
ingress's People

Contributors

agile6v, akx, aledbf, antoineco, aramase, asifdxtreme, bprashanth, caiyixiang, chentao11596, denisqsound, dependabot[bot], dmitry-j-mikhin, elvinefendi, esigo, gacko, gianrubio, jcmoraisjr, k8s-ci-robot, kundan2707, longwuyuan, nedvna, nicksardo, oilbeater, rikatz, saumyabhushan, strongjz, tao12345666333, tonglil, xdmitriev, z1cheng

ingress's Issues

Wallarm Ingress Controller container fails with a read only file system

Description

It is highly recommended to stick to $subject - CKV_K8S_22.

Wallarm Ingress Controller Helm chart allows us to set controller.containerSecurityContext.readOnlyRootFilesystem but this leads to container restarts due to application failures.

F0503 20:26:13.471636       7 ssl.go:390] unexpected error storing fake SSL Cert: could not create PEM certificate file
/etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem:
read-only file system

When an empty directory is set for container path /etc/ingress-controller/ssl along with a read only file system, we experience the following.

F0517 19:40:33.463422       9 main.go:138] Error creating prometheus collector:  listen unix /tmp/nginx/prometheus-nginx.socket: bind: read-only file system

Once the container path /tmp/nginx is set with an empty directory, we experience the following.

E0517 19:44:03.872256       7 queue.go:130] "requeuing" err="open /etc/nginx/opentracing.json: read-only file system" key="initial-sync"
I0517 19:44:03.872367       7 event.go:285] Event(v1.ObjectReference{Kind:"Pod", Namespace:"wallarm-ingress", Name:"wallarm-ingress-controller-5dc89958b4-49lnp",
UID:"9d1af921-212c-4e21-9723-d6614dce32cc", APIVersion:"v1", ResourceVersion:"17657554", FieldPath:""}): type: 'Warning' reason: 'RELOAD' Error reloading NGINX:
open /etc/nginx/opentracing.json: read-only file system
I0517 19:44:03.872770       7 status.go:84] "New leader elected" identity="wallarm-ingress-controller-5d6c8455cc-c9l6d"
I0517 19:44:07.202046       7 controller.go:190] "Configuration changes detected, backend reload required"
E0517 19:44:07.205390       7 controller.go:202] Unexpected failure reloading the backend:
open /etc/nginx/opentracing.json: read-only file system
...
E0517 19:45:00.542310       7 queue.go:130] "requeuing" err="open /etc/nginx/opentracing.json: read-only file system" key="neuvector/neuvector-svc-controller-whp8c"
I0517 19:45:00.542302       7 event.go:285] Event(v1.ObjectReference{Kind:"Pod", Namespace:"wallarm-ingress", Name:"wallarm-ingress-controller-5dc89958b4-49lnp",
UID:"9d1af921-212c-4e21-9723-d6614dce32cc", APIVersion:"v1", ResourceVersion:"17657554", FieldPath:""}): type: 'Warning' reason: 'RELOAD' Error reloading NGINX:
open /etc/nginx/opentracing.json: read-only file system
I0517 19:45:01.488782       7 sigterm.go:36] "Received SIGTERM, shutting down"
I0517 19:45:01.488823       7 nginx.go:380] "Shutting down controller queues"
I0517 19:45:01.504594       7 nginx.go:388] "Stopping admission controller"
E0517 19:45:01.504669       7 nginx.go:327] "Error listening for TLS connections" err="http: Server closed"
I0517 19:45:01.504682       7 nginx.go:396] "Stopping NGINX process"
2023/05/17 19:45:01 [notice] 36#36: signal process started
I0517 19:45:02.509588       7 nginx.go:409] "NGINX process has stopped"
I0517 19:45:02.509614       7 sigterm.go:44] Handled quit, delaying controller exit for 10 seconds
I0517 19:45:12.510504       7 sigterm.go:47] "Exiting" code=0

Request for details on the purpose of the Kubernetes API permissions attached to Wallarm Ingress Controller

Description

Wallarm team, can we please know the purpose of each Kubernetes API resource-action permission attached via the ClusterRole and Role?

This would help us identify which API permissions can be dropped based on our requirements (if feasible).

Important

We would especially like to understand the following.

  • Purpose of listing/watching cluster-wide secrets - ClusterRole

  • Why is it required to patch cluster-wide event resources as defined here?

Unhandled exception in fetching requests job due to list index out of range in wallarm-appstructure container

Description

We have noticed the following application error log in the wallarm-appstructure container of the wallarm-ingress-controller-wallarm-tarantool Kubernetes Deployment.

2023-05-23 13:08:55,710 INFO     wallarm-appstructure[1] Creating the new Wallarm API client (host: us1.api.wallarm.com, port: 443, ca_verify: True, Node version: (4, 6))
2023-05-23 13:08:55,710 INFO     wallarm-appstructure[1] Wallarm API observing job started
2023-05-23 13:09:55,766 INFO     wallarm-appstructure[1] Wallarm API: Fetching client's ID...
2023-05-23 13:09:56,023 INFO     wallarm-appstructure[1] Wallarm API: Client's ID -> 11332
2023-05-23 13:09:56,126 INFO     wallarm-appstructure[1] Fetching requests job started
2023-05-23 13:09:56,126 INFO     wallarm-appstructure[1] Creating the new Wallarm API client (host: us1.api.wallarm.com, port: 443, ca_verify: True, Node version: (4, 6))
2023-05-23 13:09:56,126 INFO     wallarm-appstructure[1] Upload statistic job started
2023-05-23 13:09:56,127 INFO     wallarm-appstructure[1] AppStructure Client's activity is enabled
2023-05-23 13:09:56,168 ERROR    wallarm-appstructure[1] Unhandled exception in fetching requests job: list index out of range
Traceback (most recent call last):
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/fetch_requests_job.py", line 54, in run
    self.process()
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/fetch_requests_job.py", line 80, in process
    self.stats.add_request(request, stats_logger=self.stats_logger)
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/stats_storage.py", line 60, in add_request
    request, self._stats[instance], stats_logger=stats_logger
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/request_preprocessor.py", line 111, in call
    for entry in request.entries():
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 264, in entries
    for entry in result.entries():
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 78, in entries
    for e in value.entries():
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 72, in entries
    types = cast(Dict[str, EntryParserT], self.value_types())
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 49, in value_types
    types = self.data[1][9]
IndexError: list index out of range
2023-05-23 13:09:57,169 INFO     wallarm-appstructure[1] Fetching requests job started
2023-05-23 13:09:57,171 ERROR    wallarm-appstructure[1] Unhandled exception in fetching requests job: list index out of range
Traceback (most recent call last):
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/fetch_requests_job.py", line 54, in run
    self.process()
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/fetch_requests_job.py", line 80, in process
    self.stats.add_request(request, stats_logger=self.stats_logger)
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/stats_storage.py", line 60, in add_request
    request, self._stats[instance], stats_logger=stats_logger
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/request_preprocessor.py", line 111, in call
    for entry in request.entries():
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 264, in entries
    for entry in result.entries():
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 78, in entries
    for e in value.entries():
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 72, in entries
    types = cast(Dict[str, EntryParserT], self.value_types())
  File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 49, in value_types
    types = self.data[1][9]
IndexError: list index out of range
2023-05-23 13:09:58,172 INFO     wallarm-appstructure[1] Fetching requests job started
2023-05-23 13:09:58,174 ERROR    wallarm-appstructure[1] Unhandled exception in fetching requests job: list index out of range
Traceback (most recent call last):

No container-level failures recorded.

Wallarm team, why do we experience the above?

Wallarm Ingress Controller Tarantool container fails with a read only file system

Description

It is highly recommended to stick to $subject - CKV_K8S_22.

Wallarm Ingress Controller Helm chart allows us to set controller.containerSecurityContext.readOnlyRootFilesystem but this leads to container restarts due to application failures.

2023-05-03 20:26:29.564 [1] main/101/init.lua C> Tarantool 1.10.14-0-g95447943d
2023-05-03 20:26:29.564 [1] main/101/init.lua C> log level 4
2023-05-03 20:26:29.575 [1] snapshot/101/main xlog.c:878 !> open, [./00000000000000000000.snap.inprogress]:
Read-only file system
2023-05-03 20:26:29.576 [1] main/101/init.lua F> failed to create a checkpoint
2023-05-03 20:26:29.575 [1] main/101/init.lua xlog.c:879 !> SystemError failed to create file
'./00000000000000000000.snap.inprogress': Read-only file system
2023-05-03 20:26:29.576 [1] main/101/init.lua F> failed to create a checkpoint

Use a non-root user with a high UID to avoid host conflict

Description

Suggesting $subject, as the current user with ID 101 is in violation of Kubernetes policy - https://docs.bridgecrew.io/docs/bc_k8s_37.

Container controller with user ID 10001

  • Can be set via Helm input value - controller.image.runAsUser
  • Container controller failure - container restarts are experienced

F0504 08:52:08.389642       8 ssl.go:390] unexpected error storing fake SSL Cert: could not create PEM certificate file
/etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem: permission denied

Related issue: kubernetes/ingress-nginx#4061

Container cron with user ID 10001

It was noticed that a connection failure doesn't resolve.

{"channel":"stdout","iteration":14,"job.command":"timeout 3h /opt/wallarm/ruby/usr/share/wallarm-common/export-metrics -l STDOUT",
"job.position":2,"job.schedule":"* * * * *","level":"info",
"msg":"2023-05-04 09:01:00 ERROR export-metrics[153]: Can't export metrics (Errno::ECONNREFUSED): Failed to open TCP connection to 127.0.0.1:10246 (Connection refused - connect(2)
for \"127.0.0.1\" port 10246)","time":"2023-05-04T09:01:00Z"}

Container collectd with user ID 10001

Connection failure doesn't resolve

[2023-05-04 08:46:28] curl_json plugin: curl_easy_perform failed with status 7: Failed to connect to 127.0.0.1 port 10246: Connection refused (http://127.0.0.1:10246/wallarm-status)
[2023-05-04 08:46:28] read-function of plugin `curl_json-wallarm_nginx-http://127.0.0.1:10246/wallarm-status' failed. Will suspend it for 20.000 seconds.
[2023-05-04 08:46:48] curl_json plugin: curl_easy_perform failed with status 7: Failed to connect to 127.0.0.1 port 10246: Connection refused (http://127.0.0.1:10246/wallarm-status)
[2023-05-04 08:46:48] read-function of plugin `curl_json-wallarm_nginx-http://127.0.0.1:10246/wallarm-status' failed. Will suspend it for 40.000 seconds.
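Every failure in the read-only-root-filesystem issue and in the high-UID issue above is a write into a path that lives in the container image: /etc/ingress-controller/ssl (ssl.go), /tmp/nginx (main.go) and /etc/nginx (queue.go and controller.go). The standard way to keep both hardening controls and still let the process write is to back each of those paths with a pod-scoped emptyDir volume, which any UID can write to. The following Deployment pod template is an added example, not code from the issue, the Wallarm chart or the ingress-nginx project: it keeps readOnlyRootFilesystem enabled and runs the controller as UID 10001. Names marked "assumed" are mine, the image reference is a placeholder, and the init container assumes the controller image contains a POSIX shell and cp.

```yaml
# Added example, not from the issue or the Wallarm chart. Keeps the two controls
# the issues ask for (read-only root fs, high non-root UID) and gives the
# controller a writable emptyDir at each path the issue logs show it writing.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wallarm-ingress-controller          # assumed
  namespace: wallarm-ingress                # namespace shown in the issue events
spec:
  selector:
    matchLabels:
      app: wallarm-ingress-controller       # assumed
  template:
    metadata:
      labels:
        app: wallarm-ingress-controller     # assumed
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001                    # high UID, as the issue proposes (bc_k8s_37)
        fsGroup: 10001                      # volumes become group-writable for this GID
      initContainers:
        # /etc/nginx ships in the image (templates, mime types, lua modules).
        # An emptyDir mounted over it would hide those files, so seed the volume
        # from the image before the controller starts. Assumes sh and cp exist.
        - name: seed-nginx-conf             # assumed
          image: CONTROLLER_IMAGE_PLACEHOLDER
          command: ["sh", "-c", "cp -R /etc/nginx/. /work/nginx/"]
          volumeMounts:
            - name: nginx-conf
              mountPath: /work/nginx
      containers:
        - name: controller                  # assumed
          image: CONTROLLER_IMAGE_PLACEHOLDER
          securityContext:
            readOnlyRootFilesystem: true    # CKV_K8S_22
          volumeMounts:
            - name: ssl-dir                 # ssl.go: default-fake-certificate.pem
              mountPath: /etc/ingress-controller/ssl
            - name: nginx-tmp               # main.go: prometheus-nginx.socket
              mountPath: /tmp/nginx
            - name: nginx-conf              # queue.go / controller.go: opentracing.json
              mountPath: /etc/nginx
      volumes:
        - name: ssl-dir
          emptyDir: {}
        - name: nginx-tmp
          emptyDir: {}
        - name: nginx-conf
          emptyDir: {}
```

In Helm terms the securityContext part is what the issues already set through controller.containerSecurityContext.readOnlyRootFilesystem and controller.image.runAsUser; the volumes, mounts and init container would go through the chart's extra-volume values, which I am assuming follow the ingress-nginx chart's controller.extraVolumes, controller.extraVolumeMounts and controller.extraInitContainers layout. Any other setting the chart places in the container security context stays as the chart sets it. After rolling this out, check that the controller pod stops restarting and that neither "read-only file system" nor "permission denied" appears in its log; any further path the controller writes to will surface the same way and gets the same treatment. The Tarantool container's checkpoint write (./00000000000000000000.snap.inprogress) needs a writable directory in the same way, but the page does not give its absolute working directory. Whether the cron and collectd refusals on 127.0.0.1:10246 clear once the controller container stays up is not shown on the page either; verify those two logs after the change.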
