feat(core): add support for kata and confidential containers

Signed-off-by: rootxrishabh <[email protected]> Check kind instead of namespace for restoring policies Signed-off-by: Rishabh Soni <[email protected]> Add support for custom policy backup path Signed-off-by: Rishabh Soni <[email protected]> Restore and Backup policies in YAML instead of JSON Signed-off-by: Rishabh Soni <[email protected]> Refactor: Endpoint and map creation Signed-off-by: Rishabh Soni <[email protected]> Signed-off-by: rootxrishabh <[email protected]>
kubearmor · Jan 23, 2025 · 6ae831d · 6ae831d
1 parent 3a7003f
commit 6ae831d
Show file tree

Hide file tree

Showing 9 changed files with 358 additions and 209 deletions.
diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go
@@ -56,7 +56,10 @@ type KubearmorConfig struct {
 	DefaultPostureLogs bool     // Enable/Disable Default Posture logs for AppArmor LSM
 	InitTimeout        string   // Timeout for main thread init stages
 
-	StateAgent bool // enable KubeArmor state agent
+	UseOCIHooks bool   // Use OCI hooks for container visibility instead of CRI socket
+	HookPath    string // OCI hook path to use
+	StateAgent  bool   // enable KubeArmor state agent
+	RestorePath string // Path to restore policies from
 
 	AlertThrottling   bool  // Enable/Disable Alert Throttling
 	MaxAlertPerSec    int32 // Maximum alerts allowed per second
@@ -100,6 +103,9 @@ const (
 	ConfigCoverageTest                   string = "coverageTest"
 	ConfigK8sEnv                         string = "k8s"
 	ConfigDebug                          string = "debug"
+	UseOCIHooks                          string = "useOCIHooks"
+	HookPath                             string = "hookPath"
+	RestorePath                          string = "restorePath"
 	ConfigUntrackedNs                    string = "untrackedNs"
 	LsmOrder                             string = "lsm"
 	BPFFsPath                            string = "bpfFsPath"
@@ -162,6 +168,12 @@ func readCmdLineParams() {
 
 	stateAgent := flag.Bool(ConfigStateAgent, false, "enabling KubeArmor State Agent client")
 
+	useOCIHooks := flag.Bool(UseOCIHooks, false, "Use OCI hooks to get new containers instead of using container runtime socket")
+
+	hookPath := flag.String(HookPath, "/opt/output.json", "OCI hook path to use")
+
+	restorePath := flag.String(RestorePath, PolicyDir, "Path to restore policies from")
+
 	alertThrottling := flag.Bool(ConfigAlertThrottling, true, "enabling Alert Throttling")
 
 	maxAlertPerSec := flag.Int(ConfigMaxAlertPerSec, 10, "Maximum alerts allowed per second")
@@ -228,6 +240,12 @@ func readCmdLineParams() {
 
 	viper.SetDefault(ConfigStateAgent, *stateAgent)
 
+	viper.SetDefault(UseOCIHooks, *useOCIHooks)
+
+	viper.SetDefault(HookPath, *hookPath)
+
+	viper.SetDefault(RestorePath, *restorePath)
+
 	viper.SetDefault(ConfigAlertThrottling, *alertThrottling)
 
 	viper.SetDefault(ConfigMaxAlertPerSec, *maxAlertPerSec)
@@ -351,6 +369,16 @@ func LoadDynamicConfig() {
 	GlobalCfg.EnforcerAlerts = viper.GetBool(EnforcerAlerts)
 	GlobalCfg.DefaultPostureLogs = viper.GetBool(ConfigDefaultPostureLogs)
 
+	GlobalCfg.InitTimeout = viper.GetString(ConfigInitTimeout)
+
+	GlobalCfg.StateAgent = viper.GetBool(ConfigStateAgent)
+
+	GlobalCfg.UseOCIHooks = viper.GetBool(UseOCIHooks)
+
+	GlobalCfg.HookPath = viper.GetString(HookPath)
+
+	GlobalCfg.RestorePath = viper.GetString(RestorePath)
+
 	GlobalCfg.AlertThrottling = viper.GetBool(ConfigAlertThrottling)
 	GlobalCfg.MaxAlertPerSec = int32(viper.GetInt(ConfigMaxAlertPerSec))
 	GlobalCfg.ThrottleSec = int32(viper.GetInt(ConfigThrottleSec))

diff --git a/KubeArmor/core/containerdHandler.go b/KubeArmor/core/containerdHandler.go
@@ -345,61 +345,11 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 					}
 				}
 
