From a8c46f0325f84c0d085b9d8d8404b5237ac34200 Mon Sep 17 00:00:00 2001 From: Ankur Kothiwal Date: Mon, 6 Jun 2022 09:21:42 +0530 Subject: [PATCH] support observability for containerized workloads Signed-off-by: Ankur Kothiwal --- src/accuknox.db-journal | Bin 0 -> 8720 bytes src/cluster/clusterResourceHandler.go | 5 +++++ src/conf/local-file.yaml | 2 +- src/libs/common.go | 4 ---- src/plugin/kubearmor.go | 6 ++++++ src/systempolicy/helperFunctions.go | 4 ++-- src/systempolicy/systemPolicy.go | 10 +++++++--- src/types/constants.go | 8 ++++++-- 8 files changed, 27 insertions(+), 12 deletions(-) create mode 100644 src/accuknox.db-journal 
diff --git a/src/accuknox.db-journal b/src/accuknox.db-journal new file mode 100644 index 0000000000000000000000000000000000000000..9a7448d97bb49222555bf4836009d4c0c0ae3fd8 GIT binary patch literal 8720 zcmeHMO>Eo96_#wvzfn`5b=B5b>~w=|;x?p2>K}!GDz>uqMiFgGP8uv0(r`GGxu!T; zav0mdUX)cgKy&ZCz4lt5hoU_dy%$BXSoG9Gf!^9{kxL&%St27THnK^u!CHbqa^9Qa zyzhPU-kZ@Ee~>;&J z2TIWGqzuyCfv`sTF|&^}*1?8VD&KDI)G7_cPrI~KSGMjn>y7SD*DL!&litP@wx0uDjQfhlJx{jSx4J&z!IXOgvg;Jt~ zh-;fj5(nSghDnpAp(alXxn?dSn1BNY_e&lu9Ap z#BHafH21faTJ^yvN^=NX0GW3HnRk3-9(}w2jSw(Qj*$3wW>e-m-xhNUy0 zip1FkjYwo5eoWmbYa3)3 z#R7hv9mrv4;L$9(#Wb2caHySZn@q)KoiiJ^X_8~rg4$RdUWJFSZvahjBDM|cBr{@0 zgcAF#8g~5>eOMKDT*pk_-xeBJt-&Bj5Qu3|iz9!O(X-H@9BY_kIo>HvUtCZs2vTAqo*kzr{i>8za}!dv`4+f>J{ z$&@xgM=ViU9Nwk2o6449!v`iq^5F%?C zD(7=)O-m6ylPjikI?d5Ep{exQkcJ~z^jN^%u3%UW_x5lh^Pn;t%pYEvPG_^lj3x`& zyqp#?a#0hCdI1ZCR3WbunP#P;D&=yioGcg8sp9w@CbrrxkgP8$fo?a9nJn zI(IdLA&;F%6vg4zbd))>vPZvsN|dFdpFA^}^b4oXw;*-CYp;O!;jYYss^V> zXLbj3l!gcMGE@=o`47aSLOJAEdmF(W_5Ao%q$KaeZZZ z?P~1L%YThMi9MOo@v`|6flCA~5%@YGkY8O)+<7+|frLp{6ov8 z$=Xg+3O=oUwz{;GxOOf2w$+MWty%VfCNnQj)%vCPqE#B zO&kfR$WwG!m)e*^Su`GLnwm{7GMI@~YC6v!$*Vb^uR$=UZDya2wWiD)lklXcs6Yv2 z^CmYuhNuRVvmDiw5i#5@%!Fz)af(|;Yi*3}gcd@mHCh?r5eI$<`0-iJfqZh6 z={D=sCsspl!Un)IysD&0ogwZm#9>SEY`7sd^;p$-KIvwNr?N*`TuhMCEcVQDYg3vf zS?bTvFD0&Dk3OyhW3%t&A^-e`g)oCcvh!(!yT)+)IQDa9(lg%1YOEknDtL4mE4&Wk zg&E*YDL^*}D%=f(IB9am%;kg7GM@DWzgJpLmy#BGzpm7trBIu~|6(srqLvAL9SB^v z6s1}z*KSS^O2vi6#NF$&XchAHC@lH3i1icErNriD^szA@&{^X5rQxT!FonXx7vs{9 bgt9q{RAKLrD@LC<^L}A{Wl356!+-t{{R*zj literal 0 HcmV?d00001 diff --git a/src/cluster/clusterResourceHandler.go b/src/cluster/clusterResourceHandler.go index 3503a4e8..8e4bc32d 100644 --- a/src/cluster/clusterResourceHandler.go +++ b/src/cluster/clusterResourceHandler.go 
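Review bot: src/accuknox.db-journal is an SQLite rollback journal added as a new binary file (create mode 100644, 8720 bytes) and does not belong in source control. A journal is written by the database engine while a transaction is in flight and can hold raw pages of the database, so it may carry whatever the local accuknox.db contained at the time, and it will change on every run. It is unrelated to the subject of the patch, which suggests an accidental `git add`; drop it from the commit and add a `*.db-journal` pattern to .gitignore next to whatever rule covers the database file itself, if one exists.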
@@ -27,6 +27,11 @@ func GetPods(clusterName string) []types.Pod { PodName: types.PolicyDiscoveryVMPodName, }) + pods = append(pods, types.Pod{ + Namespace: types.PolicyDiscoveryContainerNamespace, + PodName: types.PolicyDiscoveryContainerPodName, + }) + return pods } diff --git a/src/conf/local-file.yaml b/src/conf/local-file.yaml index 442d14b1..19bcb551 100644 --- a/src/conf/local-file.yaml +++ b/src/conf/local-file.yaml @@ -1,7 +1,7 @@ application: name: knoxautopolicy network: - operation-mode: 1 # 1: cronjob | 2: one-time-job + operation-mode: 0 # 1: cronjob | 2: one-time-job operation-trigger: 100 cron-job-time-interval: "0h0m10s" # format: XhYmZs network-log-limit: 10000 diff --git a/src/libs/common.go b/src/libs/common.go index 3ebcad63..c9adc9f2 100644 --- a/src/libs/common.go +++ b/src/libs/common.go @@ -404,10 +404,6 @@ func writeYamlByte(f *os.File, b []byte) { log.Error().Msg(err.Error()) } - if _, err := f.WriteString("---\n"); err != nil { - log.Error().Msg(err.Error()) - } - if err := f.Sync(); err != nil { log.Error().Msg(err.Error()) } diff --git a/src/plugin/kubearmor.go b/src/plugin/kubearmor.go index ac2e65e6..3b3aa3ac 100644 --- a/src/plugin/kubearmor.go +++ b/src/plugin/kubearmor.go @@ -293,6 +293,12 @@ func ConvertKubeArmorLogToKnoxSystemLog(relayLog *pb.Log) (types.KnoxSystemLog, knoxSystemLog.PodName = types.PolicyDiscoveryVMPodName } + if relayLog.Type == "ContainerLog" { + knoxSystemLog.ContainerName = relayLog.ContainerName + knoxSystemLog.Namespace = types.PolicyDiscoveryContainerNamespace + knoxSystemLog.PodName = types.PolicyDiscoveryContainerPodName + } + return knoxSystemLog, nil } diff --git a/src/systempolicy/helperFunctions.go b/src/systempolicy/helperFunctions.go index c7e3ee14..acb83b92 100644 --- a/src/systempolicy/helperFunctions.go +++ b/src/systempolicy/helperFunctions.go 
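Review bot: operation-mode in src/conf/local-file.yaml is changed to 0, but the inline comment on the same line still lists only `1: cronjob | 2: one-time-job`, so the committed value is either undocumented or invalid. Nothing in the patch subject or the other hunks introduces a new mode, which suggests a local debugging setting that was committed by accident. Either revert it to 1 or extend the comment to say what 0 means, e.g. `operation-mode: 0 # 0: <meaning> | 1: cronjob | 2: one-time-job`.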
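Review bot: Dropping the `f.WriteString("---\n")` call in writeYamlByte removes the YAML document separator without a replacement, and nothing in the patch subject explains it. If this helper is called once per policy while appending to the same file (the function starts outside the hunk, so I cannot confirm the call pattern), the output becomes one concatenated document instead of a multi-document stream, and a YAML parser or `kubectl apply -f` would then see only the first policy or reject the file. If the separator is now written by the caller, say so in the commit message; otherwise keep the write, or make the separator a parameter so single-document callers can opt out.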
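Review bot: The new `if relayLog.Type == "ContainerLog"` block in ConvertKubeArmorLogToKnoxSystemLog overwrites knoxSystemLog.Namespace and PodName with the synthetic container constants unconditionally. If KubeArmor uses the same Type for logs from Kubernetes-managed containers (I cannot tell from this hunk whether an earlier branch already handles them), the real namespace and pod identity are discarded and the downstream pod-label lookup fails for every k8s pod. A guard on the relay log carrying no pod/namespace, or on the deployment mode, should precede the assignment, and `"ContainerLog"` belongs next to the new constants as a named value rather than a string literal. The enclosing function starts outside the hunk.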
@@ -115,7 +115,7 @@ func FilterSystemLogsByConfig(logs []types.KnoxSystemLog, pods []types.Pod) []ty } // 2. check pod labels - if (checkItems&2 > 0) && (log.Namespace == types.PolicyDiscoveryVMNamespace || containLabelByConfiguration(filter.Labels, getLabelsFromPod(log.PodName, pods))) { + if (checkItems&2 > 0) && (log.Namespace == types.PolicyDiscoveryVMNamespace || log.Namespace == types.PolicyDiscoveryContainerNamespace || containLabelByConfiguration(filter.Labels, getLabelsFromPod(log.PodName, pods))) { checkedItems = checkedItems | 1<<1 } @@ -156,7 +156,7 @@ func FilterSystemLogsByConfig(logs []types.KnoxSystemLog, pods []types.Pod) []ty func GetWPFSSources() []string { res, _, err := libs.GetWorkloadProcessFileSet(CfgDB, types.WorkloadProcessFileSet{}) if err != nil { - log.Error().Msgf("cudnot fetch WPFS err=%s", err.Error()) + log.Error().Msgf("could not fetch WPFS err=%s", err.Error()) return nil } diff --git a/src/systempolicy/systemPolicy.go b/src/systempolicy/systemPolicy.go index 0204028b..16a2c5e9 100644 --- a/src/systempolicy/systemPolicy.go +++ b/src/systempolicy/systemPolicy.go @@ -265,7 +265,7 @@ func populateKnoxSysPolicyFromWPFSDb(namespace, clustername, labels, fromsource } res, pnMap, err := libs.GetWorkloadProcessFileSet(CfgDB, wpfs) if err != nil { - log.Error().Msgf("cudnot fetch WPFS err=%s", err.Error()) + log.Error().Msgf("could not fetch WPFS err=%s", err.Error()) return nil } log.Info().Msgf("found %d WPFS records", len(res)) 
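Review bot: The extended condition in FilterSystemLogsByConfig lets every log in PolicyDiscoveryContainerNamespace pass the label check (item 2) regardless of filter.Labels, exactly as the VM namespace already did, so a user-configured label filter has no effect on containerized workloads. That is consistent with the VM path, but it silently widens what the filter admits and deserves a comment on the line, e.g. `// VM and non-k8s container logs carry no pod labels; admit them unconditionally`. The container namespace is compared again in GenFileSetForAllPodsInCluster in this patch, so a small predicate in types such as `IsSyntheticNamespace(ns string) bool` would keep the sites in step. The function starts outside the hunk.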
@@ -1261,9 +1261,14 @@ func GenFileSetForAllPodsInCluster(clusterName string, pods []types.Pod, settype wpfs.SetType = settype labels, err := GetPodLabels(slog.ClusterName, slog.PodName, slog.Namespace, pods) if err != nil { - log.Error().Msgf("cudnot get pod labels for podname=%s ns=%s", slog.PodName, slog.Namespace) + log.Error().Msgf("could not get pod labels for podname=%s ns=%s", slog.PodName, slog.Namespace) continue } + + if slog.Namespace == types.PolicyDiscoveryContainerNamespace { + labels = append(labels, "kubearmor.io/container.name="+slog.ContainerName) + } + wpfs.Labels = strings.Join(labels[:], ",") if isNetworkOp { @@ -1339,7 +1344,6 @@ func DiscoverSystemPolicyMain() { } PopulateSystemPoliciesFromSystemLogs(allSystemkLogs) - } // ==================================== // diff --git a/src/types/constants.go b/src/types/constants.go index 080a549a..0fe85bfe 100644 --- a/src/types/constants.go +++ b/src/types/constants.go @@ -1,11 +1,15 @@ package types const ( - // Kubearmor VM + // KubeArmor VM PolicyDiscoveryVMNamespace = "accuknox-vm-namespace" PolicyDiscoveryVMPodName = "accuknox-vm-podname" - // Kubearmor k8s + // KubeArmor container + PolicyDiscoveryContainerNamespace = "container_namespace" + PolicyDiscoveryContainerPodName = "container_podname" + + // KubeArmor k8s PreConfiguredKubearmorRule = "/lib/x86_64-linux-gnu/" // RecordSeparator - DB separator flag
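Review bot: The label key `"kubearmor.io/container.name="` added in GenFileSetForAllPodsInCluster is a bare string literal that every consumer of the stored WPFS Labels must reproduce exactly; since this patch already adds container constants to src/types/constants.go, define it there (e.g. `ContainerNameLabelKey = "kubearmor.io/container.name"`) and use it here. When slog.ContainerName is empty the stored label becomes `kubearmor.io/container.name=`, which would group all unnamed containers together, so guarding on a non-empty name is worth considering. The slice is joined with `,` on the following line, so the value also relies on container names never containing a comma — true for Docker and containerd names as far as I know, but worth a comment. The function starts and ends outside the hunk.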
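Review bot: The new PolicyDiscoveryContainerNamespace and PolicyDiscoveryContainerPodName values (`container_namespace`, `container_podname`) follow a different convention from the VM pair directly above them (`accuknox-vm-namespace`, `accuknox-vm-podname`), which will surprise anyone searching for the synthetic identifiers. The underscore form does have one property worth keeping: it can never equal a real Kubernetes namespace, which must be a DNS label, so a container log cannot be mistaken for a pod in a user namespace, a guarantee the VM values lack. Whichever form is kept, document the intent on the constants, e.g. `// Synthetic namespace/pod identity for non-k8s container logs; the underscores make it an invalid k8s name, so it cannot collide with a real namespace.`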