
No logs of violations

Open night4knight opened this issue 1 year ago • 6 comments

It would be great to see a full log of violations which are not already present, showing timestamps of the events.

night4knight avatar Sep 02 '22 14:09 night4knight

Hello @night4knight

Could you please give us some more details on the request? maybe an example?

Thank you

ralgozino avatar Sep 02 '22 15:09 ralgozino

Hello, I was talking about logging violation events as they appear. Maybe it would give more visibility.

night4knight avatar Sep 05 '22 06:09 night4knight

I'm not sure I understand.

If what you mean is to be able to see requests that Gatekeeper is denying in real time (instead of the violations reported by the audit process) AFAIK Gatekeeper does not provide a mechanism to do it.

Maybe we could parse Gatekeeper's logs or something but it would be a little hacky.

There's also this feature in alpha status that could be handy: https://open-policy-agent.github.io/gatekeeper/website/docs/customize-startup/#alpha-emit-admission-and-audit-events

I think you are asking for something like this: https://github.com/open-policy-agent/gatekeeper/issues/580

ralgozino avatar Sep 21 '22 12:09 ralgozino

I've made some progress in the branch feat/list-events but I hit a blocking issue in the Python Kubernetes Client that explodes when the events have the event_time field as null.

Bypassing the issue I can list the relevant events in the backend and then we could show them in the UI.

Here's a sample of what the backend could return:

[
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "K8sLivenessProbe",
      "constraint_name": "liveness-probe",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: liveness-probe, Message: Rejecting \"Pod/curlero\" for not specifying a livenessProbe",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  },
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "K8sReadinessProbe",
      "constraint_name": "readiness-probe",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: readiness-probe, Message: Rejecting \"Pod/curlero\" for not specifying a readinessProbe",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  },
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "SecurityControls",
      "constraint_name": "enforce-deployment-and-pod-security-controls",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the 'curlero' Pod allows priviledge escalation",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  },
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "SecurityControls",
      "constraint_name": "enforce-deployment-and-pod-security-controls",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the 'curlero' Pod does not have a CPU limit set",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  },
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "SecurityControls",
      "constraint_name": "enforce-deployment-and-pod-security-controls",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the 'curlero' Pod does not have a memory limit set",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  },
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "SecurityControls",
      "constraint_name": "enforce-deployment-and-pod-security-controls",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the 'curlero' Pod is running as root",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  },
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "SecurityControls",
      "constraint_name": "enforce-deployment-and-pod-security-controls",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the Pod 'curlero' has an image 'curlimages/curl' using the latest tag",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  }
]

ralgozino avatar Jan 02 '23 19:01 ralgozino
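An added example (not the gatekeeper-policy-manager backend) of the filtering step described in the comment above: it takes a core/v1 EventList as JSON, keeps only the events Gatekeeper annotated as violations, tolerates a null eventTime by falling back to lastTimestamp, and maps them to the response shape shown in the sample. The EventList is constructed inline, and `SAMPLE_EVENTLIST`, `_event_time` and `gatekeeper_violations` are assumed names.

```python
import json
from datetime import datetime, timezone
from email.utils import format_datetime

# Constructed sample shaped like a core/v1 EventList (`kubectl get events -o json`).
# The first item carries Gatekeeper's violation annotations and a null eventTime,
# the field the typed Python client rejected; the second is unrelated noise.
SAMPLE_EVENTLIST = json.dumps({"apiVersion": "v1", "kind": "EventList", "items": [
    {"metadata": {"name": "curlero.1", "namespace": "default", "annotations": {
        "constraint_action": "deny", "constraint_kind": "K8sLivenessProbe",
        "constraint_name": "liveness-probe", "event_type": "violation",
        "process": "admission", "resource_kind": "Pod",
        "resource_name": "curlero", "resource_namespace": "default"}},
     "reason": "FailedAdmission", "type": "Warning",
     "message": 'Admission webhook "validation.gatekeeper.sh" denied request, '
                'Constraint: liveness-probe, Message: Rejecting "Pod/curlero" '
                'for not specifying a livenessProbe',
     "eventTime": None, "lastTimestamp": "2023-01-02T18:39:47Z"},
    {"metadata": {"name": "nginx.2", "namespace": "default", "annotations": {}},
     "reason": "Scheduled", "type": "Normal",
     "message": "Successfully assigned default/nginx to node-1",
     "eventTime": None, "lastTimestamp": "2023-01-02T18:40:00Z"}]})

def _event_time(item):
    """First populated timestamp, as RFC 1123 like the backend sample; eventTime
    is null for events written through the core/v1 recorder, so fall back."""
    for key in ("eventTime", "lastTimestamp", "firstTimestamp"):
        raw = item.get(key)
        if raw:
            dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
            return format_datetime(dt.astimezone(timezone.utc), usegmt=True)
    return None

def gatekeeper_violations(eventlist_json, process=None):
    """Keep only events Gatekeeper annotated as violations (optionally just
    'admission' or 'audit') and map them to the shape the backend returns."""
    out = []
    for item in json.loads(eventlist_json)["items"]:
        ann = (item.get("metadata") or {}).get("annotations") or {}
        if ann.get("event_type") != "violation":
            continue
        if process and ann.get("process") != process:
            continue
        out.append({"annotations": ann, "note": item.get("message"),
                    "reason": item.get("reason"), "time": _event_time(item),
                    "type": item.get("type")})
    return out

if __name__ == "__main__":
    print(json.dumps(gatekeeper_violations(SAMPLE_EVENTLIST), indent=2))
```

Against a live cluster the same list can be fetched raw, bypassing the typed models that reject the null field, with the Python client's `_preload_content=False` option (for example `CoreV1Api().list_event_for_all_namespaces(_preload_content=False).data`) and passed to `gatekeeper_violations`.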

Listing events is working in the new Go backend version.

ralgozino avatar May 04 '23 09:05 ralgozino

Upstream has merged a pub-sub interface for violations. Maybe we can use that instead of the events.

Ref:

  • https://github.com/open-policy-agent/gatekeeper/pull/2538

ralgozino avatar Jul 26 '23 07:07 ralgozino