-				switch endPointEvent {
-				case "ADDED":
-					endPoint.EndPointName = container.ContainerName
-					endPoint.ContainerName = container.ContainerName
-					endPoint.NamespaceName = container.NamespaceName
-
-					endPoint.Containers = []string{container.ContainerID}
-
-					endPoint.Labels = containerLabels
-					endPoint.Identities = containerIdentities
-
-					endPoint.PolicyEnabled = tp.KubeArmorPolicyEnabled
-					endPoint.ProcessVisibilityEnabled = true
-					endPoint.FileVisibilityEnabled = true
-					endPoint.NetworkVisibilityEnabled = true
-					endPoint.CapabilitiesVisibilityEnabled = true
-
-					endPoint.AppArmorProfiles = []string{"kubearmor_" + container.ContainerName}
-
-					globalDefaultPosture := tp.DefaultPosture{
-						FileAction:         cfg.GlobalCfg.DefaultFilePosture,
-						NetworkAction:      cfg.GlobalCfg.DefaultNetworkPosture,
-						CapabilitiesAction: cfg.GlobalCfg.DefaultCapabilitiesPosture,
-					}
-					endPoint.DefaultPosture = globalDefaultPosture
-
-					dm.SecurityPoliciesLock.RLock()
-					for _, secPol := range dm.SecurityPolicies {
-						if kl.MatchIdentities(secPol.Spec.Selector.Identities, endPoint.Identities) {
-							endPoint.SecurityPolicies = append(endPoint.SecurityPolicies, secPol)
-						}
-					}
-					dm.SecurityPoliciesLock.RUnlock()
-
-					dm.EndPoints = append(dm.EndPoints, endPoint)
-				case "UPDATED":
-					// in case of AppArmor enforcement when endPoint has to be created first
-					endPoint.Containers = append(endPoint.Containers, container.ContainerID)
-
-					// if this container has any additional identities, add them
-					endPoint.Identities = append(endPoint.Identities, containerIdentities...)
-					endPoint.Identities = slices.Compact(endPoint.Identities)
-
-					// add other policies
-					endPoint.SecurityPolicies = []tp.SecurityPolicy{}
-					dm.SecurityPoliciesLock.RLock()
-					for _, secPol := range dm.SecurityPolicies {
-						if kl.MatchIdentities(secPol.Spec.Selector.Identities, endPoint.Identities) {
-							endPoint.SecurityPolicies = append(endPoint.SecurityPolicies, secPol)
-						}
-					}
-					dm.SecurityPoliciesLock.RUnlock()
-
+				dm.CreateEndpoint(&endPoint, container, containerLabels, containerIdentities, endPointEvent)
+				if endPointEvent == "UPDATED" {
 					dm.EndPoints[endPointIdx] = endPoint
 				}
+
 				dm.EndPointsLock.Unlock()
 			}
 
@@ -468,29 +418,7 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 
 		if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
 			// for throttling
-			dm.SystemMonitor.Logger.ContainerNsKey[containerID] = common.OuterKey{
-				MntNs: container.MntNS,
-				PidNs: container.PidNS,
-			}
-
-			// update NsMap
-			dm.SystemMonitor.AddContainerIDToNsMap(containerID, container.NamespaceName, container.PidNS, container.MntNS)
-			dm.RuntimeEnforcer.RegisterContainer(containerID, container.PidNS, container.MntNS)
-			if dm.Presets != nil {
-				dm.Presets.RegisterContainer(container.ContainerID, container.PidNS, container.MntNS)
-			}
-
-			if len(endPoint.SecurityPolicies) > 0 { // struct can be empty or no policies registered for the endPoint yet
-				dm.Logger.UpdateSecurityPolicies("ADDED", endPoint)
-				if dm.RuntimeEnforcer != nil && endPoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
-					// enforce security policies
-					dm.RuntimeEnforcer.UpdateSecurityPolicies(endPoint)
-				}
-				if dm.Presets != nil && endPoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
-					// enforce preset rules
-					dm.Presets.UpdateSecurityPolicies(endPoint)
-				}
-			}
+			dm.PopulateMaps(endPoint, container)
 		}
 
 		if cfg.GlobalCfg.StateAgent {

diff --git a/KubeArmor/core/crioHandler.go b/KubeArmor/core/crioHandler.go
@@ -12,7 +12,6 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/kubearmor/KubeArmor/KubeArmor/common"
 	kl "github.com/kubearmor/KubeArmor/KubeArmor/common"
 	cfg "github.com/kubearmor/KubeArmor/KubeArmor/config"
 	kg "github.com/kubearmor/KubeArmor/KubeArmor/log"
@@ -268,29 +267,7 @@ func (dm *KubeArmorDaemon) UpdateCrioContainer(ctx context.Context, containerID,
 
 		if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
 			// for throttling
-			dm.SystemMonitor.Logger.ContainerNsKey[containerID] = common.OuterKey{
-				MntNs: container.MntNS,
-				PidNs: container.PidNS,
-			}
-
-			// update NsMap
-			dm.SystemMonitor.AddContainerIDToNsMap(containerID, container.NamespaceName, container.PidNS, container.MntNS)
-			dm.RuntimeEnforcer.RegisterContainer(containerID, container.PidNS, container.MntNS)
-			if dm.Presets != nil {
-				dm.Presets.RegisterContainer(containerID, container.PidNS, container.MntNS)
-			}
-
-			if len(endpoint.SecurityPolicies) > 0 { // struct can be empty or no policies registered for the endpoint yet
-				dm.Logger.UpdateSecurityPolicies("ADDED", endpoint)
-				if dm.RuntimeEnforcer != nil && endpoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
-					// enforce security policies
-					dm.RuntimeEnforcer.UpdateSecurityPolicies(endpoint)
-				}
-				if dm.Presets != nil && endpoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
-					// enforce preset rules
-					dm.Presets.UpdateSecurityPolicies(endpoint)
-				}
-			}
+			dm.PopulateMaps(endpoint, container)
 		}
 
