kuberneteskubernetes-podpodsecuritypolicy

How to check PSP(pod security policy) spec in Kubernetes


Part of PSP(Pod Security Policy) spec is not visible (ex. hostIPC: false, priviledged: false ... and so on)

Can you tell me why I can't check it?

[psp.yaml]

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: default
spec:
  allowPrivilegeEscalation: false
  hostIPC: false
  hostNetwork: false
  hostPID: false
  privileged: false
  readOnlyRootFilesystem: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  requiredDropCapabilities:
  - NET_RAW
"default-psp.yaml" 21L

[psp create]

[root@master01 ~]# kubectl create -f default-psp.yaml
podsecuritypolicy.policy/default created
[root@master01 ~]# kubectl get psp
NAME      PRIV    CAPS   SELINUX    RUNASUSER          FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
default   false          RunAsAny   MustRunAsNonRoot   RunAsAny   RunAsAny   false
[root@master01 ~]#

[psp check]

[root@master01 ~]# kubectl get psp default -o json
{
    "apiVersion":"v1",
    "items":[
        {
            "apiVersion":"policy/v1beta1",
            "kind":"PodSecurityPolicy",
            "metadata":{
                "creationTimestamp":"2021-05-04T04:12:52Z",
                "managedFields":[
                    {
                        "apiVersion":"policy/v1beta1",
                        "fieldsType":"FieldsV1",
                        "fieldsV1":{
                            "f:spec":{
                                "f:allowPrivilegeEscalation":{
                                    
                                },
                                "f:fsGroup":{
                                    "f:rule":{
                                        
                                    }
                                },
                                "f:requiredDropCapabilities":{
                                    
                                },
                                "f:runAsUser":{
                                    "f:rule":{
                                        
                                    }
                                },
                                "f:seLinux":{
                                    "f:rule":{
                                        
                                    }
                                },
                                "f:supplementalGroups":{
                                    "f:rule":{
                                        
                                    }
                                }
                            }
                        },
                        "manager":"kubectl",
                        "operation":"Update",
                        "time":"2021-05-04T04:12:52Z"
                    }
                ],
                "name":"default",
                "resourceVersion":"163847",
                "selfLink":"/apis/policy/v1beta1/podsecuritypolicies/default",
                "uid":"b8ed1cf3-7cb8-4f03-a5d4-d1f6d8fb51a0"
            },
            "**""spec":{
                "allowPrivilegeEscalation":false,
                "fsGroup":{
                    "rule":"RunAsAny"
                },
                "requiredDropCapabilities":[
                    "NET_RAW"
                ],
                "runAsUser":{
                    "rule":"MustRunAsNonRoot"
                },
                "seLinux":{
                    "rule":"RunAsAny"
                },
                "supplementalGroups":{
                    "rule":"RunAsAny""**"
                }
            }
        }
    ],
    "kind":"List",
    "metadata":{
        "resourceVersion":"",
        "selfLink":""
    }
}

kube version: 1.18.6


Solution

  • This is related to the underlying data representation of Go and json encoding.

    All fields of bool datatype act the same way when encoded into json:

    Somebody already mentioned this as an issue: go/issues/13284. I will only mention the explaination, read the whole issue for details and context:

    This is working as intended. false is the zero value of booleans, and your json struct tag has omitempty. As you can see from t2, if you don't use omitempty, the value isn't omitted.

    You can see that if you set these fields to true, they are being shown.

    You cannot do anything about it. Just remember that if the field does not show up, its value is false.

    If you really think this is an issue and it should not work this way, open an issue on k8s github repo and ask the developers directly about this problem.