Important
Notice: Starting from Kubewarden release 1.32.0, all code from this repository has been merged into github.com/kubewarden/policies, which is now a monorepo containing policies. Please refer to that repository for future updates and development. This repository is now archived. Development continues in the new location.
Replacement for the Kubernetes Pod Security Policy that controls the
usage of fsGroup in the pod security context.
This policy works by defining what fsGroup is allowed in the pod security context.
One of the following setting keys are accepted for this policy:
MustRunAs: contains a list of ranges that define valid ranges for thefsGroupvalue. At least one range must contain the provided.securityContext.fsGroup. If the pod does not contain a.securityContext, or a.securityContext.fsGroup, then this policy acts as mutating and defaults thefsGroupattribute to the firstminvalue of the list of provided ranges.MayRunAs: contains a list of ranges that define valid ranges for thefsGroupvalue. At least one range must contain the provided.securityContext.fsGroup. If the pod does not contain a.securityContextor a.securityContext.fsGroup, then this policy will accept the request.RunAsAny: always accepts the request.
Configuration examples:
rule: RunAsAnyrule: MayRunAs
ranges:
- min: 1000
max: 2000
- min: 3000
max: 4000rule: MustRunAs
ranges:
- min: 1000 # If no fsGroup is set for the pod, the
# policy will default it to this value
max: 2000
- min: 3000
max: 4000