From 3c938d77337f8f76b591a7df7f3612c8e8996ce3 Mon Sep 17 00:00:00 2001
From: daemon1024
Date: Mon, 22 May 2023 19:25:09 +0530
Subject: [PATCH] core: setup visibibility map for unorchestrated workloads

This commit populates visibility map of unorchestrated containers where namespace is custom set to "container_namespace" based on the config values

Signed-off-by: daemon1024
---
 KubeArmor/core/dockerHandler.go         | 13 ++++++++++---
 KubeArmor/core/kubeArmor.go             |  2 ++
 KubeArmor/core/unorchestratedUpdates.go | 21 +++++++++++++++++++++
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/KubeArmor/core/dockerHandler.go b/KubeArmor/core/dockerHandler.go
index d86a8bf46a..26d8818362 100644
--- a/KubeArmor/core/dockerHandler.go
+++ b/KubeArmor/core/dockerHandler.go
@@ -192,10 +192,10 @@ func (dm *KubeArmorDaemon) SetContainerVisibility(containerID string) {
 		container.CapabilitiesVisibilityEnabled = true
 	}
 
-	dm.Containers[container.ContainerID] = container
-
 	container.EndPointName = container.ContainerName
 	container.NamespaceName = "container_namespace"
+
+	dm.Containers[container.ContainerID] = container
 }
 
 // GetAlreadyDeployedDockerContainers Function
@@ -265,6 +265,7 @@ func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 			if !dm.K8sEnabled {
 				dm.ContainersLock.Lock()
 				dm.SetContainerVisibility(dcontainer.ID)
+				container = dm.Containers[dcontainer.ID]
 				dm.ContainersLock.Unlock()
 			}
 
@@ -345,6 +346,13 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
 		return
 	}
 
+	if !dm.K8sEnabled {
+		dm.ContainersLock.Lock()
+		dm.SetContainerVisibility(containerID)
+		container = dm.Containers[containerID]
+		dm.ContainersLock.Unlock()
+	}
+
 	if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
 		// update NsMap
 		dm.SystemMonitor.AddContainerIDToNsMap(containerID, container.NamespaceName, container.PidNS, container.MntNS)
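Review bot: The new block in UpdateDockerContainer leaves its ordering constraint undocumented: `dm.SetContainerVisibility(containerID)` rewrites `container.NamespaceName` to "container_namespace" (first hunk), and the `AddContainerIDToNsMap(containerID, container.NamespaceName, ...)` call right after it keys the NsMap on that value, so running the visibility step first is what makes the NsMap entry land under the same namespace the daemon registers for un-orchestrated workloads. A why-comment above the new `if !dm.K8sEnabled {` would keep a later refactor from swapping them back, e.g. `// must run before the NsMap update below: it rewrites container.NamespaceName to "container_namespace"`. The re-read `container = dm.Containers[containerID]` is needed because SetContainerVisibility mutates the map entry, not this local copy; that is worth stating in the same comment. UpdateDockerContainer continues outside this hunk.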
@@ -353,7 +361,6 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
 
 	if !dm.K8sEnabled {
 		dm.ContainersLock.Lock()
-		dm.SetContainerVisibility(containerID)
 		dm.EndPointsLock.Lock()
 		dm.MatchandUpdateContainerSecurityPolicies(containerID)
 		dm.EndPointsLock.Unlock()
diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
index b2ec103060..108bb9d852 100644
--- a/KubeArmor/core/kubeArmor.go
+++ b/KubeArmor/core/kubeArmor.go
@@ -467,6 +467,8 @@ func KubeArmor() {
 
 	// Un-orchestrated workloads
 	if !dm.K8sEnabled && cfg.GlobalCfg.Policy {
+		dm.SetContainerNSVisibility()
+
 		// Check if cri socket set, if not then auto detect
 		if cfg.GlobalCfg.CRISocket == "" {
 			if kl.GetCRISocket("") == "" {
diff --git a/KubeArmor/core/unorchestratedUpdates.go b/KubeArmor/core/unorchestratedUpdates.go
index b70b824d14..60832e5633 100644
--- a/KubeArmor/core/unorchestratedUpdates.go
+++ b/KubeArmor/core/unorchestratedUpdates.go
@@ -15,6 +15,27 @@ import (
 	tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
 )
 
+// SetContainerVisibility function enables visibility flag arguments for un-orchestrated container and updates the visibility map
+func (dm *KubeArmorDaemon) SetContainerNSVisibility() {
+
+	visibility := tp.Visibility{}
+
+	if strings.Contains(cfg.GlobalCfg.Visibility, "process") {
+		visibility.Process = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "file") {
+		visibility.File = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "network") {
+		visibility.Network = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "capabilities") {
+		visibility.Capabilities = true
+	}
+
+	dm.UpdateVisibility("ADDED", "container_namespace", visibility)
+}
+
 // ====================================== //
 // == Container Security Policy Update == //
 // ====================================== //
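Review bot: `SetContainerNSVisibility` decides what gets audited for every un-orchestrated container using four `strings.Contains` substring tests, so a typo or unexpected token in `cfg.GlobalCfg.Visibility` (say `procces`) is silently dropped and the workloads run with less visibility than the operator configured, with no log line exposing the blind spot. Parse the value as the comma-separated list it appears to be — split, trim, match each token exactly, and log anything unrecognised (if `none` is an accepted value, list it next to the empty case) — so misconfiguration is loud instead of a quiet loss of telemetry. The doc comment names the wrong function (`// SetContainerVisibility function ...` on `SetContainerNSVisibility`); it should start with the declared name, e.g. `// SetContainerNSVisibility enables the configured visibility flags for the shared "container_namespace" of un-orchestrated containers and registers them in the visibility map.` The flag parsing also appears to duplicate what SetContainerVisibility in dockerHandler.go does (only its tail is visible in the first hunk), so a shared helper returning `tp.Visibility` would keep the two from drifting apart. Only the tail of the import block is in the hunk, so I cannot see whether `strings` is already imported here.
```go
// SetContainerNSVisibility enables the configured visibility flags for the
// shared "container_namespace" of un-orchestrated containers and registers
// them in the visibility map.
func (dm *KubeArmorDaemon) SetContainerNSVisibility() {
	visibility := tp.Visibility{}

	for _, opt := range strings.Split(cfg.GlobalCfg.Visibility, ",") {
		switch strings.TrimSpace(opt) {
		case "process":
			visibility.Process = true
		case "file":
			visibility.File = true
		case "network":
			visibility.Network = true
		case "capabilities":
			visibility.Capabilities = true
		case "":
			// empty element (e.g. trailing comma): nothing to enable
		default:
			// surface the unknown token through the daemon's logger instead of silently ignoring it
		}
	}

	dm.UpdateVisibility("ADDED", "container_namespace", visibility)
}
```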