NeuVector process hardening in 5.4.3 causes issues with custom image bases · Issue #1935 · neuvector/neuvector · GitHub
Disclaimer up front: This is not an issue when using the official dockerhub neuvector images.
In 1566650 there was a significant amount of changes to harden processes around the controller and other neuvector system containers. One specific process allow that changed was the healthprobe allow, which previously allowed cat from any process path. With the changes here cat is only allowed if it's specifically from /usr/bin/cat.
On "rebased image builds" of NeuVector such as Ironbank - cat may be provided from a different path or multicall binary (coreutils/busybox). In these cases the probes are blocked by the enforcer with logs like this (busybox):
2025-04-25T19:48:24.381|DEBU|AGT|probe.(*Probe).IsAllowedShieldProcess: SHD: - id=1ea58c91d3286c5ab569c2ede205150963d9f074239fcdfdaf719acd2ba24747 pid=17263 ppe=&{Name:cat Path:/usr/bin/busybox User:root Uid:0 Hash:[] Action:deny CfgType:0 CreatedAt:0001-01-01 00:00:00 +0000 UTC UpdatedAt:0001-01-01 00:00:00 +0000 UTC Uuid:00000000-0000-0000-0000-000000000000 DerivedGroup: AllowFileUpdate:false ProbeCmds:[]} proc=&{pname:runc ppath:/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc name:cat path:/usr/bin/busybox cmds:[cat /tmp/ready ] user:root pid:17263 ppid:17254 sid:1970 pgid:15722 ruid:0 euid:0 retry:0 inspectTimes:0 startTime:{wall:13977791853356992633 ext:29872800546 loc:0x4dc8fa0} lastScanTime:{wall:13977791853356992633 ext:29872800546 loc:0x4dc8fa0} scanTimes:0 reported:64 action:allow riskyChild:false riskType: execScanDone:false}
Or this (coreutils):
2025-04-25T20:45:14.319|DEBU|AGT|probe.(*Probe).IsAllowedShieldProcess: SHD: - id=c95d66a01fea6c59d66d10bcae084aacbde4025d0b35c3741085dfe05831aa07 pid=61161 ppe=&{Name:cat Path:/usr/bin/coreutils User:root Uid:0 Hash:[] Action:deny CfgType:0 CreatedAt:0001-01-01 00:00:00 +0000 UTC UpdatedAt:0001-01-01 00:00:00 +0000 UTC Uuid:00000000-0000-0000-0000-000000000000 DerivedGroup: AllowFileUpdate:false ProbeCmds:[]} proc=&{pname:runc ppath:/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc name:cat path:/usr/bin/coreutils cmds:[/usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat /tmp/ready ] user:root pid:61161 ppid:61152 sid:1966 pgid:59414 ruid:0 euid:0 retry:0 inspectTimes:0 startTime:{wall:13977795514742820424 ext:62744828455 loc:0x4ed7240} lastScanTime:{wall:13977795514742820424 ext:62744828455 loc:0x4ed7240} scanTimes:0 reported:64 action:allow riskyChild:false riskType: execScanDone:false}
If there were a way to allow-list certain processes on the controller this would provide a route to allow the different cat path, but I haven't found a route to do this. I am deploying via the helm chart on EKS if it is helpful.
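An added example, not NeuVector's own code: a small Go filter over enforcer debug lines in the shape quoted above. It pulls the matched rule's Name/Path/Action and the executed command out of each IsAllowedShieldProcess line and groups the denied `cat /tmp/ready` probes by the binary the multicall image actually ran, which is the quickest way to confirm from agent logs that a rebased image is hitting this rule. The three sample lines are constructed (shortened container ids, trimmed struct fields, and a made-up allow line as a control case).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample input in the shape of the enforcer lines quoted in the
// issue: ids shortened, fields trimmed, third line is a made-up allow case.
const sampleLogs = `2025-04-25T19:48:24.381|DEBU|AGT|probe.(*Probe).IsAllowedShieldProcess: SHD: - id=CONTAINER1 pid=17263 ppe=&{Name:cat Path:/usr/bin/busybox User:root Uid:0 Hash:[] Action:deny CfgType:0} proc=&{pname:runc name:cat path:/usr/bin/busybox cmds:[cat /tmp/ready ] user:root pid:17263}
2025-04-25T20:45:14.319|DEBU|AGT|probe.(*Probe).IsAllowedShieldProcess: SHD: - id=CONTAINER2 pid=61161 ppe=&{Name:cat Path:/usr/bin/coreutils User:root Uid:0 Hash:[] Action:deny CfgType:0} proc=&{pname:runc name:cat path:/usr/bin/coreutils cmds:[/usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat /tmp/ready ] user:root pid:61161}
2025-04-25T20:46:00.000|DEBU|AGT|probe.(*Probe).IsAllowedShieldProcess: SHD: - id=CONTAINER3 pid=70001 ppe=&{Name:cat Path:/usr/bin/cat Action:allow} proc=&{pname:runc name:cat path:/usr/bin/cat cmds:[cat /tmp/ready ] user:root pid:70001}`

// ShieldDecision keeps the rule the enforcer matched (Name/Path/Action) and
// the command line that was actually executed.
type ShieldDecision struct {
	Time, ContainerID, Name, Path, Action, Cmd string
}

var shieldRE = regexp.MustCompile(`^(\S+)\|DEBU\|AGT\|probe\.\(\*Probe\)\.IsAllowedShieldProcess: .*?id=(\S+) .*?ppe=&\{Name:(\S+) Path:(\S+).*?Action:(\w+).*?proc=&\{.*?cmds:\[(.*?)\]`)

// ParseShieldLine extracts the fields above; ok is false for any other line.
func ParseShieldLine(line string) (d ShieldDecision, ok bool) {
	m := shieldRE.FindStringSubmatch(line)
	if m == nil {
		return d, false
	}
	return ShieldDecision{m[1], m[2], m[3], m[4], m[5], strings.TrimSpace(m[6])}, true
}

// DeniedReadinessProbes returns denied "cat ... /tmp/ready" executions keyed
// by the binary path the image really ran (e.g. /usr/bin/busybox), so the
// mismatch against the /usr/bin/cat rule is visible at a glance.
func DeniedReadinessProbes(logs string) map[string][]ShieldDecision {
	byPath := map[string][]ShieldDecision{}
	for _, line := range strings.Split(logs, "\n") {
		d, ok := ParseShieldLine(line)
		if !ok || d.Action != "deny" || d.Name != "cat" {
			continue
		}
		if strings.Contains(d.Cmd, "/tmp/ready") {
			byPath[d.Path] = append(byPath[d.Path], d)
		}
	}
	return byPath
}

func main() {
	for path, hits := range DeniedReadinessProbes(sampleLogs) {
		fmt.Printf("%d readiness probe(s) denied: cat resolved to %s (%q in %s)\n",
			len(hits), path, hits[0].Cmd, hits[0].ContainerID)
	}
}
```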
neuvector/neuvector-helm#487 would potentially provide one avenue around this issue, although it's not the full solve as it just means the end user needs to change the probe to something that is allowed by the enforcer.
Potentially an alternative route here would also be to just expose a REST endpoint for /health and change the probe to not exec, bypassing some of this process logic? But I'm not sure timing-wise if that would work well compared to how/when the /tmp/ready file gets created today...