ea9d1426fadb6f2ec3b81bce4cb910a8 together with tests from pod-security/restricted/require-run-as-nonroot/ and it passes kyverno and chainsaw for me. Maybe this was just a glitch in kuttl?

@MariamFahmy98
Contributor Author

> I've re-added @MariamFahmy98's policy from 853bff9#diff-3416b7bb0c4cce31c5d5833e936ec552ea9d1426fadb6f2ec3b81bce4cb910a8 together with tests from pod-security/restricted/require-run-as-nonroot/ and it passes kyverno and chainsaw for me. Maybe this was just a glitch in kuttl?

Feel free to create a PR that adds the test.

jayme-github added a commit to jayme-github/kyverno-policies that referenced this issue Mar 1, 2024
Add an additional test where securityContext is present but runAsNonRoot
is not.

Fixes: kyverno#824
Signed-off-by: jayme-github <[email protected]>
jayme-github added a commit to jayme-github/kyverno-policies that referenced this issue Mar 6, 2024
Add an additional test where securityContext is present but runAsNonRoot
is not.

Fixes: kyverno#824
Signed-off-by: jayme-github <[email protected]>
chipzoller added a commit that referenced this issue Mar 9, 2024
* Add require-run-as-nonroot policy that use CEL expressions

Add an additional test where securityContext is present but runAsNonRoot
is not.

Fixes: #824
Signed-off-by: jayme-github <[email protected]>

* Fix rule name to match policy name

Signed-off-by: jayme-github <[email protected]>

---------

Signed-off-by: jayme-github <[email protected]>
Co-authored-by: Chip Zoller <[email protected]>
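
An added example, not code from the repository or its contributors: a Python model of the Pod Security Standards restricted runAsNonRoot rule over dict manifests, showing how the case named in the commit message (securityContext present, runAsNonRoot absent) has to be treated as unset rather than as passing. The function names, test-case names and sample pods are constructed for illustration.

```python
# Added illustration (not the Kyverno policy): the Pod Security Standards
# "restricted" runAsNonRoot rule, evaluated over plain dict manifests.

def run_as_non_root(holder):
    """Return True, False, or None (unset) for a pod spec or a container."""
    # A missing securityContext and a securityContext without runAsNonRoot
    # both count as unset; the latter is the case the added test covers.
    return (holder.get("securityContext") or {}).get("runAsNonRoot")


def violations(pod):
    """Return a list of findings; an empty list means the pod passes."""
    spec = pod.get("spec") or {}
    pod_level = run_as_non_root(spec)
    found = []
    if pod_level is False:
        found.append("pod: runAsNonRoot explicitly false")
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            value = run_as_non_root(c)
            if value is False:
                found.append(f"{kind}/{c['name']}: runAsNonRoot explicitly false")
            elif value is None and pod_level is not True:
                # Unset is acceptable only when the pod level sets true.
                found.append(f"{kind}/{c['name']}: runAsNonRoot not set")
    return found


# Constructed sample: securityContext present, runAsNonRoot absent.
CTX_WITHOUT_FIELD = {"name": "app", "image": "example/app:1",
                     "securityContext": {"allowPrivilegeEscalation": False}}

# Constructed sample pods, keyed by a hypothetical test-case name.
SAMPLES = {
    "bad-ctx-no-field": {"spec": {"containers": [CTX_WITHOUT_FIELD]}},
    "good-pod-level": {"spec": {"securityContext": {"runAsNonRoot": True},
                                "containers": [CTX_WITHOUT_FIELD]}},
    "bad-container-false": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app",
                        "securityContext": {"runAsNonRoot": False}}]}},
}

if __name__ == "__main__":
    for name, pod in SAMPLES.items():
        print(name, violations(pod) or "pass")
```
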