
Require Pod Probes (policies repository issue, closed, 8 comments)

rubroboletus commented on July 21, 2024
Require Pod Probes

from policies.

Comments (8)

chipzoller commented on July 21, 2024

@rubroboletus Can you please test with Kyverno 1.4.3 and see if you have the same issue? If so, please respond here with a test manifest for a CronJob or Job that can be used to verify.


rubroboletus commented on July 21, 2024

@chipzoller Tested, still in trouble. Pasting also my Pod Probes policy, with some exclude logic added. But it fails even with the plain policy from here (also tested).

# apiVersion was missing from the paste; kyverno.io/v1 as in the ClusterPolicy posted later in the thread
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: require-pod-probes
  namespace: rh-test
  annotations:
    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
    policies.kyverno.io/title: Require Pod Probes
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Liveness and readiness probes need to be configured to correctly manage a Pod's
      lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic
      `livenessProbe` is performed by the kubelet to determine if the Pod's containers
      are running or need to be restarted. A `readinessProbe` is used by Services
      and Deployments to determine if the Pod is ready to receive network traffic.
      This policy validates that all containers have liveness and readiness probes by
      ensuring the `periodSeconds` field is greater than zero.
spec:
  validationFailureAction: audit
  rules:
  - name: validate-livenessProbe-readinessProbe
    exclude:
      any:
      # Pods in the Calico namespaces are skipped
      - resources:
          kinds:
          - Pod
          namespaces:
          - tigera-operator
          - calico-system
      # Pods created by cluster-admin or by members of system:masters are skipped
      - resources:
          kinds:
          - Pod
        clusterRoles:
        - cluster-admin
        subjects:
        - kind: Group
          name: system:masters
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Liveness and readiness probes are required."
      pattern:
        spec:
          containers:
          - livenessProbe:
              periodSeconds: ">0"
            readinessProbe:
              periodSeconds: ">0"
---
# apiVersion was missing from the paste; batch/v1 is assumed (batch/v1beta1 on clusters before Kubernetes 1.21)
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
  namespace: rh-test
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello
            image: busybox
            imagePullPolicy: IfNotPresent
            command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
          restartPolicy: OnFailure

The Job was created from the CronJob using a simple kubectl create job --from=cronjob/hello hello-2 -n rh-test --token $RH_TOKEN command.
That token has the "admin" RoleBinding in the mentioned namespace, so it will not match the excludes.
Attaching also the log from the Kyverno pod:
[screenshot]


chipzoller commented on July 21, 2024

@rubroboletus A few things I'm seeing:

  1. This is a Policy and not a ClusterPolicy, which means it's namespaced. The exclude clauses which name other Namespaces aren't valid.
  2. You've set pod-policies.kyverno.io/autogen-controllers and haven't named Job or CronJob, so the auto-gen controller will not generate a complementary policy to block Pods emanating from those controllers.
  3. validationFailureAction is set to audit, which means it will not block anything even if it were valid, merely report on it.


rubroboletus commented on July 21, 2024

@chipzoller Hello, a few things I'm seeing in the Kyverno 1.4.3 log when I try to apply this policy, just changed to a ClusterPolicy and the action to enforce:

[screenshot]

You are right that I was trying to test it fast for you, so I used just a Policy, so as not to break the whole Kubernetes cluster, which is also used by other people. I don't have full access to a fresh, unused EKS cluster all day. For testing purposes "audit" is better, since it will not break anything. But we need to enforce it on our production environments, and currently that is impossible with 1.4.3 because of the already known parsing problem with autogen (spec.rules[1].match ....), and with 1.4.2 mainly because autogen generates nothing when used with any/all rules.
But OK, let's test it without any additional controls ...

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-pod-probes
  annotations:
    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
    policies.kyverno.io/title: Require Pod Probes
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Liveness and readiness probes need to be configured to correctly manage a Pod's
      lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic
      `livenessProbe` is performed by the kubelet to determine if the Pod's containers
      are running or need to be restarted. A `readinessProbe` is used by Services
      and Deployments to determine if the Pod is ready to receive network traffic.
      This policy validates that all containers have liveness and readiness probes by
      ensuring the `periodSeconds` field is greater than zero.
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: validate-livenessProbe-readinessProbe
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Liveness and readiness probes are required."
      pattern:
        spec:
          containers:
          - livenessProbe:
              periodSeconds: ">0"
            readinessProbe:
              periodSeconds: ">0"

[screenshot]

So as you can see, the Pod for this CronJob / Job (definition in the earlier comment) is not going to be created. The CronJob / Job are created without problem. The ClusterPolicy I have used is from the sample policies: https://kyverno.io/policies/best-practices/require_probes/require_probes/. The test above was done on 1.4.2. Let's test it also on 1.4.3.
And nothing changed so far: the CronJob is created, the Job is created, the Pod for the CronJob / Job is blocked:

[screenshot]


chipzoller commented on July 21, 2024

Can you test this now that 1.5.0 is available and report whether we should keep the issue open?


rubroboletus commented on July 21, 2024

Sorry, tested it on 1.5.1, nothing changed. Used the plain policy from the sample policies, without any modifications. Then, as previously, created a CronJob and created a Job from the CronJob using kubectl. The Pod is not created; it is blocked.
[screenshot]


chipzoller commented on July 21, 2024

Going forward, would you mind not posting screenshots of text output but just copying-and-pasting into a code block?

Are you still using the ClusterPolicy and CronJob you posted above? If so, I'll give them another shot.


chipzoller commented on July 21, 2024

@rubroboletus the reason why it's not enforcing on Jobs and CronJobs is because the policy explicitly specifies the Kyverno auto-gen controller is ONLY to create corresponding policies for Deployment, DaemonSet, and StatefulSet resources. This is seen in your posts here and here via this line (L6 in the latter response):

pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet

You can just remove this annotation and re-create the policy. Kyverno will then create the corresponding rules for ALL Pod controllers. You can verify this by doing a kubectl get [cpol | pol] <policy_name> -o yaml and inspect the auto-generated rules.

I'll go ahead and close for now.

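An added example to make the behaviour described in the closing comment concrete. This is example code written for this page, not Kyverno's own implementation: it re-implements only the validate.pattern semantics the require-pod-probes policy relies on (required keys, a one-element list pattern applied to every container, the ">0" numeric operator) and models the auto-gen controller as a rewrite of the Pod pattern under each controller's Pod-template path. The POD_TEMPLATE_PATH table, the exec probe values and the CronJob apiVersion are assumptions; the CronJob itself is the one posted in the thread, constructed here as a dict. With the annotation as posted, the CronJob is admitted because no rule was generated for its kind and only the Pod the Job controller later creates is blocked; with the annotation removed, the CronJob itself is rejected at admission; with probes added, both pass.

```python
"""Model of the validate.pattern check in require-pod-probes and of Kyverno auto-gen's
Pod-template path rewriting. Added example, not Kyverno code; POD_TEMPLATE_PATH is assumed."""
import copy
import operator
import re

# spec.rules[0].validate.pattern from the policy in the thread.
PROBE_PATTERN = {"spec": {"containers": [{
    "livenessProbe": {"periodSeconds": ">0"},
    "readinessProbe": {"periodSeconds": ">0"},
}]}}

# Assumption: where each controller kind carries its Pod template, i.e. where an
# auto-generated rule expects the Pod 'spec' to sit (Pod itself needs no rewrite).
POD_TEMPLATE_PATH = {
    "Pod": [],
    "Deployment": ["spec", "template"],
    "DaemonSet": ["spec", "template"],
    "StatefulSet": ["spec", "template"],
    "Job": ["spec", "template"],
    "CronJob": ["spec", "jobTemplate", "spec", "template"],
}

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}
_OP_RE = re.compile(r"^(>=|<=|>|<)\s*(-?\d+(?:\.\d+)?)$")

def _scalar_matches(pattern, value):
    """'>0'-style strings compare numerically; any other scalar must be equal."""
    m = _OP_RE.match(pattern) if isinstance(pattern, str) else None
    if m:
        op, num = m.groups()
        try:
            return _OPS[op](float(value), float(num))
        except (TypeError, ValueError):
            return False
    return pattern == value

def matches(pattern, resource):
    """Every key of a map pattern is required (a missing probe fails); a one-element
    list pattern must hold for every element of the resource list (every container)."""
    if isinstance(pattern, dict):
        return isinstance(resource, dict) and all(
            k in resource and matches(v, resource[k]) for k, v in pattern.items())
    if isinstance(pattern, list):
        if not isinstance(resource, list):
            return False
        if len(pattern) == 1:
            return all(matches(pattern[0], item) for item in resource)
        return len(pattern) == len(resource) and all(map(matches, pattern, resource))
    return _scalar_matches(pattern, resource)

def autogen_pattern(pattern, kind):
    """Nest a Pod pattern under the kind's Pod-template path, as auto-gen does."""
    for key in reversed(POD_TEMPLATE_PATH[kind]):
        pattern = {key: pattern}
    return pattern

def _template(resource):
    node = resource
    for key in POD_TEMPLATE_PATH[resource["kind"]]:
        node = node[key]
    return node

def pod_from_template(resource):
    """The Pod a controller creates from its template: what the plain Pod rule sees."""
    return {"apiVersion": "v1", "kind": "Pod", "spec": copy.deepcopy(_template(resource)["spec"])}

def with_probes(resource, period_seconds=10):
    """Copy of a manifest with exec probes added to every container of its template."""
    fixed = copy.deepcopy(resource)
    for c in _template(fixed)["spec"]["containers"]:
        c["livenessProbe"] = {"exec": {"command": ["true"]}, "periodSeconds": period_seconds}
        c["readinessProbe"] = {"exec": {"command": ["true"]}, "periodSeconds": period_seconds}
    return fixed

def admission_decision(resource, pattern=PROBE_PATTERN, autogen_controllers=None):
    """Outcome of one enforce-mode Pod rule at admission. autogen_controllers=None
    models the annotation being absent (every kind covered); a tuple models its list."""
    kind = resource["kind"]
    if kind != "Pod":
        covered = autogen_controllers is None or kind in autogen_controllers
        if kind not in POD_TEMPLATE_PATH or not covered:
            return "allowed (no rule generated for kind %s)" % kind
        pattern = autogen_pattern(pattern, kind)
    return "allowed" if matches(pattern, resource) else "blocked"

# The CronJob from the thread, constructed here as a dict rather than YAML.
HELLO_CRONJOB = {"apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "hello", "namespace": "rh-test"},
    "spec": {"schedule": "*/1 * * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{"name": "hello", "image": "busybox",
                        "command": ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"]}],
        "restartPolicy": "OnFailure"}}}}}}

if __name__ == "__main__":
    listed = ("DaemonSet", "Deployment", "StatefulSet")  # the annotation as posted
    for label, res, ctl in [("CronJob, annotation as posted", HELLO_CRONJOB, listed),
                            ("Pod created from it", pod_from_template(HELLO_CRONJOB), listed),
                            ("CronJob, annotation removed", HELLO_CRONJOB, None),
                            ("CronJob with probes", with_probes(HELLO_CRONJOB), None)]:
        print(label + ":", admission_decision(res, autogen_controllers=ctl))
```

Running it prints the four outcomes in the order the thread reached them. The check on the real cluster is the one chipzoller names: kubectl get cpol require-pod-probes -o yaml and confirm that auto-generated rules for Job and CronJob appear once the annotation is gone; matches here deliberately leaves out Kyverno's wildcards and anchors, since this policy uses neither.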
