From f45729fdffeb3094764905206fa865856020e1e9 Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Mon, 9 Oct 2023 20:51:05 +0530 Subject: [PATCH 1/8] send protected objects with state agent Signed-off-by: Rudraksh Pareek --- KubeArmor/common/common.go | 54 ++++ KubeArmor/config/config.go | 17 ++ KubeArmor/core/containerdHandler.go | 43 ++++ KubeArmor/core/dockerHandler.go | 78 ++++++ KubeArmor/core/kubeArmor.go | 61 +++++ KubeArmor/state/data.go | 154 +++++++++++ KubeArmor/state/stateAgent.go | 383 ++++++++++++++++++++++++++++ KubeArmor/types/types.go | 15 ++ protobuf/Makefile | 2 +- protobuf/state.pb.go | 316 +++++++++++++++++++++++ protobuf/state.proto | 30 +++ protobuf/state_grpc.pb.go | 208 +++++++++++++++ 12 files changed, 1360 insertions(+), 1 deletion(-) create mode 100644 KubeArmor/state/data.go create mode 100644 KubeArmor/state/stateAgent.go create mode 100644 protobuf/state.pb.go create mode 100644 protobuf/state.proto create mode 100644 protobuf/state_grpc.pb.go diff --git a/KubeArmor/common/common.go b/KubeArmor/common/common.go index 3271cf7202..3adcf1e97b 100644 --- a/KubeArmor/common/common.go +++ b/KubeArmor/common/common.go @@ -9,6 +9,7 @@ import ( "fmt" "io" "net" + "net/url" "os" "os/exec" "path/filepath" @@ -19,6 +20,8 @@ import ( kc "github.com/kubearmor/KubeArmor/KubeArmor/config" kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -375,6 +378,12 @@ func IsK8sEnv() bool { return false } +// IsECSEnv Function +func IsECSEnv() bool { + _, ok := os.LookupEnv("ECS_CONTAINER_METADATA_URI_V4") + return ok +} + // ContainerRuntimeSocketMap Structure var ContainerRuntimeSocketMap = map[string][]string{ "docker": { @@ -456,3 +465,48 @@ func WriteToFile(val interface{}, destFile string) error { } return nil } + +// ParseURL with/without scheme and return host, port or error +func ParseURL(address string) (string, string, error) { + var host string + port := "80" + + addr, err := url.Parse(address) + if err != nil || addr.Host == "" { + // URL without scheme + u, repErr := url.ParseRequestURI("http://" + address) + if repErr != nil { + return "", "", fmt.Errorf("Error while parsing URL: %s", err) + } + + addr = u + } + + if addr.Port() != "" { + host = strings.Split(addr.Host, ":")[0] + port = addr.Port() + } + + return host, port, nil +} + +// handle gRPC errors +func HandleGRPCErrors(err error) error { + if err == nil { + return nil + } + + if status, ok := status.FromError(err); ok { + switch status.Code() { + case codes.OK: + // noop + return nil + //case codes.Unavailable, codes.Canceled, codes.DeadlineExceeded: + // return status.Err() + default: + return status.Err() + } + } + + return nil +} diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go index ab384f50b6..3931a5440b 100644 --- a/KubeArmor/config/config.go +++ b/KubeArmor/config/config.go @@ -50,6 +50,8 @@ type KubearmorConfig struct { EnforcerAlerts bool // policy enforcer DefaultPostureLogs bool // Enable/Disable Default Posture logs for AppArmor LSM + StateAgent bool // Enable/Disable State Agent Client + StateAgentAddr string // Address to State Agent Server } // GlobalCfg Global configuration for Kubearmor @@ -86,6 +88,12 @@ const ( ConfigDefaultPostureLogs string = "defaultPostureLogs" ) +// ConfigStateAgent state agent key +const ConfigStateAgent string = "enableStateAgent" + +// ConfigStateAgentAddr state agent address key +const ConfigStateAgentAddr string = "stateAgentAddr" + func readCmdLineParams() { hostname, _ := os.Hostname() clusterStr := flag.String(ConfigCluster, "default", "cluster name") @@ -125,6 +133,9 @@ func readCmdLineParams() { defaultPostureLogs := flag.Bool(ConfigDefaultPostureLogs, true, "Default Posture Alerts (for Apparmor only)") + stateAgent := flag.Bool(ConfigStateAgent, false, "enabling KubeArmor State Agent client") + stateAgentAddr := flag.String(ConfigStateAgentAddr, "localhost:8801", "address of State Agent Server") + flags := []string{} flag.VisitAll(func(f *flag.Flag) { kv := fmt.Sprintf("%s:%v", f.Name, f.Value) @@ -171,6 +182,9 @@ func readCmdLineParams() { viper.SetDefault(EnforcerAlerts, *enforcerAlerts) viper.SetDefault(ConfigDefaultPostureLogs, *defaultPostureLogs) + + viper.SetDefault(ConfigStateAgent, *stateAgent) + viper.SetDefault(ConfigStateAgentAddr, *stateAgentAddr) } // LoadConfig Load configuration @@ -256,6 +270,9 @@ func LoadConfig() error { GlobalCfg.DefaultPostureLogs = viper.GetBool(ConfigDefaultPostureLogs) + GlobalCfg.StateAgent = viper.GetBool(ConfigStateAgent) + GlobalCfg.StateAgentAddr = viper.GetString(ConfigStateAgentAddr) + kg.Printf("Final Configuration [%+v]", GlobalCfg) return nil diff --git a/KubeArmor/core/containerdHandler.go b/KubeArmor/core/containerdHandler.go index c0886d635a..561e8db082 100644 --- a/KubeArmor/core/containerdHandler.go +++ b/KubeArmor/core/containerdHandler.go @@ -14,6 +14,7 @@ import ( kl "github.com/kubearmor/KubeArmor/KubeArmor/common" cfg "github.com/kubearmor/KubeArmor/KubeArmor/config" kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + "github.com/kubearmor/KubeArmor/KubeArmor/state" tp "github.com/kubearmor/KubeArmor/KubeArmor/types" pb "github.com/containerd/containerd/api/services/containers/v1" @@ -132,6 +133,10 @@ func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID s if val, ok := containerLabels["io.kubernetes.pod.name"]; ok { container.EndPointName = val } + } else if val, ok := containerLabels["kubearmor.io/namespace"]; ok { + container.NamespaceName = val + } else { + container.NamespaceName = "container_namespace" } iface, err := typeurl.UnmarshalAny(res.Container.Spec) @@ -169,6 +174,34 @@ func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID s // == // + if cfg.GlobalCfg.StateAgent && !cfg.GlobalCfg.K8sEnv { + container.ContainerImage = res.Container.Image //+ kl.GetSHA256ofImage(inspect.Image) + + // TODO + container.ProtocolPort = "0" + + container.NodeName = cfg.GlobalCfg.Host + + labels := []string{} + for k, v := range res.Container.Labels { + labels = append(labels, k+"="+v) + } + for k, v := range spec.Annotations { + labels = append(labels, k+"="+v) + } + container.Labels = strings.Join(labels, ",") + + /* + container.Owner = tp.PodOwner{ + Name: container.ContainerName, + Namespace: container.NamespaceName, + Ref: "Deployment", + } + */ + } + + // == // + return container, nil } @@ -305,6 +338,11 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai dm.ContainersLock.Unlock() } + if cfg.GlobalCfg.StateAgent { + container.Status = "running" + go dm.StateAgent.PushContainerEvent(container, state.EventAdded) + } + dm.Logger.Printf("Detected a container (added/%.12s/pidns=%d/mntns=%d)", containerID, container.PidNS, container.MntNS) } else if action == "destroy" { @@ -345,6 +383,11 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai dm.RuntimeEnforcer.UnregisterContainer(containerID) } + if cfg.GlobalCfg.StateAgent { + container.Status = "terminated" + go dm.StateAgent.PushContainerEvent(container, state.EventDeleted) + } + dm.Logger.Printf("Detected a container (removed/%.12s/pidns=%d/mntns=%d)", containerID, container.PidNS, container.MntNS) } diff --git a/KubeArmor/core/dockerHandler.go b/KubeArmor/core/dockerHandler.go index 0ffeea9e3b..7cdc39a231 100644 --- a/KubeArmor/core/dockerHandler.go +++ b/KubeArmor/core/dockerHandler.go @@ -18,6 +18,7 @@ import ( kl "github.com/kubearmor/KubeArmor/KubeArmor/common" cfg "github.com/kubearmor/KubeArmor/KubeArmor/config" kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + "github.com/kubearmor/KubeArmor/KubeArmor/state" tp "github.com/kubearmor/KubeArmor/KubeArmor/types" ) @@ -37,6 +38,9 @@ type DockerVersion struct { type DockerHandler struct { DockerClient *client.Client Version DockerVersion + + // needed for container info + NodeIP string } // NewDockerHandler Function @@ -65,6 +69,8 @@ func NewDockerHandler() (*DockerHandler, error) { docker.DockerClient = DockerClient + docker.NodeIP = kl.GetExternalIPAddr() + kg.Printf("Initialized Docker Handler (version: %s)", clientVersion) return docker, nil @@ -112,6 +118,10 @@ func (dh *DockerHandler) GetContainerInfo(containerID string) (tp.Container, err if val, ok := containerLabels["io.kubernetes.pod.name"]; ok { container.EndPointName = val } + } else if val, ok := containerLabels["kubearmor.io/namespace"]; ok { + container.NamespaceName = val + } else { + container.NamespaceName = "container_namespace" } container.AppArmorProfile = inspect.AppArmorProfile @@ -134,6 +144,48 @@ func (dh *DockerHandler) GetContainerInfo(containerID string) (tp.Container, err // == // + if cfg.GlobalCfg.StateAgent && !cfg.GlobalCfg.K8sEnv { + container.ContainerImage = inspect.Config.Image //+ kl.GetSHA256ofImage(inspect.Image) + + // TODO + container.ProtocolPort = "0" + + container.NodeName = cfg.GlobalCfg.Host + + labels := []string{} + for k, v := range inspect.Config.Labels { + labels = append(labels, k+"="+v) + } + + if _, ok := containerLabels["kubearmor.io/container.name"]; !ok { + labels = append(labels, "kubearmor.io/container.name="+container.ContainerName) + } + + container.Labels = strings.Join(labels, ",") + + var podIP string + if inspect.HostConfig.NetworkMode.IsNone() || inspect.HostConfig.NetworkMode.IsContainer() { + podIP = "" + } else if inspect.HostConfig.NetworkMode.IsHost() { + podIP = dh.NodeIP + } else if inspect.HostConfig.NetworkMode.IsDefault() { + podIP = inspect.NetworkSettings.Networks["bridge"].IPAddress + } else { + networkName := inspect.HostConfig.NetworkMode.NetworkName() + podIP = inspect.NetworkSettings.Networks[networkName].IPAddress + } + container.ContainerIP = podIP + + /* + container.Owner = tp.PodOwner{ + Name: container.ContainerName, + Namespace: container.NamespaceName, + Ref: "Deployment", + } + */ + + } + return container, nil } @@ -258,6 +310,10 @@ func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() { dm.ContainersLock.Unlock() } + if cfg.GlobalCfg.StateAgent { + go dm.StateAgent.PushContainerEvent(container, state.EventAdded) + } + if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy { // update NsMap dm.SystemMonitor.AddContainerIDToNsMap(container.ContainerID, container.NamespaceName, container.PidNS, container.MntNS) @@ -358,6 +414,11 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) { dm.ContainersLock.Unlock() } + if cfg.GlobalCfg.StateAgent { + container.Status = "running" + go dm.StateAgent.PushContainerEvent(container, state.EventAdded) + } + dm.Logger.Printf("Detected a container (added/%.12s)", containerID) } else if action == "stop" || action == "destroy" { @@ -399,6 +460,11 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) { } dm.EndPointsLock.Unlock() + if cfg.GlobalCfg.StateAgent { + container.Status = "terminated" + go dm.StateAgent.PushContainerEvent(container, state.EventDeleted) + } + if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy { // update NsMap dm.SystemMonitor.DeleteContainerIDFromNsMap(containerID, container.NamespaceName, container.PidNS, container.MntNS) @@ -406,6 +472,18 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) { } dm.Logger.Printf("Detected a container (removed/%.12s)", containerID) + } else if action == "die" && cfg.GlobalCfg.StateAgent { + // handle die - keep map but update state + dm.ContainersLock.Lock() + container, ok := dm.Containers[containerID] + if !ok { + dm.ContainersLock.Unlock() + return + } + dm.ContainersLock.Unlock() + + container.Status = "waiting" + go dm.StateAgent.PushContainerEvent(container, state.EventUpdated) } } diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go index a9cad23ae0..f08cc6657d 100644 --- a/KubeArmor/core/kubeArmor.go +++ b/KubeArmor/core/kubeArmor.go @@ -16,6 +16,7 @@ import ( cfg "github.com/kubearmor/KubeArmor/KubeArmor/config" kg "github.com/kubearmor/KubeArmor/KubeArmor/log" "github.com/kubearmor/KubeArmor/KubeArmor/policy" + "github.com/kubearmor/KubeArmor/KubeArmor/state" tp "github.com/kubearmor/KubeArmor/KubeArmor/types" "google.golang.org/grpc/reflection" @@ -88,6 +89,9 @@ type KubeArmorDaemon struct { // kvm agent KVMAgent *kvm.KVMAgent + // state agent + StateAgent *state.StateAgent + // WgDaemon Handler WgDaemon sync.WaitGroup @@ -165,6 +169,13 @@ func (dm *KubeArmorDaemon) DestroyKubeArmorDaemon() { kg.Print("Terminated KubeArmor") } + if dm.StateAgent != nil { + //go dm.StateAgent.PushNodeEvent(dm.Node, state.EventDeleted) + if dm.CloseStateAgent() { + kg.Print("Destroyed StateAgent") + } + } + // wait for a while time.Sleep(time.Second * 1) @@ -300,6 +311,29 @@ func (dm *KubeArmorDaemon) CloseKVMAgent() bool { return true } +// ================= // +// == State Agent == // +// ================= // + +// InitStateAgent Function +func (dm *KubeArmorDaemon) InitStateAgent() bool { + dm.StateAgent = state.NewStateAgent(cfg.GlobalCfg.StateAgentAddr, &dm.Node, dm.NodeLock, dm.Containers, dm.ContainersLock) + return dm.StateAgent != nil +} + +func (dm *KubeArmorDaemon) RunStateAgent() { + go dm.StateAgent.RunStateAgent() +} + +// CloseStateAgent Function +func (dm *KubeArmorDaemon) CloseStateAgent() bool { + if err := dm.StateAgent.DestroyStateAgent(); err != nil { + dm.Logger.Errf("Failed to destory State Agent (%s)", err.Error()) + return false + } + return true +} + // ==================== // // == Signal Handler == // // ==================== // @@ -429,6 +463,33 @@ func KubeArmor() { // == // + // Init StateAgent + if !dm.K8sEnabled && cfg.GlobalCfg.StateAgent { + dm.NodeLock.Lock() + dm.Node.ClusterName = cfg.GlobalCfg.Cluster + dm.NodeLock.Unlock() + + // initialize state agent + if !dm.InitStateAgent() { + dm.Logger.Err("Failed to initialize State Agent Client") + + // destroy the daemon + dm.DestroyKubeArmorDaemon() + + return + } + dm.Logger.Print("Initialized State Agent Client") + + // connect to state agent server + go dm.RunStateAgent() + } + + if dm.StateAgent != nil { + go dm.StateAgent.PushNodeEvent(dm.Node, state.EventAdded) + } + + // == // + // Containerized workloads with Host if cfg.GlobalCfg.Policy || cfg.GlobalCfg.HostPolicy { // initialize system monitor diff --git a/KubeArmor/state/data.go b/KubeArmor/state/data.go new file mode 100644 index 0000000000..483fe1411c --- /dev/null +++ b/KubeArmor/state/data.go @@ -0,0 +1,154 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of KubeArmor + +package state + +import ( + "encoding/json" + + "github.com/kubearmor/KubeArmor/KubeArmor/common" + kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + "github.com/kubearmor/KubeArmor/KubeArmor/types" + tp "github.com/kubearmor/KubeArmor/KubeArmor/types" + pb "github.com/kubearmor/KubeArmor/protobuf" +) + +// pushes (container + pod) & workload event +func (sa *StateAgent) PushContainerEvent(container tp.Container, event string) { + if container.ContainerID == "" { + kg.Debug("Error while pushing container event. Missing data.") + return + } + + // create ns first + namespace := container.NamespaceName + sa.KubeArmorNamespacesLock.Lock() + if event == EventAdded { + + // create this kubearmor ns if it doesn't exist + // currently only "container_namespace" until we have config agent + if _, ok := sa.KubeArmorNamespaces[namespace]; !ok { + sa.KubeArmorNamespaces[namespace] = []string{} + sa.KubeArmorNamespaces[namespace] = append(sa.KubeArmorNamespaces[container.NamespaceName], container.ContainerID) + + sa.PushNamespaceEvent(namespace, EventAdded) + } else { + sa.KubeArmorNamespaces[namespace] = append(sa.KubeArmorNamespaces[container.NamespaceName], container.ContainerID) + } + + } else if event == EventDeleted { + + if containers, ok := sa.KubeArmorNamespaces[namespace]; ok { + containerDeleted := false + for i, c := range containers { + if c == container.ContainerID { + newNSList := common.RemoveStringElement(containers, i) + sa.KubeArmorNamespaces[namespace] = newNSList + break + } + } + + // no containers left - namespace deleted + if containerDeleted && len(sa.KubeArmorNamespaces[namespace]) > 0 { + sa.PushNamespaceEvent(namespace, EventDeleted) + } + } + + } + sa.KubeArmorNamespacesLock.Unlock() + + containerBytes, err := json.Marshal(container) + if