Added security policy validator in custom controller by [VenkataReddy] #196
Conversation
@CBVenkataReddy how did you generate the YAML files for controllers?
I have used "kustomize" for customizing the manifests & generating YAML files: "kustomize build config/default"
@@ -670,7 +672,7 @@ func (dm *KubeArmorDaemon) WatchSecurityPolicies() { | |||
if policy.Metadata["policyName"] == secPolicy.Metadata["policyName"] && | |||
policy.Metadata["namespaceName"] == secPolicy.Metadata["namespaceName"] && | |||
policy.Metadata["generation"] == secPolicy.Metadata["generation"] { | |||
exist = true | |||
//exist = true |
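Review bot: with `exist = true` commented out, the three-way match on policyName, namespaceName and generation in WatchSecurityPolicies is now an `if` with an empty body, so the comparison is dead code and every repeated event for an unchanged policy falls through to the update path. If the intent is that the controller's status update (which, per the discussion, arrives as a MODIFIED event with the same generation) must no longer be skipped, delete the condition outright rather than leaving it disabled, or add a comment next to it saying why the check stays; a leftover `//exist = true` invites the next reader to re-enable it.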
Why is this line disabled?
Here the condition basically checks whether the policy exists or not; if it exists then it continues without applying security policies to containers (UpdateSecurityPolicy).
The controller validates the KubeArmorPolicy schema and, based on the validation, it updates the status.
After the controller status update KubeArmor gets an event (MODIFIED); as the policy exist condition becomes true it sets "exist = true" and continues back to check other events in the infinite loop.
Inside the controllers/kubearmorpolicy_controller.go and controllers/kubearmorhostpolicy_controller.go files we have the function "Reconcile". Here the function "Reconcile" acts as a security policy validator on the Kubernetes side in order to check for syntax and semantic errors. So the business logic (points 1 and 2 below) for validating syntax and semantic errors will be part of the "Reconcile" function.
1. Check whether policies are already applied in Kubernetes at the controller.
2. Update the policy status to valid (OK) / invalid (Not OK), delete the invalid policy and return the fail code when a new policy is applied and there are some issues in the policy.
Fixes: #104
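The interaction discussed in this thread, as an added illustration that is not KubeArmor's code: a hypothetical model of the watch loop in which the daemon learns about a policy on ADDED, the controller's validation result arrives as a MODIFIED event with the same metadata.generation, and the `exist` short-circuit (name, namespace, generation all equal) decides whether that second event ever reaches the update path. The `PolicyEvent`/`Daemon` types and the "OK" status string are assumptions made for the example.

```go
package main

import "fmt"

// PolicyEvent is a constructed stand-in for one watch event; the Metadata keys
// mirror the ones compared in WatchSecurityPolicies (hypothetical type).
type PolicyEvent struct {
	Type     string            // ADDED, MODIFIED, DELETED
	Metadata map[string]string // policyName, namespaceName, generation
	Status   string            // written by the controller after validation, e.g. "OK"
}

// Daemon tracks policies the loop has seen and how often it applied one.
type Daemon struct {
	Known   []map[string]string
	Applied int
}

// alreadyExists is the three-way match from the hunk: a status-only update
// keeps the same generation, so it matches an entry learnt from ADDED.
func alreadyExists(known []map[string]string, meta map[string]string) bool {
	for _, p := range known {
		if p["policyName"] == meta["policyName"] &&
			p["namespaceName"] == meta["namespaceName"] &&
			p["generation"] == meta["generation"] {
			return true
		}
	}
	return false
}

// HandleEvent returns true when the policy would be handed to the update path.
// skipExisting=true reproduces the original `exist = true` behaviour.
func (d *Daemon) HandleEvent(ev PolicyEvent, skipExisting bool) bool {
	if ev.Type != "ADDED" && ev.Type != "MODIFIED" {
		return false
	}
	exist := alreadyExists(d.Known, ev.Metadata)
	if !exist {
		d.Known = append(d.Known, ev.Metadata)
	}
	if skipExisting && exist {
		return false // duplicate (name, namespace, generation): original loop continues
	}
	if ev.Status != "OK" {
		return false // controller has not validated the policy yet
	}
	d.Applied++
	return true
}

func main() {
	meta := map[string]string{"policyName": "p", "namespaceName": "default", "generation": "1"}
	d := &Daemon{}
	d.HandleEvent(PolicyEvent{Type: "ADDED", Metadata: meta}, true)
	fmt.Println(d.HandleEvent(PolicyEvent{Type: "MODIFIED", Metadata: meta, Status: "OK"}, true)) // false
}
```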