-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No any logs of violations #433
Comments
Hello @night4knight Could you please give us some more details on the request? maybe an example? Thank you |
Hello, I said about logging appearing events of violations. Maybe it would give more visibility.
|
I'm not sure I understand. If what you mean is to be able to see requests that Gatekeeper is denying in real time (instead of the violations reported by the audit process) AFAIK Gatekeeper does not provide a mechanism to do it. Maybe we could parse Gatekeeper's logs or something but it would be a little hacky. There's also this feature in alpha status that could be handy: https://open-policy-agent.github.io/gatekeeper/website/docs/customize-startup/#alpha-emit-admission-and-audit-events I think you are asking for something like this: |
I've made some progress in the branch Bypassing the issue I can list the relevant events in the backend and then we could show them in the UI. Here's a sample of what the backend could return: [
{
"annotations": {
"constraint_action": "deny",
"constraint_api_version": "v1beta1",
"constraint_group": "constraints.gatekeeper.sh",
"constraint_kind": "K8sLivenessProbe",
"constraint_name": "liveness-probe",
"event_type": "violation",
"process": "admission",
"request_username": "kubernetes-admin",
"resource_api_version": "v1",
"resource_group": "",
"resource_kind": "Pod",
"resource_name": "curlero",
"resource_namespace": "default"
},
"note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: liveness-probe, Message: Rejecting \"Pod/curlero\" for not specifying a livenessProbe",
"reason": "FailedAdmission",
"time": "Mon, 02 Jan 2023 18:39:47 GMT",
"type": "Warning"
},
{
"annotations": {
"constraint_action": "deny",
"constraint_api_version": "v1beta1",
"constraint_group": "constraints.gatekeeper.sh",
"constraint_kind": "K8sReadinessProbe",
"constraint_name": "readiness-probe",
"event_type": "violation",
"process": "admission",
"request_username": "kubernetes-admin",
"resource_api_version": "v1",
"resource_group": "",
"resource_kind": "Pod",
"resource_name": "curlero",
"resource_namespace": "default"
},
"note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: readiness-probe, Message: Rejecting \"Pod/curlero\" for not specifying a readinessProbe",
"reason": "FailedAdmission",
"time": "Mon, 02 Jan 2023 18:39:47 GMT",
"type": "Warning"
},
{
"annotations": {
"constraint_action": "deny",
"constraint_api_version": "v1beta1",
"constraint_group": "constraints.gatekeeper.sh",
"constraint_kind": "SecurityControls",
"constraint_name": "enforce-deployment-and-pod-security-controls",
"event_type": "violation",
"process": "admission",
"request_username": "kubernetes-admin",
"resource_api_version": "v1",
"resource_group": "",
"resource_kind": "Pod",
"resource_name": "curlero",
"resource_namespace": "default"
},
"note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the 'curlero' Pod allows priviledge escalation",
"reason": "FailedAdmission",
"time": "Mon, 02 Jan 2023 18:39:47 GMT",
"type": "Warning"
},
{
"annotations": {
"constraint_action": "deny",
"constraint_api_version": "v1beta1",
"constraint_group": "constraints.gatekeeper.sh",
"constraint_kind": "SecurityControls",
"constraint_name": "enforce-deployment-and-pod-security-controls",
"event_type": "violation",
"process": "admission",
"request_username": "kubernetes-admin",
"resource_api_version": "v1",
"resource_group": "",
"resource_kind": "Pod",
"resource_name": "curlero",
"resource_namespace": "default"
},
"note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the 'curlero' Pod does not have a CPU limit set",
"reason": "FailedAdmission",
"time": "Mon, 02 Jan 2023 18:39:47 GMT",
"type": "Warning"
},
{
"annotations": {
"constraint_action": "deny",
"constraint_api_version": "v1beta1",
"constraint_group": "constraints.gatekeeper.sh",
"constraint_kind": "SecurityControls",
"constraint_name": "enforce-deployment-and-pod-security-controls",
"event_type": "violation",
"process": "admission",
"request_username": "kubernetes-admin",
"resource_api_version": "v1",
"resource_group": "",
"resource_kind": "Pod",
"resource_name": "curlero",
"resource_namespace": "default"
},
"note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the 'curlero' Pod does not have a memory limit set",
"reason": "FailedAdmission",
"time": "Mon, 02 Jan 2023 18:39:47 GMT",
"type": "Warning"
},
{
"annotations": {
"constraint_action": "deny",
"constraint_api_version": "v1beta1",
"constraint_group": "constraints.gatekeeper.sh",
"constraint_kind": "SecurityControls",
"constraint_name": "enforce-deployment-and-pod-security-controls",
"event_type": "violation",
"process": "admission",
"request_username": "kubernetes-admin",
"resource_api_version": "v1",
"resource_group": "",
"resource_kind": "Pod",
"resource_name": "curlero",
"resource_namespace": "default"
},
"note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the 'curlero' Pod is running as root",
"reason": "FailedAdmission",
"time": "Mon, 02 Jan 2023 18:39:47 GMT",
"type": "Warning"
},
{
"annotations": {
"constraint_action": "deny",
"constraint_api_version": "v1beta1",
"constraint_group": "constraints.gatekeeper.sh",
"constraint_kind": "SecurityControls",
"constraint_name": "enforce-deployment-and-pod-security-controls",
"event_type": "violation",
"process": "admission",
"request_username": "kubernetes-admin",
"resource_api_version": "v1",
"resource_group": "",
"resource_kind": "Pod",
"resource_name": "curlero",
"resource_namespace": "default"
},
"note": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: enforce-deployment-and-pod-security-controls, Message: container 'curlero' in the Pod 'curlero' has an image 'curlimages/curl' using the latest tag",
"reason": "FailedAdmission",
"time": "Mon, 02 Jan 2023 18:39:47 GMT",
"type": "Warning"
}
] |
Listing events is working in the new Go backend version |
Upstream has merged a pub-sub interface for violations. Maybe we can use that instead of the events. Ref: |
It would be great to see full log of violations which are not already present and showing a timestamps of events
The text was updated successfully, but these errors were encountered: