
please add the projected volume type in the volumes list #43

Open
caleyg opened this issue Oct 19, 2020 · 3 comments
caleyg commented Oct 19, 2020

Is your feature request related to a problem? Please describe.
When running kubectl advise-psp inspect -n test_namespace and a pod requires a projected volume type of some kind, that type is not included in the psp's list of volumes: in the generated yaml.

Describe the solution you'd like
If a volumeType of projected is detected in the spec, its read/write property and type should be listed in the psp generated i

Describe alternatives you've considered
No other alternatives were considered other than having to debug the missing pieces while getting the amazon-cloudwatch-agent and fluentbitd daemonsets running in their namespace.

caleyg commented Oct 20, 2020

I also found the same to be true for pods that might need to allow for allowPrivilegeEscalation and various allowedCapabilities; these are generally listed in the pod spec, but are also not included in the generated output. If I should create a new issue for each of these, I can.

Kaizhe commented Oct 22, 2020

@caleyg do you have a sample yaml that I can test with?

caleyg commented Oct 22, 2020

Thanks for the response! These might be able to help some!

```yaml
apiVersion: v1   # required by kubectl apply; missing from the pasted spec
kind: Pod
metadata:
  name: test-projected-volume
spec:
  containers:
  - name: test-projected-volume
    image: busybox
    args:
    - sleep
    - "86400"
    volumeMounts:
    - name: all-in-one
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: all-in-one
    projected:
      sources:
      - secret:
          name: user
      - secret:
          name: pass
```

```shell
# Create files containing the username and password:
echo -n "admin" > ./username.txt
echo -n "1f2d1e2e67df" > ./password.txt

# Package these files into secrets:
kubectl create secret generic user --from-file=./username.txt
kubectl create secret generic pass --from-file=./password.txt

# create the projected test pod (the above yaml)
kubectl apply -f https://k8s.io/examples/pods/storage/projected.yaml
```

Pod with NET_ADMIN capabilities. I haven't tried to add others that might be needed.

```yaml
apiVersion: v1   # required by kubectl apply; missing from the pasted spec
kind: Pod
metadata:
  name: capabilities
spec:
  containers:
    - name: capabilities
      image: "ubuntu:14.04"
      command:
        - /bin/sleep
        - "300"
      securityContext:
        capabilities:
          add:
            - NET_ADMIN
```

A privileged pod that would need a generated psp unique to that pod to include allowPrivilegeEscalation: true.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged
spec:
  containers:
    - name: privileged
      image: "ubuntu:14.04"   # the pasted spec was missing the space after "image:"
      securityContext:
        privileged: true
```
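
As an added illustration of what this issue asks for (not kube-psp-advisor's own code): a small Python walk over the three pod specs above that derives the PSP fields each one needs and shows why a PSP whose volumes list lacks `projected` would deny the first pod at admission. The pod dicts are constructed from the YAML in this comment; `derive_psp_fields`, `psp_rejections` and `PSP_WITHOUT_PROJECTED` are hypothetical names.

```python
# Constructed from the three pod specs in the comment above; not kube-psp-advisor's code.
PROJECTED_POD = {"spec": {
    "containers": [{"name": "c", "image": "busybox",
                    "volumeMounts": [{"name": "all-in-one", "readOnly": True}]}],
    "volumes": [{"name": "all-in-one", "projected": {"sources": [
        {"secret": {"name": "user"}}, {"secret": {"name": "pass"}}]}}]}}
CAPS_POD = {"spec": {"containers": [{"name": "c", "image": "ubuntu:14.04",
            "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}}
PRIV_POD = {"spec": {"containers": [{"name": "c", "image": "ubuntu:14.04",
            "securityContext": {"privileged": True}}]}}
# A PSP whose volumes list omits 'projected', as the reporter saw in the generated yaml.
PSP_WITHOUT_PROJECTED = {"volumes": ["secret"], "allowedCapabilities": [],
                         "privileged": False, "allowPrivilegeEscalation": False}


def derive_psp_fields(pod):
    """Collect the PSP settings this pod needs: volume types, added capabilities,
    privileged and allowPrivilegeEscalation (the fields the issue says are missed)."""
    spec = pod["spec"]
    need = {"volumes": set(), "allowedCapabilities": set(),
            "privileged": False, "allowPrivilegeEscalation": False}
    for vol in spec.get("volumes", []):
        # In a pod volume entry every key other than 'name' is the volume type,
        # so a 'projected' volume must yield 'projected' in psp.spec.volumes.
        need["volumes"].update(k for k in vol if k != "name")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        need["allowedCapabilities"].update((sc.get("capabilities") or {}).get("add", []))
        need["privileged"] |= bool(sc.get("privileged"))
        # PSP validation rejects privileged: true unless escalation is allowed too.
        need["allowPrivilegeEscalation"] |= bool(sc.get("privileged") or
                                                 sc.get("allowPrivilegeEscalation"))
    return need


def psp_rejections(psp, pod):
    """Reasons PSP admission would deny the pod; an empty list means admitted."""
    need, why = derive_psp_fields(pod), []
    for field, label in (("volumes", "volume type"), ("allowedCapabilities", "capability")):
        if "*" not in psp[field]:  # '*' allows every type / capability
            why += ["%s %s not allowed" % (label, x)
                    for x in sorted(need[field] - set(psp[field]))]
    for flag in ("privileged", "allowPrivilegeEscalation"):
        if need[flag] and not psp[flag]:
            why.append("%s not allowed" % flag)
    return why
```

Feeding `derive_psp_fields(PROJECTED_POD)["volumes"]` into the generated PSP's volumes list is exactly the fix the issue requests; without it `psp_rejections` reports the projected volume as disallowed.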

@Kaizhe Kaizhe self-assigned this Apr 2, 2021