Merge pull request #1803 from Prateeknandle/csp-fix

fix(core):timeout when host & cluster security policies crds are not found
kubearmor · Jul 19, 2024 · 0d103cf · 0d103cf
2 parents 0144213 + 17a330d
commit 0d103cf
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 17 deletions.
diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
@@ -708,8 +708,8 @@ func KubeArmor() {
 
 	// == //
 
+	timeout, err := time.ParseDuration(cfg.GlobalCfg.InitTimeout)
 	if dm.K8sEnabled && cfg.GlobalCfg.Policy {
-		timeout, err := time.ParseDuration(cfg.GlobalCfg.InitTimeout)
 		if err != nil {
 			dm.Logger.Warnf("Not a valid InitTimeout duration: %q, defaulting to '60s'", cfg.GlobalCfg.InitTimeout)
 			timeout = 60 * time.Second
@@ -726,14 +726,12 @@ func KubeArmor() {
 		dm.Logger.Print("Started to monitor security policies")
 
 		// watch cluster security policies
-		clusterSecurityPoliciesSynced := dm.WatchClusterSecurityPolicies()
+		clusterSecurityPoliciesSynced := dm.WatchClusterSecurityPolicies(timeout)
 		if clusterSecurityPoliciesSynced == nil {
-			// destroy the daemon
-			dm.DestroyKubeArmorDaemon()
-
-			return
+			dm.Logger.Warn("error while monitoring cluster security policies, informer cache not synced")
+		} else {
+			dm.Logger.Print("Started to monitor cluster security policies")
 		}
-		dm.Logger.Print("Started to monitor cluster security policies")
 
 		// watch default posture
 		defaultPostureSynced := dm.WatchDefaultPosture()
@@ -776,8 +774,7 @@ func KubeArmor() {
 
 	if dm.K8sEnabled && cfg.GlobalCfg.HostPolicy {
 		// watch host security policies
-		go dm.WatchHostSecurityPolicies()
-		dm.Logger.Print("Started to monitor host security policies")
+		go dm.WatchHostSecurityPolicies(timeout)
 	}
 
 	if !dm.K8sEnabled && (enableContainerPolicy || cfg.GlobalCfg.HostPolicy) {

diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
@@ -1676,13 +1676,22 @@ func (dm *KubeArmorDaemon) WatchSecurityPolicies() cache.InformerSynced {
 }
 
 // WatchClusterSecurityPolicies Function
-func (dm *KubeArmorDaemon) WatchClusterSecurityPolicies() cache.InformerSynced {
-	for {
-		if !K8s.CheckCustomResourceDefinition("kubearmorclusterpolicies") {
-			time.Sleep(time.Second * 1)
-			continue
-		} else {
-			break
+func (dm *KubeArmorDaemon) WatchClusterSecurityPolicies(timeout time.Duration) cache.InformerSynced {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	crdFound := false
+	for !crdFound {
+		select {
+		case <-ctx.Done():
+			dm.Logger.Warn("timeout while monitoring cluster security policies, kubearmorclusterpolicies CRD not found")
+			return nil
+		default:
+			if K8s.CheckCustomResourceDefinition("kubearmorclusterpolicies") {
+				crdFound = true
+			} else {
+				time.Sleep(time.Second * 1)
+			}
 		}
 	}
 
@@ -2260,8 +2269,24 @@ func (dm *KubeArmorDaemon) ParseAndUpdateHostSecurityPolicy(event tp.K8sKubeArmo
 }
 
 // WatchHostSecurityPolicies Function
-func (dm *KubeArmorDaemon) WatchHostSecurityPolicies() {
+func (dm *KubeArmorDaemon) WatchHostSecurityPolicies(timeout time.Duration) {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
 	for {
+		select {
+		case <-ctx.Done():
+			dm.Logger.Warn("timeout while monitoring host security policies, kubearmorhostpolicies CRD not found")
+			return
+		default:
+			if !K8s.CheckCustomResourceDefinition("kubearmorhostpolicies") {
+				time.Sleep(time.Second * 1)
+				continue
+			}
+		}
+
+		dm.Logger.Print("Started to monitor host security policies")
+
 		if !K8s.CheckCustomResourceDefinition("kubearmorhostpolicies") {
 			time.Sleep(time.Second * 1)
 			continue