Kyverno Version
1.13.4
Description
Hello,
I have come across an issue when defining exceptions for podSecurity subrules.
With the policy:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: podsecurity-subrule-restricted
spec:
  background: true
  validationFailureAction: Audit
  rules:
    - name: podsecurity-subrule-restricted
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        podSecurity:
          level: restricted
          version: latest
          exclude:
            - controlName: Running as Non-root
              images:
                - busybox:*
```
and the resource:
```yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  securityContext:
    runAsNonRoot: false
  containers:
    - image: busybox:latest
      name: test
```
Kyverno reports:
```
Message:  Validation rule 'podsecurity-subrule-restricted' failed. It violates PodSecurity "restricted:latest": (Forbidden reason: runAsNonRoot != true, field error list: [spec.securityContext.runAsNonRoot is forbidden, forbidden values found: false])
Policy:   podsecurity-subrule-restricted
Properties:
  Controls:       runAsNonRoot
  Controls JSON:  [{"ID":"runAsNonRoot","Name":"Running as Non-root","Images":["docker.io/busybox:latest"]}]
  Standard:       restricted
  Version:        latest
Result:   fail
Rule:     podsecurity-subrule-restricted
```
I included only the relevant part; I am aware that the presented resource lacks other securityContext values, and the actual message would cover them too. The thing is, this behaviour is very surprising because these exceptions work for any other control covered by podSecurity. That's why I wanted to highlight this particular one. In addition, runAsNonRoot is defined at both pod and container level. The exception does not work only at the pod level. I checked that by defining the exclude part like:
```yaml
- controlName: Running as Non-root
  images:
    - busybox:*
  restrictedField: spec.securityContext.runAsNonRoot # doesn't work
  values:
    - "false"
- controlName: Running as Non-root
  images:
    - busybox:*
  restrictedField: spec.containers[*].securityContext.runAsNonRoot # works
  values:
    - "false"
```
And as mentioned, it is only not taken into consideration for the pod-level runAsNonRoot control, which seems unexpected. Therefore I report this as a bug.
I didn't find anything relevant reported in the admission controller or reports controller logs.
Regards
Slack discussion
No response
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
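As an added example (not part of the issue or of Kyverno's code), the following script audits policy report results against a rule's exclude list and flags failures whose control and image are covered by an exclude entry but were still reported, which is the symptom described above. The `Controls JSON` string and the exclude list are copied from the issue; the image matching (fnmatch, with and without the `docker.io/` registry prefix) is an assumption and a simplification, not Kyverno's exact matching logic.

```python
"""Audit Kyverno podSecurity failures against a rule's exclude list.

Added example, not Kyverno's own code. Image matching below is a
simplification (assumption), not Kyverno's exact wildcard logic.
"""
import fnmatch
import json

# Exclude list copied from the policy in the issue.
EXCLUDES = [{"controlName": "Running as Non-root", "images": ["busybox:*"]}]

# 'Controls JSON' property copied from the report in the issue.
CONTROLS_JSON = (
    '[{"ID":"runAsNonRoot","Name":"Running as Non-root",'
    '"Images":["docker.io/busybox:latest"]}]'
)


def image_matches(pattern: str, image: str) -> bool:
    """Glob-match a normalized image reference against an exclude pattern.

    Assumption: a pattern without a registry (e.g. 'busybox:*') is also
    tried against the image with its registry prefix removed, since the
    report shows images normalized to 'docker.io/...'.
    """
    if fnmatch.fnmatchcase(image, pattern):
        return True
    registry, _, rest = image.partition("/")
    return "." in registry and fnmatch.fnmatchcase(rest, pattern)


def unexpected_failures(controls_json: str, excludes: list) -> list:
    """Return (control name, image) pairs that failed although an exclude covers them."""
    hits = []
    for control in json.loads(controls_json):
        for image in control.get("Images", []):
            for ex in excludes:
                if ex["controlName"] == control["Name"] and any(
                    image_matches(p, image) for p in ex.get("images", [])
                ):
                    hits.append((control["Name"], image))
    return hits


if __name__ == "__main__":
    for name, image in unexpected_failures(CONTROLS_JSON, EXCLUDES):
        print(f"excluded control {name!r} still reported as failed for {image}")
```

Run against the report from the issue it prints one line for the pod-level runAsNonRoot failure, the case the exclude entry was expected to cover.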