Adding fixed version of kapprofiler (#106)

* Adding fixed version of kapprofiler Signed-off-by: Amit Schendel <[email protected]> * Adding helm value to fix open config and adding locks on container cache Signed-off-by: Amit Schendel <[email protected]> * Adding /tmp to default rule binding Signed-off-by: Amit Schendel <[email protected]> * Adding more locks Signed-off-by: Amit Schendel <[email protected]> --------- Signed-off-by: Amit Schendel <[email protected]>
armosec · Dec 17, 2023 · eae813d · eae813d
1 parent 25d6adc
commit eae813d
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 13 deletions.
diff --git a/chart/kubecop/templates/deamonset.yaml b/chart/kubecop/templates/deamonset.yaml
@@ -76,6 +76,17 @@ spec:
           - name: _PPROF_SERVER
             value: "true"
           {{- end }}
+          {{- if not .Values.kubecop.partialProfiles.enabled  }}
+          - name: OPEN_IGNORE_MOUNTS
+            value: "false"
+          - name: OPEN_IGNORE_PREFIXES
+            value: ""
+          {{- else }}
+          - name: OPEN_IGNORE_MOUNTS
+            value: "{{ .Values.kubecop.partialProfiles.ignoreMounts }}"
+          - name: OPEN_IGNORE_PREFIXES
+            value: "{{ .Values.kubecop.partialProfiles.ignorePrefixes }}"
+          {{- end }}
           {{- if .Values.kubecop.recording.samplingInterval  }}
           - name: SAMPLING_INTERVAL
             value: "{{ .Values.kubecop.recording.samplingInterval }}"

diff --git a/chart/kubecop/templates/default-rule-binding.yaml b/chart/kubecop/templates/default-rule-binding.yaml
@@ -25,7 +25,7 @@ spec:
     - ruleName: "Unexpected file access"
       parameters:
         ignoreMounts: true
-        ignorePrefixes: ["/proc", "/run/secrets/kubernetes.io/serviceaccount", "/var/run/secrets/kubernetes.io/serviceaccount"]
+        ignorePrefixes: ["/proc", "/run/secrets/kubernetes.io/serviceaccount", "/var/run/secrets/kubernetes.io/serviceaccount", "/tmp"]
     - ruleName: "Unexpected system call"
     - ruleName: "Unexpected capability used"
     - ruleName: "Unexpected domain request"

diff --git a/chart/kubecop/values.yaml b/chart/kubecop/values.yaml
@@ -26,6 +26,10 @@ kubecop:
     enabled: false
   pprofserver:
     enabled: false
+  partialProfiles: # If enabled, application profiles won't be enriched with the following prefixes and mounts.
+    enabled: true
+    ignoreMounts: "true"
+    ignorePrefixes: "/proc,/var/lib/elasticsearch,/tmp"
 
 serviceAccount:
   # Specifies whether a service account should be created

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/gammazero/workerpool v1.1.3
 	github.com/go-openapi/strfmt v0.21.7
 	github.com/inspektor-gadget/inspektor-gadget v0.23.1
-	github.com/kubescape/kapprofiler v0.0.38
+	github.com/kubescape/kapprofiler v0.0.39
 	github.com/prometheus/alertmanager v0.26.0
 	github.com/prometheus/client_golang v1.17.0
 	github.com/stretchr/testify v1.8.4

diff --git a/go.sum b/go.sum
@@ -233,8 +233,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kubescape/kapprofiler v0.0.38 h1:FdFAX4aUvQUW2p4HluiFMbN/myT7m7URyN9CJVGUUog=
-github.com/kubescape/kapprofiler v0.0.38/go.mod h1:3YmtBCW5mspDNXlH148xHgbxyHzr1+bIdYU7iLCHfl0=
+github.com/kubescape/kapprofiler v0.0.39 h1:1a+9kYxmnyAgdtti3wcemqxYtGoXIhJUuWaT8DUfPUE=
+github.com/kubescape/kapprofiler v0.0.39/go.mod h1:3YmtBCW5mspDNXlH148xHgbxyHzr1+bIdYU7iLCHfl0=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=

diff --git a/pkg/engine/container.go b/pkg/engine/container.go
@@ -121,30 +121,27 @@ func (engine *Engine) OnContainerActivityEvent(event *tracing.ContainerActivityE
 			}
 		}
 		for neededEvent := range neededEvents {
-			//log.Printf("Starting to trace container %s/%s/%s/%s for event %v\n", event.Namespace, ownerRef.Kind, ownerRef.Name, event.ContainerName, neededEvent)
 			_ = engine.tracer.StartTraceContainer(event.NsMntId, event.Pid, neededEvent)
-			//if err != nil {
-			// log.Printf("Failed to enable event %v for container %s/%s/%s/%s: %v\n", neededEvent, event.Namespace, ownerRef.Kind, ownerRef.Name, event.ContainerName, err)
-			//}
 		}
 
 	} else if event.Activity == tracing.ContainerActivityEventStop {
 		go func() {
+			containerIdToDetailsCacheLock.RLock()
 			eventsInUse := GetRequiredEventsFromRules(containerIdToDetailsCache[event.ContainerID].BoundRules)
+			containerIdToDetailsCacheLock.RUnlock()
 
 			// Stop tracing the container
 			for _, eventInUse := range eventsInUse {
 				_ = engine.tracer.StopTraceContainer(event.NsMntId, event.Pid, eventInUse)
-				//if err != nil {
-				// log.Printf("Failed to disable event %v for container %s/%s/%s: %v\n", eventInUse, event.Namespace, event.PodName, event.ContainerName, err)
-				//}
 			}
 
 			// Remove the container from the cache
 			deleteContainerDetails(event.ContainerID)
 
 			// Remove the container from the cache
+			containerIdToDetailsCacheLock.Lock()
 			delete(containerIdToDetailsCache, event.ContainerID)
+			containerIdToDetailsCacheLock.Unlock()
 		}()
 	}
 }
@@ -154,6 +151,8 @@ func (engine *Engine) GetPodSpec(podName, namespace, containerID string) (*corev
 		return nil, fmt.Errorf("podName or namespace is empty")
 	}
 
+	containerIdToDetailsCacheLock.RLock()
+	defer containerIdToDetailsCacheLock.RUnlock()
 	podSpec, ok := containerIdToDetailsCache[containerID]
 	if !ok {
 		return nil, fmt.Errorf("containerID not found in cache")
@@ -257,6 +256,8 @@ func (engine *Engine) GetRulesForEvent(event *tracing.GeneralEvent) []rule.Rule
 }
 
 func (engine *Engine) IsContainerIDInCache(containerID string) bool {
+	containerIdToDetailsCacheLock.RLock()
+	defer containerIdToDetailsCacheLock.RUnlock()
 	_, ok := containerIdToDetailsCache[containerID]
 	return ok
 }

diff --git a/pkg/engine/poll.go b/pkg/engine/poll.go
@@ -52,8 +52,6 @@ func (engine *Engine) Poll() {
 				for containerId, containerDetails := range getcontainerIdToDetailsCacheCopy() {
 					syscalls, err := engine.tracer.PeekSyscallInContainer(containerDetails.NsMntId)
 					if err != nil {
-						// Disabled the log for now, it's too noisy (running containers and during shutdown this prints a lot)
-						// log.Printf("Failed to peek syscalls in container %s: %v\n", containerId, err)
 						continue
 					}
 					// Generate events for the syscalls and process them in the engine