
Scan Jobs hang if Cluster / Namespace uses Istio

Open J12934 opened this issue 5 years ago • 5 comments

Describe the bug

When the cluster has istio sidecar injection enabled the secureCodeBox cannot properly run its scans in the namespace as the jobs never terminate as the sidecar is still running even hours after the scan has completed.

Depending on the istio config this can also mess with the ability of the operator / lurcher / parsers to talk to the kubernetes API.

To Reproduce

Steps to reproduce the behavior:

  1. Start any scan in an Istio injection enabled namespace
  2. Scan will never terminate

Expected behavior

Scans should work normally in istio enabled namespaces.

As a temporary workaround, or to wait until proper sidecar support is added to kubernetes, it would be best to disable the injection via a "sidecar.istio.io/inject": "false" pod label on scan, parse and hook pods, see: https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection

Ideally the secureCodeBox Operator could support istio and other service meshes directly and proxy scanner traffic through the sidecar.

System (please complete the following information):

  • Kubernetes: any version
  • Istio: any version

J12934 avatar Sep 29 '20 07:09 J12934

This makes it impossible to run scans if mTLS is enabled because no scanner will be able to connect to anything inside a cluster.

Envoy has an endpoint to gracefully shutdown the proxy (and thus end the job), this is probably a much better solution than disabling injection.

Is there a way that lurcher can call this endpoint once it's finished, maybe adding a switch for this in the scan spec?

akath19 avatar Oct 19 '20 18:10 akath19

@akath19 yes 👍 that would be the ideal solution, at least until proper sidecar support lands in all supported kubernetes versions.

Our last idea for that was for the lurcher to iterate over the containers in the pod and trigger the shutdown endpoints (might need to do some matching to lookup the correct endpoint for the service mesh, not sure if these are standardized), but we haven't yet had time to implement this.

J12934 avatar Oct 19 '20 18:10 J12934
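To make the two preceding comments concrete, here is an added example (not lurcher or secureCodeBox code) of the approach they describe: a small wrapper runs the scanner command, looks at the pod's container names to decide whether a known mesh sidecar is present, and then POSTs to that sidecar's quit endpoint so the Job can finish. It assumes Istio's defaults, a sidecar container named `istio-proxy` and the pilot-agent endpoint `POST http://127.0.0.1:15020/quitquitquit`; the `demo_with_stub_sidecar` helper, the stub HTTP server it starts and the child process it uses as a stand-in "scan" are constructed for offline testing.

```python
"""Run a scan command, then ask a mesh sidecar to exit so the Job terminates.

Added example, not secureCodeBox's own code. Assumes Istio defaults:
sidecar container 'istio-proxy', pilot-agent quit endpoint on port 15020.
"""
import http.server
import subprocess
import sys
import threading
import urllib.error
import urllib.request
from typing import Dict, Iterable, Optional, Sequence

# Istio defaults (assumption: unchanged injection config).
ISTIO_PROXY_CONTAINER = "istio-proxy"
ISTIO_QUIT_URL = "http://127.0.0.1:15020/quitquitquit"

# Sidecar container name -> shutdown endpoint. Only Istio is listed; other
# meshes can be added here once their endpoints are confirmed.
KNOWN_SIDECAR_ENDPOINTS: Dict[str, str] = {ISTIO_PROXY_CONTAINER: ISTIO_QUIT_URL}


def sidecar_quit_endpoint(container_names: Iterable[str],
                          endpoints: Dict[str, str] = KNOWN_SIDECAR_ENDPOINTS) -> Optional[str]:
    """Match the pod's container names against known sidecars; None if no match."""
    for name in container_names:
        if name in endpoints:
            return endpoints[name]
    return None


def quit_sidecar(url: str, timeout: float = 5.0) -> bool:
    """POST an empty body to the sidecar's quit endpoint; True on HTTP 2xx."""
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, OSError):
        return False


def run_scan_then_quit(cmd: Sequence[str], container_names: Iterable[str],
                       endpoints: Dict[str, str] = KNOWN_SIDECAR_ENDPOINTS) -> int:
    """Run the scanner, then shut the sidecar down if one is recognised.

    The scanner's exit code is returned unchanged so the Job still reflects
    the scan result; a failed sidecar shutdown is reported but not fatal.
    """
    rc = subprocess.run(list(cmd)).returncode
    url = sidecar_quit_endpoint(container_names, endpoints)
    if url is not None and not quit_sidecar(url):
        print(f"warning: could not reach sidecar quit endpoint {url}", file=sys.stderr)
    return rc


class _StubSidecar(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for pilot-agent: records POST paths, answers 200."""
    received: list = []

    def do_POST(self) -> None:
        self.received.append(self.path)
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def demo_with_stub_sidecar(scan_exit_code: int = 0) -> dict:
    """Exercise the wrapper offline against a local stub sidecar."""
    _StubSidecar.received = []
    srv = http.server.HTTPServer(("127.0.0.1", 0), _StubSidecar)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        # Constructed "scan": a child Python process exiting with the given code.
        cmd = [sys.executable, "-c", f"import sys; sys.exit({scan_exit_code})"]
        stub_url = f"http://127.0.0.1:{srv.server_port}/quitquitquit"
        rc = run_scan_then_quit(cmd, ["scanner", ISTIO_PROXY_CONTAINER],
                                {ISTIO_PROXY_CONTAINER: stub_url})
    finally:
        srv.shutdown()
        srv.server_close()
    return {"rc": rc, "quit_paths": list(_StubSidecar.received)}


if __name__ == "__main__":
    print(demo_with_stub_sidecar(0))
```

In a real Job the wrapper would be the scanner container's entrypoint and the container list would come from the pod spec (for example via the downward API or the Kubernetes API the lurcher already uses); the endpoint table is kept as data so that a mesh other than Istio only needs a new entry, not new code.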

We leave this open bc there is an upcoming feature in k8s w/ better sidecar handling. We hope this will help us to fix this.

Weltraumschaf avatar Jul 20 '23 13:07 Weltraumschaf