address review comments

Signed-off-by: Ankur Kothiwal <[email protected]>

KubeArmor/Makefile

@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: Apache-2.0
-# Copyright 2021 Authors of KubeArmor
+# Copyright 2022 Authors of KubeArmor
 
 CURDIR          := $(shell pwd)
 CRDDIR          := $(realpath $(CURDIR)/../deployments/CRD)
@@ -43,7 +43,7 @@ run: build
 	cd $(CURDIR); sudo rm -f /tmp/kubearmor.log
 	cd $(CURDIR)/BPF; make clean
 	cd $(CURDIR)/BPF; make
-	cd $(CURDIR); sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableKubeArmorPolicy=true -enableKubeArmorHostPolicy=true -hostVisibility=process,file,network,capabilities
+	cd $(CURDIR); sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableKubeArmorPolicy -enableKubeArmorHostPolicy -hostVisibility=process,file,network,capabilities
 
 .PHONY: run-container
 run-container: build

KubeArmor/common/common.go

@@ -383,9 +383,15 @@ var ContainerRuntimeSocketMap = map[string][]string{
 
 // GetCRISocket Function
 func GetCRISocket(ContainerRuntime string) string {
-	for _, candidate := range ContainerRuntimeSocketMap[ContainerRuntime] {
-		if _, err := os.Stat(candidate); err == nil {
-			return candidate
+	for k := range ContainerRuntimeSocketMap {
+		if ContainerRuntime != "" && k != ContainerRuntime {
+			continue
+		}
+		criruntime := k
+		for _, candidate := range ContainerRuntimeSocketMap[criruntime] {
+			if _, err := os.Stat(candidate); err == nil {
+				return candidate
+			}
 		}
 	}
 	return ""

KubeArmor/core/dockerHandler.go

@@ -170,6 +170,34 @@ func (dh *DockerHandler) GetEventChannel() <-chan events.Message {
 // == Docker Events == //
 // =================== //
 
+// Enable visibility flag arguments for un-orchestrated container
+func (dm *KubeArmorDaemon) SetContainerVisibility(containerID string) {
+
+	// get container information from docker client
+	container, err := Docker.GetContainerInfo(containerID)
+	if err != nil {
+		return
+	}
+
+	if strings.Contains(cfg.GlobalCfg.Visibility, "process") {
+		container.ProcessVisibilityEnabled = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "file") {
+		container.FileVisibilityEnabled = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "network") {
+		container.NetworkVisibilityEnabled = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "capabilities") {
+		container.CapabilitiesVisibilityEnabled = true
+	}
+
+	dm.Containers[container.ContainerID] = container
+
+	container.EndPointName = container.ContainerName
+	container.NamespaceName = "container_namespace"
+}
+
 // GetAlreadyDeployedDockerContainers Function
 func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 	// check if Docker exists else instantiate
@@ -240,12 +268,7 @@ func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 				// check for unorchestrated docker containers
 				if !dm.K8sEnabled {
 					dm.ContainersLock.Lock()
-					container.ProcessVisibilityEnabled = true
-					container.FileVisibilityEnabled = true
-					container.NetworkVisibilityEnabled = true
-					container.CapabilitiesVisibilityEnabled = true
-
-					dm.Containers[container.ContainerID] = container
+					dm.SetContainerVisibility(dcontainer.ID)
 					dm.ContainersLock.Unlock()
 				}
 
@@ -332,14 +355,7 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
 
 		if !dm.K8sEnabled {
 			dm.ContainersLock.Lock()
-			container.ProcessVisibilityEnabled = true
-			container.FileVisibilityEnabled = true
-			container.NetworkVisibilityEnabled = true
-			container.CapabilitiesVisibilityEnabled = true
-			container.EndPointName = container.ContainerName
-			container.NamespaceName = "container_namespace"
-
-			dm.Containers[container.ContainerID] = container
+			dm.SetContainerVisibility(containerID)
 			dm.ContainersLock.Unlock()
 		}
 

