From 1c2cb10337db87d36b001ab3c9b8cd2148113610 Mon Sep 17 00:00:00 2001
From: Brett Charrier <brettcharrier@seed-innovations.com>
Date: Tue, 17 Jan 2023 22:17:42 +0000
Subject: [PATCH] Neuvector: Policy violation justifications
---
chart/templates/gatekeeper/values.yaml | 17 ++++++++-------
chart/templates/kyverno/policies/values.yaml | 23 ++++++++++++--------
chart/values.yaml | 2 +-
3 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/chart/templates/gatekeeper/values.yaml b/chart/templates/gatekeeper/values.yaml
index 2ef0bf224e..2c00f27118 100644
--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -56,6 +56,7 @@ violations: # Try to keep this in alpha order to make it easier to find keys - logging/logging-fluent-bit-.* {{- end }} {{- if .Values.neuvector.enabled }} + # Neuvector needs access to host to inspect network traffic - neuvector/neuvector-enforcer-pod.* - neuvector/neuvector-controller-pod.* {{- end }}
@@ -73,13 +74,6 @@ violations: # Try to keep this in alpha order to make it easier to find keys {{- end }} {{- end }} - {{- if .Values.neuvector.enabled }} - bannedImageTags: - parameters: - excludedResources: - - neuvector/neuvector-scanner-pod.* - {{- end }} - {{- if .Values.twistlock.enabled }} hostNetworking: parameters:
@@ -99,6 +93,7 @@ violations: # Try to keep this in alpha order to make it easier to find keys - twistlock/twistlock-defender-ds-.* {{- end }} {{- if .Values.neuvector.enabled }} + # Neuvector needs access to host to inspect network traffic - neuvector/neuvector-enforcer-pod.* {{- end }} {{- end }}
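Review bot: The justification added at @@ -56,6 +56,7 (`# Neuvector needs access to host to inspect network traffic`) sits above two exemptions, the enforcer and the controller, yet the identical sentence at @@ -99,6 +93,7 is used where only the enforcer is exempted, which suggests traffic inspection is the enforcer's need alone. If the controller requires this exemption for a different reason, the comment should say so next to its entry, e.g. `# Neuvector controller: <reason — confirm against the upstream chart>`; if it does not, the controller entry in this list is an exemption without a stated justification, which is what this commit set out to remove. The policy key these entries belong to starts outside the hunk, so which constraint is being relaxed here is not visible in the diff.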
@@ -116,6 +111,7 @@ violations: # Try to keep this in alpha order to make it easier to find keys # Fluentbit needs privileged to read and store the buffer for tailing logs from the nodes - logging/fluent-bit {{- if .Values.neuvector.enabled }} + # Neuvector needs privileged access for realtime scanning of files from the node / access to the container runtime - neuvector/neuvector-enforcer-pod.* - neuvector/neuvector-controller-pod.* {{- end }}
@@ -185,7 +181,12 @@ violations: # Try to keep this in alpha order to make it easier to find keys - logging/logging-promtail-.* {{- end }} {{- if .Values.neuvector.enabled }} - # Neuvecotr requires hostpath volume types + # Neuvector requires hostpath volume types + # Neuvector mounts the following hostPaths: + # `/var/neuvector`: (as writable) for Neuvector's buffering and persistent state + # `/var/run`: communication to docker daemon + # `/proc`: monitoring of proccesses for malicious activity + # `/sys/fs/cgroup`: important files the controller wants to monitor for malicious content # https://github.com/neuvector/neuvector-helm/blob/master/charts/core/templates/enforcer-daemonset.yaml#L108 - neuvector/neuvector-enforcer-pod.* - neuvector/neuvector-controller-pod.*
diff --git a/chart/templates/kyverno/policies/values.yaml b/chart/templates/kyverno/policies/values.yaml
index a3c1c75dd1..aef3824b45 100644
--- a/chart/templates/kyverno/policies/values.yaml
+++ b/chart/templates/kyverno/policies/values.yaml
@@ -30,6 +30,7 @@ policies: - twistlock-defender-ds* {{- end }} {{- if .Values.neuvector.enabled }} + # Neuvector needs access to host to inspect network traffic - resources: namespaces: - neuvector
@@ -71,15 +72,6 @@ policies: disallow-image-tags: enabled: true validationFailureAction: enforce - {{- if .Values.neuvector.enabled }} - exclude: - any: - - resources: - namespaces: - - neuvector - names: - - neuvector-scanner-pod* - {{- end }} disallow-istio-injection-bypass: enabled: {{ .Values.istio.enabled }}
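Review bot: The hostPath justification added at @@ -185,7 +181,12 carries a typo, `proccesses` for `processes`, and the same block is pasted verbatim into the kyverno hunks at @@ -493,6 +486,11 and @@ -657,6 +657,11, so all three need the fix. In the same block the line `/var/run: communication to docker daemon` is narrower than the privileged justification added at @@ -116,6 +111,7, which speaks of the container runtime; on nodes running containerd or CRI-O the socket under `/var/run` belongs to that runtime rather than to docker, so `# /var/run: communication with the container runtime socket` would describe what the mount actually exposes on every node type. The upstream reference in the following context line points at `master` with a `#L108` line anchor, which will silently drift as the upstream chart changes; pinning it to the chart revision this package actually deploys (a placeholder such as `<upstream-chart-tag>` until confirmed) would keep the justification verifiable.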
@@ -112,6 +104,7 @@ policies: - logging-fluent-bit* {{- end }} {{- if .Values.neuvector.enabled }} + # Neuvector needs privileged access for realtime scanning of files from the node / access to the container runtime - resources: namespaces: - neuvector
@@ -493,6 +486,11 @@ policies: - twistlock-defender-ds* {{- end }} {{- if .Values.neuvector.enabled }} + # Neuvector mounts the following hostPaths: + # `/var/neuvector`: for Neuvector's buffering and persistent state + # `/var/run`: communication to docker daemon + # `/proc`: monitoring of proccesses for malicious activity + # `/sys/fs/cgroup`: important files the controller wants to monitor for malicious content - resources: namespaces: - neuvector
@@ -540,6 +538,8 @@ policies: - twistlock-defender-ds* {{- end }} {{- if .Values.neuvector.enabled }} + # Neuvector mounts the following hostPaths as writeable: + # `/var/neuvector`: for Neuvector's buffering and persistent state - resources: namespaces: - neuvector
@@ -657,6 +657,11 @@ policies: {{- end }} {{- if .Values.neuvector.enabled }} # Neuvector requires HostPath volume types + # Neuvector mounts the following hostPaths: + # `/var/neuvector`: (as writable) for Neuvector's buffering and persistent state + # `/var/run`: communication to docker daemon + # `/proc`: monitoring of proccesses for malicious activity + # `/sys/fs/cgroup`: important files the controller wants to monitor for malicious content # https://github.com/neuvector/neuvector-helm/blob/master/charts/core/templates/enforcer-daemonset.yaml#L108 - resources: namespaces:
diff --git a/chart/values.yaml b/chart/values.yaml
index 77dfb10e2a..446fd55ab4 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -574,7 +574,7 @@ neuvector: git: repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/neuvector.git path: "./chart" - tag: "2.4.0-bb.0" + tag: "2.4.0-bb.1" # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". ingress:
-- GitLab
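Review bot: The comment added at @@ -540,6 +538,8 spells `writeable` where the gatekeeper hunk at @@ -185 and the kyverno hunk at @@ -657 use `(as writable)`; one spelling, preferably `writable`, should be used across the three. The list added at @@ -493,6 +486,11 names four hostPaths without saying which are read-only, while the @@ -540 comment states that only `/var/neuvector` is written to; if the other three are mounted read-only, which those two comments together imply but the diff does not show, tagging them `(read-only)` in the @@ -493 list would make the risk of each mount clear to whoever next audits these exclusions. The policy keys these exclusions belong to, and the `names:` patterns beneath them, start or end outside the hunks, so the scope of each exemption is not fully visible here.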