Policies fail even after file is updated #235

jeremyhager · 2022-07-11T16:55:21Z

jeremyhager
Jul 11, 2022

Hello, I've been testing conftest and ran into something that makes me think I'm doing something wrong. Every time I update a policy the same error keeps popping up. Any help or pointers are greatly appreciated!

Problem

When running conftest test deployment.yaml from the examples/kubernetes directory, I get the same errors regardless if I update the yaml or not.

Expected behaviour

Once the yaml is updated, I would expect conftest test deployment.yaml to only include 3 errors, removing the error for not run as root. Example after updating:

❯ conftest test deployment.yaml 
FAIL - deployment.yaml - main - Deployment hello-kubernetes must provide app/release labels for pod selectors
FAIL - deployment.yaml - main - hello-kubernetes must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels
FAIL - deployment.yaml - main - Found deployment hello-kubernetes but deployments are not allowed

5 tests, 2 passed, 0 warnings, 3 failures, 0 exceptions

Steps

Cloned the conftest repo: git clone [email protected]:open-policy-agent/conftest.git
Tested conftest for kubernetes:

❯ conftest test deployment.yaml 
FAIL - deployment.yaml - main - Containers must not run as root in Deployment hello-kubernetes
FAIL - deployment.yaml - main - Deployment hello-kubernetes must provide app/release labels for pod selectors
FAIL - deployment.yaml - main - hello-kubernetes must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels
FAIL - deployment.yaml - main - Found deployment hello-kubernetes but deployments are not allowed

5 tests, 1 passed, 0 warnings, 4 failures, 0 exceptions

Edited the file to add securityContext.runAsNonRoot: true

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
  labels:
    app.kubernetes.io/name: mysql
    app.kubernetes.io/version: "5.7.21"
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: wordpress
    app.kubernetes.io/managed-by: helm
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes
  template:
    metadata:
      labels:
        app: hello-kubernetes
    spec:
      containers:
      - name: hello-kubernetes
        image: paulbouwer/hello-kubernetes:1.5
        ports:
        - containerPort: 8080
        securityContext:
          runAsNonRoot: true

Tested conftest with updated yaml:

❯ conftest test deployment.yaml
FAIL - deployment.yaml - main - Containers must not run as root in Deployment hello-kubernetes
FAIL - deployment.yaml - main - Deployment hello-kubernetes must provide app/release labels for pod selectors
FAIL - deployment.yaml - main - hello-kubernetes must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels
FAIL - deployment.yaml - main - Found deployment hello-kubernetes but deployments are not allowed

