Merge remote-tracking branch 'origin/k8s_testing' into k8s_testing

Ishaanj18 · Jun 10, 2024 · a0d5fdd · a0d5fdd
2 parents 10a1ac3 + 60c6405
commit a0d5fdd
Show file tree

Hide file tree

Showing 67 changed files with 1,445 additions and 359 deletions.
diff --git a/.gitbook/assets/kubearmor-tls-arch-overview.png b/.gitbook/assets/kubearmor-tls-arch-overview.png
diff --git a/.github/workflows/ci-latest-helm-chart-release.yaml b/.github/workflows/ci-latest-helm-chart-release.yaml
@@ -13,7 +13,7 @@ permissions: read-all
 jobs:
   publish-chart:
     name: Update Stable Helm Chart With Latest Changes
-    if: ${{ (github.repository == 'kubearmor/kubearmor') && (!contains(github.event.head_commit.message, '[skip ci]')) }}
+    if: ${{ (github.repository == 'kubearmor/kubearmor') }}
     runs-on: ubuntu-20.04
     permissions:
       contents: write

diff --git a/.github/workflows/ci-latest-release.yml b/.github/workflows/ci-latest-release.yml
@@ -46,7 +46,7 @@ jobs:
     if: github.repository == 'kubearmor/kubearmor' && (needs.check.outputs.kubearmor == 'true' || ${{ github.ref }} != 'refs/heads/main')
     runs-on: ubuntu-latest-16-cores
     permissions:
-      id-token: write 
+      id-token: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v3
@@ -81,7 +81,7 @@ jobs:
         run: |
           make docker-build TAG=${{ steps.vars.outputs.tag }}
 
-      - name: deploy pre existing pod 
+      - name: deploy pre existing pod
         run: |
           kubectl apply -f ./tests/k8s_env/ksp/pre-run-pod.yaml
           sleep 60
@@ -93,7 +93,7 @@ jobs:
           docker save kubearmor/kubearmor:${{ steps.vars.outputs.tag }} | sudo k3s ctr images import -
           docker save kubearmor/kubearmor-operator:${{ steps.vars.outputs.tag }} | sudo k3s ctr images import -
           docker save kubearmor/kubearmor-snitch:${{ steps.vars.outputs.tag }} | sudo k3s ctr images import -
-        
+
           helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=${{ steps.vars.outputs.tag }}
           kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator
           kubectl get pods -A
@@ -145,12 +145,12 @@ jobs:
       - name: Push KubeArmor images to Docker
         run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/push_kubearmor.sh ${{ steps.vars.outputs.tag }}
 
-      - name: Install Cosign 
+      - name: Install Cosign
         uses: sigstore/cosign-installer@main
 
       - name: Get Image Digest
         id: digest
-        run: | 
+        run: |
           echo "imagedigest=$(jq -r '.["containerimage.digest"]' kubearmor.json)" >> $GITHUB_OUTPUT
           echo "initdigest=$(jq -r '.["containerimage.digest"]' kubearmor-init.json)" >> $GITHUB_OUTPUT
           echo "ubidigest=$(jq -r '.["containerimage.digest"]' kubearmor-ubi.json)" >> $GITHUB_OUTPUT
@@ -207,7 +207,7 @@ jobs:
           regctl image copy kubearmor/kubearmor:$STABLE_VERSION kubearmor/kubearmor:stable --digest-tags
           regctl image copy kubearmor/kubearmor-ubi:$STABLE_VERSION kubearmor/kubearmor-ubi:stable --digest-tags
           regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION kubearmor/kubearmor-controller:stable --digest-tags
-  
+
   kubearmor-controller-release:
     name: Build & Push KubeArmorController
     needs: check
@@ -223,7 +223,7 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version-file: 'KubeArmor/go.mod'
-  
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
 

diff --git a/.github/workflows/ci-marketplace-release.yml b/.github/workflows/ci-marketplace-release.yml
@@ -7,6 +7,9 @@ on:
       - "STABLE-RELEASE"
       - ".github/workflows/ci-marketplace-release.yml"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   certify-images-on-redhat:
     runs-on: ubuntu-latest
@@ -249,4 +252,4 @@ jobs:
 
             Assignees: @kubearmor/triagers
 
-            Refer the documentation [here](https://github.com/kubearmor/KubeArmor/wiki/Update-KubeArmor-Marketplace-Releases) for update listing instructions.
+            Refer the documentation [here](https://github.com/kubearmor/KubeArmor/wiki/Update-KubeArmor-Marketplace-Releases) for update listing instructions.
diff --git a/.github/workflows/ci-systemd-release.yml b/.github/workflows/ci-systemd-release.yml
@@ -1,10 +1,19 @@
 name: ci-systemd-release
 
 on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag which has to be updated"
+        type: "string"
+        required: true
   push:
     tags:
       - "*"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   goreleaser:
     runs-on: ubuntu-20.04
@@ -16,34 +25,70 @@ jobs:
       - uses: actions/checkout@v3
         with:
           submodules: true
+          fetch-depth: 0
 
