cruise-automation / k-rail

Kubernetes security tool for policy enforcement
Apache License 2.0

Bug in Namespace Process Sharing #80

Closed ChrisCooney1 closed 4 years ago

ChrisCooney1 commented 4 years ago

Creating a deployment via the Kubernetes Terraform provider causes K-Rail to reject a deployment that has share_process_namespace set to false. Version of K-Rail is release-v1.5.0.

Example Deployment:

resource "kubernetes_deployment" "deployment" {
  metadata {
    labels = {
      name = "name"
    }

    name      = "name"
    namespace = "namespace"
  }

  spec {
    replicas = 1
    template {
      metadata {
        labels = {
          app = "name"
        }
      }

      spec {
        container {
          image             = "image"
          name              = "name"
          image_pull_policy = "Always"
        }
        share_process_namespace = false # also tried setting this to null.
      }
    }
  }
}
Deployment deployment had violation: No ShareProcessNamespace: sharing the process namespace among containers in a Pod is forbidden.

Looking at the policy, it seems to simply check if the value is present in the YAML and reject on that basis, rather than looking at the actual value. Is this correct?
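
The distinction the report turns on is between a field that is absent and one that is explicitly false. The example below is added here to illustrate it and is not K-Rail's own policy code: it mirrors only the `ShareProcessNamespace *bool` shape of the Kubernetes `PodSpec` (nil when omitted, a pointer to false when set to false) and assumes, as the report suggests, that the Terraform provider writes an explicit `shareProcessNamespace: false` into the pod template. The three pod spec documents are constructed inputs.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PodSpec mirrors only the field relevant here. In the real Kubernetes API
// (k8s.io/api/core/v1) ShareProcessNamespace is likewise a *bool: nil means
// the field was omitted, while a pointer to false means it was set explicitly.
type PodSpec struct {
	ShareProcessNamespace *bool `json:"shareProcessNamespace,omitempty"`
}

// presenceCheck reproduces the behaviour the reporter suspects: any value,
// including an explicit false, is treated as a violation.
func presenceCheck(spec PodSpec) bool {
	return spec.ShareProcessNamespace != nil
}

// valueCheck is the intended policy: only an explicit true actually shares
// the PID namespace between containers, so only that should be rejected.
func valueCheck(spec PodSpec) bool {
	return spec.ShareProcessNamespace != nil && *spec.ShareProcessNamespace
}

// Evaluate decodes a pod spec JSON document, as an admission webhook would
// receive it, and returns the verdict of both checks.
func Evaluate(raw []byte) (presenceViolation, valueViolation bool, err error) {
	var spec PodSpec
	if err := json.Unmarshal(raw, &spec); err != nil {
		return false, false, err
	}
	return presenceCheck(spec), valueCheck(spec), nil
}

// Constructed sample inputs: the three ways the field can arrive.
var samples = map[string]string{
	"omitted":        `{"containers":[{"name":"app","image":"image"}]}`,
	"explicit false": `{"containers":[{"name":"app","image":"image"}],"shareProcessNamespace":false}`,
	"explicit true":  `{"containers":[{"name":"app","image":"image"}],"shareProcessNamespace":true}`,
}

func main() {
	for name, raw := range samples {
		p, v, err := Evaluate([]byte(raw))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-15s presence-check violation=%v  value-check violation=%v\n", name, p, v)
	}
}
```

Only the "explicit false" input separates the two checks: the presence check rejects it, the value check accepts it, and the two agree on the omitted and explicit-true cases. A policy that dereferences the pointer (or uses the equivalent nil-safe comparison) is what lets Terraform-managed workloads that merely state the default pass admission.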

dustin-decker commented 4 years ago

Thanks, also reported in https://github.com/cruise-automation/k-rail/issues/81