

Overview


Package core is responsible for initiating and maintaining interactions between external entities such as K8s and CRIs and internal KubeArmor entities such as the eBPF Monitor and Log Feeders.

Index

Constants

// Policy kinds handled by this package. The values are the CRD kind names
// and are presumably the accepted policyType arguments of
// CreateSecurityPolicy — confirm against its callers.
const (
	KubeArmorPolicy        string = "KubeArmorPolicy"
	KubeArmorClusterPolicy string = "KubeArmorClusterPolicy"
)

Variables

// StopChan is the package-level shutdown signal channel. Its zero value is
// nil, so it must be made (presumably during KubeArmor startup — confirm)
// before anything closes or receives on it; a receive on a nil channel
// blocks forever.
var StopChan chan struct{}

StopChan Channel

Functions

func GetOSSigChannel

func GetOSSigChannel() chan os.Signal

GetOSSigChannel Function

func KubeArmor

func KubeArmor()

KubeArmor Function

Types

type ContainerdHandler

// ContainerdHandler wraps the connection to a containerd runtime; its state
// is unexported, so use NewContainerdHandler to construct one and Close to
// release it.
type ContainerdHandler struct {
	// contains filtered or unexported fields
}

ContainerdHandler Structure

// Containerd is the package-level containerd handler. It is nil until
// assigned (presumably with NewContainerdHandler — confirm), so callers must
// nil-check before dereferencing.
var Containerd *ContainerdHandler

Containerd Handler

func NewContainerdHandler

func NewContainerdHandler() *ContainerdHandler

NewContainerdHandler Function

func (*ContainerdHandler) Close

func (ch *ContainerdHandler) Close()

Close Function

func (*ContainerdHandler) GetContainerInfo

func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID string, OwnerInfo map[string]tp.PodOwner) (tp.Container, error)

GetContainerInfo Function

func (*ContainerdHandler) GetContainerdContainers

func (ch *ContainerdHandler) GetContainerdContainers() map[string]context.Context

GetContainerdContainers Function

func (*ContainerdHandler) GetDeletedContainerdContainers

func (ch *ContainerdHandler) GetDeletedContainerdContainers(containers map[string]context.Context) map[string]context.Context

GetDeletedContainerdContainers Function

func (*ContainerdHandler) GetNewContainerdContainers

func (ch *ContainerdHandler) GetNewContainerdContainers(containers map[string]context.Context) map[string]context.Context

GetNewContainerdContainers Function

type CrioContainerInfo

// CrioContainerInfo mirrors the container info JSON that CRI-O returns with
// a container status. Field names follow CRI-O's wire format via the json
// tags; do not rename the tags.
type CrioContainerInfo struct {
	SandboxID   string    `json:"sandboxID"`   // pod sandbox the container belongs to
	Pid         int       `json:"pid"`         // host PID of the container's init process — presumably; verify against CRI-O
	RuntimeSpec spec.Spec `json:"runtimeSpec"` // OCI runtime spec of the container
	Privileged  bool      `json:"privileged"`  // security-relevant: a privileged container bypasses most isolation
}

CrioContainerInfo struct corresponds to CRI-O's container info returned with container status

type CrioHandler

// CrioHandler wraps the connection to a CRI-O runtime; its state is
// unexported, so use NewCrioHandler to construct one and Close to release it.
type CrioHandler struct {
	// contains filtered or unexported fields
}

CrioHandler Structure

// Crio is the package-level CRI-O handler. It is nil until assigned
// (presumably with NewCrioHandler — confirm), so callers must nil-check
// before dereferencing.
var Crio *CrioHandler

Crio Handler

func NewCrioHandler

func NewCrioHandler() *CrioHandler

NewCrioHandler Function creates a new Crio handler

func (*CrioHandler) Close

func (ch *CrioHandler) Close()

Close the connection

func (*CrioHandler) GetContainerInfo

func (ch *CrioHandler) GetContainerInfo(ctx context.Context, containerID string, OwnerInfo map[string]tp.PodOwner) (tp.Container, error)

