azure-policy icon indicating copy to clipboard operation
azure-policy copied to clipboard

Published 20 hours ago verified publisher icon Azure

'IngressHttpsOnly: Policy should support “networking.k8s.io/v1" API'

Open ivanthelad opened this issue 2 years ago • 8 comments

The policy checks the ingress rules and enforces HTTPS rules.

The policy checks only the old ingress API format, the “networking.k8s.io/v1beta1”. This API group is deprecated in K8s 1.22 and replaced by the “networking.k8s.io/v1” where the ingress class definition is moved from the metadata.annotations to the spec.

ivanthelad avatar Jun 08 '22 08:06 ivanthelad

closing. inspecting the rego expressions shows it does support the new api https://store.policy.core.windows.net/kubernetes/ingress-https-only/v1/template.yaml

ivanthelad avatar Jun 08 '22 08:06 ivanthelad

Indeed the re_match("^(extensions|networking.k8s.io)$", input.review.kind.group) matches to the new type as well but the following expressions violate_allow_http check the ingress.metadata.annotations["kubernetes.io/ingress.class"].

This annotation doesn't exist or isn't required in the new v1 API. As this field is not mandatory (it is replaced by spec.ingressClassName) hence if it is missing then the policy will mark any ingress rule as valid and doesn't check if TLS is configured.,

Here is an example ingress rule which bypasses the policy and creates a rule to HTTP:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: testing
  namespace: testingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: sample-service
            port:
              number: 80

And here is the kubectl printout after creation:

$> kubectl get ingress -n testingress
NAME      CLASS   HOSTS   ADDRESS       PORTS   AGE
testing   nginx   *       10.32.49.11   80      36s

szasza576 avatar Jun 10 '22 06:06 szasza576

reopening issue

ivanthelad avatar Jun 10 '22 07:06 ivanthelad

Currently, azure policy does not support check two linked k8s resource together. (reading the ingressClass when validating ingress). It may need a long term change for it. For a short term fix, will directly view ingressClassName: nginx as nginx ingress controller. However, other ingressClass name will still bypass.

fseldow avatar Jun 10 '22 08:06 fseldow

There is no additional requirement to check linked resources. I mentioned the API change where the ingress class name was moved from metadata.annotations["kubernetes.io/ingress.class"] to spec.ingressClassName

The constraint template shall be updated accordingly and this shall be enough for the time being.

szasza576 avatar Jun 10 '22 08:06 szasza576

ingressClassName in fact can be customer defined. You can also name the ingress class as nginx1, nginx2. Or maybe name other ingress controller's ingress class as nginx. But as you said, add judgement of spec.ingressClassName=="nginx" can help avoid most of the bypass. Will make this change.

fseldow avatar Jun 10 '22 09:06 fseldow

The current policy also just checks only the "nginx" and "azure/application-gateway". All other ingress classes are "All allowed".

So this changed doesn't add or neither remove functionality but the update is necessary to be compatible with the v1 API format.

szasza576 avatar Jun 10 '22 09:06 szasza576

Seems this has been fixed https://store.policy.core.windows.net/kubernetes/ingress-https-only/v1/template.yaml @szasza576 can you validate this change isNginxController(ingress) { ingress.spec.ingressClassName == "nginx" }

ivanthelad avatar Jun 30 '22 13:06 ivanthelad

Closing this issue as it seems a fix has been deployed.

nehakulkarni123 avatar Sep 10 '22 03:09 nehakulkarni123

Sorry about the delayed response. Yes it is working fine now. Thank you.

szasza576 avatar Sep 29 '22 07:09 szasza576