Open tmyhu opened 2 weeks ago
maxsmythe
commented
1 week ago Can you give an example of the input that raises the example violation?
@JaydipGabani I see a bug in the CEL variation of the code -- we will not throw a violation for hostNetwork if all containers in the pod are exempt. This does not mirror the Rego behavior, where hostNetwork is not affected by exempt containers. Can we make the hostNetwork test a separate violation?
tmyhu
commented
1 week ago This is an example pod that uses one of the exempt images but still raises the violation:
apiVersion: v1
kind: Pod
metadata:
labels:
beat.k8s.elastic.co/name: filebeat8
beat.k8s.elastic.co/version: 8.13.2
common.k8s.elastic.co/type: beat
name: filebeat8-beat-filebeat-zs4m5
namespace: logging
spec:
automountServiceAccountToken: true
containers:
- args:
- -e
- -c
- /etc/beat.yml
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
image: docker.elastic.co/beats/filebeat:8.13.2
imagePullPolicy: IfNotPresent
name: filebeat
resources:
limits:
cpu: 100m
memory: 300Mi
requests:
cpu: 100m
memory: 300Mi
securityContext:
runAsUser: 0
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /usr/share/filebeat/data
name: beat-data
- mountPath: /etc/beat.yml
name: config
readOnly: true
subPath: beat.yml
- mountPath: /var/log/containers
name: varlogcontainers
readOnly: true
- mountPath: /var/log/pods
name: varlogpods
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-m4kkk
readOnly: true
dnsPolicy: ClusterFirstWithHostNet
enableServiceLinks: true
hostNetwork: true
nodeName: REDACTED
preemptionPolicy: PreemptLowerPriority
priority: 0
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: filebeat8
serviceAccountName: filebeat8
terminationGracePeriodSeconds: 30
volumes:
- hostPath:
path: /var/lib/logging/filebeat8/filebeat-data
type: DirectoryOrCreate
name: beat-data
- name: config
secret:
defaultMode: 292
optional: false
secretName: filebeat8-beat-filebeat-config
- hostPath:
path: /var/log/containers
type: ""
name: varlogcontainers
- hostPath:
path: /var/log/pods
type: ""
name: varlogpods
- name: kube-api-access-m4kkk
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
ritazh
commented
1 week ago hostNetwork violation does not check for exemptImages.
tmyhu
commented
1 week ago So are you saying this is intentional since the CEL version is now being updated to behave the same? It would sure be useful to define exceptions for hostNetwork via the exemptImages parameter but if that's not desired, at least the description should be updated to reflect this and prevent others from falling into the same trap as me?
ritazh
commented
1 week ago So are you saying this is intentional since the CEL version is now being updated to behave the same? It would sure be useful to define exceptions for hostNetwork via the
exemptImagesparameter but if that's not desired, at least the description should be updated to reflect this and prevent others from falling into the same trap as me?
Yes. @JaydipGabani can you pls update the description based on this feedback in your PR?
Using the
exemptImagesparameter with aK8sPSPHostNetworkingPortsconstraint does not seem to work, containers with the given images are still flagged as violations.Example constraint:
Example violation:
Note that I looked at how the other templates handle this and tried to randomly add the same lines into this template at L96:
That seemed to solve the problem in my case, all violations for filebeat and node-exporter containers disappeared. Not sure what a clean solution would look like though 🤷♂️