From dd1f03d8916628d39f4f6992fd2425a040983f1e Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez-Fernandez
Date: Wed, 14 Aug 2024 07:22:59 -0700
Subject: [PATCH] fix(core): ensure only cluster policy is updated on new ns

The `if` condition in `GetSecurityPolicies(..)` returns true if `matchClusterSecurityPolicyRule(..)` evaluates to `true`. That function doesn't check whether the passed policy is a cluster policy, and since the `matchExpressions` is empty for container policies, it ends up adding one namespace (whatever comes back in the k8s client response first that hasn't been added yet) to NamespaceList of all existing container policies, it then returns `true` and the policy is added to the `GetSecurityPolicies(..)` response. Over time, as `matchClusterSecurityPolicyRule(..)` is called, the list of `NamespaceList` in each regular policy keeps increasing, causing the container policy to be applied in namespaces where was not intended. The `matchClusterSecurityPolicyRule(..)` is corrected to apply only on cluster policies.

Fixes: #1840
Signed-off-by: Carlos Rodriguez-Fernandez
---
 KubeArmor/core/kubeUpdate.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
index 082b029acb..1d7ebb0d42 100644
--- a/KubeArmor/core/kubeUpdate.go
+++ b/KubeArmor/core/kubeUpdate.go
@@ -960,6 +960,11 @@ func (dm *KubeArmorDaemon) WatchK8sPods() {
 }
 func matchClusterSecurityPolicyRule(policy tp.SecurityPolicy) bool {
+
+	if len(policy.Spec.Selector.Identities) > 0 { // if is not a Cluster policy
+		return false
+	}
+
 	hasInOperator := false
 	excludedNamespaces := make(map[string]bool)