
Commit 0449317

Refactor: Endpoint and map creation
Signed-off-by: Rishabh Soni <[email protected]>
1 parent a8650b1 commit 0449317


5 files changed

+106
-247
lines changed


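--- a/KubeArmor/core/containerdHandler.go
+++ b/KubeArmor/core/containerdHandler.go
@@ -335,61 +335,11 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 }
 }
 
-switch endPointEvent {
-case "ADDED":
-endPoint.EndPointName = container.ContainerName
-endPoint.ContainerName = container.ContainerName
-endPoint.NamespaceName = container.NamespaceName
-
-endPoint.Containers = []string{container.ContainerID}
-
-endPoint.Labels = containerLabels
-endPoint.Identities = containerIdentities
-
-endPoint.PolicyEnabled = tp.KubeArmorPolicyEnabled
-endPoint.ProcessVisibilityEnabled = true
-endPoint.FileVisibilityEnabled = true
-endPoint.NetworkVisibilityEnabled = true
-endPoint.CapabilitiesVisibilityEnabled = true
-
-endPoint.AppArmorProfiles = []string{"kubearmor_" + container.ContainerName}
-
-globalDefaultPosture := tp.DefaultPosture{
-FileAction: cfg.GlobalCfg.DefaultFilePosture,
-NetworkAction: cfg.GlobalCfg.DefaultNetworkPosture,
-CapabilitiesAction: cfg.GlobalCfg.DefaultCapabilitiesPosture,
-}
-endPoint.DefaultPosture = globalDefaultPosture
-
-dm.SecurityPoliciesLock.RLock()
-for _, secPol := range dm.SecurityPolicies {
-if kl.MatchIdentities(secPol.Spec.Selector.Identities, endPoint.Identities) {
-endPoint.SecurityPolicies = append(endPoint.SecurityPolicies, secPol)
-}
-}
-dm.SecurityPoliciesLock.RUnlock()
-
-dm.EndPoints = append(dm.EndPoints, endPoint)
-case "UPDATED":
-// in case of AppArmor enforcement when endPoint has to be created first
-endPoint.Containers = append(endPoint.Containers, container.ContainerID)
-
-// if this container has any additional identities, add them
-endPoint.Identities = append(endPoint.Identities, containerIdentities...)
-endPoint.Identities = slices.Compact(endPoint.Identities)
-
-// add other policies
-endPoint.SecurityPolicies = []tp.SecurityPolicy{}
-dm.SecurityPoliciesLock.RLock()
-for _, secPol := range dm.SecurityPolicies {
-if kl.MatchIdentities(secPol.Spec.Selector.Identities, endPoint.Identities) {
-endPoint.SecurityPolicies = append(endPoint.SecurityPolicies, secPol)
-}
-}
-dm.SecurityPoliciesLock.RUnlock()
-
+dm.CreateEndpoint(&endPoint, container, containerLabels, containerIdentities, endPointEvent)
+if endPointEvent == "UPDATED" {
 dm.EndPoints[endPointIdx] = endPoint
 }
+
 dm.EndPointsLock.Unlock()
 }
 
@@ -457,23 +407,7 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 }
 
 if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
-// for throttling
-dm.SystemMonitor.Logger.ContainerNsKey[containerID] = common.OuterKey{
-MntNs: container.MntNS,
-PidNs: container.PidNS,
-}
-
-// update NsMap
-dm.SystemMonitor.AddContainerIDToNsMap(containerID, container.NamespaceName, container.PidNS, container.MntNS)
-dm.RuntimeEnforcer.RegisterContainer(containerID, container.PidNS, container.MntNS)
-
-if len(endPoint.SecurityPolicies) > 0 { // struct can be empty or no policies registered for the endPoint yet
-dm.Logger.UpdateSecurityPolicies("ADDED", endPoint)
-if dm.RuntimeEnforcer != nil && endPoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
-// enforce security policies
-dm.RuntimeEnforcer.UpdateSecurityPolicies(endPoint)
-}
-}
+dm.PopulateMaps(endPoint, container)
 }
 
 if cfg.GlobalCfg.StateAgent {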
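Review bot: `dm.CreateEndpoint(&endPoint, container, containerLabels, containerIdentities, endPointEvent)` at new line 338 runs while `dm.EndPointsLock` is held (the `Unlock()` follows three lines later), and the inline code it replaces both took `dm.SecurityPoliciesLock.RLock()` inside that window and, on `"ADDED"`, appended to `dm.EndPoints`; the helper is defined in one of the two files not shown here, so this hunk gives no way to confirm it keeps the same locking discipline. Its doc comment should make the contract explicit, e.g. `// CreateEndpoint fills endPoint for an ADDED or UPDATED event and, on ADDED, appends it to dm.EndPoints. The caller must hold dm.EndPointsLock; the function acquires dm.SecurityPoliciesLock itself and must not take dm.EndPointsLock.` Leaving the `"UPDATED"` write-back `dm.EndPoints[endPointIdx] = endPoint` at the call site while the `"ADDED"` append presumably moved into the helper splits the two writes to `dm.EndPoints` across two places, which is worth either a comment here or folding the write-back into the helper. The same shape appears in the corresponding hunks of dockerHandler.go and hookHandler.go.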

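--- a/KubeArmor/core/dockerHandler.go
+++ b/KubeArmor/core/dockerHandler.go
@@ -496,61 +496,11 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
 }
 }
 
-switch endPointEvent {
-case "ADDED":
-endPoint.EndPointName = container.ContainerName
-endPoint.ContainerName = container.ContainerName
-endPoint.NamespaceName = container.NamespaceName
-
-endPoint.Containers = []string{container.ContainerID}
-
-endPoint.Labels = containerLabels
-endPoint.Identities = containerIdentities
-
-endPoint.PolicyEnabled = tp.KubeArmorPolicyEnabled
-endPoint.ProcessVisibilityEnabled = true
-endPoint.FileVisibilityEnabled = true
-endPoint.NetworkVisibilityEnabled = true
-endPoint.CapabilitiesVisibilityEnabled = true
-
-endPoint.AppArmorProfiles = []string{"kubearmor_" + container.ContainerName}
-
-globalDefaultPosture := tp.DefaultPosture{
-FileAction: cfg.GlobalCfg.DefaultFilePosture,
-NetworkAction: cfg.GlobalCfg.DefaultNetworkPosture,
-CapabilitiesAction: cfg.GlobalCfg.DefaultCapabilitiesPosture,
-}
-endPoint.DefaultPosture = globalDefaultPosture
-
-dm.SecurityPoliciesLock.RLock()
-for _, secPol := range dm.SecurityPolicies {
-if kl.MatchIdentities(secPol.Spec.Selector.Identities, endPoint.Identities) {
-endPoint.SecurityPolicies = append(endPoint.SecurityPolicies, secPol)
-}
-}
-dm.SecurityPoliciesLock.RUnlock()
-
-dm.EndPoints = append(dm.EndPoints, endPoint)
-case "UPDATED":
-// in case of AppArmor enforcement when endpoint has to be created first
-endPoint.Containers = append(endPoint.Containers, container.ContainerID)
-
-// if this container has any additional identities, add them
-endPoint.Identities = append(endPoint.Identities, containerIdentities...)
-endPoint.Identities = slices.Compact(endPoint.Identities)
-
-// add other policies
-endPoint.SecurityPolicies = []tp.SecurityPolicy{}
-dm.SecurityPoliciesLock.RLock()
-for _, secPol := range dm.SecurityPolicies {
-if kl.MatchIdentities(secPol.Spec.Selector.Identities, endPoint.Identities) {
-endPoint.SecurityPolicies = append(endPoint.SecurityPolicies, secPol)
-}
-}
-dm.SecurityPoliciesLock.RUnlock()
-
+dm.CreateEndpoint(&endPoint, container, containerLabels, containerIdentities, endPointEvent)
+if endPointEvent == "UPDATED" {
 dm.EndPoints[endPointIdx] = endPoint
 }
+
 dm.EndPointsLock.Unlock()
 }
 
@@ -607,23 +557,7 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) {
 }
 
 if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
-// for throttling
-dm.SystemMonitor.Logger.ContainerNsKey[containerID] = common.OuterKey{
-MntNs: container.MntNS,
-PidNs: container.PidNS,
-}
-
-// update NsMap
-dm.SystemMonitor.AddContainerIDToNsMap(containerID, container.NamespaceName, container.PidNS, container.MntNS)
-dm.RuntimeEnforcer.RegisterContainer(containerID, container.PidNS, container.MntNS)
-
-if len(endPoint.SecurityPolicies) > 0 { // struct can be empty or no policies registered for the endpoint yet
-dm.Logger.UpdateSecurityPolicies("ADDED", endPoint)
-if dm.RuntimeEnforcer != nil && endPoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
-// enforce security policies
-dm.RuntimeEnforcer.UpdateSecurityPolicies(endPoint)
-}
-}
+dm.PopulateMaps(endPoint, container)
 }
 
 if cfg.GlobalCfg.StateAgent {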
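Review bot: The block that `dm.PopulateMaps(endPoint, container)` at new line 560 replaces called `dm.RuntimeEnforcer.RegisterContainer(...)` unconditionally and only tested `dm.RuntimeEnforcer != nil` a few lines further down, and the surrounding `if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy` guard that survives here covers only the monitor; since the helper's body is in a file not shown in this commit, nothing in the hunk shows whether the enforcer nil-check moved with the registration or is still applied only to `UpdateSecurityPolicies`. The helper is the natural place to guard `dm.RuntimeEnforcer` once before `RegisterContainer`, and its doc comment should record the precondition the call site still enforces, e.g. `// PopulateMaps registers the container's namespaces with the monitor and enforcer and applies the endpoint's policies; callers must check dm.SystemMonitor != nil and cfg.GlobalCfg.Policy first.` Passing `endPoint` by value is fine for the reads the removed code did, but if the helper is ever meant to mutate it, that will be silently lost. The same replacement is made in containerdHandler.go and hookHandler.go, so one fix in the helper covers all three.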

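--- a/KubeArmor/core/hookHandler.go
+++ b/KubeArmor/core/hookHandler.go
@@ -37,7 +37,9 @@ func (dm *KubeArmorDaemon) HandleFile(file string) {
 break
 }
 }
-f.Close()
+
+defer f.Close()
+
 w, err := fsnotify.NewWatcher()
 if err != nil {
 log.Fatal("Error creating new watcher:", err)
@@ -92,60 +94,6 @@ func (dm *KubeArmorDaemon) HandleFile(file string) {
 }
 
 func (dm *KubeArmorDaemon) handleContainerCreate(container tp.Container) {
-// endpoint := types.EndPoint{}
-
-// dm.ContainersLock.Lock()
-// defer dm.ContainersLock.Unlock()
-// if _, ok := dm.Containers[container.ContainerID]; !ok {
-// dm.Containers[container.ContainerID] = container
-// } else if dm.Containers[container.ContainerID].PidNS == 0 && dm.Containers[container.ContainerID].MntNS == 0 {
-// c := dm.Containers[container.ContainerID]
-// c.MntNS = container.MntNS
-// c.PidNS = container.PidNS
-// c.AppArmorProfile = container.AppArmorProfile
-// dm.Containers[c.ContainerID] = c
-// dm.EndPointsLock.Lock()
-// for idx, endPoint := range dm.EndPoints {
-// if endPoint.NamespaceName == container.NamespaceName && endPoint.EndPointName == container.EndPointName && kl.ContainsElement(endPoint.Containers, container.ContainerID) {
-
-// // update apparmor profiles
-// if !kl.ContainsElement(endPoint.AppArmorProfiles, container.AppArmorProfile) {
-// dm.EndPoints[idx].AppArmorProfiles = append(dm.EndPoints[idx].AppArmorProfiles, container.AppArmorProfile)
-// }
-
-// if container.Privileged && dm.EndPoints[idx].PrivilegedContainers != nil {
-// dm.EndPoints[idx].PrivilegedContainers[container.ContainerName] = struct{}{}
-// }
-
-// endpoint = dm.EndPoints[idx]
-
-// break
-// }
-// }
-// dm.EndPointsLock.Unlock()
-// }
-
-// if len(dm.OwnerInfo) > 0 {
-// container.Owner = dm.OwnerInfo[container.EndPointName]
-// }
-
-// if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
-// dm.SystemMonitor.AddContainerIDToNsMap(container.ContainerID, container.NamespaceName, container.PidNS, container.MntNS)
-// dm.RuntimeEnforcer.RegisterContainer(container.ContainerID, container.PidNS, container.MntNS)
-
-// if len(endpoint.SecurityPolicies) > 0 { // struct can be empty or no policies registered for the endpoint yet
-// dm.Logger.UpdateSecurityPolicies("ADDED", endpoint)
-// if dm.RuntimeEnforcer != nil && endpoint.PolicyEnabled == types.KubeArmorPolicyEnabled {
-// // enforce security policies
-// dm.RuntimeEnforcer.UpdateSecurityPolicies(endpoint)
-// }
-// }
-// }
-
-// if container.ContainerID == "" {
-// return false
-// }
-
 endPoint := tp.EndPoint{}
 
 dm.ContainersLock.Lock()
@@ -164,36 +112,7 @@ func (dm *KubeArmorDaemon) handleContainerCreate(container tp.Container) {
 
 containerLabels, containerIdentities := kl.GetLabelsFromString(container.Labels)
 dm.EndPointsLock.Lock()
-
-endPoint.EndPointName = container.ContainerName
-endPoint.NamespaceName = container.NamespaceName
-endPoint.Containers = []string{container.ContainerID}
-endPoint.Labels = containerLabels
-endPoint.Identities = containerIdentities
-endPoint.PolicyEnabled = tp.KubeArmorPolicyEnabled
-endPoint.ProcessVisibilityEnabled = true
-endPoint.FileVisibilityEnabled = true
-endPoint.NetworkVisibilityEnabled = true
-endPoint.CapabilitiesVisibilityEnabled = true
-
-endPoint.AppArmorProfiles = []string{"kubearmor_" + container.ContainerName}
-
-globalDefaultPosture := tp.DefaultPosture{
-FileAction: cfg.GlobalCfg.DefaultFilePosture,
-NetworkAction: cfg.GlobalCfg.DefaultNetworkPosture,
-CapabilitiesAction: cfg.GlobalCfg.DefaultCapabilitiesPosture,
-}
-endPoint.DefaultPosture = globalDefaultPosture
-
-dm.SecurityPoliciesLock.RLock()
-for _, secPol := range dm.SecurityPolicies {
-if kl.MatchIdentities(secPol.Spec.Selector.Identities, endPoint.Identities) {
-endPoint.SecurityPolicies = append(endPoint.SecurityPolicies, secPol)
-}
-}
-dm.SecurityPoliciesLock.RUnlock()
-
-dm.EndPoints = append(dm.EndPoints, endPoint)
+dm.CreateEndpoint(&endPoint, container, containerLabels, containerIdentities, "ADDED")
 dm.EndPointsLock.Unlock()
 }
 } else if dm.Containers[container.ContainerID].PidNS == 0 && dm.Containers[container.ContainerID].MntNS == 0 {
@@ -229,23 +148,7 @@ func (dm *KubeArmorDaemon) handleContainerCreate(container tp.Container) {
 }
 
 if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
-// for throttling
-dm.SystemMonitor.Logger.ContainerNsKey[container.ContainerID] = kl.OuterKey{
-MntNs: container.MntNS,
-PidNs: container.PidNS,
-}
-
-// update NsMap
-dm.SystemMonitor.AddContainerIDToNsMap(container.ContainerID, container.NamespaceName, container.PidNS, container.MntNS)
-dm.RuntimeEnforcer.RegisterContainer(container.ContainerID, container.PidNS, container.MntNS)
-
-if len(endPoint.SecurityPolicies) > 0 { // struct can be empty or no policies registered for the endPoint yet
-dm.Logger.UpdateSecurityPolicies("ADDED", endPoint)
-if dm.RuntimeEnforcer != nil && endPoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
-// enforce security policies
-dm.RuntimeEnforcer.UpdateSecurityPolicies(endPoint)
-}
-}
+dm.PopulateMaps(endPoint, container)
 }
 
 if cfg.GlobalCfg.StateAgent {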
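Review bot: Replacing `f.Close()` with `defer f.Close()` at new line 41 is a regression rather than a cleanup: the read loop that ends at line 39 is already done with the file, and the function then goes on to build an fsnotify watcher, which from the visible lines looks like a long-lived watch, so the descriptor would now stay open for as long as HandleFile runs, and `log.Fatal` at line 45 exits without running deferred calls anyway. Keep the immediate `f.Close()` here, or if the intent is to cover the early-exit paths in the loop, place `defer f.Close()` directly after the open call, which lies before the hunk. The open, the loop's start and the rest of HandleFile are all outside this hunk. Separately, the removed hook-specific block at old lines 168-196 did not set `endPoint.ContainerName` while the equivalent blocks removed from containerdHandler.go and dockerHandler.go did, so routing this path through the shared `CreateEndpoint` at new line 115 plausibly changes which fields the hook-created endpoint carries; that is worth a sentence in the commit message.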
