Merge pull request #1956 from Prateeknandle/nri-flag

adding NRI flag

Author: rksharma95

KubeArmor/config/config.go

@@ -29,6 +29,7 @@ type KubearmorConfig struct {
 	CRISocket         string // Container runtime to use
 	NRISocket         string // NRI socket to use
 	NRIIndex          string // NRI socket to use
+	NRIEnabled        bool   // enable NRI
 
 	Visibility     string // Container visibility to use
 	HostVisibility string // Host visibility to use
@@ -86,6 +87,7 @@ const (
 	ConfigCRISocket                      string = "criSocket"
 	ConfigNRISocket                      string = "nriSocket"
 	ConfigNRIIndex                       string = "nriIndex"
+	ConfigNRI                            string = "enableNRI"
 	ConfigVisibility                     string = "visibility"
 	ConfigHostVisibility                 string = "hostVisibility"
 	ConfigKubearmorPolicy                string = "enableKubeArmorPolicy"
@@ -128,6 +130,7 @@ func readCmdLineParams() {
 	criSocket := flag.String(ConfigCRISocket, "", "path to CRI socket (format: unix:///path/to/file.sock)")
 	nriSocket := flag.String(ConfigNRISocket, "", "path to NRI socket (format: /path/to/file.sock)")
 	nriIndex := flag.String(ConfigNRIIndex, "99", "NRI plugin index")
+	nriEnabled := flag.Bool(ConfigNRI, false, "enable NRI to get events from it")
 
 	visStr := flag.String(ConfigVisibility, "process,file,network,capabilities", "Container Visibility to use [process,file,network,capabilities,none]")
 	hostVisStr := flag.String(ConfigHostVisibility, "default", "Host Visibility to use [process,file,network,capabilities,none] (default \"none\" for k8s, \"process,file,network,capabilities\" for VM)")
@@ -193,6 +196,7 @@ func readCmdLineParams() {
 	viper.SetDefault(ConfigCRISocket, *criSocket)
 	viper.SetDefault(ConfigNRISocket, *nriSocket)
 	viper.SetDefault(ConfigNRIIndex, *nriIndex)
+	viper.SetDefault(ConfigNRI, *nriEnabled)
 
 	viper.SetDefault(ConfigVisibility, *visStr)
 	viper.SetDefault(ConfigHostVisibility, *hostVisStr)
@@ -291,6 +295,7 @@ func LoadConfig() error {
 		GlobalCfg.NRISocket = viper.GetString(ConfigNRISocket)
 	}
 	GlobalCfg.NRIIndex = viper.GetString(ConfigNRIIndex)
+	GlobalCfg.NRIEnabled = viper.GetBool(ConfigNRI)
 
 	GlobalCfg.Policy = viper.GetBool(ConfigKubearmorPolicy)
 	GlobalCfg.HostPolicy = viper.GetBool(ConfigKubearmorHostPolicy)

KubeArmor/core/containerdHandler.go

@@ -308,7 +308,7 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 		// get container information from containerd client
 		container, err := Containerd.GetContainerInfo(ctx, containerID, containerPid, dm.OwnerInfo)
 		if err != nil {
-			if strings.Contains(string(err.Error()), "pause container") {
+			if strings.Contains(string(err.Error()), "pause container") || strings.Contains(string(err.Error()), "moby") {
 				kg.Debug(err.Error())
 				return false
 			}

KubeArmor/core/kubeArmor.go

@@ -626,7 +626,7 @@ func KubeArmor() {
 				go dm.MonitorDockerEvents()
 			} else if strings.Contains(cfg.GlobalCfg.CRISocket, "containerd") {
 				// insuring NRI monitoring only in case containerd is present
-				if dm.checkNRIAvailability() {
+				if cfg.GlobalCfg.NRIEnabled && dm.checkNRIAvailability() {
 					// monitor NRI events
 					go dm.MonitorNRIEvents()
 				} else {

KubeArmor/core/nriHandler.go

@@ -64,6 +64,10 @@ func (dm *KubeArmorDaemon) NewNRIHandler(
 	opts := []stub.Option{
 		stub.WithSocketPath(cfg.GlobalCfg.NRISocket),
 		stub.WithPluginIdx(cfg.GlobalCfg.NRIIndex),
+		stub.WithOnClose(func() {
+			kg.Printf("restarting NRI")
+			nri.Start()
+		}),
 	}
 
 	stub, err := stub.New(nri, opts...)

