Skip to content

[🐛] kubernetes-monitor does not automatically delete project after deployment deletion despite logs indicating otherwise  #1537

New issue
Jump to bottom
New issue
Jump to bottom
Open
Open
[🐛] kubernetes-monitor does not automatically delete project after deployment deletion despite logs indicating otherwise #1537
@Aeternitaas

Description

@Aeternitaas
Aeternitaas
opened on Oct 16, 2024
  • Version 2.16.0
  • Running on AWS EKS
  • Enterprise Plan

Expected behaviour

According to this documentation, there is a closed beta feature that says Snyk Projects should automatically be imported/deleted when a Deployment is created/deleted when running on an Enterprise plan.

Actual behaviour

The Snyk Project is imported perfectly fine upon creation of a new Kubernetes Deployment, however the deletion feature isn't working as intended. When a Kubernetes Deployment is deleted, the snyk-monitor kubectl logs reports:

snyk-monitor-xxx snyk-monitor {"name":"kubernetes-monitor","hostname":"snyk-monitor-xxx","pid":7,"level":30,"workloadName":"debug-deployment","workload":{"type":"Deployment","name":"debug deployment","namespace":"default"},"msg":"removing workloads from upstream","time":"2024-10-16T18:40:17.337Z","v":0}
snyk-monitor-xxx snyk-monitor {"name":"kubernetes-monitor","hostname":"snyk-monitor-xxx","pid":7,"level":30,"workloadLocator":{"type":"Deployment","name":"debug-deployment","namespace":"default","userLocator":"INTEGRATION_ID","cluster":"test-cluster"},"attempt":1,"msg":"workload deleted successfully","time":"2024-10-16T18:40:17.676Z","v":0}

Steps to reproduce

  1. Create a namespace called security if it isn't already created
  2. Install version 2.16.0 of the kubernetes-monitor with Helm. Rename the deployment to snyk-monitor and deploy it to the security namespace.
  3. Use the following ConfigMaps and attach it to the snyk-monitor deployment:
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: snyk-monitor-excluded-namespaces
  namespace: security
  labels:
    app.kubernetes.io/name: snyk-monitor
    helm.sh/chart: snyk-monitor-2.16.0
    app.kubernetes.io/instance: snyk-monitor
    app.kubernetes.io/managed-by: Helm
data:
  excludedNamespaces: |-
    kube-node-lease
    kube-public
    kube-system
    admin
    security
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: snyk-monitor-workload-policies
  namespace: security
  labels:
    app.kubernetes.io/name: snyk-monitor
    helm.sh/chart: snyk-monitor-2.16.0
    app.kubernetes.io/instance: snyk-monitor
    app.kubernetes.io/managed-by: Helm
data:
  workload-events.rego: |-
    package snyk

    orgs := ["<ADD_YOUR_ORG_ID_HERE>"]

    default workload_events = false

    workload_events {
      input.kind != "Job"
      input.kind != "Pod"
    }
  1. Create a test deployment with a vulnerability and wait for Snyk to create a Project.
  2. Verify that the Snyk Project has been created.
  3. Delete the Deployment and verify that the Project has not been deleted.

Screenshots

None

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions