[Security Hardened Kubernetes Cluster] Additional checks for namespaces marked for deletion

[georgibaltiev]

How to categorize this PR?

/kind enhancement

What this PR does / why we need it:
This PR enhances the already present evaluation of a Namespace' sNetworkPolicies, by checking if the namespace is marked for deletion with a .deletionTimestamp. If the namespace is marked for deletion, and has neither pods on it deployed nor any allow-all network policies, security finding results are marked as Warning instead of Failed

Which issue(s) this PR fixes:
Fixes #638

Special notes for your reviewer:

Release note:

[Rule 2000 of the Security Hardened Kubernetes Cluster ruleset] Namespaces marked for deletion without any pods will be marked as `Warning` findings instead of `Failed`

[gardener-prow]

@georgibaltiev: The label(s) kind/todo cannot be applied, because the repository doesn't have them.

In response to this:

How to categorize this PR?

/kind TODO

What this PR does / why we need it:
This PR enhances the already present evaluation of a Namespace' sNetworkPolicies, by checking if the namespace is marked for deletion with a .deletionTimestamp. If the namespace is marked for deletion, and has no pods on it deployed, security finding results are marked as Warning instead of Failed

Which issue(s) this PR fixes:
Fixes #638

Special notes for your reviewer:

Release note:

[Rule 2000 of the Security Hardened Kubernetes Cluster ruleset] Namespaces marked for deletion without any pods will be marked as `Warning` findings instead of `Failed`

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[gardener-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign dimityrmirchev for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[georgibaltiev]

/hold
as I've noticed a bug with one of the unit tests

[georgibaltiev]

/unhold
the bug has been resolved

[AleksandarSavchev]

Thanks! Have some minor suggestions

[AleksandarSavchev]

Suggested change

	namespaceDeletionWithoutPodsMessage = "namespace is marked for deletion - no pods are deployed on it"
	namespaceDeletionWithPodsMessage = "namespace is marked for deletion - there are still pods deployed on it"
	namespaceDeletionWithoutPodsDetails = "namespace is marked for deletion with no present pods"
	namespaceDeletionWithPodsDetails = "namespace is marked for deletion with present pods"
	ingressTrafficNotDeniedMessage = "Ingress traffic is not denied by default."
	egressTrafficNotDeniedMessage = "Egress traffic is not denied by default."

The "not denied by default" message is repeated several times, we can store it in a const.

[AleksandarSavchev]

Suggested change

	pods, err := kubeutils.GetPods(ctx, r.Client, namespace.Name, labels.NewSelector(), 300)
	if err != nil {
	checkResults = append(checkResults, rule.ErroredCheckResult(err.Error(), rule.NewTarget()))
	break
	}
	pods, err := kubeutils.GetPods(ctx, r.Client, namespace.Name, labels.NewSelector(), 300)
	if err != nil {
	return rule.Result(r, rule.ErroredCheckResult(err.Error(), target)), nil
	}

We should return on errored CheckResult here. I think it would only error here if there is a problem with the client. WDYT?

[georgibaltiev]

My assumption was based on the fact that there could be issues with the GetPods function, related to a specific namespace, for example the user not having permissions to access it, but I am not sure if those use cases are relevant, if even possible. This was my reasoning as to why I want to check all namespaces, even if one of them errors. WDYT?

[AleksandarSavchev]

Sure, the user might not have permissions for a specific namespace. On a side note the break here is not needed.

We tell the user to use an admin kubeconfig when running diki. Most likely there will be a lot of errored rules when such permissions are missing. I do not think we should cater to this case.

[georgibaltiev]

Okay, that makes sense.

[AleksandarSavchev]

Suggested change

	if len(pods) > 0 {
	if len(pods) > 0 {

[AleksandarSavchev]

Suggested change

	checkResults = append(checkResults, rule.FailedCheckResult("Ingress traffic is not denied by default.", target))
	checkResults = append(checkResults, rule.FailedCheckResult(ingressTrafficNotDeniedMessage, target))

• other applicable places.

[AleksandarSavchev]

same as above

[AleksandarSavchev]

Suggested change

	ObjectMeta: metav1.ObjectMeta{
	Name: "deny-all",
	Namespace: "plain-namespace",
	},
	ObjectMeta: metav1.ObjectMeta{
	Name: "foo",
	Namespace: "plain-namespace",
	},

I see that most of the entries use the same name & namespace. We can have the ObjectMeta be set in the test func and only pass the Spec here.

[AleksandarSavchev]

Suggested change

	Entry("should warn fail an allow-all network policy is configured for the ingress traffic and there are no pods present",
	Entry("should fail when an allow-all network policy is configured for the ingress traffic and there are no pods present",

[AleksandarSavchev]

Suggested change

	Entry("should warn fail an allow-all network policy is configured for the egress traffic and there are no pods present",
	Entry("should fail when an allow-all network policy is configured for the egress traffic and there are no pods present",

[AleksandarSavchev]

Can also have only the spec passed here.