GetContainerInfo Function gets info of a particular container

func (*CrioHandler) GetCrioContainers

func (ch *CrioHandler) GetCrioContainers() (map[string]struct{}, error)

GetCrioContainers Function gets IDs of all containers

func (*CrioHandler) GetDeletedCrioContainers

func (ch *CrioHandler) GetDeletedCrioContainers(containers map[string]struct{}) map[string]struct{}

GetDeletedCrioContainers Function gets deleted crio containers

func (*CrioHandler) GetNewCrioContainers

func (ch *CrioHandler) GetNewCrioContainers(containers map[string]struct{}) map[string]struct{}

GetNewCrioContainers Function gets new crio containers

type DockerHandler

// DockerHandler holds the Docker API client plus the metadata needed to
// build tp.Container records. Construct with NewDockerHandler and release
// with Close.
type DockerHandler struct {
	DockerClient *client.Client // Docker Engine API client
	Version      DockerVersion  // API version reported by the daemon

	// needed for container info
	NodeIP string
}

DockerHandler Structure

// Docker is the package-level Docker handler. It is nil until assigned
// (presumably with NewDockerHandler — confirm), so callers must nil-check
// before dereferencing.
var Docker *DockerHandler

Docker Handler

func NewDockerHandler

func NewDockerHandler() (*DockerHandler, error)

NewDockerHandler Function

func (*DockerHandler) Close

func (dh *DockerHandler) Close()

Close Function

func (*DockerHandler) GetContainerInfo

func (dh *DockerHandler) GetContainerInfo(containerID string, OwnerInfo map[string]tp.PodOwner) (tp.Container, error)

GetContainerInfo Function

func (*DockerHandler) GetEventChannel

func (dh *DockerHandler) GetEventChannel() <-chan events.Message

GetEventChannel Function

type DockerVersion

// DockerVersion is the subset of the Docker version response this package
// decodes. The json tag deliberately uses Docker's `ApiVersion` casing rather
// than Go's `APIVersion`; keep them distinct.
type DockerVersion struct {
	APIVersion string `json:"ApiVersion"`
}

DockerVersion Structure

type K8sHandler

// K8sHandler bundles the typed Kubernetes clients and the raw HTTP clients
// used for direct API-server requests and watches. Construct with
// NewK8sHandler and initialise with one of the Init* methods.
//
// K8sToken is presumably the bearer credential for the API server — treat it
// as a secret: do not log or serialise this struct (e.g. with %+v).
type K8sHandler struct {
	K8sClient   *kubernetes.Clientset // typed core API client
	KSPClient   *kspclient.Clientset  // typed client for KubeArmor policy CRDs
	HTTPClient  *http.Client          // raw client for DoRequest
	WatchClient *http.Client          // raw client for the long-lived Watch* requests

	K8sToken string // API-server credential; secret, see type comment
	K8sHost  string
	K8sPort  string
}

K8sHandler Structure

// K8s is the package-level Kubernetes handler. It is nil until assigned
// (presumably with NewK8sHandler — confirm), so callers must nil-check
// before dereferencing.
var K8s *K8sHandler

K8s Handler

func NewK8sHandler

func NewK8sHandler() *K8sHandler

NewK8sHandler Function

func (*K8sHandler) CheckCustomResourceDefinition

func (kh *K8sHandler) CheckCustomResourceDefinition(resourceName string) bool

CheckCustomResourceDefinition Function

func (*K8sHandler) DoRequest

func (kh *K8sHandler) DoRequest(cmd string, data interface{}, path string) ([]byte, error)

DoRequest Function

func (*K8sHandler) GetDaemonSet

func (kh *K8sHandler) GetDaemonSet(namespaceName, podownerName string) (string, string)

GetDaemonSet Function

func (*K8sHandler) GetDeploymentNameControllingReplicaSet

func (kh *K8sHandler) GetDeploymentNameControllingReplicaSet(namespaceName, podownerName string) (string, string)

