Comments (4)
/sig api-machinery
from kubernetes.
/triage accepted
/assign @cici37
Hi @hmonsalv Thanks for raising the issue!
VAP is using validation.policy.admission.k8s.io/validation_failure as the AuditAnnotation and it seems to be working fine for the example you provided (The VAP Annotation Reference).
From the issue description, "validation.policy.admission.k8s.io/validation_failure" is returned for my-pod-10 and was not returned for my-pod-20, which is expected. prevent-default-namespace/validation_failed is not the annotation used for ValidatingAdmissionPolicy. Thanks
Hi @cici37, thanks for your answer!
I have edited the VAP definition of the example to reproduce the issue; I made a mistake in the VAP definition that may have created some confusion.
The default audit annotation validation.policy.admission.k8s.io/validation_failure is working fine as you commented and is only set for the pod violating the VAP, my-pod-10.
But if you take a look again at the VAP definition prevent-default-namespace defined above, you can see I defined a custom audit annotation prevent-default-namespace/validation_failed with a static value "true":
...
auditAnnotations:
- key: "validation_failed"
valueExpression: "'true'"
...
And I would expect this custom annotation to behave exactly in the same way as the default one, and to be set only if the VAP is violated. But as you can see in these audit events this is not the case, and it's set in the event log corresponding to the creation of both pods (no matter if the VAP was violated or not):
❯ talosctl read /var/log/audit/kube/kube-apiserver.log | grep "my-pod-10" | grep "validation_failed"
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"7703d71a-00e8-4b81-9fb2-d08fbd136fc5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods?fieldManager=kubectl-run","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.65.1"],"userAgent":"kubectl/v1.28.0 (darwin/arm64) kubernetes/855e7c4","objectRef":{"resource":"pods","namespace":"default","name":"my-pod-10","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2024-06-15T15:14:40.823489Z","stageTimestamp":"2024-06-15T15:14:40.830217Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"","mutation.webhook.admission.k8s.io/round_0_index_1":"{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}","mutation.webhook.admission.k8s.io/round_0_index_4":"{\"configuration\":\"opentelemetry-operator-mutation\",\"webhook\":\"mpod.kb.io\",\"mutated\":false}","pod-security.kubernetes.io/enforce-policy":"privileged:latest","prevent-default-namespace/validation_failed":"true","validation.policy.admission.k8s.io/validation_failure":"[{\"message\":\"Pods should not be created in the default namespace\",\"policy\":\"prevent-default-namespace\",\"binding\":\"prevent-default-namespace\",\"expressionIndex\":0,\"validationActions\":[\"Warn\",\"Audit\"]}]"}}
❯ talosctl read /var/log/audit/kube/kube-apiserver.log | grep "my-pod-20" | grep "validation_failed"
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"7ba57b1d-6cbd-489d-bef1-709f337b9eda","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/testing/pods?fieldManager=kubectl-run","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.65.1"],"userAgent":"kubectl/v1.28.0 (darwin/arm64) kubernetes/855e7c4","objectRef":{"resource":"pods","namespace":"testing","name":"my-pod-20","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2024-06-15T15:15:49.607569Z","stageTimestamp":"2024-06-15T15:15:49.614769Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"","mutation.webhook.admission.k8s.io/round_0_index_1":"{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}","mutation.webhook.admission.k8s.io/round_0_index_4":"{\"configuration\":\"opentelemetry-operator-mutation\",\"webhook\":\"mpod.kb.io\",\"mutated\":false}","pod-security.kubernetes.io/enforce-policy":"privileged:latest","prevent-default-namespace/validation_failed":"true"}}
So I really do think there is kind of a bug with custom audit annotations.
Food for another issue / proposal...
I wanted to use this custom annotation in all my VAPs, because that way I would get an annotation in the event log for each violated VAP, name_of_the_vap/validation_failed, as apparently it's actually the only way to know if the action of an apiserver HTTP request is violating more than one VAP. Currently, as event annotations cannot be overwritten, if more than one VAP is violated, the first one will set the default annotation, and the other violated VAP/s will fail to overwrite the value of the default annotation, so that you will only be able to see in the event log the default annotation validation.policy.admission.k8s.io/validation_failure with the value (message + VAP + VAP binding) corresponding to the first VAP that was violated. As you can see in the apiserver logs, admission annotations are not allowd to be overwritten (typo in allowd btw):
W0619 07:11:45.051058 1 dispatcher.go:320] Failed to set admission audit annotation validation.policy.admission.k8s.io/validation_failure to [REDACTED] admission annotations are not allowd to be overwritten, key:"validation.policy.admission.k8s.io/validation_failure", old value: [REDACTED]
But I think this is food for a different issue/proposal that I will open soon, don't want to mix topics in this 🧵
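As an added example (not part of this thread and not Kubernetes' own code): a small Go program that parses audit log lines like the two quoted above and reports, per request, what the admission annotations actually say. It decodes the JSON array stored under validation.policy.admission.k8s.io/validation_failure (the record of which validations failed, with policy, binding and expressionIndex) and separately lists any <policy>/validation_failed keys, so the two signals can be compared. The two sample events are shortened copies of the events quoted in the thread (mutating-webhook annotations dropped); all type and function names are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Key under which ValidatingAdmissionPolicy publishes its list of failed validations.
const defaultFailureKey = "validation.policy.admission.k8s.io/validation_failure"

// auditEvent carries only the audit.k8s.io/v1 Event fields this example reads.
type auditEvent struct {
	AuditID   string `json:"auditID"`
	Verb      string `json:"verb"`
	ObjectRef struct {
		Resource  string `json:"resource"`
		Namespace string `json:"namespace"`
		Name      string `json:"name"`
	} `json:"objectRef"`
	Annotations map[string]string `json:"annotations"`
}

// validationFailure is one element of the JSON array stored under defaultFailureKey.
type validationFailure struct {
	Message           string   `json:"message"`
	Policy            string   `json:"policy"`
	Binding           string   `json:"binding"`
	ExpressionIndex   int      `json:"expressionIndex"`
	ValidationActions []string `json:"validationActions"`
}

// policyReport is the per-request summary produced from one audit event.
type policyReport struct {
	AuditID, Verb, Namespace, Name string
	Failures                       []validationFailure // decoded from the default annotation
	CustomFailedKeys               []string            // every "<policy>/validation_failed" key present
}

// violated is true only when the default annotation lists at least one failed validation.
func (r policyReport) violated() bool { return len(r.Failures) > 0 }

// reportFor parses a single audit log line and summarises its admission annotations.
func reportFor(line string) (policyReport, error) {
	var ev auditEvent
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return policyReport{}, fmt.Errorf("decode audit event: %w", err)
	}
	rep := policyReport{AuditID: ev.AuditID, Verb: ev.Verb, Namespace: ev.ObjectRef.Namespace, Name: ev.ObjectRef.Name}
	if raw, ok := ev.Annotations[defaultFailureKey]; ok {
		// The annotation value is itself JSON: one entry per failed validation expression.
		if err := json.Unmarshal([]byte(raw), &rep.Failures); err != nil {
			return rep, fmt.Errorf("decode %s on %s: %w", defaultFailureKey, ev.AuditID, err)
		}
	}
	for k := range ev.Annotations {
		if strings.HasSuffix(k, "/validation_failed") {
			rep.CustomFailedKeys = append(rep.CustomFailedKeys, k)
		}
	}
	sort.Strings(rep.CustomFailedKeys) // map iteration order is random; keep output stable
	return rep, nil
}

// reportsFor processes a batch of log lines, ignoring blank ones.
func reportsFor(lines []string) ([]policyReport, error) {
	var out []policyReport
	for i, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		rep, err := reportFor(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		out = append(out, rep)
	}
	return out, nil
}

// sampleLines are shortened copies of the two events quoted in the thread (constructed
// sample input for this example, not a live log).
var sampleLines = []string{
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"7703d71a-00e8-4b81-9fb2-d08fbd136fc5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods?fieldManager=kubectl-run","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"objectRef":{"resource":"pods","namespace":"default","name":"my-pod-10","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"","pod-security.kubernetes.io/enforce-policy":"privileged:latest","prevent-default-namespace/validation_failed":"true","validation.policy.admission.k8s.io/validation_failure":"[{\"message\":\"Pods should not be created in the default namespace\",\"policy\":\"prevent-default-namespace\",\"binding\":\"prevent-default-namespace\",\"expressionIndex\":0,\"validationActions\":[\"Warn\",\"Audit\"]}]"}}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"7ba57b1d-6cbd-489d-bef1-709f337b9eda","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/testing/pods?fieldManager=kubectl-run","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"objectRef":{"resource":"pods","namespace":"testing","name":"my-pod-20","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"","pod-security.kubernetes.io/enforce-policy":"privileged:latest","prevent-default-namespace/validation_failed":"true"}}`,
}

func main() {
	reps, err := reportsFor(sampleLines)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, r := range reps {
		fmt.Printf("%s %s/%s violated=%t custom=%v\n", r.Verb, r.Namespace, r.Name, r.violated(), r.CustomFailedKeys)
		for _, f := range r.Failures {
			fmt.Printf("  policy=%s binding=%s expressionIndex=%d actions=%v: %s\n",
				f.Policy, f.Binding, f.ExpressionIndex, f.ValidationActions, f.Message)
		}
	}
}
```

Run against the two sample events, my-pod-10 reports violated=true and my-pod-20 violated=false, while both carry prevent-default-namespace/validation_failed. A detection rule built on these logs should therefore key on the decoded entries of the default annotation (policy, binding, expressionIndex, validationActions) rather than on the mere presence of a static custom key.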