
Pepr policies do not trigger if allowPrivilegeEscalation is null #527

Open
JaseKoonce opened this issue Jul 1, 2024 · 0 comments · May be fixed by #698
Labels: bug (Something isn't working) · policy-engine (Issues pertaining to UDS Policy Engine (Pepr)) · security
Assignee: noahpb
Milestone: 0.27.0

Comments

@JaseKoonce

Environment

Kubernetes distro being used: EKS

Steps to reproduce

  1. Without any Exemptions, create a pod without setting allowPrivilegeEscalation.

Expected result

allowPrivilegeEscalation defaults to true when not set, so I would expect to be unable to apply the manifest file.

Actual Result

You are allowed to apply the manifest files without Pepr triggering.

Visual Proof (screenshots, videos, text, etc)

[image: screenshot attached to the original issue]

Severity/Priority

Medium

Additional Context

Issue is caused by the filtering allowing both undefined and false, when it should only allow false for allowPrivilegeEscalation.
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://github.com/defenseunicorns/uds-core/blob/main/src/pepr/policies/security.ts#L34-L36
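The following is an added, self-contained illustration of the filtering problem described above; it is not the uds-core `security.ts` policy code and does not use the Pepr SDK. It models a pod spec with a minimal assumed subset of the Kubernetes types, shows a "buggy" filter that only flags an explicit `true` (so an unset or `null` value slips through, matching the reproduction steps), and a corrected filter that treats anything other than an explicit `false` as a violation, which is what the restricted Pod Security Standard requires. All function names and the sample pods are constructed for this example.

```typescript
// Added example, not the uds-core/Pepr policy code itself.
// Under the restricted Pod Security Standard a container is compliant only
// when securityContext.allowPrivilegeEscalation is explicitly false. An unset
// (undefined or null) value is NOT compliant, because the API server defaults
// it to true.

// Assumed minimal subset of the Kubernetes object shapes this example needs.
interface SecurityContext {
  allowPrivilegeEscalation?: boolean | null;
}

interface Container {
  name: string;
  securityContext?: SecurityContext | null;
}

interface PodSpec {
  containers: Container[];
  initContainers?: Container[];
  ephemeralContainers?: Container[];
}

// Every container a policy should inspect, including init and ephemeral ones.
function allContainers(spec: PodSpec): Container[] {
  return [
    ...spec.containers,
    ...(spec.initContainers ?? []),
    ...(spec.ephemeralContainers ?? []),
  ];
}

// Buggy filter, as the issue describes it: a container is flagged only when
// allowPrivilegeEscalation is strictly true, so undefined/null pass through.
function violatingContainersBuggy(spec: PodSpec): string[] {
  return allContainers(spec)
    .filter((c) => c.securityContext?.allowPrivilegeEscalation === true)
    .map((c) => c.name);
}

// Corrected filter: anything other than an explicit `false` is a violation,
// which covers true, null, undefined and a missing securityContext block.
function violatingContainersFixed(spec: PodSpec): string[] {
  return allContainers(spec)
    .filter((c) => c.securityContext?.allowPrivilegeEscalation !== false)
    .map((c) => c.name);
}

// Admission decision built on either filter: deny when any container violates.
function admit(
  spec: PodSpec,
  check: (s: PodSpec) => string[],
): { allowed: boolean; message: string } {
  const bad = check(spec);
  return bad.length === 0
    ? { allowed: true, message: "all containers set allowPrivilegeEscalation: false" }
    : { allowed: false, message: `allowPrivilegeEscalation must be false for: ${bad.join(", ")}` };
}

// Constructed sample 1: the reproduction case from the issue. One compliant
// container and one that simply omits the field.
const unsetOnlyPod: PodSpec = {
  containers: [
    { name: "app", securityContext: { allowPrivilegeEscalation: false } },
    { name: "sidecar" }, // field not set at all
  ],
};

// Constructed sample 2: every non-compliant shape at once.
const mixedPod: PodSpec = {
  containers: [
    { name: "app", securityContext: { allowPrivilegeEscalation: false } },
    { name: "sidecar" },                                                  // missing
    { name: "agent", securityContext: { allowPrivilegeEscalation: null } }, // null
  ],
  initContainers: [
    { name: "setup", securityContext: { allowPrivilegeEscalation: true } }, // explicit true
  ],
};

// Stand-alone run: the buggy filter admits the reproduction pod, the fixed one denies it.
console.log("buggy, unset only:", admit(unsetOnlyPod, violatingContainersBuggy));
console.log("fixed, unset only:", admit(unsetOnlyPod, violatingContainersFixed));
console.log("buggy, mixed     :", admit(mixedPod, violatingContainersBuggy));
console.log("fixed, mixed     :", admit(mixedPod, violatingContainersFixed));
```

The practical check when writing or reviewing a policy like this is to test with a container that has no `securityContext` at all, one with `allowPrivilegeEscalation: null`, and one that sets it to `true`; a filter that compares against `false` with `!==` catches all three, while one that compares against `true` with `===` catches only the last.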

@JaseKoonce JaseKoonce added the possible-bug Something may not be working label Jul 1, 2024
@mjnagel mjnagel added security bug Something isn't working policy-engine Issues pertaining to UDS Policy Engine (Pepr) and removed possible-bug Something may not be working labels Jul 1, 2024
@noahpb noahpb self-assigned this Aug 20, 2024
@mjnagel mjnagel added this to the 0.27.0 milestone Aug 21, 2024
@noahpb noahpb linked a pull request Aug 23, 2024 that will close this issue