GetDeploymentNameControllingReplicaSet Function

func (*K8sHandler) GetReplicaSet

func (kh *K8sHandler) GetReplicaSet(namespaceName, podownerName string) (string, string)

GetReplicaSet Function

func (*K8sHandler) GetStatefulSet

func (kh *K8sHandler) GetStatefulSet(namespaceName, podownerName string) (string, string)

GetStatefulSet Function

func (*K8sHandler) InitInclusterAPIClient

func (kh *K8sHandler) InitInclusterAPIClient() bool

InitInclusterAPIClient Function

func (*K8sHandler) InitK8sClient

func (kh *K8sHandler) InitK8sClient() bool

InitK8sClient Function

func (*K8sHandler) InitLocalAPIClient

func (kh *K8sHandler) InitLocalAPIClient() bool

InitLocalAPIClient Function

func (*K8sHandler) PatchDeploymentWithSELinuxAnnotations

func (kh *K8sHandler) PatchDeploymentWithSELinuxAnnotations(namespaceName, deploymentName string, seLinuxAnnotations map[string]string) error

PatchDeploymentWithSELinuxAnnotations Function

func (*K8sHandler) PatchResourceWithAppArmorAnnotations

func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploymentName string, appArmorAnnotations map[string]string, kind string) error

PatchResourceWithAppArmorAnnotations Function

func (*K8sHandler) WatchK8sHostSecurityPolicies

func (kh *K8sHandler) WatchK8sHostSecurityPolicies() *http.Response

WatchK8sHostSecurityPolicies Function

func (*K8sHandler) WatchK8sPods

func (kh *K8sHandler) WatchK8sPods(nodeName string) *http.Response

WatchK8sPods Function

func (*K8sHandler) WatchK8sSecurityPolicies

func (kh *K8sHandler) WatchK8sSecurityPolicies() *http.Response

WatchK8sSecurityPolicies Function

type KarmorData

// KarmorData is the runtime configuration snapshot that SetKarmorData
// produces for consumption by the kArmor CLI.
type KarmorData struct {
	OSImage                 string
	KernelVersion           string
	KubeletVersion          string
	ContainerRuntime        string
	ActiveLSM               string            // LSM in use by the enforcer (e.g. AppArmor/SELinux/BPF — presumably; confirm)
	KernelHeaderPresent     bool
	HostSecurity            bool              // whether host policy enforcement is enabled
	ContainerSecurity       bool              // whether container policy enforcement is enabled
	ContainerDefaultPosture tp.DefaultPosture // posture applied when no policy matches a container
	HostDefaultPosture      tp.DefaultPosture // posture applied when no policy matches the host
	HostVisibility          string
}

KarmorData Structure

type KubeArmorDaemon

// KubeArmorDaemon is the central state of the agent: the node, the
// workloads it knows about, the active policies, and the subsystems
// (monitor, enforcer, logger, agents) it drives.
//
// Every *Lock field is a pointer, so it is nil until NewKubeArmorDaemon
// (presumably) allocates it; locking a nil mutex panics. WgDaemon is a
// value-type WaitGroup, so the struct must be used through a *KubeArmorDaemon
// and never copied.
type KubeArmorDaemon struct {
	// node
	Node     tp.Node
	NodeLock *sync.RWMutex

	// flag
	K8sEnabled bool // true when running against a Kubernetes cluster rather than standalone

	// K8s pods (from kubernetes)
	K8sPods     []tp.K8sPod
	K8sPodsLock *sync.RWMutex

	// containers (from docker)
	// NOTE(review): also populated by the containerd and CRI-O update paths
	// (UpdateContainerdContainer/UpdateCrioContainer) — the comment above is
	// narrower than current usage.
	Containers     map[string]tp.Container
	ContainersLock *sync.RWMutex

	// endpoints
	EndPoints     []tp.EndPoint
	EndPointsLock *sync.RWMutex

	// Owner Info
	OwnerInfo map[string]tp.PodOwner

	// Security policies
	SecurityPolicies     []tp.SecurityPolicy
	SecurityPoliciesLock *sync.RWMutex

