Neuvector: Policy violation justifications

1c2cb103 · Brett Charrier · Micah Nagel · b10e35fc · 1c2cb103 · 1c2cb103
Commit 1c2cb103 authored 2 years ago by Brett Charrier Committed by Micah Nagel 2 years ago
--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -56,6 +56,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
      - logging/logging-fluent-bit-.*
      {{- end }}
      {{- if .Values.neuvector.enabled }}
+      # Neuvector needs access to host to inspect network traffic
      - neuvector/neuvector-enforcer-pod.*
      - neuvector/neuvector-controller-pod.*
      {{- end }}
@@ -73,13 +74,6 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
      {{- end }}
  {{- end }}

-  {{- if .Values.neuvector.enabled }}
-  bannedImageTags:
-    parameters:
-      excludedResources:
-        - neuvector/neuvector-scanner-pod.*
-  {{- end }}
-
  {{- if .Values.twistlock.enabled }}
  hostNetworking:
    parameters:
@@ -99,6 +93,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        - twistlock/twistlock-defender-ds-.*
        {{- end }}
        {{- if .Values.neuvector.enabled }}
+        # Neuvector needs access to host to inspect network traffic
        - neuvector/neuvector-enforcer-pod.*
        {{- end }}
  {{- end }}
@@ -116,6 +111,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        # Fluentbit needs privileged to read and store the buffer for tailing logs from the nodes
        - logging/fluent-bit
        {{- if .Values.neuvector.enabled }}
+        # Neuvector needs privileged access for realtime scanning of files from the node / access to the container runtime
        - neuvector/neuvector-enforcer-pod.*
        - neuvector/neuvector-controller-pod.*
        {{- end }}
@@ -185,7 +181,12 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        - logging/logging-promtail-.*
       {{- end }}
       {{- if .Values.neuvector.enabled }}
-        # Neuvecotr requires hostpath volume types
+        # Neuvector requires hostpath volume types
+          # Neuvector mounts the following hostPaths:
+          # `/var/neuvector`: (as writable) for Neuvector's buffering and persistent state
+          # `/var/run`: communication to docker daemon
+          # `/proc`: monitoring of proccesses for malicious activity
+          # `/sys/fs/cgroup`: important files the controller wants to monitor for malicious content
        # https://github.com/neuvector/neuvector-helm/blob/master/charts/core/templates/enforcer-daemonset.yaml#L108
        - neuvector/neuvector-enforcer-pod.*
        - neuvector/neuvector-controller-pod.*

--- a/chart/templates/kyverno/policies/values.yaml
+++ b/chart/templates/kyverno/policies/values.yaml
@@ -30,6 +30,7 @@ policies:
          - twistlock-defender-ds*
      {{- end }}
      {{- if .Values.neuvector.enabled }}
+      # Neuvector needs access to host to inspect network traffic
      - resources:
          namespaces:
          - neuvector
@@ -71,15 +72,6 @@ policies:
  disallow-image-tags:
    enabled: true
    validationFailureAction: enforce
-    {{- if .Values.neuvector.enabled }}
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          - neuvector
-          names:
-          - neuvector-scanner-pod*
-    {{- end }}

  disallow-istio-injection-bypass:
    enabled: {{ .Values.istio.enabled }}
@@ -112,6 +104,7 @@ policies:
          - logging-fluent-bit*
      {{- end }}
      {{- if .Values.neuvector.enabled }}
+      # Neuvector needs privileged access for realtime scanning of files from the node / access to the container runtime
      - resources:
          namespaces:
          - neuvector
@@ -493,6 +486,11 @@ policies:
          - twistlock-defender-ds*
      {{- end }}
      {{- if .Values.neuvector.enabled }}
+      # Neuvector mounts the following hostPaths:
+      # `/var/neuvector`: for Neuvector's buffering and persistent state
+      # `/var/run`: communication to docker daemon
+      # `/proc`: monitoring of proccesses for malicious activity
+      # `/sys/fs/cgroup`: important files the controller wants to monitor for malicious content
      - resources:
          namespaces:
          - neuvector
@@ -540,6 +538,8 @@ policies:
          - twistlock-defender-ds*
      {{- end }}
      {{- if .Values.neuvector.enabled }}
+      # Neuvector mounts the following hostPaths as writeable: 
+      # `/var/neuvector`: for Neuvector's buffering and persistent state
      - resources:
          namespaces:
          - neuvector
@@ -657,6 +657,11 @@ policies:
      {{- end }}
      {{- if .Values.neuvector.enabled }}
      # Neuvector requires HostPath volume types
+        # Neuvector mounts the following hostPaths:
+        # `/var/neuvector`: (as writable) for Neuvector's buffering and persistent state
+        # `/var/run`: communication to docker daemon
+        # `/proc`: monitoring of proccesses for malicious activity
+        # `/sys/fs/cgroup`: important files the controller wants to monitor for malicious content
      # https://github.com/neuvector/neuvector-helm/blob/master/charts/core/templates/enforcer-daemonset.yaml#L108
      - resources:
          namespaces:

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -574,7 +574,7 @@ neuvector:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/neuvector.git
    path: "./chart"
-    tag: "2.4.0-bb.0"
+    tag: "2.4.0-bb.1"

  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress: