Merge pull request #1357 from rksharma95/fix-operator-mount

fix(operator):fix kernel header mount bug
kubearmor · Aug 9, 2023 · e58e722 · e58e722
2 parents e2d5d57 + 3feae65
commit e58e722
Show file tree

Hide file tree

Showing 9 changed files with 45 additions and 133 deletions.
diff --git a/pkg/KubeArmorOperator/cmd/snitch-cmd/root.go b/pkg/KubeArmorOperator/cmd/snitch-cmd/root.go
@@ -123,13 +123,18 @@ func snitch() {
 		os.Exit(1)
 	}
 
+	// Check BTF support
+	btfPresent := enforcer.CheckBtfSupport(PathPrefix, *Logger)
+	Logger.Infof("Kernel has BTF: %s", btfPresent)
+
 	patchNode := metadata{}
 	patchNode.Metadata.Labels = map[string]string{}
 	patchNode.Metadata.Labels[common.RuntimeLabel] = runtime
 	patchNode.Metadata.Labels[common.SocketLabel] = strings.ReplaceAll(socket[1:], "/", "_")
 	patchNode.Metadata.Labels[common.EnforcerLabel] = nodeEnforcer
 	patchNode.Metadata.Labels[common.RuntimeStorageLabel] = strings.ReplaceAll(runtimeStorage[1:], "/", "_")
 	patchNode.Metadata.Labels[common.RandLabel] = rand.String(4)
+	patchNode.Metadata.Labels[common.BTFLabel] = btfPresent
 	patch, err := json.Marshal(patchNode)
 
 	if err != nil {

diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go
@@ -48,6 +48,7 @@ var (
 	RandLabel                       string = "kubearmor.io/rand"
 	OsLabel                         string = "kubernetes.io/os"
 	ArchLabel                       string = "kubernetes.io/arch"
+	BTFLabel                        string = "kubearmor.io/btf"
 	DeletAction                     string = "DELETE"
 	AddAction                       string = "ADD"
 	Namespace                       string = "kube-system"
@@ -183,15 +184,6 @@ var CommonVolumes = []corev1.Volume{
 			EmptyDir: &corev1.EmptyDirVolumeSource{},
 		},
 	},
-	{
-		Name: "sys-kernel-security-path",
-		VolumeSource: corev1.VolumeSource{
-			HostPath: &corev1.HostPathVolumeSource{
-				Path: "/sys/kernel/security",
-				Type: &HostPathDirectory,
-			},
-		},
-	},
 	{
 		Name: "sys-kernel-debug-path",
 		VolumeSource: corev1.VolumeSource{
@@ -217,10 +209,6 @@ var CommonVolumesMount = []corev1.VolumeMount{
 		Name:      "bpf",
 		MountPath: "/opt/kubearmor/BPF",
 	},
-	{
-		Name:      "sys-kernel-security-path",
-		MountPath: "/sys/kernel/security",
-	},
 	{
 		Name:      "sys-kernel-debug-path",
 		MountPath: "/sys/kernel/debug",

diff --git a/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml b/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml
@@ -114,22 +114,15 @@ rules:
   - apps
   resources:
   - deployments
-  verbs:
-  - get
-  - patch
-  - list
-  - watch
-  - update
-- apiGroups:
-  - apps
-  resources:
   - replicasets
   - daemonsets
   - statefulsets
   verbs:
   - get
+  - patch
   - list
   - watch
+  - update
 - apiGroups:
   - security.kubearmor.com
   resources:

diff --git a/pkg/KubeArmorOperator/deployments/operator.yaml b/pkg/KubeArmorOperator/deployments/operator.yaml
@@ -187,15 +187,12 @@ rules:
   resources:
   - deployments
   - daemonsets
-  - replicasets
-  - statefulsets
   verbs:
   - list
   - get
   - create
   - delete
   - update
-  - patch
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
@@ -354,16 +351,6 @@ rules:
   - list
   - watch
   - update
-- apiGroups:
-  - apps
-  resources:
-  - replicasets
-  - daemonsets
-  - statefulsets
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - security.kubearmor.com
   resources:

diff --git a/pkg/KubeArmorOperator/enforcer/enforcer.go b/pkg/KubeArmorOperator/enforcer/enforcer.go
@@ -18,6 +18,15 @@ func GetAvailableLsms() []string {
 	return []string{"bpf", "selinux", "apparmor"}
 }
 
+// CheckBtfSupport checks if BTF is present
+func CheckBtfSupport(PathPrefix string, log zap.SugaredLogger) string {
+	btfPath := PathPrefix + "/sys/kernel/btf/vmlinux"
+	if _, err := os.Stat(filepath.Clean(btfPath)); err == nil {
+		return "yes"
+	}
+	return "no"
+}
+
 // DetectEnforcer: detect the enforcer on the node
 func DetectEnforcer(lsmOrder []string, PathPrefix string, log zap.SugaredLogger) string {
 	supportedLsms := []string{}

diff --git a/pkg/KubeArmorOperator/go.mod b/pkg/KubeArmorOperator/go.mod
@@ -3,23 +3,21 @@ module github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator
 go 1.20
 
 require (
-	github.com/kubearmor/KubeArmor/KubeArmor v0.0.0-20230804143049-f7f820045b85
-	github.com/kubearmor/KubeArmor/deployments v0.0.0-20230804143049-f7f820045b85
-	github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20230804143049-f7f820045b85
+	github.com/kubearmor/KubeArmor/KubeArmor v0.0.0-20230809083125-e2d5d5709d2c
+	github.com/kubearmor/KubeArmor/deployments v0.0.0-20230809083125-e2d5d5709d2c
+	github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20230808073138-46a1e116bcd7
 	github.com/spf13/cobra v1.7.0
 	go.uber.org/zap v1.25.0
-	golang.org/x/mod v0.10.0
 	k8s.io/api v0.27.4
 	k8s.io/apiextensions-apiserver v0.27.4
 	k8s.io/apimachinery v0.27.4
 	k8s.io/client-go v0.27.4
-	k8s.io/kubectl v0.27.2
+	k8s.io/kubectl v0.27.4
 	sigs.k8s.io/controller-runtime v0.15.0
 )
 
 require (
 	github.com/cilium/ebpf v0.11.0 // indirect
-	github.com/clarketm/json v1.17.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
@@ -53,7 +51,6 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.16.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
-	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
 	golang.org/x/net v0.14.0 // indirect