Large policies are not consistently applied in whitelisting mode #1657
Comments
Following are some of my observations:
PFA the updated policy test-policy-updated.yaml.txt. Hope this helps.
Hi @nyrahul, thank you for your response, however the policy I supplied was meant as a mere example for the purpose of reporting the issue. We're having similar problems with a different policy of about ~200 lines, without any overlap.
Hello @nyrahul, would you mind clarifying the status of this issue? Can the project spare any effort to fix this at the moment? Is this considered something to be fixed at all?
We pulled it up for triage today.
It would be great to have some recommendations from folks who have run into this problem.
Hello @nyrahul, the policy we use is this ide-policy.json, which is much smaller than the policy that we have given in the issue. Potentially we could also try to further reduce this policy, but we would need to understand under what limit we must go to be sure that everything works properly, considering that the problem does not appear every time and is not easy to reproduce.
General Information
kubearmor/kubearmor and kubearmor/kubearmor-init image versions v1.2.1
To Reproduce
Create a large kubearmor policy (my policy is about 500 lines) that matches the pod created in the previous step and, as a whitelist, allows access to various files and folders in the pod, including the one that is opened by the script
test-policy.json
Apply pod manifest
Expected behavior
We expect the pod to be created without problems and the script to have access to the file without any problem.
Current behavior
Very often it happens that the script fails to reach the file because it is blocked by the policy, even if the file is present in the whitelist.