UNCLASSIFIED - NO CUI

fix: prevent null names in disallow-nodeport-services kyverno policy

General MR

Summary

Guard the disallow-nodeport-services policy's NodePort gateway exclude entry behind a non-empty check and tighten the outer condition so the exclude block only renders when at least one entry will be produced.

I think the user is probably using a different version of flux, because I wasn't able to reproduce their bug as written, but it did uncover a different issue.

By default, this yaml is rendered:

        disallow-nodeport-services:
          exclude:
            any:
            - resources:
                kinds:
                - Service
                names: null
                namespaces:
                - istio-system
            - resources:
                kinds:
                - Service
                names:
                - passthrough-ingressgateway
                - public-ingressgateway
                namespaces:
                - istio-gateway

When the ClusterPolicy is created, the null names field is just omitted, creating an exclusion that allows any NodePort services to be created in the istio-system namespace. This is almost certainly not intended:

      - resources:
          kinds:
          - Service
          namespaces:
          - istio-system

So, this fix should address the user's issue as well as the unintended exclusion in the istio-system namespace. I'm also not sure why anyone would have gateways in the istio-system namespace, but perhaps that's an artifact of the migration to the istio-gateway chart in 3.x?

Relevant logs/screenshots

After the fix, I'm no longer able to create a dummy nodeport service in the istio-system namespace. Before the fix, this succeeded.

$ kubectl apply -f - <<EOF
> apiVersion: v1
> kind: Service
> metadata:
>   name: dummy-service
>   namespace: istio-system
> spec:
>   type: NodePort
>   selector:
>     app: dummy
>   ports:
>     - port: 80
>       targetPort: 80
>       protocol: TCP
> EOF
Error from server: error when creating "STDIN": admission webhook "validate.kyverno.svc-fail" denied the request: 

resource Service/istio-system/dummy-service was blocked due to the following policies 

disallow-nodeport-services:
  validate-nodeport: 'validation error: Services of type NodePort are not allowed.
    rule validate-nodeport failed at path /spec/type/'

Linked Issue

Closes #3209

Upgrade Notices

N/A

Edited by Jonathan Braswell
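The following is an added example, not code from this MR or from the Kyverno project. It models in plain Python the chain described above: a namespace with no gateway names renders as `names: null`, the null field is dropped on apply, and an exclude entry with no `names` constraint then matches every Service in that namespace. The `GATEWAY_NAMESPACES` dict is constructed for the example and is not the chart's real values schema; `render_exclude` is a stand-in for the Helm template logic, with `guard_empty=True` standing in for the non-empty check and outer-condition tightening the MR describes. The `exclude.any` semantics are simplified (any entry matches; within an entry every specified filter must match; an absent filter matches everything).

```python
"""Toy model of the null-names exclusion bug and its fix.

Added example, not code from the MR or from Kyverno. GATEWAY_NAMESPACES is
constructed input; render_exclude is an assumption about the template's
shape, not the chart's actual template.
"""

# Constructed input: the gateway Services each namespace is expected to
# contain. The empty list is what produced `names: null` before the fix.
GATEWAY_NAMESPACES = {
    "istio-system": [],
    "istio-gateway": ["passthrough-ingressgateway", "public-ingressgateway"],
}


def render_exclude(gateways, guard_empty):
    """Stand-in for the template: one exclude entry per namespace.

    guard_empty=False reproduces the pre-fix rendering (names: null for a
    namespace with no gateways). guard_empty=True models the fix: skip
    entries that would have no names, and return None when nothing would
    be rendered so the outer `exclude:` block is omitted entirely.
    """
    entries = []
    for namespace, names in gateways.items():
        if guard_empty and not names:
            continue
        entries.append({
            "resources": {
                "kinds": ["Service"],
                "names": list(names) if names else None,
                "namespaces": [namespace],
            }
        })
    if guard_empty and not entries:
        return None
    return entries


def strip_nulls(entries):
    """Mimic what the MR observed on apply: null-valued fields are dropped,
    so `names: null` turns into "no names constraint at all"."""
    if entries is None:
        return []
    return [
        {"resources": {k: v for k, v in e["resources"].items() if v is not None}}
        for e in entries
    ]


def is_excluded(entries, kind, namespace, name):
    """Simplified exclude.any: excluded if ANY entry matches; an entry
    matches only if EVERY filter it specifies matches; a filter that is
    absent matches everything."""
    for entry in entries:
        r = entry["resources"]
        if "kinds" in r and kind not in r["kinds"]:
            continue
        if "namespaces" in r and namespace not in r["namespaces"]:
            continue
        if "names" in r and name not in r["names"]:
            continue
        return True
    return False


if __name__ == "__main__":
    for label, guard in (("before fix", False), ("after fix", True)):
        policy = strip_nulls(render_exclude(GATEWAY_NAMESPACES, guard))
        dummy = is_excluded(policy, "Service", "istio-system", "dummy-service")
        gateway = is_excluded(policy, "Service", "istio-gateway", "public-ingressgateway")
        print(f"{label}: dummy-service excluded={dummy}, "
              f"public-ingressgateway excluded={gateway}")
```

Running it shows the pre-fix rendering excluding `istio-system/dummy-service` from the rule (so the NodePort Service is admitted), while the guarded rendering still excludes the two named gateways in `istio-gateway` and no longer excludes anything in `istio-system`.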