	// Host Security policies
	HostSecurityPolicies     []tp.HostSecurityPolicy
	HostSecurityPoliciesLock *sync.RWMutex

	//DefaultPosture (namespace -> postures)
	DefaultPostures     map[string]tp.DefaultPosture
	DefaultPosturesLock *sync.Mutex // plain Mutex, unlike the RWMutex used elsewhere

	// pid map
	ActiveHostPidMap map[string]tp.PidMap
	ActivePidMapLock *sync.RWMutex

	// logger
	Logger *fd.Feeder

	// system monitor
	SystemMonitor *mon.SystemMonitor

	// runtime enforcer
	RuntimeEnforcer *efc.RuntimeEnforcer

	// kvm agent
	KVMAgent *kvm.KVMAgent

	// state agent
	StateAgent *state.StateAgent

	// WgDaemon Handler
	WgDaemon sync.WaitGroup // value type: do not copy the daemon

	// system monitor lock
	MonitorLock *sync.RWMutex

	// health-server
	GRPCHealthServer *health.Server
}

KubeArmorDaemon Structure

func NewKubeArmorDaemon

func NewKubeArmorDaemon() *KubeArmorDaemon

NewKubeArmorDaemon Function

func (*KubeArmorDaemon) CloseKVMAgent

func (dm *KubeArmorDaemon) CloseKVMAgent() bool

CloseKVMAgent Function

func (*KubeArmorDaemon) CloseLogger

func (dm *KubeArmorDaemon) CloseLogger() bool

CloseLogger Function

func (*KubeArmorDaemon) CloseRuntimeEnforcer

func (dm *KubeArmorDaemon) CloseRuntimeEnforcer() bool

CloseRuntimeEnforcer Function

func (*KubeArmorDaemon) CloseStateAgent

func (dm *KubeArmorDaemon) CloseStateAgent() bool

CloseStateAgent Function

func (*KubeArmorDaemon) CloseSystemMonitor

func (dm *KubeArmorDaemon) CloseSystemMonitor() bool

CloseSystemMonitor Function

func (*KubeArmorDaemon) ConnectToKVMService

func (dm *KubeArmorDaemon) ConnectToKVMService()

ConnectToKVMService Function

func (*KubeArmorDaemon) CreateSecurityPolicy

func (dm *KubeArmorDaemon) CreateSecurityPolicy(policyType string, securityPolicy interface{}) (secPolicy tp.SecurityPolicy, err error)

CreateSecurityPolicy creates a `KubeArmorPolicy` or `KubeArmorClusterPolicy` object from the CRD, selected by policyType

func (*KubeArmorDaemon) DestroyKubeArmorDaemon

func (dm *KubeArmorDaemon) DestroyKubeArmorDaemon()

DestroyKubeArmorDaemon Function

func (*KubeArmorDaemon) GetAlreadyDeployedDockerContainers

func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers()

GetAlreadyDeployedDockerContainers Function

func (*KubeArmorDaemon) GetConfigMapNS

func (dm *KubeArmorDaemon) GetConfigMapNS() string

GetConfigMapNS Returns KubeArmor configmap namespace

func (*KubeArmorDaemon) GetSecurityPolicies

func (dm *KubeArmorDaemon) GetSecurityPolicies(identities []string, namespaceName string) []tp.SecurityPolicy

GetSecurityPolicies Function

func (*KubeArmorDaemon) HandleNodeAnnotations

func (dm *KubeArmorDaemon) HandleNodeAnnotations(node *tp.Node)

HandleNodeAnnotations handles node annotations, i.e. sets host visibility based on the annotations and enables/disables policy

func (*KubeArmorDaemon) HandleUnknownNamespaceNsMap

func (dm *KubeArmorDaemon) HandleUnknownNamespaceNsMap(container *tp.Container)

