Merge pull request #709 from Ankurk99/main

KubeArmor support for un-orchestrated containers

KubeArmor/Makefile

@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: Apache-2.0
-# Copyright 2021 Authors of KubeArmor
+# Copyright 2022 Authors of KubeArmor
 
 CURDIR          := $(shell pwd)
 CRDDIR          := $(realpath $(CURDIR)/../deployments/CRD)
@@ -43,7 +43,12 @@ run: build
 	cd $(CURDIR); sudo rm -f /tmp/kubearmor.log
 	cd $(CURDIR)/BPF; make clean
 	cd $(CURDIR)/BPF; make
-	cd $(CURDIR); sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableKubeArmorPolicy=true -enableKubeArmorHostPolicy=true -hostVisibility=process,file,network,capabilities
+	cd $(CURDIR); sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableKubeArmorPolicy -enableKubeArmorHostPolicy -hostVisibility=process,file,network,capabilities
+
+.PHONY: run-container
+run-container: build
+	cd $(CURDIR); sudo rm -f /tmp/kubearmor.log
+	cd $(CURDIR); sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableKubeArmorHostPolicy -enableKubeArmorPolicy -k8s=false
 
 .PHONY: run-host-only
 run-host-only: build

KubeArmor/common/common.go

@@ -383,9 +383,15 @@ var ContainerRuntimeSocketMap = map[string][]string{
 
 // GetCRISocket Function
 func GetCRISocket(ContainerRuntime string) string {
-	for _, candidate := range ContainerRuntimeSocketMap[ContainerRuntime] {
-		if _, err := os.Stat(candidate); err == nil {
-			return candidate
+	for k := range ContainerRuntimeSocketMap {
+		if ContainerRuntime != "" && k != ContainerRuntime {
+			continue
+		}
+		criruntime := k
+		for _, candidate := range ContainerRuntimeSocketMap[criruntime] {
+			if _, err := os.Stat(candidate); err == nil {
+				return candidate
+			}
 		}
 	}
 	return ""
@@ -414,7 +420,7 @@ func MatchIdentities(identities []string, superIdentities []string) bool {
 		return false
 	}
 
-	// if super identities not include indentity, return false
+	// if super identities not include identity, return false
 	for _, identity := range identities {
 		if !ContainsElement(superIdentities, identity) {
 			matched = false

KubeArmor/core/dockerHandler.go

@@ -170,6 +170,34 @@ func (dh *DockerHandler) GetEventChannel() <-chan events.Message {
 // == Docker Events == //
 // =================== //
 
+// Enable visibility flag arguments for un-orchestrated container
+func (dm *KubeArmorDaemon) SetContainerVisibility(containerID string) {
+
+	// get container information from docker client
+	container, err := Docker.GetContainerInfo(containerID)
+	if err != nil {
+		return
+	}
+
+	if strings.Contains(cfg.GlobalCfg.Visibility, "process") {
+		container.ProcessVisibilityEnabled = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "file") {
+		container.FileVisibilityEnabled = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "network") {
+		container.NetworkVisibilityEnabled = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "capabilities") {
+		container.CapabilitiesVisibilityEnabled = true
+	}
+
+	dm.Containers[container.ContainerID] = container
+
+	container.EndPointName = container.ContainerName
+	container.NamespaceName = "container_namespace"
+}
+
 // GetAlreadyDeployedDockerContainers Function
 func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 	// check if Docker exists else instantiate
@@ -237,6 +265,13 @@ func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 					continue
 				}
 
+				// check for unorchestrated docker containers
+				if !dm.K8sEnabled {
+					dm.ContainersLock.Lock()
+					dm.SetContainerVisibility(dcontainer.ID)
+					dm.ContainersLock.Unlock()
+				}
+
 				if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
 					// update NsMap
 					dm.SystemMonitor.AddContainerIDToNsMap(container.ContainerID, container.PidNS, container.MntNS)
@@ -318,6 +353,12 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
 			return
 		}
 
+		if !dm.K8sEnabled {
+			dm.ContainersLock.Lock()
+			dm.SetContainerVisibility(containerID)
+			dm.ContainersLock.Unlock()
+		}
+
 		if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
 			// update NsMap
 			dm.SystemMonitor.AddContainerIDToNsMap(containerID, container.PidNS, container.MntNS)