err != nil { + kg.Warnf("Error while trying to marshal container data. %s", err.Error()) + return + } + + containerEvent := &pb.StateEvent{ + Kind: KindContainer, + Type: event, + Name: container.ContainerName, + Object: containerBytes, + } + + // skip sending message as no state receiver is connected + if sa.StateEvents == nil { + return + } + + select { + case sa.StateEvents <- containerEvent: + default: + kg.Debugf("Failed to send container %s state event", event) + return + } + + return +} + +func (sa *StateAgent) PushNodeEvent(node tp.Node, event string) { + if node.NodeName == "" { + kg.Warn("Received empty node event") + return + } + + nodeData, err := json.Marshal(node) + if err != nil { + kg.Warnf("Error while trying to marshal node data. %s", err.Error()) + return + } + + nodeEvent := &pb.StateEvent{ + Kind: KindNode, + Type: event, + Name: node.NodeName, + Object: nodeData, + } + + // skip sending message as no state receiver is connected + if sa.StateEvents == nil { + return + } + + select { + case sa.StateEvents <- nodeEvent: + default: + kg.Debugf("Failed to send node %s state event.", event) + return + } + + return +} + +func (sa *StateAgent) PushNamespaceEvent(namespace string, event string) { + ns := types.Namespace{ + Name: namespace, + //Labels: "", + KubearmorFilePosture: "audit", + KubearmorNetworkPosture: "audit", + } + + nsBytes, err := json.Marshal(ns) + if err != nil { + kg.Warnf("Failed to marshal ns event: %s", err.Error()) + return + } + + nsEvent := &pb.StateEvent{ + Kind: KindNamespace, + Type: event, + Name: namespace, + Object: nsBytes, + } + + // skip sending message as no state receiver is connected + if sa.StateEvents == nil { + return + } + + select { + case sa.StateEvents <- nsEvent: + default: + kg.Debugf("Failed to send namespace %s state event", event) + return + } +} diff --git a/KubeArmor/state/stateAgent.go b/KubeArmor/state/stateAgent.go new file mode 100644 index 0000000000..8ec8d0886d --- /dev/null +++ b/KubeArmor/state/stateAgent.go @@ -0,0 +1,383 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of KubeArmor + +// package state implements the state agent service which reports details about the node and containers being protected by KubeArmor +package state + +import ( + "context" + "encoding/json" + "fmt" + "sync" + "time" + + "github.com/kubearmor/KubeArmor/KubeArmor/common" + kl "github.com/kubearmor/KubeArmor/KubeArmor/common" + cfg "github.com/kubearmor/KubeArmor/KubeArmor/config" + kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + tp "github.com/kubearmor/KubeArmor/KubeArmor/types" + pb "github.com/kubearmor/KubeArmor/protobuf" + "google.golang.org/grpc" + "google.golang.org/grpc/health/grpc_health_v1" + "google.golang.org/grpc/keepalive" +) + +const ( + EventAdded = "added" + EventUpdated = "updated" + EventDeleted = "deleted" + + KindContainer = "container" + KindPod = "pod" + KindNode = "node" + KindNamespace = "namespace" + + PodEntityK8s = "pod" + PodEntityECS = "task" + PodEntityNone = "none" +) + +type StateAgent struct { + StateEvents chan *pb.StateEvent + + StateAgentAddr string + + Running bool + PodEntity string + + SAClient *StateAgentClient + + Node *tp.Node + NodeLock *sync.RWMutex + + Containers map[string]tp.Container + ContainersLock *sync.RWMutex + + KubeArmorNamespaces map[string][]string + KubeArmorNamespacesLock *sync.RWMutex + + Wg *sync.WaitGroup + Context context.Context + Cancel context.CancelFunc +} + +type StateAgentClient struct { + Conn *grpc.ClientConn + + WatchClient pb.StateAgent_WatchStateClient + GetClient pb.StateAgent_GetStateClient +} + +func NewStateAgent(addr string, node *tp.Node, nodeLock *sync.RWMutex, containers map[string]tp.Container, containersLock *sync.RWMutex) *StateAgent { + host, port, err := common.ParseURL(addr) + if err != nil { + kg.Err("Error while parsing State Agent URL") + return nil + } + + var podEntity string + if ok := kl.IsK8sEnv(); ok && cfg.GlobalCfg.K8sEnv { + // pod == K8s pod + podEntity = PodEntityK8s + } else if ok := kl.IsECSEnv(); ok { + // pod == ECS task + // taskMetaURL, ok := os.LookupEnv("ECS_CONTAINER_METADATA_URI_V4") + podEntity = PodEntityECS + } else { + // pod == Container + // PodEntity == "" + podEntity = PodEntityNone + } + + context, cancel := context.WithCancel(context.Background()) + + sa := &StateAgent{ + StateAgentAddr: fmt.Sprintf("%s:%s", host, port), + + Running: true, + PodEntity: podEntity, + + Node: node, + NodeLock: nodeLock, + + Containers: containers, + ContainersLock: containersLock, + + KubeArmorNamespaces: make(map[string][]string), + KubeArmorNamespacesLock: new(sync.RWMutex), + + Wg: new(sync.WaitGroup), + Context: context, + Cancel: cancel, + } + + return sa +} + +func (sa *StateAgent) RunStateAgent() { + var err error + + for sa.Running { + // connect with state agent service + sa.SAClient, err = sa.connectWithStateAgentService() + if err != nil { + kg.Debugf("Failed to connect with StateAgent at %s: %s", sa.StateAgentAddr, err.Error()) + continue + } + + kg.Printf("Connected with State Agent Service for reporting state") + + // run RPCs + sa.Wg.Add(1) + go sa.WatchStateClient() + + sa.Wg.Add(1) + go sa.GetStateClient() + + sa.Wg.Wait() + + if err := sa.SAClient.Conn.Close(); err != nil { + kg.Warnf("Failed to close State Agent client: %s", err.Error()) + } + kg.Printf("Closed State Agent client") + + // reset connection + sa.SAClient = nil + if sa.StateEvents != nil { + sa.StateEvents = nil + } + } + + kg.Printf("Stop streaming state events") +} + +// DestroyStateAgent +func (sa *StateAgent) DestroyStateAgent() error { + sa.Cancel() + sa.Running = false + time.Sleep(1 * time.Second) + + if sa.SAClient != nil { + if sa.SAClient.Conn != nil { + err := sa.SAClient.Conn.Close() + if err != nil { + return err + } + } + } + + // wait for terminations + sa.Wg.Wait() + + return nil +} + +// sends state events in a continuous stream +func (sa *StateAgent) WatchStateClient() { + defer sa.Wg.Done() + + kg.Print("Streaming State Events with WatchState Client") + defer kg.Print("Closed WatchState Client") + + client := sa.SAClient.WatchClient + closeChan := make(chan struct{}) + + // initialize this chan + sa.StateEvents = make(chan *pb.StateEvent, 25) + + go func() { + defer close(closeChan) + _, err := client.Recv() + if err := kl.HandleGRPCErrors(err); err != nil { + kg.Warnf("Error while receiving reply from State Agent WatchClient. %s", err.Error()) + } + closeChan <- struct{}{} + }() + + for sa.Running { + select { + + case <-client.Context().Done(): + return + + case <-closeChan: + kg.Printf("Closing connection with State Agent Client") + return + + case event := <-sa.StateEvents: + if err := kl.HandleGRPCErrors(client.Send(event)); err != nil { + kg.Warnf("Failed to send state event.", err.Error()) + return + } + + } + } +} + +// sends current state upon request +func (sa *StateAgent) GetStateClient() { + defer sa.Wg.Done() + + kg.Print("Streaming State Events with GetState Client") + defer kg.Print("Closed GetState Client") + + client := sa.SAClient.GetClient + + // create a new stream and start listening for incoming msgs + // only send the state when a receiver sends an emptypb.Empty request message + for sa.Running { + select { + // avoid panics when the connection has been terminated + case <-client.Context().Done(): + return + + default: + _, err := client.Recv() + if err := kl.HandleGRPCErrors(err); err != nil { + kg.Warnf("Error while receiving request from GetState Client %s", err.Error()) + continue + } + + stateEventList := make([]*pb.StateEvent, 0) + + nodeData, err := json.Marshal(sa.Node) + if err != nil { + kg.Warnf("Error while trying to marshal node data. %s", err.Error()) + } + + nodeEvent := &pb.StateEvent{ + Kind: KindNode, + Type: EventAdded, + Name: sa.Node.NodeName, + Object: nodeData, + } + stateEventList = append(stateEventList, nodeEvent) + + for _, container := range sa.Containers { + containerBytes, err := json.Marshal(container) + if err != nil { + kg.Warnf("Error while trying