[Spike] Determine path forward for container level exceptions on Kyverno
Currently there are some shortcomings with the approach we took for container level exceptions. The issue is that the existing solution, which uses preconditions on all containers (ephemeralContainers, initContainers, containers) to filter them out by name, creates challenges when the policy needs to take into account something like `pod.spec.securityContext` as well as `pod.spec.containers[*].securityContext`.

The current solution involved rewriting particular policies so that they are broken up into two rules, one targeting the containers' `securityContext` and the other targeting the pod's `securityContext`. This results in a policy that is slightly different from the original. The main difference is that the pod's `securityContext` and the containers' `securityContext` are evaluated by separate rules, which removes the ability to take advantage of the hierarchical nature of `securityContext`. That hierarchy allows scenarios where `securityContext.runAsNonRoot` is specified for each container but omitted at the pod level, like:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: require-run-as-non-root
spec:
  containers:
  - name: c1
    image: nginx
    args: ["sleep", "infinity"]
    securityContext:
      runAsNonRoot: true
  initContainers:
  - name: init-c1
    image: nginx
    securityContext:
      runAsNonRoot: true
```
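To make the difference concrete, here is an added model (not Kyverno code, and not from this issue) of the Kubernetes `securityContext` fallback, comparing a single hierarchy-aware rule against the two-rule split described above on the pod from this issue. The shape of the split rules (one requiring the field at pod level, one on every non-excluded container) and the `excluded` name set standing in for the precondition filter are assumptions.

```python
# Added example (not Kyverno code): models the pod-to-container securityContext
# fallback so the two evaluation strategies described above can be compared.
from typing import Optional

FIELD = "runAsNonRoot"
CONTAINER_KEYS = ("initContainers", "containers", "ephemeralContainers")

# The pod from the issue, constructed inline: runAsNonRoot set only per container.
POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "require-run-as-non-root"},
    "spec": {
        "containers": [{"name": "c1", "image": "nginx", "args": ["sleep", "infinity"],
                        "securityContext": {"runAsNonRoot": True}}],
        "initContainers": [{"name": "init-c1", "image": "nginx",
                            "securityContext": {"runAsNonRoot": True}}],
    },
}

def all_containers(pod: dict) -> list:
    """Every container a policy would inspect, across the three container lists."""
    return [c for key in CONTAINER_KEYS for c in pod["spec"].get(key, [])]

def effective_value(pod: dict, container: dict) -> Optional[bool]:
    """Kubernetes semantics: a container-level setting overrides the pod-level one."""
    container_sc = container.get("securityContext", {})
    if FIELD in container_sc:
        return container_sc[FIELD]
    return pod["spec"].get("securityContext", {}).get(FIELD)

def hierarchical_check(pod: dict, excluded: frozenset = frozenset()) -> list:
    """One hierarchy-aware rule: returns non-excluded containers not resolving to True."""
    return [c["name"] for c in all_containers(pod)
            if c["name"] not in excluded and effective_value(pod, c) is not True]

def split_rules_check(pod: dict, excluded: frozenset = frozenset()) -> list:
    """Assumed shape of the current two-rule workaround: a pod-level rule and a
    container-level rule that never see each other's level. Returns what fails."""
    failures = []
    if pod["spec"].get("securityContext", {}).get(FIELD) is not True:
        failures.append("pod")
    for c in all_containers(pod):
        if c["name"] in excluded:
            continue  # the name-based precondition filters the excepted container out
        if c.get("securityContext", {}).get(FIELD) is not True:
            failures.append(c["name"])
    return failures
```

Running `hierarchical_check(POD)` returns `[]` while `split_rules_check(POD)` returns `['pod']`: the compliant pod above is rejected by the split rules purely because the pod-level field is omitted.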