cruise-automation / k-rail

Kubernetes security tool for policy enforcement
Apache License 2.0
444 stars 55 forks

exempt_policies pod_no_exec and execute to pod/container fails #60

Closed curx closed 4 years ago

curx commented 4 years ago

Version: cruise/k-rail:release-v1.3.1

To reproduce: on a fresh k-rail rollout, re-configure the ConfigMap k-rail-exemptions like so:

...
data:
  config.yml: |
    - exempt_policies:
      - '*'
      group: '*'
      namespace: kube-system
      resource_name: '*'
      username: '*'
    - exempt_policies:
      - 'pod_no_exec'
      group: '*'
      namespace: test
      resource_name: '*'
      username: '*'
...

Start a pod in the test namespace, e.g. with a busybox image, and exec into the container.

Expected behavior: kubectl -n test exec should work as normal.

Actual behavior: an error is raised:

kubectl -n test exec -t -i  test-exec -- sh
Error from server (InternalError): Internal error occurred: add operation does not apply: doc is missing path: "/metadata/annotations": missing value

AdmissionReview:

{
  "kind": "AdmissionReview",
  "apiVersion": "admission.k8s.io/v1beta1",
  "request": {
    "uid": "3bd81ba7-f13e-4518-ab8b-fc8d0b350589",
    "kind": {
      "group": "",
      "version": "v1",
      "kind": "PodExecOptions"
    },
    "resource": {
      "group": "",
      "version": "v1",
      "resource": "pods"
    },
    "subResource": "exec",
    "requestKind": {
      "group": "",
      "version": "v1",
      "kind": "PodExecOptions"
    },
    "requestResource": {
      "group": "",
      "version": "v1",
      "resource": "pods"
    },
    "requestSubResource": "exec",
    "name": "test-exec",
    "namespace": "test",
    "operation": "CONNECT",
    "userInfo": {
      "username": "admin",
      "uid": "admin",
      "groups": [
        "system:masters",
        "system:authenticated"
      ]
    },
    "object": {
      "kind": "PodExecOptions",
      "apiVersion": "v1",
      "stdin": true,
      "stdout": true,
      "tty": true,
      "container": "test-exec",
      "command": [
        "sh"
      ]
    },
    "oldObject": null,
    "dryRun": false,
    "options": null
  }
}

Thanks, Thorsten
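The error in the report points at a mutating-webhook pattern worth seeing in code: a JSON Patch `add` on `/metadata/annotations/<key>` is only valid when the parent path already exists, and a CONNECT on `pods/exec` carries a `PodExecOptions` object (see the AdmissionReview above) that has no `metadata` at all. The Go program below is an added example written for this page; it is not k-rail's code and not its fix in PR #61. It assumes, from the error text alone, that the exempted policy names are being recorded on the object as an annotation via a JSON Patch. The annotation key `ExemptionKey`, the helper names and the constructed sample objects are all illustrative.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PatchOp is one RFC 6902 JSON Patch operation (only "add" is used here).
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// ExemptionKey is a hypothetical annotation key chosen for this example; it is not k-rail's real key.
const ExemptionKey = "example.invalid/exempt-policies"

// PodExecOptionsJSON mirrors the "object" of the AdmissionReview in the report: a CONNECT on
// pods/exec carries a PodExecOptions, which has no metadata (constructed sample input).
const PodExecOptionsJSON = `{"kind":"PodExecOptions","apiVersion":"v1","stdin":true,"stdout":true,"tty":true,"container":"test-exec","command":["sh"]}`

// PodJSON is a constructed minimal Pod with metadata but no annotations map.
const PodJSON = `{"kind":"Pod","apiVersion":"v1","metadata":{"name":"test-exec","namespace":"test"}}`

// Decode parses a JSON object into a generic map; inputs here are fixed constants, so it panics on error.
func Decode(s string) map[string]interface{} {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(s), &m); err != nil {
		panic(err)
	}
	return m
}

// JSON Pointer token escaping per RFC 6901 ("/" -> "~1", "~" -> "~0").
func unescape(tok string) string { return strings.NewReplacer("~1", "/", "~0", "~").Replace(tok) }
func escape(tok string) string   { return strings.NewReplacer("~", "~0", "/", "~1").Replace(tok) }

// ApplyAdd applies one "add" op under the strict RFC 6902 rule that every ancestor of the
// target must already exist. A missing ancestor produces the same class of error the report shows.
func ApplyAdd(doc map[string]interface{}, path string, value interface{}) error {
	parts := strings.Split(strings.TrimPrefix(path, "/"), "/")
	cur := doc
	for _, p := range parts[:len(parts)-1] {
		next, ok := cur[unescape(p)].(map[string]interface{})
		if !ok {
			return fmt.Errorf("add operation does not apply: doc is missing path: %q", path)
		}
		cur = next
	}
	cur[unescape(parts[len(parts)-1])] = value
	return nil
}

// Apply runs a patch in order, stopping at the first failing op.
func Apply(doc map[string]interface{}, ops []PatchOp) error {
	for _, op := range ops {
		if op.Op != "add" {
			return fmt.Errorf("unsupported op %q", op.Op)
		}
		if err := ApplyAdd(doc, op.Path, op.Value); err != nil {
			return err
		}
	}
	return nil
}

// NaiveExemptionPatch records the exempted policies as an annotation and simply assumes
// /metadata/annotations exists. This is the failing pattern: it breaks on any object without it.
func NaiveExemptionPatch(policies []string) []PatchOp {
	return []PatchOp{{Op: "add", Path: "/metadata/annotations/" + escape(ExemptionKey), Value: strings.Join(policies, ",")}}
}

// SafeExemptionPatch builds a patch that is valid for the object it targets: no patch for objects
// without metadata (the exemption still applies, it is just not recorded), a patch that creates the
// whole annotations map when it is absent, and a keyed add otherwise.
func SafeExemptionPatch(obj map[string]interface{}, policies []string) []PatchOp {
	meta, ok := obj["metadata"].(map[string]interface{})
	if !ok {
		return nil
	}
	val := strings.Join(policies, ",")
	if _, ok := meta["annotations"].(map[string]interface{}); !ok {
		return []PatchOp{{Op: "add", Path: "/metadata/annotations", Value: map[string]interface{}{ExemptionKey: val}}}
	}
	return []PatchOp{{Op: "add", Path: "/metadata/annotations/" + escape(ExemptionKey), Value: val}}
}

// Annotation returns the value of an annotation on a decoded object, or "" when absent.
func Annotation(obj map[string]interface{}, key string) string {
	meta, _ := obj["metadata"].(map[string]interface{})
	ann, _ := meta["annotations"].(map[string]interface{})
	v, _ := ann[key].(string)
	return v
}

func main() {
	exec := Decode(PodExecOptionsJSON)
	fmt.Println("naive patch on PodExecOptions:", Apply(exec, NaiveExemptionPatch([]string{"pod_no_exec"})))
	fmt.Println("safe patch on PodExecOptions: ops =", len(SafeExemptionPatch(exec, []string{"pod_no_exec"})))
	pod := Decode(PodJSON)
	fmt.Println("safe patch on Pod:", Apply(pod, SafeExemptionPatch(pod, []string{"pod_no_exec"})), Annotation(pod, ExemptionKey))
}
```

Under the strict RFC 6902 rule every ancestor of an `add` target must exist, so a webhook that wants to annotate an object must either inspect the object's shape first or create `/metadata/annotations` as a whole. For subresource requests such as exec, whose admission object carries no metadata, the safe choice is to allow the request with an empty patch rather than fail the whole admission, which is what turned an exemption into an `InternalError` here.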

dustin-decker commented 4 years ago

Thanks for the report Thorsten, we have just run into this as well. I think I have a fix in https://github.com/cruise-automation/k-rail/pull/61 and will release it soon.

Cheers

dustin-decker commented 4 years ago

What version of Kubernetes are you running?

dustin-decker commented 4 years ago

The fix should be in the v1.3.2 release

curx commented 4 years ago

What version of Kubernetes are you running?

It's v1.17.3 on k3s.

curx commented 4 years ago

LGTM, and it is working again.

Thanks @dustin-decker