support observability for containerized workloads
Signed-off-by: Ankur Kothiwal <ankur.kothiwal@accuknox.com>
Ankurk99 committed Aug 16, 2022
1 parent 7d33584 commit a8c46f0
Showing 8 changed files with 27 additions and 12 deletions.
Binary file added src/accuknox.db-journal
Binary file not shown.
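Review bot: src/accuknox.db-journal looks like a SQLite rollback journal that was committed by accident alongside this change; it is a runtime artifact of the local database, can contain pages of the database's content, and does not belong in the source tree. Drop it from the commit (`git rm --cached src/accuknox.db-journal`) and add `src/*.db-journal` (and the `.db` itself, if it is not already ignored) to .gitignore. Whether the journal holds sensitive data cannot be judged from this page, so treat it as potentially sensitive until it has been inspected.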
5 changes: 5 additions & 0 deletions src/cluster/clusterResourceHandler.go
Expand Up @@ -27,6 +27,11 @@ func GetPods(clusterName string) []types.Pod {
PodName: types.PolicyDiscoveryVMPodName,
})

pods = append(pods, types.Pod{
Namespace: types.PolicyDiscoveryContainerNamespace,
PodName: types.PolicyDiscoveryContainerPodName,
})

return pods
}

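Review bot: The appended entry is a placeholder rather than a real cluster resource and nothing says so; GetPods now returns two synthetic pods (VM and container) that carry no labels, and a caller that treats the result as the cluster's pod inventory cannot tell them from real ones. Add a comment above the append, e.g. `// Placeholder pod for unorchestrated-container logs (namespace/pod name are fixed values, see types); it exists so per-pod lookups such as GetPodLabels find an entry instead of skipping the log.` — the GetPodLabels error path in systemPolicy.go does `continue` on a miss, which presumably is why this entry is needed. The two appends differ only in the constants used; a loop over the (namespace, pod name) pairs would keep them from drifting apart. GetPods's signature and earlier body are outside the hunk.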
2 changes: 1 addition & 1 deletion src/conf/local-file.yaml
@@ -1,7 +1,7 @@
application:
name: knoxautopolicy
network:
operation-mode: 1 # 1: cronjob | 2: one-time-job
operation-mode: 0 # 1: cronjob | 2: one-time-job
operation-trigger: 100
cron-job-time-interval: "0h0m10s" # format: XhYmZs
network-log-limit: 10000
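Review bot: `operation-mode: 0` is not one of the values the trailing comment documents (`1: cronjob | 2: one-time-job`), so either 0 is a valid "disabled" mode the comment omits, or this is a local-testing setting that slipped into the commit. If it is intentional, document it on the same line: `operation-mode: 0 # 0: disabled | 1: cronjob | 2: one-time-job`; if not, restore `1`. The commit message is about container observability and says nothing about turning off network discovery, which makes the second reading more likely.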
4 changes: 0 additions & 4 deletions src/libs/common.go
Expand Up @@ -404,10 +404,6 @@ func writeYamlByte(f *os.File, b []byte) {
log.Error().Msg(err.Error())
}

if _, err := f.WriteString("---\n"); err != nil {
log.Error().Msg(err.Error())
}

if err := f.Sync(); err != nil {
log.Error().Msg(err.Error())
}
6 changes: 6 additions & 0 deletions src/plugin/kubearmor.go
Expand Up @@ -293,6 +293,12 @@ func ConvertKubeArmorLogToKnoxSystemLog(relayLog *pb.Log) (types.KnoxSystemLog,
knoxSystemLog.PodName = types.PolicyDiscoveryVMPodName
}

if relayLog.Type == "ContainerLog" {
knoxSystemLog.ContainerName = relayLog.ContainerName
knoxSystemLog.Namespace = types.PolicyDiscoveryContainerNamespace
knoxSystemLog.PodName = types.PolicyDiscoveryContainerPodName
}

return knoxSystemLog, nil
}

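Review bot: The new branch keys only on `relayLog.Type == "ContainerLog"`; if KubeArmor uses that same type for Kubernetes container events (its type names read as container-vs-host, not k8s-vs-non-k8s), every pod log would have its real Namespace and PodName overwritten with the container placeholders and lose per-pod policy attribution. Guard on the namespace the relay reports for unorchestrated containers as well, e.g. `if relayLog.Type == "ContainerLog" && relayLog.NamespaceName == types.PolicyDiscoveryContainerNamespace {` (the exact field name of the relay log's namespace is not visible here — confirm against pb.Log). The VM branch just above decides on a condition outside this hunk; both branches should discriminate the same way. Note also that `relayLog.ContainerName` is copied without any validation and, in this same commit, becomes part of a comma-separated label string in systemPolicy.go, so a name containing ',' or '=' corrupts that encoding; this hunk is the place to reject or sanitise it. ConvertKubeArmorLogToKnoxSystemLog begins outside the hunk.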
4 changes: 2 additions & 2 deletions src/systempolicy/helperFunctions.go
Expand Up @@ -115,7 +115,7 @@ func FilterSystemLogsByConfig(logs []types.KnoxSystemLog, pods []types.Pod) []ty
}

// 2. check pod labels
if (checkItems&2 > 0) && (log.Namespace == types.PolicyDiscoveryVMNamespace || containLabelByConfiguration(filter.Labels, getLabelsFromPod(log.PodName, pods))) {
if (checkItems&2 > 0) && (log.Namespace == types.PolicyDiscoveryVMNamespace || log.Namespace == types.PolicyDiscoveryContainerNamespace || containLabelByConfiguration(filter.Labels, getLabelsFromPod(log.PodName, pods))) {
checkedItems = checkedItems | 1<<1
}

Expand Down Expand Up @@ -156,7 +156,7 @@ func FilterSystemLogsByConfig(logs []types.KnoxSystemLog, pods []types.Pod) []ty
func GetWPFSSources() []string {
res, _, err := libs.GetWorkloadProcessFileSet(CfgDB, types.WorkloadProcessFileSet{})
if err != nil {
log.Error().Msgf("cudnot fetch WPFS err=%s", err.Error())
log.Error().Msgf("could not fetch WPFS err=%s", err.Error())
return nil
}

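Review bot: The namespace short-circuit means user-configured label filters are never applied to logs from unorchestrated containers — they pass check 2 regardless of `filter.Labels` — even though this same commit attaches a `kubearmor.io/container.name=...` label to those workloads that a filter could have matched on; if the bypass is intended, say so in the comment, e.g. `// 2. check pod labels (VM and plain-container logs carry no k8s labels and always pass)`. The "is this a non-k8s namespace" test is now spelled out inline here and elsewhere in this commit; a helper such as `func isNonK8sNamespace(ns string) bool { return ns == types.PolicyDiscoveryVMNamespace || ns == types.PolicyDiscoveryContainerNamespace }` would keep the call sites in step when a third workload kind is added and shorten an already long condition. FilterSystemLogsByConfig begins and ends outside the hunk.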
10 changes: 7 additions & 3 deletions src/systempolicy/systemPolicy.go
Expand Up @@ -265,7 +265,7 @@ func populateKnoxSysPolicyFromWPFSDb(namespace, clustername, labels, fromsource
}
res, pnMap, err := libs.GetWorkloadProcessFileSet(CfgDB, wpfs)
if err != nil {
log.Error().Msgf("cudnot fetch WPFS err=%s", err.Error())
log.Error().Msgf("could not fetch WPFS err=%s", err.Error())
return nil
}
log.Info().Msgf("found %d WPFS records", len(res))
Expand Down Expand Up @@ -1261,9 +1261,14 @@ func GenFileSetForAllPodsInCluster(clusterName string, pods []types.Pod, settype
wpfs.SetType = settype
labels, err := GetPodLabels(slog.ClusterName, slog.PodName, slog.Namespace, pods)
if err != nil {
log.Error().Msgf("cudnot get pod labels for podname=%s ns=%s", slog.PodName, slog.Namespace)
log.Error().Msgf("could not get pod labels for podname=%s ns=%s", slog.PodName, slog.Namespace)
continue
}

if slog.Namespace == types.PolicyDiscoveryContainerNamespace {
labels = append(labels, "kubearmor.io/container.name="+slog.ContainerName)
}

wpfs.Labels = strings.Join(labels[:], ",")

if isNetworkOp {
Expand Down Expand Up @@ -1339,7 +1344,6 @@ func DiscoverSystemPolicyMain() {
}

PopulateSystemPoliciesFromSystemLogs(allSystemkLogs)

}

// ==================================== //
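Review bot: `slog.ContainerName` comes straight from the KubeArmor relay (it is copied unchecked in kubearmor.go in this commit) and is concatenated into the label list that the next line joins with "," into `wpfs.Labels`; a name containing ',' or '=' would split into bogus label entries or alter an existing key, and an empty name produces a dangling `kubearmor.io/container.name=` label. Most runtimes restrict container names to a safe character set, but the discovery engine should not rely on the runtime for the integrity of its own record encoding, so validate before appending. Separately, `labels[:]` on a slice is a no-op; `strings.Join(labels, ",")` says the same thing. GenFileSetForAllPodsInCluster begins and ends outside the hunk.
```go
		if slog.Namespace == types.PolicyDiscoveryContainerNamespace {
			// ContainerName originates from the relay log; labels are stored as
			// comma-separated key=value pairs, so a name that contains either
			// delimiter (or is empty) cannot be encoded safely.
			if slog.ContainerName == "" || strings.ContainsAny(slog.ContainerName, ",=") {
				log.Error().Msgf("skipping log with unusable container name %q ns=%s", slog.ContainerName, slog.Namespace)
				continue
			}
			labels = append(labels, "kubearmor.io/container.name="+slog.ContainerName)
		}

		wpfs.Labels = strings.Join(labels, ",")
		// … unchanged: isNetworkOp handling …
```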
8 changes: 6 additions & 2 deletions src/types/constants.go
@@ -1,11 +1,15 @@
package types

const (
// Kubearmor VM
// KubeArmor VM
PolicyDiscoveryVMNamespace = "accuknox-vm-namespace"
PolicyDiscoveryVMPodName = "accuknox-vm-podname"

// Kubearmor k8s
// KubeArmor container
PolicyDiscoveryContainerNamespace = "container_namespace"
PolicyDiscoveryContainerPodName = "container_podname"

// KubeArmor k8s
PreConfiguredKubearmorRule = "/lib/x86_64-linux-gnu/"

// RecordSeparator - DB separator flag
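Review bot: The new values use underscores while the VM ones use hyphens, and nothing says why; if these strings are what KubeArmor itself reports for unorchestrated containers, that coupling must be stated, because changing either side silently breaks the matching in kubearmor.go and helperFunctions.go. Suggested comment in place of `// KubeArmor container`: `// KubeArmor container: namespace/pod placeholders reported for unorchestrated containers; must match KubeArmor's values byte-for-byte (verify against the relay)`. The underscore also has a side effect worth recording: a Kubernetes namespace must be an RFC 1123 label, so "container_namespace" can never collide with a real namespace, whereas "accuknox-vm-namespace" is a legal name a tenant could create and would then be treated as VM traffic. The `// KubeArmor k8s` comment now sits over PreConfiguredKubearmorRule alone; check it still describes that constant.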
