Custom message not working in podSecurity subrule policy
Closed this issue · 2 comments
F-Fx commented
Kyverno Version
1.8
Kubernetes Version
1.23
Kubernetes Platform
Other (specify in description)
Description
k8s v1.23.17+rke2r1
Message not working in "Restricted Pod Security Standards" policy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: podsecurity-subrule-restricted-force
  annotations:
    policies.kyverno.io/title:
    policies.kyverno.io/category: Pod Security, EKS Best Practices
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.8.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The restricted profile of the Pod Security Standards, which is inclusive of
      the baseline profile, is a collection of all the most common configurations
      that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile
      may be assigned to the cluster through a single rule. This policy configures the
      restricted profile through the latest version of the Pod Security Standards cluster wide.
spec:
  background: true
  validationFailureAction: enforce
  rules:
  - name: restricted
    match:
      any:
      - resources:
          kinds:
          - Pod
    exclude:
      any:
      - resources:
          namespaces:
          - calico-system
          - cattle-fleet-system
          - cattle-impersonation-system
          - cattle-system
          - default
          - istio-system
          - kbp-learn
          - kube-node-lease
          - kube-public
          - kube-system
          - kyverno-policy-test
          - local
          - local-path-storage
          - monitoring
          - policy-reporter
          - sec-kyverno-cert01
          - sec-kyverno-lp01
          - test-monitor
          - tigera-operator
          - restrict-root2
    validate:
      message: "TEST MESSAGE TEST MESSAGE"
      podSecurity:
        level: restricted
        version: latest
But in a policy like the one below it works fine:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-ns-purpose-label
spec:
  validationFailureAction: enforce
  rules:
  - name: require-ns-purpose-label
    match:
      any:
      - resources:
          kinds:
          - Namespace
    validate:
      pattern:
        metadata:
          labels:
            purpose: production
      message: TEST MESSAGE TEST MESSAGE
Steps to reproduce
- Install the policy below
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: podsecurity-subrule-restricted-force
  annotations:
    policies.kyverno.io/title:
    policies.kyverno.io/category: Pod Security, EKS Best Practices
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.8.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The restricted profile of the Pod Security Standards, which is inclusive of
      the baseline profile, is a collection of all the most common configurations
      that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile
      may be assigned to the cluster through a single rule. This policy configures the
      restricted profile through the latest version of the Pod Security Standards cluster wide.
spec:
  background: true
  validationFailureAction: enforce
  rules:
  - name: restricted
    match:
      any:
      - resources:
          kinds:
          - Pod
    exclude:
      any:
      - resources:
          namespaces:
          - calico-system
          - cattle-fleet-system
          - cattle-impersonation-system
          - cattle-system
          - default
          - istio-system
          - kbp-learn
          - kube-node-lease
          - kube-public
          - kube-system
          - kyverno-policy-test
          - local
          - local-path-storage
          - monitoring
          - policy-reporter
          - sec-kyverno-cert01
          - sec-kyverno-lp01
          - test-monitor
          - tigera-operator
          - restrict-root2
    validate:
      message: "TEST MESSAGE TEST MESSAGE"
      podSecurity:
        level: restricted
        version: latest
- Try to deploy a pod like the one below
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod-root
spec:
  containers:
  - name: privileged-container
    image: nginx
    securityContext:
      privileged: false
- The admission webhook "validate.kyverno.svc-fail" denies the request, but the log does not contain the message "TEST MESSAGE TEST MESSAGE"
Expected behavior
The request is denied and the log contains the message "TEST MESSAGE TEST MESSAGE"
Kyverno logs
Error from server: error when creating "test_nginx.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:

policy Pod/restrict-root/privileged-pod-root for resource violation:

podsecurity-subrule-restricted-force:
  restricted: |
    Validation rule 'restricted' failed. It violates PodSecurity "restricted:latest": ({Allowed:false ForbiddenReason:allowPrivilegeEscalation != false ForbiddenDetail:container "privileged-container" must set securityContext.allowPrivilegeEscalation=false})
    ({Allowed:false ForbiddenReason:allowPrivilegeEscalation != false ForbiddenDetail:container "privileged-container" must set securityContext.allowPrivilegeEscalation=false})
    ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "privileged-container" must set securityContext.capabilities.drop=["ALL"]})
    ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "privileged-container" must set securityContext.capabilities.drop=["ALL"]})
    ({Allowed:false ForbiddenReason:runAsNonRoot != true ForbiddenDetail:pod or container "privileged-container" must set securityContext.runAsNonRoot=true})
    ({Allowed:false ForbiddenReason:seccompProfile ForbiddenDetail:pod or container "privileged-container" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"})
    ({Allowed:false ForbiddenReason:seccompProfile ForbiddenDetail:pod or container "privileged-container" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"})
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
F-Fx commented
`kubectl describe` output of the installed policy:
Name:         podsecurity-subrule-restricted-force
Namespace:
Labels:       <none>
Annotations:  kyverno.io/kubernetes-version: 1.24
              kyverno.io/kyverno-version: 1.8.0
              policies.kyverno.io/category: Pod Security, EKS Best Practices
              policies.kyverno.io/description:
                The restricted profile of the Pod Security Standards, which is inclusive of the baseline profile, is a collection of all the most common c...
              policies.kyverno.io/minversion: 1.8.0
              policies.kyverno.io/severity: medium
              policies.kyverno.io/subject: Pod
              policies.kyverno.io/title: Restricted Pod Security Standards
API Version:  kyverno.io/v1
Kind:         ClusterPolicy
Metadata:
  Creation Timestamp:  2024-08-07T06:41:10Z
  Generation:          9
  Resource Version:    275694070
  UID:                 c306065f-8735-4c56-a311-a2c4ae7233e1
Spec:
  Background:  true
  Rules:
    Exclude:
      Any:
        Resources:
          Namespaces:
            calico-system
            cattle-fleet-system
            cattle-impersonation-system
            cattle-system
            default
            istio-system
            kbp-learn
            kube-node-lease
            kube-public
            kube-system
            kyverno-policy-test
            local
            local-path-storage
            monitoring
            policy-reporter
            sec-kyverno-cert01
            sec-kyverno-lp01
            test-monitor
            tigera-operator
            restrict-root2
    Match:
      Any:
        Resources:
          Kinds:
            Pod
    Name:  restricted
    Validate:
      Message:  TEST MESSAGE TEST MESSAGE
      Pod Security:
        Level:    restricted
        Version:  latest
  Validation Failure Action:  enforce
Status:
  Autogen:
    Rules:
      Exclude:
        Any:
          Resources:
            Namespaces:
              calico-system
              cattle-fleet-system
              cattle-impersonation-system
              cattle-system
              default
              istio-system
              kbp-learn
              kube-node-lease
              kube-public
              kube-system
              kyverno-policy-test
              local
              local-path-storage
              monitoring
              policy-reporter
              sec-kyverno-cert01
              sec-kyverno-lp01
              test-monitor
              tigera-operator
              restrict-root2
        Resources:
      Generate:
        Clone:
        Clone List:
      Match:
        Any:
          Resources:
            Kinds:
              DaemonSet
              Deployment
              Job
              StatefulSet
        Resources:
      Mutate:
      Name:  autogen-restricted
      Validate:
        Message:  TEST MESSAGE TEST MESSAGE
        Pod Security:
          Level:    restricted
          Version:  latest
      Exclude:
        Any:
          Resources:
            Namespaces:
              calico-system
              cattle-fleet-system
              cattle-impersonation-system
              cattle-system
              default
              istio-system
              kbp-learn
              kube-node-lease
              kube-public
              kube-system
              kyverno-policy-test
              local
              local-path-storage
              monitoring
              policy-reporter
              sec-kyverno-cert01
              sec-kyverno-lp01
              test-monitor
              tigera-operator
              restrict-root2
        Resources:
      Generate:
        Clone:
        Clone List:
      Match:
        Any:
          Resources:
            Kinds:
              CronJob
        Resources:
      Mutate:
      Name:  autogen-cronjob-restricted
      Validate:
        Message:  TEST MESSAGE TEST MESSAGE
        Pod Security:
          Level:    restricted
          Version:  latest
  Conditions:
    Last Transition Time:  2024-08-07T06:41:11Z
    Message:
    Reason:                Succeeded
    Status:                True
    Type:                  Ready
  Ready:  true
Events:
  Type     Reason           Age   From               Message
  ----     ------           ----  ----               -------
  Warning  PolicyViolation  6m    kyverno-admission  Pod restrict-root/privileged-pod-root: [restricted] fail (blocked)
chipzoller commented
Custom messages do not work with the podSecurity subrule. The message is automatically provided by the PSA libraries. To use custom messages you must use traditional validate rules, similar to how the policies Helm chart does it.
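To illustrate the workaround described in this reply for the reproduction steps posted above, here is an added example (not from the original issue and not the Kyverno project's own policy) that rewrites two of the restricted-profile checks the PSA output complained about (allowPrivilegeEscalation and capabilities.drop) as traditional validate rules, each carrying its own custom message. The policy name `restricted-custom-messages` is hypothetical, and the namespace exclusions from the issue's policy are omitted for brevity; the trailing Pod is the issue's test pod adjusted so that it satisfies both rules.

```yaml
# Added example; not the issue author's or the Kyverno project's own policy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restricted-custom-messages   # hypothetical name
spec:
  validationFailureAction: enforce
  background: true
  rules:
  # Pattern rule: every container (init, ephemeral, regular) must explicitly
  # set allowPrivilegeEscalation=false. The =() anchor means "if this list
  # exists, every element must match".
  - name: disallow-privilege-escalation
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        TEST MESSAGE TEST MESSAGE: every container must set
        securityContext.allowPrivilegeEscalation=false
      pattern:
        spec:
          =(ephemeralContainers):
          - securityContext:
              allowPrivilegeEscalation: "false"
          =(initContainers):
          - securityContext:
              allowPrivilegeEscalation: "false"
          containers:
          - securityContext:
              allowPrivilegeEscalation: "false"
  # foreach/deny rule: iterate over all container lists and deny when the
  # drop list does not contain ALL (a missing list defaults to []).
  - name: require-drop-all-capabilities
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
    validate:
      message: >-
        TEST MESSAGE TEST MESSAGE: every container must set
        securityContext.capabilities.drop=["ALL"]
      foreach:
      - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
        deny:
          conditions:
            all:
            - key: ALL
              operator: AnyNotIn
              value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
---
# The issue's test pod, adjusted so that both rules above pass.
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod-root
spec:
  containers:
  - name: privileged-container
    image: nginx
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Apply the policy, then `kubectl apply` the pod: with the two securityContext fields it is admitted, and with either field removed the request is denied and the rejection carries that rule's `message` text rather than the PSA library's generated one. The remaining restricted controls the log listed (runAsNonRoot and seccompProfile.type) can be written the same way with an `anyPattern` that accepts the field at pod level or on every container.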