diff --git a/.github/workflows/ci-controllers-release.yml b/.github/workflows/ci-controllers-release.yml
index 668e52498..2e5af9ec6 100644
--- a/.github/workflows/ci-controllers-release.yml
+++ b/.github/workflows/ci-controllers-release.yml
@@ -45,7 +45,7 @@ jobs:
 steps:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - uses: actions/checkout@v3
@@ -78,7 +78,7 @@ jobs:
 steps:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - uses: actions/checkout@v3
@@ -111,7 +111,7 @@ jobs:
 steps:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - uses: actions/checkout@v3
diff --git a/.github/workflows/ci-latest-release.yml b/.github/workflows/ci-latest-release.yml
index 3cf648ddc..f4021ef31 100644
--- a/.github/workflows/ci-latest-release.yml
+++ b/.github/workflows/ci-latest-release.yml
@@ -31,7 +31,7 @@ jobs:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - name: Install the latest LLVM toolchain
 run: ./.github/workflows/install-llvm.sh
diff --git a/.github/workflows/ci-systemd-release.yml b/.github/workflows/ci-systemd-release.yml
index a8ec68b3f..ac4317a3b 100644
--- a/.github/workflows/ci-systemd-release.yml
+++ b/.github/workflows/ci-systemd-release.yml
@@ -18,7 +18,7 @@ jobs:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - name: Install the latest LLVM toolchain
 run: ./.github/workflows/install-llvm.sh
diff --git a/.github/workflows/ci-test-controllers.yml b/.github/workflows/ci-test-controllers.yml
index 9fb9f4fb6..e825bb910 100644
--- a/.github/workflows/ci-test-controllers.yml
+++ b/.github/workflows/ci-test-controllers.yml
@@ -47,7 +47,7 @@ jobs:
 steps:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - uses: actions/checkout@v3
@@ -66,7 +66,7 @@ jobs:
 steps:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - uses: actions/checkout@v3
@@ -85,7 +85,7 @@ jobs:
 steps:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - uses: actions/checkout@v3
diff --git a/.github/workflows/ci-test-ginkgo.yml b/.github/workflows/ci-test-ginkgo.yml
index 43709b464..5edf8f8b3 100644
--- a/.github/workflows/ci-test-ginkgo.yml
+++ b/.github/workflows/ci-test-ginkgo.yml
@@ -34,7 +34,7 @@ jobs:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - name: Install the latest LLVM toolchain
 run: ./.github/workflows/install-llvm.sh
@@ -104,4 +104,4 @@ jobs:
 - uses: codecov/codecov-action@v3
 if: ${{ always() }}
 with:
- files: ./KubeArmor/gover.coverprofile
\ No newline at end of file
+ files: ./KubeArmor/gover.coverprofile
diff --git a/.github/workflows/ci-test-go.yml b/.github/workflows/ci-test-go.yml
index f1cce0f36..e4edb04a1 100644
--- a/.github/workflows/ci-test-go.yml
+++ b/.github/workflows/ci-test-go.yml
@@ -14,7 +14,7 @@ jobs:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - name: Check gofmt
 run: make gofmt
@@ -27,7 +27,7 @@ jobs:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - name: Run Revive Action on KubeArmor
 uses: morphy2k/revive-action@v2
@@ -41,7 +41,7 @@ jobs:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - name: Run Revive Action on KubeArmor tests
 uses: morphy2k/revive-action@v2
@@ -55,7 +55,7 @@ jobs:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - name: Run Gosec Security Scanner
 run: make gosec
diff --git a/.github/workflows/ci-test-systemd.yml b/.github/workflows/ci-test-systemd.yml
index 9af1663fb..0ad2acf4a 100644
--- a/.github/workflows/ci-test-systemd.yml
+++ b/.github/workflows/ci-test-systemd.yml
@@ -27,7 +27,7 @@ jobs:
 - uses: actions/setup-go@v3
 with:
- go-version: v1.20
+ go-version: "v1.20"
 - name: Install the latest LLVM toolchain
 run: ./.github/workflows/install-llvm.sh
diff --git a/Dockerfile b/Dockerfile
index 5697f5a57..fd4fbfe6a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ FROM golang:1.20-alpine3.17 as builder
 RUN apk --no-cache update
-RUN apk add --no-cache bash git wget python3 linux-headers build-base clang clang-dev libc-dev llvm make gcc protobuf
+RUN apk add --no-cache git clang llvm make gcc protobuf
 WORKDIR /usr/src/KubeArmor
@@ -21,16 +21,12 @@ RUN make
 FROM alpine:3.17 as kubearmor
-RUN apk --no-cache update
 RUN echo "@community http://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories
-RUN echo "@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" | tee -a /etc/apk/repositories
 RUN apk --no-cache update
-RUN apk add bash curl procps
-RUN apk add apparmor@community apparmor-utils@community kubectl@testing
+RUN apk add apparmor@community apparmor-utils@community bash
 COPY --from=builder /usr/src/KubeArmor/KubeArmor/kubearmor /KubeArmor/kubearmor
 COPY --from=builder /usr/src/KubeArmor/KubeArmor/templates/* /KubeArmor/templates/
-
 ENTRYPOINT ["/KubeArmor/kubearmor"]
diff --git a/Dockerfile.init b/Dockerfile.init
index 34748ec57..0d04efe47 100644
--- a/Dockerfile.init
+++ b/Dockerfile.init
@@ -9,7 +9,7 @@ COPY ./KubeArmor/BPF/tests/main.go main.go
 COPY ./KubeArmor/BPF/tests/go.mod go.mod
 COPY ./KubeArmor/BPF/tests/go.sum go.sum
-RUN go build -o syscheck main.go
+RUN CGO_ENABLED=0 go build -o syscheck main.go
 ### Make compiler image
 FROM alpine:3.17 as kubearmor-init
@@ -21,7 +21,6 @@ RUN echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /e
 RUN apk --no-cache update
 RUN apk --no-cache add bash git clang llvm make gcc bpftool@edge
-
 COPY ./KubeArmor/BPF /KubeArmor/BPF/
 COPY ./KubeArmor/build/compile.sh /KubeArmor/compile.sh
 COPY --from=init-builder /usr/src/KubeArmor/syscheck /KubeArmor/BPF/tests/syscheck
diff --git a/KubeArmor/Makefile b/KubeArmor/Makefile
index d22f6c158..5a8f08d6d 100644
--- a/KubeArmor/Makefile
+++ b/KubeArmor/Makefile
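Review bot: The new `RUN apk add apparmor@community apparmor-utils@community bash` line in the runtime stage drops the `--no-cache` flag that the neighbouring `apk --no-cache update` and the builder stage's `apk add --no-cache` both use, so the downloaded package index is left behind in the final image layer; `RUN apk add --no-cache apparmor@community apparmor-utils@community bash` keeps the runtime image minimal. Separately, apparmor and apparmor-utils are still taken from the unpinned `edge/community` branch over plain http on top of an `alpine:3.17` base — apk verifies package signatures, so integrity holds, but every rebuild silently picks up whatever edge currently ships, which makes the image non-reproducible and hard to audit; if the 3.17 repositories carry an apparmor package it is the safer source, otherwise pin explicit `apparmor=<version>` constraints. Removing curl, procps and kubectl@testing does shrink what a process inside this container can reach for, which is the right direction.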
@@ -32,7 +32,7 @@ ifneq (, $(shell which llvm-strip))
 fi
 endif
 endif
- cd $(CURDIR); go build -ldflags "$(GIT_INFO)" -o kubearmor main.go
+ cd $(CURDIR); CGO_ENABLED=0 go build -ldflags "$(GIT_INFO)" -o kubearmor main.go
 .PHONY: protobuf
 protobuf:
diff --git a/KubeArmor/build/compile.sh b/KubeArmor/build/compile.sh
index 83e1d2718..dec60e8d5 100755
--- a/KubeArmor/build/compile.sh
+++ b/KubeArmor/build/compile.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2021 Authors of KubeArmor
@@ -11,4 +11,4 @@ else
 make
 fi
-cp *.bpf.o ignore.lst /opt/kubearmor/BPF/
\ No newline at end of file
+cp *.bpf.o ignore.lst /opt/kubearmor/BPF/
diff --git a/KubeArmor/core/dockerHandler.go b/KubeArmor/core/dockerHandler.go
index 26d881836..3c569aba9 100644
--- a/KubeArmor/core/dockerHandler.go
+++ b/KubeArmor/core/dockerHandler.go
@@ -5,7 +5,6 @@ package core
 import (
 "context"
- "encoding/json"
 "errors"
 "fmt"
 "os"
@@ -41,46 +40,34 @@ type DockerHandler struct {
 }
 // NewDockerHandler Function
-func NewDockerHandler() *DockerHandler {
+func NewDockerHandler() (*DockerHandler, error) {
 docker := &DockerHandler{}
- // specify the docker api version that we want to use
- // Versioned API: https://docs.docker.com/engine/api/
-
- versionStr, err := kl.GetCommandOutputWithErr("curl", []string{"--silent", "--unix-socket", strings.TrimPrefix(cfg.GlobalCfg.CRISocket, "unix://"), "http://localhost/version"})
+ // try to create a new docker client
+ // If env DOCKER_API_VERSION set - NegotiateAPIVersion() won't do anything
+ DockerClient, err := client.NewClientWithOpts(client.FromEnv)
 if err != nil {
- return nil
+ return nil, err
 }
+ DockerClient.NegotiateAPIVersion(context.Background())
+ clientVersion := DockerClient.ClientVersion()
- if err := json.Unmarshal([]byte(versionStr), &docker.Version); err != nil {
- kg.Warnf("Unable to get Docker version (%s)", err.Error())
- }
+ kg.Printf("Verifying Docker API client version: %s", clientVersion)
- apiVersion, _ := strconv.ParseFloat(docker.Version.APIVersion, 64)
-
- if apiVersion >= 1.39 {
- // downgrade the api version to 1.39
- if err := os.Setenv("DOCKER_API_VERSION", "1.39"); err != nil {
- kg.Warnf("Unable to set DOCKER_API_VERSION (%s)", err.Error())
- }
- } else {
- // set the current api version
- if err := os.Setenv("DOCKER_API_VERSION", docker.Version.APIVersion); err != nil {
- kg.Warnf("Unable to set DOCKER_API_VERSION (%s)", err.Error())
- }
+ serverVersion, err := DockerClient.ServerVersion(context.Background())
+ if err != nil {
+ return nil, err
 }
- // create a new client with the above env variable
-
- DockerClient, err := client.NewClientWithOpts(client.FromEnv)
- if err != nil {
- return nil
+ if clientVersion != serverVersion.APIVersion {
+ kg.Warnf("Docker client (%s) and Docker server (%s) API versions don't match", clientVersion, serverVersion.APIVersion)
 }
+ docker.DockerClient = DockerClient
- kg.Printf("Initialized Docker Handler (version: %s)", docker.Version.APIVersion)
+ kg.Printf("Initialized Docker Handler (version: %s)", clientVersion)
- return docker
+ return docker, nil
 }
 // Close Function
@@ -202,7 +189,11 @@ func (dm *KubeArmorDaemon) SetContainerVisibility(containerID string) {
 func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 // check if Docker exists else instantiate
 if Docker == nil {
- Docker = NewDockerHandler()
+ var err error
+ Docker, err = NewDockerHandler()
+ if err != nil {
+ dm.Logger.Errf("Failed to create new Docker client: %s", err)
+ }
 }
 if containerList, err := Docker.DockerClient.ContainerList(context.Background(), types.ContainerListOptions{}); err == nil {
@@ -278,6 +269,8 @@ func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() {
 dm.Logger.Printf("Detected a container (added/%.12s)", container.ContainerID)
 }
 }
+ } else {
+ dm.Logger.Warnf("Error while listing containers: %s", err)
 }
 }
@@ -425,7 +418,11 @@ func (dm *KubeArmorDaemon) MonitorDockerEvents() {
 // check if Docker exists else instantiate
 if Docker == nil {
- Docker = NewDockerHandler()
+ var err error
+ Docker, err = NewDockerHandler()
+ if err != nil {
+ dm.Logger.Errf("Failed to create new Docker client: %s", err)
+ }
 }
 dm.Logger.Print("Started to monitor Docker events")
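Review bot: `DockerClient.NegotiateAPIVersion(context.Background())` and `DockerClient.ServerVersion(context.Background())` in NewDockerHandler carry no deadline, so a hung or unresponsive Docker socket blocks this constructor — and whichever daemon startup path calls it — indefinitely; a bounded context such as `ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second); defer cancel()` passed to both calls fails fast (the import block is outside this hunk, so add `time` if it is not already there). The removed curl probe was also the only place `cfg.GlobalCfg.CRISocket` was read; the new client is built from `client.FromEnv` alone, so a non-default socket configured there is now silently ignored unless something like `client.WithHost(cfg.GlobalCfg.CRISocket)` is appended to the options. Replacing an exec of `curl` whose argument came from configuration with the SDK client is a clear improvement. If `DockerHandler` still declares the `Version` field the old code filled in, note that nothing populates it any more and any other reader will see its zero value.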
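Review bot: In GetAlreadyDeployedDockerContainers the new error branch logs the failure but falls through, so when `NewDockerHandler` returns an error `Docker` is still nil and the very next line, `Docker.DockerClient.ContainerList(...)`, dereferences a nil pointer and panics instead of surfacing the logged error; add a `return` after the log, i.e. `dm.Logger.Errf("Failed to create new Docker client: %s", err); return`. Leaving `Docker` nil on failure also means the next caller re-runs the constructor, which is fine as long as each caller guards the same way. The rest of this function continues past the end of the hunk.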
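Review bot: In MonitorDockerEvents the new error branch logs `Failed to create new Docker client` and then continues, printing "Started to monitor Docker events" for a client that was never created and leaving `Docker` nil for the event loop that follows; any later `Docker.DockerClient` access in this function will therefore dereference nil. Return right after the log, `dm.Logger.Errf("Failed to create new Docker client: %s", err); return`, so a missing Docker socket degrades to a logged error rather than a panic. The body of MonitorDockerEvents continues beyond this hunk, so the exact dereference site is not visible here, but nothing in the hunk prevents it.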