HandleUnknownNamespaceNsMap Function

func (*KubeArmorDaemon) InitKVMAgent

func (dm *KubeArmorDaemon) InitKVMAgent() bool

InitKVMAgent Function

func (*KubeArmorDaemon) InitLogger

func (dm *KubeArmorDaemon) InitLogger() bool

InitLogger Function

func (*KubeArmorDaemon) InitRuntimeEnforcer

func (dm *KubeArmorDaemon) InitRuntimeEnforcer(pinpath string) bool

InitRuntimeEnforcer Function

func (*KubeArmorDaemon) InitStateAgent

func (dm *KubeArmorDaemon) InitStateAgent() bool

InitStateAgent Function

func (*KubeArmorDaemon) InitSystemMonitor

func (dm *KubeArmorDaemon) InitSystemMonitor() bool

InitSystemMonitor Function

func (*KubeArmorDaemon) MatchandRemoveContainerFromEndpoint

func (dm *KubeArmorDaemon) MatchandRemoveContainerFromEndpoint(cid string)

MatchandRemoveContainerFromEndpoint finds the relevant endpoint for the container and removes cid from its container list

func (*KubeArmorDaemon) MatchandUpdateContainerSecurityPolicies

func (dm *KubeArmorDaemon) MatchandUpdateContainerSecurityPolicies(cid string)

MatchandUpdateContainerSecurityPolicies finds the relevant endpoint for the container and updates the security policies for enforcement

func (*KubeArmorDaemon) MonitorContainerdEvents

func (dm *KubeArmorDaemon) MonitorContainerdEvents()

MonitorContainerdEvents Function

func (*KubeArmorDaemon) MonitorCrioEvents

func (dm *KubeArmorDaemon) MonitorCrioEvents()

MonitorCrioEvents Function

func (*KubeArmorDaemon) MonitorDockerEvents

func (dm *KubeArmorDaemon) MonitorDockerEvents()

MonitorDockerEvents Function

func (*KubeArmorDaemon) MonitorSystemEvents

func (dm *KubeArmorDaemon) MonitorSystemEvents()

MonitorSystemEvents Function

func (*KubeArmorDaemon) ParseAndUpdateContainerSecurityPolicy

func (dm *KubeArmorDaemon) ParseAndUpdateContainerSecurityPolicy(event tp.K8sKubeArmorPolicyEvent) pb.PolicyStatus

ParseAndUpdateContainerSecurityPolicy Function

func (*KubeArmorDaemon) ParseAndUpdateHostSecurityPolicy

func (dm *KubeArmorDaemon) ParseAndUpdateHostSecurityPolicy(event tp.K8sKubeArmorHostPolicyEvent) pb.PolicyStatus

ParseAndUpdateHostSecurityPolicy Function

func (*KubeArmorDaemon) ServeLogFeeds

func (dm *KubeArmorDaemon) ServeLogFeeds()

ServeLogFeeds Function

func (*KubeArmorDaemon) SetContainerNSVisibility

func (dm *KubeArmorDaemon) SetContainerNSVisibility()

SetContainerNSVisibility function enables visibility flag arguments for un-orchestrated containers and updates the visibility map

func (*KubeArmorDaemon) SetContainerVisibility

func (dm *KubeArmorDaemon) SetContainerVisibility(containerID string)

SetContainerVisibility function enables visibility flag arguments for an un-orchestrated container

func (*KubeArmorDaemon) SetHealthStatus

func (dm *KubeArmorDaemon) SetHealthStatus(serviceName string, healthStatus grpc_health_v1.HealthCheckResponse_ServingStatus) bool

SetHealthStatus Function (Health Server section)

func (*KubeArmorDaemon) SetKarmorData

func (dm *KubeArmorDaemon) SetKarmorData()

SetKarmorData generates runtime configuration for KubeArmor to be consumed by kArmor

func (*KubeArmorDaemon) SetProbeContainerData

func (dm *KubeArmorDaemon) SetProbeContainerData() ([]string, map[string]*pb.ContainerData, map[string]*pb.HostSecurityPolicies)

SetProbeContainerData keeps track of containers and the applied policies

func (*KubeArmorDaemon) UpdateContainerdContainer

func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, containerID, action string) bool

