Kubewarden policy psp-allowed-fsgroups

Replacement for the Kubernetes Pod Security Policy that controls the usage of fsGroup in the pod security context.

Settings

This policy works by defining what fsGroup is allowed in the pod security context.

One of the following setting keys are accepted for this policy:

MustRunAs: contains a list of ranges that define valid ranges for the fsGroup value. At least one range must contain the provided .securityContext.fsGroup. If the pod does not contain a .securityContext, or a .securityContext.fsGroup, then this policy acts as mutating and defaults the fsGroup attribute to the first min value of the list of provided ranges.
MayRunAs: contains a list of ranges that define valid ranges for the fsGroup value. At least one range must contain the provided .securityContext.fsGroup. If the pod does not contain a .securityContext or a .securityContext.fsGroup, then this policy will accept the request.
RunAsAny: always accepts the request.

Configuration examples:

rule: RunAsAny

rule: MayRunAs
ranges:
  - min: 1000
    max: 2000
  - min: 3000
    max: 4000

rule: MustRunAs
ranges:
  - min: 1000 # If no fsGroup is set for the pod, the
              # policy will default it to this value
    max: 2000
  - min: 3000
    max: 4000

Name		Name	Last commit message	Last commit date
Latest commit History 130 Commits
.github/workflows		.github/workflows
src		src
test_data		test_data
.gitignore		.gitignore
CODEOWNERS		CODEOWNERS
CONTRIBUTING.md		CONTRIBUTING.md
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
artifacthub-pkg.yml		artifacthub-pkg.yml
artifacthub-repo.yml		artifacthub-repo.yml
hub.yml		hub.yml
metadata.yml		metadata.yml
questions-ui.yml		questions-ui.yml
renovate.json		renovate.json

License

kubewarden/allowed-fsgroups-psp-policy

Folders and files

Latest commit

History

Repository files navigation

Kubewarden policy psp-allowed-fsgroups

Settings

About

Topics

Resources

License

Stars

Watchers

Forks

Languages