No logs of violations #433

Open
night4knight opened this issue Sep 2, 2022 · 6 comments
Assignees
Labels
enhancement New feature or request

Comments

@night4knight

It would be great to see a full log of violations, which is not already present, showing timestamps of the events.

@ralgozino
Member

Hello @night4knight

Could you please give us some more details on the request? Maybe an example?

Thank you

@ralgozino ralgozino self-assigned this Sep 2, 2022
@ralgozino ralgozino added the question Further information is requested label Sep 2, 2022
@night4knight
Author

Hello, I meant logging violation events as they appear. Maybe it would give more visibility.


@ralgozino
Member

ralgozino commented Sep 21, 2022

I'm not sure I understand.

If what you mean is to be able to see requests that Gatekeeper is denying in real time (instead of the violations reported by the audit process) AFAIK Gatekeeper does not provide a mechanism to do it.

Maybe we could parse Gatekeeper's logs or something but it would be a little hacky.

There's also this feature in alpha status that could be handy: https://open-policy-agent.github.io/gatekeeper/website/docs/customize-startup/#alpha-emit-admission-and-audit-events

I think you are asking for something like this:
open-policy-agent/gatekeeper#580

@ralgozino
Member

ralgozino commented Jan 2, 2023

I've made some progress in the branch feat/list-events, but I hit a blocking issue in the Python Kubernetes client, which explodes when the events have the event_time field set to null.

Bypassing the issue, I can list the relevant events in the backend, and then we could show them in the UI.

Here's a sample of what the backend could return:

[
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "K8sLivenessProbe",
      "constraint_name": "liveness-probe",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: liveness-probe, Message: Rejecting \"Pod/curlero\" for not specifying a livenessProbe",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  },
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "K8sReadinessProbe",
      "constraint_name": "readiness-probe",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: readiness-probe, Message: Rejecting \"Pod/curlero\" for not specifying a readinessProbe",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  },
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "SecurityControls",
      "constraint_name": "enforce-deployment-and-pod-security-controls",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the 'curlero' Pod allows priviledge escalation",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  },
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "SecurityControls",
      "constraint_name": "enforce-deployment-and-pod-security-controls",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the 'curlero' Pod does not have a CPU limit set",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  },
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "SecurityControls",
      "constraint_name": "enforce-deployment-and-pod-security-controls",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the 'curlero' Pod does not have a memory limit set",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  },
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "SecurityControls",
      "constraint_name": "enforce-deployment-and-pod-security-controls",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the 'curlero' Pod is running as root",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  },
  {
    "annotations": {
      "constraint_action": "deny",
      "constraint_api_version": "v1beta1",
      "constraint_group": "constraints.gatekeeper.sh",
      "constraint_kind": "SecurityControls",
      "constraint_name": "enforce-deployment-and-pod-security-controls",
      "event_type": "violation",
      "process": "admission",
      "request_username": "kubernetes-admin",
      "resource_api_version": "v1",
      "resource_group": "",
      "resource_kind": "Pod",
      "resource_name": "curlero",
      "resource_namespace": "default"
    },
    "note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the Pod 'curlero' has an image 'curlimages/curl' using the latest tag",
    "reason": "FailedAdmission",
    "time": "Mon, 02 Jan 2023 18:39:47 GMT",
    "type": "Warning"
  }
]
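As an added example (not code from this issue or from the project's backend), here is a stand-alone Go program that does what the backend output above is described as doing: it decodes an EventList JSON document, keeps only the Events carrying Gatekeeper's event_type=violation annotation, and flattens the constraint_* / resource_* / request_username annotations into timestamped records, newest first. It uses plain encoding/json rather than a generated client, so a null eventTime (the field the Python client choked on) simply decodes to a nil pointer and the code falls back to lastTimestamp / firstTimestamp instead of failing. The sample EventList is constructed for this example and modelled on the backend output above; the field names follow the Kubernetes core/v1 Event API and the annotation names follow the sample, while the audit event's reason and message text are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// rawEvent is the subset of a Kubernetes core/v1 Event this example reads. Field names
// follow the real API; the struct is this example's own, so a null eventTime decodes to nil.
type rawEvent struct {
	Metadata struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Message        string     `json:"message"`
	EventTime      *time.Time `json:"eventTime"`
	FirstTimestamp *time.Time `json:"firstTimestamp"`
	LastTimestamp  *time.Time `json:"lastTimestamp"`
}

// Violation is the flattened record a UI or log pipeline would consume;
// Time is zero when the Event carried no usable timestamp at all.
type Violation struct {
	Time           time.Time
	Process        string // "process" annotation: admission or audit
	Action         string // "constraint_action" annotation, e.g. deny
	ConstraintKind string
	ConstraintName string
	ResourceNS     string
	ResourceName   string
	Username       string // "request_username"; admission events only
	Message        string
}

// eventTimestamp prefers eventTime (a MicroTime), then lastTimestamp, then
// firstTimestamp, so a null eventTime does not lose the record.
func eventTimestamp(e rawEvent) time.Time {
	for _, c := range []*time.Time{e.EventTime, e.LastTimestamp, e.FirstTimestamp} {
		if c != nil && !c.IsZero() {
			return *c
		}
	}
	return time.Time{}
}

// ParseViolations decodes an EventList (GET /api/v1/events or `kubectl get events -A -o json`),
// keeps the Events carrying Gatekeeper's event_type=violation annotation, newest first.
func ParseViolations(data []byte) ([]Violation, error) {
	var list struct {
		Items []rawEvent `json:"items"`
	}
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, fmt.Errorf("decoding EventList: %w", err)
	}
	var out []Violation
	for _, e := range list.Items {
		a := e.Metadata.Annotations // nil for non-Gatekeeper Events; lookups yield ""
		if a["event_type"] != "violation" {
			continue
		}
		out = append(out, Violation{
			Time: eventTimestamp(e), Process: a["process"], Action: a["constraint_action"],
			ConstraintKind: a["constraint_kind"], ConstraintName: a["constraint_name"],
			ResourceNS: a["resource_namespace"], ResourceName: a["resource_name"],
			Username: a["request_username"], Message: e.Message,
		})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Time.After(out[j].Time) })
	return out, nil
}

// sampleEvents is a constructed EventList modelled on the issue's sample: an admission denial
// with a null eventTime (the case that broke the Python client), an audit violation (reason
// and message text assumed), and an unrelated scheduler Event that must be filtered out.
const sampleEvents = `{"items": [
 {"metadata": {"annotations": {"constraint_action": "deny", "constraint_kind": "K8sLivenessProbe",
   "constraint_name": "liveness-probe", "event_type": "violation", "process": "admission",
   "request_username": "kubernetes-admin", "resource_kind": "Pod", "resource_name": "curlero", "resource_namespace": "default"}},
  "reason": "FailedAdmission", "eventTime": null, "firstTimestamp": "2023-01-02T18:39:47Z", "lastTimestamp": "2023-01-02T18:39:47Z",
  "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: liveness-probe, Message: Rejecting \"Pod/curlero\" for not specifying a livenessProbe"},
 {"metadata": {"annotations": {"constraint_action": "deny", "constraint_kind": "SecurityControls",
   "constraint_name": "enforce-deployment-and-pod-security-controls", "event_type": "violation", "process": "audit",
   "resource_kind": "Pod", "resource_name": "legacy-api", "resource_namespace": "prod"}},
  "reason": "AuditViolation", "eventTime": "2023-01-02T19:05:12.481930Z", "firstTimestamp": null, "lastTimestamp": null,
  "message": "Audit violation: container 'api' in the 'legacy-api' Pod is running as root"},
 {"metadata": {}, "reason": "Scheduled", "eventTime": null, "firstTimestamp": "2023-01-02T18:40:01Z",
  "lastTimestamp": "2023-01-02T18:40:01Z", "message": "Successfully assigned default/curlero to node-1"}
]}`

func main() {
	vs, err := ParseViolations([]byte(sampleEvents))
	if err != nil {
		panic(err)
	}
	for _, v := range vs {
		fmt.Printf("%s %-9s %s %s/%s on %s/%s by %q: %s\n", v.Time.UTC().Format(time.RFC3339),
			v.Process, v.Action, v.ConstraintKind, v.ConstraintName, v.ResourceNS, v.ResourceName, v.Username, v.Message)
	}
}
```

Two design points worth keeping if this is turned into a real backend: an Event with no timestamp at all is still returned (with a zero Time) rather than dropped, because a denial record should never disappear silently from a security view; and the filter keys on the event_type annotation rather than on the reason string, so admission and audit violations are handled by the same path.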

@ralgozino ralgozino removed the question Further information is requested label May 4, 2023
@ralgozino
Member

ralgozino commented May 4, 2023

Listing events is working in the new Go backend version.

@ralgozino
Member

ralgozino commented Jul 26, 2023

Upstream has merged a pub-sub interface for violations. Maybe we can use that instead of the events.

Ref:
