
Unable to generate host port in policy generation #39

Closed
amitsaha opened this issue May 19, 2020 · 2 comments
@amitsaha

Describe the bug

kube-psp-advisor detects that a specified daemonset wants to use the host network, but it is unable to detect the host port during policy generation.

To Reproduce
Steps to reproduce the behavior:

Create a new file called example_ds.yaml with the following contents:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-exporter
  namespace: kube-system
  labels:
    k8s-app: node-exporter
spec:
  selector:
    matchLabels:
      k8s-app: node-exporter
  updateStrategy:
    type: OnDelete
  template:
    metadata:
      labels:
        k8s-app: node-exporter
    spec:
      priorityClassName: system-node-critical
      containers:
        - name: node-exporter
          image: "node-exporter:latest"
          command: ["/opt/prometheus/kubernetes.sh"]
          ports:
            - name: metrics
              containerPort: 22000
              hostPort: 22000
          volumeMounts:
            - name: proc
              mountPath: /host/proc
              readOnly: true
            - name: sys
              mountPath: /host/sys
              readOnly: true
          resources:
            limits:
              memory: 50Mi
            requests:
              cpu: 100m
              memory: 50Mi
      hostNetwork: true
      hostPID: true
      volumes:
        - name: proc
          hostPath:
            path: /proc
        - name: sys
          hostPath:
            path: /sys

Download kube-psp-advisor from https://github.com/sysdiglabs/kube-psp-advisor/releases/tag/v1.7.0
and run it as:

./kubectl-advise-psp convert --podFile example-ds.yaml --pspFile node-exporter-psp.yaml

The generated psp file will have:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  creationTimestamp: null
  name: pod-security-policy-default-20200519154748
spec:
  allowedHostPaths:
  - pathPrefix: /proc
    readOnly: true
  - pathPrefix: /sys
    readOnly: true
  fsGroup:
    rule: RunAsAny
  hostNetwork: true
  hostPID: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - hostPath
  - secret

Expected behavior
I expected the hostPorts to be present in the generated PSP file above.
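The rule the report expects the generator to emit, worked through as an added example (my own code, not kube-psp-advisor's): the DaemonSet's pod template from the report is embedded as a constructed Python dict, every declared `hostPort` across containers and initContainers is collected, and the ports are collapsed into the contiguous `{min, max}` ranges that `policy/v1beta1` PodSecurityPolicy lists under `spec.hostPorts`. The function and variable names are my own.

```python
# Constructed: the node-exporter pod template from the report, reduced to the
# fields the hostPorts rule depends on.
NODE_EXPORTER_TEMPLATE = {
    "spec": {
        "hostNetwork": True,
        "containers": [
            {
                "name": "node-exporter",
                "ports": [{"name": "metrics", "containerPort": 22000, "hostPort": 22000}],
            }
        ],
    },
}


def declared_host_ports(pod_spec):
    """Every hostPort requested by a container or initContainer; 0/absent means
    none was requested and is skipped rather than becoming a bogus 0-0 range."""
    ports = set()
    for container in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for port in container.get("ports", []):
            host_port = int(port.get("hostPort", 0))
            if host_port > 0:
                ports.add(host_port)
    return sorted(ports)


def host_port_ranges(pod_spec):
    """Collapse declared ports into the minimal contiguous {min,max} ranges that a
    policy/v1beta1 PodSecurityPolicy lists under spec.hostPorts."""
    ranges = []
    for port in declared_host_ports(pod_spec):
        if ranges and ranges[-1]["max"] + 1 == port:
            ranges[-1]["max"] = port  # extend the current contiguous run
        else:
            ranges.append({"min": port, "max": port})
    return ranges


def psp_host_port_fragment(pod_template):
    """The spec fields the PSP generated in the report should have carried."""
    spec = pod_template["spec"]
    fragment = {"hostNetwork": bool(spec.get("hostNetwork", False))}
    ranges = host_port_ranges(spec)
    if ranges:  # an empty hostPorts list would allow no host ports at all
        fragment["hostPorts"] = ranges
    return fragment


if __name__ == "__main__":
    print(psp_host_port_fragment(NODE_EXPORTER_TEMPLATE))
```

Note that `hostPorts` only constrains `hostPort` values declared in the pod spec; a pod with `hostNetwork: true` shares the node's network namespace and can listen on any port regardless, so the `hostNetwork` flag remains the control that matters most when reviewing a generated policy.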

@Kaizhe Kaizhe self-assigned this May 19, 2020
@Kaizhe Kaizhe added the enhancement New feature or request label May 19, 2020
@Kaizhe
Contributor

Kaizhe commented May 19, 2020

@amitsaha thanks for reporting this, I will address it asap.

Kaizhe added a commit that referenced this issue May 20, 2020
Signed-off-by: kaizhe <derek0405@gmail.com>
Kaizhe added a commit that referenced this issue May 20, 2020
Signed-off-by: kaizhe <derek0405@gmail.com>
@Kaizhe
Contributor

Kaizhe commented May 20, 2020

addressed in #40

@Kaizhe Kaizhe closed this as completed May 20, 2020