Disable Policy Enforcement
In the event of an incident response or another situation where you may need to modify Chainguard Enforce to warn about instead of fail a given policy, you can modify the policy configuration.
In an Enforce policy, images that fail to meet requirements will cause the image not to be admitted by default. To instead allow these through and warn the user that this operation did not meet the criteria, you can use the mode
configuration option under ClusterImagePolicy
. When set to warn
, the policy will not block the admission, but instead will allow it through and emit a warning.
Example Warning Policies
The following sets the mode
configuration to warn
.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
name: image-policy-keyless-warn
spec:
mode: warn
images:
- glob: registry.local:5000/policy-controller/demo*
authorities:
- keyless:
url: http://fulcio.fulcio-system.svc
ctlog:
url: http://rekor.rekor-system.svc
By specifying the spec.mode
as warn
, even if an image is found to be non-compliant it will be allowed through. At the same time, a warning is issued to the caller informing them that this is not a compliant image.
In the Chainguard Enforce Policy Catalog, review also the CUE “Disallow privilege escalation” policy, which prevents privilege escalation (such as via set-user-ID
or set-group-ID
file mode). This is Linux only policy in v1.25+.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
name: disallow-privilege-escalation-cue
annotations:
catalog.chainguard.dev/title: Disallow privilege escalation
catalog.chainguard.dev/labels: cue,workloads
catalog.chainguard.dev/description: |
Privilege escalation (such as via set-user-ID or set-group-ID file mode) should
not be allowed. This is Linux only policy in v1.25+ (spec.os.name != windows)
catalog.chainguard.dev/learnMoreLink: https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
spec:
match:
- version: "v1"
resource: "pods"
images: [glob: '**']
authorities: [static: {action: pass}]
mode: warn
policy:
includeSpec: true
type: "cue"
data: |
// Create a schema for SecurityContext where allowPrivilegeEscalation
// is a bool that defaults to true
#SecurityContext: {
allowPrivilegeEscalation: bool | *true
...
}
spec: {
initContainers: [...{
// Apply the schema to the security context in each container.
securityContext: #SecurityContext
// When allowPrivilegeEscalation is true (either specified, or by default)
// then surface our error by "validating" name against our error string.
if securityContext.allowPrivilegeEscalation {
name: "securityContext.allowPrivilegeEscalation must be false"
}
}]
containers: [...{
// Apply the schema to the security context in each container.
securityContext: #SecurityContext
// When allowPrivilegeEscalation is true (either specified, or by default)
// then surface our error by "validating" name against our error string.
if securityContext.allowPrivilegeEscalation {
name: "securityContext.allowPrivilegeEscalation must be false"
}
}]
ephemeralContainers: [...{
// Apply the schema to the security context in each container.
securityContext: #SecurityContext
// When allowPrivilegeEscalation is true (either specified, or by default)
// then surface our error by "validating" name against our error string.
if securityContext.allowPrivilegeEscalation {
name: "securityContext.allowPrivilegeEscalation must be false"
}
}]
}
Again, the mode
configuration is set to warn
. If you are logged into the Enforce Console, you can access the Disallow privilege escalation policy from the Policy Catalog from the Create policy button.
Review Warning Policies
You can review which policies are in Enforce or Warn mode by reviewing the policy table in your Enforce Console.
From your Enforce Console policy table, you can further edit each enforcing policy to a warning policy and vice versa.
Last updated: 2023-03-22 08:49