to marshal container data. %s", err.Error()) + } + + containerEvent := &pb.StateEvent{ + Kind: KindContainer, + Type: EventAdded, + Name: container.ContainerName, + Object: containerBytes, + } + + stateEventList = append(stateEventList, containerEvent) + } + + sa.KubeArmorNamespacesLock.RLock() + for ns := range sa.KubeArmorNamespaces { + nsBytes, err := json.Marshal(ns) + if err != nil { + kg.Warnf("Failed to marshal ns event: %s", err.Error()) + } + + nsEvent := &pb.StateEvent{ + Kind: KindNamespace, + Type: EventAdded, + Name: ns, + Object: nsBytes, + } + + stateEventList = append(stateEventList, nsEvent) + } + sa.KubeArmorNamespacesLock.RUnlock() + + stateEvents := &pb.StateEvents{ + StateEvents: stateEventList, + } + + err = client.Send(stateEvents) + if err := kl.HandleGRPCErrors(err); err != nil { + kg.Warnf("Failed to send State Events to GetState Client: ", err.Error()) + return + } + + } + } +} + +func (sa *StateAgent) connectWithStateAgentService() (*StateAgentClient, error) { + var ( + err error + conn *grpc.ClientConn + client pb.StateAgentClient + ) + + kacp := keepalive.ClientParameters{ + Time: 1 * time.Second, + Timeout: 5 * time.Second, + PermitWithoutStream: true, + } + + // dial state agent server at the specified address and wait until it is + // healthy + for sa.Running { + conn, err = grpc.DialContext(sa.Context, sa.StateAgentAddr, grpc.WithInsecure(), grpc.WithKeepaliveParams(kacp)) + if err != nil { + time.Sleep(time.Second * 5) + conn.Close() + continue + } + + client = pb.NewStateAgentClient(conn) + if client == nil { + time.Sleep(time.Second * 5) + conn.Close() + continue + } + + healthClient := grpc_health_v1.NewHealthClient(conn) + healthCheckRequest := &grpc_health_v1.HealthCheckRequest{ + Service: pb.StateAgent_ServiceDesc.ServiceName, + } + + resp, err := healthClient.Check(sa.Context, healthCheckRequest) + grpcErr := kl.HandleGRPCErrors(err) + if grpcErr != nil { + kg.Debugf("State Agent Service unhealthy. Error: %s", grpcErr.Error()) + conn.Close() + time.Sleep(time.Second * 5) + continue + } + + switch resp.Status { + case grpc_health_v1.HealthCheckResponse_SERVING: + break + case grpc_health_v1.HealthCheckResponse_NOT_SERVING: + conn.Close() + return nil, fmt.Errorf("State Agent server is not serving") + default: + kg.Debugf("State Agent Service unhealthy. Status: %s", resp.Status.String()) + conn.Close() + time.Sleep(time.Second * 5) + continue + } + + break + } + + watchClient, err := client.WatchState(sa.Context) + if err != nil { + err := fmt.Errorf("Failed to create StateAgent WatchClient: %s", err.Error()) + return nil, err + } + + getClient, err := client.GetState(sa.Context) + if err != nil { + err := fmt.Errorf("Failed to create StateAgent GetClient: %s", err.Error()) + return nil, err + } + + saClient := &StateAgentClient{ + Conn: conn, + WatchClient: watchClient, + GetClient: getClient, + } + + return saClient, nil +} diff --git a/KubeArmor/types/types.go b/KubeArmor/types/types.go index f40fd30d0b..04eaaf58e0 100644 --- a/KubeArmor/types/types.go +++ b/KubeArmor/types/types.go @@ -37,6 +37,13 @@ type Container struct { // == // + NodeName string `json:"node_name"` + ProtocolPort string `json:"protocolPort"` + Status string `json:"status"` + ContainerIP string `json:"container_ip"` + + // == // + PolicyEnabled int `json:"policyEnabled"` ProcessVisibilityEnabled bool `json:"processVisibilityEnabled"` @@ -52,6 +59,14 @@ type PodOwner struct { Namespace string `json:"namespace,omitempty"` } +// Namespace struct +type Namespace struct { + Name string `json:"name,omitempty"` + Labels string `json:"labels,omitempty"` + KubearmorFilePosture string `json:"kubearmor_file_posture,omitempty"` + KubearmorNetworkPosture string `json:"kubearmor_network_posture,omitempty"` +} + // EndPoint Structure type EndPoint struct { NamespaceName string `json:"namespaceName"` diff --git a/protobuf/Makefile b/protobuf/Makefile index d0e3179a02..2474cef5cb 100644 --- a/protobuf/Makefile +++ b/protobuf/Makefile @@ -3,7 +3,7 @@ CURDIR=$(shell pwd) -PROTOS:=kubearmor.proto kvm.proto policy.proto +PROTOS:=kubearmor.proto kvm.proto policy.proto state.proto PBGO:=$(PROTOS:.proto=.pb.go) .PHONY: build diff --git a/protobuf/state.pb.go b/protobuf/state.pb.go new file mode 100644 index 0000000000..54300eac32 --- /dev/null +++ b/protobuf/state.pb.go @@ -0,0 +1,316 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.28.1 +// protoc v4.24.2 +// source: state.proto + +package protobuf + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + emptypb "google.golang.org/protobuf/types/known/emptypb" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type StateEvent struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"Kind,omitempty"` + Type string `protobuf:"bytes,2,opt,name=Type,proto3" json:"Type,omitempty"` + Name string `protobuf:"bytes,3,opt,name=Name,proto3" json:"Name,omitempty"` + Object []byte `protobuf:"bytes,4,opt,name=Object,proto3" json:"Object,omitempty"` +} + +func (x *StateEvent) Reset() { + *x = StateEvent{} + if protoimpl.UnsafeEnabled { + mi := &file_state_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *StateEvent) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*StateEvent) ProtoMessage() {} + +func (x *StateEvent) ProtoReflect() protoreflect.Message { + mi := &file_state_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use StateEvent.ProtoReflect.Descriptor instead. +func (*StateEvent) Descriptor() ([]byte, []int) { + return file_state_proto_rawDescGZIP(), []int{0} +} + +func (x *StateEvent) GetKind() string { + if x != nil { + return x.Kind + } + return "" +} + +func (x *StateEvent) GetType() string { + if x != nil { + return x.Type + } + return "" +} + +func (x *StateEvent) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +func (x *StateEvent) GetObject() []byte { + if x != nil { + return x.Object + } + return nil +} + +type StateEvents struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + StateEvents []*StateEvent `protobuf:"bytes,1,rep,name=StateEvents,proto3" json:"StateEvents,omitempty"` +} + +func (x *StateEvents) Reset() { + *x = StateEvents{} + if protoimpl.UnsafeEnabled { + mi := &file_state_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *StateEvents) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*StateEvents) ProtoMessage() {} + +func (x *StateEvents) ProtoReflect() protoreflect.Message { + mi := &file_state_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use StateEvents.ProtoReflect.Descriptor instead. +func (*StateEvents) Descriptor() ([]byte, []int) { + return file_state_proto_rawDescGZIP(), []int{1} +} + +func (x *StateEvents) GetStateEvents() []*StateEvent { + if x != nil { + return x.StateEvents + } + return nil +} + +type StatusCode struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Code int32 `protobuf:"varint,1,opt,name=code,proto3" json:"code,omitempty"` +} + +func (x *StatusCode) Reset() { + *x = StatusCode{} + if protoimpl.UnsafeEnabled { + mi := &file_state_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *StatusCode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*StatusCode) ProtoMessage() {} + +func (x *StatusCode) ProtoReflect() protoreflect.Message { + mi := &file_state_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use StatusCode.ProtoReflect.Descriptor instead. +func (*StatusCode) Descriptor() ([]byte, []int) { + return file_state_proto_rawDescGZIP(), []int{2} +} + +func (x *StatusCode) GetCode() int32 { + if x != nil { + return x.Code + } + return 0 +} + +var File_state_proto protoreflect.FileDescriptor + +var file_state_proto_rawDesc = []byte{ + 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0b, 0x73, + 0x74, 0x61, 0x74, 0x65, 0x5f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x1a, 0x1b, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x65, 0x6d, 0x70, 0x74, + 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x60, 0x0a, 0x0a, 0x53, 0x74, 0x61, 0x74, 0x65, + 0x45, 0x76, 0x65, 0x6e, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x4b, 