UNCLASSIFIED - NO CUI


Resolve "Missing `autogen` rules result in false positives"

Manuel Ucles requested to merge 112-missing-autogen-rules into main

General MR

Summary

Deployments pass initial validation upon admission despite downstream objects (pods created by controllers) containing violations. Adding `Deployment,ReplicaSet,DaemonSet,StatefulSet` as a default for `autogenControllers` stops the false positive behavior of passing validation even though there are violations downstream.

Relevant logs/screenshots

After autogen rules:

[*] Enabling policy require-drop-all-capabilities...
[*] Running dry-run apply of package neuvector...
[*] Violations for neuvector logged to ./neuvector-require-drop-all-capabilities-violations
Error from server: error when creating "STDIN": admission webhook "validate.kyverno.svc-fail" denied the request:

resource Deployment/default/neuvector-controller-pod was blocked due to the following policies

require-drop-all-capabilities:
  autogen-drop-all-capabilities: 'validation failure: Containers must drop all Linux
    capabilities by setting the fields spec.containers[*].securityContext.capabilities.drop,
    spec.initContainers[*].securityContext.capabilities.drop, and spec.ephemeralContainers[*].securityContext.capabilities.drop
    to `ALL`.'

Linked Issue

issue

Upgrade Notices

N/A

For #112 (closed)

Edited by Michael Martin
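For reference, the rendered Kyverno `ClusterPolicy` that the `autogenControllers` default in this MR produces looks like the following. This is an added illustration, not a file from the MR or from the Big Bang chart; the rule body (pattern and message) is an assumption modelled on the violation text in the log above, and the annotation name `pod-policies.kyverno.io/autogen-controllers` is Kyverno's own mechanism for expanding a Pod rule into controller rules. With the annotation absent (or set to `none`), the rule only matches `Pod` objects, so a Deployment whose template omits `capabilities.drop: [ALL]` is admitted and the violation is only caught, if at all, when the ReplicaSet later creates the pods.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-drop-all-capabilities
  annotations:
    # Kyverno clones the Pod rule below into "autogen-drop-all-capabilities"
    # rules that match spec.template.spec of each listed controller kind, so
    # the Deployment itself is rejected at admission instead of only its pods.
    pod-policies.kyverno.io/autogen-controllers: Deployment,ReplicaSet,DaemonSet,StatefulSet
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: drop-all-capabilities
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Containers must drop all Linux capabilities by setting the fields
          spec.containers[*].securityContext.capabilities.drop,
          spec.initContainers[*].securityContext.capabilities.drop, and
          spec.ephemeralContainers[*].securityContext.capabilities.drop to `ALL`.
        pattern:
          spec:
            # "=(field)" is Kyverno's conditional anchor: the block is only
            # evaluated when the field exists, so pods without initContainers
            # or ephemeralContainers still pass.
            =(initContainers):
              - securityContext:
                  capabilities:
                    drop:
                      - ALL
            =(ephemeralContainers):
              - securityContext:
                  capabilities:
                    drop:
                      - ALL
            containers:
              - securityContext:
                  capabilities:
                    drop:
                      - ALL
```

To confirm the fix on a cluster, apply the policy and then server-side dry-run a Deployment whose template omits `capabilities.drop` (`kubectl apply --dry-run=server -f deployment.yaml`); with the annotation present the admission webhook denies the Deployment itself, matching the `autogen-drop-all-capabilities` denial shown in the log above. Note that `autogen-controllers` does not cover Jobs or CronJobs unless `Job,CronJob` are added to the list, so a default limited to the four workload kinds above still leaves those paths to the pod-level check.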
