core: setup visibibility map for unorchestrated workloads

This commit populates visibility map of unorchestrated containers where namespace is custom set to "container_namespace" based on the config values Signed-off-by: daemon1024 <[email protected]>
kubearmor · May 22, 2023 · 3c938d7 · 3c938d7
1 parent e8b4504
commit 3c938d7
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 3 deletions.
diff --git a/KubeArmor/core/dockerHandler.go b/KubeArmor/core/dockerHandler.go
@@ -192,10 +192,10 @@ func (dm *KubeArmorDaemon) SetContainerVisibility(containerID string) {
 		container.CapabilitiesVisibilityEnabled = true
 	}
 
-	dm.Containers[container.ContainerID] = container
-
 	container.EndPointName = container.ContainerName
 	container.NamespaceName = "container_namespace"
+
+	dm.Containers[container.ContainerID] = container
 }
 
 // GetAlreadyDeployedDockerContainers Function
@@ -265,6 +265,7 @@ func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 				if !dm.K8sEnabled {
 					dm.ContainersLock.Lock()
 					dm.SetContainerVisibility(dcontainer.ID)
+					container = dm.Containers[dcontainer.ID]
 					dm.ContainersLock.Unlock()
 				}
 
@@ -345,6 +346,13 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
 			return
 		}
 
+		if !dm.K8sEnabled {
+			dm.ContainersLock.Lock()
+			dm.SetContainerVisibility(containerID)
+			container = dm.Containers[containerID]
+			dm.ContainersLock.Unlock()
+		}
+
 		if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
 			// update NsMap
 			dm.SystemMonitor.AddContainerIDToNsMap(containerID, container.NamespaceName, container.PidNS, container.MntNS)
@@ -353,7 +361,6 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
 
 		if !dm.K8sEnabled {
 			dm.ContainersLock.Lock()
-			dm.SetContainerVisibility(containerID)
 			dm.EndPointsLock.Lock()
 			dm.MatchandUpdateContainerSecurityPolicies(containerID)
 			dm.EndPointsLock.Unlock()

diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
@@ -467,6 +467,8 @@ func KubeArmor() {
 	// Un-orchestrated workloads
 	if !dm.K8sEnabled && cfg.GlobalCfg.Policy {
 
+		dm.SetContainerNSVisibility()
+
 		// Check if cri socket set, if not then auto detect
 		if cfg.GlobalCfg.CRISocket == "" {
 			if kl.GetCRISocket("") == "" {

diff --git a/KubeArmor/core/unorchestratedUpdates.go b/KubeArmor/core/unorchestratedUpdates.go
@@ -15,6 +15,27 @@ import (
 	tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
 )
 
+// SetContainerVisibility function enables visibility flag arguments for un-orchestrated container and updates the visibility map
+func (dm *KubeArmorDaemon) SetContainerNSVisibility() {
+
+	visibility := tp.Visibility{}
+
+	if strings.Contains(cfg.GlobalCfg.Visibility, "process") {
+		visibility.Process = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "file") {
+		visibility.File = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "network") {
+		visibility.Network = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "capabilities") {
+		visibility.Capabilities = true
+	}
+
+	dm.UpdateVisibility("ADDED", "container_namespace", visibility)
+}
+
 // ====================================== //
 // == Container Security Policy Update == //
 // ====================================== //