kyverno: [BUG] Kyverno ignores system namespaces by default
Software version numbers
- Kubernetes version: n/a
- Kubernetes platform (if applicable; ex., EKS, GKE, OpenShift): n/a
- Kyverno version: 1.4.x
Describe the bug
Kyverno ignores the kyverno and the kube-system namespaces in the default resource filter. This means that no policies are applied to these namespaces, which increases security risks.
We need to tighten this, so only "trusted" resources are ignored, or remove the default filters.
Expected behavior
Kyverno installation should be secure by default.
About this issue
- State: closed
- Created 3 years ago
- Comments: 20 (14 by maintainers)
Shall we close this issue?
Everything has been made configurable, we added a documentation page about it. To me it makes sense that kyverno uses safe default values.
Based on the discussion of Dynamic and Customizable Webhooks, the resourceFilters and namespaceSelectors will be deprecated (see https://github.com/kyverno/kyverno/issues/2320) in the future release. Instead, the webhooks will be configured based on the installed policies. That is to say, there will be no admission request in namespace kube-system forwarded to Kyverno if there isn't any policy matching the kube-system namespace. @JimBugwadia - do you see any other potential security issue?
Nothing has changed here AFAIK. Default resourceFilters still look like this:
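To make the effect of the default filters concrete, here is an added example (not Kyverno's own code and not the ConfigMap value that was pasted in the original comment). It parses the `[Kind,Namespace,Name]` triples that Kyverno's `resourceFilters` ConfigMap entry uses, answers whether a given admission request would be skipped before any policy runs, and shows what removing the namespace-wide `kube-system` and `kyverno` exclusions changes. The filter string below is constructed to resemble the 1.4.x default rather than copied from it, and the `*`/`?` wildcard matching is an approximation of Kyverno's behaviour.

```python
import re
from typing import Iterable, List, Tuple

# Added example, not Kyverno's code. Models the "[Kind,Namespace,Name]"
# resourceFilters syntax from the Kyverno ConfigMap so the effect of the
# default namespace exclusions can be checked offline.

FILTER_RE = re.compile(r"\[([^\]]*)\]")
Filter = Tuple[str, str, str]


def parse_resource_filters(value: str) -> List[Filter]:
    """Parse a resourceFilters string into (kind, namespace, name) triples."""
    triples: List[Filter] = []
    for body in FILTER_RE.findall(value):
        fields = [f.strip() for f in body.split(",")]
        if len(fields) != 3:
            raise ValueError(f"malformed filter entry: [{body}]")
        triples.append((fields[0], fields[1], fields[2]))
    return triples


def _wildcard_match(pattern: str, text: str) -> bool:
    """Glob-style match: '*' matches any run (including empty), '?' one char.
    Approximates Kyverno's wildcard matching; labelled as an assumption."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, text) is not None


def is_filtered(filters: Iterable[Filter], kind: str, namespace: str, name: str) -> bool:
    """True if an admission request for this resource is skipped entirely,
    i.e. no policy (validate, mutate, generate) is evaluated against it."""
    return any(
        _wildcard_match(k, kind)
        and _wildcard_match(ns, namespace)
        and _wildcard_match(n, name)
        for k, ns, n in filters
    )


def drop_namespace_wide_filters(filters: Iterable[Filter], namespaces: Iterable[str]) -> List[Filter]:
    """Remove entries that exclude every kind in the given namespaces, leaving
    kind-specific exclusions (Events, Nodes, review APIs) in place."""
    blocked = set(namespaces)
    return [t for t in filters if not (t[0] == "*" and t[1] in blocked)]


def render_resource_filters(filters: Iterable[Filter]) -> str:
    """Serialize triples back into the ConfigMap string form."""
    return "".join(f"[{k},{ns},{n}]" for k, ns, n in filters)


# Constructed sample in the shape of the 1.4.x default; the real value is
# longer. The "[*,kube-system,*]" and "[*,kyverno,*]" entries are the ones
# this issue is about.
CONSTRUCTED_DEFAULT = (
    "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*]"
    "[Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*]"
    "[*,kyverno,*]"
)

if __name__ == "__main__":
    default = parse_resource_filters(CONSTRUCTED_DEFAULT)
    tightened = drop_namespace_wide_filters(default, {"kube-system", "kyverno"})
    for label, filters in (("default", default), ("tightened", tightened)):
        skipped = is_filtered(filters, "Pod", "kube-system", "coredns-abc")
        print(f"{label}: Pod in kube-system skipped by filters = {skipped}")
    print("tightened resourceFilters:", render_resource_filters(tightened))
```

The tightened value is what would go into the `resourceFilters` key of the `kyverno` ConfigMap in the `kyverno` namespace (assumed location, as used by the 1.4.x install manifests); after the change, a ClusterPolicy that matches kube-system Pods is actually evaluated, while Events, Nodes and the review APIs stay excluded.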
@eddycharly - please feel free to work on this. Currently I’m a little occupied with a few PSS and platform-side issues.
After discussion in the 7/20/22 contributors meeting, I think the best thing here is to remove the Namespace filters and move them into the Helm chart as Namespace exclusions.
I met the same issue in versions 1.3.3/1.3.6: the ClusterPolicy for kube-system does not work as expected.