Update PSS with 1.25 changes #380

Open
chipzoller opened this issue Aug 28, 2022 · 1 comment
@chipzoller
Contributor

As of 1.25, in a Pod the `spec.os` is now enforced and obeyed, whereas previously it was null. See blog here. Need to update PSS policies so that the three mentioned controls in the Restricted profile only take effect if `spec.os` is ≠ windows.

@chipzoller chipzoller added the enhancement New feature or request label Aug 28, 2022
@chipzoller chipzoller self-assigned this Aug 28, 2022
@chipzoller
Contributor Author

Kyverno 1.8.0 is the first version that will be able to get the API server's version (by requesting `/version`). Prior to kubelet 1.24, `spec.os` could be set yet wasn't enforced. This means that updating the PSS policies appropriately with the relaxed controls for running on Windows requires a minimum version of Kyverno 1.8.0, or else it could mean policy circumvention.
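
The version gate described in this thread, sketched as an added example (not part of the issue and not Kyverno's own code): the Windows exemption is honored only when the API server version shows that `spec.os` is enforced. Assumptions: the 1.25 threshold is taken from the issue title, `allowPrivilegeEscalation` is used as one of the three Restricted controls, and all function names and sample objects are hypothetical.

```python
import re

# Assumption: the exemption is honored from this server version on
# (taken from the issue title, "1.25 changes").
MIN_ENFORCED = (1, 25)


def server_version(version_doc):
    """Parse the JSON body returned by the API server's /version endpoint."""
    # "minor" can carry a suffix such as "25+", so keep only leading digits.
    major = int(re.match(r"\d+", version_doc["major"]).group())
    minor = int(re.match(r"\d+", version_doc["minor"]).group())
    return (major, minor)


def windows_exempt(pod, version_doc):
    """True only if spec.os.name is windows AND the cluster enforces spec.os."""
    os_name = ((pod.get("spec") or {}).get("os") or {}).get("name")
    return os_name == "windows" and server_version(version_doc) >= MIN_ENFORCED


def violations(pod, version_doc):
    """Check one Restricted control: allowPrivilegeEscalation must be false."""
    if windows_exempt(pod, version_doc):
        return []
    spec = pod.get("spec") or {}
    found = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            sc = c.get("securityContext") or {}
            # Unset counts as a violation: the field must be explicitly false.
            if sc.get("allowPrivilegeEscalation") is not False:
                found.append(f"{field}/{c.get('name')}: "
                             "allowPrivilegeEscalation must be false")
    return found


# Constructed sample input: a Pod declaring windows without the control set.
POD = {"spec": {"os": {"name": "windows"},
                "containers": [{"name": "app", "image": "example.invalid/app:1"}]}}
V124 = {"major": "1", "minor": "24", "gitVersion": "v1.24.3"}
V125 = {"major": "1", "minor": "25+", "gitVersion": "v1.25.0"}

if __name__ == "__main__":
    print(violations(POD, V124))  # exemption ignored, control still applies
    print(violations(POD, V125))  # exemption honored
```

On the older server the declared `spec.os` is ignored and the control still applies, which closes the circumvention path the comment above describes.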
