diff --git a/Dockerfile b/Dockerfile
index 5697f5a57d..fd4fbfe6a9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ FROM golang:1.20-alpine3.17 as builder
 RUN apk --no-cache update
-RUN apk add --no-cache bash git wget python3 linux-headers build-base clang clang-dev libc-dev llvm make gcc protobuf
+RUN apk add --no-cache git clang llvm make gcc protobuf
 WORKDIR /usr/src/KubeArmor
@@ -21,16 +21,12 @@ RUN make
 FROM alpine:3.17 as kubearmor
-RUN apk --no-cache update
 RUN echo "@community http://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories
-RUN echo "@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" | tee -a /etc/apk/repositories
 RUN apk --no-cache update
-RUN apk add bash curl procps
-RUN apk add apparmor@community apparmor-utils@community kubectl@testing
+RUN apk add apparmor@community apparmor-utils@community bash
 COPY --from=builder /usr/src/KubeArmor/KubeArmor/kubearmor /KubeArmor/kubearmor
 COPY --from=builder /usr/src/KubeArmor/KubeArmor/templates/* /KubeArmor/templates/
-
 ENTRYPOINT ["/KubeArmor/kubearmor"]
diff --git a/Dockerfile.init b/Dockerfile.init
index 34748ec575..0d04efe476 100644
--- a/Dockerfile.init
+++ b/Dockerfile.init
@@ -9,7 +9,7 @@ COPY ./KubeArmor/BPF/tests/main.go main.go
 COPY ./KubeArmor/BPF/tests/go.mod go.mod
 COPY ./KubeArmor/BPF/tests/go.sum go.sum
-RUN go build -o syscheck main.go
+RUN CGO_ENABLED=0 go build -o syscheck main.go
 ### Make compiler image
 FROM alpine:3.17 as kubearmor-init
@@ -21,7 +21,6 @@ RUN echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /e
 RUN apk --no-cache update
 RUN apk --no-cache add bash git clang llvm make gcc bpftool@edge
-
 COPY ./KubeArmor/BPF /KubeArmor/BPF/
 COPY ./KubeArmor/build/compile.sh /KubeArmor/compile.sh
 COPY --from=init-builder /usr/src/KubeArmor/syscheck /KubeArmor/BPF/tests/syscheck
diff --git a/KubeArmor/Makefile b/KubeArmor/Makefile
index d22f6c1587..5a8f08d6d2 100644
--- a/KubeArmor/Makefile
+++ b/KubeArmor/Makefile
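Review bot: The new `RUN apk add apparmor@community apparmor-utils@community bash` line in the runtime stage installs unpinned packages from the Alpine edge/community repository on top of an alpine:3.17 base, so what ends up in the image depends on whatever edge carries on the build day and can differ between two builds of the same commit; pinning them (`apparmor=<version-placeholder>@community`) or at least recording the resolved versions in the build log would make the runtime image reproducible. The same line also drops the `--no-cache` that the builder stage uses, so the fetched package index stays behind in the layer. The `@community` repository line kept above it still points at a plain `http://` URL; apk verifies package signatures so integrity holds, but dl-cdn serves the same repository over `https://`, which also keeps the list of packages being pulled out of view of an on-path observer.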
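Review bot: `CGO_ENABLED=0` is added to the syscheck `go build` without a note on why; presumably it is there so the binary copied from the golang:1.20 builder into the alpine:3.17 init image carries no runtime libc dependency, in which case a comment on the line, `# CGO_ENABLED=0: static binary, no runtime libc dependency in the alpine image`, would record that for the next reader. The same flag is added inline to the recipe in the KubeArmor/Makefile hunk; declaring it once there as an overridable variable (`CGO_ENABLED ?= 0` plus `export CGO_ENABLED`) and using `ENV CGO_ENABLED=0` in this builder stage keeps the two builds in step and lets a developer who needs cgo override it. With cgo off, Go's net package falls back to its pure-Go resolver, which is normally fine in a container but is a behavioural change worth knowing about.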
@@ -32,7 +32,7 @@ ifneq (, $(shell which llvm-strip))
 fi
 endif
 endif
- cd $(CURDIR); go build -ldflags "$(GIT_INFO)" -o kubearmor main.go
+ cd $(CURDIR); CGO_ENABLED=0 go build -ldflags "$(GIT_INFO)" -o kubearmor main.go
 .PHONY: protobuf
 protobuf:
diff --git a/KubeArmor/build/compile.sh b/KubeArmor/build/compile.sh
index 83e1d27188..dec60e8d50 100755
--- a/KubeArmor/build/compile.sh
+++ b/KubeArmor/build/compile.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2021 Authors of KubeArmor
@@ -11,4 +11,4 @@ else
 make
 fi
-cp *.bpf.o ignore.lst /opt/kubearmor/BPF/
\ No newline at end of file
+cp *.bpf.o ignore.lst /opt/kubearmor/BPF/
diff --git a/KubeArmor/core/dockerHandler.go b/KubeArmor/core/dockerHandler.go
index 26d8818362..3c569aba97 100644
--- a/KubeArmor/core/dockerHandler.go
+++ b/KubeArmor/core/dockerHandler.go
@@ -5,7 +5,6 @@ package core
 import (
 "context"
- "encoding/json"
 "errors"
 "fmt"
 "os"
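Review bot: The shebang moves from `#!/bin/bash` to `#!/bin/sh`, so compile.sh now runs under whatever `/bin/sh` the init image provides (BusyBox ash on alpine:3.17); the four lines visible here (`else`, `make`, `fi`, `cp`) are POSIX, but the rest of the script lies outside both hunks and should be checked for bash-only constructs (`[[ ]]`, arrays, `set -o pipefail`, `${var//…}`) before this is relied on. A one-line comment under the license header, `# POSIX sh: runs under BusyBox ash in the init image, keep it free of bashisms`, would stop the next edit from reintroducing them. The second hunk only adds the missing trailing newline; `cp *.bpf.o ignore.lst …` is otherwise unchanged, and an empty glob stays literal under sh just as under bash, so a build that produced no `.bpf.o` files still fails at that line.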
@@ -41,46 +40,34 @@ type DockerHandler struct {
 }
 // NewDockerHandler Function
-func NewDockerHandler() *DockerHandler {
+func NewDockerHandler() (*DockerHandler, error) {
 docker := &DockerHandler{}
- // specify the docker api version that we want to use
- // Versioned API: https://docs.docker.com/engine/api/
-
- versionStr, err := kl.GetCommandOutputWithErr("curl", []string{"--silent", "--unix-socket", strings.TrimPrefix(cfg.GlobalCfg.CRISocket, "unix://"), "http://localhost/version"})
+ // try to create a new docker client
+ // If env DOCKER_API_VERSION set - NegotiateAPIVersion() won't do anything
+ DockerClient, err := client.NewClientWithOpts(client.FromEnv)
 if err != nil {
- return nil
+ return nil, err
 }
+ DockerClient.NegotiateAPIVersion(context.Background())
+ clientVersion := DockerClient.ClientVersion()
- if err := json.Unmarshal([]byte(versionStr), &docker.Version); err != nil {
- kg.Warnf("Unable to get Docker version (%s)", err.Error())
- }
+ kg.Printf("Verifying Docker API client version: %s", clientVersion)
- apiVersion, _ := strconv.ParseFloat(docker.Version.APIVersion, 64)
-
- if apiVersion >= 1.39 {
- // downgrade the api version to 1.39
- if err := os.Setenv("DOCKER_API_VERSION", "1.39"); err != nil {
- kg.Warnf("Unable to set DOCKER_API_VERSION (%s)", err.Error())
- }
- } else {
- // set the current api version
- if err := os.Setenv("DOCKER_API_VERSION", docker.Version.APIVersion); err != nil {
- kg.Warnf("Unable to set DOCKER_API_VERSION (%s)", err.Error())
- }
+ serverVersion, err := DockerClient.ServerVersion(context.Background())
+ if err != nil {
+ return nil, err
 }
- // create a new client with the above env variable
-
- DockerClient, err := client.NewClientWithOpts(client.FromEnv)
- if err != nil {
- return nil
+ if clientVersion != serverVersion.APIVersion {
+ kg.Warnf("Docker client (%s) and Docker server (%s) API versions don't match", clientVersion, serverVersion.APIVersion)
 }
+ docker.DockerClient = DockerClient
- kg.Printf("Initialized Docker Handler (version: %s)", docker.Version.APIVersion)
+ kg.Printf("Initialized Docker Handler (version: %s)", clientVersion)
- return docker
+ return docker, nil
 }
 // Close Function
@@ -202,7 +189,11 @@ func (dm *KubeArmorDaemon) SetContainerVisibility(containerID string) {
 func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 // check if Docker exists else instantiate
 if Docker == nil {
- Docker = NewDockerHandler()
+ var err error
+ Docker, err = NewDockerHandler()
+ if err != nil {
+ dm.Logger.Errf("Failed to create new Docker client: %s", err)
+ }
 }
 if containerList, err := Docker.DockerClient.ContainerList(context.Background(), types.ContainerListOptions{}); err == nil {
@@ -278,6 +269,8 @@ func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 dm.Logger.Printf("Detected a container (added/%.12s)", container.ContainerID)
 }
 }
+ } else {
+ dm.Logger.Warnf("Error while listing containers: %s", err)
 }
 }
@@ -425,7 +418,11 @@ func (dm *KubeArmorDaemon) MonitorDockerEvents() {
 // check if Docker exists else instantiate
 if Docker == nil {
- Docker = NewDockerHandler()
+ var err error
+ Docker, err = NewDockerHandler()
+ if err != nil {
+ dm.Logger.Errf("Failed to create new Docker client: %s", err)
+ }
 }
 dm.Logger.Print("Started to monitor Docker events")
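Review bot: Both `DockerClient.NegotiateAPIVersion(context.Background())` and `DockerClient.ServerVersion(context.Background())` in NewDockerHandler run without a deadline, so a daemon socket that accepts the connection but never answers blocks KubeArmor startup indefinitely; deriving one bounded context, `ctx, cancel := context.WithTimeout(context.Background(), <timeout-placeholder>)` with `defer cancel()`, and passing it to both calls gives the constructor a failure path instead of a hang. The mismatch warning below also looks noisier than intended: if I read NegotiateAPIVersion correctly it only lowers the client version when the server is older, so against a newer daemon `clientVersion` stays at the library default while `serverVersion.APIVersion` reports the daemon's maximum and the Warnf fires on every normal start; comparing against `serverVersion.MinAPIVersion` (the oldest version the daemon still accepts) or logging this at Printf level would be the real compatibility check. As a point of style, `DockerClient` is a local variable written like an exported identifier; `dockerClient` would match the rest of the function.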
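Review bot: In GetAlreadyDeployedDockerContainers the new error branch logs the failure but falls through, and because NewDockerHandler now returns `nil, err` the very next line, `Docker.DockerClient.ContainerList(...)`, dereferences a nil `*DockerHandler` and panics; the branch needs a `return` after `dm.Logger.Errf("Failed to create new Docker client: %s", err)`. The same fall-through is in the MonitorDockerEvents hunk, whose body continues past the hunk and presumably goes on to use `Docker` the same way. Leaving the package-level `Docker` nil on failure also means every later caller re-runs the constructor, so a failed connection is retried on each call; if that is intended, a comment on the `if Docker == nil` check saying so would help.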