SAP-archive / karydia

Kubernetes Security Walnut

Network Policy Reconciler - Update Buffer Fails #244

Closed Neumann-Nils closed 4 years ago

Neumann-Nils commented 4 years ago

Description

When, e.g., deleting a network policy that is not managed by Karydia, the logs will print out an error message:

{"component":"networkpolicy_reconciler","level":"info","msg":"[INFO] Start network policy reconciler (syncNetworkPolicyHandler) for 'test-np' in namespace 'default'","time":"2019-12-18T16:16:06Z"}
{"component":"networkpolicy_reconciler","level":"error","msg":"[ERROR] Failed to get karydia network policy 'test-np'","time":"2019-12-18T16:16:06Z"}
{"component":"networkpolicy_reconciler","level":"warning","msg":"[WARN] Failed to get default network policy 'test-np'","time":"2019-12-18T16:16:06Z"}
{"component":"networkpolicy_reconciler","level":"info","msg":"[INFO] Successfully reconciled network policy 'karydia-default-network-policy' in namespace 'default'","time":"2019-12-18T16:16:06Z"}
{"component":"networkpolicy_reconciler","level":"info","msg":"[INFO] Successfully synced network policy 'default/test-np'","time":"2019-12-18T16:16:06Z"}

This error message states that the self-managed network policy cannot be found by Karydia. However, Karydia should not handle this network policy, as it is not a default network policy of Karydia.

Steps to reproduce

  1. Create a new network policy
    cat <<EOF | kubectl apply -f -
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: test-np
    spec:
      podSelector:
        matchLabels: {}
    EOF
  2. Delete the newly created network policy
    kubectl delete networkpolicy test-np
  3. Check the logs of Karydia
    kubectl logs -n karydia $(kubectl get pods -n karydia -l app=karydia -o jsonpath='{.items[0].metadata.name}') -f -c karydia

Expected behavior

Karydia should ignore network policies that are not managed as a karydia-default-network-policy. Thus, there should be no error when a network policy is deleted that is not managed by Karydia. A correct log should look like this:

{"component":"networkpolicy_reconciler","level":"info","msg":"[INFO] Start network policy reconciler (syncNetworkPolicyHandler) for 'test-np' in namespace 'default'","time":"2019-12-18T16:40:43Z"}
{"component":"networkpolicy_reconciler","level":"info","msg":"[INFO] Successfully reconciled network policy 'karydia-default-network-policy' in namespace 'default'","time":"2019-12-18T16:40:43Z"}
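A minimal model of the handler behaviour this report asks for, as an added example rather than Karydia's own code: the handler first checks whether the policy is one Karydia manages and only then looks it up, so a user-owned policy produces the two INFO lines above and no ERROR. The names in defaultPolicies, the in-memory karydiaStore and the log strings are constructed to mirror the excerpts in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not Karydia's code. defaultPolicies holds the names Karydia
// manages (constructed sample); karydiaStore stands in for the lister of
// KarydiaNetworkPolicy objects the reconciler looks up (hypothetical). The
// second default name exists only in the config, to show a legitimate error.
var defaultPolicies = map[string]bool{"karydia-default-network-policy": true, "karydia-example-policy": true}
var karydiaStore = map[string]bool{"karydia-default-network-policy": true}

// splitKey turns a "namespace/name" work-queue key into its parts.
func splitKey(key string) (ns, name string) {
	if i := strings.IndexByte(key, '/'); i >= 0 {
		return key[:i], key[i+1:]
	}
	return "default", key
}

// syncPolicy models the handler. With filterManaged=false it reproduces the
// report: every NetworkPolicy event triggers a lookup of a same-named
// KarydiaNetworkPolicy, so deleting a user-owned policy logs an ERROR. With
// filterManaged=true the lookup is skipped for policies Karydia does not own.
func syncPolicy(key string, filterManaged bool) []string {
	ns, name := splitKey(key)
	logs := []string{fmt.Sprintf("[INFO] Start network policy reconciler for '%s' in namespace '%s'", name, ns)}
	if (!filterManaged || defaultPolicies[name]) && !karydiaStore[name] {
		logs = append(logs, fmt.Sprintf("[ERROR] Failed to get karydia network policy '%s'", name))
	}
	// The default policy is re-reconciled on every event, as the expected log shows.
	return append(logs, fmt.Sprintf("[INFO] Successfully reconciled network policy 'karydia-default-network-policy' in namespace '%s'", ns))
}

// hasError reports whether the handler emitted an error-level line.
func hasError(logs []string) bool {
	for _, l := range logs {
		if strings.HasPrefix(l, "[ERROR]") {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("buggy logs an error:", hasError(syncPolicy("default/test-np", false)))
	fmt.Println(strings.Join(syncPolicy("default/test-np", true), "\n"))
}
```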