policy rule validation failure for a valid policy #641

Closed
nyrahul opened this issue Mar 6, 2022 · 0 comments · Fixed by #643
nyrahul commented Mar 6, 2022

Bug Report

Trying to apply a policy with a valid file.matchPaths rule, but it fails.

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-1760649700
  namespace: default
spec:
  severity: 1
  selector:
    matchLabels:
      app: cartservice
  file:
    matchPaths:
    - path: /usr/lib/libstdc++.so.6.0.28
      fromSource:
      - path: /app/cartservice
  action: Block

Policy validation fails during policy apply, giving the following error:

❯ k apply -f sample.yaml
The KubeArmorPolicy "autopol-system-1760649700" is invalid: spec.file.matchPaths.path: Invalid value: "/usr/lib/libstdc++.so.6.0.28": spec.file.matchPaths.path in body should match '^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$'

The problem seems to be with the filename libstdc++.so.6.0.28. If I remove ++ from the filename then the policy apply works.

General Information

  • Environment description (GKE, VM-Kubeadm, vagrant-dev-env, minikube, microk8s, ...)
    any
  • Kernel version (run uname -a)
    any
  • Orchestration system version in use (e.g. kubectl version, ...)
    any

To Reproduce

  1. Install sample k8s cluster with kubearmor daemonset (follow deployment-guide).
  2. Apply the above YAML policy: kubectl apply -f sample.yaml

Expected behavior

kubectl apply should return successfully and the policy should be applied.

nyrahul added the bug, good first issue, and important labels and removed the good first issue label on Mar 6, 2022
daemon1024 self-assigned this on Mar 7, 2022
nam-jaehyun added a commit to dku-boanlab/KubeArmor that referenced this issue Mar 8, 2022
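
Added example (not part of the issue and not KubeArmor code): a Go check that runs the pattern quoted in the validation error against the reported paths, lists the characters the per-segment class rejects, and shows which extra ASCII characters the `A-z` range admits. The pattern and paths are copied from the issue; the function and variable names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern copied verbatim from the validation error in this issue.
const crdPathPattern = `^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$`

var (
	pathRe = regexp.MustCompile(crdPathPattern)
	// The character class the pattern uses for each path segment.
	segCharRe = regexp.MustCompile(`^[A-z0-9-_.]$`)
)

// RejectedChars returns the distinct characters in path that the segment
// class does not admit ('/' is handled by the pattern's structure, so skip it).
func RejectedChars(path string) string {
	var out strings.Builder
	for _, r := range path {
		if r == '/' || segCharRe.MatchString(string(r)) || strings.ContainsRune(out.String(), r) {
			continue
		}
		out.WriteRune(r)
	}
	return out.String()
}

// UnintendedASCII lists printable ASCII characters the class admits that are
// not letters, digits, '-', '_' or '.': the side effect of writing A-z.
func UnintendedASCII() string {
	var out strings.Builder
	for r := rune(0x21); r < 0x7f; r++ {
		if segCharRe.MatchString(string(r)) && !strings.ContainsRune("-_.", r) &&
			!(r >= '0' && r <= '9') && !(r >= 'A' && r <= 'Z') && !(r >= 'a' && r <= 'z') {
			out.WriteRune(r)
		}
	}
	return out.String()
}

func main() {
	for _, p := range []string{"/usr/lib/libstdc++.so.6.0.28", "/usr/lib/libstdc.so.6.0.28", "/app/cartservice"} {
		fmt.Printf("%-32s valid=%-5v rejected=%q\n", p, pathRe.MatchString(p), RejectedChars(p))
	}
	fmt.Printf("also admitted via A-z: %q\n", UnintendedASCII())
}
```

The `A-z` range spans the ASCII code points between `Z` and `a`, so the class accepts several punctuation characters while rejecting `+`, which is legal in file names.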