core

package v0.0.0-...-7fb477a
Published: Feb 5, 2025 License: Apache-2.0 Imports: 69 Imported by: 1

Documentation

Overview

Package core is responsible for initiating and maintaining interactions between external entities like K8s and CRIs and internal KubeArmor entities like the eBPF Monitor and Log Feeders.

Index

Constants

const (
	KubeArmorPolicy        string = "KubeArmorPolicy"
	KubeArmorClusterPolicy string = "KubeArmorClusterPolicy"
)

Variables

var StopChan chan struct{}

StopChan Channel

Functions

func GetOSSigChannel

func GetOSSigChannel() chan os.Signal

GetOSSigChannel Function

func KubeArmor

func KubeArmor()

KubeArmor Function

Types

type ContainerdHandler

type ContainerdHandler struct {
	// contains filtered or unexported fields
}

ContainerdHandler Structure

var Containerd *ContainerdHandler

Containerd Handler

func NewContainerdHandler

func NewContainerdHandler() *ContainerdHandler

NewContainerdHandler Function

func (*ContainerdHandler) Close

func (ch *ContainerdHandler) Close()

Close Function

func (*ContainerdHandler) GetContainerInfo

func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID string, eventpid uint32, OwnerInfo map[string]tp.PodOwner) (tp.Container, error)

GetContainerInfo Function

func (*ContainerdHandler) GetContainerdContainers

func (ch *ContainerdHandler) GetContainerdContainers() map[string]context.Context

GetContainerdContainers Function

type CrioContainerInfo

type CrioContainerInfo struct {
	SandboxID   string    `json:"sandboxID"`
	Pid         int       `json:"pid"`
	RuntimeSpec spec.Spec `json:"runtimeSpec"`
	Privileged  bool      `json:"privileged"`
}

CrioContainerInfo struct corresponds to CRI-O's container info returned with container status

type CrioHandler

type CrioHandler struct {
	// contains filtered or unexported fields
}

CrioHandler Structure

var Crio *CrioHandler

Crio Handler

func NewCrioHandler

func NewCrioHandler() *CrioHandler

NewCrioHandler Function creates a new Crio handler

func (*CrioHandler) Close

func (ch *CrioHandler) Close()

Close the connection

func (*CrioHandler) GetContainerInfo

func (ch *CrioHandler) GetContainerInfo(ctx context.Context, containerID string, OwnerInfo map[string]tp.PodOwner) (tp.Container, error)

GetContainerInfo Function gets info of a particular container

func (*CrioHandler) GetCrioContainers

func (ch *CrioHandler) GetCrioContainers() (map[string]struct{}, error)

GetCrioContainers Function gets IDs of all containers

func (*CrioHandler) GetDeletedCrioContainers

func (ch *CrioHandler) GetDeletedCrioContainers(containers map[string]struct{}) map[string]struct{}

GetDeletedCrioContainers Function gets deleted crio containers

func (*CrioHandler) GetNewCrioContainers

func (ch *CrioHandler) GetNewCrioContainers(containers map[string]struct{}) map[string]struct{}

GetNewCrioContainers Function gets new crio containers

type DockerHandler

type DockerHandler struct {
	DockerClient *client.Client
	Version      DockerVersion

	// needed for container info
	NodeIP string
}

DockerHandler Structure

var Docker *DockerHandler

Docker Handler

func NewDockerHandler

func NewDockerHandler() (*DockerHandler, error)

NewDockerHandler Function

func (*DockerHandler) Close

func (dh *DockerHandler) Close()

Close Function

func (*DockerHandler) GetContainerInfo

func (dh *DockerHandler) GetContainerInfo(containerID string, OwnerInfo map[string]tp.PodOwner) (tp.Container, error)

GetContainerInfo Function

func (*DockerHandler) GetEventChannel

func (dh *DockerHandler) GetEventChannel() <-chan events.Message

GetEventChannel Function

type DockerVersion

type DockerVersion struct {
	APIVersion string `json:"ApiVersion"`
}

DockerVersion Structure

type K8sHandler

type K8sHandler struct {
	K8sClient   *kubernetes.Clientset
	KSPClient   *kspclient.Clientset
	HTTPClient  *http.Client
	WatchClient *http.Client

	K8sToken string
	K8sHost  string
	K8sPort  string
}

K8sHandler Structure

var K8s *K8sHandler

K8s Handler

func NewK8sHandler

func NewK8sHandler() *K8sHandler

NewK8sHandler Function

func (*K8sHandler) CheckCustomResourceDefinition

func (kh *K8sHandler) CheckCustomResourceDefinition(resourceName string) bool

CheckCustomResourceDefinition Function

func (*K8sHandler) DoRequest

func (kh *K8sHandler) DoRequest(cmd string, data interface{}, path string) ([]byte, error)

DoRequest Function

func (*K8sHandler) GetDaemonSet

func (kh *K8sHandler) GetDaemonSet(namespaceName, podownerName string) (string, string)

GetDaemonSet Function

func (*K8sHandler) GetDeploymentNameControllingReplicaSet

func (kh *K8sHandler) GetDeploymentNameControllingReplicaSet(namespaceName, podownerName string) (string, string)

GetDeploymentNameControllingReplicaSet Function

func (*K8sHandler) GetReplicaSet

func (kh *K8sHandler) GetReplicaSet(namespaceName, podownerName string) (string, string)

GetReplicaSet Function

func (*K8sHandler) GetStatefulSet

func (kh *K8sHandler) GetStatefulSet(namespaceName, podownerName string) (string, string)

GetStatefulSet Function

func (*K8sHandler) InitInclusterAPIClient

func (kh *K8sHandler) InitInclusterAPIClient() bool

InitInclusterAPIClient Function

func (*K8sHandler) InitK8sClient

func (kh *K8sHandler) InitK8sClient() bool

InitK8sClient Function

func (*K8sHandler) InitLocalAPIClient

func (kh *K8sHandler) InitLocalAPIClient() bool

InitLocalAPIClient Function

func (*K8sHandler) PatchDeploymentWithSELinuxAnnotations

func (kh *K8sHandler) PatchDeploymentWithSELinuxAnnotations(namespaceName, deploymentName string, seLinuxAnnotations map[string]string) error

PatchDeploymentWithSELinuxAnnotations Function

func (*K8sHandler) PatchResourceWithAppArmorAnnotations

func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploymentName string, appArmorAnnotations map[string]string, kind string) error

PatchResourceWithAppArmorAnnotations Function

func (*K8sHandler) WatchK8sHostSecurityPolicies

func (kh *K8sHandler) WatchK8sHostSecurityPolicies() *http.Response

WatchK8sHostSecurityPolicies Function

func (*K8sHandler) WatchK8sPods

func (kh *K8sHandler) WatchK8sPods(nodeName string) *http.Response

WatchK8sPods Function

func (*K8sHandler) WatchK8sSecurityPolicies

func (kh *K8sHandler) WatchK8sSecurityPolicies() *http.Response

WatchK8sSecurityPolicies Function

type KarmorData

type KarmorData struct {
	OSImage                 string
	KernelVersion           string
	KubeletVersion          string
	ContainerRuntime        string
	ActiveLSM               string
	KernelHeaderPresent     bool
	HostSecurity            bool
	ContainerSecurity       bool
	ContainerDefaultPosture tp.DefaultPosture
	HostDefaultPosture      tp.DefaultPosture
	HostVisibility          string
}

KarmorData Structure

type KubeArmorDaemon

type KubeArmorDaemon struct {
	// node
	Node     tp.Node
	NodeLock *sync.RWMutex

	// flag
	K8sEnabled bool

	// K8s pods (from kubernetes)
	K8sPods     []tp.K8sPod
	K8sPodsLock *sync.RWMutex

	// containers (from docker)
	Containers     map[string]tp.Container
	ContainersLock *sync.RWMutex

	// endpoints
	EndPoints     []tp.EndPoint
	EndPointsLock *sync.RWMutex

	// Owner Info
	OwnerInfo map[string]tp.PodOwner

	// Security policies
	SecurityPolicies     []tp.SecurityPolicy
	SecurityPoliciesLock *sync.RWMutex

	// Host Security policies
	HostSecurityPolicies     []tp.HostSecurityPolicy
	HostSecurityPoliciesLock *sync.RWMutex

	//DefaultPosture (namespace -> postures)
	DefaultPostures     map[string]tp.DefaultPosture
	DefaultPosturesLock *sync.Mutex

	// pid map
	ActiveHostPidMap map[string]tp.PidMap
	ActivePidMapLock *sync.RWMutex

	// logger
	Logger *fd.Feeder

	// system monitor
	SystemMonitor *mon.SystemMonitor

	// runtime enforcer
	RuntimeEnforcer *efc.RuntimeEnforcer

	// presets
	Presets *presets.Preset

	// kvm agent
	KVMAgent *kvm.KVMAgent

	// state agent
	StateAgent *state.StateAgent

	// WgDaemon Handler
	WgDaemon sync.WaitGroup

	// system monitor lock
	MonitorLock *sync.RWMutex

	// health-server
	GRPCHealthServer *health.Server
}

KubeArmorDaemon Structure

func NewKubeArmorDaemon

func NewKubeArmorDaemon() *KubeArmorDaemon

NewKubeArmorDaemon Function

func (*KubeArmorDaemon) CloseKVMAgent

func (dm *KubeArmorDaemon) CloseKVMAgent() bool

CloseKVMAgent Function

func (*KubeArmorDaemon) CloseLogger

func (dm *KubeArmorDaemon) CloseLogger() bool

CloseLogger Function

func (*KubeArmorDaemon) ClosePresets

func (dm *KubeArmorDaemon) ClosePresets() bool

ClosePresets Function

func (*KubeArmorDaemon) CloseRuntimeEnforcer

func (dm *KubeArmorDaemon) CloseRuntimeEnforcer() bool

CloseRuntimeEnforcer Function

func (*KubeArmorDaemon) CloseStateAgent

func (dm *KubeArmorDaemon) CloseStateAgent() bool

CloseStateAgent Function

func (*KubeArmorDaemon) CloseSystemMonitor

func (dm *KubeArmorDaemon) CloseSystemMonitor() bool

CloseSystemMonitor Function

func (*KubeArmorDaemon) ConnectToKVMService

func (dm *KubeArmorDaemon) ConnectToKVMService()

ConnectToKVMService Function

func (*KubeArmorDaemon) CreateSecurityPolicy

func (dm *KubeArmorDaemon) CreateSecurityPolicy(policyType string, securityPolicy interface{}) (secPolicy tp.SecurityPolicy, err error)

CreateSecurityPolicy - creates `KubeArmorPolicy` & `KubeArmorClusterPolicy` object from crd

func (*KubeArmorDaemon) DestroyKubeArmorDaemon

func (dm *KubeArmorDaemon) DestroyKubeArmorDaemon()

DestroyKubeArmorDaemon Function

func (*KubeArmorDaemon) GetAlreadyDeployedDockerContainers

func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers()

GetAlreadyDeployedDockerContainers Function

func (*KubeArmorDaemon) GetConfigMapNS

func (dm *KubeArmorDaemon) GetConfigMapNS() string

GetConfigMapNS Returns KubeArmor configmap namespace

func (*KubeArmorDaemon) GetSecurityPolicies

func (dm *KubeArmorDaemon) GetSecurityPolicies(identities []string, namespaceName string) []tp.SecurityPolicy

GetSecurityPolicies Function

func (*KubeArmorDaemon) HandleNodeAnnotations

func (dm *KubeArmorDaemon) HandleNodeAnnotations(node *tp.Node)

HandleNodeAnnotations handles node annotations, i.e. sets host visibility based on the annotations and enables or disables policy

func (*KubeArmorDaemon) HandleUnknownNamespaceNsMap

func (dm *KubeArmorDaemon) HandleUnknownNamespaceNsMap(container *tp.Container)

HandleUnknownNamespaceNsMap Function

func (*KubeArmorDaemon) InitKVMAgent

func (dm *KubeArmorDaemon) InitKVMAgent() bool

InitKVMAgent Function

func (*KubeArmorDaemon) InitLogger

func (dm *KubeArmorDaemon) InitLogger() bool

InitLogger Function

func (*KubeArmorDaemon) InitPresets

func (dm *KubeArmorDaemon) InitPresets(logger *fd.Feeder, monitor *mon.SystemMonitor) bool

InitPresets Function

func (*KubeArmorDaemon) InitRuntimeEnforcer

func (dm *KubeArmorDaemon) InitRuntimeEnforcer(pinpath string) bool

InitRuntimeEnforcer Function

func (*KubeArmorDaemon) InitStateAgent

func (dm *KubeArmorDaemon) InitStateAgent() bool

InitStateAgent Function

func (*KubeArmorDaemon) InitSystemMonitor

func (dm *KubeArmorDaemon) InitSystemMonitor() bool

InitSystemMonitor Function

func (*KubeArmorDaemon) MatchandRemoveContainerFromEndpoint

func (dm *KubeArmorDaemon) MatchandRemoveContainerFromEndpoint(cid string)

MatchandRemoveContainerFromEndpoint finds the relevant endpoint for the container and removes cid from its container list

func (*KubeArmorDaemon) MatchandUpdateContainerSecurityPolicies

func (dm *KubeArmorDaemon) MatchandUpdateContainerSecurityPolicies(cid string)

MatchandUpdateContainerSecurityPolicies finds the relevant endpoint for the container and updates its security policies for enforcement

func (*KubeArmorDaemon) MonitorContainerdEvents

func (dm *KubeArmorDaemon) MonitorContainerdEvents()

MonitorContainerdEvents Function

func (*KubeArmorDaemon) MonitorCrioEvents

func (dm *KubeArmorDaemon) MonitorCrioEvents()

MonitorCrioEvents Function

func (*KubeArmorDaemon) MonitorDockerEvents

func (dm *KubeArmorDaemon) MonitorDockerEvents()

MonitorDockerEvents Function

func (*KubeArmorDaemon) MonitorNRIEvents

func (dm *KubeArmorDaemon) MonitorNRIEvents()

MonitorNRIEvents monitors NRI events.

func (*KubeArmorDaemon) MonitorSystemEvents

func (dm *KubeArmorDaemon) MonitorSystemEvents()

MonitorSystemEvents Function

func (*KubeArmorDaemon) NewNRIHandler

func (dm *KubeArmorDaemon) NewNRIHandler(
	handleDeletedContainer func(tp.Container),
	handleNewContainer func(tp.Container),
) *NRIHandler

NewNRIHandler creates a new NRIHandler with the given event callbacks.

func (*KubeArmorDaemon) ParseAndUpdateContainerSecurityPolicy

func (dm *KubeArmorDaemon) ParseAndUpdateContainerSecurityPolicy(event tp.K8sKubeArmorPolicyEvent) pb.PolicyStatus

ParseAndUpdateContainerSecurityPolicy Function

func (*KubeArmorDaemon) ParseAndUpdateHostSecurityPolicy

func (dm *KubeArmorDaemon) ParseAndUpdateHostSecurityPolicy(event tp.K8sKubeArmorHostPolicyEvent) pb.PolicyStatus

ParseAndUpdateHostSecurityPolicy Function

func (*KubeArmorDaemon) ServeLogFeeds

func (dm *KubeArmorDaemon) ServeLogFeeds()

ServeLogFeeds Function

func (*KubeArmorDaemon) SetContainerNSVisibility

func (dm *KubeArmorDaemon) SetContainerNSVisibility()

SetContainerNSVisibility enables the visibility flag arguments for un-orchestrated containers and updates the visibility map

func (*KubeArmorDaemon) SetContainerVisibility

func (dm *KubeArmorDaemon) SetContainerVisibility(containerID string)

SetContainerVisibility enables the visibility flag arguments for an un-orchestrated container

func (*KubeArmorDaemon) SetHealthStatus

func (dm *KubeArmorDaemon) SetHealthStatus(serviceName string, healthStatus grpc_health_v1.HealthCheckResponse_ServingStatus) bool

SetHealthStatus Function (Health Server)

func (*KubeArmorDaemon) SetKarmorData

func (dm *KubeArmorDaemon) SetKarmorData()

SetKarmorData generates runtime configuration for KubeArmor to be consumed by kArmor

func (*KubeArmorDaemon) SetProbeContainerData

func (dm *KubeArmorDaemon) SetProbeContainerData() ([]string, map[string]*pb.ContainerData, map[string]*pb.HostSecurityPolicies)

SetProbeContainerData keeps track of containers and the applied policies

func (*KubeArmorDaemon) UpdateContainerdContainer

func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, containerID string, containerPid uint32, action string) bool

UpdateContainerdContainer Function

func (*KubeArmorDaemon) UpdateCrioContainer

func (dm *KubeArmorDaemon) UpdateCrioContainer(ctx context.Context, containerID, action string) bool

UpdateCrioContainer Function

func (*KubeArmorDaemon) UpdateDefaultPosture

func (dm *KubeArmorDaemon) UpdateDefaultPosture(action string, namespace string, defaultPosture tp.DefaultPosture, annotated bool)

UpdateDefaultPosture Function

func (*KubeArmorDaemon) UpdateDefaultPostureWithCM

func (dm *KubeArmorDaemon) UpdateDefaultPostureWithCM(endPoint *tp.EndPoint, action string, namespace string, defaultPosture tp.DefaultPosture, annotated bool)

UpdateDefaultPostureWithCM Function

func (*KubeArmorDaemon) UpdateDockerContainer

func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string)

UpdateDockerContainer Function

func (*KubeArmorDaemon) UpdateEndPointWithPod

func (dm *KubeArmorDaemon) UpdateEndPointWithPod(action string, pod tp.K8sPod)

UpdateEndPointWithPod Function

func (*KubeArmorDaemon) UpdateGlobalPosture

func (dm *KubeArmorDaemon) UpdateGlobalPosture(posture tp.DefaultPosture)

UpdateGlobalPosture Function

func (*KubeArmorDaemon) UpdateHostSecurityPolicies

func (dm *KubeArmorDaemon) UpdateHostSecurityPolicies()

UpdateHostSecurityPolicies Function

func (*KubeArmorDaemon) UpdateSecurityPolicy

func (dm *KubeArmorDaemon) UpdateSecurityPolicy(action string, secPolicyType string, secPolicy tp.SecurityPolicy)

UpdateSecurityPolicy Function

func (*KubeArmorDaemon) UpdateVisibility

func (dm *KubeArmorDaemon) UpdateVisibility(action string, namespace string, visibility tp.Visibility)

UpdateVisibility Function

func (*KubeArmorDaemon) WatchClusterSecurityPolicies

func (dm *KubeArmorDaemon) WatchClusterSecurityPolicies(timeout time.Duration) cache.InformerSynced

WatchClusterSecurityPolicies Function

func (*KubeArmorDaemon) WatchConfigChanges

func (dm *KubeArmorDaemon) WatchConfigChanges()

WatchConfigChanges watches for configuration changes and updates the default posture

func (*KubeArmorDaemon) WatchConfigMap

func (dm *KubeArmorDaemon) WatchConfigMap() cache.InformerSynced

WatchConfigMap Function

func (*KubeArmorDaemon) WatchDefaultPosture

func (dm *KubeArmorDaemon) WatchDefaultPosture() cache.InformerSynced

WatchDefaultPosture Function

func (*KubeArmorDaemon) WatchHostSecurityPolicies

func (dm *KubeArmorDaemon) WatchHostSecurityPolicies(timeout time.Duration)

WatchHostSecurityPolicies Function

func (*KubeArmorDaemon) WatchK8sNodes

func (dm *KubeArmorDaemon) WatchK8sNodes()

WatchK8sNodes Function

func (*KubeArmorDaemon) WatchK8sPods

func (dm *KubeArmorDaemon) WatchK8sPods()

WatchK8sPods Function

func (*KubeArmorDaemon) WatchSecurityPolicies

func (dm *KubeArmorDaemon) WatchSecurityPolicies() cache.InformerSynced

WatchSecurityPolicies Function

type NRIHandler

type NRIHandler struct {
	// contains filtered or unexported fields
}

NRIHandler connects to an NRI socket and informs on container creation/deletion events.

var NRI *NRIHandler

NRI Handler

func (*NRIHandler) Close

func (nh *NRIHandler) Close()

Close closes the NRI connection.

func (*NRIHandler) RemoveContainer

func (nh *NRIHandler) RemoveContainer(
	_ context.Context,
	_ *api.PodSandbox,
	nriContainer *api.Container,
) ([]*api.ContainerUpdate, error)

RemoveContainer is an NRI callback which is called after a container has exited.

In case StopContainer isn't called, we hook into RemoveContainer to ensure that we stop enforcing a container after it has exited. For example, the NRI API doesn't guarantee that StopContainer will be called if a container crashed unexpectedly.

func (*NRIHandler) Start

func (nh *NRIHandler) Start()

Start initiates a configured NRI connection.

func (*NRIHandler) StartContainer

func (nh *NRIHandler) StartContainer(
	_ context.Context,
	_ *api.PodSandbox,
	nriContainer *api.Container,
) error

StartContainer is an NRI callback which is called after a container has started.

Unfortunately we can't use the CreateContainer or PostCreateContainer NRI callbacks because they are called without a PID value, which is required in order to get the PID and mount namespaces of the container. This means that there is a short period of time between a container starting and KubeArmor enforcing it.

If StartContainer detects a container namespace ID overlap with a previous container (since Linux can reuse namespace IDs), it will override the old policy correctly, but any actions runc took to set up this container and start it will be logged/enforced as if they were the old container's actions. This should be exceedingly rare, but there's no way using just NRI that we can entirely avoid this scenario.

func (*NRIHandler) StopContainer

func (nh *NRIHandler) StopContainer(
	_ context.Context,
	_ *api.PodSandbox,
	nriContainer *api.Container,
) ([]*api.ContainerUpdate, error)

StopContainer is an NRI callback which is called before a container receives the signal to stop.

StopContainer is called synchronously before a termination signal is sent to a container, so in most cases we can be sure that we stop enforcing before the container shuts down. This means that if a new container reuses Linux namespace IDs from a previous container, then as long as that previous container did not crash unexpectedly, we will not accidentally enforce the new container with the old container's policy.

The tradeoff here is that once a container receives its termination signal, KubeArmor is no longer enforcing anything on it while it shuts down.
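The StartContainer/StopContainer/RemoveContainer ordering and the namespace-ID overlap case described above, as an added Go model that is not KubeArmor's code: containers are keyed by an assumed pair of PID and mount namespace inode numbers, StartContainer overrides a stale mapping left by a crashed container, and a late RemoveContainer for the displaced container is a no-op so it can never unmap the newer one.

```go
package main

import "sync"

// NsKey identifies a container by the inode numbers of its PID and mount
// namespaces; Linux may reuse them for a later container (assumed key; model only).
type NsKey struct{ PidNS, MntNS uint64 }
type tracked struct{ ID, Policy string }

// Tracker models the NRI bookkeeping: StartContainer maps namespace ids to a
// container and its policy, StopContainer unmaps synchronously before the
// stop signal, RemoveContainer is the post-exit fallback for crashed containers.
type Tracker struct {
	mu   sync.Mutex
	byNS map[NsKey]tracked
	byID map[string]NsKey
}

func NewTracker() *Tracker {
	return &Tracker{byNS: map[NsKey]tracked{}, byID: map[string]NsKey{}}
}

// StartContainer registers a started container. If its namespace ids still
// point at an earlier container whose StopContainer never fired (a crash), the
// stale mapping is overridden and the displaced container id is returned.
func (t *Tracker) StartContainer(id string, key NsKey, policy string) string {
	t.mu.Lock()
	defer t.mu.Unlock()
	displaced := ""
	if old, ok := t.byNS[key]; ok && old.ID != id {
		displaced = old.ID
		delete(t.byID, old.ID) // a late RemoveContainer(old.ID) must not unmap us
	}
	t.byNS[key] = tracked{ID: id, Policy: policy}
	t.byID[id] = key
	return displaced
}

// StopContainer unmaps before the stop signal; false if the id is unknown.
func (t *Tracker) StopContainer(id string) bool { return t.forget(id) }

// RemoveContainer is the post-exit fallback; a no-op after a successful
// StopContainer or once the id was displaced by a newer container.
func (t *Tracker) RemoveContainer(id string) bool { return t.forget(id) }

func (t *Tracker) forget(id string) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	key, ok := t.byID[id]
	if !ok {
		return false
	}
	delete(t.byID, id)
	delete(t.byNS, key)
	return true
}

// PolicyFor returns the policy enforced for the given namespace ids, or ""
// when no running container owns them.
func (t *Tracker) PolicyFor(key NsKey) string {
	t.mu.Lock()
	defer t.mu.Unlock()
	return t.byNS[key].Policy
}
```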

func (*NRIHandler) Synchronize

func (nh *NRIHandler) Synchronize(
	_ context.Context,
	_ []*api.PodSandbox,
	nriContainers []*api.Container,
) ([]*api.ContainerUpdate, error)

Synchronize is an NRI callback which is called at the beginning of an NRI socket connection to inform on all existing containers.

type Probe

type Probe struct {
	pb.ProbeServiceServer
	GetContainerData func() ([]string, map[string]*pb.ContainerData, map[string]*pb.HostSecurityPolicies)
}

Probe provides the structure to serve the Policy gRPC service

func (*Probe) GetProbeData

func (p *Probe) GetProbeData(c context.Context, in *empty.Empty) (*pb.ProbeResponse, error)

GetProbeData sends policy data to the gRPC client
