Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fsgroup cel #523

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fsgroup cel #523

wants to merge 2 commits into from

Conversation

ritazh
Copy link
Member

@ritazh ritazh commented May 11, 2024

What this PR does / why we need it:

Which issue(s) does this PR fix (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #541

Special notes for your reviewer:

@ritazh ritazh requested a review from a team as a code owner May 11, 2024 01:24
@ritazh ritazh force-pushed the fsgroup-cel branch 2 times, most recently from 862f610 to 3b3f636 Compare May 13, 2024 22:31
expression: '!has(object.spec.securityContext) ? "" : !has(object.spec.securityContext.fsGroup) ? "" : object.spec.securityContext.fsGroup'
- name: input_fsGroup_allowed
expression: |
!has(variables.params.rule) ? true : variables.params.rule == "RunAsAny" ? true : variables.params.rule == "MayRunAs" && variables.fsGroup == "" ? true : (variables.params.rule == "MayRunAs" || variables.params.rule == "MustRunAs") && has(variables.params.ranges) && size(variables.params.ranges) > 0 ? variables.params.ranges.all(range, range.min <= variables.fsGroup && range.max >= variables.fsGroup) : false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems like there might be a bug in respective rego code. If input.params.rule is missing the policy will deny create violations for all objects with rego code. However, desired behavior is where we dont want to throw violations when params.rule is missing.

thoughts? @ritazh @maxsmythe

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are correct for completeness. Though the constraint is pretty useless without the rule specified.

For completeness, we can add the check has_field(input.parameters, "rule") in rego but technically it is not backward compatible if users have missing rule today.

For this, do we want to bump major or minor?

Major version bump required: Whenever there is a breaking change in the policy e.g. updating template Kind, updating existing parameter schema, adding the requires-sync-data annotation to sync new data, or any other breaking changes
Minor version bump required: Whenever there is a backward compatible change in the policy e.g. adding a parameter, updating Rego logic

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think Major version just to be on safe side of things.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I cannot parse the phrase "deny create violations" what is the behavior you are describing?

This line in the violation[] rule shows if parameters.rule is unset, no violation will be thrown:

has_field(input.parameters, "rule")

Perhaps write a test case that shows the situation-of-concern to validate whether there actually is drift?

Copy link
Member Author

@ritazh ritazh Sep 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@maxsmythe I added has_field(input.parameters, "rule") in the rego https://github.com/open-policy-agent/gatekeeper-library/pull/523/files#diff-54ba54eb002245f40e88e03c102ebf4b4783d7f3f501cf73a5996119e48e062fR8 to ensure consistency between rego and cel. without it, rego will return a violation for a constraint with unspecified rule. Is this the right behavior? or should unspecified rule not return a violation.
If it does not return a violation, then the change would be considered as not backward compat. do we keep the same behavior for both cel and rego or do we correct this and bump the major version?

Copy link
Contributor

@maxsmythe maxsmythe Sep 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we just make VAP-CEL return a violation if the parameter is undefined?

Technically the constraint is invalid if a required parameter is missing. I know we have returned violations for these kinds of problems before (e.g. RAM limits that cannot be canonicalized).

I'm also okay with calling the current Rego behavior a bug and changing it via patch/minor version update.

My logic there is that if there are any users who failed to set this parameter, they will have effectively created a DenyAll constraint for Pods... it seems unlikely that that was their intent or that they would keep a constraint in that condition.

TL;DR changing the CEL to conform to the Rego or vice versa both work for me.

src/pod-security-policy/fsgroup/src.cel Outdated Show resolved Hide resolved
Copy link
Contributor

@JaydipGabani JaydipGabani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after we settle on minor or major version bump is needed for this teamplate.

library/pod-security-policy/fsgroup/template.yaml Outdated Show resolved Hide resolved
library/pod-security-policy/fsgroup/template.yaml Outdated Show resolved Hide resolved
library/pod-security-policy/fsgroup/template.yaml Outdated Show resolved Hide resolved
Copy link

stale bot commented Nov 14, 2024

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Nov 14, 2024
@ritazh ritazh removed the stale label Nov 14, 2024
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add CEL code for PSP Policies in library
3 participants