Merge pull request #1660 from daemon1024/fix-policy-enforcementka-res…

…tart fix(core): update container maps with secpol when containers are detected later than k8s event
kubearmor · Mar 4, 2024 · b86dbcc · b86dbcc
2 parents 03bcf22 + 8c426e8
commit b86dbcc
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 3 deletions.
diff --git a/KubeArmor/core/containerdHandler.go b/KubeArmor/core/containerdHandler.go
@@ -7,12 +7,13 @@ package core
 import (
 	"context"
 	"fmt"
-	"github.com/containerd/typeurl/v2"
 	"os"
 	"strconv"
 	"strings"
 	"time"
 
+	"github.com/containerd/typeurl/v2"
+
 	"golang.org/x/exp/slices"
 
 	kl "github.com/kubearmor/KubeArmor/KubeArmor/common"
@@ -294,6 +295,8 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 			return false
 		}
 
+		endpoint := tp.EndPoint{}
+
 		dm.ContainersLock.Lock()
 		if _, ok := dm.Containers[container.ContainerID]; !ok {
 			dm.Containers[container.ContainerID] = container
@@ -323,7 +326,7 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 			for idx, endPoint := range dm.EndPoints {
 				if endPoint.NamespaceName == container.NamespaceName && endPoint.EndPointName == container.EndPointName && kl.ContainsElement(endPoint.Containers, container.ContainerID) {
 					// update containers
-					if !kl.ContainsElement(endPoint.Containers, container.ContainerID) {
+					if !kl.ContainsElement(endPoint.Containers, container.ContainerID) { // does not make sense but need to verify
 						dm.EndPoints[idx].Containers = append(dm.EndPoints[idx].Containers, container.ContainerID)
 					}
 
@@ -336,6 +339,8 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 						dm.EndPoints[idx].PrivilegedContainers[container.ContainerName] = struct{}{}
 					}
 
+					endpoint = dm.EndPoints[idx]
+
 					break
 				}
 			}
@@ -349,6 +354,14 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 			// update NsMap
 			dm.SystemMonitor.AddContainerIDToNsMap(containerID, container.NamespaceName, container.PidNS, container.MntNS)
 			dm.RuntimeEnforcer.RegisterContainer(containerID, container.PidNS, container.MntNS)
+
+			if len(endpoint.SecurityPolicies) > 0 { // struct can be empty or no policies registered for the endpoint yet
+				dm.Logger.UpdateSecurityPolicies("ADDED", endpoint)
+				if dm.RuntimeEnforcer != nil && endpoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
+					// enforce security policies
+					dm.RuntimeEnforcer.UpdateSecurityPolicies(endpoint)
+				}
+			}
 		}
 
 		if !dm.K8sEnabled {

diff --git a/KubeArmor/core/crioHandler.go b/KubeArmor/core/crioHandler.go
@@ -210,6 +210,8 @@ func (dm *KubeArmorDaemon) UpdateCrioContainer(ctx context.Context, containerID,
 			return false
 		}
 
+		endpoint := tp.EndPoint{}
+
 		dm.ContainersLock.Lock()
 		if _, ok := dm.Containers[container.ContainerID]; !ok {
 			dm.Containers[container.ContainerID] = container
@@ -245,6 +247,8 @@ func (dm *KubeArmorDaemon) UpdateCrioContainer(ctx context.Context, containerID,
 						dm.EndPoints[idx].PrivilegedContainers[container.ContainerName] = struct{}{}
 					}
 
