kyverno / policies

Kyverno policies for security and best practices
Apache License 2.0

Custom message not working in podSecurity subrule policy #1120

Closed F-Fx closed 1 month ago

F-Fx commented 1 month ago

Kyverno Version

1.8

Kubernetes Version

1.23

Kubernetes Platform

Other (specify in description)

Description

k8s v1.23.17+rke2r1

Message not working in "Restricted Pod Security Standards" policy

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: podsecurity-subrule-restricted-force
  annotations:
    policies.kyverno.io/title:  
    policies.kyverno.io/category: Pod Security, EKS Best Practices
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.8.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The restricted profile of the Pod Security Standards, which is inclusive of
      the baseline profile, is a collection of all the most common configurations
      that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile
      may be assigned to the cluster through a single rule. This policy configures the
      restricted profile through the latest version of the Pod Security Standards cluster wide.      
spec:
  background: true
  validationFailureAction: enforce
  rules:
  - name: restricted
    match:
      any:
      - resources:
          kinds:
          - Pod
    exclude:
        any:
        - resources:
            namespaces:
            - calico-system
            - cattle-fleet-system
            - cattle-impersonation-system
            - cattle-system
            - default
            - istio-system
            - kbp-learn
            - kube-node-lease
            - kube-public
            - kube-system
            - kyverno-policy-test
            - local
            - local-path-storage
            - monitoring
            - policy-reporter
            - sec-kyverno-cert01
            - sec-kyverno-lp01
            - test-monitor
            - tigera-operator
            - restrict-root2
    validate:
      message: "TEST MESSAGE TEST MESSAGE"
      podSecurity:
        level: restricted
        version: latest 

but in a policy like the one below it works fine

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-ns-purpose-label
spec:
  validationFailureAction: enforce
  rules:
  - name: require-ns-purpose-label
    match:
      any:
      - resources:
          kinds:
          - Namespace
    validate:
      pattern:
        metadata:
          labels:
            purpose: production
      message: TEST MESSAGE TEST MESSAGE

Steps to reproduce

  1. Install the policy below
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: podsecurity-subrule-restricted-force
  annotations:
    policies.kyverno.io/title:  
    policies.kyverno.io/category: Pod Security, EKS Best Practices
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.8.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The restricted profile of the Pod Security Standards, which is inclusive of
      the baseline profile, is a collection of all the most common configurations
      that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile
      may be assigned to the cluster through a single rule. This policy configures the
      restricted profile through the latest version of the Pod Security Standards cluster wide.      
spec:
  background: true
  validationFailureAction: enforce
  rules:
  - name: restricted
    match:
      any:
      - resources:
          kinds:
          - Pod
    exclude:
        any:
        - resources:
            namespaces:
            - calico-system
            - cattle-fleet-system
            - cattle-impersonation-system
            - cattle-system
            - default
            - istio-system
            - kbp-learn
            - kube-node-lease
            - kube-public
            - kube-system
            - kyverno-policy-test
            - local
            - local-path-storage
            - monitoring
            - policy-reporter
            - sec-kyverno-cert01
            - sec-kyverno-lp01
            - test-monitor
            - tigera-operator
            - restrict-root2
    validate:
      message: "TEST MESSAGE TEST MESSAGE"
      podSecurity:
        level: restricted
        version: latest 
  2. Try to deploy a pod like the one below
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod-root
spec:
  containers:
  - name: privileged-container
    image: nginx
    securityContext:
      privileged: false
  3. The admission webhook "validate.kyverno.svc-fail" denies the request, but the log does not contain the message "TEST MESSAGE TEST MESSAGE"

Expected behavior

The request is denied and the log contains the message "TEST MESSAGE TEST MESSAGE"

Screenshots

No response

Kyverno logs

Error from server: error when creating "test_nginx.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: 

policy Pod/restrict-root/privileged-pod-root for resource violation: 

podsecurity-subrule-restricted-force:
  restricted: |
    Validation rule 'restricted' failed. It violates PodSecurity "restricted:latest": ({Allowed:false ForbiddenReason:allowPrivilegeEscalation != false ForbiddenDetail:container "privileged-container" must set securityContext.allowPrivilegeEscalation=false})
    ({Allowed:false ForbiddenReason:allowPrivilegeEscalation != false ForbiddenDetail:container "privileged-container" must set securityContext.allowPrivilegeEscalation=false})
    ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "privileged-container" must set securityContext.capabilities.drop=["ALL"]})
    ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "privileged-container" must set securityContext.capabilities.drop=["ALL"]})
    ({Allowed:false ForbiddenReason:runAsNonRoot != true ForbiddenDetail:pod or container "privileged-container" must set securityContext.runAsNonRoot=true})
    ({Allowed:false ForbiddenReason:seccompProfile ForbiddenDetail:pod or container "privileged-container" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"})
    ({Allowed:false ForbiddenReason:seccompProfile ForbiddenDetail:pod or container "privileged-container" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"})

Slack discussion

No response

Troubleshooting

F-Fx commented 1 month ago

Describe output of the installed policy

Name:         podsecurity-subrule-restricted-force
Namespace:    
Labels:       <none>
Annotations:  kyverno.io/kubernetes-version: 1.24
              kyverno.io/kyverno-version: 1.8.0
              policies.kyverno.io/category: Pod Security, EKS Best Practices
              policies.kyverno.io/description:
                The restricted profile of the Pod Security Standards, which is inclusive of the baseline profile, is a collection of all the most common c...
              policies.kyverno.io/minversion: 1.8.0
              policies.kyverno.io/severity: medium
              policies.kyverno.io/subject: Pod
              policies.kyverno.io/title: Restricted Pod Security Standards
API Version:  kyverno.io/v1
Kind:         ClusterPolicy
Metadata:
  Creation Timestamp:  2024-08-07T06:41:10Z
  Generation:          9
  Resource Version:    275694070
  UID:                 c306065f-8735-4c56-a311-a2c4ae7233e1
Spec:
  Background:  true
  Rules:
    Exclude:
      Any:
        Resources:
          Namespaces:
            calico-system
            cattle-fleet-system
            cattle-impersonation-system
            cattle-system
            default
            istio-system
            kbp-learn
            kube-node-lease
            kube-public
            kube-system
            kyverno-policy-test
            local
            local-path-storage
            monitoring
            policy-reporter
            sec-kyverno-cert01
            sec-kyverno-lp01
            test-monitor
            tigera-operator
            restrict-root2
    Match:
      Any:
        Resources:
          Kinds:
            Pod
    Name:  restricted
    Validate:
      Message:  TEST MESSAGE TEST MESSAGE
      Pod Security:
        Level:                restricted
        Version:              latest
  Validation Failure Action:  enforce
Status:
  Autogen:
    Rules:
      Exclude:
        Any:
          Resources:
            Namespaces:
              calico-system
              cattle-fleet-system
              cattle-impersonation-system
              cattle-system
              default
              istio-system
              kbp-learn
              kube-node-lease
              kube-public
              kube-system
              kyverno-policy-test
              local
              local-path-storage
              monitoring
              policy-reporter
              sec-kyverno-cert01
              sec-kyverno-lp01
              test-monitor
              tigera-operator
              restrict-root2
        Resources:
      Generate:
        Clone:
        Clone List:
      Match:
        Any:
          Resources:
            Kinds:
              DaemonSet
              Deployment
              Job
              StatefulSet
        Resources:
      Mutate:
      Name:  autogen-restricted
      Validate:
        Message:  TEST MESSAGE TEST MESSAGE
        Pod Security:
          Level:    restricted
          Version:  latest
      Exclude:
        Any:
          Resources:
            Namespaces:
              calico-system
              cattle-fleet-system
              cattle-impersonation-system
              cattle-system
              default
              istio-system
              kbp-learn
              kube-node-lease
              kube-public
              kube-system
              kyverno-policy-test
              local
              local-path-storage
              monitoring
              policy-reporter
              sec-kyverno-cert01
              sec-kyverno-lp01
              test-monitor
              tigera-operator
              restrict-root2
        Resources:
      Generate:
        Clone:
        Clone List:
      Match:
        Any:
          Resources:
            Kinds:
              CronJob
        Resources:
      Mutate:
      Name:  autogen-cronjob-restricted
      Validate:
        Message:  TEST MESSAGE TEST MESSAGE
        Pod Security:
          Level:    restricted
          Version:  latest
  Conditions:
    Last Transition Time:  2024-08-07T06:41:11Z
    Message:               
    Reason:                Succeeded
    Status:                True
    Type:                  Ready
  Ready:                   true
Events:
  Type     Reason           Age   From               Message
  ----     ------           ----  ----               -------
  Warning  PolicyViolation  6m    kyverno-admission  Pod restrict-root/privileged-pod-root: [restricted] fail (blocked)
chipzoller commented 1 month ago

Custom messages do not work with the podSecurity subrule. The message is automatically provided by the PSA libraries. To use custom messages you must use traditional validate rules similar to how the policies Helm chart.
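As an added illustration of the workaround described in the comment above (this is example code, not a policy from the issue or from the kyverno/policies repository): the same three failures that appear in the log above (allowPrivilegeEscalation, capabilities, runAsNonRoot) expressed as traditional pattern-based validate rules, each carrying its own message. The policy and rule names are assumptions chosen for this example; the namespace exclusions from the original policy are omitted for brevity.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restricted-custom-messages   # assumed name for this example
spec:
  validationFailureAction: enforce
  background: true
  rules:
  # Each rule carries its own message, which Kyverno returns verbatim on
  # denial. The podSecurity subrule cannot do this because its message is
  # produced by the PSA library.
  - name: disallow-privilege-escalation
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        Privilege escalation is disallowed. securityContext.allowPrivilegeEscalation
        must be set to false on every container, initContainer and ephemeralContainer.
      pattern:
        spec:
          # =( ) marks an optional field: checked only if present
          =(ephemeralContainers):
          - securityContext:
              allowPrivilegeEscalation: "false"
          =(initContainers):
          - securityContext:
              allowPrivilegeEscalation: "false"
          containers:
          - securityContext:
              allowPrivilegeEscalation: "false"
  - name: require-drop-all
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        Containers must drop all Linux capabilities:
        securityContext.capabilities.drop must contain ALL.
      pattern:
        spec:
          =(ephemeralContainers):
          - securityContext:
              capabilities:
                drop: [ALL]
          =(initContainers):
          - securityContext:
              capabilities:
                drop: [ALL]
          containers:
          - securityContext:
              capabilities:
                drop: [ALL]
  - name: require-run-as-nonroot
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        Running as root is not allowed. Set securityContext.runAsNonRoot to true
        at the pod level or on every container.
      anyPattern:
      # Either the pod-level setting is true and no container overrides it...
      - spec:
          securityContext:
            runAsNonRoot: "true"
          =(ephemeralContainers):
          - =(securityContext):
              =(runAsNonRoot): "true"
          =(initContainers):
          - =(securityContext):
              =(runAsNonRoot): "true"
          containers:
          - =(securityContext):
              =(runAsNonRoot): "true"
      # ...or every container sets it explicitly.
      - spec:
          =(ephemeralContainers):
          - securityContext:
              runAsNonRoot: "true"
          =(initContainers):
          - securityContext:
              runAsNonRoot: "true"
          containers:
          - securityContext:
              runAsNonRoot: "true"
```

Applied with `kubectl apply -f`, this policy denies the `privileged-pod-root` Pod from the reproduction steps on all three rules, and each denial carries the rule's own `message` instead of the PSA library text. Because the rules match `Pod`, Kyverno also autogenerates the corresponding rules for Deployments, DaemonSets, Jobs, StatefulSets and CronJobs, as the describe output above shows for the original policy. These three rules cover only the controls that failed in the log; the restricted profile includes further checks (seccompProfile, for example), so either add rules for the remaining controls or keep the `podSecurity` rule alongside these for full coverage.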