
Merge pull request #1052 from achrefbensaad/revert-apparmor-log
Revert "audit log matcher from kubearmor"
achrefbensaad authored Jan 20, 2023
2 parents d90557a + 2d5b532 commit 9d59c67
Showing 45 changed files with 181 additions and 425 deletions.
1 change: 0 additions & 1 deletion KubeArmor/build/kubearmor-test-containerd.yaml
Expand Up @@ -113,7 +113,6 @@ spec:
- IPC_LOCK
- CAP_DAC_OVERRIDE
- CAP_DAC_READ_SEARCH
- CAP_AUDIT_READ
ports:
- containerPort: 32767
livenessProbe:
1 change: 0 additions & 1 deletion KubeArmor/build/kubearmor-test-crio.yaml
Expand Up @@ -66,7 +66,6 @@ spec:
- IPC_LOCK
- CAP_DAC_OVERRIDE
- CAP_DAC_READ_SEARCH
- CAP_AUDIT_READ
volumeMounts:
- mountPath: /opt/kubearmor/BPF
name: bpf
1 change: 0 additions & 1 deletion KubeArmor/build/kubearmor-test-docker.yaml
Expand Up @@ -113,7 +113,6 @@ spec:
- IPC_LOCK
- CAP_DAC_OVERRIDE
- CAP_DAC_READ_SEARCH
- CAP_AUDIT_READ
ports:
- containerPort: 32767
livenessProbe:
1 change: 0 additions & 1 deletion KubeArmor/build/kubearmor-test-k3s.yaml
Expand Up @@ -113,7 +113,6 @@ spec:
- IPC_LOCK
- CAP_DAC_OVERRIDE
- CAP_DAC_READ_SEARCH
- CAP_AUDIT_READ
ports:
- containerPort: 32767
livenessProbe:
40 changes: 16 additions & 24 deletions KubeArmor/core/kubeArmor.go
Expand Up @@ -217,7 +217,7 @@ func (dm *KubeArmorDaemon) CloseLogger() bool {

// InitSystemMonitor Function
func (dm *KubeArmorDaemon) InitSystemMonitor() bool {
dm.SystemMonitor = mon.NewSystemMonitor(&dm.Node, dm.Logger, &dm.Containers, &dm.ContainersLock, &dm.ActiveHostPidMap, &dm.ActivePidMapLock, dm.RuntimeEnforcer.EnforcerType)
dm.SystemMonitor = mon.NewSystemMonitor(&dm.Node, dm.Logger, &dm.Containers, &dm.ContainersLock, &dm.ActiveHostPidMap, &dm.ActivePidMapLock)
if dm.SystemMonitor == nil {
return false
}
Expand All @@ -237,9 +237,6 @@ func (dm *KubeArmorDaemon) MonitorSystemEvents() {

if cfg.GlobalCfg.Policy || cfg.GlobalCfg.HostPolicy {
go dm.SystemMonitor.TraceSyscall()
if dm.RuntimeEnforcer.EnforcerType == "AppArmor" {
go dm.SystemMonitor.WatchAppArmorAlerts()
}
go dm.SystemMonitor.UpdateLogs()
go dm.SystemMonitor.CleanUpExitedHostPids()
}
Expand Down Expand Up @@ -416,21 +413,6 @@ func KubeArmor() {

// == //

// initialize runtime enforcer
if !dm.InitRuntimeEnforcer() {
dm.Logger.Print("Disabled KubeArmor Enforcer since No LSM is enabled")
} else {
dm.Logger.Print("Initialized KubeArmor Enforcer")

if cfg.GlobalCfg.Policy && !cfg.GlobalCfg.HostPolicy {
dm.Logger.Print("Started to protect containers")
} else if !cfg.GlobalCfg.Policy && cfg.GlobalCfg.HostPolicy {
dm.Logger.Print("Started to protect a host")
} else if cfg.GlobalCfg.Policy && cfg.GlobalCfg.HostPolicy {
dm.Logger.Print("Started to protect a host and containers")
}
}

// Containerized workloads with Host
if cfg.GlobalCfg.Policy || cfg.GlobalCfg.HostPolicy {
// initialize system monitor
Expand All @@ -444,14 +426,24 @@ func KubeArmor() {
}
dm.Logger.Print("Initialized KubeArmor Monitor")

// No need for mutex here
if dm.SystemMonitor.NetLinkClient != nil {
dm.Logger.Netfilter = true
}

// monior system events
go dm.MonitorSystemEvents()
dm.Logger.Print("Started to monitor system events")

// initialize runtime enforcer
if !dm.InitRuntimeEnforcer() {
dm.Logger.Print("Disabled KubeArmor Enforcer since No LSM is enabled")
} else {
dm.Logger.Print("Initialized KubeArmor Enforcer")

if cfg.GlobalCfg.Policy && !cfg.GlobalCfg.HostPolicy {
dm.Logger.Print("Started to protect containers")
} else if !cfg.GlobalCfg.Policy && cfg.GlobalCfg.HostPolicy {
dm.Logger.Print("Started to protect a host")
} else if cfg.GlobalCfg.Policy && cfg.GlobalCfg.HostPolicy {
dm.Logger.Print("Started to protect a host and containers")
}
}
}

enableContainerPolicy := true
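Review bot: The new `InitRuntimeEnforcer` block at the end of the last hunk runs after `go dm.MonitorSystemEvents()` has already started the monitor goroutines, and the first hunk stops passing `dm.RuntimeEnforcer.EnforcerType` into `NewSystemMonitor`, so the enforcer is unset while the monitor is running; if any monitor path still reads `dm.RuntimeEnforcer` (not visible on this page) that read races with this initialization and should be confirmed. That ordering constraint deserves a comment on the new block, e.g. `// initialize runtime enforcer after the monitor is started: the monitor must not depend on dm.RuntimeEnforcer, which is nil until here`. The init also appears to have moved inside the `if cfg.GlobalCfg.Policy || cfg.GlobalCfg.HostPolicy` block (closed by the context `}` before `enableContainerPolicy`), so with both flags off the "Disabled KubeArmor Enforcer since No LSM is enabled" line is no longer logged; if that is intended, a one-line comment saying the enforcer is skipped when no policy mode is enabled would make it explicit. `KubeArmor()` starts and ends outside the hunk.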