       - uses: actions/setup-go@v5
         with:
           go-version-file: 'KubeArmor/go.mod'
-
 
       - name: Install the latest LLVM toolchain
         run: ./.github/workflows/install-llvm.sh
 
       - name: Compile libbpf
         run: ./.github/workflows/install-libbpf.sh
+
       - name: Install Cosign
         uses: sigstore/cosign-installer@main
 
       - name: Install karmor
         run: curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b .
         working-directory: KubeArmor
-      
+
       - name: Build KubeArmor object files
-        run: make 
+        run: make
         working-directory: KubeArmor/BPF
-
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_AUTHTOK }}
+
+      - name: Get release tag
+        id: vars
+        run: |
+          cp KubeArmor/.goreleaser.yaml /tmp/.goreleaser.yaml
+          if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then
+            # checkout branch but use goreleaser config from latest
+            echo "Checking out tag: ${{ inputs.tag }}"
+            git checkout ${{ inputs.tag }}
+            echo "GORELEASER_CURRENT_TAG=${{ inputs.tag }}" >> $GITHUB_OUTPUT
+
+            REF=${{ inputs.tag }}
+            echo "tag=${REF#v}" >> $GITHUB_OUTPUT
+          else
+            REF=${GITHUB_REF#refs/*/}
+            echo "tag=${REF#v}" >> $GITHUB_OUTPUT
+          fi
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:
           distribution: goreleaser
           version: v1.25.0
-          args: release --clean
+          args: release --config=/tmp/.goreleaser.yaml
           workdir: KubeArmor
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_CURRENT_TAG: ${{ steps.vars.outputs.GORELEASER_CURRENT_TAG }}
+
+      - name: Setup ORAS
+        uses: oras-project/setup-oras@v1
+        with:
+          version: 1.0.0
+
+      - name: Publish release artifacts to Dockerhub
+        working-directory: KubeArmor/dist
+        run: |
+          oras push docker.io/kubearmor/kubearmor-systemd:${{ steps.vars.outputs.tag }}_linux-amd64 kubearmor_${{ steps.vars.outputs.tag }}_linux-amd64.tar.gz
+          oras push docker.io/kubearmor/kubearmor-systemd:${{ steps.vars.outputs.tag }}_linux-arm64 kubearmor_${{ steps.vars.outputs.tag }}_linux-arm64.tar.gz
diff --git a/KubeArmor/.goreleaser.yaml b/KubeArmor/.goreleaser.yaml
@@ -8,6 +8,13 @@ builds:
     goarch:
       - amd64
       - arm64
+    env:
+      - CGO_ENABLED=0
+
+release:
+  replace_existing_artifacts: true
+  mode: replace
+  make_latest: false
 
 signs:
   - cmd: cosign
@@ -20,7 +27,7 @@ signs:
       - --yes
     artifacts: all
     output: true
-    
+
 archives:
   - id: "kubearmor"
     builds:

diff --git a/KubeArmor/BPF/enforcer.bpf.c b/KubeArmor/BPF/enforcer.bpf.c
@@ -253,6 +253,9 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
   return ret;
 
 ringbuf:
+  if (get_kubearmor_config(_ALERT_THROTTLING) && should_drop_alerts_per_container(okey)) {
+    return retval;
+  }
 
   task_info = bpf_ringbuf_reserve(&kubearmor_events, sizeof(event), 0);
   if (!task_info) {
@@ -394,10 +397,15 @@ static inline int match_net_rules(int type, int protocol, u32 eventID) {
   return 0;
 
 ringbuf:
+  if (get_kubearmor_config(_ALERT_THROTTLING) && should_drop_alerts_per_container(okey)) {
+    return retval;
+  }
+
   task_info = bpf_ringbuf_reserve(&kubearmor_events, sizeof(event), 0);
   if (!task_info) {
     return retval;
   }
+
   // Clearing arrays to avoid garbage values to be parsed
   __builtin_memset(task_info->data.path, 0, sizeof(task_info->data.path));
   __builtin_memset(task_info->data.source, 0, sizeof(task_info->data.source));
@@ -557,10 +565,15 @@ int BPF_PROG(enforce_cap, const struct cred *cred, struct user_namespace *ns,
   return 0;
 
 ringbuf:
+  if (get_kubearmor_config(_ALERT_THROTTLING) && should_drop_alerts_per_container(okey)) {
+    return retval;
+  }
+
   task_info = bpf_ringbuf_reserve(&kubearmor_events, sizeof(event), 0);
   if (!task_info) {
     return retval;
   }
+
   // Clearing arrays to avoid garbage values to be parsed
   __builtin_memset(task_info->data.path, 0, sizeof(task_info->data.path));
   __builtin_memset(task_info->data.source, 0, sizeof(task_info->data.source));

diff --git a/KubeArmor/BPF/shared.h b/KubeArmor/BPF/shared.h
@@ -6,9 +6,11 @@
 
 #include "vmlinux.h"
 #include "vmlinux_macro.h"
+#include "syscalls.h"
 #include <bpf/bpf_core_read.h>
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>
+#include "throttling.h"
 
