feat(policy): reject explicit hostUsers opt-out in userns namespaces#2691
Conversation
The user-namespace rollout is mutate-only: add-security-context.yaml injects hostUsers: false through a +(hostUsers) conditional anchor, which only fills in an absent value. A workload that explicitly sets hostUsers: true keeps it, silently, in a namespace that still carries the opt-in label. Add a disallow-host-users validate rule mirroring the mutate rule's scope (same namespaceSelector, same cnpg.io/cluster exclude) and the file's existing =(hostNetwork): false idiom, so an absent value passes and an explicit true is rejected at admission. Part of #1807
Nothing executed the fixtures under tests/, so tests/validate-replica-floor had never actually run in CI and a policy regression could ship green. Add a 'kyverno test ./tests' step to the existing static validate job and broaden the k8s paths filter from the single cilium fixture to tests/**. The CLI is pinned to v1.18.2, the version the kyverno Helm release runs, so a policy that passes here is evaluated by the same engine that admits it in production. Also add values.yaml to the new fixture: the CLI does not read namespace labels from Namespace objects in resources.yaml, so a namespaceSelector rule reports every resource 'Excluded' and the whole fixture — including its fail case — passes vacuously without it. Part of #1807
Validation recordEngine parity. Local CLI and the pinned CI CLI are both v1.18.2, matching the RED/GREEN — the fixture has teethThe first version of this fixture passed vacuously and I nearly shipped it. Two negative controls prove the assertions can fail:
A third control confirms the CI invocation fails closed: CI wiring
Tried and evaluated as a user — against live productionExported all 15 running pods from the five opted-in namespaces and ran the policy against their real specs:
Scope noteThe |
@codex review for admission-policy correctness: the |
|
Codex Review: Didn't find any major issues. Swish! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Why
The platform's user-namespace hardening can be switched off silently. It is applied by a mutate rule that only fills in the setting when a workload hasn't specified one — so any workload that explicitly asks for the old, less-isolated behaviour simply keeps it. No error, no report, nothing surfaced. The namespace still carries its "hardened" label and still looks correct.
Defence-in-depth that can degrade invisibly is worse than none, because it reports as present while being absent.
What
Adds an admission rule that rejects a workload explicitly opting out of user namespaces in a namespace that has graduated through a user-namespace pilot — the same guard the platform already applies to the other host-isolation settings. Databases keep their existing exemption, and workloads that say nothing are unaffected.
Verified against live production: all five opted-in namespaces are already compliant, so nothing running today is blocked by this.
Fixes #2690
Part of #1807