kubewarden / seccomp-psp-policy

A Kubewarden Pod Security Policy that controls usage of Seccomp profiles
https://kubewarden.io
Apache License 2.0

inverted logic on if statement? #4

Closed chrisns closed 2 years ago

chrisns commented 2 years ago

I think perhaps the logic on this if statement is inverted? https://github.com/kubewarden/seccomp-psp-policy/blob/11cf8d7e14d72a786a3ed19bef0791070e46b73a/src/settings.rs#L27-L29

trying to follow the readme

kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-seccomp
spec:
  policyServer: default
  module: registry://ghcr.io/kubewarden/policies/seccomp-psp:v0.1.0
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: false
  settings:
    allowed_profiles:
      - runtime/default
      - docker/default
      - localhost/test
    profile_types:
      - RuntimeDefault
      - Localhost
    localhost_profiles:
      - test
EOF

the policy doesn't get past pending

$ kubectl get clusteradmissionpolicies.policies.kubewarden.io
NAME          POLICY SERVER   MUTATING   STATUS
psp-seccomp   default         false      pending

looking at the policy-server logs I see

ERROR policy_server::worker_pool: cannot spawn worker error="[registry://ghcr.io/kubewarden/policies/seccomp-psp:v0.1.0: settings of policy registry://ghcr.io/kubewarden/policies/seccomp-psp:v0.1.0 are invalid: Some(\"Invalid Seccomp profile type: Localhost\")]"

so I tried without localhost

kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-seccomp
spec:
  policyServer: default
  module: registry://ghcr.io/kubewarden/policies/seccomp-psp:v0.1.0
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: false
  settings:
    allowed_profiles:
      - runtime/default
      - docker/default
      - localhost/test
    profile_types:
      - RuntimeDefault
      - Localhost
    localhost_profiles:
      - test
EOF

ERROR policy_server::worker_pool: cannot spawn worker error="[registry://ghcr.io/kubewarden/policies/seccomp-psp:v0.1.0: settings of policy registry://ghcr.io/kubewarden/policies/seccomp-psp:v0.1.0 are invalid: Some(\"Invalid Seccomp profile type: RuntimeDefault\")]"

kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: seccomp
spec:
  module: registry://ghcr.io/kubewarden/policies/seccomp-psp:v0.1.0
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      scope: "Namespaced"
      operations:
      - CREATE
      - UPDATE
  mutating: false
  settings:
    allowed_profiles:
      - runtime/default
    profile_types:
      - RuntimeDefault
EOF

policy-server-default-7ff756f64-knvvs policy-server-default Dec 14 21:57:43.345 ERROR policy_server::worker_pool: cannot spawn worker error="[registry://ghcr.io/kubewarden/policies/seccomp-psp:v0.1.0: settings of policy registry://ghcr.io/kubewarden/policies/seccomp-psp:v0.1.0 are invalid: Some(\"Invalid Seccomp profile type: RuntimeDefault\")]"

kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: seccomp
spec:
  module: registry://ghcr.io/kubewarden/policies/seccomp-psp:v0.1.0
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      scope: "Namespaced"
      operations:
      - CREATE
      - UPDATE
  mutating: false
  settings:
    allowed_profiles:
      - runtime/default
EOF

does however work

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: nginx-seccomp-allowed
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-seccomp
spec:
  containers:
  - name: nginx
    image: nginx
EOF

Error from server: error when creating "tests/seccomp/allowed.yaml": admission webhook "seccomp.kubewarden.admission" denied the request: Resource violations: Invalid container seccomp profile types: RuntimeDefault

jvanz commented 2 years ago

Yes, the if statement is inverted. :facepalm:. I'm fixing this now...

The last issue in your description is another issue. I'll open another bug for it and describe the root cause.
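Added example, not the policy's own settings.rs: a minimal `profile_types` validator with the inverted condition confirmed above beside the corrected one, showing why the manifests in the report were rejected. The `Settings` struct, the known-type list and both function names are assumptions made for illustration.

```rust
// Added example, not code from kubewarden/seccomp-psp-policy. `Settings`,
// the known-type list and the function names are assumptions for illustration.
use std::collections::HashSet;

const KNOWN_PROFILE_TYPES: &[&str] = &["RuntimeDefault", "Localhost", "Unconfined"];

#[derive(Debug, Default)]
pub struct Settings {
    pub allowed_profiles: Vec<String>,
    pub profile_types: Vec<String>,
    pub localhost_profiles: Vec<String>,
}

fn known_types() -> HashSet<&'static str> {
    KNOWN_PROFILE_TYPES.iter().copied().collect()
}

/// Inverted check, as reported in the issue: every *known* type is rejected and
/// an unknown one slips through, reproducing "Invalid Seccomp profile type: RuntimeDefault".
pub fn validate_inverted(settings: &Settings) -> Result<(), String> {
    let known = known_types();
    for t in &settings.profile_types {
        if known.contains(t.as_str()) {
            return Err(format!("Invalid Seccomp profile type: {}", t));
        }
    }
    Ok(())
}

/// Corrected check: reject a type only when it is NOT in the known set, so a
/// typo or made-up type can no longer pass validation.
pub fn validate_fixed(settings: &Settings) -> Result<(), String> {
    let known = known_types();
    for t in &settings.profile_types {
        if !known.contains(t.as_str()) {
            return Err(format!("Invalid Seccomp profile type: {}", t));
        }
    }
    Ok(())
}

/// Constructed settings mirroring the third manifest in the issue.
pub fn settings_from_issue() -> Settings {
    Settings {
        allowed_profiles: vec!["runtime/default".to_string()],
        profile_types: vec!["RuntimeDefault".to_string()],
        ..Default::default()
    }
}
```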

chrisns commented 2 years ago

Cool. Good to know I'm not going (more) mad 😃