KubeArmor/core/kubeArmor.go

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright 2021 Authors of KubeArmor
+// Copyright 2022 Authors of KubeArmor
 
 package core
 
@@ -311,27 +311,10 @@ func GetOSSigChannel() chan os.Signal {
 	return c
 }
 
-// ======================= //
-// == Container runtime == //
-// ======================= //
-
-// host container runtime available in case of containerized workloads
-func hostContainerRuntime() (string, string) {
-	var sockFile, sockPath string
-	if _, err := os.Stat("/var/run/docker.sock"); err == nil {
-		sockFile = "docker"
-		sockPath = "/var/run/docker.sock"
-	} else if _, err := os.Stat("/var/run/containerd/containerd.sock"); err == nil {
-		sockFile = "containerd"
-		sockPath = "/var/run/containerd/containerd.sock"
-	} else if _, err := os.Stat("/var/run/crio/crio.sock"); err == nil {
-		sockFile = "crio"
-		sockPath = "/var/run/crio/crio.sock"
-	} else {
-		sockFile = "unavailable"
-		sockPath = "unavailable"
-	}
-	return sockFile, sockPath
+// Trim sock file location from the env variable
+func trimmedSocketPath() string {
+	trimmedPath := strings.TrimPrefix(cfg.GlobalCfg.CRISocket, "unix://")
+	return trimmedPath
 }
 
 // ========== //
@@ -437,7 +420,6 @@ func KubeArmor() {
 
 	// Containerized workloads with Host
 	if cfg.GlobalCfg.Policy || cfg.GlobalCfg.HostPolicy {
-
 		// initialize system monitor
 		if !dm.InitSystemMonitor() {
 			dm.Logger.Err("Failed to initialize KubeArmor Monitor")
@@ -453,8 +435,6 @@ func KubeArmor() {
 		go dm.MonitorSystemEvents()
 		dm.Logger.Print("Started to monitor system events")
 
-		// == //
-
 		// initialize runtime enforcer
 		if !dm.InitRuntimeEnforcer() {
 			dm.Logger.Print("Disabled KubeArmor Enforcer since No LSM is enabled")
@@ -471,50 +451,44 @@ func KubeArmor() {
 		}
 	}
 
-	// == //
+	trimmedSocket := trimmedSocketPath()
 
+	// Un-orchestrated workloads
 	if !dm.K8sEnabled && cfg.GlobalCfg.Policy {
-		// check if the CRI socket set while executing kubearmor exists
-		if cfg.GlobalCfg.CRISocket != "" {
-			trimmedSocket := strings.TrimPrefix(cfg.GlobalCfg.CRISocket, "unix://")
-			if _, err := os.Stat(trimmedSocket); err != nil {
-				dm.Logger.Warnf("Error while looking for CRI socket file: %s", err.Error())
+
+		// Check if cri socket set, if not then auto detect
+		if cfg.GlobalCfg.CRISocket == "" {
+			if kl.GetCRISocket("") == "" {
+				dm.Logger.Warnf("Error while looking for CRI socket file")
+			} else {
+				cfg.GlobalCfg.CRISocket = "unix://" + kl.GetCRISocket("")
+				// update the value of trimmed socket path when the cfg.GlobalCfg.CRISocket is not set
+				trimmedSocket = trimmedSocketPath()
 			}
 		}
-		cri, criPath := hostContainerRuntime()
-		if cri == "docker" {
-			if cfg.GlobalCfg.CRISocket == "" {
-				cfg.GlobalCfg.CRISocket = "unix://" + criPath
-			}
+
+		// monitor containers
+		if strings.Contains(cfg.GlobalCfg.CRISocket, "docker") {
 			// update already deployed containers
 			dm.GetAlreadyDeployedDockerContainers()
-
 			// monitor docker events
 			go dm.MonitorDockerEvents()
-
-		} else if cri == "containerd" {
-			if cfg.GlobalCfg.CRISocket == "" {
-				cfg.GlobalCfg.CRISocket = "unix://" + criPath
-			}
+		} else if strings.Contains(cfg.GlobalCfg.CRISocket, "containerd") {
 			// monitor containerd events
 			go dm.MonitorContainerdEvents()
-
-		} else if cri == "crio" {
-			if cfg.GlobalCfg.CRISocket == "" {
-				cfg.GlobalCfg.CRISocket = "unix://" + criPath
-			}
-			// monitor cri-o events
+		} else if strings.Contains(cfg.GlobalCfg.CRISocket, "crio") {
+			// monitor crio events
 			go dm.MonitorCrioEvents()
-
-		} else if cri == "unavailable" {
-			dm.Logger.Warnf("Failed to monitor containers. Unsupported container runtime")
+		} else {
+			dm.Logger.Warnf("Failed to monitor containers: %s is not a supported CRI socket.", cfg.GlobalCfg.CRISocket)
 		}
+
+		dm.Logger.Printf("Using %s for monitoring containers", cfg.GlobalCfg.CRISocket)
 	}
 
 	if dm.K8sEnabled && cfg.GlobalCfg.Policy {
 		// check if the CRI socket set while executing kubearmor exists
 		if cfg.GlobalCfg.CRISocket != "" {
-			trimmedSocket := strings.TrimPrefix(cfg.GlobalCfg.CRISocket, "unix://")
 			if _, err := os.Stat(trimmedSocket); err != nil {
 				dm.Logger.Warnf("Error while looking for CRI socket file: %s", err.Error())
 
