implement NRI handler

Signed-off-by: Prateek <prateeknandle@gmail.com>
kubearmor · Jan 17, 2025 · d080e8b · d080e8b
1 parent 503b97d
commit d080e8b
Show file tree

Hide file tree

Showing 8 changed files with 543 additions and 11 deletions.
diff --git a/KubeArmor/common/common.go b/KubeArmor/common/common.go
@@ -442,6 +442,24 @@ var ContainerRuntimeSocketMap = map[string][]string{
 	},
 }
 
+// NRISocketMap Structure
+var NRISocketMap = map[string][]string{
+	"nri": {
+		"/var/run/nri/nri.sock",
+		"/run/nri/nri.sock",
+	},
+}
+
+// GetNRISocket Function
+func GetNRISocket(ContainerRuntime string) string {
+	for _, candidate := range NRISocketMap["nri"] {
+		if _, err := os.Stat(candidate); err == nil {
+			return candidate
+		}
+	}
+	return ""
+}
+
 // GetCRISocket Function
 func GetCRISocket(ContainerRuntime string) string {
 	for _, k := range ContainerRuntimeSocketKeys {

diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go
@@ -27,6 +27,8 @@ type KubearmorConfig struct {
 	LogPath           string // Log file to use
 	SELinuxProfileDir string // Directory to store SELinux profiles
 	CRISocket         string // Container runtime to use
+	NRISocket         string // NRI socket to use
+	NRIIndex          string // NRI socket to use
 
 	Visibility     string // Container visibility to use
 	HostVisibility string // Host visibility to use
@@ -82,6 +84,8 @@ const (
 	ConfigLogPath                        string = "logPath"
 	ConfigSELinuxProfileDir              string = "seLinuxProfileDir"
 	ConfigCRISocket                      string = "criSocket"
+	ConfigNRISocket                      string = "nriSocket"
+	ConfigNRIIndex                       string = "nriIndex"
 	ConfigVisibility                     string = "visibility"
 	ConfigHostVisibility                 string = "hostVisibility"
 	ConfigKubearmorPolicy                string = "enableKubeArmorPolicy"
@@ -122,6 +126,8 @@ func readCmdLineParams() {
 	logStr := flag.String(ConfigLogPath, "none", "log file path, {path|stdout|none}")
 	seLinuxProfileDirStr := flag.String(ConfigSELinuxProfileDir, "/tmp/kubearmor.selinux", "SELinux profile directory")
 	criSocket := flag.String(ConfigCRISocket, "", "path to CRI socket (format: unix:///path/to/file.sock)")
+	nriSocket := flag.String(ConfigNRISocket, "", "path to NRI socket (format: /path/to/file.sock)")
+	nriIndex := flag.String(ConfigNRIIndex, "99", "NRI plugin index")
 
 	visStr := flag.String(ConfigVisibility, "process,file,network,capabilities", "Container Visibility to use [process,file,network,capabilities,none]")
 	hostVisStr := flag.String(ConfigHostVisibility, "default", "Host Visibility to use [process,file,network,capabilities,none] (default \"none\" for k8s, \"process,file,network,capabilities\" for VM)")
@@ -185,6 +191,8 @@ func readCmdLineParams() {
 	viper.SetDefault(ConfigLogPath, *logStr)
 	viper.SetDefault(ConfigSELinuxProfileDir, *seLinuxProfileDirStr)
 	viper.SetDefault(ConfigCRISocket, *criSocket)
+	viper.SetDefault(ConfigNRISocket, *nriSocket)
+	viper.SetDefault(ConfigNRIIndex, *nriIndex)
 
 	viper.SetDefault(ConfigVisibility, *visStr)
 	viper.SetDefault(ConfigHostVisibility, *hostVisStr)
@@ -278,6 +286,12 @@ func LoadConfig() error {
 		return fmt.Errorf("CRI socket must start with 'unix://' (%s is invalid)", GlobalCfg.CRISocket)
 	}
 
+	GlobalCfg.NRISocket = os.Getenv("NRI_SOCKET")
+	if GlobalCfg.NRISocket == "" {
+		GlobalCfg.NRISocket = viper.GetString(ConfigNRISocket)
+	}
+	GlobalCfg.NRIIndex = viper.GetString(ConfigNRIIndex)
+
 	GlobalCfg.Policy = viper.GetBool(ConfigKubearmorPolicy)
 	GlobalCfg.HostPolicy = viper.GetBool(ConfigKubearmorHostPolicy)
 	GlobalCfg.KVMAgent = viper.GetBool(ConfigKubearmorVM)

diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
@@ -597,7 +597,6 @@ func KubeArmor() {
 
 	// Un-orchestrated workloads
 	if !dm.K8sEnabled && cfg.GlobalCfg.Policy {
-
 		// Check if cri socket set, if not then auto detect
 		if cfg.GlobalCfg.CRISocket == "" {
 			if kl.GetCRISocket("") == "" {
@@ -626,8 +625,14 @@ func KubeArmor() {
 				// monitor docker events
 				go dm.MonitorDockerEvents()
 			} else if strings.Contains(cfg.GlobalCfg.CRISocket, "containerd") {
-				// monitor containerd events
-				go dm.MonitorContainerdEvents()
+				// insuring NRI monitoring only in case containerd is present
+				if dm.checkNRIAvailability() {
+					// monitor NRI events
+					go dm.MonitorNRIEvents()
+				} else {
+					// monitor containerd events
+					go dm.MonitorContainerdEvents()
+				}
 			} else if strings.Contains(cfg.GlobalCfg.CRISocket, "cri-o") {
 				// monitor crio events
 				go dm.MonitorCrioEvents()
@@ -642,8 +647,10 @@ func KubeArmor() {
 	}
 
 	if dm.K8sEnabled && cfg.GlobalCfg.Policy {
-		// check if the CRI socket set while executing kubearmor exists
-		if cfg.GlobalCfg.CRISocket != "" {
+		if dm.checkNRIAvailability() {
+			// monitor NRI events
+			go dm.MonitorNRIEvents()
+		} else if cfg.GlobalCfg.CRISocket != "" { // check if the CRI socket set while executing kubearmor exists
 			trimmedSocket := strings.TrimPrefix(cfg.GlobalCfg.CRISocket, "unix://")
 			if _, err := os.Stat(trimmedSocket); err != nil {
 				dm.Logger.Warnf("Error while looking for CRI socket file: %s", err.Error())
@@ -892,3 +899,23 @@ func KubeArmor() {
 	// destroy the daemon
 	dm.DestroyKubeArmorDaemon()
 }
+
+func (dm *KubeArmorDaemon) checkNRIAvailability() bool {
+	// Check if nri socket is set, if not then auto detect
+	if cfg.GlobalCfg.NRISocket == "" {
+		if kl.GetNRISocket("") != "" {
+			cfg.GlobalCfg.NRISocket = kl.GetNRISocket("")
+		} else {
+			dm.Logger.Warnf("Error while looking for NRI socket file")
+			return false
+		}
+	} else {
+		// NRI socket supplied by user, check for existence
+		_, err := os.Stat(cfg.GlobalCfg.NRISocket)
+		if err != nil {
+			dm.Logger.Warnf("Error while looking for NRI socket file %s", err.Error())
+			return false
+		}
+	}
+	return true
+}