Missing `autogen` rules result in false positives
Bug
Deployments pass initial validation upon admission despite downstream objects (pods created by controllers) containing violations.
Description
By default, our Kyverno policies have autogen rules set to `none`. This is causing pods to be denied by policy after the deployments that manage them have been successfully admitted. See the example below, where the `neuvector-controller` deployment is admitted despite its pods violating the `require-drop-all-capabilities` policy.
```
./bb-validate.sh -p require-drop-all-capabilities -c neuvector
[*] Enabling policy require-drop-all-capabilities...
[*] Running dry-run apply of package neuvector...
[*] No violations found for neuvector.
```
When deploying neuvector, the following violations can be found on `ReplicaSet/neuvector-controller-pod-*`, preventing neuvector from deploying successfully:
```
Events:
  Type     Reason        Age   From                   Message
  ----     ------        ----  ----                   -------
  Warning  FailedCreate  12m   replicaset-controller  Error creating: admission webhook "validate.kyverno.svc-fail" denied the request:
resource Pod/neuvector/neuvector-controller-pod-5d7b7c5c77-27wpd was blocked due to the following policies
require-drop-all-capabilities:
  drop-all-capabilities: 'validation failure: Containers must drop all Linux capabilities
    by setting the fields spec.containers[*].securityContext.capabilities.drop, spec.initContainers[*].securityContext.capabilities.drop,
    and spec.ephemeralContainers[*].securityContext.capabilities.drop to `ALL`.'
```
Adding `Deployment,ReplicaSet,DaemonSet,StatefulSet` as a default for `autogenControllers` can mitigate this behavior:
```
./bb-validate.sh -p require-drop-all-capabilities -c neuvector
[*] Enabling policy require-drop-all-capabilities...
[*] Running dry-run apply of package neuvector...
[*] Violations for neuvector logged to ./neuvector-require-drop-all-capabilities-violations
$ cat ./neuvector-require-drop-all-capabilities-violations
Error from server: error when creating "STDIN": admission webhook "validate.kyverno.svc-fail" denied the request:
resource Deployment/default/neuvector-controller-pod was blocked due to the following policies
require-drop-all-capabilities:
  autogen-drop-all-capabilities: 'validation failure: Containers must drop all Linux
    capabilities by setting the fields spec.containers[*].securityContext.capabilities.drop,
    spec.initContainers[*].securityContext.capabilities.drop, and spec.ephemeralContainers[*].securityContext.capabilities.drop
    to `ALL`.'
```
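To make the behavior concrete, the added Python snippet below (not code from Big Bang or Kyverno) emulates which PodSpec a validation rule gets to inspect under each autogen setting: with `none`, a Deployment exposes no pod spec and passes, while with the controller kinds enabled the same rule is applied to `spec.template.spec`. The Deployment manifest is a constructed sample modeled on `neuvector-controller-pod`, with no capabilities dropped.

```python
# Added example (not Big Bang's or Kyverno's code): emulates how the autogen
# setting decides whether a controller's pod template is checked by the
# require-drop-all-capabilities rule.
WORKLOAD_KINDS = frozenset({"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet"})
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def pod_spec_for(obj, autogen_controllers):
    """Return the PodSpec a validation rule would see, or None when the
    object is not inspected at all under this autogen setting."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec") or {}
    if kind in autogen_controllers:  # autogen'd rule looks at spec.template
        return ((obj.get("spec") or {}).get("template") or {}).get("spec") or {}
    return None  # autogen=none: the controller object is simply admitted


def capability_violations(obj, autogen_controllers=frozenset()):
    """List the container paths that do not drop ALL Linux capabilities."""
    spec = pod_spec_for(obj, autogen_controllers)
    if spec is None:
        return []
    violations = []
    for field in CONTAINER_FIELDS:
        for i, container in enumerate(spec.get(field) or []):
            caps = (container.get("securityContext") or {}).get("capabilities") or {}
            if "ALL" not in (caps.get("drop") or []):
                violations.append(f"spec.{field}[{i}].securityContext.capabilities.drop")
    return violations


# Constructed sample manifest modeled on the issue's neuvector-controller Deployment
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "neuvector-controller-pod", "namespace": "neuvector"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "neuvector-controller-pod", "image": "example/controller"}
    ]}}},
}

if __name__ == "__main__":
    print("autogen=none       :", capability_violations(DEPLOYMENT))
    print("autogen=controllers:", capability_violations(DEPLOYMENT, WORKLOAD_KINDS))
```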