Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The operator fails to scan GKE autopilot clusters #850

Open
czunker opened this issue Aug 30, 2023 · 4 comments
Open

The operator fails to scan GKE autopilot clusters #850

czunker opened this issue Aug 30, 2023 · 4 comments

Comments

@czunker
Copy link
Contributor

czunker commented Aug 30, 2023

Describe the bug
When the operator is deployed in a GKE autopilot cluster, it does not report any assets.

https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview

This needs to be fixed because the new default for GKE clusters is autopilot: https://cloud.google.com/blog/products/containers-kubernetes/gke-autopilot-is-now-default-mode-of-cluster-operation

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Select '....'
  3. Scroll down to '....'
  4. Note the error

Expected behavior
The operator should scan the same workloads as in other clusters.

@mariuskimmina
Copy link
Contributor

Seems that the problem is that we have this volume

Volumes: []corev1.Volume{
  {
    Name: "root",
    VolumeSource: corev1.VolumeSource{
      HostPath: &corev1.HostPathVolumeSource{Path: "/", Type: &unsetHostPath},
    },
  },

Which gets mounted here:

VolumeMounts: []corev1.VolumeMount{
  {
    Name:      "root",
    ReadOnly:  true,
    MountPath: "/mnt/host/",
  },

Which causes the following error

hostPath volume root used in container cnspec uses path / which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/].

I see that we are currently relying on this volume for scanning

		Spec: &v1.InventorySpec{
			Assets: []*asset.Asset{
				{
					Id:   "host",
					Name: node.Name,
					Connections: []*providers.Config{
						{
							Host:       "/mnt/host",
							Backend:    providers.ProviderType_FS,
							PlatformId: fmt.Sprintf("//platformid.api.mondoo.app/runtime/k8s/uid/%s/node/%s", clusterUID, node.UID),
						},
					},
					Labels: map[string]string{
						"k8s.mondoo.com/kind": "node",
					},
					ManagedBy: "mondoo-operator-" + clusterUID,
				},
			},
		},
	}

I don't have a solution currenlty, just wanted to share my insights from taking a first look at this problem.

I assume we should at least be able to build better handling around this case as this currently prevents the cronjob from being created at all.

@mariuskimmina
Copy link
Contributor

Seeing that if node scanning fails we just stop and don't even attempt to scan kubernetes ressources - I wonder if for autopilot clusters we could be fine with being unable to scan the nodes (currently I don't see a way to make that work) but still scan the resources in the cluster

nodes := nodes.DeploymentHandler{
  Mondoo:                 mondooAuditConfig,
  KubeClient:             r.Client,
  MondooOperatorConfig:   config,
  ContainerImageResolver: r.ContainerImageResolver,
  IsOpenshift:            r.RunningOnOpenShift,
}

result, reconcileError = nodes.Reconcile(ctx)
if reconcileError != nil {
  log.Error(reconcileError, "Failed to set up nodes scanning")
}
if reconcileError != nil || result.Requeue {
  return result, reconcileError
}

workloads := k8s_scan.DeploymentHandler{
  Mondoo:                 mondooAuditConfig,
  KubeClient:             r.Client,
  MondooOperatorConfig:   config,
  ContainerImageResolver: r.ContainerImageResolver,
  ScanApiStore:           r.ScanApiStore,
}

result, reconcileError = workloads.Reconcile(ctx)
if reconcileError != nil {
  log.Error(reconcileError, "Failed to set up Kubernetes resources scanning")
}
if reconcileError != nil || result.Requeue {
  return result, reconcileError
}

@mariuskimmina
Copy link
Contributor

Turning off node scanning already allows the resources to show up

image

@czunker
Copy link
Contributor Author

czunker commented Sep 11, 2023

Thanks @mariuskimmina, for digging deeper into this.

It's good to know what to look for. Perhaps other ways to scan a now work in GKE autopilot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants