UNCLASSIFIED - NO CUI

Missing `autogen` rules result in false positives

Bug

Deployments pass validation at admission time even though the downstream objects they produce (the Pods created by their controllers) violate policy, so the violation only surfaces later, when the controller fails to create the Pods.

Description

By default, our Kyverno policies have autogen disabled (autogenControllers set to none, which Kyverno reads from the pod-policies.kyverno.io/autogen-controllers annotation on the ClusterPolicy). A policy written against kind Pod is then enforced only when a Pod itself is admitted: a Deployment whose pod template is non-compliant is admitted, and a dry-run apply of the package reports no violations, while the Pods are denied later, when the ReplicaSet controller tries to create them. See the example below, where the neuvector-controller deployment is admitted despite its pods violating the require-drop-all-capabilities policy.

./bb-validate.sh -p require-drop-all-capabilities -c neuvector
[*] Enabling policy require-drop-all-capabilities...
[*] Running dry-run apply of package neuvector...
[*] No violations found for neuvector.

When neuvector is actually deployed, the violation surfaces as FailedCreate events on ReplicaSet/neuvector-controller-pod-*; the Pods are never created, so neuvector fails to deploy:

Events:
  Type     Reason        Age   From                   Message
  ----     ------        ----  ----                   -------
  Warning  FailedCreate  12m   replicaset-controller  Error creating: admission webhook "validate.kyverno.svc-fail" denied the request: 
resource Pod/neuvector/neuvector-controller-pod-5d7b7c5c77-27wpd was blocked due to the following policies 
require-drop-all-capabilities:
  drop-all-capabilities: 'validation failure: Containers must drop all Linux capabilities
    by setting the fields spec.containers[*].securityContext.capabilities.drop, spec.initContainers[*].securityContext.capabilities.drop,
    and spec.ephemeralContainers[*].securityContext.capabilities.drop to `ALL`.'

Setting autogenControllers to Deployment,ReplicaSet,DaemonSet,StatefulSet by default mitigates this: Kyverno generates a matching rule for each of those kinds (named with an autogen- prefix) that applies the same checks to the pod template at spec.template, so the dry-run denies the Deployment itself and the violation is caught before anything is applied. Note that Job and CronJob also create Pods and are part of Kyverno's own default autogen set, so they should be added if those workloads are in scope:

./bb-validate.sh -p require-drop-all-capabilities -c neuvector
[*] Enabling policy require-drop-all-capabilities...
[*] Running dry-run apply of package neuvector...
[*] Violations for neuvector logged to ./neuvector-require-drop-all-capabilities-violations

$ cat ./neuvector-require-drop-all-capabilities-violations
Error from server: error when creating "STDIN": admission webhook "validate.kyverno.svc-fail" denied the request:

resource Deployment/default/neuvector-controller-pod was blocked due to the following policies

require-drop-all-capabilities:
  autogen-drop-all-capabilities: 'validation failure: Containers must drop all Linux
    capabilities by setting the fields spec.containers[*].securityContext.capabilities.drop,
    spec.initContainers[*].securityContext.capabilities.drop, and spec.ephemeralContainers[*].securityContext.capabilities.drop
    to `ALL`.'
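To make the mechanism concrete, the following is an added example (not Kyverno's or Big Bang's code) that models the piece of autogen this issue is about: a rule written against kind Pod is rewritten into an autogen-<rule> rule that checks the pod template of each listed controller at spec.template, while the annotation value none limits enforcement to Pods. The annotation key, rule naming and template paths are Kyverno's; the policy skeleton, the neuvector-like Deployment and the Pod derived from it are constructed sample input, and the model covers only the capabilities.drop check, not the rest of the real policy.

```python
"""Toy model of Kyverno autogen for a Pod-scoped validate rule (added example,
not Kyverno code). Shows why a Deployment passes with autogen disabled, why
its Pod is then denied, and why the Deployment is denied once autogen is on."""
import copy
from typing import Any, Optional

# Controllers autogen can target, and where their pod template lives.
POD_TEMPLATE_PATH: dict[str, tuple[str, ...]] = {
    "Deployment": ("spec", "template"),
    "ReplicaSet": ("spec", "template"),
    "DaemonSet": ("spec", "template"),
    "StatefulSet": ("spec", "template"),
    "Job": ("spec", "template"),
    "CronJob": ("spec", "jobTemplate", "spec", "template"),
}
AUTOGEN_ANNOTATION = "pod-policies.kyverno.io/autogen-controllers"
RULE = "drop-all-capabilities"


def autogen_controllers(policy: dict[str, Any]) -> list[str]:
    """Kinds autogen applies to: every supported kind if unannotated, none for 'none'."""
    value = policy.get("metadata", {}).get("annotations", {}).get(AUTOGEN_ANNOTATION)
    if value is None:
        return list(POD_TEMPLATE_PATH)
    if value.strip().lower() == "none":
        return []
    return [k.strip() for k in value.split(",") if k.strip()]


def pod_spec_violations(pod_spec: dict[str, Any]) -> list[str]:
    """The Pod-level rule: every container must list ALL under capabilities.drop."""
    bad: list[str] = []
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in pod_spec.get(field, []):
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            if "ALL" not in (caps.get("drop") or []):
                bad.append(f"spec.{field}[{c.get('name', '?')}].securityContext.capabilities.drop")
    return bad


def validate(policy: dict[str, Any], resource: dict[str, Any]) -> tuple[bool, str]:
    """Return (admitted, blocking_rule); an empty rule name means admitted."""
    kind = resource.get("kind", "")
    if kind == "Pod":
        bad = pod_spec_violations(resource.get("spec", {}))
        return (not bad, RULE if bad else "")
    if kind in autogen_controllers(policy) and kind in POD_TEMPLATE_PATH:
        template: Any = resource
        for key in POD_TEMPLATE_PATH[kind]:
            template = (template or {}).get(key)
        bad = pod_spec_violations((template or {}).get("spec", {}))
        prefix = "autogen-cronjob-" if kind == "CronJob" else "autogen-"
        return (not bad, prefix + RULE if bad else "")
    return (True, "")  # no rule matches this kind: admitted without inspection


def make_policy(autogen: Optional[str]) -> dict[str, Any]:
    """Constructed ClusterPolicy skeleton carrying only the fields the model reads."""
    meta: dict[str, Any] = {"name": "require-drop-all-capabilities"}
    if autogen is not None:
        meta["annotations"] = {AUTOGEN_ANNOTATION: autogen}
    return {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": meta}


def pod_from_deployment(deployment: dict[str, Any]) -> dict[str, Any]:
    """What the ReplicaSet controller later submits: the template as a Pod (constructed suffix)."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": deployment["metadata"]["name"] + "-xxxxxxxxxx-xxxxx"},
            "spec": copy.deepcopy(deployment["spec"]["template"]["spec"])}


def with_drop_all(deployment: dict[str, Any]) -> dict[str, Any]:
    """Copy of the Deployment with capabilities.drop: [ALL] on every container (the workload-side fix)."""
    fixed = copy.deepcopy(deployment)
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in fixed["spec"]["template"]["spec"].get(field, []):
            c.setdefault("securityContext", {}).setdefault("capabilities", {})["drop"] = ["ALL"]
    return fixed


# Constructed Deployment resembling the one in the report: no capabilities.drop at all.
DEPLOYMENT: dict[str, Any] = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "neuvector-controller-pod", "namespace": "default"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "neuvector-controller-pod", "image": "neuvector/controller",
         "securityContext": {"runAsNonRoot": True}}]}}},
}


def demo() -> dict[str, tuple[bool, str]]:
    disabled = make_policy("none")
    enabled = make_policy("Deployment,ReplicaSet,DaemonSet,StatefulSet")
    return {
        "deployment_autogen_none": validate(disabled, DEPLOYMENT),
        "pod_autogen_none": validate(disabled, pod_from_deployment(DEPLOYMENT)),
        "deployment_autogen_on": validate(enabled, DEPLOYMENT),
        "fixed_deployment_autogen_on": validate(enabled, with_drop_all(DEPLOYMENT)),
    }


if __name__ == "__main__":
    for case, (admitted, rule) in demo().items():
        print(f"{case}: {'admitted' if admitted else 'denied by ' + rule}")
```

Running it reproduces the report in miniature: with the annotation set to none the Deployment is admitted and only the derived Pod is denied by drop-all-capabilities, whereas with the controller list set the Deployment is denied by autogen-drop-all-capabilities, and the same Deployment with drop: [ALL] on its containers passes both ways.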

Edited by Noah Birrer