fix(core): implement NRI handler #1674

Open
wants to merge 5 commits into
base: main
from
15 changes: 15 additions & 0 deletions KubeArmor/config/config.go
Expand Up @@ -27,6 +27,8 @@ type KubearmorConfig struct {
LogPath string // Log file to use
SELinuxProfileDir string // Directory to store SELinux profiles
CRISocket string // Container runtime to use
NRISocket string // NRI socket to use
NRIIndex string // NRI socket to use

Visibility string // Container visibility to use
HostVisibility string // Host visibility to use
Expand Down Expand Up @@ -82,6 +84,8 @@ const (
ConfigLogPath string = "logPath"
ConfigSELinuxProfileDir string = "seLinuxProfileDir"
ConfigCRISocket string = "criSocket"
ConfigNRISocket string = "nriSocket"
ConfigNRIIndex string = "nriIndex"
ConfigVisibility string = "visibility"
ConfigHostVisibility string = "hostVisibility"
ConfigKubearmorPolicy string = "enableKubeArmorPolicy"
Expand Down Expand Up @@ -122,6 +126,8 @@ func readCmdLineParams() {
logStr := flag.String(ConfigLogPath, "none", "log file path, {path|stdout|none}")
seLinuxProfileDirStr := flag.String(ConfigSELinuxProfileDir, "/tmp/kubearmor.selinux", "SELinux profile directory")
criSocket := flag.String(ConfigCRISocket, "", "path to CRI socket (format: unix:///path/to/file.sock)")
nriSocket := flag.String(ConfigNRISocket, "", "path to NRI socket (format: /path/to/file.sock)")
nriIndex := flag.String(ConfigNRIIndex, "99", "NRI plugin index")

visStr := flag.String(ConfigVisibility, "process,file,network,capabilities", "Container Visibility to use [process,file,network,capabilities,none]")
hostVisStr := flag.String(ConfigHostVisibility, "default", "Host Visibility to use [process,file,network,capabilities,none] (default \"none\" for k8s, \"process,file,network,capabilities\" for VM)")
Expand Down Expand Up @@ -185,6 +191,8 @@ func readCmdLineParams() {
viper.SetDefault(ConfigLogPath, *logStr)
viper.SetDefault(ConfigSELinuxProfileDir, *seLinuxProfileDirStr)
viper.SetDefault(ConfigCRISocket, *criSocket)
viper.SetDefault(ConfigNRISocket, *nriSocket)
viper.SetDefault(ConfigNRIIndex, *nriIndex)

viper.SetDefault(ConfigVisibility, *visStr)
viper.SetDefault(ConfigHostVisibility, *hostVisStr)
Expand Down Expand Up @@ -275,6 +283,13 @@ func LoadConfig() error {
return fmt.Errorf("CRI socket must start with 'unix://' (%s is invalid)", GlobalCfg.CRISocket)
}

GlobalCfg.NRISocket = os.Getenv("NRI_SOCKET")
if GlobalCfg.NRISocket == "" {
GlobalCfg.NRISocket = viper.GetString(ConfigNRISocket)
}

GlobalCfg.NRIIndex = viper.GetString(ConfigNRIIndex)

GlobalCfg.Visibility = viper.GetString(ConfigVisibility)
GlobalCfg.HostVisibility = viper.GetString(ConfigHostVisibility)

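Review bot: The NRI socket read in LoadConfig (the `os.Getenv("NRI_SOCKET")` lines) gets none of the validation the CRI socket receives two lines above it: a relative or `unix://`-prefixed value is accepted and only fails later when the plugin tries to connect, and the environment variable silently overrides an explicitly passed `--nriSocket` flag, which is the opposite precedence from the CRI socket and is not documented anywhere in this change. A check mirroring the CRI one, e.g. `if GlobalCfg.NRISocket != "" && !filepath.IsAbs(GlobalCfg.NRISocket) { return fmt.Errorf("NRI socket must be an absolute path (%s is invalid)", GlobalCfg.NRISocket) }` (importing `path/filepath` if config.go does not already), would surface a misconfiguration at startup rather than as a missing-container-events symptom. The struct field comment in the first hunk, `NRIIndex string // NRI socket to use`, is a copy of the line above and should read `// NRI plugin index to use`. NRIIndex is also accepted as a free-form string with a default of "99"; if the NRI stub expects a two-digit index, rejecting other values here would be cheap. LoadConfig and readCmdLineParams both continue outside the hunks shown.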
11 changes: 8 additions & 3 deletions KubeArmor/core/kubeArmor.go
Expand Up @@ -589,7 +589,10 @@ func KubeArmor() {
dm.SetContainerNSVisibility()

// monitor containers
if strings.Contains(cfg.GlobalCfg.CRISocket, "docker") {
if cfg.GlobalCfg.NRISocket != "" {
// monitor NRI events
go dm.MonitorNRIEvents()
} else if strings.Contains(cfg.GlobalCfg.CRISocket, "docker") {
// update already deployed containers
dm.GetAlreadyDeployedDockerContainers()
// monitor docker events
Expand All @@ -611,8 +614,10 @@ func KubeArmor() {
}

if dm.K8sEnabled && cfg.GlobalCfg.Policy {
// check if the CRI socket set while executing kubearmor exists
if cfg.GlobalCfg.CRISocket != "" {
if cfg.GlobalCfg.NRISocket != "" {
// monitor NRI events
go dm.MonitorNRIEvents()
} else if cfg.GlobalCfg.CRISocket != "" { // check if the CRI socket set while executing kubearmor exists
trimmedSocket := strings.TrimPrefix(cfg.GlobalCfg.CRISocket, "unix://")
if _, err := os.Stat(trimmedSocket); err != nil {
dm.Logger.Warnf("Error while looking for CRI socket file: %s", err.Error())
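Review bot: The new NRI branches in both hunks start `go dm.MonitorNRIEvents()` without the existence check the CRI branch keeps (`os.Stat(trimmedSocket)` plus a warning), so a stale or mistyped `NRI_SOCKET` value silently disables container discovery entirely, because the NRI check is taken before, and instead of, the CRI/docker path and nothing logs that this happened. Mirroring the existing check before the goroutine, `if _, err := os.Stat(cfg.GlobalCfg.NRISocket); err != nil { dm.Logger.Warnf("Error while looking for NRI socket file: %s", err.Error()) }`, would at least make the failure visible; whether to fall back to the CRI socket in that case is a design decision the PR should state. Taking the NRI path also skips `GetAlreadyDeployedDockerContainers()` and whatever the elided CRI branches do for existing containers, so it is worth confirming that MonitorNRIEvents synchronizes already-running containers on registration rather than only receiving new events. If both surrounding conditions can hold in one process the goroutine is started twice; the enclosing KubeArmor function begins and ends outside the hunks, so I cannot tell from here. The comment moved onto the `else if` line in the second hunk would read better on its own line, as it was before.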