+					endpoint = dm.EndPoints[idx]
+
 					break
 				}
 			}
@@ -258,6 +262,14 @@ func (dm *KubeArmorDaemon) UpdateCrioContainer(ctx context.Context, containerID,
 			// update NsMap
 			dm.SystemMonitor.AddContainerIDToNsMap(containerID, container.NamespaceName, container.PidNS, container.MntNS)
 			dm.RuntimeEnforcer.RegisterContainer(containerID, container.PidNS, container.MntNS)
+
+			if len(endpoint.SecurityPolicies) > 0 { // struct can be empty or no policies registered for the endpoint yet
+				dm.Logger.UpdateSecurityPolicies("ADDED", endpoint)
+				if dm.RuntimeEnforcer != nil && endpoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
+					// enforce security policies
+					dm.RuntimeEnforcer.UpdateSecurityPolicies(endpoint)
+				}
+			}
 		}
 
 		if !dm.K8sEnabled {

diff --git a/KubeArmor/core/dockerHandler.go b/KubeArmor/core/dockerHandler.go
@@ -126,7 +126,8 @@ func (dh *DockerHandler) GetContainerInfo(containerID string) (tp.Container, err
 	}
 
 	container.AppArmorProfile = inspect.AppArmorProfile
-	if inspect.HostConfig != nil {
+	if inspect.HostConfig.Privileged ||
+		(inspect.HostConfig.CapAdd != nil && len(inspect.HostConfig.CapAdd) > 0) {
 		container.Privileged = inspect.HostConfig.Privileged
 	}
 
@@ -261,6 +262,9 @@ func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 			if container.ContainerID == "" {
 				continue
 			}
+
+			endpoint := tp.EndPoint{}
+
 			if dcontainer.State == "running" {
 				dm.ContainersLock.Lock()
 				if _, ok := dm.Containers[container.ContainerID]; !ok {
@@ -301,6 +305,8 @@ func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 								dm.EndPoints[idx].PrivilegedContainers[container.ContainerName] = struct{}{}
 							}
 
+							endpoint = dm.EndPoints[idx]
+
 							break
 						}
 					}
@@ -326,6 +332,14 @@ func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 					// update NsMap
 					dm.SystemMonitor.AddContainerIDToNsMap(container.ContainerID, container.NamespaceName, container.PidNS, container.MntNS)
 					dm.RuntimeEnforcer.RegisterContainer(container.ContainerID, container.PidNS, container.MntNS)
+
+					if len(endpoint.SecurityPolicies) > 0 { // struct can be empty or no policies registered for the endpoint yet
+						dm.Logger.UpdateSecurityPolicies("ADDED", endpoint)
+						if dm.RuntimeEnforcer != nil && endpoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
+							// enforce security policies
+							dm.RuntimeEnforcer.UpdateSecurityPolicies(endpoint)
+						}
+					}
 				}
 
 				dm.Logger.Printf("Detected a container (added/%.12s)", container.ContainerID)
@@ -358,6 +372,8 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
 			return
 		}
 
+		endpoint := tp.EndPoint{}
+
 		dm.ContainersLock.Lock()
 		if _, ok := dm.Containers[containerID]; !ok {
 			dm.Containers[containerID] = container
@@ -392,6 +408,12 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
 						dm.EndPoints[idx].AppArmorProfiles = append(dm.EndPoints[idx].AppArmorProfiles, container.AppArmorProfile)
 					}
 
+					if container.Privileged && dm.EndPoints[idx].PrivilegedContainers != nil {
+						dm.EndPoints[idx].PrivilegedContainers[container.ContainerName] = struct{}{}
+					}
+
+					endpoint = dm.EndPoints[idx]
+
 					break
 				}
 			}
@@ -412,6 +434,14 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
 			// update NsMap
 			dm.SystemMonitor.AddContainerIDToNsMap(containerID, container.NamespaceName, container.PidNS, container.MntNS)
 			dm.RuntimeEnforcer.RegisterContainer(containerID, container.PidNS, container.MntNS)
+
+			if len(endpoint.SecurityPolicies) > 0 { // struct can be empty or no policies registered for the endpoint yet
+				dm.Logger.UpdateSecurityPolicies("ADDED", endpoint)
+				if dm.RuntimeEnforcer != nil && endpoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
+					// enforce security policies
+					dm.RuntimeEnforcer.UpdateSecurityPolicies(endpoint)
+				}
+			}
 		}
 
 		if !dm.K8sEnabled {