[Bug] Reports are not created for validate.podSecurity rules #10210

Closed
2 tasks done
JimBugwadia opened this issue May 9, 2024 · 3 comments · Fixed by #10255
Labels
bug Something isn't working release-critical Critical issues which MUST be addressed in the specified milestone. These cannot get bumped. reports Issues related to policy reports. validate.podSecurity podSecurity sub-rule type

Comments

@JimBugwadia
Member

Kyverno Version

1.12.0

Description

Install the latest and apply this policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psa
spec:
  background: true
  validationFailureAction: Enforce
  rules:
  - name: baseline
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      podSecurity:
        level: restricted
        version: latest

Check for reports:

kubectl get polr -A -w

Check the report controller logs:

kubectl -n kyverno logs deploy/kyverno-reports-controller
2024-05-08T22:07:38Z	ERROR	EventGenerator	event/controller.go:129	dropping event	{"key": "&Event{ObjectMeta:{kube-apiserver-minikube.17cda2d2ac592605  kube-system    0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] [] []},EventTime:2024-05-08 22:07:38.816381969 +0000 UTC m=+12.714888757,Series:nil,ReportingController:kyverno-scan,ReportingInstance:kyverno-scan-kyverno-reports-controller-759d4f6488-sf8vp,Action:Resource Passed,Reason:PolicyViolation,Regarding:{Pod kube-system kube-apiserver-minikube 3075c729-74b1-4d2d-b162-2069188dde51 v1  },Related:nil,Note:policy psa/baseline fail: Validation rule 'baseline' failed. It violates PodSecurity \"restricted:latest\": (Forbidden reason: allowPrivilegeEscalation != false, field error list: [spec.containers[0].securityContext.allowPrivilegeEscalation: Required value])(Forbidden reason: unrestricted capabilities, field error list: [spec.containers[0].securityContext.capabilities.drop: Required value])(Forbidden reason: host namespaces, field error list: [spec.hostNetwork is forbidden, forbidden values found: true])(Forbidden reason: hostPath volumes, field error list: [spec.volumes[0].hostPath is forbidden, forbidden values found: /etc/ssl/certs, spec.volumes[1].hostPath is forbidden, forbidden values found: /etc/ca-certificates, spec.volumes[2].hostPath is forbidden, forbidden values found: /var/lib/minikube/certs, spec.volumes[3].hostPath is forbidden, forbidden values found: /usr/local/share/ca-certificates, spec.volumes[4].hostPath is forbidden, forbidden values found: /usr/share/ca-certificates])(Forbidden reason: restricted volume types, field error list: [spec.volumes[0].hostPath: Forbidden, spec.volumes[1].hostPath: Forbidden, spec.volumes[2].hostPath: Forbidden, spec.volumes[3].hostPath: Forbidden, spec.volumes[4].hostPath: Forbidden])(Forbidden reason: runAsNonRoot != true, field error list: [spec.containers[0].securityContext.runAsNonRoot: Required value]),Type:Warning,DeprecatedSource:{ 
},DeprecatedFirstTimestamp:0001-01-01 00:00:00 +0000 UTC,DeprecatedLastTimestamp:0001-01-01 00:00:00 +0000 UTC,DeprecatedCount:0,}", "error": "Event \"kube-apiserver-minikube.17cda2d2ac592605\" is invalid: message: Invalid value: \"\": can have at most 1024 characters"}
github.com/kyverno/kyverno/pkg/event.(*controller).processNextWorkItem
	github.com/kyverno/kyverno/pkg/event/controller.go:129
github.com/kyverno/kyverno/pkg/event.(*controller).Run.func1
	github.com/kyverno/kyverno/pkg/event/controller.go:100
github.com/kyverno/kyverno/pkg/event.(*controller).Run.(*Group).StartWithContext.func2
	k8s.io/apimachinery@v0.29.2/pkg/util/wait/wait.go:63
k8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1
	k8s.io/apimachinery@v0.29.2/pkg/util/wait/wait.go:72

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
@JimBugwadia JimBugwadia added bug Something isn't working triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels May 9, 2024
@JimBugwadia JimBugwadia added this to the Kyverno Release 1.12.2 milestone May 9, 2024
@realshuting realshuting added reports Issues related to policy reports. validate.podSecurity podSecurity sub-rule type and removed triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels May 9, 2024
@MariamFahmy98 MariamFahmy98 self-assigned this May 9, 2024
@MariamFahmy98
Collaborator

MariamFahmy98 commented May 13, 2024

I am not able to reproduce this issue. Here are the steps I followed:

  1. Create a bad pod:
apiVersion: v1
kind: Pod
metadata:
  name: badpod01
spec:
  hostIPC: true
  containers:
  - name: container01
    image: dummyimagename
  2. Create a policy:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psa
spec:
  background: true
  validationFailureAction: Enforce
  rules:
  - name: baseline
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      podSecurity:
        level: baseline
        version: latest
  3. Get reports:
$ kubectl get polr
NAME                                   KIND   NAME       PASS   FAIL   WARN   ERROR   SKIP   AGE
45ac862c-70a2-4880-a02e-04e04be513ff   Pod    badpod01   0      1      0      0       0      3m18s
  4. Check the events:
$ kubectl get events | grep badpod01
4m59s       Warning   PolicyViolation           pod/badpod01              policy psa/baseline fail: Validation rule 'baseline' failed. It violates PodSecurity "baseline:latest": (Forbidden reason: host namespaces, field error list: [spec.hostIPC is forbidden, forbidden values found: true])
5m28s       Warning   PolicyViolation           clusterpolicy/psa         Pod default/badpod01: [baseline] fail; Validation rule 'baseline' failed. It violates PodSecurity "baseline:latest": (Forbidden reason: host namespaces, field error list: [spec.hostIPC is forbidden, forbidden values found: true])
4m59s       Warning   PolicyViolation           clusterpolicy/psa         Pod default/badpod01: [baseline] fail; Validation rule 'baseline' failed. It violates PodSecurity "baseline:latest": (Forbidden reason: host namespaces, field error list: [spec.hostIPC is forbidden, forbidden values found: true])

I tested it against the main branch.

@thorker

thorker commented May 16, 2024

Got the same problem with "is invalid: message: Invalid value: "": can have at most 1024 characters".
In my case there are more violations in the message block, like these:

(Forbidden reason: allowPrivilegeEscalation != false, field error list: [spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation: Required value])
(Forbidden reason: allowPrivilegeEscalation != false, field error list: [spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation: Required value])
(Forbidden reason: unrestricted capabilities, field error list: [spec.template.spec.containers[0].securityContext.capabilities.drop: Required value])
(Forbidden reason: unrestricted capabilities, field error list: [spec.template.spec.containers[0].securityContext.capabilities.drop: Required value])
(Forbidden reason: runAsNonRoot != true, field error list: [spec.template.spec.containers[0].securityContext.runAsNonRoot: Required value])
(Forbidden reason: seccompProfile, field error list: [spec.template.spec.containers[0].securityContext.seccompProfile.type: Required value])
(Forbidden reason: seccompProfile, field error list: [spec.template.spec.containers[0].securityContext.seccompProfile.type: Required value])

Maybe you can reproduce it with a pod with more violations.
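The dropped event in the report-controller log above and the longer message in this comment are the same failure mode: the Event note grows past the 1024-character limit the API server enforces, so the violation is evaluated but never recorded. As an added example (not Kyverno's own code), this Go snippet parses the Forbidden clauses into a compact note and hard-caps the length before emission; the regexes, function names and SampleMessage are assumptions modelled on the log line quoted in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode/utf8"
)

// Limit the kube-apiserver enforces on Event.message (the error quoted in the issue), counted in bytes.
const maxEventMessage = 1024

var (
	// one "(Forbidden reason: X, field error list: [...])" block as written in the log, and a field path like spec.volumes[0].hostPath
	forbiddenClause = regexp.MustCompile(`\(Forbidden reason: ([^,]+), field error list: \[(.*?)\]\)`)
	fieldPath       = regexp.MustCompile(`spec(?:\.[A-Za-z0-9_]+(?:\[\d+\])?)+`)
)

// ParseViolations returns one "reason [field ...]" entry per failed check, dropping the repeated prose.
func ParseViolations(msg string) []string {
	var out []string
	for _, m := range forbiddenClause.FindAllStringSubmatch(msg, -1) {
		out = append(out, m[1]+" ["+strings.Join(fieldPath.FindAllString(m[2], -1), " ")+"]")
	}
	return out
}

// CompactNote rebuilds the event note from the parsed checks; a message with no clauses passes through, fitted.
func CompactNote(policy, rule, level, msg string) string {
	vs := ParseViolations(msg)
	if len(vs) == 0 {
		return FitEventMessage(msg)
	}
	return FitEventMessage(fmt.Sprintf("policy %s/%s fail: PodSecurity %q: %d checks failed: %s",
		policy, rule, level, len(vs), strings.Join(vs, "; ")))
}

// FitEventMessage never hands the API server a note it will reject, so the violation is not silently lost.
func FitEventMessage(s string) string {
	const marker = "...[truncated]"
	if len(s) <= maxEventMessage {
		return s
	}
	cut := maxEventMessage - len(marker)
	for cut > 0 && !utf8.RuneStart(s[cut]) { // keep the cut on a UTF-8 rune boundary
		cut--
	}
	return s[:cut] + marker
}

// SampleMessage is constructed in the format of the issue's log line (two of its six clauses).
const SampleMessage = `Validation rule 'baseline' failed. It violates PodSecurity "restricted:latest": ` +
	`(Forbidden reason: host namespaces, field error list: [spec.hostNetwork is forbidden, forbidden values found: true])(Forbidden reason: hostPath volumes, field error list: [spec.volumes[0].hostPath is forbidden, forbidden values found: /etc/ssl/certs, spec.volumes[1].hostPath is forbidden, forbidden values found: /etc/ca-certificates])`
```

Whether the limit is counted in bytes or runes is treated as bytes here, the stricter reading, so the check never passes where the server would fail.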

@JimBugwadia
Member Author

@MariamFahmy98 - did you also try the restricted level, as in my example?

@realshuting realshuting added the release-critical Critical issues which MUST be addressed in the specified milestone. These cannot get bumped. label May 16, 2024