From c11b9b3a893ed38145b508bd16130c967bdc5a5a Mon Sep 17 00:00:00 2001
From: rksharma95
Date: Tue, 28 Nov 2023 15:25:41 +0530
Subject: [PATCH] handle visibility if namespace info is missing

Signed-off-by: rksharma95
---
 KubeArmor/core/kubeUpdate.go | 28 ++++++++++++++++++++++++++++
 KubeArmor/go.sum | 7 -------
 KubeArmor/monitor/processTree.go | 22 +++++++++++++++-------
 3 files changed, 43 insertions(+), 14 deletions(-)

diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
index effe43be9..def159fd1 100644
--- a/KubeArmor/core/kubeUpdate.go
+++ b/KubeArmor/core/kubeUpdate.go
@@ -269,6 +269,12 @@ func (dm *KubeArmorDaemon) UpdateEndPointWithPod(action string, pod tp.K8sPod) {
 }
 dm.Containers[containerID] = container
+
+ // in case if container runtime detect the container and emit that event before pod event then
+ // the container id will be added to NsMap with "Unknown" namespace
+ // therefore update the NsMap to have this container id with associated namespace
+ // and delete the container id from NamespacePidsMap within "Unknown" namespace
+ dm.HandleUnknownNamespaceNsMap(&container)
 }
 dm.ContainersLock.Unlock()
@@ -428,6 +434,12 @@ func (dm *KubeArmorDaemon) UpdateEndPointWithPod(action string, pod tp.K8sPod) {
 }
 dm.Containers[containerID] = container
+ // in case if container runtime detect the container and emit that event before pod event then
+ // the container id will be added to NsMap with "Unknown" namespace
+ // therefore update the NsMap to have this container id with associated namespace
+ // and delete the container id from NamespacePidsMap within "Unknown" namespace
+ dm.HandleUnknownNamespaceNsMap(&container)
+
 }
 dm.ContainersLock.Unlock()
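Review bot: `dm.HandleUnknownNamespaceNsMap(&container)` is called while `dm.ContainersLock` is still held (the `dm.ContainersLock.Unlock()` that follows it is visible in both hunks), and the helper in turn takes `dm.SystemMonitor.NsMapLock` and, through `AddContainerIDToNsMap`, `BpfMapLock`; that nesting order needs to be confirmed against any path that takes the monitor locks before `ContainersLock`, since a lock-order inversion would stall the daemon and with it enforcement and telemetry. The second hunk (at -428) repeats the same call and the same four-line comment verbatim; that explanation belongs once on the helper's doc comment, leaving a one-liner such as `// runtime event may have arrived before the pod event: re-home the container from the "Unknown" namespace` at each call site. The enclosing function UpdateEndPointWithPod starts and ends outside both hunks.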
@@ -510,6 +522,22 @@ func (dm *KubeArmorDaemon) UpdateEndPointWithPod(action string, pod tp.K8sPod) {
 }
 }
+// HandleUnknownNamespaceNsMap Function
+func (dm *KubeArmorDaemon) HandleUnknownNamespaceNsMap(container *tp.Container) {
+ dm.SystemMonitor.AddContainerIDToNsMap(container.ContainerID, container.NamespaceName, container.PidNS, container.MntNS)
+ dm.SystemMonitor.NsMapLock.Lock()
+ if val, ok := dm.SystemMonitor.NamespacePidsMap["Unknown"]; ok {
+ for i := range val.NsKeys {
+ if val.NsKeys[i].MntNS == container.MntNS && val.NsKeys[i].PidNS == container.PidNS {
+ val.NsKeys = append(val.NsKeys[:i], val.NsKeys[i+1:]...)
+ break
+ }
+ }
+ dm.SystemMonitor.NamespacePidsMap["Unknown"] = val
+ }
+ dm.SystemMonitor.NsMapLock.Unlock()
+}
+
 // WatchK8sPods Function
 func (dm *KubeArmorDaemon) WatchK8sPods() {
 for {
diff --git a/KubeArmor/go.sum b/KubeArmor/go.sum
index d385e3b7c..e919bcc0d 100644
--- a/KubeArmor/go.sum
+++ b/KubeArmor/go.sum
@@ -84,8 +84,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
 github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v23.0.6+incompatible h1:aBD4np894vatVX99UTx/GyOUOK4uEcROwA3+bQhEcoU=
-github.com/docker/docker v23.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM=
 github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
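Review bot: `NamespacePidsMap["Unknown"]` is read and rewritten here under `dm.SystemMonitor.NsMapLock`, while the same map is written in `AddContainerIDToNsMap` (processTree.go hunk) before its `mon.BpfMapLock.Unlock()`; unless that function also holds `NsMapLock` in the part outside the visible hunk, the two writers are guarded by different locks and this removal can race with a concurrent insert under "Unknown", corrupting the slice that decides which namespace keys are monitored. Worth confirming which lock owns `NamespacePidsMap` and taking that one here. The doc comment `// HandleUnknownNamespaceNsMap Function` conveys nothing; suggest `// HandleUnknownNamespaceNsMap re-registers a container whose runtime event arrived before its pod event: it maps the container's pid/mnt namespaces to the real namespace and drops the matching key from the "Unknown" entry.`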
@@ -114,7 +112,6 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -226,12 +223,10 @@ github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7P
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
@@ -267,8 +262,6 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo/v2 v2.9.7 h1:06xGQy5www2oN160RtEZoTvnP2sPhEfePYmCDc2szss=
diff --git a/KubeArmor/monitor/processTree.go b/KubeArmor/monitor/processTree.go
index d72bfdc8c..bc7e825e9 100644
--- a/KubeArmor/monitor/processTree.go
+++ b/KubeArmor/monitor/processTree.go
@@ -11,6 +11,7 @@ import (
 "syscall"
 "time"
+ cfg "github.com/kubearmor/KubeArmor/KubeArmor/config"
 tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
 )
@@ -54,20 +55,27 @@ func (mon *SystemMonitor) AddContainerIDToNsMap(containerID string, namespace st
 if !found {
 val.NsKeys = append(val.NsKeys, key)
 mon.NamespacePidsMap[namespace] = val
+ mon.UpdateNsKeyMap("ADDED", key, tp.Visibility{
+ File: val.File,
+ Process: val.Process,
+ Capabilities: val.Capability,
+ Network: val.Network,
+ })
 }
- mon.UpdateNsKeyMap("ADDED", key, tp.Visibility{
- File: val.File,
- Process: val.Process,
- Capabilities: val.Capability,
- Network: val.Network,
- })
 } else {
 mon.NamespacePidsMap[namespace] = NsVisibility{
 NsKeys: []NsKey{
 key,
 },
 }
- mon.UpdateNsKeyMap("ADDED", key, tp.Visibility{})
+ // Set Visibility to Global Default
+ visibility := tp.Visibility{
+ File: strings.Contains(cfg.GlobalCfg.Visibility, "file"),
+ Process: strings.Contains(cfg.GlobalCfg.Visibility, "process"),
+ Network: strings.Contains(cfg.GlobalCfg.Visibility, "network"),
+ Capabilities: strings.Contains(cfg.GlobalCfg.Visibility, "capabilities"),
+ }
+ mon.UpdateNsKeyMap("ADDED", key, visibility)
 }
 mon.BpfMapLock.Unlock()
 }
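Review bot: The `else` branch stores `NsVisibility{NsKeys: ...}` with its `File`/`Process`/`Capability`/`Network` fields left false while pushing the global default to the BPF map, so the next container in that namespace takes the `!found` path and is registered with `tp.Visibility{File: val.File, ...}` — all false — leaving two containers in one namespace with different visibility, the later one with none until something else updates the entry. For the "Unknown" namespace this commit starts populating, which presumably never receives a namespace annotation update, that gap would persist, so the monitor would silently drop telemetry for those containers. Populating the new `NsVisibility` entry from the same default keeps the map and the BPF side consistent; the function begins before the hunk, where `found` and `val` are computed. Separately, `strings.Contains` on `cfg.GlobalCfg.Visibility` is a substring match — if that field is a comma-separated list, splitting it and comparing tokens exactly would avoid accidental matches.
```go
} else {
	// Set Visibility to Global Default in NamespacePidsMap as well as in the
	// BPF map, so later containers in this namespace inherit the same visibility.
	visibility := tp.Visibility{
		File:         strings.Contains(cfg.GlobalCfg.Visibility, "file"),
		Process:      strings.Contains(cfg.GlobalCfg.Visibility, "process"),
		Network:      strings.Contains(cfg.GlobalCfg.Visibility, "network"),
		Capabilities: strings.Contains(cfg.GlobalCfg.Visibility, "capabilities"),
	}
	mon.NamespacePidsMap[namespace] = NsVisibility{
		NsKeys:     []NsKey{key},
		File:       visibility.File,
		Process:    visibility.Process,
		Capability: visibility.Capabilities,
		Network:    visibility.Network,
	}
	mon.UpdateNsKeyMap("ADDED", key, visibility)
}
// … unchanged: mon.BpfMapLock.Unlock() and function close …
```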