@@ -542,7 +516,7 @@ func KubeArmor() {
 				return
 			}
 
-			dm.Logger.Printf("Using %s for monitoring containers.", cfg.GlobalCfg.CRISocket)
+			dm.Logger.Printf("Using %s for monitoring containers", cfg.GlobalCfg.CRISocket)
 
 		} else { // CRI socket not set, we'll have to auto detect
 			dm.Logger.Print("CRI socket not set. Trying to detect.")
@@ -642,6 +616,13 @@ func KubeArmor() {
 
 	policyService := &policy.ServiceServer{}
 
+	if !dm.K8sEnabled && cfg.GlobalCfg.Policy {
+		if _, err := os.Stat(trimmedSocket); err == nil {
+			policyService.UpdateContainerPolicy = dm.ParseAndUpdateContainerSecurityPolicy
+			dm.Logger.Print("Started to monitor container security policies on gRPC")
+		}
+	}
+
 	if !cfg.GlobalCfg.K8sEnv && cfg.GlobalCfg.HostPolicy {
 		policyService.UpdateHostPolicy = dm.ParseAndUpdateHostSecurityPolicy
 		dm.Node.PolicyEnabled = tp.KubeArmorPolicyEnabled
@@ -650,13 +631,6 @@ func KubeArmor() {
 		reflection.Register(dm.Logger.LogServer)
 
 		dm.Logger.Print("Started to monitor host security policies on gRPC")
-
-	}
-
-	if !dm.K8sEnabled && cfg.GlobalCfg.Policy {
-		policyService.UpdateContainerPolicy = dm.ParseAndUpdateContainerSecurityPolicy
-
-		dm.Logger.Print("Started to monitor container security policies on gRPC")
 	}
 
 	// serve log feeds

KubeArmor/policy/policy.go

@@ -15,38 +15,38 @@ import (
 // ServiceServer provides structure to serve Policy gRPC service
 type ServiceServer struct {
 	pb.PolicyServiceServer
-	UpdateHostPolicy      func(tp.K8sKubeArmorHostPolicyEvent)
 	UpdateContainerPolicy func(tp.K8sKubeArmorPolicyEvent)
+	UpdateHostPolicy      func(tp.K8sKubeArmorHostPolicyEvent)
 }
 
-// HostPolicy accepts host policy event on gRPC service and updates host security policies. It responds with 1 if success else 0.
-func (p *ServiceServer) HostPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) {
-	policyEvent := tp.K8sKubeArmorHostPolicyEvent{}
+// ContainerPolicy accepts container events on gRPC and update container security policies
+func (p *ServiceServer) ContainerPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) {
+	policyEvent := tp.K8sKubeArmorPolicyEvent{}
 	res := new(pb.Response)
 
 	err := json.Unmarshal(data.Policy, &policyEvent)
 	if err == nil {
-		p.UpdateHostPolicy(policyEvent)
+		p.UpdateContainerPolicy(policyEvent)
 		res.Status = 1
 	} else {
-		kg.Warn("Invalid Host Policy Event")
+		kg.Warn("Invalid Container Policy Event")
 		res.Status = 0
 	}
 
 	return res, nil
 }
 
-// ContainerPolicy accepts container events on gRPC and update container security policies
-func (p *ServiceServer) ContainerPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) {
-	policyEvent := tp.K8sKubeArmorPolicyEvent{}
+// HostPolicy accepts host policy event on gRPC service and updates host security policies. It responds with 1 if success else 0.
+func (p *ServiceServer) HostPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) {
+	policyEvent := tp.K8sKubeArmorHostPolicyEvent{}
 	res := new(pb.Response)
 
 	err := json.Unmarshal(data.Policy, &policyEvent)
 	if err == nil {
-		p.UpdateContainerPolicy(policyEvent)
+		p.UpdateHostPolicy(policyEvent)
 		res.Status = 1
 	} else {
-		kg.Warn("Invalid Container Policy Event")
+		kg.Warn("Invalid Host Policy Event")
 		res.Status = 0
 	}
 

protobuf/policy.proto

@@ -13,6 +13,6 @@ message policy {
 }
 
 service PolicyService {
-    rpc hostPolicy (policy) returns (response);
     rpc containerPolicy (policy) returns (response);
+    rpc hostPolicy (policy) returns (response);
 }