From d889b7334921c907dc521cdebcafe22641984eaf Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Wed, 27 Nov 2024 01:18:10 +0530 Subject: [PATCH] bugfix: don't panic when set CRI socket is not found Signed-off-by: Rudraksh Pareek --- KubeArmor/core/kubeArmor.go | 47 +++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go index bceda7f2b..051842b81 100644 --- a/KubeArmor/core/kubeArmor.go +++ b/KubeArmor/core/kubeArmor.go @@ -567,8 +567,6 @@ func KubeArmor() { // Un-orchestrated workloads if !dm.K8sEnabled && cfg.GlobalCfg.Policy { - dm.SetContainerNSVisibility() - // Check if cri socket set, if not then auto detect if cfg.GlobalCfg.CRISocket == "" { if kl.GetCRISocket("") == "" { @@ -577,26 +575,39 @@ func KubeArmor() { } else { cfg.GlobalCfg.CRISocket = "unix://" + kl.GetCRISocket("") } + } else { + // CRI socket supplied by user, check for existence + criSocketPath := strings.TrimPrefix(cfg.GlobalCfg.CRISocket, "unix://") + _, err := os.Stat(criSocketPath) + if err != nil { + enableContainerPolicy = false + dm.Logger.Warnf("Error while looking for CRI socket file %s", err.Error()) + } } - // monitor containers - if strings.Contains(cfg.GlobalCfg.CRISocket, "docker") { - // update already deployed containers - dm.GetAlreadyDeployedDockerContainers() - // monitor docker events - go dm.MonitorDockerEvents() - } else if strings.Contains(cfg.GlobalCfg.CRISocket, "containerd") { - // monitor containerd events - go dm.MonitorContainerdEvents() - } else if strings.Contains(cfg.GlobalCfg.CRISocket, "cri-o") { - // monitor crio events - go dm.MonitorCrioEvents() - } else { - dm.Logger.Warnf("Failed to monitor containers: %s is not a supported CRI socket.", cfg.GlobalCfg.CRISocket) - enableContainerPolicy = false + if enableContainerPolicy { + dm.SetContainerNSVisibility() + + // monitor containers + if strings.Contains(cfg.GlobalCfg.CRISocket, "docker") { + // update already deployed containers + dm.GetAlreadyDeployedDockerContainers() + // monitor docker events + go dm.MonitorDockerEvents() + } else if strings.Contains(cfg.GlobalCfg.CRISocket, "containerd") { + // monitor containerd events + go dm.MonitorContainerdEvents() + } else if strings.Contains(cfg.GlobalCfg.CRISocket, "cri-o") { + // monitor crio events + go dm.MonitorCrioEvents() + } else { + enableContainerPolicy = false + dm.Logger.Warnf("Failed to monitor containers: %s is not a supported CRI socket.", cfg.GlobalCfg.CRISocket) + } + + dm.Logger.Printf("Using %s for monitoring containers", cfg.GlobalCfg.CRISocket) } - dm.Logger.Printf("Using %s for monitoring containers", cfg.GlobalCfg.CRISocket) } if dm.K8sEnabled && cfg.GlobalCfg.Policy {