0x69, 0x6e, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x04, 0x4b, 0x69, 0x6e, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x54, 0x79, 0x70, + 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, + 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x4e, 0x61, 0x6d, + 0x65, 0x12, 0x16, 0x0a, 0x06, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, + 0x0c, 0x52, 0x06, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x22, 0x48, 0x0a, 0x0b, 0x53, 0x74, 0x61, + 0x74, 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x39, 0x0a, 0x0b, 0x53, 0x74, 0x61, 0x74, + 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, + 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x74, 0x61, 0x74, + 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x0b, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x76, 0x65, + 0x6e, 0x74, 0x73, 0x22, 0x20, 0x0a, 0x0a, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x43, 0x6f, 0x64, + 0x65, 0x12, 0x12, 0x0a, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, + 0x04, 0x63, 0x6f, 0x64, 0x65, 0x32, 0x92, 0x01, 0x0a, 0x0a, 0x53, 0x74, 0x61, 0x74, 0x65, 0x41, + 0x67, 0x65, 0x6e, 0x74, 0x12, 0x42, 0x0a, 0x0a, 0x57, 0x61, 0x74, 0x63, 0x68, 0x53, 0x74, 0x61, + 0x74, 0x65, 0x12, 0x17, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x61, 0x67, 0x65, 0x6e, 0x74, + 0x2e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x1a, 0x17, 0x2e, 0x73, 0x74, + 0x61, 0x74, 0x65, 0x5f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x43, 0x6f, 0x64, 0x65, 0x28, 0x01, 0x30, 0x01, 0x12, 0x40, 0x0a, 0x08, 0x47, 0x65, 0x74, 0x53, + 0x74, 0x61, 0x74, 0x65, 0x12, 0x18, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x61, 0x67, 0x65, + 0x6e, 0x74, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x1a, 0x16, + 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x28, 0x01, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, + 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_state_proto_rawDescOnce sync.Once + file_state_proto_rawDescData = file_state_proto_rawDesc +) + +func file_state_proto_rawDescGZIP() []byte { + file_state_proto_rawDescOnce.Do(func() { + file_state_proto_rawDescData = protoimpl.X.CompressGZIP(file_state_proto_rawDescData) + }) + return file_state_proto_rawDescData +} + +var file_state_proto_msgTypes = make([]protoimpl.MessageInfo, 3) +var file_state_proto_goTypes = []interface{}{ + (*StateEvent)(nil), // 0: state_agent.StateEvent + (*StateEvents)(nil), // 1: state_agent.StateEvents + (*StatusCode)(nil), // 2: state_agent.StatusCode + (*emptypb.Empty)(nil), // 3: google.protobuf.Empty +} +var file_state_proto_depIdxs = []int32{ + 0, // 0: state_agent.StateEvents.StateEvents:type_name -> state_agent.StateEvent + 0, // 1: state_agent.StateAgent.WatchState:input_type -> state_agent.StateEvent + 1, // 2: state_agent.StateAgent.GetState:input_type -> state_agent.StateEvents + 2, // 3: state_agent.StateAgent.WatchState:output_type -> state_agent.StatusCode + 3, // 4: state_agent.StateAgent.GetState:output_type -> google.protobuf.Empty + 3, // [3:5] is the sub-list for method output_type + 1, // [1:3] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name +} + +func init() { file_state_proto_init() } +func file_state_proto_init() { + if File_state_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_state_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*StateEvent); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_state_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*StateEvents); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_state_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*StatusCode); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_state_proto_rawDesc, + NumEnums: 0, + NumMessages: 3, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_state_proto_goTypes, + DependencyIndexes: file_state_proto_depIdxs, + MessageInfos: file_state_proto_msgTypes, + }.Build() + File_state_proto = out.File + file_state_proto_rawDesc = nil + file_state_proto_goTypes = nil + file_state_proto_depIdxs = nil +} diff --git a/protobuf/state.proto b/protobuf/state.proto new file mode 100644 index 0000000000..ff8c4e6061 --- /dev/null +++ b/protobuf/state.proto @@ -0,0 +1,30 @@ +syntax = "proto3"; + +package state_agent; + +import "google/protobuf/empty.proto"; + +option go_package="github.com/kubearmor/KubeArmor/protobuf"; + +message StateEvent { + string Kind=1; + string Type=2; + string Name=3; + bytes Object=4; +} + +message StateEvents { + repeated StateEvent StateEvents=1; +} + +message StatusCode { + int32 code=1; +} + +service StateAgent { + // stream which continuously pushes state events + rpc WatchState (stream StateEvent) returns (stream StatusCode); + + // get all state events in one go + rpc GetState (stream StateEvents) returns (stream google.protobuf.Empty); +} diff --git a/protobuf/state_grpc.pb.go b/protobuf/state_grpc.pb.go new file mode 100644 index 0000000000..0c614b0ea1 --- /dev/null +++ b/protobuf/state_grpc.pb.go @@ -0,0 +1,208 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.2.0 +// - protoc v4.24.2 +// source: state.proto + +package protobuf + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" + emptypb "google.golang.org/protobuf/types/known/emptypb" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.32.0 or later. +const _ = grpc.SupportPackageIsVersion7 + +// StateAgentClient is the client API for StateAgent service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type StateAgentClient interface { + // stream which continuously pushes state events + WatchState(ctx context.Context, opts ...grpc.CallOption) (StateAgent_WatchStateClient, error) + // get all state events in one go + GetState(ctx context.Context, opts ...grpc.CallOption) (StateAgent_GetStateClient, error) +} + +type stateAgentClient struct { + cc grpc.ClientConnInterface +} + +func NewStateAgentClient(cc grpc.ClientConnInterface) StateAgentClient { + return &stateAgentClient{cc} +} + +func (c *stateAgentClient) WatchState(ctx context.Context, opts ...grpc.CallOption) (StateAgent_WatchStateClient, error) { + stream, err := c.cc.NewStream(ctx, &StateAgent_ServiceDesc.Streams[0], "/state_agent.StateAgent/WatchState", opts...) + if err != nil { + return nil, err + } + x := &stateAgentWatchStateClient{stream} + return x, nil +} + +type StateAgent_WatchStateClient interface { + Send(*StateEvent) error + Recv() (*StatusCode, error) + grpc.ClientStream +} + +type stateAgentWatchStateClient struct { + grpc.ClientStream +} + +func (x *stateAgentWatchStateClient) Send(m *StateEvent) error { + return x.ClientStream.SendMsg(m) +} + +func (x *stateAgentWatchStateClient) Recv() (*StatusCode, error) { + m := new(StatusCode) + if err := x.ClientStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +func (c *stateAgentClient) GetState(ctx context.Context, opts ...grpc.CallOption) (StateAgent_GetStateClient, error) { + stream, err := c.cc.NewStream(ctx, &StateAgent_ServiceDesc.Streams[1], "/state_agent.StateAgent/GetState", opts...) + if err != nil { + return nil, err + } + x := &stateAgentGetStateClient{stream} + return x, nil +} + +type StateAgent_GetStateClient interface { + Send(*StateEvents) error + Recv() (*emptypb.Empty, error) + grpc.ClientStream +} + +type stateAgentGetStateClient struct { + grpc.ClientStream +} + +func (x *stateAgentGetStateClient) Send(m *StateEvents) error { + return x.ClientStream.SendMsg(m) +} + +func (x *stateAgentGetStateClient) Recv() (*emptypb.Empty, error) { + m := new(emptypb.Empty) + if err := x.ClientStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +// StateAgentServer is the server API for StateAgent service. +// All implementations should embed UnimplementedStateAgentServer +// for forward compatibility +type StateAgentServer interface { + // stream which continuously pushes state events + WatchState(StateAgent_WatchStateServer) error + // get all state events in one go + GetState(StateAgent_GetStateServer) error +} + +// UnimplementedStateAgentServer should be embedded to have forward compatible implementations. +type UnimplementedStateAgentServer struct { +} + +func (UnimplementedStateAgentServer) WatchState(StateAgent_WatchStateServer) error { + return status.Errorf(codes.Unimplemented, "method WatchState not implemented") +} +func (UnimplementedStateAgentServer) GetState(StateAgent_GetStateServer) error { + return status.Errorf(codes.Unimplemented, "method GetState not implemented") +} + +// UnsafeStateAgentServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to StateAgentServer will +// result in compilation errors. +type UnsafeStateAgentServer interface { + mustEmbedUnimplementedStateAgentServer() +} + +func RegisterStateAgentServer(s grpc.ServiceRegistrar, srv StateAgentServer) { + s.RegisterService(&StateAgent_ServiceDesc, srv) +} + +func _StateAgent_WatchState_Handler(srv interface{}, stream grpc.ServerStream) error { + return srv.