Open schnatterer opened 3 years ago
Hey, sorry for answering so late, I'll take a look
There currently is no command showing the version, but you can use pip3 show illuminatio
to see it.
Thanks. I can now confirm it's illuminatio 1.4.0 :-)
$ pip3 show illuminatio
Name: illuminatio
Version: 1.4.0
I cannot reproduce the issue here (I only have a GKE 1.17 cluster readily available), can you rerun illuminatio with debug logging for me? illuminatio -v DEBUG run
The error seems to depend on the netpols applied. I worked with this demo repo and applied the first three netpols described in the readme on a bare GKE 1.16 cluster (you could reproduce with the terraform script provided in the same repo).
Please note the commit ID linked in the demo repo above, because the latest commit results in a different issue (#131).
Find attached the output of illuminatio -v DEBUG run > illuminatio.log 2>&1
illuminatio.log
Hi @schnatterer, thanks for reporting this issue.
The attached log seems to be result of antoher issue (most likely old runners/results were present).
However the API exception could be related to the issue I discovered during #134. There was/is a problem that the name metadata for a port of a k8s service object is not mandatory for a single port, but is mandatory for multiple ports. So if a "dummy" pod + service containing multiple ports is created by illuminatio, this could lead to an API exception.
I will try to verify my assumption later. If my assumption is correct, this issue will be fixed by #134 as well.
I was not able to reproduce this issue using the "newest" version (version of PR #134), but I had to execute some steps of the demo repo manually since the old state used to use Helm2, so maybe I missed something, but at least all NetworkPolicies were applied.
Please note that some of the current NetworkPolicies examples of your repo (https://github.com/cloudogu/k8s-security-demos/tree/master/2-network-policies) are still resulting in a failure for a yet unknown reason. The cause therefor is probably not related to this issue or the named port issue.
I will create a follow-up issue to address this and further improve illuminatio using your examples!
Thanks for investigating this. I will have a closer look at all NetPols in the demo repo next time I'm on it (which will probably be in march), try again with the latest version of illuminatio and file a new issue if need be :wink:
OK, I fixed a little something in my demos and can now provide more accurate steps on how to reproduce this error.
cd 2-network-policies
./apply.sh
kubectl apply -f network-policies/1-ingress-production-deny-all.yaml
kubectl apply -f network-policies/2-ingress-production-allow-traefik-nosqlclient.yaml
kubectl apply -f network-policies/3-ingress-production-allow-nosqlclient-mongo.yaml
kubectl apply -f network-policies/4-ingress-production-allow-prometheus-mongodb.yaml
kubectl apply -f network-policies/5-ingress-kube-system.yaml
kubectl apply -f network-policies/6-ingress-monitoring.yaml
kubectl apply -f network-policies/7-egress-default-and-production-namespace.yaml
# File 8 needs "templating" see README.md
ACTUAL_API_SERVER_ADDRESS=$(kubectl get endpoints --namespace default kubernetes --template="{{range .subsets}}{{range .addresses}}{{.ip}}{{end}}{{end}}")
cat network-policies/8-egress-other-namespaces.yaml \
| sed "s|APISERVER|${ACTUAL_API_SERVER_ADDRESS}/32|" \
| kubectl apply -f -
kubectl apply -f network-policies/9-egress-specific-ips-example.yaml
docker run -ti -v ~/.kube/config:/kubeconfig:ro inovex/illuminatio@sha256:168eabe393f0ae114e4d58d8deee7ce69a0726dd894b91211e47e2b07501bf00 illuminatio clean run
The result is still the same as in the original posting as far as I can see
Starting cleaning resources with policies ['on-request', 'always'] Finished cleanUp Starting test generation and run. Generated 52 cases in 1.9518 seconds
FROM TO PORT
default: :
kube-system: :
kube-system:k8s-app=kube-dns : 53
kube-system:k8s-app=kube-dns : 53
monitoring: :
production: :
default: default: -
: kube-system: -24078
: kube-system:k8s-app=kube-dns -845
: kube-system:app=traefik -21018
: monitoring: -36768
: monitoring:app=prometheus,component=server -30450
