Merge branch 'main' into main

kubearmor · Dec 22, 2024 · d6a8a90 · d6a8a90
2 parents a3cd24e + 3dee887
commit d6a8a90
Show file tree

Hide file tree

Showing 40 changed files with 1,396 additions and 161 deletions.
diff --git a/.github/workflows/ci-latest-release.yml b/.github/workflows/ci-latest-release.yml
@@ -47,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest-16-cores
     permissions:
       id-token: write
-    timeout-minutes: 120
+    timeout-minutes: 150
     steps:
       - uses: actions/checkout@v3
         with:
@@ -109,7 +109,7 @@ jobs:
       - name: Test KubeArmor using Ginkgo
         run: |
           go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
-          make
+          ginkgo --vv --flake-attempts=10 --timeout=10m smoke/
         working-directory: ./tests/k8s_env
         timeout-minutes: 30
 

diff --git a/Dockerfile b/Dockerfile
@@ -83,6 +83,7 @@ ENV KUBEARMOR_UBI=true
 
 LABEL name="kubearmor" \
       vendor="Accuknox" \
+      maintainer="Barun Acharya, Ramakant Sharma" \
       version=${VERSION} \
       release=${VERSION} \
       summary="kubearmor container image based on redhat ubi" \
@@ -119,6 +120,7 @@ ENV KUBEARMOR_UBI=true
 
 LABEL name="kubearmor" \
       vendor="Accuknox" \
+      maintainer="Barun Acharya, Ramakant Sharma" \
       version=${VERSION} \
       release=${VERSION} \
       summary="kubearmor container image based on redhat ubi" \

diff --git a/Dockerfile.init b/Dockerfile.init
@@ -8,6 +8,7 @@ ARG VERSION=latest
 
 LABEL name="kubearmor-init" \
       vendor="Accuknox" \
+      maintainer="Barun Acharya, Ramakant Sharma" \
       version=${VERSION} \
       release=${VERSION} \
       summary="kubearmor-init container image based on redhat ubi" \

diff --git a/KubeArmor/common/common.go b/KubeArmor/common/common.go
@@ -18,6 +18,7 @@ import (
 	"sort"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	kc "github.com/kubearmor/KubeArmor/KubeArmor/config"
@@ -291,7 +292,11 @@ func GetCommandOutputWithoutErr(cmd string, args []string) string {
 		return ""
 	}
 
+	var wg sync.WaitGroup
+	wg.Add(1)
+
 	go func() {
+		defer wg.Done()
 		defer func() {
 			if err = stdin.Close(); err != nil {
 				kg.Warnf("Error closing stdin %s\n", err)
@@ -300,6 +305,9 @@ func GetCommandOutputWithoutErr(cmd string, args []string) string {
 		_, _ = io.WriteString(stdin, "values written to stdin are passed to cmd's standard input")
 	}()
 
+	// Wait for the stdin writing to complete
+	wg.Wait()
+
 	out, err := res.CombinedOutput()
 	if err != nil {
 		return ""

diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go
@@ -245,6 +245,7 @@ func LoadConfig() error {
 	if cfgfile == "" {
 		cfgfile = "kubearmor.yaml"
 	}
+
 	if _, err := os.Stat(cfgfile); err == nil {
 		kg.Printf("setting config from file [%s]", cfgfile)
 		viper.SetConfigFile(cfgfile)
@@ -254,6 +255,8 @@ func LoadConfig() error {
 		}
 	}
 
+	kg.Printf("Configuration [%+v]", GlobalCfg)
+
 	GlobalCfg.Cluster = viper.GetString(ConfigCluster)
 	GlobalCfg.Host = viper.GetString(ConfigHost)
 	if hostname, err := os.Hostname(); GlobalCfg.Host == "" && err == nil {
@@ -275,39 +278,18 @@ func LoadConfig() error {
 		return fmt.Errorf("CRI socket must start with 'unix://' (%s is invalid)", GlobalCfg.CRISocket)
 	}
 
-	GlobalCfg.Visibility = viper.GetString(ConfigVisibility)
-	GlobalCfg.HostVisibility = viper.GetString(ConfigHostVisibility)
-
 	GlobalCfg.Policy = viper.GetBool(ConfigKubearmorPolicy)
 	GlobalCfg.HostPolicy = viper.GetBool(ConfigKubearmorHostPolicy)
 	GlobalCfg.KVMAgent = viper.GetBool(ConfigKubearmorVM)
 	GlobalCfg.K8sEnv = viper.GetBool(ConfigK8sEnv)
 
 	GlobalCfg.Debug = viper.GetBool(ConfigDebug)
 
