kyverno / policies

Kyverno policies for security and best practices
Apache License 2.0

Error from server: error when creating "allowed_container.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: #979

Closed amentee closed 6 months ago

amentee commented 6 months ago

Kyverno Version

1.12

Kubernetes Version

1.29

Kubernetes Platform

Minikube

Description

I referred to one policy from https://kyverno.io/policies/other/allowed-image-repos/allowed-image-repos/ and tried testing it on a minikube setup on my MacBook. I was setting the policy in Enforce mode, and even after putting the right image in the pod definition, it gives me the below error.

Error from server: error when creating "allowed_container.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: 

resource Pod/default/allowed was blocked due to the following policies 

allowed-image-repos:
  good-repos: 'All images in this Pod must come from an authorized repository.

Steps to reproduce

  1. Install Kyverno using the Helm instructions present at https://kyverno.io/docs/installation/methods/
  2. After that, create a policy file with the below contents:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-image-repos
  annotations:
    policies.kyverno.io/title: Allowed Image Repositories
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      In addition to restricting the image registry from which images are pulled, in some cases
      and environments it may be required to also restrict which image repositories are used,
      for example in some restricted Namespaces. This policy ensures that the only allowed
      image repositories present in a given Pod, across any container type, come from the
      designated list.
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: good-repos
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          All images in this Pod must come from an authorized repository.
        deny:
          conditions:
            all:
            - key: "{{ images.[containers, initContainers, ephemeralContainers][].*.name[] }}"
              operator: AnyNotIn
              value:
              - "gcr.io/datadoghq/agent"
```

  3. After that, create the policy by running kubectl apply -f .yml
  4. After that, create the below pod definition file:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: allowed
spec:
  containers:
    - name: allowed
      image: "gcr.io/datadoghq/agent"
      resources:
        limits:
          cpu: "10m"
          memory: "30Mi"
```

Since it is using the correct image, the pod should be created. And if I change the image to something else, it should fail. That is what is expected, but it's not happening, unfortunately.

Expected behavior

Pod should get created if right image is used and policy report should show the count of Pass as 1.

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting
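The following is an added example, not code from the issue or from the kyverno/policies repository: a small offline re-implementation of the policy's deny condition (collect every image across containers, initContainers and ephemeralContainers, then apply AnyNotIn against the allow-list), so a Pod manifest can be checked against the allow-list before it reaches the admission webhook. The reference-splitting function is this script's own model of an image reference, written to mirror the registry/path/name components Kyverno exposes for images; the `repository` field name, the `evaluate` helper and the second Pod are constructed for the example and are not Kyverno's.

```python
"""Offline evaluator for an allowed-image-repos style deny condition.

Added example, not Kyverno code. split_reference() is this script's own model
of an image reference (assumption), written to mirror the registry/path/name
components Kyverno exposes for the images in a Pod.
"""
from typing import Iterable

# The three container lists the policy's key expression walks.
CONTAINER_KINDS = ("containers", "initContainers", "ephemeralContainers")

# The `value` list of the policy from the issue.
ALLOWED_REPOS = ["gcr.io/datadoghq/agent"]


def split_reference(ref: str) -> dict:
    """Split an image reference into registry, path, name, tag and digest.

    `repository` (registry + path, without tag or digest) is this script's own
    field name for the value an allow-list of repositories should be compared with.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' after the last '/' separates the tag; an earlier one belongs to a host:port.
    tag = "latest"
    last_slash, last_colon = ref.rfind("/"), ref.rfind(":")
    if last_colon > last_slash:
        ref, tag = ref[:last_colon], ref[last_colon + 1:]
    parts = ref.split("/")
    # The first component is a registry host only if it looks like one ('.', ':' or localhost).
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path_parts = parts[0], parts[1:]
    else:
        registry, path_parts = "docker.io", parts  # Docker Hub default; "library/" not expanded
    path = "/".join(path_parts)
    return {
        "registry": registry,
        "path": path,
        "name": path_parts[-1],
        "tag": tag,
        "digest": digest,
        "repository": f"{registry}/{path}",
    }


def pod_images(pod: dict) -> list:
    """Collect the image reference of every container of every kind in the Pod."""
    spec = pod.get("spec", {})
    return [c["image"] for kind in CONTAINER_KINDS for c in spec.get(kind, []) if "image" in c]


def any_not_in(keys: Iterable[str], values: Iterable[str]) -> bool:
    """Kyverno's AnyNotIn operator: true when at least one key element is absent from values."""
    allowed = set(values)
    return any(k not in allowed for k in keys)


def evaluate(pod: dict, allowed: list, field: str = "repository") -> tuple:
    """Return (denied, offending) for the Pod, comparing the chosen image component
    against the allow-list the way a deny/all/AnyNotIn condition does."""
    keys = [split_reference(img)[field] for img in pod_images(pod)]
    offending = [k for k in keys if k not in set(allowed)]
    return any_not_in(keys, allowed), offending


# The Pod from the issue, plus a constructed variant that adds an init container
# from a repository outside the allow-list.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "allowed"},
    "spec": {"containers": [{"name": "allowed", "image": "gcr.io/datadoghq/agent"}]},
}
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "not-allowed"},
    "spec": {
        "containers": [{"name": "allowed", "image": "gcr.io/datadoghq/agent:7"}],
        "initContainers": [{"name": "init", "image": "nginx:1.25"}],
    },
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        denied, offending = evaluate(pod, ALLOWED_REPOS)
        print(pod["metadata"]["name"], "denied" if denied else "allowed", offending)
    # Comparing only the last path component against full repository strings denies every
    # Pod; that mismatch is the first thing to check when a correctly imaged Pod is blocked.
    print("good pod, name component only:", evaluate(GOOD_POD, ALLOWED_REPOS, field="name"))
```

The last call shows why the key expression matters: if the compared component is the bare image name rather than the full repository, no Pod can ever satisfy an allow-list of repository strings. The same check can be run against the real policy before switching it to Enforce with the Kyverno CLI (`kyverno apply` or a `kyverno test` suite) against the Pod manifests in question.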

JimBugwadia commented 6 months ago

See discussion at: https://kubernetes.slack.com/archives/CLGR9BJU9/p1714154326018659

amentee commented 6 months ago

Thanks @JimBugwadia for the help. Closing the issue now.