illuminatio-inverted-namespace=monitoring:app=prometheus,component=server monitoring:app.kubernetes.io/name=kube-state-metrics -8080
illuminatio-inverted-namespace=monitoring:illuminatio-inverted-app=prometheus,illuminatio-inverted-component=server monitoring:app.kubernetes.io/name=kube-state-metrics -8080
namespace=monitoring:illuminatio-inverted-app=prometheus,illuminatio-inverted-component=server monitoring:app.kubernetes.io/name=kube-state-metrics -8080
: monitoring:app=prometheus,component=node-exporter -10097
: monitoring:app=prometheus,component=alertmanager -46497
: monitoring:app=prometheus,component=kube-state-metrics -34036
illuminatio-inverted-production:run=nosqlclient production: -mongodb
illuminatio-inverted-namespace=kube-system:illuminatio-inverted-app=traefik production: -3000
illuminatio-inverted-production:illuminatio-inverted-run=nosqlclient production: -mongodb
illuminatio-inverted-namespace=monitoring:app=prometheus,component=server production: -metrics
namespace=kube-system:illuminatio-inverted-app=traefik production: -3000
namespace=monitoring:illuminatio-inverted-app=prometheus,illuminatio-inverted-component=server production: -metrics
production:illuminatio-inverted-run=nosqlclient production: -mongodb
illuminatio-inverted-namespace=monitoring:illuminatio-inverted-app=prometheus,illuminatio-inverted-component=server production: -metrics
illuminatio-inverted-namespace=kube-system:app=traefik production: -3000
production:run=nginx production:run=nginx -
illuminatio-inverted-production:run=nosqlclient production:app.kubernetes.io/name=mongodb -mongodb
illuminatio-inverted-production:illuminatio-inverted-run=nosqlclient production:app.kubernetes.io/name=mongodb -mongodb
illuminatio-inverted-namespace=monitoring:app=prometheus,component=server production:app.kubernetes.io/name=mongodb -metrics
namespace=monitoring:illuminatio-inverted-app=prometheus,illuminatio-inverted-component=server production:app.kubernetes.io/name=mongodb -metrics
production:illuminatio-inverted-run=nosqlclient production:app.kubernetes.io/name=mongodb -mongodb
illuminatio-inverted-namespace=monitoring:illuminatio-inverted-app=prometheus,illuminatio-inverted-component=server production:app.kubernetes.io/name=mongodb -metrics
namespace=kube-system:illuminatio-inverted-app=traefik production:run=nosqlclient -3000
illuminatio-inverted-namespace=kube-system:illuminatio-inverted-app=traefik production:run=nosqlclient -3000
illuminatio-inverted-namespace=kube-system:app=traefik production:run=nosqlclient -3000
: kube-system:k8s-app=kube-dns 53
: kube-system:k8s-app=kube-dns 53
namespace=monitoring:app=prometheus,component=server kube-system:app=traefik 9100
: kube-system:app=traefik 80
: kube-system:app=traefik 443
namespace=monitoring:app=prometheus,component=server monitoring:app.kubernetes.io/name=kube-state-metrics 8080
namespace=monitoring:app=prometheus,component=server monitoring:app=prometheus,component=node-exporter metrics
namespace=kube-system:app=traefik monitoring:app=prometheus,component=server 9090
: monitoring:app=prometheus,component=alertmanager 9093
monitoring:app=prometheus,component=server monitoring:app=prometheus,component=alertmanager
: monitoring:app=prometheus,component=kube-state-metrics 8080
monitoring:app=prometheus,component=server monitoring:app=prometheus,component=kube-state-metrics *
production:run=nosqlclient production:app.kubernetes.io/name=mongodb mongodb
namespace=monitoring:app=prometheus,component=server production:app.kubernetes.io/name=mongodb metrics
namespace=kube-system:app=traefik production:run=nosqlclient 3000
Traceback (most recent call last):
File "/usr/local/bin/illuminatio", line 8, in
is there any update to this ?
i think this can be solved if the created illuminatio pods contains ports field when is created
Hi @aasyria, I am currently not actively working on this project anymore, but if you want to submit a PR I'll happily review it.
Tried this demo on a plain k8s 1.16 cluster on GKE.
Freshly installed illuminatio today, so I presume it's version
1.4.0
(BTW can I query the version via CLI?).Did a
illuminatio clean run
which resulted in the following error.