From 58adc0e13a6df5a5233252de56c2949711dc3b50 Mon Sep 17 00:00:00 2001
From: Prateek Nandle
Date: Sun, 26 May 2024 03:08:50 +0530
Subject: [PATCH 1/2] patch apparmor annotations for cronjobs and updating rbac rules
Signed-off-by: Prateek Nandle
---
 KubeArmor/core/k8sHandler.go | 15 ++++++++++++++-
 deployments/get/objects.go | 2 +-
 .../helm/KubeArmor/templates/RBAC/roles.yaml | 4 ++++
 .../templates/clusterrole-rbac.yaml | 4 ++++
 deployments/operator/operator.yaml | 11 +++++++++++
 .../config/rbac/clusterrole.yaml | 4 ++++
 6 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/KubeArmor/core/k8sHandler.go b/KubeArmor/core/k8sHandler.go
index f65f4c2e0e..7cac5da30f 100644
--- a/KubeArmor/core/k8sHandler.go
+++ b/KubeArmor/core/k8sHandler.go
@@ -230,6 +230,10 @@ func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploy
 }
 
 spec := `{"spec":{"template":{"metadata":{"annotations":{"kubearmor-policy":"enabled",`
+ if kind == "CronJob" {
+ spec = `{"spec":{"jobTemplate":{"spec":{"template":{"metadata":{"annotations":{"kubearmor-policy":"enabled",`
+ }
+
 count := len(appArmorAnnotations)
 
 for k, v := range appArmorAnnotations {
@@ -246,7 +250,11 @@ func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploy
 count--
 }
 
- spec = spec + `}}}}}`
+ if kind == "CronJob" {
+ spec = spec + `}}}}}}}`
+ } else {
+ spec = spec + `}}}}}`
+ }
 
 if kind == "StatefulSet" {
 _, err := kh.K8sClient.AppsV1().StatefulSets(namespaceName).Patch(context.Background(), deploymentName, types.StrategicMergePatchType, []byte(spec), metav1.PatchOptions{})
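Review bot: The opening fragment of the strategic-merge patch is chosen in this hunk while the matching closing braces are chosen in a second `if kind == "CronJob"` twenty lines later (hunk @@ -246,7 +250,11 @@), so the two can drift and a miscount produces a patch that only fails at the apiserver; the counts do match today (seven `{` against `}}}}}}}`, five against `}}}}}`). Selecting prefix and suffix together, or building the body as a map and serialising it with `json.Marshal`, removes that coupling. The annotation loop that interpolates `appArmorAnnotations` keys and values into the literal sits outside the hunk; if those values can ever carry a quote or backslash they need JSON escaping, which a marshalled map would also provide — worth confirming against the callers. PatchResourceWithAppArmorAnnotations starts before the hunk and continues after it.
```go
	// Choose the opening and closing fragments together so the brace count
	// cannot drift between the two kind-specific layouts.
	specPrefix := `{"spec":{"template":{"metadata":{"annotations":{"kubearmor-policy":"enabled",`
	specSuffix := `}}}}}`
	if kind == "CronJob" {
		// CronJob pods live under spec.jobTemplate.spec.template.
		specPrefix = `{"spec":{"jobTemplate":{"spec":{"template":{"metadata":{"annotations":{"kubearmor-policy":"enabled",`
		specSuffix = `}}}}}}}`
	}
	spec := specPrefix
	count := len(appArmorAnnotations)

	// … unchanged: annotation loop …

	spec = spec + specSuffix
```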
@@ -292,6 +300,11 @@ func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploy
 if err != nil {
 return err
 }
+ } else if kind == "CronJob" {
+ _, err := kh.K8sClient.BatchV1().CronJobs(namespaceName).Patch(context.Background(), deploymentName, types.StrategicMergePatchType, []byte(spec), metav1.PatchOptions{})
+ if err != nil {
+ return err
+ }
 } else if kind == "Pod" {
 // this condition wont be triggered, handled by controller
 return nil
diff --git a/deployments/get/objects.go b/deployments/get/objects.go
index 692796dd2a..40076539bc 100644
--- a/deployments/get/objects.go
+++ b/deployments/get/objects.go
@@ -54,7 +54,7 @@ func GetClusterRole() *rbacv1.ClusterRole {
 {
 APIGroups: []string{"batch"},
 Resources: []string{"jobs", "cronjobs"},
- Verbs: []string{"get"},
+ Verbs: []string{"get", "patch", "list", "watch", "update"},
 },
 {
 APIGroups: []string{"security.kubearmor.com"},
diff --git a/deployments/helm/KubeArmor/templates/RBAC/roles.yaml b/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
index c556f66b7e..96ceac7b4e 100644
--- a/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
+++ b/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
@@ -36,6 +36,10 @@ rules:
 - cronjobs
 verbs:
 - get
+ - patch
+ - list
+ - watch
+ - update
 - apiGroups:
 - security.kubearmor.com
 resources:
diff --git a/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml b/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
index 4b06441df0..8075210e26 100644
--- a/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
+++ b/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
@@ -136,6 +136,10 @@ rules:
 - cronjobs
 verbs:
 - get
+ - patch
+ - list
+ - watch
+ - update
 - apiGroups:
 - security.kubearmor.com
 resources:
diff --git a/deployments/operator/operator.yaml b/deployments/operator/operator.yaml
index f3bacad8b1..4bf8da1485 100644
--- a/deployments/operator/operator.yaml
+++ b/deployments/operator/operator.yaml
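Review bot: The new CronJob branch returns the Patch error bare, so a failed patch surfaces as an apiserver message with no indication of which resource was being annotated; `return fmt.Errorf("patching cronjob %s/%s: %w", namespaceName, deploymentName, err)` would name the target while keeping the cause reachable through errors.Is/As. The branch visible at the top of the hunk returns the same bare `err`, so this is an existing style the new code inherits rather than a regression, and the same wrapping would apply there. The growing `if … else if kind == …` chain would also read better as a `switch kind`, but the function starts and continues outside the hunk.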
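Review bot: The verb list grows from `get` to `get, patch, list, watch, update` on both `jobs` and `cronjobs`, but the only new API use in this series is the CronJobs Patch call in KubeArmor/core/k8sHandler.go, which needs `get` and `patch` on cronjobs alone; `list`, `watch` and `update` on both resources, and any new verb on jobs, are granted without a visible consumer. `update` in particular permits replacing the whole object, which a strategic-merge patch does not require. If nothing outside this series lists, watches or updates those resources, `Verbs: []string{"get", "patch"}` (with jobs left at `get`, or split into its own rule) keeps the daemon's ClusterRole at least privilege. The same verbs are mirrored in the roles.yaml, clusterrole-rbac.yaml, operator.yaml and pkg/KubeArmorOperator/config/rbac/clusterrole.yaml hunks, and because an operator can only grant verbs it holds itself, whatever set is chosen here should be narrowed consistently across all five files.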
@@ -377,6 +377,17 @@ rules:
 - list
 - watch
 - update
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ - cronjobs
+ verbs:
+ - get
+ - patch
+ - list
+ - watch
+ - update
 - apiGroups:
 - security.kubearmor.com
 resources:
diff --git a/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml b/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml
index 156e279516..5a6a99e91e 100644
--- a/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml
+++ b/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml
@@ -130,6 +130,10 @@ rules:
 - cronjobs
 verbs:
 - get
+ - patch
+ - list
+ - watch
+ - update
 - apiGroups:
 - security.kubearmor.com
 resources:
From 0a8837f4590cb97653c0bcceaad598fb53a82bf0 Mon Sep 17 00:00:00 2001
From: Prateek Nandle
Date: Tue, 28 May 2024 00:37:53 +0530
Subject: [PATCH 2/2] removing priority class
Signed-off-by: Prateek Nandle
---
 deployments/get/objects.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/deployments/get/objects.go b/deployments/get/objects.go
index 40076539bc..6ead7f5d63 100644
--- a/deployments/get/objects.go
+++ b/deployments/get/objects.go
@@ -546,7 +546,6 @@ func GetKubeArmorControllerDeployment(namespace string) *appsv1.Deployment {
 Labels: KubeArmorControllerLabels,
 },
 Spec: corev1.PodSpec{
- PriorityClassName: "system-node-critical",
 ServiceAccountName: KubeArmorControllerServiceAccountName,
 Volumes: []corev1.Volume{
 KubeArmorControllerCertVolume,