Commit
fix(core): ensure only cluster policy is updated on new ns
The `if` condition in `GetSecurityPolicies(..)` returns true if `matchClusterSecurityPolicyRule(..)` evaluates to `true`. That function doesn't check whether the passed policy is a cluster policy, and since the `matchExpressions` is empty for container policies, it ends up adding one namespace (whatever comes back in the k8s client response first that hasn't been added yet) to the `NamespaceList` of all existing container policies; it then returns `true` and the policy is added to the `GetSecurityPolicies(..)` response. Over time, as `matchClusterSecurityPolicyRule(..)` is called, the `NamespaceList` in each regular policy keeps increasing, causing the container policy to be applied in namespaces where it was not intended. The `matchClusterSecurityPolicyRule(..)` is corrected to apply only on cluster policies.

Fixes: #1840

Signed-off-by: Carlos Rodriguez-Fernandez <[email protected]>
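To make the described defect concrete, here is an added example (not the project's code) that models the unguarded match beside the guarded one; `Policy`, `Namespace`, `IsCluster`, `MatchLabels` and `matchOnce` are assumed, simplified stand-ins for the real types and helpers, and the namespaces are constructed sample data.

```go
package main

// Policy is a hypothetical, simplified stand-in for the project's policy type.
type Policy struct {
	IsCluster     bool              // assumed flag: true only for cluster policies
	MatchLabels   map[string]string // stands in for matchExpressions; empty for container policies
	NamespaceList []string          // namespaces the policy is currently applied in
}

// Namespace is a constructed stand-in for one item of the k8s client's namespace list.
type Namespace struct{ Name string; Labels map[string]string }

// labelsMatch treats an empty selector as matching every namespace: this is why
// a container policy (empty selector) was being matched at all.
func labelsMatch(sel, labels map[string]string) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// matchOnce appends the first matching namespace not yet listed and reports true.
func matchOnce(p *Policy, nss []Namespace) bool {
next:
	for _, ns := range nss {
		for _, seen := range p.NamespaceList {
			if seen == ns.Name {
				continue next
			}
		}
		if labelsMatch(p.MatchLabels, ns.Labels) {
			p.NamespaceList = append(p.NamespaceList, ns.Name)
			return true
		}
	}
	return false
}

// Buggy shape: the policy kind is never checked, so each call on a container policy can append one more namespace.
func matchClusterSecurityPolicyRuleBuggy(p *Policy, nss []Namespace) bool {
	return matchOnce(p, nss)
}

// Fixed shape: only cluster policies are matched against namespaces.
func matchClusterSecurityPolicyRuleFixed(p *Policy, nss []Namespace) bool {
	return p.IsCluster && matchOnce(p, nss)
}
```

Calling the buggy variant repeatedly on a container policy grows its `NamespaceList` by one namespace per call; the fixed variant leaves container policies untouched while still matching cluster policies by label.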