5 tests, 1 passed, 0 warnings, 4 failures, 0 exceptions

Running --trace

❯ conftest test deployment.yaml --trace
file: deployment.yaml | query: data.main.exception[_][_] == ""
TRAC   Enter __localq0__ = data.main.exception[_][_]; equal(__localq0__, "", _); _
TRAC   | Eval __localq0__ = data.main.exception[_][_]
TRAC   | Fail __localq0__ = data.main.exception[_][_]
file: deployment.yaml | query: data.main.warn
TRAC   Enter data.main.warn = _
TRAC   | Eval data.main.warn = _
TRAC   | Index data.main.warn (matched 1 rule)
TRAC   | Enter data.main.warn
TRAC   | | Eval data.kubernetes.is_service
TRAC   | | Index data.kubernetes.is_service (matched 0 rules)
TRAC   | | Fail data.kubernetes.is_service
TRAC   | Exit data.main.warn = _
TRAC   Redo data.main.warn = _
TRAC   | Redo data.main.warn = _
file: deployment.yaml | query: data.main.exception[_][_] == ""
TRAC   Enter __localq0__ = data.main.exception[_][_]; equal(__localq0__, "", _); _
TRAC   | Eval __localq0__ = data.main.exception[_][_]
TRAC   | Fail __localq0__ = data.main.exception[_][_]
file: deployment.yaml | query: data.main.deny
TRAC   Enter data.main.deny = _
TRAC   | Eval data.main.deny = _
TRAC   | Index data.main.deny (matched 3 rules)
TRAC   | Enter data.main.deny
TRAC   | | Eval data.kubernetes.is_deployment
TRAC   | | Index data.kubernetes.is_deployment (matched 1 rule, early exit)
TRAC   | | Enter data.kubernetes.is_deployment
TRAC   | | | Eval input.kind = "Deployment"
TRAC   | | | Exit data.kubernetes.is_deployment early
TRAC   | | Eval not data.main.required_deployment_labels
TRAC   | | Enter data.main.required_deployment_labels
TRAC   | | | Eval data.main.required_deployment_labels
TRAC   | | | Index data.main.required_deployment_labels (matched 1 rule, early exit)
TRAC   | | | Enter data.main.required_deployment_labels
TRAC   | | | | Eval input.metadata.labels["app.kubernetes.io/name"]
TRAC   | | | | Eval input.metadata.labels["app.kubernetes.io/instance"]
TRAC   | | | | Fail input.metadata.labels["app.kubernetes.io/instance"]
TRAC   | | | | Redo input.metadata.labels["app.kubernetes.io/name"]
TRAC   | | | Fail data.main.required_deployment_labels
TRAC   | | Eval __local16__ = data.main.name
TRAC   | | Index data.main.name (matched 4 rules)
TRAC   | | Enter data.main.name
TRAC   | | | Eval true
TRAC   | | | Eval __local9__ = input.metadata.name
TRAC   | | | Exit data.main.name
TRAC   | | Eval sprintf("%s must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels", [__local16__], __local5__)
TRAC   | | Eval msg = __local5__
TRAC   | | Exit data.main.deny
TRAC   | Redo data.main.deny
TRAC   | | Redo msg = __local5__
TRAC   | | Redo sprintf("%s must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels", [__local16__], __local5__)
TRAC   | | Redo __local16__ = data.main.name
TRAC   | | Redo data.main.name
TRAC   | | | Redo __local9__ = input.metadata.name
TRAC   | | | Redo true
TRAC   | | Enter data.main.name
TRAC   | | | Eval true
TRAC   | | | Eval __local10__ = input.metadata.name
TRAC   | | | Exit data.main.name
TRAC   | | Redo data.main.name
TRAC   | | | Redo __local10__ = input.metadata.name
TRAC   | | | Redo true
TRAC   | | Enter data.main.name
TRAC   | | | Eval true
TRAC   | | | Eval __local11__ = input.metadata.name
TRAC   | | | Exit data.main.name
TRAC   | | Redo data.main.name
TRAC   | | | Redo __local11__ = input.metadata.name
TRAC   | | | Redo true
TRAC   | | Enter data.main.name
TRAC   | | | Eval true
TRAC   | | | Eval __local8__ = input.metadata.name
TRAC   | | | Exit data.main.name
TRAC   | | Redo data.main.name
TRAC   | | | Redo __local8__ = input.metadata.name
TRAC   | | | Redo true
TRAC   | | Redo data.kubernetes.is_deployment
TRAC   | | Redo data.kubernetes.is_deployment
TRAC   | | | Redo input.kind = "Deployment"
TRAC   | Enter data.main.deny
TRAC   | | Eval data.kubernetes.is_deployment
TRAC   | | Index data.kubernetes.is_deployment (matched 1 rule, early exit)
TRAC   | | Eval not input.spec.template.spec.securityContext.runAsNonRoot
TRAC   | | Enter input.spec.template.spec.securityContext.runAsNonRoot
TRAC   | | | Eval input.spec.template.spec.securityContext.runAsNonRoot
TRAC   | | | Fail input.spec.template.spec.securityContext.runAsNonRoot
TRAC   | | Eval __local14__ = data.main.name
TRAC   | | Index data.main.name (matched 4 rules)
TRAC   | | Eval sprintf("Containers must not run as root in Deployment %s", [__local14__], __local3__)
TRAC   | | Eval msg = __local3__
TRAC   | | Exit data.main.deny
TRAC   | Redo data.main.deny
TRAC   | | Redo msg = __local3__
TRAC   | | Redo sprintf("Containers must not run as root in Deployment %s", [__local14__], __local3__)
TRAC   | | Redo __local14__ = data.main.name
TRAC   | | Redo data.kubernetes.is_deployment
TRAC   | Enter data.main.deny
TRAC   | | Eval data.kubernetes.is_deployment
TRAC   | | Index data.kubernetes.is_deployment (matched 1 rule, early exit)
TRAC   | | Eval not data.main.required_deployment_selectors
TRAC   | | Enter data.main.required_deployment_selectors
TRAC   | | | Eval data.main.required_deployment_selectors
TRAC   | | | Index data.main.required_deployment_selectors (matched 1 rule, early exit)
TRAC   | | | Enter data.main.required_deployment_selectors
TRAC   | | | | Eval input.spec.selector.matchLabels.app
TRAC   | | | | Eval input.spec.selector.matchLabels.release
TRAC   | | | | Fail input.spec.selector.matchLabels.release
TRAC   | | | | Redo input.spec.selector.matchLabels.app
TRAC   | | | Fail data.main.required_deployment_selectors
TRAC   | | Eval __local15__ = data.main.name
TRAC   | | Index data.main.name (matched 4 rules)
TRAC   | | Eval sprintf("Deployment %s must provide app/release labels for pod selectors", [__local15__], __local4__)
TRAC   | | Eval msg = __local4__
TRAC   | | Exit data.main.deny
TRAC   | Redo data.main.deny
TRAC   | | Redo msg = __local4__
TRAC   | | Redo sprintf("Deployment %s must provide app/release labels for pod selectors", [__local15__], __local4__)
TRAC   | | Redo __local15__ = data.main.name
TRAC   | | Redo data.kubernetes.is_deployment
TRAC   | Exit data.main.deny = _
TRAC   Redo data.main.deny = _
TRAC   | Redo data.main.deny = _
file: deployment.yaml | query: data.main.exception[_][_] == ""
TRAC   Enter __localq0__ = data.main.exception[_][_]; equal(__localq0__, "", _); _
TRAC   | Eval __localq0__ = data.main.exception[_][_]
TRAC   | Fail __localq0__ = data.main.exception[_][_]
file: deployment.yaml | query: data.main.violation
TRAC   Enter data.main.violation = _
TRAC   | Eval data.main.violation = _
TRAC   | Index data.main.violation (matched 1 rule)
TRAC   | Enter data.main.violation
TRAC   | | Eval data.kubernetes.is_deployment
TRAC   | | Index data.kubernetes.is_deployment (matched 1 rule, early exit)
TRAC   | | Enter data.kubernetes.is_deployment
TRAC   | | | Eval input.kind = "Deployment"
TRAC   | | | Exit data.kubernetes.is_deployment early
TRAC   | | Eval __local17__ = data.main.name
TRAC   | | Index data.main.name (matched 4 rules)
TRAC   | | Enter data.main.name
TRAC   | | | Eval true
TRAC   | | | Eval __local9__ = input.metadata.name
TRAC   | | | Exit data.main.name
TRAC   | | Eval sprintf("Found deployment %s but deployments are not allowed", [__local17__], __local6__)
TRAC   | | Eval msg = __local6__
TRAC   | | Exit data.main.violation
TRAC   | Redo data.main.violation
TRAC   | | Redo msg = __local6__
TRAC   | | Redo sprintf("Found deployment %s but deployments are not allowed", [__local17__], __local6__)
TRAC   | | Redo __local17__ = data.main.name
TRAC   | | Redo data.main.name
TRAC   | | | Redo __local9__ = input.metadata.name
TRAC   | | | Redo true
TRAC   | | Enter data.main.name
TRAC   | | | Eval true
TRAC   | | | Eval __local10__ = input.metadata.name
TRAC   | | | Exit data.main.name
TRAC   | | Redo data.main.name
TRAC   | | | Redo __local10__ = input.metadata.name
TRAC   | | | Redo true
TRAC   | | Enter data.main.name
TRAC   | | | Eval true
TRAC   | | | Eval __local11__ = input.metadata.name
TRAC   | | | Exit data.main.name
TRAC   | | Redo data.main.name
TRAC   | | | Redo __local11__ = input.metadata.name
TRAC   | | | Redo true
TRAC   | | Enter data.main.name
TRAC   | | | Eval true
TRAC   | | | Eval __local8__ = input.metadata.name
TRAC   | | | Exit data.main.name
TRAC   | | Redo data.main.name
TRAC   | | | Redo __local8__ = input.metadata.name
TRAC   | | | Redo true
TRAC   | | Redo data.kubernetes.is_deployment
TRAC   | | Redo data.kubernetes.is_deployment
TRAC   | | | Redo input.kind = "Deployment"
TRAC   | Exit data.main.violation = _
TRAC   Redo data.main.violation = _
TRAC   | Redo data.main.violation = _

