
[Bug] Variables in message are not getting evaluated before pushing to webhook/ui

Open franznemeth opened this issue 7 months ago • 8 comments

We are using policy-reporter to push policy-violations to a service which then handles the further processing and making sure the owner of the violating resource is informed about the violation.

For this we are adapting our kyverno policies to include some metadata in the violation message. This has always worked fine in the past (kyverno chart version: 2.7.0, kyverno version: v1.9.0 and policy-reporter chart version: 2.13.0).

After upgrading to the latest versions for kyverno and policy-reporter this functionality no longer works.

Policy-reporter pushes the message as is to the configured endpoint without first replacing the variable in {{}}.

Here is a policy to test this with:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/severity: high
    policies.kyverno.io/title: Disallow host namespaces
  name: disallow-host-namespaces
spec:
  admission: true
  background: false
  failurePolicy: Fail
  rules:
  - exclude:
      resources: {}
    generate:
      clone: {}
      cloneList: {}
    match:
      resources:
        kinds:
        - Pod
    mutate: {}
    name: host-namespaces
    validate:
      message: |
        Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must not be set to true. test:{{request.object.metadata.annotations.test||'none'}}
      pattern:
        spec:
          =(hostIPC): "false"
          =(hostNetwork): "false"
          =(hostPID): "false"
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 15

and the following pod to test the validation:

apiVersion: v1
kind: Pod
metadata:
  name: test
  labels:
    app: test
  annotations:
    test: https://example.com/some-url/1
spec:
  hostNetwork: true
  containers:
    - name: bad-hostnetwork
      image: docker.io/library/nginx
      imagePullPolicy: IfNotPresent
  restartPolicy: Always

Applying this pod against a cluster where kyverno is installed gives the following message:

kubectl apply -f test.yaml -n default
Error from server: error when creating "disallow-host-namespaces/host-namespaces/fail.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:

resource Pod/default/bad-hostnetwork was blocked due to the following policies

disallow-host-namespaces:
  host-namespaces: |-
    validation error: Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must not be set to true. test:https://example.com/some-url/1
    . rule host-namespaces failed at path /spec/hostNetwork/

While the push to the endpoint looks like this:

{"message":"Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must not be set to true. test:{{request.object.metadata.annotations.test||'none'}}\n","policy":"disallow-host-namespaces","rule":"host-namespaces","priority":"error","status":"fail","severity":"high","category":"Pod Security Standards (Default)","scored":false,"properties":{"eventName":"disallow-host-namespaces.17a28fa7ec924b5e","resultID":"33991761c902176dd731f6f5b4a88822d330874d","time":"0001-01-01T00:00:00Z"},"resource":{"apiVersion":"","kind":"Pod","name":"test","namespace":"default","uid":""},"creationTimestamp":"0001-01-01T00:00:00Z","source":"Kyverno Event"}

franznemeth Dec 20 '23 14:12
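As an added example that is not part of the issue or of policy-reporter itself: a small Python check a webhook receiver could run on each pushed result to detect messages that still carry unrendered `{{...}}` expressions, so violations whose owner metadata was lost are flagged rather than silently forwarded. The sample payload is constructed from the JSON shown above (trimmed to the fields used); the function names are assumptions.

```python
import json
import re

# Matches a Kyverno/JMESPath variable reference that was never substituted,
# e.g. {{request.object.metadata.annotations.test||'none'}}.
UNRESOLVED_VAR = re.compile(r"\{\{\s*(.+?)\s*\}\}")


def unresolved_variables(message: str) -> list[str]:
    """Return every {{...}} expression still present verbatim in a message."""
    return [m.group(1) for m in UNRESOLVED_VAR.finditer(message)]


def check_payload(raw: str) -> dict:
    """Parse one policy-reporter webhook payload and flag unrendered variables.

    Hypothetical helper: a receiver would call this before routing the
    violation to a resource owner.
    """
    payload = json.loads(raw)
    message = payload.get("message", "")
    unresolved = unresolved_variables(message)
    resource = payload.get("resource", {})
    return {
        "policy": payload.get("policy"),
        "rule": payload.get("rule"),
        "source": payload.get("source"),
        "resource": f'{resource.get("kind")}/{resource.get("namespace")}/{resource.get("name")}',
        "unresolved": unresolved,
        # Forwarding is only safe when every variable in the message was rendered.
        "forwardable": not unresolved,
    }


# Constructed sample: the payload shape from the issue, reduced to the fields used.
SAMPLE_PAYLOAD = json.dumps({
    "message": "Sharing the host namespaces is disallowed. "
               "test:{{request.object.metadata.annotations.test||'none'}}\n",
    "policy": "disallow-host-namespaces",
    "rule": "host-namespaces",
    "status": "fail",
    "resource": {"kind": "Pod", "name": "test", "namespace": "default"},
    "source": "Kyverno Event",
})

if __name__ == "__main__":
    print(check_payload(SAMPLE_PAYLOAD))
```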