# neuvector-security
Is there anyone using the NeuVector Admission Control functionality? I need to configure some RunAsUser rules, but none of them seem to work. I have even tested something like the following:
```yaml
- action: deny
  comment: DENY 70001 out of default namespace
  containers:
  - containers
  criteria:
  - name: user
    op: containsAny
    path: user
    value: "70001"
  - name: namespace
    op: notContainsAny
    path: namespace
    value: default
  - name: userGroups
    op: containsAny
    path: userGroups
    value: "700001"
  disabled: false
  rule_mode: ""
```
But this doesn't work if I create a deployment out of "default" namespace:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: user70001
  name: user70001
spec:
  replicas: 1
  selector:
    matchLabels:
      app: user70001
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: user70001
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 70001
        runAsGroup: 70001
      containers:
      - args:
        - sleep
        - INF
        image: docker.io/busybox:1.35
        name: busybox
```
I was able to manage RunAsUser rules using a customized criterion. None of my tests using the "User" criterion worked for me. In my case I prepared a deny rule for user IDs greater than a defined number for all namespaces, with a few exceptions, and added specific rules with specific user IDs for those namespaces.
Is it in Protect mode?
Yes, but I also tried it on another cluster in Monitor mode.