KubeArmor/go.mod

@@ -25,7 +25,7 @@ replace (
 
 require (
 	github.com/Masterminds/sprig/v3 v3.3.0
-	github.com/cilium/cilium v1.16.5
+	github.com/cilium/cilium v1.16.6
 	github.com/cilium/ebpf v0.17.1
 	github.com/containerd/containerd/api v1.8.0
 	github.com/containerd/containerd/v2 v2.0.2

KubeArmor/go.sum

@@ -29,8 +29,8 @@ github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyY
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cilium/cilium v1.16.5 h1:ecjhh98fl6Ki641+8Cdb0oynsy3toQ+oPLCSI3d+KLE=
-github.com/cilium/cilium v1.16.5/go.mod h1:EqOosPzJuv28Hz3Ulz6cCXfYKbll7vbIwMGZU5houOw=
+github.com/cilium/cilium v1.16.6 h1:KRQn5knO48ERxB6SusQo02nYmE0NO0qiLlvqhwBTXbI=
+github.com/cilium/cilium v1.16.6/go.mod h1:NnDWQiYmPef24+pX2U/V85uL8eUTJSFUUjMEy41lGPA=
 github.com/cilium/ebpf v0.17.1 h1:G8mzU81R2JA1nE5/8SRubzqvBMmAmri2VL8BIZPWvV0=
 github.com/cilium/ebpf v0.17.1/go.mod h1:vay2FaYSmIlv3r8dNACd4mW/OCaZLJKJOo+IHBvCIO8=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=

deployments/helm/KubeArmorOperator/README.md

@@ -62,6 +62,12 @@ spec:
     # default visibility configuration
     defaultVisibility: [comma separated: process|file|network] # DEFAULT - process,network
 
+    # enabling NRI
+    # Naming convention for kubearmor daemonset in case of NRI will be effective only when initally NRI is available & enabled. 
+    # In case snitch service account token is already present before its deployment, the naming convention won't show NRI, 
+    # it will be based on the runtime present. This happens because operator won't get KubearmorConfig event(initially).
+    enableNRI: [true|false] # DEFAULT - false
+
     # KubeArmor image and pull policy
     kubearmorImage:
         image: [image-repo:tag]                                # DEFAULT - kubearmor/kubearmor:stable

deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml

@@ -89,6 +89,8 @@ spec:
                 type: string
               defaultVisibility:
                 type: string
+              enableNRI:
+                type: boolean
               enableStdOutAlerts:
                 type: boolean
               enableStdOutLogs:
@@ -102,10 +104,13 @@ spec:
                     referenced object inside the same namespace.
                   properties:
                     name:
+                      default: ""
                       description: |-
                         Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        TODO: Add other useful fields. apiVersion, kind, uid?
                       type: string
                   type: object
                   x-kubernetes-map-type: atomic
@@ -172,10 +177,13 @@ spec:
                         referenced object inside the same namespace.
                       properties:
                         name:
+                          default: ""
                           description: |-
                             Name of the referent.
+                            This field is effectively required, but due to backwards compatibility is
+                            allowed to be empty. Instances of this type with an empty value here are
+                            almost certainly wrong.
                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            TODO: Add other useful fields. apiVersion, kind, uid?
                           type: string
                       type: object
                       x-kubernetes-map-type: atomic
@@ -242,10 +250,13 @@ spec:
                         referenced object inside the same namespace.
                       properties:
                         name:
+                          default: ""
                           description: |-
                             Name of the referent.
+                            This field is effectively required, but due to backwards compatibility is
+                            allowed to be empty. Instances of this type with an empty value here are
+                            almost certainly wrong.
                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            TODO: Add other useful fields. apiVersion, kind, uid?
                           type: string
                       type: object
                       x-kubernetes-map-type: atomic
@@ -312,10 +323,13 @@ spec:
                         referenced object inside the same namespace.
                       properties:
                         name:
+                          default: ""
                           description: |-
                             Name of the referent.
+                            This field is effectively required, but due to backwards compatibility is
+                            allowed to be empty. Instances of this type with an empty value here are
+                            almost certainly wrong.
                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            TODO: Add other useful fields. apiVersion, kind, uid?
                           type: string
                       type: object
                       x-kubernetes-map-type: atomic
@@ -382,10 +396,13 @@ spec:
                         referenced object inside the same namespace.
                       properties:
                         name:
+                          default: ""
                           description: |-
                             Name of the referent.
+                            This field is effectively required, but due to backwards compatibility is
+                            allowed to be empty. Instances of this type with an empty value here are
+                            almost certainly wrong.
                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            TODO: Add other useful fields. apiVersion, kind, uid?
                           type: string
                       type: object
                       x-kubernetes-map-type: atomic
@@ -452,10 +469,13 @@ spec:
                         referenced object inside the same namespace.
                       properties:
                         name:
+                          default: ""
                           description: |-
                             Name of the referent.
+                            This field is effectively required, but due to backwards compatibility is
+                            allowed to be empty. Instances of this type with an empty value here are
+                            almost certainly wrong.
                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            TODO: Add other useful fields. apiVersion, kind, uid?
                           type: string
                       type: object
                       x-kubernetes-map-type: atomic
@@ -553,9 +573,6 @@ spec:
               message:
                 type: string
               phase:
-                description: |-
-                  INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-                  Important: Run "make" to regenerate code after modifying this file
                 type: string
             type: object
         type: object