Closed parthi-demod closed 2 years ago
This was discovered as part of SETech assessment. I will dig more into it.
Hey @parthi-demod, I think the issue is related to the GKE Autopilot project, not to the Secure For Cloud one.
I will move this info internally with our PMs so that we can act on this issue.
Thanks for your patience :)
Hey @parthi-demod, can you email me please?
eric.lugo@sysdig.com
Encountered the following limitation(s)/violation(s) when installing the Sysdig agent on GKE Autopilot:
a) no write mode on hostPath
b) enabling hostPID is not allowed in Autopilot
c) hence the admission webhook denies the request
server ([denied by autogke-disallow-hostnamespaces]|[denied by autogke-disallow-privilege]|[denied by autogke-no-write-mode-hostpath]): error when creating "/tmp/sysdig-agent-k8s.RJV5a5/sysdig-agent-daemonset-v2.yaml": admission webhook "policycontrollerv2.common-webhooks.networking.gke.io" denied the request: GKE Policy Controller rejected the request because it violates one or more policies:
{
  "[denied by autogke-disallow-hostnamespaces]": [
    "enabling hostPID is not allowed in Autopilot. Requested by user: 'parthi.northcove@gmail.com', groups: 'system:authenticated'.",
    "enabling hostNetwork is not allowed in Autopilot. Requested by user: 'parthi.northcove@gmail.com', groups: 'system:authenticated'."
  ],
  "[denied by autogke-disallow-privilege]": [
    "container sysdig-agent is privileged; not allowed in Autopilot"
  ],
  "[denied by autogke-no-write-mode-hostpath]": [
    "hostPath volume dev-vol in container sysdig-agent is accessed in write mode; disallowed in Autopilot. Requested by user: 'parthi.northcove@gmail.com', groups: 'system:authenticated'.",
    "hostPath volume run-vol in container sysdig-agent is accessed in write mode; disallowed in Autopilot. Requested by user: 'parthi.northcove@gmail.com', groups: 'system:authenticated'.",
    "hostPath volume varrun-vol in container sysdig-agent is accessed in write mode; disallowed in Autopilot. Requested by user: 'parthi.northcove@gmail.com', groups: 'system:authenticated'.",
    "hostPath volume modprobe-d used in container sysdig-agent uses path /etc/modprobe.d which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]. Requested by user: 'parthi.northcove@gmail.com', groups: 'system:authenticated'.",
    "hostPath volume proc-vol used in container sysdig-agent uses path /proc which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]. Requested by user: 'parthi.northcove@gmail.com', groups: 'system:authenticated'.",
    "hostPath volume boot-vol used in container sysdig-agent uses path /boot which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]. Requested by user: 'parthi.northcove@gmail.com', groups: 'system:authenticated'.",
    "hostPath volume modules-vol used in container sysdig-agent uses path /lib/modules which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]. Requested by user: 'parthi.northcove@gmail.com', groups: 'system:authenticated'.",
    "hostPath volume usr-vol used in container sysdig-agent uses path /usr which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]. Requested by user: 'parthi.northcove@gmail.com', groups: 'system:authenticated'.",
    "hostPath volume osrel used in container sysdig-agent uses path /etc/os-release which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]. Requested by user: 'parthi.northcove@gmail.com', groups: 'system:authenticated'.",
    "hostPath volume sys-tracing used in container sysdig-agent uses path /sys/kernel/debug which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]. Requested by user: 'parthi.northcove@gmail.com', groups: 'system:authenticated'."
  ]
}
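The three policy families in the webhook output above (host namespaces, privileged containers, hostPath write mode and path prefix) can be checked locally before an apply, so the rejection is known in advance rather than discovered from the admission error. The following is an added example and not Sysdig's or Google's code: it evaluates a Pod spec dictionary against the constraints the webhook named, using the allowed prefix list the webhook reported ([/var/log/]). The constructed spec, its mount paths, and the /run path assumed for run-vol are illustrative assumptions (the webhook output does not list that path), and "write mode" is approximated as a volumeMount without readOnly: true.

```python
"""Local pre-flight check of a Pod spec against the GKE Autopilot policies
quoted in the admission-webhook output on this page.

Added example, not Sysdig's or Google's code. The policy names mirror the
webhook message; the evaluation logic is a local approximation of it.
"""

# Allowed hostPath prefixes as reported by the webhook in this thread.
ALLOWED_HOSTPATH_PREFIXES = ("/var/log/",)


def check_autopilot(pod_spec):
    """Return a list of violation strings; an empty list means the spec
    passes the checks modelled here."""
    violations = []

    # autogke-disallow-hostnamespaces: host PID / network namespaces.
    if pod_spec.get("hostPID"):
        violations.append("[autogke-disallow-hostnamespaces] hostPID enabled")
    if pod_spec.get("hostNetwork"):
        violations.append("[autogke-disallow-hostnamespaces] hostNetwork enabled")

    # Map volume name -> host path for every hostPath volume.
    host_paths = {
        v["name"]: v["hostPath"]["path"]
        for v in pod_spec.get("volumes", [])
        if "hostPath" in v
    }

    for c in pod_spec.get("containers", []):
        # autogke-disallow-privilege: privileged security context.
        if c.get("securityContext", {}).get("privileged"):
            violations.append(
                f"[autogke-disallow-privilege] container {c['name']} is privileged")

        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue  # not a hostPath volume
            # Approximation of "accessed in write mode": mount not read-only.
            if not m.get("readOnly", False):
                violations.append(
                    f"[autogke-no-write-mode-hostpath] hostPath {m['name']} "
                    f"mounted read-write in container {c['name']}")
            # The webhook groups the path-prefix rule under the same policy.
            if not path.startswith(ALLOWED_HOSTPATH_PREFIXES):
                violations.append(
                    f"[autogke-no-write-mode-hostpath] hostPath {m['name']} uses "
                    f"{path}, outside {list(ALLOWED_HOSTPATH_PREFIXES)}")
    return violations


# Constructed spec modelled on the rejected agent DaemonSet. The /run path for
# run-vol and all mountPath values are assumptions for illustration.
AGENT_LIKE_SPEC = {
    "hostPID": True,
    "hostNetwork": True,
    "volumes": [
        {"name": "run-vol", "hostPath": {"path": "/run"}},
        {"name": "proc-vol", "hostPath": {"path": "/proc"}},
        {"name": "modules-vol", "hostPath": {"path": "/lib/modules"}},
        {"name": "log-vol", "hostPath": {"path": "/var/log/"}},
    ],
    "containers": [{
        "name": "sysdig-agent",
        "securityContext": {"privileged": True},
        "volumeMounts": [
            {"name": "run-vol", "mountPath": "/host/run"},
            {"name": "proc-vol", "mountPath": "/host/proc", "readOnly": True},
            {"name": "modules-vol", "mountPath": "/host/lib/modules", "readOnly": True},
            {"name": "log-vol", "mountPath": "/host/var/log", "readOnly": True},
        ],
    }],
}

# Constructed spec that stays inside the modelled constraints.
COMPLIANT_SPEC = {
    "volumes": [{"name": "log-vol", "hostPath": {"path": "/var/log/"}}],
    "containers": [{
        "name": "log-shipper",
        "volumeMounts": [
            {"name": "log-vol", "mountPath": "/host/var/log", "readOnly": True},
        ],
    }],
}

if __name__ == "__main__":
    for name, spec in (("agent-like", AGENT_LIKE_SPEC), ("compliant", COMPLIANT_SPEC)):
        found = check_autopilot(spec)
        print(f"{name}: {len(found)} violation(s)")
        for v in found:
            print("  " + v)
```

The agent-like spec trips every family the webhook reported: both host namespaces, the privileged container, the read-write run-vol mount, and three paths outside the allowed prefix; the read-only /var/log/ mount is the only one that passes, which matches the prefix list in the webhook text.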