[Bug] podSecurity exception for Running as Non-root control doesn't work · Issue #12888 · kyverno/kyverno

etutuit opened this issue Apr 25, 2025 · 2 comments
Labels
bug Something isn't working triage Default label assigned to all new issues indicating label curation is needed to fully organize. validate.podSecurity podSecurity sub-rule type

Comments

etutuit commented Apr 25, 2025

Kyverno Version

1.13.4

Description

Hello,

I have come across an issue when defining exceptions for podSecurity subrules.

With policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: podsecurity-subrule-restricted
spec:
  background: true
  validationFailureAction: Audit
  rules:
  - name: podsecurity-subrule-restricted
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      podSecurity:
        level: restricted
        version: latest
        exclude:
        - controlName: Running as Non-root
          images:
          - busybox:*

and resource:

---
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  securityContext:
    runAsNonRoot: false
  containers:
  - image: busybox:latest
    name: test

Kyverno reports:

  Message:    Validation rule 'podsecurity-subrule-restricted' failed. It violates PodSecurity "restricted:latest": (Forbidden reason: runAsNonRoot != true, field error list: [spec.securityContext.runAsNonRoot is forbidden, forbidden values found: false])
  Policy:     podsecurity-subrule-restricted
  Properties:
    Controls:       runAsNonRoot
    Controls JSON:  [{"ID":"runAsNonRoot","Name":"Running as Non-root","Images":["docker.io/busybox:latest"]}]
    Standard:       restricted
    Version:        latest
  Result:           fail
  Rule:             podsecurity-subrule-restricted

I included only the relevant part; I am aware that the presented resource lacks other securityContext values, and the actual message would cover them too. The thing is, this behaviour is very surprising because these exceptions work for any other control covered by podSecurity. That's why I wanted to highlight this particular one. In addition, runAsNonRoot is defined at both pod and container level. The exception does not work only at pod level. I checked that by defining the exclude part like:

- controlName: Running as Non-root
  images:
  - busybox:*
  restrictedField: spec.securityContext.runAsNonRoot # doesn't work
  values:
  - "false"
- controlName: Running as Non-root
  images:
  - busybox:*
  restrictedField: spec.containers[*].securityContext.runAsNonRoot # works
  values:
  - "false"

And as mentioned, it is only not taken into consideration for the pod-level runAsNonRoot control, which seems unexpected. Therefore I report this as a bug.

I didn't find anything relevant reported in the admission controller or reports controller logs.

Regards

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
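To make the expected behaviour concrete, here is an added, simplified model of how a "Running as Non-root" exclude should apply to the pod-level and container-level restricted fields quoted above. This is illustration code written for this issue, not Kyverno's own implementation; the image-name prefix stripping and the reduced restricted-profile check are assumptions.

```python
import re
from fnmatch import fnmatchcase

CONTROL = "Running as Non-root"
POD_FIELD = "spec.securityContext.runAsNonRoot"
CTR_FIELD = "spec.containers[*].securityContext.runAsNonRoot"

def image_matches(pattern, image):
    # Assumption: busybox:* must also match the expanded docker.io/busybox:latest seen
    # in the report, so the name with any registry/namespace prefix stripped is tried too.
    return any(fnmatchcase(c, pattern) for c in {image, image.rsplit("/", 1)[-1]})

def run_as_non_root_violations(pod):
    """Simplified restricted-profile check: a container passes when its own
    runAsNonRoot is true, or when it is unset and the pod-level value is true.
    Returns (field path, offending value, image) triples."""
    spec = pod["spec"]
    pod_level = spec.get("securityContext", {}).get("runAsNonRoot")
    found = []
    for i, c in enumerate(spec.get("containers", [])):
        ctr_level = c.get("securityContext", {}).get("runAsNonRoot")
        if ctr_level is True or (ctr_level is None and pod_level is True):
            continue
        if ctr_level is False:
            found.append((CTR_FIELD.replace("*", str(i)), "false", c["image"]))
        else:  # container unset and pod level not true: the pod-level field is flagged
            found.append((POD_FIELD, "false" if pod_level is False else "undefined", c["image"]))
    return found

def apply_excludes(violations, excludes):
    """Drop a violation when an exclude names this control, matches the image and,
    if restrictedField/values are present, also matches the field path and value."""
    kept = []
    for field, value, image in violations:
        generic = re.sub(r"\[\d+\]", "[*]", field)  # containers[0] -> containers[*]
        excused = any(
            ex.get("controlName") == CONTROL
            and any(image_matches(p, image) for p in ex.get("images", []))
            and ex.get("restrictedField", generic) == generic
            and value in ex.get("values", [value])
            for ex in excludes)
        if not excused:
            kept.append((field, value, image))
    return kept

# Constructed sample: the pod and the two exclude variants from this issue.
POD = {"spec": {"securityContext": {"runAsNonRoot": False},
                "containers": [{"name": "test", "image": "busybox:latest"}]}}
BY_IMAGE_ONLY = [{"controlName": CONTROL, "images": ["busybox:*"]}]
CONTAINER_FIELD_ONLY = [{"controlName": CONTROL, "images": ["busybox:*"],
                         "restrictedField": CTR_FIELD, "values": ["false"]}]
```

With this model, `apply_excludes(run_as_non_root_violations(POD), BY_IMAGE_ONLY)` is empty (the exclude covers the pod-level field), while the `CONTAINER_FIELD_ONLY` variant leaves the pod-level violation in place, which is the split the report describes.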
@etutuit etutuit added bug Something isn't working triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Apr 25, 2025
@dosubot dosubot bot added the validate.podSecurity podSecurity sub-rule type label Apr 25, 2025
@realshuting realshuting added this to the Kyverno Release 1.14.2 milestone May 7, 2025
realshuting (Member) commented:

Hi @YTGhost - can you please take a look?

YTGhost (Member) commented May 7, 2025

Hi @YTGhost - can you please take a look?

Of course, I'll take a look at it this weekend.
