datreeio / datree

Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io
https://datree.io
Apache License 2.0

CIS_INVALID_VALUE_SECCOMP_PROFILE is reporting error when it should not #949

Closed Socolin closed 1 year ago

Socolin commented 1 year ago

Since today I'm getting errors on validation about CIS_INVALID_VALUE_SECCOMP_PROFILE on resource kinds, which seems very weird:

I'm not sure I understand why it's required on those?

noorul commented 1 year ago

Team, this is a blocker. I don't see a workaround either. It is surprising to see breaking behaviour without even a version change.

noorul commented 1 year ago

It is failing for this sample manifest:

```yaml
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: sample-vpa
  namespace: gravity
spec:
  resourcePolicy:
    containerPolicies:
    - containerName: '*'
      controlledResources:
      - cpu
      - memory
  targetRef:
    apiVersion: apps/v1
    kind: StatefulSet
    name: sample
  updatePolicy:
    updateMode: Auto
```

hadar-co commented 1 year ago

@Socolin @noorul an incorrect fix was committed which caused these issues, will be fixed shortly :)

noorul commented 1 year ago

@hadar-co But this kind of mistake impacts everyone. Maybe policy changes should be gated properly. We have hundreds of repositories dependent on this. Our CI builds are failing and changes to those repositories are blocked.
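
Added example, not part of the thread and not Datree's rule code: a seccomp-profile check that is scoped to kinds carrying a pod spec, with the VerticalPodAutoscaler manifest reported above used as the regression case that must produce no violation. The function names, the kind-to-path table and the set of accepted profile types are assumptions made for illustration.

```python
# Added example: a hypothetical kind-scoped seccomp check, not Datree's rule code.
ALLOWED = {"RuntimeDefault", "Localhost"}  # assumption: accepted profile types

_TEMPLATE = ("spec", "template", "spec")
# Where the pod spec lives for each kind that actually runs containers.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": _TEMPLATE, "StatefulSet": _TEMPLATE, "DaemonSet": _TEMPLATE,
    "ReplicaSet": _TEMPLATE, "Job": _TEMPLATE,
    "CronJob": ("spec", "jobTemplate") + _TEMPLATE,
}

def pod_spec_of(manifest):
    """Return the pod spec dict, or None when the kind carries no pod spec."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key) or {}
    return node

def _profile_type(owner):
    ctx = owner.get("securityContext") or {}
    return (ctx.get("seccompProfile") or {}).get("type")

def seccomp_violations(manifest):
    """Names of containers whose effective seccomp profile is not allowed."""
    spec = pod_spec_of(manifest)
    if spec is None:
        return []  # rule does not apply to this kind (e.g. VerticalPodAutoscaler)
    pod_level = _profile_type(spec)
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    # A container-level profile overrides the pod-level one.
    return [c.get("name", "<unnamed>") for c in containers
            if (_profile_type(c) or pod_level) not in ALLOWED]

# Constructed inputs: the VPA from the thread, plus two minimal StatefulSets.
VPA = {"apiVersion": "autoscaling.k8s.io/v1", "kind": "VerticalPodAutoscaler",
       "metadata": {"name": "sample-vpa", "namespace": "gravity"},
       "spec": {"targetRef": {"apiVersion": "apps/v1", "kind": "StatefulSet", "name": "sample"},
                "updatePolicy": {"updateMode": "Auto"}}}
STS_BAD = {"kind": "StatefulSet", "spec": {"template": {"spec": {
    "containers": [{"name": "app", "image": "example/app:1"}]}}}}
STS_OK = {"kind": "StatefulSet", "spec": {"template": {"spec": {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/app:1"}]}}}}

if __name__ == "__main__":
    for m in (VPA, STS_BAD, STS_OK):
        print(m["kind"], seccomp_violations(m))
```

Keeping the three constructed manifests as fixtures in the policy's own test suite is one way to gate a rule change before it reaches CI pipelines that depend on it.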