Closed mueller-ma closed 3 months ago
This is fixed in audit-scanner main, yet to be released.
audit-scanner with the fixes behaves correctly:
{"level":"error","error":"no matches for /v1, Resource=pods/ephemeralcontainers","policy":"clusterwide-reproducer","time":"2024-07-11T11:10:07+02:00","message":"failed to obtain unknown GroupVersion resources. The policy may be misconfigured, skipping as error..."}
(just in case, the correct rule is for ephemeralcontainers and not pods/ephemeralcontainers).
I wish that GitHub would automatically show which commits/PRs are part of which tags, would simplify this. Meanwhile, one can see if a specific PR is part of an unreleased draft GH release. There are 3rd party GH actions that can label PRs as part of a tag or not that we could use.
The audit-scanner release will surely be part of 1.15 in a week or 2, closing as there's nothing to do. Feel free to reopen if there's any doubt.
Well, the audit-scanner doesn't crash anymore with that fix, but this policy is still broken, isn't it? The invalid rule has been produced by kwctl:
$ kwctl scaffold manifest -t ClusterAdmissionPolicy registry://ghcr.io/kubewarden/policies/allowed-proc-mount-types-psp:v0.1.9
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  annotations:
    io.kubewarden.policy.category: PSP
    io.kubewarden.policy.severity: medium
  name: allowed-proc-mount-types-psp
spec:
  module: registry://ghcr.io/kubewarden/policies/allowed-proc-mount-types-psp:v0.1.9
  settings: {}
  rules:
  - apiGroups:
    - ''
    apiVersions:
    - v1
    resources:
    - pods
    - pods/ephemeralcontainers
    operations:
    - CREATE
  - apiGroups:
    - ''
    apiVersions:
    - v1
    resources:
    - pods
    - pods/ephemeralcontainers
    operations:
    - UPDATE
  mutating: false
There's also no kwctl scaffold example on artifacthub.io.
Argh, sorry, indeed, the policy metadata needs to be fixed.
There's also no kwctl scaffold example on artifacthub.io
This is generated by kwctl when we build the artifacthub-pkg.yml, and the current release of the policy predates the kwctl that fills in these instructions. Will release a new version of the policy with the fix and the instructions.
The new version 0.1.10 of this policy is now released on artifacthub and GitHub with the updated rules metadata.
Closing :).
Can you double-check if that fix has been included in 0.1.10? For me it doesn't look so, as it still says pods/ephemeralcontainers:
$ kwctl scaffold manifest -t ClusterAdmissionPolicy registry://ghcr.io/kubewarden/policies/allowed-proc-mount-types-psp:v0.1.10
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  annotations:
    io.kubewarden.policy.category: PSP
    io.kubewarden.policy.severity: medium
  name: allowed-proc-mount-types-psp
spec:
  module: registry://ghcr.io/kubewarden/policies/allowed-proc-mount-types-psp:v0.1.10
  settings: {}
  rules:
  - apiGroups:
    - ''
    apiVersions:
    - v1
    resources:
    - pods
    - pods/ephemeralcontainers
    operations:
    - CREATE
  - apiGroups:
    - ''
    apiVersions:
    - v1
    resources:
    - pods
    operations:
    - UPDATE
  mutating: false
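A pre-flight lint for the rules of a scaffolded ClusterAdmissionPolicy, added here as an example; it is not part of this thread, of kwctl or of audit-scanner. It reports the two things that came up above: resource entries containing a slash (subresources such as pods/ephemeralcontainers, the form that produced the "no matches for /v1, Resource=pods/ephemeralcontainers" error in the audit-scanner log), and rule sets whose resources differ between CREATE and UPDATE, which catches a release that updated one operation's rule but not the other. The two rule sets are transcribed from the v0.1.9 and v0.1.10 kwctl scaffold outputs in this thread (constructed input, no cluster access needed); the lint does not decide which spelling of the rule is correct, it only flags what tripped the scanner and what is inconsistent.

```python
# Added example, not from the issue thread, kwctl or audit-scanner:
# lint the `spec.rules` of a scaffolded ClusterAdmissionPolicy before applying it.
#   1. entries with a '/' are subresources; the audit-scanner log in this thread
#      shows it cannot resolve "pods/ephemeralcontainers" via discovery.
#   2. operations whose resource sets differ point at a half-applied metadata fix.
from typing import Dict, List, Set

# Transcribed from the `kwctl scaffold manifest` outputs quoted in the thread.
RULES_V0_1_9: List[Dict] = [
    {"apiGroups": [""], "apiVersions": ["v1"],
     "resources": ["pods", "pods/ephemeralcontainers"], "operations": ["CREATE"]},
    {"apiGroups": [""], "apiVersions": ["v1"],
     "resources": ["pods", "pods/ephemeralcontainers"], "operations": ["UPDATE"]},
]
RULES_V0_1_10: List[Dict] = [
    {"apiGroups": [""], "apiVersions": ["v1"],
     "resources": ["pods", "pods/ephemeralcontainers"], "operations": ["CREATE"]},
    {"apiGroups": [""], "apiVersions": ["v1"],
     "resources": ["pods"], "operations": ["UPDATE"]},
]


def find_subresources(rules: List[Dict]) -> List[str]:
    """Return one 'group/version, Resource=name' string (same shape as the
    audit-scanner error) for every resource entry that names a subresource."""
    hits: List[str] = []
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for version in rule.get("apiVersions", []):
                for res in rule.get("resources", []):
                    if "/" in res:
                        hits.append(f"{group}/{version}, Resource={res}")
    return hits


def resources_by_operation(rules: List[Dict]) -> Dict[str, Set[str]]:
    """Union of the resources every operation (CREATE, UPDATE, ...) applies to."""
    by_op: Dict[str, Set[str]] = {}
    for rule in rules:
        for op in rule.get("operations", []):
            by_op.setdefault(op, set()).update(rule.get("resources", []))
    return by_op


def find_operation_mismatch(rules: List[Dict]) -> List[str]:
    """Empty when all operations cover the same resources; otherwise one
    'OP: [resources]' line per operation so the asymmetry is visible."""
    by_op = resources_by_operation(rules)
    if len({frozenset(res) for res in by_op.values()}) <= 1:
        return []
    return [f"{op}: {sorted(res)}" for op, res in sorted(by_op.items())]


def lint(rules: List[Dict]) -> List[str]:
    """Human-readable findings; an empty list means the rules pass both checks."""
    findings = [f"subresource entry {hit}: the audit-scanner cannot list it"
                for hit in find_subresources(rules)]
    mismatch = find_operation_mismatch(rules)
    if mismatch:
        findings.append("resources differ between operations: " + "; ".join(mismatch))
    return findings


if __name__ == "__main__":
    for name, rules in (("v0.1.9", RULES_V0_1_9), ("v0.1.10", RULES_V0_1_10)):
        print(name)
        for line in lint(rules) or ["ok"]:
            print("  " + line)
```

Run it on the rules section of any `kwctl scaffold manifest` output (after loading the YAML into a dict); v0.1.9 trips only the subresource check, v0.1.10 trips both.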
Reopening, we have to update the UPDATE rules too.
PR merged, and released as v0.1.11 with correct metadata.
Is there an existing issue for this?
Current Behavior
The following policy crashes the audit-scanner (I removed some fields like metadata and namespaceSelector):
Log from audit scanner:
The crash should be fixed by https://github.com/kubewarden/audit-scanner/issues/307, but the policy is still invalid.
Expected Behavior
The policy should be valid.
Steps To Reproduce
No response
Environment
Anything else?
No response