System info

conftest:

❯ conftest --version
Conftest: 0.33.0
OPA: 0.42.0

OS:

MacOS Monterey
Version 12.4

Further troubleshooting

I know this post is long, but I also wanted to add some other info here:

Move all policies except deny.rego and kubernetes.rego to a different folder, ie:

❯ tree .
.
├── deployment+service.yaml
├── deployment.yaml
├── policy
│   ├── deny.rego
│   └── kubernetes.rego
└── service.yaml

Comment out other rules in deny.rego so only input.spec.template.spec.securityContext.runAsNonRoot remains:

package main

import data.kubernetes

name = input.metadata.name

deny[msg] {
	kubernetes.is_deployment
	not input.spec.template.spec.securityContext.runAsNonRoot

	msg = sprintf("Containers must not run as root in Deployment %s", [name])
}

# required_deployment_selectors {
# 	input.spec.selector.matchLabels.app
# 	input.spec.selector.matchLabels.release
# }

# deny[msg] {
# 	kubernetes.is_deployment
# 	not required_deployment_selectors

# 	msg = sprintf("Deployment %s must provide app/release labels for pod selectors", [name])
# }

Update yaml file to include securityContext.runAsNonRoot: true as above

# ...
    spec:
      containers:
      - name: hello-kubernetes
        image: paulbouwer/hello-kubernetes:1.5
        ports:
        - containerPort: 8080
        securityContext:
          runAsNonRoot: true

