UNCLASSIFIED - NO CUI

Skip to content

cmd/violations: update command

Daniel Dides requested to merge dd/violations into main

General MR

Summary

Update violations command with additional logging and fix any broken logic.

Relevant logs/screenshots

violations was not detecting kyverno CRDs. The existing code was searching for a label that was not present in my fresh, unmodified bigb-bang cluster.

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
    meta.helm.sh/release-name: kyverno-kyverno
    meta.helm.sh/release-namespace: kyverno
  creationTimestamp: "2024-05-23T20:47:36Z"
  generation: 1
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno-kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-kyverno-crds
    app.kubernetes.io/version: 3.1.4
    helm.sh/chart: crds-3.1.4
    helm.toolkit.fluxcd.io/name: kyverno
    helm.toolkit.fluxcd.io/namespace: bigbang
  name: clusterpolicies.kyverno.io

Also added debugging logging to the violations command to detect the existence of gatekeeper and kyverno and report which it notices.

Example:

danieldides@BPH-MAC14 ~/P/b/p/bbctl (dd/violations)> bbctl violations --audit
time=2024-06-06T16:17:05.282-05:00 level=DEBUG msg="Logger setup complete"
time=2024-06-06T16:17:05.282-05:00 level=DEBUG msg="Command line settings: {...}"
time=2024-06-06T16:17:06.249-05:00 level=DEBUG msg="Gatekeeper exists in cluster. Checking for Gatekeeper violations."
k8spspseccomp.constraints.gatekeeper.sh

Time: 2024-06-06T21:16:55Z, Resource: tempo-tempo-0, Kind: Pod, Namespace: tempo
Seccomp profile 'not configured' is not allowed for container 'tempo-query'. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "runtime/default"}

Time: 2024-06-06T21:16:55Z, Resource: tempo-tempo-0, Kind: Pod, Namespace: tempo
Seccomp profile 'not configured' is not allowed for container 'tempo'. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "runtime/default"}

Time: 2024-06-06T21:16:55Z, Resource: tempo-tempo-0, Kind: Pod, Namespace: tempo
Seccomp profile 'not configured' is not allowed for container 'istio-proxy'. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "runtime/default"}

Linked Issue

Closes #59 (closed)

Upgrade Notices

N/A

Edited by Daniel Dides

Merge request reports

UNCLASSIFIED - NO CUI