
Merge pull request #1206 from daemon1024/bpflsm-container-only
BPF LSM Enforcement for unorchestrated containers
nyrahul authored May 15, 2023
2 parents 5953817 + a6c179e commit 35434b6
Showing 5 changed files with 660 additions and 559 deletions.
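--- a/KubeArmor/core/containerdHandler.go
+++ b/KubeArmor/core/containerdHandler.go
@@ -317,6 +317,14 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 dm.RuntimeEnforcer.RegisterContainer(containerID, container.PidNS, container.MntNS)
 }
 
+if !dm.K8sEnabled {
+dm.ContainersLock.Lock()
+dm.EndPointsLock.Lock()
+dm.MatchandUpdateContainerSecurityPolicies(containerID)
+dm.EndPointsLock.Unlock()
+dm.ContainersLock.Unlock()
+}
+
 dm.Logger.Printf("Detected a container (added/%.12s/pidns=%d/mntns=%d)", containerID, container.PidNS, container.MntNS)
 
 } else if action == "destroy" {
@@ -326,6 +334,11 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 dm.ContainersLock.Unlock()
 return false
 }
+if !dm.K8sEnabled {
+dm.EndPointsLock.Lock()
+dm.MatchandRemoveContainerFromEndpoint(containerID)
+dm.EndPointsLock.Unlock()
+}
 delete(dm.Containers, containerID)
 dm.ContainersLock.Unlock()
 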
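Review bot: The ContainersLock-then-EndPointsLock nesting added in both hunks here is repeated verbatim in crioHandler.go and dockerHandler.go in this same commit, so the lock order that keeps the two handlers from deadlocking each other now lives in three files; a small helper on KubeArmorDaemon (e.g. `updateUnorchestratedContainerPolicies(containerID)` that takes both locks in that order) would keep it in one place. In the destroy hunk, `dm.MatchandRemoveContainerFromEndpoint(containerID)` is called while ContainersLock is already held (the `dm.ContainersLock.Unlock()` on the early-return path just above it shows that), which matches the order used on the add path. A one-line comment on the add block such as `// unorchestrated (non-k8s) container: match host-side policies directly` would record why this only runs when K8sEnabled is false. UpdateContainerdContainer begins and ends outside these hunks.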
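--- a/KubeArmor/core/crioHandler.go
+++ b/KubeArmor/core/crioHandler.go
@@ -258,6 +258,14 @@ func (dm *KubeArmorDaemon) UpdateCrioContainer(ctx context.Context, containerID,
 dm.RuntimeEnforcer.RegisterContainer(containerID, container.PidNS, container.MntNS)
 }
 
+if !dm.K8sEnabled {
+dm.ContainersLock.Lock()
+dm.EndPointsLock.Lock()
+dm.MatchandUpdateContainerSecurityPolicies(containerID)
+dm.EndPointsLock.Unlock()
+dm.ContainersLock.Unlock()
+}
+
 dm.Logger.Printf("Detected a container (added/%.12s)", containerID)
 } else if action == "destroy" {
 dm.ContainersLock.Lock()
@@ -266,6 +274,11 @@ func (dm *KubeArmorDaemon) UpdateCrioContainer(ctx context.Context, containerID,
 dm.ContainersLock.Unlock()
 return false
 }
+if !dm.K8sEnabled {
+dm.EndPointsLock.Lock()
+dm.MatchandRemoveContainerFromEndpoint(containerID)
+dm.EndPointsLock.Unlock()
+}
 delete(dm.Containers, containerID)
 dm.ContainersLock.Unlock()
 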
23 changes: 17 additions & 6 deletions KubeArmor/core/dockerHandler.go
Expand Up @@ -345,25 +345,36 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
return
}

if !dm.K8sEnabled {
dm.ContainersLock.Lock()
dm.SetContainerVisibility(containerID)
dm.ContainersLock.Unlock()
}

if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
// update NsMap
dm.SystemMonitor.AddContainerIDToNsMap(containerID, container.NamespaceName, container.PidNS, container.MntNS)
dm.RuntimeEnforcer.RegisterContainer(containerID, container.PidNS, container.MntNS)
}

if !dm.K8sEnabled {
dm.ContainersLock.Lock()
dm.SetContainerVisibility(containerID)
dm.EndPointsLock.Lock()
dm.MatchandUpdateContainerSecurityPolicies(containerID)
dm.EndPointsLock.Unlock()
dm.ContainersLock.Unlock()
}

dm.Logger.Printf("Detected a container (added/%.12s)", containerID)

} else if action == "stop" || action == "destroy" {
// case 1: kill -> die -> stop
// case 2: kill -> die -> destroy
// case 3: destroy

if !dm.K8sEnabled {
dm.ContainersLock.Lock()
dm.EndPointsLock.Lock()
dm.MatchandRemoveContainerFromEndpoint(containerID)
dm.EndPointsLock.Unlock()
dm.ContainersLock.Unlock()
}

dm.ContainersLock.Lock()
container, ok := dm.Containers[containerID]
if !ok {
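Review bot: The new removal block around `dm.MatchandRemoveContainerFromEndpoint(containerID)` in the stop/destroy branch runs before the `container, ok := dm.Containers[containerID]` lookup and its `!ok` return, so for the kill → die → stop → destroy sequence the comment above describes, both "stop" and "destroy" are delivered and the endpoint cleanup runs a second time for a container that is no longer in dm.Containers. The containerd and crio handlers in this same commit do the removal after the existence check, inside the ContainersLock section that precedes `delete(dm.Containers, containerID)`; moving the three lines `dm.EndPointsLock.Lock()`, `dm.MatchandRemoveContainerFromEndpoint(containerID)`, `dm.EndPointsLock.Unlock()` to after the `!ok` return would match them and drop the extra ContainersLock acquire/release pair, which also closes the window between the two lock sections. Whether the repeated call is harmful depends on MatchandRemoveContainerFromEndpoint, which is not visible here. UpdateDockerContainer continues past the end of this hunk.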