Part of the PSP (Pod Security Policy) spec is not visible (ex. hostIPC: false, privileged: false ... and so on)
Can you tell me why I can't check it?
[psp.yaml]
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: default
spec:
  allowPrivilegeEscalation: false
  hostIPC: false
  hostNetwork: false
  hostPID: false
  privileged: false
  readOnlyRootFilesystem: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  requiredDropCapabilities:
  - NET_RAW
"default-psp.yaml" 21L
[psp create]
[root@master01 ~]# kubectl create -f default-psp.yaml
podsecuritypolicy.policy/default created
[root@master01 ~]# kubectl get psp
NAME      PRIV    CAPS   SELINUX    RUNASUSER          FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
default   false          RunAsAny   MustRunAsNonRoot   RunAsAny   RunAsAny   false
[root@master01 ~]#
[psp check]
[root@master01 ~]# kubectl get psp default -o json
{
  "apiVersion":"v1",
  "items":[
    {
      "apiVersion":"policy/v1beta1",
      "kind":"PodSecurityPolicy",
      "metadata":{
        "creationTimestamp":"2021-05-04T04:12:52Z",
        "managedFields":[
          {
            "apiVersion":"policy/v1beta1",
            "fieldsType":"FieldsV1",
            "fieldsV1":{
              "f:spec":{
                "f:allowPrivilegeEscalation":{
                },
                "f:fsGroup":{
                  "f:rule":{
                  }
                },
                "f:requiredDropCapabilities":{
                },
                "f:runAsUser":{
                  "f:rule":{
                  }
                },
                "f:seLinux":{
                  "f:rule":{
                  }
                },
                "f:supplementalGroups":{
                  "f:rule":{
                  }
                }
              }
            },
            "manager":"kubectl",
            "operation":"Update",
            "time":"2021-05-04T04:12:52Z"
          }
        ],
        "name":"default",
        "resourceVersion":"163847",
        "selfLink":"/apis/policy/v1beta1/podsecuritypolicies/default",
        "uid":"b8ed1cf3-7cb8-4f03-a5d4-d1f6d8fb51a0"
      },
      "spec":{
        "allowPrivilegeEscalation":false,
        "fsGroup":{
          "rule":"RunAsAny"
        },
        "requiredDropCapabilities":[
          "NET_RAW"
        ],
        "runAsUser":{
          "rule":"MustRunAsNonRoot"
        },
        "seLinux":{
          "rule":"RunAsAny"
        },
        "supplementalGroups":{
          "rule":"RunAsAny"
        }
      }
    }
  ],
  "kind":"List",
  "metadata":{
    "resourceVersion":"",
    "selfLink":""
  }
}
kube version: 1.18.6
This is related to the underlying data representation of Go and json encoding.
All fields of bool datatype act the same way when encoded into json:
Somebody already mentioned this as an issue: go/issues/13284. I will only mention the explanation; read the whole issue for details and context:
This is working as intended. false is the zero value of booleans, and your json struct tag has omitempty. As you can see from t2, if you don't use omitempty, the value isn't omitted.
You can see that if you set these fields to true, they are being shown.
You cannot do anything about it. Just remember that if the field does not show up, its value is false.
If you really think this is an issue and it should not work this way, open an issue on k8s github repo and ask the developers directly about this problem.
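The behaviour described in the answer, as an added Go example (not code from the question, the answer, or the Kubernetes source). `pspSpec` is a simplified stand-in struct and `effectiveBool` is a hypothetical helper; the example shows `false` booleans tagged `omitempty` vanishing from the JSON, a pointer to `false` surviving, and a reader that treats an absent key as `false`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// pspSpec is a simplified stand-in for a policy spec (assumption for this
// example, not the Kubernetes API type).
type pspSpec struct {
	Privileged bool `json:"privileged,omitempty"` // false is the zero value: dropped
	HostIPC    bool `json:"hostIPC,omitempty"`    // false is the zero value: dropped
	// A pointer is only "empty" when nil, so a pointer to false is still encoded.
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
}

// encode serializes the spec with encoding/json.
func encode(s pspSpec) string {
	b, err := json.Marshal(s)
	if err != nil {
		panic(err)
	}
	return string(b)
}

// effectiveBool (hypothetical helper) reads a boolean from serialized JSON.
// An absent key is reported as value=false, present=false.
func effectiveBool(raw, field string) (value, present bool, err error) {
	var m map[string]json.RawMessage
	if err = json.Unmarshal([]byte(raw), &m); err != nil {
		return false, false, err
	}
	v, ok := m[field]
	if !ok {
		return false, false, nil
	}
	err = json.Unmarshal(v, &value)
	return value, true, err
}

func main() {
	no := false
	out := encode(pspSpec{Privileged: false, HostIPC: false, AllowPrivilegeEscalation: &no})
	fmt.Println(out)
	for _, f := range []string{"privileged", "hostIPC", "allowPrivilegeEscalation"} {
		v, present, _ := effectiveBool(out, f)
		fmt.Printf("%-26s present=%-5t effective=%t\n", f, present, v)
	}
}
```

When auditing a policy from its JSON, compare effective values rather than the presence of keys, since a missing boolean and an explicit `false` mean the same thing here.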