Errors capturing violations
See this thread.
Darrien's Notes:
These are the notes I have to reproduce the output above step by step, in case anyone wants to follow along (or is new to bbctl):
cd bigbang
- deploy my own k3d cluster w/ script
./docs/assets/scripts/developer/k3d-dev.sh
- install flux
./scripts/install_flux.sh -u <username> -p <CLI secret>
- in my ../overrides/gatekeeper.yaml:
clusterAuditor:
  enabled: true
gatekeeper:
  enabled: true
kyverno:
  enabled: false
kyvernoPolicies:
  enabled: false
kyvernoReporter:
  enabled: false
- installed bigbang with
helm upgrade --install bigbang ./chart --values ../overrides/registry-values.yaml --values ../bigbang/tests/test-values.yaml --values ../overrides/gatekeeper.yaml --values ../bigbang/chart/ingress-certs.yaml --values ../bigbang/docs/assets/configs/example/dev-sso-values.yaml --create-namespace
- cd ../bbctl
then run bbctl violations --audit | code - after installing bbctl from the code, to spit the output into a code window.
- in my case:
go run . violations --audit | code -
to run directly from the code
Can send a full copy of example output from dogfood and my own test deployment. I am open to suggestions on how we can parse these violations differently.
Here's just a few examples as it stands currently:
- name: authservice-xxx
  kind: Pod
  namespace: authservice
  policy: ""
  constraint: container resource management
  message: container <update-ca-bundle> has no resource requests
  action: dryrun
  timestamp: "2024-09-17T22:22:22Z"
- name: neuvector-controller-pod-xxx
  kind: Pod
  namespace: neuvector
  policy: ""
  constraint: disallowed user/group
  message: 'Container neuvector-controller-pod is attempting to run as disallowed
    user 0. Allowed runAsUser: {"rule": "MustRunAsNonRoot"}'
  action: dryrun
  timestamp: "2024-09-17T22:22:22Z"
- name: authservice-authservice-redis-bb-master-0
  kind: Pod
  namespace: authservice
  policy: ""
  constraint: securityContext not configured
  message: 'Container metrics is attempting to run without a required securityContext/supplementalGroups.
    Allowed supplementalGroups: {"ranges": [{"max": 65535, "min": 1000}], "rule": "MustRunAs"}'
  action: dryrun
  timestamp: "2024-09-17T22:22:22Z"
- name: tempo-tempo-0
  kind: Pod
  namespace: tempo
  policy: ""
  constraint: container resource management
  message: 'Seccomp profile ''not configured'' is not allowed for container ''tempo-query''.
    Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "runtime/default"}'
  action: dryrun
  timestamp: "2024-09-17T22:22:22Z"
- name: neuvector-scanner-pod-xxx
  kind: Pod
  namespace: neuvector
  policy: ""
  constraint: readiness, liveness, and/or startup probe
  message: Container <neuvector-scanner-pod> in your <Pod> <neuvector-scanner-pod-xxx> has no <readinessProbe>
  action: dryrun
  timestamp: "2024-09-17T22:22:22Z"
Andrew's Notes:
So it looks like it can parse at least some, but it is getting errors on others. I also saw some issues with parsing on kyverno. We should probably look into those.
I reproduced these with:
helm upgrade --install --values registry-values.yaml --values ../bigbang/tests/test-values.yaml --values gatekeeper.yaml --values ../bigbang/chart/ingress-certs.yaml --values ../bigbang/docs/assets/configs/example/dev-sso-values.yaml --create-namespace
then:
bbctl violations --audit | code -
gatekeeper.yaml
clusterAuditor:
  enabled: true
gatekeeper:
  enabled: true
kyverno:
  enabled: false
kyvernoPolicies:
  enabled: false
kyvernoReporter:
  enabled: false
Results:
name: Violations
violations:
  - name: source-controller-68894c776b-r67d8
    kind: Pod
    namespace: flux-system
    policy: ""
    constraint: '%!s(<nil>)'
    message: 'Container manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {"ranges": [{"max": 65535, "min": 1000}], "rule": "MustRunAs"}'
    action: dryrun
    timestamp: "2024-09-09T17:07:31Z"
  - name: notification-controller-784cb84c8d-ppfrm
    kind: Pod
    namespace: flux-system
    policy: ""
    constraint: '%!s(<nil>)'
    message: 'Container manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {"ranges": [{"max": 65535, "min": 1000}], "rule": "MustRunAs"}'
    action: dryrun
    timestamp: "2024-09-09T17:07:31Z"
  - name: kustomize-controller-7d68486475-7qbs4
    kind: Pod
    namespace: flux-system
    policy: ""
    constraint: '%!s(<nil>)'
    message: 'Container manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {"ranges": [{"max": 65535, "min": 1000}], "rule": "MustRunAs"}'
    action: dryrun
    timestamp: "2024-09-09T17:07:31Z"
  - name: helm-controller-57d697b65-hhgsc
    kind: Pod
    namespace: flux-system
    policy: ""
    constraint: '%!s(<nil>)'
    message: 'Container manager is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {"ranges": [{"max": 65535, "min": 1000}], "rule": "MustRunAs"}'
    action: dryrun
    timestamp: "2024-09-09T17:07:31Z"
  - name: source-controller-68894c776b-r67d8
    kind: Pod
    namespace: flux-system
    policy: ""
    constraint: '%!s(<nil>)'
    message: container <manager> is not dropping all required capabilities. Container must drop all of ["all"]
    action: dryrun
    timestamp: "2024-09-09T17:07:31Z"
  - name: notification-controller-784cb84c8d-ppfrm
    kind: Pod
    namespace: flux-system
    policy: ""
    constraint: '%!s(<nil>)'
    message: container <manager> is not dropping all required capabilities. Container must drop all of ["all"]
    action: dryrun
    timestamp: "2024-09-09T17:07:31Z"
  - name: kustomize-controller-7d68486475-7qbs4
    kind: Pod
    namespace: flux-system
    policy: ""
    constraint: '%!s(<nil>)'
    message: container <manager> is not dropping all required capabilities. Container must drop all of ["all"]
    action: dryrun
    timestamp: "2024-09-09T17:07:31Z"
  - name: helm-controller-57d697b65-hhgsc
    kind: Pod
    namespace: flux-system
    policy: ""
    constraint: '%!s(<nil>)'
    message: container <manager> is not dropping all required capabilities. Container must drop all of ["all"]
    action: dryrun
    timestamp: "2024-09-09T17:07:31Z"
  - name: source-controller-68894c776b-r67d8
    kind: Pod
    namespace: flux-system
    policy: ""
    constraint: '%!s(<nil>)'
    message: 'Seccomp profile ''not configured'' is not allowed for container ''manager''. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "runtime/default"}'
    action: dryrun
    timestamp: "2024-09-09T17:07:31Z"
  - name: notification-controller-784cb84c8d-ppfrm
    kind: Pod
    namespace: flux-system
    policy: ""
    constraint: '%!s(<nil>)'
    message: 'Seccomp profile ''not configured'' is not allowed for container ''manager''. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "runtime/default"}'
    action: dryrun
    timestamp: "2024-09-09T17:07:31Z"
  - name: kustomize-controller-7d68486475-7qbs4
    kind: Pod
    namespace: flux-system
    policy: ""
    constraint: '%!s(<nil>)'
    message: 'Seccomp profile ''not configured'' is not allowed for container ''manager''. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "runtime/default"}'
    action: dryrun
    timestamp: "2024-09-09T17:07:31Z"
  - name: helm-controller-57d697b65-hhgsc
    kind: Pod
    namespace: flux-system
    policy: ""
    constraint: '%!s(<nil>)'
    message: 'Seccomp profile ''not configured'' is not allowed for container ''manager''. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "runtime/default"}'
    action: dryrun
    timestamp: "2024-09-09T17:07:31Z"
λ slate bbctl → λ git main → bbctl violations --audit | code -
Reading from stdin via: /tmp/code-stdin-pV6
{"time":"2024-09-09T11:08:15.570317489-06:00","level":"INFO","msg":"WARN error parsing constraint name from gatekeeper violations"}
{"time":"2024-09-09T11:08:15.570359728-06:00","level":"INFO","msg":"WARN error parsing constraint name from gatekeeper violations"}
{"time":"2024-09-09T11:08:15.570375805-06:00","level":"INFO","msg":"WARN error parsing constraint name from gatekeeper violations"}
{"time":"2024-09-09T11:08:15.570387258-06:00","level":"INFO","msg":"WARN error parsing constraint name from gatekeeper violations"}
{"time":"2024-09-09T11:08:15.961635192-06:00","level":"INFO","msg":"WARN error parsing constraint name from gatekeeper violations"}
{"time":"2024-09-09T11:08:15.961699667-06:00","level":"INFO","msg":"WARN error parsing constraint name from gatekeeper violations"}
{"time":"2024-09-09T11:08:15.961718549-06:00","level":"INFO","msg":"WARN error parsing constraint name from gatekeeper violations"}
{"time":"2024-09-09T11:08:15.961734622-06:00","level":"INFO","msg":"WARN error parsing constraint name from gatekeeper violations"}
{"time":"2024-09-09T11:08:17.762883096-06:00","level":"INFO","msg":"WARN error parsing constraint name from gatekeeper violations"}
{"time":"2024-09-09T11:08:17.762901498-06:00","level":"INFO","msg":"WARN error parsing constraint name from gatekeeper violations"}
{"time":"2024-09-09T11:08:17.762904976-06:00","level":"INFO","msg":"WARN error parsing constraint name from gatekeeper violations"}
{"time":"2024-09-09T11:08:17.762907734-06:00","level":"INFO","msg":"WARN error parsing constraint name from gatekeeper violations"}
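Editor's added example (not bbctl's own code, and not from either of the notes above): the '%!s(<nil>)' in Andrew's results is what Go's fmt prints when a missing map key (a nil interface{}) is formatted with %s, which is consistent with the "error parsing constraint name" warnings. The parser below reads Gatekeeper audit log lines, reproduces that naive formatting in one function for comparison, and in the checked version distinguishes "absent" from "empty", falls back to the constraint kind, and emits a warning instead of a placeholder when neither is available. The log lines are constructed, and the field names (event_type, constraint_name, constraint_kind, constraint_action, resource_*, msg, ts) are my assumption about Gatekeeper's violation_audited events, not something the thread confirms.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Violation is the normalized record; its fields mirror the bbctl output
// quoted in the thread.
type Violation struct {
	Name       string
	Kind       string
	Namespace  string
	Constraint string
	Message    string
	Action     string
	Timestamp  string
}

// sampleAuditLog is constructed sample input, not captured from a cluster.
// Field names are an assumption about Gatekeeper's "violation_audited"
// audit events. Line 3 deliberately omits constraint_name: the naive
// formatter renders that as "%!s(<nil>)", the checked one falls back to
// constraint_kind. Line 4 is a non-violation event that must be skipped and
// line 5 is not JSON at all, so it must produce a warning, not a crash.
const sampleAuditLog = `{"level":"info","ts":"2024-09-09T17:07:31Z","msg":"Seccomp profile 'not configured' is not allowed for container 'manager'.","event_type":"violation_audited","constraint_kind":"K8sPSPSeccomp","constraint_name":"psp-seccomp","constraint_action":"dryrun","resource_kind":"Pod","resource_namespace":"flux-system","resource_name":"source-controller-68894c776b-r67d8"}
{"level":"info","ts":"2024-09-09T17:07:31Z","msg":"container <update-ca-bundle> has no resource requests","event_type":"violation_audited","constraint_kind":"K8sRequiredResources","constraint_name":"container-resource-management","constraint_action":"dryrun","resource_kind":"Pod","resource_namespace":"authservice","resource_name":"authservice-xxx"}
{"level":"info","ts":"2024-09-09T17:07:31Z","msg":"Container manager is attempting to run without a required securityContext/supplementalGroups.","event_type":"violation_audited","constraint_kind":"K8sPSPAllowedUsers","constraint_action":"dryrun","resource_kind":"Pod","resource_namespace":"flux-system","resource_name":"helm-controller-57d697b65-hhgsc"}
{"level":"info","ts":"2024-09-09T17:07:31Z","msg":"auditing constraints and violations","event_type":"audit_started"}
this line is not JSON`

// NaiveConstraintName reproduces the bug seen in the thread: a lookup for a
// missing key yields a nil interface{}, and fmt's %s verb renders that as
// the literal "%!s(<nil>)" instead of reporting an error.
func NaiveConstraintName(event map[string]interface{}) string {
	return fmt.Sprintf("%s", event["constraint_name"])
}

// stringField returns a string-typed field and whether it was present and
// actually a string, so "absent" is never confused with an empty value.
func stringField(event map[string]interface{}, key string) (string, bool) {
	v, ok := event[key]
	if !ok {
		return "", false
	}
	s, ok := v.(string)
	return s, ok
}

// ConstraintName returns the label to show for a violation's constraint:
// the constraint name when present, otherwise its kind. The second result
// is false when neither is available so the caller can warn explicitly.
func ConstraintName(event map[string]interface{}) (string, bool) {
	if name, ok := stringField(event, "constraint_name"); ok && name != "" {
		return name, true
	}
	if kind, ok := stringField(event, "constraint_kind"); ok && kind != "" {
		return kind, true
	}
	return "", false
}

// ParseAuditLog reads audit log text line by line, keeps only
// violation_audited events, and returns the violations plus one warning per
// line that was malformed or had no identifiable constraint.
func ParseAuditLog(log string) ([]Violation, []string) {
	var violations []Violation
	var warnings []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var event map[string]interface{}
		if err := json.Unmarshal([]byte(line), &event); err != nil {
			warnings = append(warnings, fmt.Sprintf("line %d: not JSON: %v", lineNo, err))
			continue
		}
		if et, _ := stringField(event, "event_type"); et != "violation_audited" {
			continue
		}
		v := Violation{}
		v.Name, _ = stringField(event, "resource_name")
		v.Kind, _ = stringField(event, "resource_kind")
		v.Namespace, _ = stringField(event, "resource_namespace")
		v.Message, _ = stringField(event, "msg")
		v.Action, _ = stringField(event, "constraint_action")
		v.Timestamp, _ = stringField(event, "ts")
		constraint, ok := ConstraintName(event)
		if !ok {
			warnings = append(warnings, fmt.Sprintf("line %d: violation for %s/%s has no constraint_name or constraint_kind", lineNo, v.Namespace, v.Name))
		}
		v.Constraint = constraint
		violations = append(violations, v)
	}
	return violations, warnings
}

func main() {
	violations, warnings := ParseAuditLog(sampleAuditLog)
	for _, v := range violations {
		fmt.Printf("- name: %s\n  kind: %s\n  namespace: %s\n  constraint: %s\n  message: %q\n  action: %s\n  timestamp: %q\n",
			v.Name, v.Kind, v.Namespace, v.Constraint, v.Message, v.Action, v.Timestamp)
	}
	for _, w := range warnings {
		fmt.Println("WARN", w)
	}
}
```

Running it prints the three violations in the same shape as the bbctl output above, with the third one labelled by its constraint kind rather than '%!s(<nil>)', followed by a single warning for the non-JSON line. The design point is that every field read from the decoded map goes through a checked type assertion; the only way to get '%!s(<nil>)' is to hand fmt an unchecked interface{} value.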