# neuvector-security
q
Hey Kareem! This should work… When you say you see the CRD in the UI, you mean you see the rules marked with the red CRD label, or something else? Is it just the rules that aren't working?
c
Looks like I sent the wrong CRD. I meant to send a different example. The target on the CRD is
target:
    policymode: Monitor
    selector:
      comment: ""
      criteria:
      - key: domain
        op: =
        value: site-primary
      - key: service
        op: =
        value: canton-participant.site-primary
      name: nv.canton-participant.site-primary
      original_name: ""
I can see the CRD in the groups. I also see a group that this should be applying to, but the policy doesn't seem to be there. The policy mode for this policy should be monitor. Not discover
q
can you do a
kubectl get nvsecurityrules -n site-primary
and see if there are any other CRDs in there? I wonder if there is some conflict. what you have here looks to me like it should work
c
$ kubectl get nvsecurityrules -n site-primary
NAME                                 AGE
canton-domain.site-primary           3h43m
canton-ledger-pruner.site-primary    3h43m
canton-participant.site-primary      3h43m
q
do those other 2 work OK?
c
yep
q
and can you do
kubectl get nvclustersecurityrule.neuvector.com
I think the one without the NV might be a non namespaced custom group. You can’t set a mode on those, so it shouldn’t matter that it is there
but that is what that upper box probably is coming from
just to confirm
trying to recreate the behavior you are seeing with the modes, but can’t seem to get the mode stuck in discover when specifying Monitor on the CRD.
c
Got distracted. It's not a cluster rule. I don't have any.
q
I copied your target, and just changed the name to match a NS/pod on my cluster and it matched and changed the mode OK. Those custom groups marked as CRD, I don’t understand where they are coming from if you have no custom group CRDs
I asked the support guys to check this thread and see if I am just missing something obvious, but maybe tomorrow it is worth opening a case. From what you showed here, you are doing it correctly
c
Thanks for looking
q
I was able to test the zero drift with extra policy allows, and it does seem to work for me. I get the not parent process violation, and if I add the process to the list, I stop getting alerts. So I will dig into it a little more.
sorry misfire 🙂