Is your feature request related to a problem? Please describe.
Part of Kubernetes PSP replacement.
We want to replicate the restricted PSP securityContext mutations using Gatekeeper. This is convenient for them as it involves less for them when migrating from PSP to PSA + Gatekeeper.
Below is a description of the fields that the restricted PSP might mutate (information taken from here):
- spec.fsGroup might assign spec.securityContext.fsGroup: 1
- spec.supplementalGroups might assign spec.securityContext.supplementalGroups: 1
- spec.runAsGroup might assign spec.[init]containers[*].securityContext.runAsGroup: 1
- spec.allowPrivilegeEscalation might assign spec.[init]containers[*].securityContext.allowPrivilegeEscalation: false
- spec.runAsUser might assign spec.[init]containers[*].securityContext.runAsNonRoot: true (we don't have mustRunAs specified so it won't assign spec...runAsUser)
- spec.requiredDropCapabilities might assign spec.[init]containers[*].securityContext.capabilities.drop: ["ALL"]
- metadata.annotations['apparmor.security.beta.kubernetes.io/defaultProfileName'] might assign metadata.annotations['apparmor.security.beta.kubernetes.io/<container name>']: $defaultProfileName
- metadata.annotations['seccomp.security.alpha.kubernetes.io/defaultProfileName'] might assign spec.[init]containers[*].securityContext.seccompProfile: runtime/default
Describe the solution you'd like
Definition of done:
The mutations that can be done by the restricted PSP are now instead done with Gatekeeper.
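As an added illustration (not part of this issue or of any Gatekeeper library), here is what two of the listed PSP mutations look like as Gatekeeper mutators: an Assign that defaults allowPrivilegeEscalation to false only when the pod left it unset (which is how PSP defaulting behaved), and a ModifySet that merges "ALL" into capabilities.drop. The mutator names are assumptions, and a second copy of each with a `spec.initContainers[name:*]` location is needed to also cover init containers.

```yaml
# Added example, not from the issue. Names are assumptions.
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
  name: psp-restricted-allow-privilege-escalation
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
    - apiGroups: ["*"]
      kinds: ["Pod"]
    # assumption: leave control-plane pods alone
    excludedNamespaces: ["kube-system"]
  # [name:*] applies the mutation to every entry in the containers list
  location: "spec.containers[name:*].securityContext.allowPrivilegeEscalation"
  parameters:
    # Default the field only when it is absent, mirroring PSP defaulting.
    # A pod that explicitly sets true is not silently rewritten; it is left
    # for validation (PSA restricted profile or a constraint) to reject.
    pathTests:
    - subPath: "spec.containers[name:*].securityContext.allowPrivilegeEscalation"
      condition: MustNotExist
    assign:
      value: false
---
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: ModifySet
metadata:
  name: psp-restricted-drop-all-capabilities
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  location: "spec.containers[name:*].securityContext.capabilities.drop"
  parameters:
    # merge keeps whatever the pod already drops and adds "ALL" to the set
    operation: merge
    values:
      fromList: ["ALL"]
```

After applying both, `kubectl get pod <name> -o yaml` on a newly created pod shows the defaulted fields, which is the quickest check that the mutation webhook is actually in the admission path.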