chore: adding psp-users CEL policy

[JaydipGabani]

What this PR does / why we need it:

Which issue(s) does this PR fix (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #541

Special notes for your reviewer:

Rego policy nehavior is -

• filed in below list is reference to securityContext fields - [ runAsUser, runAsGroup, fsGroup, supplementalGroup ]

---

• Input:

field:
      rule: MustRunAs
      ranges:
        - min: 100
          max: 200

• Behavior: if field is missing from object then throw missing violation, else throw violation is field is not in required range

---

• Input:

runAsUser:
      rule: MustRunAsNonRoot

• Behavior: if runAsUser and runAsNonRoot both are missing from object then throw missing violation, else throw violation is runAsUser == 0

---

• Input:

field:
      rule: mayRunAs
      ranges:
        - min: 100
          max: 200

• Behavior: No missing field violation, but is field is present and violating the range then throw the violation

---

• Input:

field:
  rule: RunAsAny

• Behavior: No violations

---

[maxsmythe]

these are not bad containers yet, just containers subject to validation... candidateContainers?

[maxsmythe]

We need to check that runAsNonRoot is both defined and equal to true (this is implied in the Rego check, since not will invert both "missing" and "false" to true.

Also, has(container.securityContext.runAsUser) || has(container.securityContext.runAsNonRoot) should be has(container.securityContext.runAsUser) && has(container.securityContext.runAsNonRoot) , since both conditions need to be satisfied.

[maxsmythe]

we should not assume that container names are globally unique, since tools like gator may not perform that kind of validation.

[maxsmythe]

I think this should be exists() instead of all(), since the constraint is satisfied as long as the user ID lies within at least one of the specified ranges.

[maxsmythe]

Same comment about all() vs. exists()

[maxsmythe]

as above, let's not rely on names being globally unique

[JaydipGabani]

Processing each container type separately.

[maxsmythe]

Same comment about all() vs. exists()

[maxsmythe]

Same comment about all() vs. exists()

[maxsmythe]

Same comment about all() vs. exists()

[maxsmythe]

Same comment about all() vs. exists()

[JaydipGabani]

@maxsmythe @ritazh @sozercan PTAL

[maxsmythe]

I think we need map(container, container.image) ?

[maxsmythe]

I don't think you need a trinary operator (?) here

[maxsmythe]

This reads like it will be true if either there is no global definition for running as non root OR if there is no local definition for running as non root.

This is incorrect. If local is defined but global is not, then there is no violation, as local definition supersedes.

[JaydipGabani]

Updated the code to correct this.

[maxsmythe]

I think the code for this will be much simpler if we:

• have a variable for each rule type (MustRunAs, MayRunAs, etc.) that returns the containers violating the rule.
• if the rule type is not used, this variable will return an empty list.

This will allow you to:

• remove all code duplication (can go back to concatenating all containers again, since you are no longer required to filter based off container name)
• Reduce the nesting/branching for each variable.

Because this will significantly change/shorten the code, I'll stop reviewing here.

[JaydipGabani]

Thanks for the suggestion. Made an update to CEL code, it should now be much more compact. PTAL.