elastisys / compliantkubernetes-apps

Elastisys Compliant Kubernetes is an open source, Certified Kubernetes distribution designed according to the ISO27001 controls: providing you with security tooling and observability from day one.
https://elastisys.io/compliantkubernetes/
Apache License 2.0

Change the NetworkPolicy Gatekeeper constraint for delete actions #2073

Closed linus-astrom closed 3 months ago

linus-astrom commented 6 months ago

Description

Change this Gatekeeper constraint to no longer activate on delete actions. As it could otherwise make the Deployments and other Resources be stuck in pending deletion if the associated NetworkPolicy gets deleted before the Deployment is or if both Resources get deleted at the same time depending on the finalizer.

Additional context

No response

Definition of done

Zash commented 5 months ago

Only that particular constraint? Found a chart setting but I believe it applies widely.

https://github.com/elastisys/compliantkubernetes-apps/blob/7de50bb898d0bf647b9bad2e0bc02c77eb3785c3/helmfile.d/upstream/open-policy-agent-gatekeeper/gatekeeper/README.md?plain=1#L131

linus-astrom commented 5 months ago

Only that particular constraint? Found a chart setting but I believe it applies widely.

https://github.com/elastisys/compliantkubernetes-apps/blob/7de50bb898d0bf647b9bad2e0bc02c77eb3785c3/helmfile.d/upstream/open-policy-agent-gatekeeper/gatekeeper/README.md?plain=1#L131

Yes, I would like it to be only the specified constraint, as it's the one causing problems.

Zash commented 4 months ago

Unable to reproduce this.

Per the validating webhook configuration, this policy should not be involved in deletions at all.

https://github.com/elastisys/compliantkubernetes-apps/blob/f6c941b56f87a73594dac8780d5bc14bb67ec16e/helmfile.d/values/gatekeeper/gatekeeper.yaml.gotmpl#L23-L25

linus-astrom commented 4 months ago

We have found that the Gatekeeper update operation can be used as a delete operation under specific circumstances.

For example, with the NetworkPolicy constraint, if it's set to deny and you have a Deployment and a NetworkPolicy for that Deployment and you delete the NetworkPolicies, then you can normally delete the Deployment afterwards.

But if you have the same situation and the only change is that the Deployment uses a finalizer, then after you delete the NetworkPolicy you will not be able to fully delete the Deployment, and it will be stuck in pending deletion, since the Kubernetes API action for finalizers would edit the key .metadata.deletionTimestamp or, if the delete is fast enough, it will be trying to empty out its metadata.finalizers field. Both actions would be prevented, since the update operation can only be done when a Deployment has a NetworkPolicy, which was deleted in this case.

This makes the update operation act as a delete operation for this Gatekeeper constraint.
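The failure mode described in this thread, as an added example that is not the project's own ConstraintTemplate: a simplified "Deployment must be selected by a NetworkPolicy" Rego rule that skips objects the API server has already marked for deletion, so the finalizer-removal UPDATE is not rejected once the NetworkPolicy is gone. It assumes NetworkPolicies are replicated into data.inventory through a Gatekeeper Config sync and evaluates only podSelector.matchLabels; the deletionTimestamp exemption is one possible mitigation, not the change the issue itself settled on.

```rego
package k8srequirenetworkpolicy

# Added example, not the project's own policy. Assumes NetworkPolicies are
# synced into data.inventory by a Gatekeeper Config resource.

violation[{"msg": msg}] {
  input.review.kind.kind == "Deployment"
  # Without this line the policy also rejects the UPDATE that Kubernetes
  # performs on an object already marked for deletion (metadata.finalizers
  # being emptied), leaving the Deployment stuck once its NetworkPolicy is gone.
  not marked_for_deletion
  not covered_by_networkpolicy
  msg := sprintf("Deployment %v/%v has no NetworkPolicy selecting its pods",
                 [input.review.object.metadata.namespace,
                  input.review.object.metadata.name])
}

# True when the API server has already set deletionTimestamp on the object.
marked_for_deletion {
  input.review.object.metadata.deletionTimestamp
}

# True when at least one NetworkPolicy in the same namespace has a podSelector
# whose matchLabels are all present on the Deployment's pod template.
# matchExpressions are ignored here for brevity; a production policy must
# evaluate them as well. An empty podSelector selects every pod, which the
# count comparison below handles (0 == 0).
covered_by_networkpolicy {
  ns := input.review.object.metadata.namespace
  pod_labels := object.get(input.review.object.spec.template.metadata, "labels", {})
  np := data.inventory.namespace[ns]["networking.k8s.io/v1"]["NetworkPolicy"][_]
  required := object.get(object.get(np.spec, "podSelector", {}), "matchLabels", {})
  matched := {k | v := required[k]; pod_labels[k] == v}
  count(matched) == count(required)
}
```

When tested against the sequence in the thread (delete the NetworkPolicy, then delete a Deployment that carries a finalizer), the update that clears metadata.finalizers now passes because deletionTimestamp is already set, while a normal UPDATE of a live Deployment without a matching NetworkPolicy is still denied.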