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
 #define EPERM 13
@@ -72,11 +74,6 @@ struct {
   __uint(max_entries, 3);
 } bufk SEC(".maps");
 
-struct outer_key {
-  u32 pid_ns;
-  u32 mnt_ns;
-};
-
 typedef struct {
   u64 ts;
 
@@ -122,6 +119,24 @@ struct data_t {
   u8 filemask;
 };
 
+enum
+{
+    _ALERT_THROTTLING = 3,
+    _MAX_ALERT_PER_SEC = 4,
+    _THROTTLE_SEC = 5,
+};
+
+struct kaconfig
+{
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __type(key, u32);
+    __type(value, u32);
+    __uint(max_entries, 16);
+    __uint(pinning, LIBBPF_PIN_BY_NAME);
+};
+
+struct kaconfig kubearmor_config SEC(".maps");
+
 struct outer_hash {
   __uint(type, BPF_MAP_TYPE_HASH_OF_MAPS);
   __uint(max_entries, 256);
@@ -297,6 +312,84 @@ static __always_inline u32 init_context(event *event_data) {
   return 0;
 }
 
+
+static __always_inline u32 get_kubearmor_config(u32 config)
+{
+    u32 *value = bpf_map_lookup_elem(&kubearmor_config, &config);
+    if (!value)
+    {
+        return 0;
+    }
+
+    return *value;
+}
+
+// To check if subsequent alerts should be dropped per container
+static __always_inline bool should_drop_alerts_per_container(struct outer_key okey) {
+  u64 current_timestamp = bpf_ktime_get_ns();
+
+  struct outer_key key = {
+    .pid_ns = okey.pid_ns,
+    .mnt_ns = okey.mnt_ns
+  };
+
+  struct alert_throttle_state *state = bpf_map_lookup_elem(&kubearmor_alert_throttle, &key);
+
+  if (!state) {
+    struct alert_throttle_state new_state = {
+      .event_count = 1,
+      .first_event_timestamp = current_timestamp,
+      .throttle = 0
+    };
+
+    bpf_map_update_elem(&kubearmor_alert_throttle, &key, &new_state, BPF_ANY);
+    return false;
+  }
+
+  u64 throttle_sec = (u64)get_kubearmor_config(_THROTTLE_SEC); 
+  u64 throttle_nsec = throttle_sec * 1000000000L; 
+  u64 maxAlert = (u64)get_kubearmor_config(_MAX_ALERT_PER_SEC); 
+
+  if (state->throttle) {
+    u64 time_difference = current_timestamp - state->first_event_timestamp;
+    if (time_difference < throttle_nsec) {
+      return true;
+    }
+  }
+
+  u64 time_difference = current_timestamp - state->first_event_timestamp;
+
+  if (time_difference >= 1000000000L) { // 1 second
+    state->first_event_timestamp = current_timestamp;
+    state->event_count = 1;
+    state->throttle = 0;
+  } else {
+    state->event_count++;
+  }
+
+  if (state->event_count > maxAlert) {
+    state->event_count = 0;
+    state->throttle = 1;
+    bpf_map_update_elem(&kubearmor_alert_throttle, &key, state, BPF_ANY);
+
+    // Generating Throttling Alert 
+    event *event_data = bpf_ringbuf_reserve(&kubearmor_events, sizeof(event), 0);
+    if (!event_data) {
+      // Failed to reserve
+      return true;
+    }
+    init_context(event_data);
+    event_data->event_id = _DROPPING_ALERT;
+    event_data->retval = 0; 
+    bpf_ringbuf_submit(event_data, 0);
+
+    return true; 
+  }
+
+  bpf_map_update_elem(&kubearmor_alert_throttle, &key, state, BPF_ANY);
+  return false; 
+}
+
 static bool is_owner(struct file *file_p) {
   kuid_t owner = BPF_CORE_READ(file_p, f_inode, i_uid);
   unsigned int z = bpf_get_current_uid_gid();
@@ -599,6 +692,10 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id,
   return 0;
 
 ringbuf:
+  if (get_kubearmor_config(_ALERT_THROTTLING) && should_drop_alerts_per_container(okey)) {
+    return retval;
+  }
+
   task_info = bpf_ringbuf_reserve(&kubearmor_events, sizeof(event), 0);
   if (!task_info) {
     // Failed to reserve, doing policy enforcement without alert