Comments (9)
I'll take a first pass at adding these to https://github.com/open-policy-agent/gatekeeper-library, based on the spec in https://kubernetes.io/docs/concepts/security/pod-security-standards/
from gatekeeper-library.
It'd be good to do this in a separate library Repo. I think we've graduated to the point where the library should have its own lifecycle.
from gatekeeper-library.
for anyone landing here, https://github.com/open-policy-agent/gatekeeper/tree/master/library/pod-security-policy is the currently list but is not separated into the buckets from https://kubernetes.io/docs/concepts/security/pod-security-standards/ as of now (privileged, baseline/default, and restricted)
from gatekeeper-library.
Thanks @jsturtevant! The plan is to move the policies in https://github.com/open-policy-agent/gatekeeper/tree/master/library/pod-security-policy to https://github.com/open-policy-agent/gatekeeper-library within their own buckets. Hopefully we will get to this soon.
from gatekeeper-library.
As discussed on the community call, here are some ideas to consider for implementation to support pod security standards:
- create a folder for each bucket: baseline, restricted, privilege under https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-standards (a new folder)
- use kustomize and labels (maybe?) to replicate copies of applicable constraint templates and constraints folders in https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy to these three folders
from gatekeeper-library.
As discussed on the community call, here are some ideas to consider for implementation to support pod security standards:
- create a folder for each bucket: baseline, restricted, privilege under https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-standards (a new folder)
We may run into other common use cases for GK policies. Do we want to create a folder to group these into?
gatekeeper-library/policy-packs/pod-security-standards/{privileged,baseline,restricted}
- use kustomize and labels (maybe?) to replicate copies of applicable constraint templates and constraints folders in https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy to these three folders
The constraints will have to be purpose-built to implement the relevant standard, so will probably live (and be developed) directly in these folders. How to integrate the templates is an interesting problem. We probably don't want them living side-by-side with constraints because:
- Users will probably apply multiple tiers of these standards per cluster, we probably don't want to duplicate templates if they do so
- Users will want to customize these "packs" (adopting that name for "bundle of constraints" for the sake of discussion) to apply to specific namespaces (e.g. "prod" is restricted, "dev" is baseline). That means injecting specific matchers into all constraints in a given pack. We wont want to inject matchers into ConstraintTemplates as that's not a valid thing to do.
How would users consume packs?
Ideally we'd want something where a user can declare "namespace foo is privileged" with a minimum amount of complexity.
The low-level pipeline for that would be:
- Gather any missing templates
- Gather the constraints from the appropriate directory
- Apply a namespace matcher to all the constraints
What would the output device be? Is this going straight to kubectl apply
? Or is there some source-of-truth repository the output will be added to? This matters for templates -- without a cluster to query, it's hard to know how we'd detect "missing templates"
kpt
is targeted at the use case of "apply a bundle of manifests", kind of like how gomod manages golang packages. That makes it seem a likely way of doing this, though I don't know about the part where we're injecting a matcher into all constraints. A kpt function could do that. I'm not sure if there is one ready-made to help with this.
Another option would be to use what @sozercan suggested, writing our own custom binary, though then we'd need to have a pipeline for hosting/delivering that.
None of the above addresses the template problem. I don't think there is a great prepackaged solution here. Kustomize is tempting, but we'd need to include files outside the Kustomize file's base directory. We probably don't want to put anything inside the template tree, as that couples the "packages" directory with our source code, which will hurt maintainability in the future. If we used the custom binary idea, we could scan the library
directory for templates that support the underlying kind as part of a build process.
Another option would be to require the user to add templates manually, that would be a one-time cost. That would sidestep the "missing template" problem.
from gatekeeper-library.
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
from gatekeeper-library.
not stale
from gatekeeper-library.
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
from gatekeeper-library.
Related Issues (20)
- Consider validating pod generic ephemerals in K8sStorageClass HOT 2
- Consolidating Kubernetes PSP-related ConstraintTemplates into a Single Template for Streamlined Migration HOT 1
- bump mutate assign api version from alpha to v1
- Website generator appears to only retain the final mutation sample per directory HOT 2
- Any interest in policies/constraints that apply to custom resources? HOT 6
- Workflow Upload artifacts: overwrites the matrixed job logs HOT 1
- k8spsphostnetworkingports exemptImages does not allow hostNetwork HOT 4
- automount-serviceaccount-token ConstraintTemplate does not reflect ServiceAccount settings HOT 1
- Not able to create statefulset without storageclass with policy k8sallowedstorageclas is used HOT 1
- Should apparmor always view unconfined as complaint? HOT 4
- The example of disallowed/allowed ingress resources in the unique ingress host example has incorrect hostnames HOT 9
- Add colon in message for consistency
- Example of pod mutation adding init-container HOT 4
- Example k8scontainerlimits does not throw error for a deployment but does on a plain Pod creation HOT 2
- poddisruptionbudget policy query HOT 3
- K8sRequiredResources ConstraintTemplate doesn't work properly HOT 1
- `variables.anyObject` should be used for required labels CEL
- Add CEL code for PSP Policies in library
- Improve Rego testing for library
- K8sPSPHostNetworkingPorts constraint template not handling exemptImages parameter properly HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gatekeeper-library.