kubewarden / allowed-proc-mount-types-psp-policy

Replacement for the Kubernetes Pod Security Policy that controls the usage of /proc mount types
https://kubewarden.io
Apache License 2.0

Policy crashes audit-scanner #57

Closed mueller-ma closed 3 months ago

mueller-ma commented 3 months ago

Is there an existing issue for this?

Current Behavior

The following policy crashes the audit-scanner (I removed some fields like metadata and namespaceSelector):


apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
spec:
  backgroundAudit: true
  mode: protect
  module: registry://ghcr.io/kubewarden/policies/allowed-proc-mount-types-psp:v0.1.9
  mutating: false
  policyServer: default
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
    - pods/ephemeralcontainers
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - UPDATE
    resources:
    - pods
    - pods/ephemeralcontainers
  settings: {}
  timeoutSeconds: 10

Log from audit scanner:

{"level":"info","RunUID":"74252385-2dd0-43bb-bbff-eee72855ff61","time":"2024-07-08T13:44:17Z","message":"clusterwide resources scan started"}
{"level":"fatal","error":"no matches for /v1, Resource=pods/ephemeralcontainers","time":"2024-07-08T13:44:17Z","message":"Error on cmd.Execute()"}

The crash should be fixed by https://github.com/kubewarden/audit-scanner/issues/307, but the policy is still invalid.

Expected Behavior

The policy should be valid.

Steps To Reproduce

No response

Environment

- OS: Linux
- Architecture: arm64
- Kubernetes: v1.28.10+rke2r1

Anything else?

No response

viccuad commented 3 months ago

This is fixed in audit-scanner main, yet to be released.

audit-scanner with the fixes behaves correctly:

{"level":"error","error":"no matches for /v1, Resource=pods/ephemeralcontainers","policy":"clusterwide-reproducer","time":"2024-07-11T11:10:07+02:00","message":"failed to obtain unknown GroupVersion resources. The policy may be misconfigured, skipping as error..."}

(just in case, the correct rule is for ephemeralcontainers and not pods/ephemeralcontainers).

I wish that GitHub would automatically show which commits/PRs are part of which tags; it would simplify this. Meanwhile, one can see if a specific PR is part of an unreleased draft GH release. There are 3rd party GH actions that can label PRs as part of a tag or not that we could use.

The audit-scanner release will surely be part of 1.15 in a week or 2, closing as there's nothing to do. Feel free to reopen if there's any doubt.
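Added example (not audit-scanner's or the policy's own code): a pre-apply check that resolves every apiGroup/apiVersion/resource triple in a ClusterAdmissionPolicy against the cluster's discovered resources and reports the ones that cannot be resolved, instead of aborting the scan. The discovery table and the manifest dict (what yaml.safe_load would give for the policy in this issue) are constructed inputs.

```python
"""Check ClusterAdmissionPolicy rules against discovered resources.

Mirrors the behaviour of the fixed audit-scanner: an unknown
GroupVersionResource in spec.rules is reported per policy rather than
crashing the whole run.
"""
from typing import Dict, List, Set, Tuple

# Constructed discovery data: (group, version) -> listable resource names.
# The core group is "" as in the manifest. Subresources such as
# "pods/ephemeralcontainers" are valid webhook targets but are not
# listable via discovery, so a background audit cannot resolve them.
DISCOVERED: Dict[Tuple[str, str], Set[str]] = {
    ("", "v1"): {"pods", "services", "configmaps", "namespaces"},
    ("apps", "v1"): {"deployments", "daemonsets", "statefulsets"},
}

# Constructed manifest, as yaml.safe_load would return for the issue's policy.
POLICY = {
    "apiVersion": "policies.kubewarden.io/v1",
    "kind": "ClusterAdmissionPolicy",
    "spec": {
        "backgroundAudit": True,
        "rules": [
            {"apiGroups": [""], "apiVersions": ["v1"], "operations": ["CREATE"],
             "resources": ["pods", "pods/ephemeralcontainers"]},
            {"apiGroups": [""], "apiVersions": ["v1"], "operations": ["UPDATE"],
             "resources": ["pods", "pods/ephemeralcontainers"]},
        ],
    },
}


def unknown_gvrs(policy: dict, discovered: Dict[Tuple[str, str], Set[str]]) -> List[str]:
    """Return 'group/version, Resource=name' for every rule entry discovery
    cannot resolve (same format as the scanner's log line); [] means OK."""
    bad: List[str] = []
    for rule in policy.get("spec", {}).get("rules", []):
        for group in rule.get("apiGroups", []):
            for version in rule.get("apiVersions", []):
                known = discovered.get((group, version), set())
                for res in rule.get("resources", []):
                    if res == "*" or res in known:
                        continue
                    key = f"{group}/{version}, Resource={res}"
                    if key not in bad:  # same GVR may appear in several rules
                        bad.append(key)
    return bad


if __name__ == "__main__":
    for gvr in unknown_gvrs(POLICY, DISCOVERED):
        print(f"policy may be misconfigured, skipping: no matches for {gvr}")
```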

mueller-ma commented 3 months ago

Well, the audit-scanner doesn't crash anymore with that fix, but this policy is still broken, isn't it? The invalid rule has been produced by kwctl:

$ kwctl scaffold manifest -t ClusterAdmissionPolicy registry://ghcr.io/kubewarden/policies/allowed-proc-mount-types-psp:v0.1.9
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  annotations:
    io.kubewarden.policy.category: PSP
    io.kubewarden.policy.severity: medium
  name: allowed-proc-mount-types-psp
spec:
  module: registry://ghcr.io/kubewarden/policies/allowed-proc-mount-types-psp:v0.1.9
  settings: {}
  rules:
  - apiGroups:
    - ''
    apiVersions:
    - v1
    resources:
    - pods
    - pods/ephemeralcontainers
    operations:
    - CREATE
  - apiGroups:
    - ''
    apiVersions:
    - v1
    resources:
    - pods
    - pods/ephemeralcontainers
    operations:
    - UPDATE
  mutating: false

There's also no kwctl scaffold example on artifacthub.io:


viccuad commented 3 months ago

Argh, sorry, indeed, the policy metadata needs to be fixed.

There's also no kwctl scaffold example on artifacthub.io

This is generated by kwctl when we build the artifacthub-pkg.yml, and the current release of the policy predates the kwctl that fills in these instructions. Will release a new version of the policy with the fix and the instructions.

viccuad commented 3 months ago

The new version 0.1.10 of this policy is now released on artifacthub and GitHub with the updated rules metadata.

Closing :).

mueller-ma commented 3 months ago

Can you double-check if that fix has been included in 0.1.10? For me it doesn't look so as it still says pods/ephemeralcontainers:

$ kwctl scaffold manifest -t ClusterAdmissionPolicy registry://ghcr.io/kubewarden/policies/allowed-proc-mount-types-psp:v0.1.10
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  annotations:
    io.kubewarden.policy.category: PSP
    io.kubewarden.policy.severity: medium
  name: allowed-proc-mount-types-psp
spec:
  module: registry://ghcr.io/kubewarden/policies/allowed-proc-mount-types-psp:v0.1.10
  settings: {}
  rules:
  - apiGroups:
    - ''
    apiVersions:
    - v1
    resources:
    - pods
    - pods/ephemeralcontainers
    operations:
    - CREATE
  - apiGroups:
    - ''
    apiVersions:
    - v1
    resources:
    - pods
    operations:
    - UPDATE
  mutating: false

mueller-ma commented 3 months ago

Also see: https://github.com/search?q=repo%3Akubewarden%2Fallowed-proc-mount-types-psp-policy%20ephemeralcontainers&type=code

flavio commented 3 months ago

Reopening, we have to update the UPDATE rules too

viccuad commented 3 months ago

PR merged, and released as v0.1.11 with correct metadata.