
[SURE-7557] Kubewarden user-group-psp-policy does not work in audit mode if container image runs as user 0 #922

Open
kkaempf opened this issue Sep 24, 2024 · 0 comments

kkaempf commented Sep 24, 2024

SURE-7557

Issue description:

Customer is using the user-group-psp-policy (https://github.com/kubewarden/user-group-psp-policy) from Kubewarden to ensure containers do not run as root. An image built with root (user ID 0) is not getting reported in the policy server logs when the policy is in monitor mode. However, the image gets denied while using protect mode without any issues. Customer requires a similar message to be available in the PolicyReport object too.

Business impact:

Customer expects the policy to also report non-compliance in audit mode, to be able to provide a report for developers on what to change before enforcing the policy.

Repro steps:

1. Install the do-not-run-as-root ClusterAdmissionPolicy in Kubewarden (latest version) in monitor mode.
2. Apply a deployment using an image with a root user (e.g. registry.suse.com/suse/sle15:latest) without any securityContext.
3. You can see it is getting allowed, but no logs specific to the deployment (other than a POST request) are showing in either the policy server logs or the policy reports.
4. But if you deploy the same image with a securityContext (runAsUser: 0), you can see the invalid user message in the policy server logs. PolicyReports still show it as pass.

Workaround:

Is a workaround available and implemented? No

Actual behavior:

No audit message is available (in monitor mode) in the policy server logs or policy reports when the image (built-in root user) is deployed.

Expected behavior:

Proper audit messages should be available in the policy server logs and policy reports when the policy is in monitor mode.

@kkaempf kkaempf added this to the 1.18 milestone Sep 24, 2024
@jvanz jvanz self-assigned this Sep 25, 2024
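As an added example (not from the issue, and not the Kubewarden project's own manifests): the policy deployed in monitor mode followed by the two workloads from the repro steps, written as Pods rather than a Deployment for brevity. The module tag, the `mutating` flag and `backgroundAudit` are assumptions; check the policy README and the Kubewarden CRD docs for current values.

```yaml
# Added example, not part of the issue. Module tag and the mutating flag
# are assumptions; verify against the user-group-psp README.
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: do-not-run-as-root
spec:
  module: registry://ghcr.io/kubewarden/policies/user-group-psp:v0.5.0  # assumed tag
  mode: monitor           # log only; change to "protect" to reject requests
  backgroundAudit: true   # let the audit scanner evaluate existing resources
  mutating: true          # assumed; the policy may inject runAsNonRoot
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE", "UPDATE"]
  settings:
    run_as_user:
      rule: MustRunAsNonRoot
    run_as_group:
      rule: RunAsAny
    supplemental_groups:
      rule: RunAsAny
---
# Case 1 (repro step 2): no securityContext, the image's default user is root.
# Issue reports: admitted, nothing beyond the POST in the logs, PolicyReport "pass".
apiVersion: v1
kind: Pod
metadata:
  name: root-by-image
spec:
  containers:
    - name: app
      image: registry.suse.com/suse/sle15:latest
---
# Case 2 (repro step 4): explicit runAsUser: 0 in the securityContext.
# Issue reports: invalid-user message in the policy-server log, PolicyReport still "pass".
apiVersion: v1
kind: Pod
metadata:
  name: root-by-securitycontext
spec:
  securityContext:
    runAsUser: 0
  containers:
    - name: app
      image: registry.suse.com/suse/sle15:latest
```

After applying the three documents, compare the policy-server log output and `kubectl get policyreports -A` for the two pods; a fixed policy should report both as non-compliant in monitor mode.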
Projects
Status: Blocked