
Questions about katapolicygen #8425

@cYKatherine

Description

Describe the bug

Hello team, I'm using az confcom katapolicygen --yaml "pod.yaml" --print-policy to generate a security policy for my yaml file.

There is limited documentation, so I'm confused about the behaviour:

When generating the security policy using az confcom katapolicygen --yaml "pod.yaml" --print-policy, it works when my deployment yaml file has nginx:latest as spec.containers.image: after the policy is generated and I run kubectl apply -f pod.yaml, the pod starts correctly.

However, when I set spec.containers.image to our image (which is also public), the pod won't start and complains that the policy doesn't allow it.

Can you kindly advise why that is so? What is the restriction on the image? And if there is any more detailed documentation for katapolicygen, can you kindly point me to it please? Thank you very much.

Related command

az confcom katapolicygen --yaml "pod.yaml" --print-policy

Errors

Name:                 kafka-golang-consumer
Namespace:            kafka
Priority:             0
Runtime Class Name:   kata-cc-isolation
Service Account:      workload-identity-sa
Node:                 aks-nodepool2-21553532-vmss000001/10.224.0.5
Start Time:           Thu, 16 Jan 2025 18:44:30 +1100
Labels:               app.kubernetes.io/name=kafka-golang-consumer
                      azure.workload.identity/use=true
Annotations:          io.katacontainers.config.agent.policy:
                        IyBDb3B5cmlnaHQgKGMpIDIwMjMgTWljcm9zb2Z0IENvcnBvcmF0aW9uCiMKIyBTUERYLUxpY2Vuc2UtSWRlbnRpZmllcjogQXBhY2hlLTIuMAojCnBhY2thZ2UgYWdlbnRfcG9saW...
Status:               Running
IP:                   10.244.2.152
IPs:
  IP:  10.244.2.152
Containers:
  skr:
    Container ID:  containerd://76de8cd3b02fa12a9d4dd6464799e890d8881279133169b1d0a79ed04152e7cc
    Image:         mcr.microsoft.com/aci/skr:2.7
    Image ID:      mcr.microsoft.com/aci/skr@sha256:b584057158c1f700edcdb0b3122628541da450acac48bd80512ee88c34f7649d
    Port:
    Host Port:
    Command:
      /skr.sh
    State:          Running
      Started:      Thu, 16 Jan 2025 18:44:39 +1100
    Ready:          True
    Restart Count:  0
    Environment:
      Port:                        9000
      AZURE_CLIENT_ID:             af61fb08-db6a-42a4-a340-e367af8e547e
      AZURE_TENANT_ID:             67714990-53f7-4cc5-b369-edabfd7d01d9
      AZURE_FEDERATED_TOKEN_FILE:  /var/run/secrets/azure/tokens/azure-identity-token
      AZURE_AUTHORITY_HOST:        https://login.microsoftonline.com/
    Mounts:
      /opt/confidential-containers/share/kata-containers/reference-info-base64 from endor-loc (rw)
      /var/run/secrets/azure/tokens from azure-identity-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-5z6vg (ro)
  uid2-operator:
    Container ID:  containerd://ad7c057825a1c1c0d353323330e9c27b12c44cf998a6763c3d94dfc075ae4420
    Image:         ghcr.io/iabtechlab/uid2-operator:5.43.11-azure-cc
    Image ID:      ghcr.io/iabtechlab/uid2-operator@sha256:7795c1414a2e2b3ffe0fa71328a27502d0380d9d060803c09a1566f5c04ad397
    Ports:         8080/TCP, 9080/TCP
    Host Ports:    0/TCP, 0/TCP
    State:         Waiting
      Reason:      CrashLoopBackOff
    Last State:    Terminated
      Reason:      StartError
      Message:     failed to create containerd task: failed to create shim task: "CreateContainerRequest is blocked by policy: agent_policy:94: allow_create_container_input: input = {"OCI":{"Annotations":{"io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ad7c057825a1c1c0d353323330e9c27b12c44cf998a6763c3d94dfc075ae4420","io.katacontainers.pkg.oci.container_type":"pod_container","io.kubernetes.cri.container-name":"uid2-operator","io.kubernetes.cri.container-type":"container","io.kubernetes.cri.image-name":"ghcr.io..............eges":false,"OOMScoreAdj":1000,"Rlimits":[],"SelinuxLabel":"","Terminal":false,"User":{"AdditionalGids":[1000],"GID":1000,"UID":1000,"Username":""}} agent_policy:493: allow_process_common: s_name = kafka-golang-consumer agent_policy:544: allow_user: input uid = 1000 policy uid = 0": unknown

  Warning  BackOff  15s (x5 over 51s)  kubelet  Back-off restarting failed container uid2-operator in pod kafka-golang-consumer_kafka(d8f4820c-a92d-4e6e-bff1-5e0a642d34c0)

Issue script & Debug output

NA

Expected behavior

The pod should start correctly

Environment Summary

azure-cli 2.67.0 *

core 2.67.0 *
telemetry 1.1.0

Extensions:
aks-preview 13.0.0b2
confcom 0.3.5

Dependencies:
msal 1.31.0
azure-mgmt-resource 23.1.1

Python location '/opt/homebrew/Cellar/azure-cli/2.67.0_1/libexec/bin/python'
Extensions directory '/Users/katherine.chen/.azure/cliextensions'

Python (Darwin) 3.12.8 (main, Dec 3 2024, 18:42:41) [Clang 15.0.0 (clang-1500.1.0.2.5)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response
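The denial message in the describe output above is the part worth reading closely: the kata agent walks the generated policy (allow_create_container_input, then allow_process_common, then allow_user) and the last rule named is the one that rejected the request, here reporting that the container asked to run as uid 1000 while the policy for that container only allows uid 0. The following is an added triage helper, not code from the issue, from confcom or from the kata-containers project; it parses that message format out of kubectl describe output and reports the failing rule and the mismatched values. The sample describe fragment and message are constructed from the issue, with the large OCI JSON reduced to the one annotation the helper reads.

```python
"""Triage helper for kata-cc agent policy denials (added example).

Parses the 'Message:' field that `kubectl describe pod` shows when the kata
agent rejects a CreateContainerRequest and reports which policy rule failed
and, for allow_user, the requested uid versus the uid the policy allows.
"""
import re
from typing import Optional

# Constructed sample, abbreviated from the denial message in the issue: the
# full OCI spec JSON is reduced to the container-name annotation.
SAMPLE_MESSAGE = (
    'failed to create containerd task: failed to create shim task: '
    '"CreateContainerRequest is blocked by policy: '
    'agent_policy:94: allow_create_container_input: input = '
    '{"OCI":{"Annotations":{"io.kubernetes.cri.container-name":"uid2-operator"}}} '
    'agent_policy:493: allow_process_common: s_name = kafka-golang-consumer '
    'agent_policy:544: allow_user: input uid = 1000 policy uid = 0": unknown'
)

# Constructed fragment of `kubectl describe pod` output wrapping that message.
SAMPLE_DESCRIBE = (
    "    State:          Waiting\n"
    "      Reason:       CrashLoopBackOff\n"
    "    Last State:     Terminated\n"
    "      Reason:       StartError\n"
    f"      Message:      {SAMPLE_MESSAGE}\n"
)

# Each evaluated rule is logged as "agent_policy:<line>: <rule_name>".
RULE_RE = re.compile(r"agent_policy:(\d+): (\w+)")
# The allow_user rule logs both sides of the comparison it failed.
UID_RE = re.compile(r"allow_user: input uid = (\d+) policy uid = (\d+)")
# The CRI container name lives in the OCI annotations echoed in the input.
NAME_RE = re.compile(r'"io\.kubernetes\.cri\.container-name":"([^"]+)"')


def extract_message(describe_output: str) -> Optional[str]:
    """Return the text after the first 'Message:' field, or None if absent."""
    for line in describe_output.splitlines():
        key, sep, value = line.strip().partition("Message:")
        if sep and key == "":
            return value.strip()
    return None


def is_policy_denial(message: str) -> bool:
    """True when the runtime error came from the agent policy, not elsewhere."""
    return "is blocked by policy" in message


def rule_trail(message: str) -> list[tuple[int, str]]:
    """Rules the agent evaluated, in order, as (policy line, rule name)."""
    return [(int(line), rule) for line, rule in RULE_RE.findall(message)]


def uid_mismatch(message: str) -> Optional[tuple[int, int]]:
    """(requested uid, policy uid) if allow_user is what rejected the request."""
    m = UID_RE.search(message)
    return (int(m.group(1)), int(m.group(2))) if m else None


def diagnose(message: str) -> dict:
    """Summarise a denial; the last rule in the trail is the one that failed."""
    if not is_policy_denial(message):
        return {"denied": False}
    trail = rule_trail(message)
    failing_line, failing_rule = trail[-1] if trail else (None, None)
    name = NAME_RE.search(message)
    report = {
        "denied": True,
        "container": name.group(1) if name else None,
        "failing_rule": failing_rule,
        "policy_line": failing_line,
    }
    uids = uid_mismatch(message)
    if uids:
        report["input_uid"], report["policy_uid"] = uids
    return report


if __name__ == "__main__":
    # Run stand-alone: feed it the output of `kubectl describe pod <name>`.
    msg = extract_message(SAMPLE_DESCRIBE)
    print(diagnose(msg))
```

For the message in this issue the report names container uid2-operator, failing rule allow_user at policy line 544, input uid 1000 and policy uid 0; those two uid values are what has to be reconciled between the user the image actually runs as and the policy generated for it, and the policy line number points at the rule in the --print-policy output to compare against.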

Labels: Service Attention, bug, customer-reported