
Aquasec drift prevention blocks execution of inventory script on the automation job pod #15428

HarishAmeen opened this issue Aug 8, 2024 · 0 comments

HarishAmeen commented Aug 8, 2024

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that AWX is open source software provided for free and that I might not receive a timely response.
  • I am NOT reporting a (potential) security vulnerability. (These should be emailed to [email protected] instead.)

Bug Summary

Hi Team,

In our Kubernetes cluster (based on AKS), Aquasec enforcers are deployed which have the Drift Prevention policy "prevent running executable not in original image" enabled. Due to this, whenever any job template is triggered that uses our Azure inventory (or the Demo Inventory), it fails at the step where the inventory is parsed, and the error below is shown in the job stdout.

[WARNING]:  * Failed to parse /runner/inventory/hosts with script plugin:
problem running /runner/inventory/hosts --list ([Errno 13] Permission denied:
'/runner/inventory/hosts')
[WARNING]:  * Failed to parse /runner/inventory/hosts with yaml plugin: We were
unable to read either as JSON nor YAML, these are the errors we got from each:
JSON: Expecting value: line 1 column 1 (char 0)  Syntax Error while loading
YAML.   did not find expected key  The error appears to be in
'/runner/inventory/hosts': line 3, column 40, but may be elsewhere in the file
depending on the exact syntax problem.  The offending line appears to be:  #
-*- coding: utf-8 -*- print('{"all": {"hosts": ["localhost"]}, "_meta":
{"hostvars": {"localhost": {"ansible_connection": "local",
"ansible_python_interpreter": "{{ ansible_playbook_python }}",
"remote_host_enabled": "true", "remote_host_id": 1, "remote_tower_enabled":
"true", "remote_tower_id": 1}}}}')                                        ^
here We could be wrong, but this one looks like it might be an issue with
missing quotes. Always quote template expression brackets when they start a
value. For instance:      with_items:       - {{ foo }}  Should be written as:
with_items:       - "{{ foo }}"
[WARNING]:  * Failed to parse /runner/inventory/hosts with ini plugin: host
range must be begin:end or begin:end:step
[WARNING]: Unable to parse /runner/inventory/hosts as an inventory source
ERROR! No inventory was parsed, please check your configuration and options.

Below is the corresponding policy violation seen when AWX tries to execute the job within the automation pod container. Since we have policy to block any script execution on the container which is not part of the original image, do we have any options within AWX to address this?

[screenshot of the Aquasec policy violation; image not included in the text]

I believe this is expected, as job-specific private data is copied to the pod under the /runner path after the automation pod is created; however, Aquasec in our case is blocking the running of executables from this path, as these executables (/runner/inventory/hosts --list) are not part of the original EE image.

Thanks,
Harish

AWX version

24.6.1

Select the relevant components

  • UI
  • UI (tech preview)
  • API
  • Docs
  • Collection
  • CLI
  • Other

Installation method

kubernetes

Modifications

no

Ansible version

ansible [core 2.15.12]

Operating system

Ubuntu worker nodes

Web browser

Chrome, Edge

Steps to reproduce

Deploy the Aquasec enforcers on the kubernetes cluster (refer - https://github.com/aquasecurity/deployments/tree/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer) and enable "drift prevention" policy to "prevent running executable not in original image" and trigger any test job template that uses regular or localhost inventory inside AWX.

Expected results

Job template to run without being blocked by the Aquasec policy, even though AWX transmits job-specific data to the EE pod it has triggered.

Actual results

Job template launch fails with "permission denied" from the script plugin, with the error: problem running /runner/inventory/hosts --list ([Errno 13] Permission denied:
'/runner/inventory/hosts')

Additional information

No response
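The three plugin warnings in the job output all follow from one denied exec: AWX writes the inventory as a small Python program that prints JSON, Ansible's script plugin tries to run it, and once that fails the yaml and ini plugins are handed Python source they cannot parse. The following is an added illustration written for this page, not AWX or Ansible code. It models that fallback chain on a constructed copy of the generated script, reproduces the "[Errno 13]" and "Expecting value: line 1 column 1 (char 0)" messages, and shows that the same inventory written as a static JSON file is accepted without any execution. The `exec_allowed` flag stands in for the enforcer's decision; the plugin behaviour is an approximation (JSON only, no PyYAML).

```python
"""Model of Ansible's inventory-plugin fallback on an AWX-style generated
inventory script. Constructed example for this page, not AWX or Ansible code."""
import errno
import json
import os
import stat
import subprocess
import sys
import tempfile

# Constructed: the inventory the generated script prints (trimmed copy of the
# localhost entry quoted in the job output).
INVENTORY_DATA = {
    "all": {"hosts": ["localhost"]},
    "_meta": {"hostvars": {"localhost": {"ansible_connection": "local"}}},
}

# Constructed: a generated inventory script of the same shape as the one in the
# report (a Python program that prints JSON when run with --list).
INVENTORY_SCRIPT = "#!%s\n# -*- coding: utf-8 -*-\nprint(%r)\n" % (
    sys.executable, json.dumps(INVENTORY_DATA))


def write_script(directory):
    """Drop the script under a private data dir, executable, as AWX does."""
    path = os.path.join(directory, "hosts")
    with open(path, "w") as f:
        f.write(INVENTORY_SCRIPT)
    os.chmod(path, stat.S_IRWXU)
    return path


def write_static(directory):
    """The same inventory as a plain JSON file (JSON is valid YAML)."""
    path = os.path.join(directory, "hosts.json")
    with open(path, "w") as f:
        json.dump(INVENTORY_DATA, f)
    return path


def script_plugin(path, exec_allowed):
    """Like Ansible's 'script' plugin: run `<path> --list`, parse its stdout.
    exec_allowed=False models a drift-prevention enforcer denying the exec;
    Ansible then reports the same EACCES the kernel would return."""
    if not exec_allowed:
        err = PermissionError(errno.EACCES, os.strerror(errno.EACCES), path)
        return None, "problem running %s --list (%s)" % (path, err)
    out = subprocess.run([path, "--list"], capture_output=True, text=True, check=True)
    return json.loads(out.stdout), None


def yaml_plugin(path):
    """Approximation of the 'yaml' plugin: the file must parse as JSON/YAML
    (JSON only here, to avoid a PyYAML dependency)."""
    with open(path) as f:
        text = f.read()
    try:
        return json.loads(text), None
    except json.JSONDecodeError as e:
        return None, "JSON: %s: line %d column %d (char %d)" % (
            e.msg, e.lineno, e.colno, e.pos)


def parse_inventory(path, exec_allowed=True):
    """Fallback chain (script, then yaml). Returns (host list, warnings)."""
    warnings = []
    plugins = [("yaml", yaml_plugin)]
    if os.access(path, os.X_OK):  # the script plugin only claims executable files
        plugins.insert(0, ("script", lambda p: script_plugin(p, exec_allowed)))
    for name, plugin in plugins:
        data, err = plugin(path)
        if data is not None:
            return sorted(data["all"]["hosts"]), warnings
        warnings.append("Failed to parse %s with %s plugin: %s" % (path, name, err))
    warnings.append("Unable to parse %s as an inventory source" % path)
    return [], warnings


def demo():
    """Blocked exec of the script vs. the static file; returns both outcomes."""
    with tempfile.TemporaryDirectory() as d:
        blocked = parse_inventory(write_script(d), exec_allowed=False)
        static = parse_inventory(write_static(d))
    return blocked, static


if __name__ == "__main__":
    for label, (hosts, warns) in zip(("blocked", "static"), demo()):
        print(label, hosts)
        for w in warns:
            print("  [WARNING]:", w)
```

Running `demo()` yields an empty host list plus the script, yaml and "Unable to parse" warnings for the blocked case, and `["localhost"]` with no warnings for the static file. Passing `exec_allowed=True` to `parse_inventory` actually executes the constructed script. Whether AWX can hand the execution environment a pre-rendered static inventory instead of an executable under /runner is exactly the question the report leaves open; the model only shows why the static form sidesteps the policy.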
