From 6cd61f8e995cb043fe2e44ff14babec98f9c656e Mon Sep 17 00:00:00 2001
From: Ankur Kothiwal
Date: Mon, 6 Jun 2022 09:21:42 +0530
Subject: [PATCH] support observability for containerized workloads

Signed-off-by: Ankur Kothiwal
---
 .gitignore | 3 ++-
 src/cluster/clusterResourceHandler.go | 5 +++++
 src/libs/common.go | 4 ----
 src/plugin/kubearmor.go | 6 ++++++
 src/systempolicy/helperFunctions.go | 4 ++--
 src/systempolicy/systemPolicy.go | 10 +++++++---
 src/types/constants.go | 8 ++++++--
 7 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/.gitignore b/.gitignore
index b7d0df35..b065a757 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,4 +12,5 @@ src/report*.json
 kubearmor_policies*.yaml
 cilium_policies*.yaml
 knox_net_policies*.yaml
-src/accuknox.db
+src/accuknox*.db*
+
diff --git a/src/cluster/clusterResourceHandler.go b/src/cluster/clusterResourceHandler.go
index 3503a4e8..8e4bc32d 100644
--- a/src/cluster/clusterResourceHandler.go
+++ b/src/cluster/clusterResourceHandler.go
@@ -27,6 +27,11 @@ func GetPods(clusterName string) []types.Pod {
 		PodName: types.PolicyDiscoveryVMPodName,
 	})
 
+	pods = append(pods, types.Pod{
+		Namespace: types.PolicyDiscoveryContainerNamespace,
+		PodName: types.PolicyDiscoveryContainerPodName,
+	})
+
 	return pods
 }
 
diff --git a/src/libs/common.go b/src/libs/common.go
index 3ebcad63..c9adc9f2 100644
--- a/src/libs/common.go
+++ b/src/libs/common.go
@@ -404,10 +404,6 @@ func writeYamlByte(f *os.File, b []byte) {
 		log.Error().Msg(err.Error())
 	}
 
-	if _, err := f.WriteString("---\n"); err != nil {
-		log.Error().Msg(err.Error())
-	}
-
 	if err := f.Sync(); err != nil {
 		log.Error().Msg(err.Error())
 	}
diff --git a/src/plugin/kubearmor.go b/src/plugin/kubearmor.go
index ac2e65e6..3b3aa3ac 100644
--- a/src/plugin/kubearmor.go
+++ b/src/plugin/kubearmor.go
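Review bot: The synthetic container Pod appended in GetPods carries no Labels, so anything that later resolves labels by this pod name presumably gets an empty set; that may be intended (the systemPolicy.go hunk in this patch attaches a per-log container-name label instead), but nothing at the append site says so. A short comment on the new block would spare the next reader the cross-package trip: `// sentinel pod for non-k8s container logs: it has no labels of its own; identity is derived per log from the container name`. GetPods starts before the hunk.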
@@ -293,6 +293,12 @@ func ConvertKubeArmorLogToKnoxSystemLog(relayLog *pb.Log) (types.KnoxSystemLog,
 		knoxSystemLog.PodName = types.PolicyDiscoveryVMPodName
 	}
 
+	if relayLog.Type == "ContainerLog" {
+		knoxSystemLog.ContainerName = relayLog.ContainerName
+		knoxSystemLog.Namespace = types.PolicyDiscoveryContainerNamespace
+		knoxSystemLog.PodName = types.PolicyDiscoveryContainerPodName
+	}
+
 	return knoxSystemLog, nil
 }
 
diff --git a/src/systempolicy/helperFunctions.go b/src/systempolicy/helperFunctions.go
index c7e3ee14..acb83b92 100644
--- a/src/systempolicy/helperFunctions.go
+++ b/src/systempolicy/helperFunctions.go
@@ -115,7 +115,7 @@ func FilterSystemLogsByConfig(logs []types.KnoxSystemLog, pods []types.Pod) []ty
 			}
 
 			// 2. check pod labels
-			if (checkItems&2 > 0) && (log.Namespace == types.PolicyDiscoveryVMNamespace || containLabelByConfiguration(filter.Labels, getLabelsFromPod(log.PodName, pods))) {
+			if (checkItems&2 > 0) && (log.Namespace == types.PolicyDiscoveryVMNamespace || log.Namespace == types.PolicyDiscoveryContainerNamespace || containLabelByConfiguration(filter.Labels, getLabelsFromPod(log.PodName, pods))) {
 				checkedItems = checkedItems | 1<<1
 			}
 
@@ -156,7 +156,7 @@ func FilterSystemLogsByConfig(logs []types.KnoxSystemLog, pods []types.Pod) []ty
 func GetWPFSSources() []string {
 	res, _, err := libs.GetWorkloadProcessFileSet(CfgDB, types.WorkloadProcessFileSet{})
 	if err != nil {
-		log.Error().Msgf("cudnot fetch WPFS err=%s", err.Error())
+		log.Error().Msgf("could not fetch WPFS err=%s", err.Error())
 		return nil
 	}
 
diff --git a/src/systempolicy/systemPolicy.go b/src/systempolicy/systemPolicy.go
index 0204028b..16a2c5e9 100644
--- a/src/systempolicy/systemPolicy.go
+++ b/src/systempolicy/systemPolicy.go
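Review bot: The new branch copies relayLog.ContainerName into knoxSystemLog without checking that it is non-empty, and it discriminates on the bare literal "ContainerLog" while the namespace and pod sentinels it assigns are constants in types. Because ContainerName becomes the only identity the container workload has downstream (this patch turns it into a label in systemPolicy.go), an empty value would silently yield a label with no value rather than an error; I would guard it, `if relayLog.Type == "ContainerLog" && relayLog.ContainerName != "" {`, and, if an empty name is possible at all, log and reject it rather than fall through. The literal would be better placed next to the new constants in constants.go so the log type and its sentinels evolve together. ConvertKubeArmorLogToKnoxSystemLog starts before the hunk.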
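Review bot: After this change the label check in FilterSystemLogsByConfig is satisfied for every log whose namespace is the container sentinel, so a configured label filter no longer scopes container workloads at all; that mirrors the existing VM bypass, but the condition now buries that policy decision in a long boolean with no comment. I would state it above the if, `// VM and container sentinel namespaces carry no pod labels and bypass the label filter; they are presumably scoped by container name instead`, and consider folding the two sentinel comparisons into a small helper such as `isNonK8sNamespace(log.Namespace)` so the next sentinel does not extend this line a third time. FilterSystemLogsByConfig starts before the hunk and continues after it.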
@@ -265,7 +265,7 @@ func populateKnoxSysPolicyFromWPFSDb(namespace, clustername, labels, fromsource
 	}
 	res, pnMap, err := libs.GetWorkloadProcessFileSet(CfgDB, wpfs)
 	if err != nil {
-		log.Error().Msgf("cudnot fetch WPFS err=%s", err.Error())
+		log.Error().Msgf("could not fetch WPFS err=%s", err.Error())
 		return nil
 	}
 	log.Info().Msgf("found %d WPFS records", len(res))
@@ -1261,9 +1261,14 @@ func GenFileSetForAllPodsInCluster(clusterName string, pods []types.Pod, settype
 		wpfs.SetType = settype
 		labels, err := GetPodLabels(slog.ClusterName, slog.PodName, slog.Namespace, pods)
 		if err != nil {
-			log.Error().Msgf("cudnot get pod labels for podname=%s ns=%s", slog.PodName, slog.Namespace)
+			log.Error().Msgf("could not get pod labels for podname=%s ns=%s", slog.PodName, slog.Namespace)
 			continue
 		}
+
+		if slog.Namespace == types.PolicyDiscoveryContainerNamespace {
+			labels = append(labels, "kubearmor.io/container.name="+slog.ContainerName)
+		}
+
 		wpfs.Labels = strings.Join(labels[:], ",")
 
 		if isNetworkOp {
@@ -1339,7 +1344,6 @@ func DiscoverSystemPolicyMain() {
 	}
 
 	PopulateSystemPoliciesFromSystemLogs(allSystemkLogs)
-
 }
 
 // ==================================== //
diff --git a/src/types/constants.go b/src/types/constants.go
index 080a549a..0fe85bfe 100644
--- a/src/types/constants.go
+++ b/src/types/constants.go
@@ -1,11 +1,15 @@
 package types
 
 const (
-	// Kubearmor VM
+	// KubeArmor VM
 	PolicyDiscoveryVMNamespace = "accuknox-vm-namespace"
 	PolicyDiscoveryVMPodName = "accuknox-vm-podname"
 
-	// Kubearmor k8s
+	// KubeArmor container
+	PolicyDiscoveryContainerNamespace = "container_namespace"
+	PolicyDiscoveryContainerPodName = "container_podname"
+
+	// KubeArmor k8s
 	PreConfiguredKubearmorRule = "/lib/x86_64-linux-gnu/"
 
 	// RecordSeparator - DB separator flag
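Review bot: The container-name label built in GenFileSetForAllPodsInCluster is joined into wpfs.Labels with "," and uses "=" as its key/value separator, but slog.ContainerName originates in the relay log and is never checked against those separators, so a name containing "," or "=" would be persisted as extra or malformed labels and, depending on how the stored string is split when read back, could be matched as a label the operator never configured. Container runtimes generally restrict names to alphanumerics, "_", "." and "-", which makes this unlikely in practice, but the record format should not rely on the producer for its own integrity: validate before appending, e.g. `if slog.ContainerName == "" || strings.ContainsAny(slog.ContainerName, ",=") { log.Error().Msgf("invalid container name %q for ns=%s", slog.ContainerName, slog.Namespace); continue }`. The `labels[:]` on the following context line is a no-op slice and can simply be `labels`. The function starts before the hunk and continues after it.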
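Review bot: The two new sentinels use underscores while the VM sentinels above them use hyphens, and nothing says whether that difference is deliberate. It matters: these strings are compared against log namespaces to bypass the label filter in FilterSystemLogsByConfig, so they must never collide with a real Kubernetes namespace or pod; an underscore is not allowed in a DNS-1123 name, so "container_namespace" cannot collide, whereas a hyphenated spelling is something a tenant could create. I would record that in the comment so nobody normalises it later: `// KubeArmor container: sentinel namespace/pod for non-k8s container logs. The underscores are intentional; they are invalid in k8s names, so these values can never match a real namespace or pod.`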