Run conftest test deployment.yaml --trace, same error:

❯ conftest test deployment.yaml --trace
file: deployment.yaml | query: data.main.exception[_][_] == ""
TRAC   Enter __localq0__ = data.main.exception[_][_]; equal(__localq0__, "", _); _
TRAC   | Eval __localq0__ = data.main.exception[_][_]
TRAC   | Fail __localq0__ = data.main.exception[_][_]
file: deployment.yaml | query: data.main.deny
TRAC   Enter data.main.deny = _
TRAC   | Eval data.main.deny = _
TRAC   | Index data.main.deny (matched 1 rule)
TRAC   | Enter data.main.deny
TRAC   | | Eval data.kubernetes.is_deployment
TRAC   | | Index data.kubernetes.is_deployment (matched 1 rule, early exit)
TRAC   | | Enter data.kubernetes.is_deployment
TRAC   | | | Eval input.kind = "Deployment"
TRAC   | | | Exit data.kubernetes.is_deployment early
TRAC   | | Eval not input.spec.template.spec.securityContext.runAsNonRoot
TRAC   | | Enter input.spec.template.spec.securityContext.runAsNonRoot
TRAC   | | | Eval input.spec.template.spec.securityContext.runAsNonRoot
TRAC   | | | Fail input.spec.template.spec.securityContext.runAsNonRoot
TRAC   | | Eval __local2__ = data.main.name
TRAC   | | Index data.main.name (matched 1 rule)
TRAC   | | Enter data.main.name
TRAC   | | | Eval true
TRAC   | | | Eval __local1__ = input.metadata.name
TRAC   | | | Exit data.main.name
TRAC   | | Eval sprintf("Containers must not run as root in Deployment %s", [__local2__], __local0__)
TRAC   | | Eval msg = __local0__
TRAC   | | Exit data.main.deny
TRAC   | Redo data.main.deny
TRAC   | | Redo msg = __local0__
TRAC   | | Redo sprintf("Containers must not run as root in Deployment %s", [__local2__], __local0__)
TRAC   | | Redo __local2__ = data.main.name
TRAC   | | Redo data.main.name
TRAC   | | | Redo __local1__ = input.metadata.name
TRAC   | | | Redo true
TRAC   | | Redo data.kubernetes.is_deployment
TRAC   | | Redo data.kubernetes.is_deployment
TRAC   | | | Redo input.kind = "Deployment"
TRAC   | Exit data.main.deny = _
TRAC   Redo data.main.deny = _
TRAC   | Redo data.main.deny = _

Answered by anderseknert

Jul 11, 2022

Hi @jeremyhager! I have not been involved in authoring that policy, but it seems to check for the securityContext only on the spec itself, an not the individual containers, i.e. input.spec.template.spec.securityContext.runAsNonRoot. I believe this is valid configuration, but if you'd rather want to check each container instead, perhaps in order to allow some containers without the setting, you could do something like:

deny[msg] {
	kubernetes.is_deployment
	container := input.spec.template.spec.containers[_]
        not container.securityContext.runAsNonRoot

	msg = sprintf("Container %s must not run as root in Deployment %s", [container.name, name])
}

(you might want to repeat the process…

View full answer

anderseknert · 2022-07-11T21:53:34Z

anderseknert
Jul 11, 2022
Maintainer

Hi @jeremyhager! I have not been involved in authoring that policy, but it seems to check for the securityContext only on the spec itself, an not the individual containers, i.e. input.spec.template.spec.securityContext.runAsNonRoot. I believe this is valid configuration, but if you'd rather want to check each container instead, perhaps in order to allow some containers without the setting, you could do something like:

deny[msg] {
	kubernetes.is_deployment
	container := input.spec.template.spec.containers[_]
        not container.securityContext.runAsNonRoot

	msg = sprintf("Container %s must not run as root in Deployment %s", [container.name, name])
}

(you might want to repeat the process for initContainers as well, by the way)

1 reply

jeremyhager Jul 12, 2022
Author

🤦‍♂️Thank you @anderseknert ! This was the fix, after updating the deployment.yaml to be under spec, and not the container, sure enough the policy passed for that. I knew I was missing something, appreciate the heads up too.

Thanks again!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Open Policy Agent

Policies fail even after file is updated #235

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Open Policy Agent

Policies fail even after file is updated #235

jeremyhager Jul 11, 2022

Problem

Expected behaviour

Steps

System info

Further troubleshooting

Replies: 1 comment · 1 reply

anderseknert Jul 11, 2022 Maintainer

jeremyhager Jul 12, 2022 Author

jeremyhager
Jul 11, 2022

Replies: 1 comment 1 reply

anderseknert
Jul 11, 2022
Maintainer

jeremyhager Jul 12, 2022
Author