UpdateContainerdContainer Function

func (*KubeArmorDaemon) UpdateCrioContainer

func (dm *KubeArmorDaemon) UpdateCrioContainer(ctx context.Context, containerID, action string) bool

UpdateCrioContainer Function

func (*KubeArmorDaemon) UpdateDefaultPosture

func (dm *KubeArmorDaemon) UpdateDefaultPosture(action string, namespace string, defaultPosture tp.DefaultPosture, annotated bool)

UpdateDefaultPosture Function

func (*KubeArmorDaemon) UpdateDefaultPostureWithCM

func (dm *KubeArmorDaemon) UpdateDefaultPostureWithCM(endPoint *tp.EndPoint, action string, namespace string, defaultPosture tp.DefaultPosture, annotated bool)

UpdateDefaultPostureWithCM Function

func (*KubeArmorDaemon) UpdateDockerContainer

func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string)

UpdateDockerContainer Function

func (*KubeArmorDaemon) UpdateEndPointWithPod

func (dm *KubeArmorDaemon) UpdateEndPointWithPod(action string, pod tp.K8sPod)

UpdateEndPointWithPod Function

func (*KubeArmorDaemon) UpdateGlobalPosture

func (dm *KubeArmorDaemon) UpdateGlobalPosture(posture tp.DefaultPosture)

UpdateGlobalPosture Function

func (*KubeArmorDaemon) UpdateHostSecurityPolicies

func (dm *KubeArmorDaemon) UpdateHostSecurityPolicies()

UpdateHostSecurityPolicies Function

func (*KubeArmorDaemon) UpdateSecurityPolicy

func (dm *KubeArmorDaemon) UpdateSecurityPolicy(action string, secPolicyType string, secPolicy tp.SecurityPolicy)

UpdateSecurityPolicy Function

func (*KubeArmorDaemon) UpdateVisibility

func (dm *KubeArmorDaemon) UpdateVisibility(action string, namespace string, visibility tp.Visibility)

UpdateVisibility Function

func (*KubeArmorDaemon) WatchClusterSecurityPolicies

func (dm *KubeArmorDaemon) WatchClusterSecurityPolicies(timeout time.Duration) cache.InformerSynced

WatchClusterSecurityPolicies Function

func (*KubeArmorDaemon) WatchConfigMap

func (dm *KubeArmorDaemon) WatchConfigMap() cache.InformerSynced

WatchConfigMap Function

func (*KubeArmorDaemon) WatchDefaultPosture

func (dm *KubeArmorDaemon) WatchDefaultPosture() cache.InformerSynced

WatchDefaultPosture Function

func (*KubeArmorDaemon) WatchHostSecurityPolicies

func (dm *KubeArmorDaemon) WatchHostSecurityPolicies(timeout time.Duration)

WatchHostSecurityPolicies Function

func (*KubeArmorDaemon) WatchK8sNodes

func (dm *KubeArmorDaemon) WatchK8sNodes()

WatchK8sNodes Function

func (*KubeArmorDaemon) WatchK8sPods

func (dm *KubeArmorDaemon) WatchK8sPods()

WatchK8sPods Function

func (*KubeArmorDaemon) WatchSecurityPolicies

func (dm *KubeArmorDaemon) WatchSecurityPolicies() cache.InformerSynced

WatchSecurityPolicies Function

type Probe

// Probe implements the probe gRPC service by embedding the generated
// pb.ProbeServiceServer. GetContainerData is injected by the daemon
// (presumably SetProbeContainerData, whose result shape matches — confirm)
// and is what GetProbeData serves; it must be non-nil before the service
// starts.
type Probe struct {
	pb.ProbeServiceServer
	GetContainerData func() ([]string, map[string]*pb.ContainerData, map[string]*pb.HostSecurityPolicies)
}

Probe provides the structure to serve the probe gRPC service

func (*Probe) GetProbeData

func (p *Probe) GetProbeData(c context.Context, in *empty.Empty) (*pb.ProbeResponse, error)

GetProbeData sends policy data to the gRPC client
