Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(core): ensure only cluster policy is updated on new ns #1837

Merged
merged 1 commit into from
Aug 16, 2024
Merged

fix(core): ensure only cluster policy is updated on new ns #1837

merged 1 commit into from
Aug 16, 2024

Conversation

carlosrodfern
Copy link
Contributor

@carlosrodfern carlosrodfern commented Aug 13, 2024
edited
Loading

Regular policies are mistakenly modified and applied at cluster level over time

Purpose of PR?:

Fixes: #1840

Does this PR introduce a breaking change? No

If the changes in this PR are manually verified, list down the scenarios covered::
Built and deployed, and verified that the policy is not applied on different namespaces or even the same namespace with no matching labels.

Additional information for reviewer? :

Checklist:

  • Bug fix. Fixes Container policies incorrectly applied at cluster level #1840
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

@carlosrodfern
fix(core): ensure only cluster policy is updated on new ns
dd1f03d 
The `if` condition in `GetSecurityPolicies(..)` returns true if
`matchClusterSecurityPolicyRule(..)` evaluates to `true`. That function doesn't
check whether the passed policy is a cluster policy, and since the
`matchExpressions` is empty for container policies, it ends up adding one
namespace (whatever comes back in the k8s client response first that hasn't been
added yet) to NamespaceList of all existing container policies, it then returns
`true` and the policy is added to the `GetSecurityPolicies(..)` response. Over
time, as `matchClusterSecurityPolicyRule(..)` is called, the list of
`NamespaceList` in each regular policy keeps increasing, causing the container
policy to be applied in namespaces where was not intended.

The `matchClusterSecurityPolicyRule(..)` is corrected to apply only on cluster
policies.

Fixes: kubearmor#1840

Signed-off-by: Carlos Rodriguez-Fernandez <[email protected]>
@carlosrodfern carlosrodfern changed the title fix(core): incorrect cluster policies matching fix(core): ensure only cluster policy is updated on new ns Aug 14, 2024
Prateeknandle
Prateeknandle approved these changes Aug 14, 2024
View reviewed changes
Copy link
Collaborator

@Prateeknandle Prateeknandle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @carlosrodfern for this quick fix.

DelusionalOptimist
DelusionalOptimist approved these changes Aug 16, 2024
View reviewed changes
Copy link
Member

@DelusionalOptimist DelusionalOptimist left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks @carlosrodfern! 🙌

@DelusionalOptimist DelusionalOptimist merged commit 5c70d14 into kubearmor:main Aug 16, 2024
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Prateeknandle Prateeknandle Prateeknandle approved these changes

@DelusionalOptimist DelusionalOptimist DelusionalOptimist approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Container policies incorrectly applied at cluster level
3 participants
@carlosrodfern @DelusionalOptimist @Prateeknandle