The way KubeArmor handles containers today is by polling the containerd socket, and we expect this inconsistency to happen due to potential delay in receiving the information.
We are implementing alternate mechanisms; this will make the behaviour more consistent.
The following will reduce the inconsistency but not remove it: #1906 #1674
The following will remove the inconsistency altogether: #1390, because we will make sure to get the information before the container starts.
That said, rest assured you won't see the inconsistency in enforcement once the enforcement is ready. This is only due to the latency with which we get the information about the container itself.
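A simplified timing model of the window the comment above describes, added here as an example and not KubeArmor's code. The poll intervals, the 50 ms attach latency and the exec delays are constructed assumptions, and `polled_ready`, `prestart_ready` and `blocked_fraction` are hypothetical names.

```python
# Added illustration, not KubeArmor code. All timings are constructed
# assumptions in milliseconds; real values depend on the node and runtime.
from fractions import Fraction


def polled_ready(start, poll_interval, attach_latency):
    """Enforcement-ready time when containers are discovered by polling.

    Polls fire at 0, P, 2P, ...; a container started at `start` is first
    seen at the next poll after it, then needs `attach_latency` more.
    """
    next_poll = (start // poll_interval + 1) * poll_interval
    return next_poll + attach_latency


def prestart_ready(start, poll_interval, attach_latency):
    """Enforcement-ready time when the agent is told before the start."""
    return start


def blocked_fraction(ready_fn, poll_interval, attach_latency, exec_delay):
    """Fraction of container starts whose first exec is covered.

    Start offsets sweep one poll period in 1 ms steps, so the result is
    deterministic. `exec_delay` is the time from container start until
    the workload execs the binary the policy blocks.
    """
    blocked = 0
    for start in range(poll_interval):
        ready = ready_fn(start, poll_interval, attach_latency)
        if start + exec_delay >= ready:
            blocked += 1
    return Fraction(blocked, poll_interval)


if __name__ == "__main__":
    for label, fn, poll in [("poll 1000 ms", polled_ready, 1000),
                            ("poll 250 ms", polled_ready, 250),
                            ("pre-start", prestart_ready, 250)]:
        for exec_delay in (20, 100, 300):
            frac = blocked_fraction(fn, poll, 50, exec_delay)
            print(f"{label:13} exec after {exec_delay:3} ms: "
                  f"blocked {float(frac):.0%}")
```

In this model an exec that happens sooner after start than the attach latency is never covered under polling, however short the interval, while discovery before start covers every case.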
Bug Report
General Information
To Reproduce
cat <<EOF | kubectl apply -f -
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-pkg-mgmt-tools-exec
spec:
  selector:
    matchLabels:
      app: nginx
  process:
    matchPaths:
    - path: /usr/bin/apt
    - path: /usr/bin/apt-get
  action:
    Block
EOF
while [ x ]; do
  kubectl run nginx -i --tty --image=nginx --labels="app=nginx" --restart=Never --rm -- apt
done
You can see the same command is blocked sometimes and sometimes not.
Expected behavior
I expected consistent behaviour, e.g. the "apt" command is always blocked.