
[Bug]: requiredDropCapabilities is not converted as validating AND mutating #399

jaycci opened this issue Nov 12, 2023 · 0 comments
Labels: bug (Something isn't working), triage (Triage)


jaycci commented Nov 12, 2023

What happened?

I have a PSP rule with a .spec.requiredDropCapabilities specified. This field is simultaneously a "Validating" and "Mutating" field in PodSecurityPolicy.

Your tool only generates the "Validating" rules, but not the "Mutating" ones.

So when I insert new objects in the k8s cluster with no "requiredDropCapabilities" specified, these objects are blocked by OPA (because no "requiredDropCapabilities" is present) instead of first being mutated by OPA to add the missing field.

What policy engine were you generating policy for

Gatekeeper

Relevant log output

Source object:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: test
spec:
  requiredDropCapabilities:
  - MKNOD
```

Generated objects:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-k8spspvolumetypes-a8fae
spec:
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
  parameters: {}

---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: psp-k8spspcapabilities-31528
spec:
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
  parameters:
    allowedCapabilities: []
    requiredDropCapabilities:
      - MKNOD
```

The object K8sPSPCapabilities is only a "Validating" object (see definition in https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/pod-security-policy/capabilities/template.yaml).

@jaycci jaycci added bug Something isn't working triage Triage labels Nov 12, 2023
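The mutating half that the generated output above lacks can be expressed in Gatekeeper with its `Assign` mutation, so that a pod submitted without a `capabilities.drop` list gets `MKNOD` added before the `K8sPSPCapabilities` constraint validates it. The following is an added example, not output of the converter tool and not part of the issue; it assumes a Gatekeeper installation with the mutation feature enabled, and the object names are constructed.

```yaml
# Added example (not from the issue or the converter tool): the mutating half of
# the PSP's requiredDropCapabilities, expressed as Gatekeeper Assign mutations.
# Assumes Gatekeeper with mutation enabled; metadata names are constructed.
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: psp-drop-mknod-containers
spec:
  applyTo:
    - groups: [""]
      versions: ["v1"]
      kinds: ["Pod"]
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  # Every container whose securityContext has no capabilities.drop list gets
  # one containing MKNOD, mirroring what the PSP admission controller did.
  location: "spec.containers[name:*].securityContext.capabilities.drop"
  parameters:
    pathTests:
      # Only set the field where it is absent. An explicit drop list in the
      # pod spec is left untouched for the validating constraint to judge.
      - subPath: "spec.containers[name:*].securityContext.capabilities.drop"
        condition: MustNotExist
    assign:
      value: ["MKNOD"]
---
# The same mutation for init containers, which the PSP also covered.
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: psp-drop-mknod-init-containers
spec:
  applyTo:
    - groups: [""]
      versions: ["v1"]
      kinds: ["Pod"]
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  location: "spec.initContainers[name:*].securityContext.capabilities.drop"
  parameters:
    pathTests:
      - subPath: "spec.initContainers[name:*].securityContext.capabilities.drop"
        condition: MustNotExist
    assign:
      value: ["MKNOD"]
```

`Assign` sets the whole value at `location` rather than appending to a list, which is why the `pathTests` guard restricts the mutation to pods that omit `capabilities.drop` entirely; a pod that declares a drop list without `MKNOD` is not rewritten and is still rejected by the `K8sPSPCapabilities` constraint, exactly as the issue describes. Keeping both objects together (the constraint plus the two mutations) is what reproduces the PSP's combined validate-and-mutate behaviour.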