-	GlobalCfg.DefaultFilePosture = viper.GetString(ConfigDefaultFilePosture)
-	GlobalCfg.DefaultNetworkPosture = viper.GetString(ConfigDefaultNetworkPosture)
-	GlobalCfg.DefaultCapabilitiesPosture = viper.GetString(ConfigDefaultCapabilitiesPosture)
-
-	GlobalCfg.HostDefaultFilePosture = viper.GetString(ConfigHostDefaultFilePosture)
-	GlobalCfg.HostDefaultNetworkPosture = viper.GetString(ConfigHostDefaultNetworkPosture)
-	GlobalCfg.HostDefaultCapabilitiesPosture = viper.GetString(ConfigHostDefaultCapabilitiesPosture)
-
-	kg.Printf("Configuration [%+v]", GlobalCfg)
-
 	if GlobalCfg.KVMAgent {
 		GlobalCfg.Policy = false
 		GlobalCfg.HostPolicy = true
 	}
 
-	if GlobalCfg.HostVisibility == "default" {
-		if GlobalCfg.KVMAgent || (!GlobalCfg.K8sEnv && GlobalCfg.HostPolicy) {
-			GlobalCfg.HostVisibility = "process,file,network,capabilities"
-		} else { // k8s
-			GlobalCfg.HostVisibility = "none"
-		}
-	}
-
 	GlobalCfg.CoverageTest = viper.GetBool(ConfigCoverageTest)
 
 	GlobalCfg.ConfigUntrackedNs = strings.Split(viper.GetString(ConfigUntrackedNs), ",")
@@ -316,22 +298,46 @@ func LoadConfig() error {
 
 	GlobalCfg.BPFFsPath = viper.GetString(BPFFsPath)
 
-	GlobalCfg.EnforcerAlerts = viper.GetBool(EnforcerAlerts)
-
-	GlobalCfg.DefaultPostureLogs = viper.GetBool(ConfigDefaultPostureLogs)
-
 	GlobalCfg.InitTimeout = viper.GetString(ConfigInitTimeout)
 
 	GlobalCfg.StateAgent = viper.GetBool(ConfigStateAgent)
 
-	GlobalCfg.AlertThrottling = viper.GetBool(ConfigAlertThrottling)
-	GlobalCfg.MaxAlertPerSec = int32(viper.GetInt(ConfigMaxAlertPerSec))
-	GlobalCfg.ThrottleSec = int32(viper.GetInt(ConfigThrottleSec))
 	GlobalCfg.AnnotateResources = viper.GetBool(ConfigAnnotateResources)
 
 	GlobalCfg.ProcFsMount = viper.GetString(ConfigProcFsMount)
 
+	LoadDynamicConfig()
+
 	kg.Printf("Final Configuration [%+v]", GlobalCfg)
 
 	return nil
 }
+
+// LoadDynamicConfig set dynamic configuration which can be updated at runtime without restarting kubearmor
+func LoadDynamicConfig() {
+	GlobalCfg.DefaultFilePosture = viper.GetString(ConfigDefaultFilePosture)
+	GlobalCfg.DefaultNetworkPosture = viper.GetString(ConfigDefaultNetworkPosture)
+	GlobalCfg.DefaultCapabilitiesPosture = viper.GetString(ConfigDefaultCapabilitiesPosture)
+
+	GlobalCfg.HostDefaultFilePosture = viper.GetString(ConfigHostDefaultFilePosture)
+	GlobalCfg.HostDefaultNetworkPosture = viper.GetString(ConfigHostDefaultNetworkPosture)
+	GlobalCfg.HostDefaultCapabilitiesPosture = viper.GetString(ConfigHostDefaultCapabilitiesPosture)
+
+	GlobalCfg.Visibility = viper.GetString(ConfigVisibility)
+	GlobalCfg.HostVisibility = viper.GetString(ConfigHostVisibility)
+
+	if GlobalCfg.HostVisibility == "default" {
+		if GlobalCfg.KVMAgent || (!GlobalCfg.K8sEnv && GlobalCfg.HostPolicy) {
+			GlobalCfg.HostVisibility = "process,file,network,capabilities"
+		} else { // k8s
+			GlobalCfg.HostVisibility = "none"
+		}
+	}
+
+	GlobalCfg.EnforcerAlerts = viper.GetBool(EnforcerAlerts)
+	GlobalCfg.DefaultPostureLogs = viper.GetBool(ConfigDefaultPostureLogs)
+
+	GlobalCfg.AlertThrottling = viper.GetBool(ConfigAlertThrottling)
+	GlobalCfg.MaxAlertPerSec = int32(viper.GetInt(ConfigMaxAlertPerSec))
+	GlobalCfg.ThrottleSec = int32(viper.GetInt(ConfigThrottleSec))
+}
diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
@@ -413,6 +413,8 @@ func KubeArmor() {
 		dm.Node.KernelVersion = kl.GetCommandOutputWithoutErr("uname", []string{"-r"})
 		dm.Node.KernelVersion = strings.TrimSuffix(dm.Node.KernelVersion, "\n")
 
+		dm.WatchConfigChanges()
+
 		dm.NodeLock.Unlock()
 
 	} else if cfg.GlobalCfg.K8sEnv {