kubernetes.client.exceptions.ApiException: (422) #129
Comments
Hey, sorry for answering so late, I'll take a look
There currently is no command showing the version, but you can use
Thanks. I can now confirm it's illuminatio 1.4.0 :-)
I cannot reproduce the issue here (I only have a GKE 1.17 cluster readily available), can you rerun illuminatio with debug logging for me?
The error seems to depend on the netpols applied. I worked with this demo repo and applied the first three netpols described in the readme on a bare GKE 1.16 cluster (you could reproduce with the terraform script provided in the same repo). Please note the commit ID linked in the demo repo above, because the latest commit results in a different issue (#131). Find attached the output of
Hi @schnatterer, The attached log seems to be the result of another issue (most likely old runners/results were present). However the API exception could be related to the issue I discovered during #134. There was/is a problem that the name metadata for a port of a k8s service object is not mandatory for a single port, but is mandatory for multiple ports. I will try to verify my assumption later. If my assumption is correct, this issue will be fixed by #134 as well.
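The Service port naming rule mentioned in the comment above, as an added example that is not part of the thread or of illuminatio's code: a pre-flight check that reports the port-name problems the Kubernetes API server rejects with a 422 validation error. The function name and the sample manifests are constructed for illustration.

```python
import re

# RFC 1123 DNS label, the format Kubernetes requires for a Service port name.
DNS_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?")


def service_port_errors(service):
    """Return port-name problems in a Service manifest (dict), empty if none."""
    ports = service.get("spec", {}).get("ports") or []
    errors, seen = [], set()
    for i, port in enumerate(ports):
        name = port.get("name", "")
        field = f"spec.ports[{i}].name"
        if not name:
            # An unnamed port is only accepted when it is the Service's sole port.
            if len(ports) > 1:
                errors.append(f"{field}: required when a Service has more than one port")
            continue
        if len(name) > 63 or not DNS_LABEL.fullmatch(name):
            errors.append(f"{field}: {name!r} is not a valid DNS label")
        if name in seen:
            errors.append(f"{field}: duplicate name {name!r}")
        seen.add(name)
    return errors


# Constructed sample manifests (not taken from the issue or the demo repo).
SINGLE_UNNAMED = {"kind": "Service", "spec": {"ports": [{"port": 80}]}}
MULTI_UNNAMED = {"kind": "Service", "spec": {"ports": [{"port": 80}, {"port": 443}]}}
MULTI_DUPLICATE = {
    "kind": "Service",
    "spec": {"ports": [{"name": "http", "port": 80}, {"name": "http", "port": 8080}]},
}

if __name__ == "__main__":
    for label, manifest in [
        ("single unnamed", SINGLE_UNNAMED),
        ("multi unnamed", MULTI_UNNAMED),
        ("multi duplicate", MULTI_DUPLICATE),
    ]:
        print(label, service_port_errors(manifest) or "ok")
```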
I was not able to reproduce this issue using the "newest" version (version of PR #134), but I had to execute some steps of the demo repo manually since the old state used to use Helm2, so maybe I missed something, but at least all NetworkPolicies were applied. Please note that some of the current NetworkPolicies examples of your repo (https://github.com/cloudogu/k8s-security-demos/tree/master/2-network-policies) are still resulting in a failure for a yet unknown reason. I will create a follow-up issue to address this and further improve illuminatio using your examples!
Thanks for investigating this.
OK, I fixed a little something in my demos and can now provide more accurate steps on how to reproduce this error.
cd 2-network-policies
./apply.sh
kubectl apply -f network-policies/1-ingress-production-deny-all.yaml
kubectl apply -f network-policies/2-ingress-production-allow-traefik-nosqlclient.yaml
kubectl apply -f network-policies/3-ingress-production-allow-nosqlclient-mongo.yaml
kubectl apply -f network-policies/4-ingress-production-allow-prometheus-mongodb.yaml
kubectl apply -f network-policies/5-ingress-kube-system.yaml
kubectl apply -f network-policies/6-ingress-monitoring.yaml
kubectl apply -f network-policies/7-egress-default-and-production-namespace.yaml
# File 8 needs "templating" see README.md
ACTUAL_API_SERVER_ADDRESS=$(kubectl get endpoints --namespace default kubernetes --template="{{range .subsets}}{{range .addresses}}{{.ip}}{{end}}{{end}}")
cat network-policies/8-egress-other-namespaces.yaml \
| sed "s|APISERVER|${ACTUAL_API_SERVER_ADDRESS}/32|" \
| kubectl apply -f -
kubectl apply -f network-policies/9-egress-specific-ips-example.yaml
# The latest version built on 2021-03-08
docker run -ti -v ~/.kube/config:/kubeconfig:ro inovex/illuminatio@sha256:168eabe393f0ae114e4d58d8deee7ce69a0726dd894b91211e47e2b07501bf00 illuminatio clean run
The result is still the same as in the original posting as far as I can see
Is there any update to this?
I think this can be solved if the created illuminatio pods contain a ports field when they are created
Hi @aasyria, I am currently not actively working on this project anymore, but if you want to submit a PR I'll happily review it.
Tried this demo on a plain k8s 1.16 cluster on GKE.
Freshly installed illuminatio today, so I presume it's version 1.4.0 (BTW can I query the version via CLI?).
Did an illuminatio clean run which resulted in the following error.