
Questions about katapolicygen #8425

Open
cYKatherine opened this issue Jan 20, 2025 · 2 comments
Labels
bug This issue requires a change to an existing behavior in the product in order to be resolved. customer-reported Issues that are reported by GitHub users external to the Azure organization. Service Attention This issue is responsible by Azure service team.

Comments

cYKatherine commented Jan 20, 2025

Describe the bug

Hello team, I'm using az confcom katapolicygen --yaml "pod.yaml" --print-policy to generate a security policy for my yaml file.

There is limited documentation, so I'm confused about the behaviour:

When generating the security policy using az confcom katapolicygen --yaml "pod.yaml" --print-policy, it works when my deployment YAML file has nginx:latest as spec.containers.image: after the policy is generated and kubectl apply -f pod.yaml is run, the pod starts correctly.

However, when I set spec.containers.image to our image (which is also public), the pod won't start and complains that the policy doesn't allow it.

Can you kindly advise why that is so? What is the restriction on the image? And if there is any more detailed documentation for katapolicygen, can you kindly point me to it please? Thank you very much.

Related command

az confcom katapolicygen --yaml "pod.yaml" --print-policy

Errors


Name: kafka-golang-consumer
Namespace: kafka
Priority: 0
Runtime Class Name: kata-cc-isolation
Service Account: workload-identity-sa
Node: aks-nodepool2-21553532-vmss000001/10.224.0.5
Start Time: Thu, 16 Jan 2025 18:44:30 +1100
Labels: app.kubernetes.io/name=kafka-golang-consumer
azure.workload.identity/use=true
Annotations: io.katacontainers.config.agent.policy:
IyBDb3B5cmlnaHQgKGMpIDIwMjMgTWljcm9zb2Z0IENvcnBvcmF0aW9uCiMKIyBTUERYLUxpY2Vuc2UtSWRlbnRpZmllcjogQXBhY2hlLTIuMAojCnBhY2thZ2UgYWdlbnRfcG9saW...
Status: Running
IP: 10.244.2.152
IPs:
IP: 10.244.2.152
Containers:
skr:
Container ID: containerd://76de8cd3b02fa12a9d4dd6464799e890d8881279133169b1d0a79ed04152e7cc
Image: mcr.microsoft.com/aci/skr:2.7
Image ID: mcr.microsoft.com/aci/skr@sha256:b584057158c1f700edcdb0b3122628541da450acac48bd80512ee88c34f7649d
Port:
Host Port:
Command:
/skr.sh
State: Running
Started: Thu, 16 Jan 2025 18:44:39 +1100
Ready: True
Restart Count: 0
Environment:
Port: 9000
AZURE_CLIENT_ID: af61fb08-db6a-42a4-a340-e367af8e547e
AZURE_TENANT_ID: 67714990-53f7-4cc5-b369-edabfd7d01d9
AZURE_FEDERATED_TOKEN_FILE: /var/run/secrets/azure/tokens/azure-identity-token
AZURE_AUTHORITY_HOST: https://login.microsoftonline.com/
Mounts:
/opt/confidential-containers/share/kata-containers/reference-info-base64 from endor-loc (rw)
/var/run/secrets/azure/tokens from azure-identity-token (ro)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-5z6vg (ro)
uid2-operator:
Container ID: containerd://ad7c057825a1c1c0d353323330e9c27b12c44cf998a6763c3d94dfc075ae4420
Image: ghcr.io/iabtechlab/uid2-operator:5.43.11-azure-cc
Image ID: ghcr.io/iabtechlab/uid2-operator@sha256:7795c1414a2e2b3ffe0fa71328a27502d0380d9d060803c09a1566f5c04ad397
Ports: 8080/TCP, 9080/TCP
Host Ports: 0/TCP, 0/TCP
State: Waiting
Reason: CrashLoopBackOff
Last State: Terminated
Reason: StartError
Message: failed to create containerd task: failed to create shim task: "CreateContainerRequest is blocked by policy: agent_policy:94: allow_create_container_input: input = {"OCI":{"Annotations":{"io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ad7c057825a1c1c0d353323330e9c27b12c44cf998a6763c3d94dfc075ae4420","io.katacontainers.pkg.oci.container_type":"pod_container","io.kubernetes.cri.container-name":"uid2-operator","io.kubernetes.cri.container-type":"container","io.kubernetes.cri.image-name":"ghcr.io..............eges":false,"OOMScoreAdj":1000,"Rlimits":[],"SelinuxLabel":"","Terminal":false,"User":{"AdditionalGids":[1000],"GID":1000,"UID":1000,"Username":""}} agent_policy:493: allow_process_common: s_name = kafka-golang-consumer agent_policy:544: allow_user: input uid = 1000 policy uid = 0": unknown
Warning BackOff 15s (x5 over 51s) kubelet Back-off restarting failed container uid2-operator in pod kafka-golang-consumer_kafka(d8f4820c-a92d-4e6e-bff1-5e0a642d34c0)

Issue script & Debug output

NA

Expected behavior

The pod should start correctly

Environment Summary

azure-cli 2.67.0 *

core 2.67.0 *
telemetry 1.1.0

Extensions:
aks-preview 13.0.0b2
confcom 0.3.5

Dependencies:
msal 1.31.0
azure-mgmt-resource 23.1.1

Python location '/opt/homebrew/Cellar/azure-cli/2.67.0_1/libexec/bin/python'
Extensions directory '/Users/katherine.chen/.azure/cliextensions'

Python (Darwin) 3.12.8 (main, Dec 3 2024, 18:42:41) [Clang 15.0.0 (clang-1500.1.0.2.5)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response

cYKatherine added the bug label (This issue requires a change to an existing behavior in the product in order to be resolved) Jan 20, 2025
yonzhan (Collaborator) commented Jan 20, 2025

Thank you for opening this issue, we will look into it.

microsoft-github-policy-service bot added the question label (The issue doesn't require a change to the product in order to be resolved. Most issues start as that) and the customer-reported label (Issues that are reported by GitHub users external to the Azure organization) Jan 20, 2025
yonzhan added the Service Attention label (This issue is responsible by Azure service team) and removed the question label Jan 20, 2025
cYKatherine (Author) commented

Updates:

Found the issue: it was because our image runs under a non-root user.

Added

      securityContext:
        runAsUser: 1000

to the YAML file, and it fixes the issue.
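The mechanism behind the error and the fix, as an added illustration that is not code from this issue, from the Azure CLI or from the Kata agent: a small Python model of the allow_user comparison quoted in the error above (the OCI Process.User.UID the runtime will start the container with, versus the UID recorded in the generated policy). It assumes the policy takes its expected UID from securityContext.runAsUser (container level first, then pod level) and defaults to 0 when neither is set, which is what the page shows ("policy uid = 0" with no securityContext), and that the runtime, when runAsUser is absent, falls back to the image's USER. The pod specs and image UIDs below are constructed; only the UID check is modelled, while the real policy inspects many more fields of the CreateContainerRequest.

```python
"""
Model of the Kata agent policy 'allow_user' check that blocked the pod above.

Added illustration, not the Azure CLI's or the Kata agent's code.
Assumptions (labelled here and in the lead-in):
  * the generated policy expects one UID per container, taken from
    securityContext.runAsUser (container, then pod) and defaulting to 0;
  * the runtime starts the container as runAsUser when set, otherwise as
    the image's USER (supplied here as a constructed mapping).
"""

from typing import Dict, Optional, Tuple

DEFAULT_POLICY_UID = 0  # observed on the page: "policy uid = 0" when no runAsUser is set


def run_as_user(container: dict, pod_spec: dict) -> Optional[int]:
    """Kubernetes precedence: container securityContext wins over pod securityContext."""
    ctx = container.get("securityContext") or {}
    if "runAsUser" in ctx:
        return int(ctx["runAsUser"])
    pod_ctx = pod_spec.get("securityContext") or {}
    if "runAsUser" in pod_ctx:
        return int(pod_ctx["runAsUser"])
    return None


def policy_uid_for(container: dict, pod_spec: dict) -> int:
    """UID the generated policy will expect for this container (assumed rule)."""
    uid = run_as_user(container, pod_spec)
    return DEFAULT_POLICY_UID if uid is None else uid


def runtime_uid_for(container: dict, pod_spec: dict, image_uid: int) -> int:
    """UID the runtime actually starts the container with (runAsUser, else image USER)."""
    uid = run_as_user(container, pod_spec)
    return image_uid if uid is None else uid


def allow_user(input_uid: int, policy_uid: int) -> bool:
    """The comparison named in the error: input uid must equal policy uid."""
    return input_uid == policy_uid


def check_pod(pod: dict, image_uids: Dict[str, int]) -> Dict[str, Tuple[bool, str]]:
    """Return {container name: (allowed, message)} using the error's message format."""
    results: Dict[str, Tuple[bool, str]] = {}
    spec = pod["spec"]
    for container in spec["containers"]:
        name = container["name"]
        expected = policy_uid_for(container, spec)
        actual = runtime_uid_for(container, spec, image_uids[name])
        if allow_user(actual, expected):
            results[name] = (True, "allowed")
        else:
            results[name] = (False, f"allow_user: input uid = {actual} policy uid = {expected}")
    return results


# Constructed sample pods (not the reporter's pod.yaml) and constructed image USER values:
# nginx runs as root, the example app image declares USER 1000.
IMAGE_UIDS = {"web": 0, "app": 1000}

NGINX_POD = {"spec": {"runtimeClassName": "kata-cc-isolation",
                      "containers": [{"name": "web", "image": "nginx:latest"}]}}

NONROOT_POD = {"spec": {"runtimeClassName": "kata-cc-isolation",
                        "containers": [{"name": "app", "image": "example.com/app:1.0"}]}}

# The fix from the comment above: tell the policy generator the UID the image will use.
FIXED_POD = {"spec": {"runtimeClassName": "kata-cc-isolation",
                      "containers": [{"name": "app", "image": "example.com/app:1.0",
                                      "securityContext": {"runAsUser": 1000}}]}}


if __name__ == "__main__":
    for label, pod in (("nginx", NGINX_POD), ("non-root, no securityContext", NONROOT_POD),
                       ("non-root, runAsUser: 1000", FIXED_POD)):
        print(label, check_pod(pod, IMAGE_UIDS))
```

Running it reproduces the three situations from the thread: the root image passes with the default policy, the non-root image without a securityContext fails with "allow_user: input uid = 1000 policy uid = 0", and declaring runAsUser: 1000 makes the policy and the runtime agree. The same reasoning applies to any image whose USER is not root: regenerate the policy after changing runAsUser, since the policy is baked into the io.katacontainers.config.agent.policy annotation.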