 		if !dm.K8sEnabled {

diff --git a/KubeArmor/core/dockerHandler.go b/KubeArmor/core/dockerHandler.go
@@ -424,29 +424,7 @@ func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 
 				if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
 					// for throttling
-					dm.SystemMonitor.Logger.ContainerNsKey[container.ContainerID] = common.OuterKey{
-						MntNs: container.MntNS,
-						PidNs: container.PidNS,
-					}
-
-					// update NsMap
-					dm.SystemMonitor.AddContainerIDToNsMap(container.ContainerID, container.NamespaceName, container.PidNS, container.MntNS)
-					dm.RuntimeEnforcer.RegisterContainer(container.ContainerID, container.PidNS, container.MntNS)
-					if dm.Presets != nil {
-						dm.Presets.RegisterContainer(container.ContainerID, container.PidNS, container.MntNS)
-					}
-
-					if len(endPoint.SecurityPolicies) > 0 { // struct can be empty or no policies registered for the endpoint yet
-						dm.Logger.UpdateSecurityPolicies("ADDED", endPoint)
-						if dm.RuntimeEnforcer != nil && endPoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
-							// enforce security policies
-							dm.RuntimeEnforcer.UpdateSecurityPolicies(endPoint)
-						}
-						if dm.Presets != nil && endPoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
-							// enforce preset rules
-							dm.Presets.UpdateSecurityPolicies(endPoint)
-						}
-					}
+					dm.PopulateMaps(endPoint, container)
 				}
 
 				dm.Logger.Printf("Detected a container (added/%.12s)", container.ContainerID)
@@ -504,61 +482,11 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
 					}
 				}
 
-				switch endPointEvent {
-				case "ADDED":
-					endPoint.EndPointName = container.ContainerName
-					endPoint.ContainerName = container.ContainerName
-					endPoint.NamespaceName = container.NamespaceName
-
-					endPoint.Containers = []string{container.ContainerID}
-
-					endPoint.Labels = containerLabels
-					endPoint.Identities = containerIdentities
-
-					endPoint.PolicyEnabled = tp.KubeArmorPolicyEnabled
-					endPoint.ProcessVisibilityEnabled = true
-					endPoint.FileVisibilityEnabled = true
-					endPoint.NetworkVisibilityEnabled = true
-					endPoint.CapabilitiesVisibilityEnabled = true
-
-					endPoint.AppArmorProfiles = []string{"kubearmor_" + container.ContainerName}
-
-					globalDefaultPosture := tp.DefaultPosture{
-						FileAction:         cfg.GlobalCfg.DefaultFilePosture,
-						NetworkAction:      cfg.GlobalCfg.DefaultNetworkPosture,
-						CapabilitiesAction: cfg.GlobalCfg.DefaultCapabilitiesPosture,
-					}
-					endPoint.DefaultPosture = globalDefaultPosture
-
-					dm.SecurityPoliciesLock.RLock()
-					for _, secPol := range dm.SecurityPolicies {
-						if kl.MatchIdentities(secPol.Spec.Selector.Identities, endPoint.Identities) {
-							endPoint.SecurityPolicies = append(endPoint.SecurityPolicies, secPol)
-						}
-					}
-					dm.SecurityPoliciesLock.RUnlock()
-
-					dm.EndPoints = append(dm.EndPoints, endPoint)
-				case "UPDATED":
-					// in case of AppArmor enforcement when endpoint has to be created first
-					endPoint.Containers = append(endPoint.Containers, container.ContainerID)
-
-					// if this container has any additional identities, add them
-					endPoint.Identities = append(endPoint.Identities, containerIdentities...)
-					endPoint.Identities = slices.Compact(endPoint.Identities)
-
-					// add other policies
-					endPoint.SecurityPolicies = []tp.SecurityPolicy{}
-					dm.SecurityPoliciesLock.RLock()
-					for _, secPol := range dm.SecurityPolicies {
-						if kl.MatchIdentities(secPol.Spec.Selector.Identities, endPoint.Identities) {
-							endPoint.SecurityPolicies = append(endPoint.SecurityPolicies, secPol)
-						}
-					}
-					dm.SecurityPoliciesLock.RUnlock()
-
+				dm.CreateEndpoint(&endPoint, container, containerLabels, containerIdentities, endPointEvent)
+				if endPointEvent == "UPDATED" {
 					dm.EndPoints[endPointIdx] = endPoint
 				}
+
 				dm.EndPointsLock.Unlock()
 			}