5GSEC / nimbus

Intent driven security automation framework
Apache License 2.0

Exclude feature: all ns, Nimbus policy status not updated #178

Closed shivaccuknox closed 5 months ago

shivaccuknox commented 6 months ago

After applying csib-1-all-ns-selector.yaml, I observed the following issues:

```
NAMESPACE             NAME                                                                             STATUS   AGE   POLICIES
chainsaw-hardy-boar   nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding            17m
default               nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding            17m
istio-system          nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding            17m
k0s-autopilot         nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding            17m
kube-node-lease       nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding            17m
kube-public           nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding            17m
kubearmor             nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding            17m
kyverno               nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding            17m
nimbus                nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding            17m
```

```
NAMESPACE   NAME                                                                             STATUS    AGE   INTENTS   CLUSTERNIMBUSPOLICY
            clustersecurityintentbinding.intent.security.nimbus.com/escape-to-host-binding   Created   17m   1         escape-to-host-binding
```

```
NAMESPACE   NAME                                                                    STATUS    AGE   POLICIES
            clusternimbuspolicy.intent.security.nimbus.com/escape-to-host-binding   Created   17m   0
```


- KubeArmor adapter did not create any policies for any nimbuspolicy even though it supports the `escape-to-host` securityintent:

https://github.com/5GSEC/nimbus/blob/5a4217460ea4adb01a0a1afab9e4634b7b924e1a/pkg/adapter/idpool/idpool.go#L27

```
{"level":"info","ts":"2024-06-04T14:51:59+05:30","msg":"KubeArmor adapter started"}
{"level":"info","ts":"2024-06-04T14:51:59+05:30","msg":"KubeArmorPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:51:59+05:30","msg":"ClusterNimbusPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:51:59+05:30","msg":"NimbusPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"ClusterNimbusPolicy found","ClusterNimbusPolicy.Name":"escape-to-host-binding"}
No-op for ClusterNimbusPolicy
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"istio-system"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"kyverno"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"nimbus"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"kubearmor"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"chainsaw-hardy-boar"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"k0s-autopilot"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"kube-node-lease"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"kube-public"}
```

https://github.com/5GSEC/nimbus/blob/5a4217460ea4adb01a0a1afab9e4634b7b924e1a/pkg/adapter/idpool/idpool.go#L44-L47

```
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"Kyverno adapter started"}
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"KyvernoClusterPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"KyvernoPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"ClusterNimbusPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"NimbusPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"ClusterNimbusPolicy found","ClusterNimbusPolicy.Name":"escape-to-host-binding"}
{"level":"error","ts":"2024-06-04T14:52:56+05:30","msg":"failed to create KyvernoClusterPolicy","KyvernoClusterPolicy.Name":"escape-to-host-binding-escapetohost","error":"admission webhook \"validate-policy.kyverno.svc\" denied the request: spec.rules[0].match.any[0].selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string(nil), MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: The requirements are not specified in selector","stacktrace":"github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/manager.createOrUpdateKcp\n\t/Users/anurag/Projects/work/nimbus/pkg/adapter/nimbus-kyverno/manager/manager.go:220\ngithub.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/manager.Run\n\t/Users/anurag/Projects/work/nimbus/pkg/adapter/nimbus-kyverno/manager/manager.go:75\nmain.main\n\t/Users/anurag/Projects/work/nimbus/pkg/adapter/nimbus-kyverno/main.go:34\nruntime.main\n\t/opt/homebrew/opt/go/libexec/src/runtime/proc.go:271"}
```

Originally posted by @anurag-rajawat in https://github.com/5GSEC/nimbus/issues/108#issuecomment-2147104019
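The Kyverno admission error in the log above is the failure mode worth isolating: the generated `KyvernoClusterPolicy` carried a `selector` object whose `matchLabels` and `matchExpressions` were both nil, and `validate-policy.kyverno.svc` rejects a selector with no requirements, whereas a policy with no `selector` key at all is accepted. The example below is added here for illustration and is not code from the Nimbus or Kyverno projects. It uses simplified stand-in types for `metav1.LabelSelector`, `LabelSelectorRequirement` and one Kyverno `match.any[]` entry (assumption: same field names and JSON tags as the real types), a local re-implementation of the webhook's "requirements not specified" check, and a builder that returns a nil selector for the "all namespaces, nothing excluded" case instead of an empty struct. The `buildSelector`, `validateSelector`, `buildFilter` and `renderFilter` names and the `env`/`dev` label values are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Simplified stand-ins for metav1.LabelSelector and LabelSelectorRequirement.
// Assumption: same field names and JSON tags as the real Kubernetes types, so
// the rendered JSON is what the API server (and Kyverno's webhook) would see.
type LabelSelectorRequirement struct {
	Key      string   `json:"key"`
	Operator string   `json:"operator"` // In, NotIn, Exists, DoesNotExist
	Values   []string `json:"values,omitempty"`
}

type LabelSelector struct {
	MatchLabels      map[string]string          `json:"matchLabels,omitempty"`
	MatchExpressions []LabelSelectorRequirement `json:"matchExpressions,omitempty"`
}

// ResourceFilter is a hypothetical trimmed-down version of one Kyverno
// match.any[] entry; it is not Kyverno's own type.
type ResourceFilter struct {
	Kinds    []string       `json:"kinds"`
	Selector *LabelSelector `json:"selector,omitempty"`
}

// ErrEmptySelector mirrors the webhook message quoted in the issue log.
var ErrEmptySelector = errors.New("the requirements are not specified in selector")

// validateSelector is a local re-implementation of the check the
// validate-policy.kyverno.svc webhook applied: a selector object that carries
// neither matchLabels nor matchExpressions is rejected; no selector at all is fine.
func validateSelector(s *LabelSelector) error {
	if s == nil {
		return nil
	}
	if len(s.MatchLabels) == 0 && len(s.MatchExpressions) == 0 {
		return ErrEmptySelector
	}
	return nil
}

// buildSelector turns "match these labels" and "exclude these label values"
// requirements into a selector. The important case is "all namespaces, nothing
// excluded": it must yield nil, never &LabelSelector{}.
func buildSelector(matchLabels map[string]string, exclude map[string][]string) *LabelSelector {
	if len(matchLabels) == 0 && len(exclude) == 0 {
		return nil
	}
	sel := &LabelSelector{}
	if len(matchLabels) > 0 {
		sel.MatchLabels = matchLabels
	}
	// Sort keys so the generated policy is deterministic across reconciles.
	keys := make([]string, 0, len(exclude))
	for k := range exclude {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		sel.MatchExpressions = append(sel.MatchExpressions, LabelSelectorRequirement{
			Key: k, Operator: "NotIn", Values: exclude[k],
		})
	}
	return sel
}

// buildFilter assembles the match entry and runs the same validation the
// webhook would, so a malformed policy is caught before it reaches the API server.
func buildFilter(kinds []string, matchLabels map[string]string, exclude map[string][]string) (ResourceFilter, error) {
	f := ResourceFilter{Kinds: kinds, Selector: buildSelector(matchLabels, exclude)}
	if err := validateSelector(f.Selector); err != nil {
		return ResourceFilter{}, fmt.Errorf("spec.rules[0].match.any[0].selector: %w", err)
	}
	return f, nil
}

// renderFilter returns the JSON the policy would carry; with a nil selector the
// "selector" key is omitted entirely because of omitempty.
func renderFilter(f ResourceFilter) string {
	b, _ := json.Marshal(f)
	return string(b)
}

func main() {
	// Constructed inputs: the all-namespaces case, then one with an exclusion.
	all, err := buildFilter([]string{"Pod"}, nil, nil)
	fmt.Println(renderFilter(all), err)

	excl, err := buildFilter([]string{"Pod"}, nil, map[string][]string{"env": {"dev"}})
	fmt.Println(renderFilter(excl), err)

	// The shape the webhook rejected: a selector object with no requirements.
	fmt.Println(validateSelector(&LabelSelector{}))
}
```

Running it prints `{"kinds":["Pod"]}` for the all-namespaces case (no `selector` key at all), a `NotIn` expression for the exclusion case, and the "requirements are not specified" error for the empty struct. The design point is that "no selector" and "empty selector" are different values to the API server, so the nil/non-nil distinction has to be preserved by the code that translates a binding into a Kyverno policy.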

nandhued commented 5 months ago

Test cases WIP