KubeArmor/core/kubeArmor.go

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright 2021 Authors of KubeArmor
+// Copyright 2022 Authors of KubeArmor
 
 package core
 
@@ -311,6 +311,12 @@ func GetOSSigChannel() chan os.Signal {
 	return c
 }
 
+// Trim sock file location from the env variable
+func trimmedSocketPath() string {
+	trimmedPath := strings.TrimPrefix(cfg.GlobalCfg.CRISocket, "unix://")
+	return trimmedPath
+}
+
 // ========== //
 // == Main == //
 // ========== //
@@ -412,6 +418,7 @@ func KubeArmor() {
 
 	// == //
 
+	// Containerized workloads with Host
 	if cfg.GlobalCfg.Policy || cfg.GlobalCfg.HostPolicy {
 		// initialize system monitor
 		if !dm.InitSystemMonitor() {
@@ -428,8 +435,6 @@ func KubeArmor() {
 		go dm.MonitorSystemEvents()
 		dm.Logger.Print("Started to monitor system events")
 
-		// == //
-
 		// initialize runtime enforcer
 		if !dm.InitRuntimeEnforcer() {
 			dm.Logger.Print("Disabled KubeArmor Enforcer since No LSM is enabled")
@@ -446,12 +451,44 @@ func KubeArmor() {
 		}
 	}
 
-	// == //
+	trimmedSocket := trimmedSocketPath()
+
+	// Un-orchestrated workloads
+	if !dm.K8sEnabled && cfg.GlobalCfg.Policy {
+
+		// Check if cri socket set, if not then auto detect
+		if cfg.GlobalCfg.CRISocket == "" {
+			if kl.GetCRISocket("") == "" {
+				dm.Logger.Warnf("Error while looking for CRI socket file")
+			} else {
+				cfg.GlobalCfg.CRISocket = "unix://" + kl.GetCRISocket("")
+				// update the value of trimmed socket path when the cfg.GlobalCfg.CRISocket is not set
+				trimmedSocket = trimmedSocketPath()
+			}
+		}
+
+		// monitor containers
+		if strings.Contains(cfg.GlobalCfg.CRISocket, "docker") {
+			// update already deployed containers
+			dm.GetAlreadyDeployedDockerContainers()
+			// monitor docker events
+			go dm.MonitorDockerEvents()
+		} else if strings.Contains(cfg.GlobalCfg.CRISocket, "containerd") {
+			// monitor containerd events
+			go dm.MonitorContainerdEvents()
+		} else if strings.Contains(cfg.GlobalCfg.CRISocket, "crio") {
+			// monitor crio events
+			go dm.MonitorCrioEvents()
+		} else {
+			dm.Logger.Warnf("Failed to monitor containers: %s is not a supported CRI socket.", cfg.GlobalCfg.CRISocket)
+		}
+
+		dm.Logger.Printf("Using %s for monitoring containers", cfg.GlobalCfg.CRISocket)
+	}
 
 	if dm.K8sEnabled && cfg.GlobalCfg.Policy {
 		// check if the CRI socket set while executing kubearmor exists
 		if cfg.GlobalCfg.CRISocket != "" {
-			trimmedSocket := strings.TrimPrefix(cfg.GlobalCfg.CRISocket, "unix://")
 			if _, err := os.Stat(trimmedSocket); err != nil {
 				dm.Logger.Warnf("Error while looking for CRI socket file: %s", err.Error())
 
@@ -479,7 +516,7 @@ func KubeArmor() {
 				return
 			}
 
-			dm.Logger.Printf("Using %s for monitoring containers.", cfg.GlobalCfg.CRISocket)
+			dm.Logger.Printf("Using %s for monitoring containers", cfg.GlobalCfg.CRISocket)
 
 		} else { // CRI socket not set, we'll have to auto detect
 			dm.Logger.Print("CRI socket not set. Trying to detect.")
@@ -577,8 +614,16 @@ func KubeArmor() {
 		dm.Logger.Print("Started to monitor host security policies")
 	}
 
+	policyService := &policy.ServiceServer{}
+
+	if !dm.K8sEnabled && cfg.GlobalCfg.Policy {
+		if _, err := os.Stat(trimmedSocket); err == nil {
+			policyService.UpdateContainerPolicy = dm.ParseAndUpdateContainerSecurityPolicy
+			dm.Logger.Print("Started to monitor container security policies on gRPC")
+		}
+	}
+
 	if !cfg.GlobalCfg.K8sEnv && cfg.GlobalCfg.HostPolicy {
-		policyService := &policy.ServiceServer{}
 		policyService.UpdateHostPolicy = dm.ParseAndUpdateHostSecurityPolicy
 		dm.Node.PolicyEnabled = tp.KubeArmorPolicyEnabled