Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(core): add support for kata and confidential containers #1888

Open
wants to merge 5 commits into
base: main
Choose a base branch
from

Conversation

rootxrishabh
Copy link
Member

Purpose of PR?:
This PR introduces support for kata and confidential containers.

Fixes #1340

Does this PR introduce a breaking change?
No

If the changes in this PR are manually verified, list down the scenarios covered::

Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs

Checklist:

  • Bug fix. Fixes #
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

Signed-off-by: rootxrishabh <risrock02@gmail.com>
@rootxrishabh rootxrishabh added the enhancement New feature or request label Nov 6, 2024
@rootxrishabh
Copy link
Member Author

#1793

@rootxrishabh
Copy link
Member Author

Enforcement confirmed on CoCo + Kubearmor VM setup
https://asciinema.org/a/RAAG15qLZMLBvdWPaifBAV71d

KubeArmor/config/config.go Outdated Show resolved Hide resolved
Copy link
Member

@daemon1024 daemon1024 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More pending work

  • Use custom directory for backup of policies
  • Refactor and streamline endpoint creation for unorchestrated workloads.

Comment on lines 96 to 123
// endpoint := types.EndPoint{}

// dm.ContainersLock.Lock()
// defer dm.ContainersLock.Unlock()
// if _, ok := dm.Containers[container.ContainerID]; !ok {
// dm.Containers[container.ContainerID] = container
// } else if dm.Containers[container.ContainerID].PidNS == 0 && dm.Containers[container.ContainerID].MntNS == 0 {
// c := dm.Containers[container.ContainerID]
// c.MntNS = container.MntNS
// c.PidNS = container.PidNS
// c.AppArmorProfile = container.AppArmorProfile
// dm.Containers[c.ContainerID] = c
// dm.EndPointsLock.Lock()
// for idx, endPoint := range dm.EndPoints {
// if endPoint.NamespaceName == container.NamespaceName && endPoint.EndPointName == container.EndPointName && kl.ContainsElement(endPoint.Containers, container.ContainerID) {

// // update apparmor profiles
// if !kl.ContainsElement(endPoint.AppArmorProfiles, container.AppArmorProfile) {
// dm.EndPoints[idx].AppArmorProfiles = append(dm.EndPoints[idx].AppArmorProfiles, container.AppArmorProfile)
// }

// if container.Privileged && dm.EndPoints[idx].PrivilegedContainers != nil {
// dm.EndPoints[idx].PrivilegedContainers[container.ContainerName] = struct{}{}
// }

// endpoint = dm.EndPoints[idx]

// break
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's avoid redundant code

KubeArmor/core/hookHandler.go Outdated Show resolved Hide resolved
Signed-off-by: Rishabh Soni <risrock02@gmail.com>
@daemon1024
Copy link
Member

daemon1024 commented Nov 7, 2024

  • support custom policy backup path, so we can adapt to using writeable path
  • support storing policies in YAML rather than JSON.

Signed-off-by: Rishabh Soni <risrock02@gmail.com>
@rootxrishabh
Copy link
Member Author

@daemon1024 @DelusionalOptimist, need your thoughts on custom restore path -

  1. Kubearmor will panic if the user specifies a path which contains files other than json. Should we add a check here? If yes, we could fall back top /opt/kubearmor/policies
  2. Should we create the user specified path in case it does not exist? We can fall back to /opt/kubearmor/policies in case the path is privileged.

Signed-off-by: Rishabh Soni <risrock02@gmail.com>
Signed-off-by: Rishabh Soni <risrock02@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
Status: In Progress
Development

Successfully merging this pull request may close these issues.

check support for Kata containers
3 participants