kubewarden/helm-charts

Audit-scanner is not skipping namespaces

viccuad opened this issue · 1 comment

With the current helm-charts from main, which deploy the following CronJob:

apiVersion: batch/v1
kind: CronJob
metadata:
  annotations:
    meta.helm.sh/release-name: kubewarden-controller
    meta.helm.sh/release-namespace: kubewarden
  creationTimestamp: "2023-07-14T14:07:26Z"
  generation: 1
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: kubewarden-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kubewarden-controller
    app.kubernetes.io/part-of: kubewarden
    app.kubernetes.io/version: v1.7.0-rc1
    helm.sh/chart: kubewarden-controller-1.6.0-rc1
  name: audit-scanner
  namespace: kubewarden
  resourceVersion: "6174"
  uid: b260ecb1-ad00-437d-b97e-e0b75d869af4
spec:
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 5
  jobTemplate:
    metadata:
      creationTimestamp: null
    spec:
      template:
        metadata:
          creationTimestamp: null
        spec:
          containers:
          - command:
            - /audit-scanner
            - --loglevel
            - info
            - -i calico-system
            - -i cattle-alerting
            - -i cattle-fleet-local-system
            - -i cattle-fleet-system
            - -i cattle-global-data
            - -i cattle-global-nt
            - -i cattle-impersonation-system
            - -i cattle-istio
            - -i cattle-logging
            - -i cattle-monitoring-system
            - -i cattle-neuvector-system
            - -i cattle-pipeline
            - -i cattle-prometheus
            - -i cattle-system
            - -i cert-manager
            - -i ingress-nginx
            - -i kube-node-lease
            - -i kube-public
            - -i kube-system
            - -i longhorn-system
            - -i rancher-operator-system
            - -i security-scan
            - -i tigera-operator
            image: ghcr.io/kubewarden/audit-scanner:v1.7.0-rc1
            imagePullPolicy: IfNotPresent
            name: audit-scanner
            resources:
              limits:
                cpu: 500m
                memory: 50Mi
              requests:
                cpu: 250m
                memory: 50Mi
            securityContext:
              allowPrivilegeEscalation: false
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
          dnsPolicy: ClusterFirst
          restartPolicy: Never
          schedulerName: default-scheduler
          securityContext:
            runAsNonRoot: true
          serviceAccount: audit-scanner
          serviceAccountName: audit-scanner
          terminationGracePeriodSeconds: 30
  schedule: '*/3 * * * *'
  successfulJobsHistoryLimit: 3
  suspend: false
status:
  lastScheduleTime: "2023-07-14T14:57:00Z"
  lastSuccessfulTime: "2023-07-14T14:57:05Z"

The audit-scanner is still scanning namespaces such as cert-manager, kube-system, etc.:

audit-scanner-28155777-s5flm {"level":"info","time":"2023-07-14T14:57:01Z","message":"cluster wide scan started"}
audit-scanner-28155777-s5flm {"level":"info","time":"2023-07-14T14:57:01Z","message":"scan finished"}
audit-scanner-28155777-s5flm {"level":"info","dict":{"report name":"polr-clusterwide","report ns":"","summary":"{\"pass\":0,\"fail\":0,\"warn\":0,\"error\":0,\"skip\":0}"},"time":"2023-07-14T14:57:01Z","message":"updated ClusterPolicyReport"}
audit-scanner-28155777-s5flm {"level":"info","time":"2023-07-14T14:57:01Z","message":"all-namespaces scan started"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"cert-manager","time":"2023-07-14T14:57:01Z","message":"namespace scan started"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"cert-manager","dict":{"policies to evaluate":0,"policies skipped":0},"time":"2023-07-14T14:57:01Z","message":"policy count"}
audit-scanner-28155777-s5flm {"level":"error","error":"resource not found","namespace":"cert-manager","time":"2023-07-14T14:57:01Z","message":"error getting previous PolicyReport from store"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"cert-manager","time":"2023-07-14T14:57:01Z","message":"namespace scan finished"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"default","time":"2023-07-14T14:57:01Z","message":"namespace scan started"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"default","dict":{"policies to evaluate":6,"policies skipped":0},"time":"2023-07-14T14:57:01Z","message":"policy count"}
audit-scanner-28155777-s5flm {"level":"info","dict":{"report name":"polr-ns-default","report ns":"default","report resourceVersion":"3280","summary":"{\"pass\":5,\"fail\":1,\"warn\":0,\"error\":0,\"skip\":0}"},"time":"2023-07-14T14:57:01Z","message":"updated PolicyReport"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"default","time":"2023-07-14T14:57:01Z","message":"namespace scan finished"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"kube-node-lease","time":"2023-07-14T14:57:01Z","message":"namespace scan started"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"kube-node-lease","dict":{"policies to evaluate":0,"policies skipped":0},"time":"2023-07-14T14:57:01Z","message":"policy count"}
audit-scanner-28155777-s5flm {"level":"error","error":"resource not found","namespace":"kube-node-lease","time":"2023-07-14T14:57:01Z","message":"error getting previous PolicyReport from store"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"kube-node-lease","time":"2023-07-14T14:57:01Z","message":"namespace scan finished"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"kube-public","time":"2023-07-14T14:57:01Z","message":"namespace scan started"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"kube-public","dict":{"policies to evaluate":0,"policies skipped":0},"time":"2023-07-14T14:57:01Z","message":"policy count"}
audit-scanner-28155777-s5flm {"level":"error","error":"resource not found","namespace":"kube-public","time":"2023-07-14T14:57:01Z","message":"error getting previous PolicyReport from store"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"kube-public","time":"2023-07-14T14:57:01Z","message":"namespace scan finished"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"kube-system","time":"2023-07-14T14:57:01Z","message":"namespace scan started"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"kube-system","dict":{"policies to evaluate":0,"policies skipped":0},"time":"2023-07-14T14:57:01Z","message":"policy count"}
audit-scanner-28155777-s5flm {"level":"error","error":"resource not found","namespace":"kube-system","time":"2023-07-14T14:57:01Z","message":"error getting previous PolicyReport from store"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"kube-system","time":"2023-07-14T14:57:01Z","message":"namespace scan finished"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"policy-reporter","time":"2023-07-14T14:57:01Z","message":"namespace scan started"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"policy-reporter","dict":{"policies to evaluate":6,"policies skipped":0},"time":"2023-07-14T14:57:01Z","message":"policy count"}
audit-scanner-28155777-s5flm {"level":"info","dict":{"report name":"polr-ns-policy-reporter","report ns":"policy-reporter","report resourceVersion":"6155","summary":"{\"pass\":12,\"fail\":0,\"warn\":0,\"error\":0,\"skip\":0}"},"time":"2023-07-14T14:57:02Z","message":"updated PolicyReport"}
audit-scanner-28155777-s5flm {"level":"info","dict":{"report name":"polr-ns-policy-reporter","report ns":"policy-reporter","report resourceVersion":"6156","summary":"{\"pass\":18,\"fail\":0,\"warn\":0,\"error\":0,\"skip\":0}"},"time":"2023-07-14T14:57:02Z","message":"updated PolicyReport"}
audit-scanner-28155777-s5flm {"level":"info","dict":{"report name":"polr-ns-policy-reporter","report ns":"policy-reporter","report resourceVersion":"6158","summary":"{\"pass\":24,\"fail\":0,\"warn\":0,\"error\":0,\"skip\":0}"},"time":"2023-07-14T14:57:02Z","message":"updated PolicyReport"}
audit-scanner-28155777-s5flm {"level":"info","namespace":"policy-reporter","time":"2023-07-14T14:57:02Z","message":"namespace scan finished"}
audit-scanner-28155777-s5flm {"level":"info","time":"2023-07-14T14:57:02Z","message":"all-namespaces scan finished"}

The fix for this is:

--- a/charts/kubewarden-controller/templates/_helpers.tpl
+++ b/charts/kubewarden-controller/templates/_helpers.tpl
@@ -102,7 +102,8 @@ Create the name of the service account to use for kubewarden-controller
 - --loglevel
 - info
 {{- range .Values.global.skipNamespaces }}
-- {{ printf "-i %s" . }}
+- {{ printf "-i" . }}
+- {{ printf "%s" . }}
 {{- end -}}
 {{- range .Values.auditScanner.skipAdditionalNamespaces }}
 - {{ printf "-i %s" . }}
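Review bot: `{{ printf "-i" . }}` hands `.` to a format string that has no verb, and Helm's `printf` is Go's `fmt.Sprintf`, so that line renders as `-i%!(EXTRA string=calico-system)` rather than `-i`; emit the flag as a literal list item (`- "-i"`) followed by `- {{ . }}` (or `{{ . | quote }}`) instead. The unchanged trailing context line `- {{ printf "-i %s" . }}` under `.Values.auditScanner.skipAdditionalNamespaces` still produces the fused single-element form that this issue is about, so namespaces configured there will keep being scanned; apply the same flag/value split to that range as well.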
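The symptom in the log (cert-manager, kube-system and the rest still being scanned) comes from each `-i calico-system` entry reaching the container as one argv element, which a flag parser reads as a flag literally named `i calico-system`. The Go program below is an added illustration, not code from the kubewarden project: it uses the standard library `flag` package as a stand-in for whatever parser audit-scanner really uses (an assumption), mimics the chart's `printf` lines with `fmt.Sprintf` (which is exactly what Helm's `printf` is), and shows the original rendering, the rendering produced by `printf "-i" .`, and the split form that parses correctly.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"strings"
)

// namespaceList is a repeatable string flag. It stands in for whatever
// multi-value "-i" option audit-scanner defines (assumption; not the
// project's own code).
type namespaceList []string

func (n *namespaceList) String() string     { return strings.Join(*n, ",") }
func (n *namespaceList) Set(v string) error { *n = append(*n, v); return nil }

// ParseSkipFlags parses argv with the standard library flag package and
// returns the namespaces collected from repeated -i flags, or the parse error.
func ParseSkipFlags(argv []string) ([]string, error) {
	fs := flag.NewFlagSet("audit-scanner-demo", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep the usage text out of the demo output
	var skip namespaceList
	fs.Var(&skip, "i", "namespace to skip (repeatable)")
	if err := fs.Parse(argv); err != nil {
		return nil, err
	}
	return []string(skip), nil
}

// RenderArg mimics one `- {{ printf FORMAT . }}` line of the chart template.
// Helm's printf is Go's fmt.Sprintf, so the rendering rules are identical.
func RenderArg(format, ns string) string {
	return fmt.Sprintf(format, ns)
}

// SkipArgs renders namespaces the way a corrected template should: flag and
// value as two separate list items, i.e. two argv elements each.
func SkipArgs(namespaces []string) []string {
	args := make([]string, 0, 2*len(namespaces))
	for _, ns := range namespaces {
		args = append(args, "-i", ns)
	}
	return args
}

func main() {
	// Constructed sample namespaces, not taken from a real cluster.
	namespaces := []string{"calico-system", "kube-system"}

	// Original template: "-i %s" fuses flag and value into ONE list item.
	var fused []string
	for _, ns := range namespaces {
		fused = append(fused, RenderArg("-i %s", ns))
	}
	_, err := ParseSkipFlags(fused)
	fmt.Printf("fused argv %q -> error: %v\n", fused, err)

	// The proposed patch's first line: a leftover argument with no verb.
	fmt.Printf("printf \"-i\" . renders as %q\n", RenderArg("-i", "calico-system"))

	// Flag and value as separate list items: parsed as intended.
	split := SkipArgs(namespaces)
	skip, err := ParseSkipFlags(split)
	fmt.Printf("split argv %q -> skip=%v err=%v\n", split, skip, err)
}
```

Running it shows the fused form rejected as an undefined flag, the `printf "-i" .` form rendered with Go's `%!(EXTRA string=...)` marker, and only the split form yielding the intended skip list; a quick way to confirm the deployed chart is `kubectl get cronjob audit-scanner -n kubewarden -o yaml` and checking that `-i` and each namespace appear as separate `command` entries.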