https://github.com/kubewarden/pod-privileged-policy
A Kubewarden Policy that limits the ability to create privileged containers
- Host: GitHub
- URL: https://github.com/kubewarden/pod-privileged-policy
- Owner: kubewarden
- License: apache-2.0
- Created: 2020-12-01T21:16:10.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2024-12-11T09:55:56.000Z (6 months ago)
- Last Synced: 2024-12-11T10:36:46.743Z (6 months ago)
- Topics: hacktoberfest, kubernetes, kubernetes-security, kubewarden-policy, pod-security-policy, policy-as-code, webassembly
- Language: Rust
- Homepage: https://kubewarden.io
- Size: 358 KB
- Stars: 8
- Watchers: 7
- Forks: 6
- Open Issues: 2
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Codeowners: CODEOWNERS
README
Given the following scenario:

> As an operator of a Kubernetes cluster used by multiple users,
> I want to have tight control over who can schedule privileged containers.

Kubernetes containers can be run in privileged mode by setting `privileged: true` in their
[SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
A privileged container has essentially the same access to the host as a process running
directly on the node, so allowing it amounts to handing out node-level access.

Cluster administrators used to prevent regular users from creating privileged containers
with a Kubernetes built-in feature called [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).
However, Pod Security Policies were [deprecated](https://github.com/kubernetes/enhancements/issues/5)
in Kubernetes v1.21 and removed in v1.25.

Pod Security Policies can be replaced by policies enforced by an external admission
controller, such as Kubewarden.

This policy inspects the [AdmissionReview](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#request)
objects generated by the Kubernetes API server and either accepts or rejects them.

The policy can be used to inspect `CREATE` and `UPDATE` requests of `Pod` resources.
It rejects any pod with containers, init containers or ephemeral containers
configured as privileged in their [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
A container whose SecurityContext does not set `privileged` is treated as unprivileged,
which matches the Kubernetes default.

# Settings
The policy has two settings:

- `skip_init_containers`: if set to `true`, the policy ignores init containers
  that are configured as privileged. Default value is `false`.
- `skip_ephemeral_containers`: if set to `true`, the policy ignores ephemeral
  containers that are configured as privileged. Default value is `false`.

The main containers of the pod are always validated, regardless of these settings.
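The validation described above and the effect of the two settings, as an added example in Go that is not the project's code (the actual policy is written in Rust and compiled to WebAssembly). It models the check over the subset of an AdmissionReview the policy needs: the `Settings` JSON keys follow the README, the two sample AdmissionReview documents are constructed for this example, and the decision to accept requests that are not a `CREATE` or `UPDATE` of a `Pod` untouched is the example's own choice, since in Kubewarden the policy's rules decide which requests reach it.

```go
// Added example, not the project's code: a stand-alone Go model of the check
// performed by pod-privileged-policy. Setting names follow the README; the
// sample AdmissionReview documents below are constructed for this example.
package main

import (
	"encoding/json"
	"fmt"
)

// Settings mirrors the two policy settings, with their README names as JSON keys.
type Settings struct {
	SkipInitContainers      bool `json:"skip_init_containers"`
	SkipEphemeralContainers bool `json:"skip_ephemeral_containers"`
}

// Only the Pod fields the check needs are modelled. A nil Privileged means the
// field was not set, which Kubernetes treats as false.
type container struct {
	Name            string `json:"name"`
	SecurityContext *struct {
		Privileged *bool `json:"privileged"`
	} `json:"securityContext"`
}

type pod struct {
	Spec struct {
		Containers          []container `json:"containers"`
		InitContainers      []container `json:"initContainers"`
		EphemeralContainers []container `json:"ephemeralContainers"`
	} `json:"spec"`
}

// admissionReview models the subset of the AdmissionReview request that matters here.
type admissionReview struct {
	Request struct {
		Operation string `json:"operation"`
		Kind      struct {
			Kind string `json:"kind"`
		} `json:"kind"`
		Object json.RawMessage `json:"object"`
	} `json:"request"`
}

func isPrivileged(c container) bool {
	return c.SecurityContext != nil && c.SecurityContext.Privileged != nil && *c.SecurityContext.Privileged
}

// Validate returns whether the request is accepted and, when rejected, the reason.
func Validate(review []byte, s Settings) (bool, string) {
	var ar admissionReview
	if err := json.Unmarshal(review, &ar); err != nil {
		return false, "malformed AdmissionReview: " + err.Error()
	}
	req := ar.Request
	// In Kubewarden the policy's rules decide which requests reach it; this model
	// simply accepts anything that is not a CREATE or UPDATE of a Pod (example's choice).
	if req.Kind.Kind != "Pod" || (req.Operation != "CREATE" && req.Operation != "UPDATE") {
		return true, ""
	}
	var p pod
	if err := json.Unmarshal(req.Object, &p); err != nil {
		return false, "malformed Pod object: " + err.Error()
	}
	// Main containers are always checked; the other two groups honour the skip settings.
	groups := []struct {
		kind       string
		containers []container
		skip       bool
	}{
		{"container", p.Spec.Containers, false},
		{"init container", p.Spec.InitContainers, s.SkipInitContainers},
		{"ephemeral container", p.Spec.EphemeralContainers, s.SkipEphemeralContainers},
	}
	for _, g := range groups {
		if g.skip {
			continue
		}
		for _, c := range g.containers {
			if isPrivileged(c) {
				return false, fmt.Sprintf("privileged %s %q is not allowed", g.kind, c.Name)
			}
		}
	}
	return true, ""
}

// Constructed sample: unprivileged main container, privileged init container.
const SampleInitPrivileged = `{"request": {"operation": "CREATE", "kind": {"kind": "Pod"},
  "object": {"spec": {"initContainers": [{"name": "setup", "securityContext": {"privileged": true}}],
    "containers": [{"name": "app", "securityContext": {"privileged": false}}]}}}}`

// Constructed sample: the main container itself is privileged.
const SampleMainPrivileged = `{"request": {"operation": "UPDATE", "kind": {"kind": "Pod"},
  "object": {"spec": {"containers": [{"name": "app", "securityContext": {"privileged": true}}]}}}}`

func main() {
	for _, s := range []Settings{{}, {SkipInitContainers: true}} {
		ok, msg := Validate([]byte(SampleInitPrivileged), s)
		fmt.Printf("init sample, settings %+v: accepted=%v %s\n", s, ok, msg)
	}
	ok, msg := Validate([]byte(SampleMainPrivileged), Settings{SkipInitContainers: true, SkipEphemeralContainers: true})
	fmt.Printf("main sample, both skips on: accepted=%v %s\n", ok, msg)
}
```

Running it shows the first sample rejected with default settings and accepted once `skip_init_containers` is `true`, while the second sample is rejected even with both skips enabled, because main containers are never exempted.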
The user is responsible for configuring the resources targeted by the policy;
otherwise the policy will not be able to run. The currently supported resources
are listed in the `metadata.yml` file. See the
[Kubewarden documentation](https://docs.kubewarden.io/) for more information about
how to configure a policy.

# Examples
Let's define the policy and see how the validation works:
```console
kubectl apply -f - <