chore: adding psp-users CEL policy

[JaydipGabani]

What this PR does / why we need it:

Which issue(s) does this PR fix (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #541

Special notes for your reviewer:

Rego policy nehavior is -

• filed in below list is reference to securityContext fields - [ runAsUser, runAsGroup, fsGroup, supplementalGroup ]

---

• Input:

field:
      rule: MustRunAs
      ranges:
        - min: 100
          max: 200

• Behavior: if field is missing from object then throw missing violation, else throw violation is field is not in required range

---

• Input:

runAsUser:
      rule: MustRunAsNonRoot

• Behavior: if runAsUser and runAsNonRoot both are missing from object then throw missing violation, else throw violation is runAsUser == 0

---

• Input:

field:
      rule: mayRunAs
      ranges:
        - min: 100
          max: 200

• Behavior: No missing field violation, but is field is present and violating the range then throw the violation

---

• Input:

field:
  rule: RunAsAny

• Behavior: No violations

---

[maxsmythe]

these are not bad containers yet, just containers subject to validation... candidateContainers?

[maxsmythe]

We need to check that runAsNonRoot is both defined and equal to true (this is implied in the Rego check, since not will invert both "missing" and "false" to true.

Also, has(container.securityContext.runAsUser) || has(container.securityContext.runAsNonRoot) should be has(container.securityContext.runAsUser) && has(container.securityContext.runAsNonRoot) , since both conditions need to be satisfied.

[maxsmythe]

we should not assume that container names are globally unique, since tools like gator may not perform that kind of validation.

[maxsmythe]

I think this should be exists() instead of all(), since the constraint is satisfied as long as the user ID lies within at least one of the specified ranges.

[maxsmythe]

Same comment about all() vs. exists()

[maxsmythe]

as above, let's not rely on names being globally unique

[JaydipGabani]

Processing each container type separately.

[maxsmythe]

Same comment about all() vs. exists()

[maxsmythe]

Same comment about all() vs. exists()

[maxsmythe]

Same comment about all() vs. exists()

[maxsmythe]

Same comment about all() vs. exists()

[JaydipGabani]

@maxsmythe @ritazh @sozercan PTAL

[maxsmythe]

I think we need map(container, container.image) ?

[maxsmythe]

this still needs fixing

[JaydipGabani]

Fixed it.

[maxsmythe]

I don't think you need a trinary operator (?) here

[maxsmythe]

This reads like it will be true if either there is no global definition for running as non root OR if there is no local definition for running as non root.

This is incorrect. If local is defined but global is not, then there is no violation, as local definition supersedes.

[JaydipGabani]

Updated the code to correct this.

[maxsmythe]

I think the code for this will be much simpler if we:

• have a variable for each rule type (MustRunAs, MayRunAs, etc.) that returns the containers violating the rule.
• if the rule type is not used, this variable will return an empty list.

This will allow you to:

• remove all code duplication (can go back to concatenating all containers again, since you are no longer required to filter based off container name)
• Reduce the nesting/branching for each variable.

Because this will significantly change/shorten the code, I'll stop reviewing here.

[JaydipGabani]

Thanks for the suggestion. Made an update to CEL code, it should now be much more compact. PTAL.

[maxsmythe]

Can we just put the test for kind == Pod into a matchCondition?

I don't think this constraint makes sense for anything other than Pods... we can add the same test to the Rego if necessary.

[JaydipGabani]

wdym by "put test for kind == Pod into a matchCondition?

I removed the condition kind == Pod from CEL and rego.

[maxsmythe]

matchCondition is a field in VAP:

https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/#matching-requests-matchconditions

[JaydipGabani]

Updated CEL to add matchCondition.

[maxsmythe]

Can we use some string/block formatting to make the various declarations more legible? It's hard to parse the assertions without formatting. This is a general comment for all of these larger code blocks.

TBH I can't review without formatting improvements... the statements bleed together.

[JaydipGabani]

Appologies for putting the large code block in one line. Formatted all code large code blocks. Should be easier to parse and read.

[maxsmythe]

thanks!

[JaydipGabani]

@maxsmythe PTAL.