(StateAgentServer).WatchState(&stateAgentWatchStateServer{stream}) +} + +type StateAgent_WatchStateServer interface { + Send(*StatusCode) error + Recv() (*StateEvent, error) + grpc.ServerStream +} + +type stateAgentWatchStateServer struct { + grpc.ServerStream +} + +func (x *stateAgentWatchStateServer) Send(m *StatusCode) error { + return x.ServerStream.SendMsg(m) +} + +func (x *stateAgentWatchStateServer) Recv() (*StateEvent, error) { + m := new(StateEvent) + if err := x.ServerStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +func _StateAgent_GetState_Handler(srv interface{}, stream grpc.ServerStream) error { + return srv.(StateAgentServer).GetState(&stateAgentGetStateServer{stream}) +} + +type StateAgent_GetStateServer interface { + Send(*emptypb.Empty) error + Recv() (*StateEvents, error) + grpc.ServerStream +} + +type stateAgentGetStateServer struct { + grpc.ServerStream +} + +func (x *stateAgentGetStateServer) Send(m *emptypb.Empty) error { + return x.ServerStream.SendMsg(m) +} + +func (x *stateAgentGetStateServer) Recv() (*StateEvents, error) { + m := new(StateEvents) + if err := x.ServerStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +// StateAgent_ServiceDesc is the grpc.ServiceDesc for StateAgent service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var StateAgent_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "state_agent.StateAgent", + HandlerType: (*StateAgentServer)(nil), + Methods: []grpc.MethodDesc{}, + Streams: []grpc.StreamDesc{ + { + StreamName: "WatchState", + Handler: _StateAgent_WatchState_Handler, + ServerStreams: true, + ClientStreams: true, + }, + { + StreamName: "GetState", + Handler: _StateAgent_GetState_Handler, + ServerStreams: true, + ClientStreams: true, + }, + }, + Metadata: "state.proto", +} From bc240574bc03a38d851212282d782d864ae904e2 Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Wed, 25 Oct 2023 18:00:11 +0530 Subject: [PATCH 2/8] udpate protobufs Signed-off-by: Rudraksh Pareek --- protobuf/go.mod | 2 +- protobuf/kubearmor.pb.go | 83 ++++---- protobuf/kubearmor.proto | 6 +- protobuf/kubearmor_grpc.pb.go | 192 ++++++++---------- protobuf/policy.pb.go | 367 +++++++++++----------------------- protobuf/policy.proto | 24 +-- protobuf/policy_grpc.pb.go | 191 ++++++++---------- 7 files changed, 329 insertions(+), 536 deletions(-) diff --git a/protobuf/go.mod b/protobuf/go.mod index 76e7ce9ed6..f67b9cb035 100644 --- a/protobuf/go.mod +++ b/protobuf/go.mod @@ -11,12 +11,12 @@ replace ( ) require ( - github.com/golang/protobuf v1.5.3 google.golang.org/grpc v1.56.3 google.golang.org/protobuf v1.30.0 ) require ( + github.com/golang/protobuf v1.5.3 // indirect golang.org/x/net v0.10.0 // indirect golang.org/x/sys v0.8.0 // indirect golang.org/x/text v0.9.0 // indirect diff --git a/protobuf/kubearmor.pb.go b/protobuf/kubearmor.pb.go index 7d415f6b5f..c5426a2fc4 100644 --- a/protobuf/kubearmor.pb.go +++ b/protobuf/kubearmor.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 -// protoc v3.12.4 +// protoc-gen-go v1.31.0 +// protoc v4.25.1 // source: kubearmor.proto package protobuf @@ -1035,25 +1035,22 @@ var file_kubearmor_proto_rawDesc = []byte{ 0x32, 0x0a, 0x09, 0x57, 0x61, 0x74, 0x63, 0x68, 0x4c, 0x6f, 0x67, 0x73, 0x12, 0x16, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x0b, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, - 0x67, 0x30, 0x01, 0x32, 0xf0, 0x01, 0x0a, 0x0e, 0x50, 0x75, 0x73, 0x68, 0x4c, 0x6f, 0x67, 0x53, - 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x39, 0x0a, 0x0b, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, - 0x43, 0x68, 0x65, 0x63, 0x6b, 0x12, 0x14, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4e, - 0x6f, 0x6e, 0x63, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x14, 0x2e, 0x66, 0x65, - 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, - 0x65, 0x12, 0x39, 0x0a, 0x0c, 0x50, 0x75, 0x73, 0x68, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, - 0x73, 0x12, 0x0f, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, - 0x67, 0x65, 0x1a, 0x14, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, - 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x28, 0x01, 0x30, 0x01, 0x12, 0x35, 0x0a, 0x0a, - 0x50, 0x75, 0x73, 0x68, 0x41, 0x6c, 0x65, 0x72, 0x74, 0x73, 0x12, 0x0d, 0x2e, 0x66, 0x65, 0x65, - 0x64, 0x65, 0x72, 0x2e, 0x41, 0x6c, 0x65, 0x72, 0x74, 0x1a, 0x14, 0x2e, 0x66, 0x65, 0x65, 0x64, - 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x28, - 0x01, 0x30, 0x01, 0x12, 0x31, 0x0a, 0x08, 0x50, 0x75, 0x73, 0x68, 0x4c, 0x6f, 0x67, 0x73, 0x12, - 0x0b, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, 0x67, 0x1a, 0x14, 0x2e, 0x66, - 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, - 0x67, 0x65, 0x28, 0x01, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, - 0x75, 0x62, 0x65, 0x41, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x67, 0x30, 0x01, 0x32, 0xb8, 0x01, 0x0a, 0x11, 0x52, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x4c, + 0x6f, 0x67, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x39, 0x0a, 0x0c, 0x50, 0x75, 0x73, + 0x68, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x73, 0x12, 0x0f, 0x2e, 0x66, 0x65, 0x65, 0x64, + 0x65, 0x72, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x14, 0x2e, 0x66, 0x65, 0x65, + 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, + 0x28, 0x01, 0x30, 0x01, 0x12, 0x35, 0x0a, 0x0a, 0x50, 0x75, 0x73, 0x68, 0x41, 0x6c, 0x65, 0x72, + 0x74, 0x73, 0x12, 0x0d, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x41, 0x6c, 0x65, 0x72, + 0x74, 0x1a, 0x14, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x79, + 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x28, 0x01, 0x30, 0x01, 0x12, 0x31, 0x0a, 0x08, 0x50, + 0x75, 0x73, 0x68, 0x4c, 0x6f, 0x67, 0x73, 0x12, 0x0b, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, + 0x2e, 0x4c, 0x6f, 0x67, 0x1a, 0x14, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, + 0x70, 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x28, 0x01, 0x30, 0x01, 0x42, 0x29, + 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x62, + 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, 0x72, 0x6d, 0x6f, 0x72, + 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x33, } var ( @@ -1079,29 +1076,27 @@ var file_kubearmor_proto_goTypes = []interface{}{ (*ReplyMessage)(nil), // 6: feeder.ReplyMessage } var file_kubearmor_proto_depIdxs = []int32{ - 2, // 0: feeder.Alert.Owner:type_name -> feeder.Podowner - 2, // 1: feeder.Log.Owner:type_name -> feeder.Podowner - 0, // 2: feeder.LogService.HealthCheck:input_type -> feeder.NonceMessage - 5, // 3: feeder.LogService.WatchMessages:input_type -> feeder.RequestMessage - 5, // 4: feeder.LogService.WatchAlerts:input_type -> feeder.RequestMessage - 5, // 5: feeder.LogService.WatchLogs:input_type -> feeder.RequestMessage - 0, // 6: feeder.PushLogService.HealthCheck:input_type -> feeder.NonceMessage - 1, // 7: feeder.PushLogService.PushMessages:input_type -> feeder.Message - 3, // 8: feeder.PushLogService.PushAlerts:input_type -> feeder.Alert - 4, // 9: feeder.PushLogService.PushLogs:input_type -> feeder.Log - 6, // 10: feeder.LogService.HealthCheck:output_type -> feeder.ReplyMessage - 1, // 11: feeder.LogService.WatchMessages:output_type -> feeder.Message - 3, // 12: feeder.LogService.WatchAlerts:output_type -> feeder.Alert - 4, // 13: feeder.LogService.WatchLogs:output_type -> feeder.Log - 6, // 14: feeder.PushLogService.HealthCheck:output_type -> feeder.ReplyMessage - 6, // 15: feeder.PushLogService.PushMessages:output_type -> feeder.ReplyMessage - 6, // 16: feeder.PushLogService.PushAlerts:output_type -> feeder.ReplyMessage - 6, // 17: feeder.PushLogService.PushLogs:output_type -> feeder.ReplyMessage - 10, // [10:18] is the sub-list for method output_type - 2, // [2:10] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 2, // 0: feeder.Alert.Owner:type_name -> feeder.Podowner + 2, // 1: feeder.Log.Owner:type_name -> feeder.Podowner + 0, // 2: feeder.LogService.HealthCheck:input_type -> feeder.NonceMessage + 5, // 3: feeder.LogService.WatchMessages:input_type -> feeder.RequestMessage + 5, // 4: feeder.LogService.WatchAlerts:input_type -> feeder.RequestMessage + 5, // 5: feeder.LogService.WatchLogs:input_type -> feeder.RequestMessage + 1, // 6: feeder.ReverseLogService.PushMessages:input_type -> feeder.Message + 3, // 7: feeder.ReverseLogService.PushAlerts:input_type -> feeder.Alert + 4, // 8: feeder.ReverseLogService.PushLogs:input_type -> feeder.Log + 6, // 9: feeder.LogService.HealthCheck:output_type -> feeder.ReplyMessage + 1, // 10: feeder.LogService.WatchMessages:output_type -> feeder.Message + 3, // 11: feeder.LogService.WatchAlerts:output_type -> feeder.Alert + 4, // 12: feeder.LogService.WatchLogs:output_type -> feeder.Log + 6, // 13: feeder.ReverseLogService.PushMessages:output_type -> feeder.ReplyMessage + 6, // 14: feeder.ReverseLogService.PushAlerts:output_type -> feeder.ReplyMessage + 6, // 15: feeder.ReverseLogService.PushLogs:output_type -> feeder.ReplyMessage + 9, // [9:16] is the sub-list for method output_type + 2, // [2:9] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name } func init() { file_kubearmor_proto_init() } diff --git a/protobuf/kubearmor.proto b/protobuf/kubearmor.proto index 444e0ef9dc..a76e4d5577 100644 --- a/protobuf/kubearmor.proto +++ b/protobuf/kubearmor.proto @@ -1,5 +1,5 @@ syntax = "proto3"; - + package feeder; option go_package="github.com/kubearmor/KubeArmor/protobuf"; @@ -125,14 +125,14 @@ message ReplyMessage { } service LogService { + // DEPRECATED: use "google.golang.org/grpc/health/grpc_health_v1" rpc HealthCheck(NonceMessage) returns (ReplyMessage); rpc WatchMessages(RequestMessage) returns (stream Message); rpc WatchAlerts(RequestMessage) returns (stream Alert); rpc WatchLogs(RequestMessage) returns (stream Log); } -service PushLogService { - rpc HealthCheck(NonceMessage) returns (ReplyMessage); +service ReverseLogService { rpc PushMessages(stream Message) returns (stream ReplyMessage); rpc PushAlerts(stream Alert) returns (stream ReplyMessage); rpc PushLogs(stream Log) returns (stream ReplyMessage); diff --git a/protobuf/kubearmor_grpc.pb.go b/protobuf/kubearmor_grpc.pb.go index 8fe03186c7..b866f8ac68 100644 --- a/protobuf/kubearmor_grpc.pb.go +++ b/protobuf/kubearmor_grpc.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: // - protoc-gen-go-grpc v1.3.0 -// - protoc v3.12.4 +// - protoc v4.25.1 // source: kubearmor.proto package protobuf @@ -29,6 +29,7 @@ const ( // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. type LogServiceClient interface { + // DEPRECATED: use "google.golang.org/grpc/health/grpc_health_v1" HealthCheck(ctx context.Context, in *NonceMessage, opts ...grpc.CallOption) (*ReplyMessage, error) WatchMessages(ctx context.Context, in *RequestMessage, opts ...grpc.CallOption) (LogService_WatchMessagesClient, error) WatchAlerts(ctx context.Context, in *RequestMessage, opts ...grpc.CallOption) (LogService_WatchAlertsClient, error) @@ -152,6 +153,7 @@ func (x *logServiceWatchLogsClient) Recv() (*Log, error) { // All implementations should embed UnimplementedLogServiceServer // for forward compatibility type LogServiceServer interface { + // DEPRECATED: use "google.golang.org/grpc/health/grpc_health_v1" HealthCheck(context.Context, *NonceMessage) (*ReplyMessage, error) WatchMessages(*RequestMessage, LogService_WatchMessagesServer) error WatchAlerts(*RequestMessage, LogService_WatchAlertsServer) error @@ -300,63 +302,52 @@ var LogService_ServiceDesc = grpc.ServiceDesc{ } const ( - PushLogService_HealthCheck_FullMethodName = "/feeder.PushLogService/HealthCheck" - PushLogService_PushMessages_FullMethodName = "/feeder.PushLogService/PushMessages" - PushLogService_PushAlerts_FullMethodName = "/feeder.PushLogService/PushAlerts" - PushLogService_PushLogs_FullMethodName = "/feeder.PushLogService/PushLogs" + ReverseLogService_PushMessages_FullMethodName = "/feeder.ReverseLogService/PushMessages" + ReverseLogService_PushAlerts_FullMethodName = "/feeder.ReverseLogService/PushAlerts" + ReverseLogService_PushLogs_FullMethodName = "/feeder.ReverseLogService/PushLogs" ) -// PushLogServiceClient is the client API for PushLogService service. +// ReverseLogServiceClient is the client API for ReverseLogService service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. -type PushLogServiceClient interface { - HealthCheck(ctx context.Context, in *NonceMessage, opts ...grpc.CallOption) (*ReplyMessage, error) - PushMessages(ctx context.Context, opts ...grpc.CallOption) (PushLogService_PushMessagesClient, error) - PushAlerts(ctx context.Context, opts ...grpc.CallOption) (PushLogService_PushAlertsClient, error) - PushLogs(ctx context.Context, opts ...grpc.CallOption) (PushLogService_PushLogsClient, error) +type ReverseLogServiceClient interface { + PushMessages(ctx context.Context, opts ...grpc.CallOption) (ReverseLogService_PushMessagesClient, error) + PushAlerts(ctx context.Context, opts ...grpc.CallOption) (ReverseLogService_PushAlertsClient, error) + PushLogs(ctx context.Context, opts ...grpc.CallOption) (ReverseLogService_PushLogsClient, error) } -type pushLogServiceClient struct { +type reverseLogServiceClient struct { cc grpc.ClientConnInterface } -func NewPushLogServiceClient(cc grpc.ClientConnInterface) PushLogServiceClient { - return &pushLogServiceClient{cc} -} - -func (c *pushLogServiceClient) HealthCheck(ctx context.Context, in *NonceMessage, opts ...grpc.CallOption) (*ReplyMessage, error) { - out := new(ReplyMessage) - err := c.cc.Invoke(ctx, PushLogService_HealthCheck_FullMethodName, in, out, opts...) - if err != nil { - return nil, err - } - return out, nil +func NewReverseLogServiceClient(cc grpc.ClientConnInterface) ReverseLogServiceClient { + return &reverseLogServiceClient{cc} } -func (c *pushLogServiceClient) PushMessages(ctx context.Context, opts ...grpc.CallOption) (PushLogService_PushMessagesClient, error) { - stream, err := c.cc.NewStream(ctx, &PushLogService_ServiceDesc.Streams[0], PushLogService_PushMessages_FullMethodName, opts...) +func (c *reverseLogServiceClient) PushMessages(ctx context.Context, opts ...grpc.CallOption) (ReverseLogService_PushMessagesClient, error) { + stream, err := c.cc.NewStream(ctx, &ReverseLogService_ServiceDesc.Streams[0], ReverseLogService_PushMessages_FullMethodName, opts...) if err != nil { return nil, err } - x := &pushLogServicePushMessagesClient{stream} + x := &reverseLogServicePushMessagesClient{stream} return x, nil } -type PushLogService_PushMessagesClient interface { +type ReverseLogService_PushMessagesClient interface { Send(*Message) error Recv() (*ReplyMessage, error) grpc.ClientStream } -type pushLogServicePushMessagesClient struct { +type reverseLogServicePushMessagesClient struct { grpc.ClientStream } -func (x *pushLogServicePushMessagesClient) Send(m *Message) error { +func (x *reverseLogServicePushMessagesClient) Send(m *Message) error { return x.ClientStream.SendMsg(m) } -func (x *pushLogServicePushMessagesClient) Recv() (*ReplyMessage, error) { +func (x *reverseLogServicePushMessagesClient) Recv() (*ReplyMessage, error) { m := new(ReplyMessage) if err := x.ClientStream.RecvMsg(m); err != nil { return nil, err @@ -364,30 +355,30 @@ func (x *pushLogServicePushMessagesClient) Recv() (*ReplyMessage, error) { return m, nil } -func (c *pushLogServiceClient) PushAlerts(ctx context.Context, opts ...grpc.CallOption) (PushLogService_PushAlertsClient, error) { - stream, err := c.cc.NewStream(ctx, &PushLogService_ServiceDesc.Streams[1], PushLogService_PushAlerts_FullMethodName, opts...) +func (c *reverseLogServiceClient) PushAlerts(ctx context.Context, opts ...grpc.CallOption) (ReverseLogService_PushAlertsClient, error) { + stream, err := c.cc.NewStream(ctx, &ReverseLogService_ServiceDesc.Streams[1], ReverseLogService_PushAlerts_FullMethodName, opts...) if err != nil { return nil, err } - x := &pushLogServicePushAlertsClient{stream} + x := &reverseLogServicePushAlertsClient{stream} return x, nil } -type PushLogService_PushAlertsClient interface { +type ReverseLogService_PushAlertsClient interface { Send(*Alert) error Recv() (*ReplyMessage, error) grpc.ClientStream } -type pushLogServicePushAlertsClient struct { +type reverseLogServicePushAlertsClient struct { grpc.ClientStream } -func (x *pushLogServicePushAlertsClient) Send(m *Alert) error { +func (x *reverseLogServicePushAlertsClient) Send(m *Alert) error { return x.ClientStream.SendMsg(m) } -func (x *pushLogServicePushAlertsClient) Recv() (*ReplyMessage, error) { +func (x *reverseLogServicePushAlertsClient) Recv() (*ReplyMessage, error) { m := new(ReplyMessage) if err := x.ClientStream.RecvMsg(m); err != nil { return nil, err @@ -395,30 +386,30 @@ func (x *pushLogServicePushAlertsClient) Recv() (*ReplyMessage, error) { return m, nil } -func (c *pushLogServiceClient) PushLogs(ctx context.Context, opts ...grpc.CallOption) (PushLogService_PushLogsClient, error) { - stream, err := c.cc.NewStream(ctx, &PushLogService_ServiceDesc.Streams[2], PushLogService_PushLogs_FullMethodName, opts...) +func (c *reverseLogServiceClient) PushLogs(ctx context.Context, opts ...grpc.CallOption) (ReverseLogService_PushLogsClient, error) { + stream, err := c.cc.NewStream(ctx, &ReverseLogService_ServiceDesc.Streams[2], ReverseLogService_PushLogs_FullMethodName, opts...) if err != nil { return nil, err } - x := &pushLogServicePushLogsClient{stream} + x := &reverseLogServicePushLogsClient{stream} return x, nil } -type PushLogService_PushLogsClient interface { +type ReverseLogService_PushLogsClient interface { Send(*Log) error Recv() (*ReplyMessage, error) grpc.ClientStream } -type pushLogServicePushLogsClient struct { +type reverseLogServicePushLogsClient struct { grpc.ClientStream } -func (x *pushLogServicePushLogsClient) Send(m *Log) error { +func (x *reverseLogServicePushLogsClient) Send(m *Log) error { return x.ClientStream.SendMsg(m) } -func (x *pushLogServicePushLogsClient) Recv() (*ReplyMessage, error) { +func (x *reverseLogServicePushLogsClient) Recv() (*ReplyMessage, error) { m := new(ReplyMessage) if err := x.ClientStream.RecvMsg(m); err != nil { return nil, err @@ -426,81 +417,59 @@ func (x *pushLogServicePushLogsClient) Recv() (*ReplyMessage, error) { return m, nil } -// PushLogServiceServer is the server API for PushLogService service. -// All implementations should embed UnimplementedPushLogServiceServer +// ReverseLogServiceServer is the server API for ReverseLogService service. +// All implementations should embed UnimplementedReverseLogServiceServer // for forward compatibility -type PushLogServiceServer interface { - HealthCheck(context.Context, *NonceMessage) (*ReplyMessage, error) - PushMessages(PushLogService_PushMessagesServer) error - PushAlerts(PushLogService_PushAlertsServer) error - PushLogs(PushLogService_PushLogsServer) error +type ReverseLogServiceServer interface { + PushMessages(ReverseLogService_PushMessagesServer) error + PushAlerts(ReverseLogService_PushAlertsServer) error + PushLogs(ReverseLogService_PushLogsServer) error } -// UnimplementedPushLogServiceServer should be embedded to have forward compatible implementations. -type UnimplementedPushLogServiceServer struct { +// UnimplementedReverseLogServiceServer should be embedded to have forward compatible implementations. +type UnimplementedReverseLogServiceServer struct { } -func (UnimplementedPushLogServiceServer) HealthCheck(context.Context, *NonceMessage) (*ReplyMessage, error) { - return nil, status.Errorf(codes.Unimplemented, "method HealthCheck not implemented") -} -func (UnimplementedPushLogServiceServer) PushMessages(PushLogService_PushMessagesServer) error { +func (UnimplementedReverseLogServiceServer) PushMessages(ReverseLogService_PushMessagesServer) error { return status.Errorf(codes.Unimplemented, "method PushMessages not implemented") } -func (UnimplementedPushLogServiceServer) PushAlerts(PushLogService_PushAlertsServer) error { +func (UnimplementedReverseLogServiceServer) PushAlerts(ReverseLogService_PushAlertsServer) error { return status.Errorf(codes.Unimplemented, "method PushAlerts not implemented") } -func (UnimplementedPushLogServiceServer) PushLogs(PushLogService_PushLogsServer) error { +func (UnimplementedReverseLogServiceServer) PushLogs(ReverseLogService_PushLogsServer) error { return status.Errorf(codes.Unimplemented, "method PushLogs not implemented") } -// UnsafePushLogServiceServer may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to PushLogServiceServer will +// UnsafeReverseLogServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to ReverseLogServiceServer will // result in compilation errors. -type UnsafePushLogServiceServer interface { - mustEmbedUnimplementedPushLogServiceServer() +type UnsafeReverseLogServiceServer interface { + mustEmbedUnimplementedReverseLogServiceServer() } -func RegisterPushLogServiceServer(s grpc.ServiceRegistrar, srv PushLogServiceServer) { - s.RegisterService(&PushLogService_ServiceDesc, srv) -} - -func _PushLogService_HealthCheck_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(NonceMessage) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(PushLogServiceServer).HealthCheck(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: PushLogService_HealthCheck_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(PushLogServiceServer).HealthCheck(ctx, req.(*NonceMessage)) - } - return interceptor(ctx, in, info, handler) +func RegisterReverseLogServiceServer(s grpc.ServiceRegistrar, srv ReverseLogServiceServer) { + s.RegisterService(&ReverseLogService_ServiceDesc, srv) } -func _PushLogService_PushMessages_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(PushLogServiceServer).PushMessages(&pushLogServicePushMessagesServer{stream}) +func _ReverseLogService_PushMessages_Handler(srv interface{}, stream grpc.ServerStream) error { + return srv.(ReverseLogServiceServer).PushMessages(&reverseLogServicePushMessagesServer{stream}) } -type PushLogService_PushMessagesServer interface { +type ReverseLogService_PushMessagesServer interface { Send(*ReplyMessage) error Recv() (*Message, error) grpc.ServerStream } -type pushLogServicePushMessagesServer struct { +type reverseLogServicePushMessagesServer struct { grpc.ServerStream } -func (x *pushLogServicePushMessagesServer) Send(m *ReplyMessage) error { +func (x *reverseLogServicePushMessagesServer) Send(m *ReplyMessage) error { return x.ServerStream.SendMsg(m) } -func (x *pushLogServicePushMessagesServer) Recv() (*Message, error) { +func (x *reverseLogServicePushMessagesServer) Recv() (*Message, error) { m := new(Message) if err := x.ServerStream.RecvMsg(m); err != nil { return nil, err @@ -508,25 +477,25 @@ func (x *pushLogServicePushMessagesServer) Recv() (*Message, error) { return m, nil } -func _PushLogService_PushAlerts_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(PushLogServiceServer).PushAlerts(&pushLogServicePushAlertsServer{stream}) +func _ReverseLogService_PushAlerts_Handler(srv interface{}, stream grpc.ServerStream) error { + return srv.(ReverseLogServiceServer).PushAlerts(&reverseLogServicePushAlertsServer{stream}) } -type PushLogService_PushAlertsServer interface { +type ReverseLogService_PushAlertsServer interface { Send(*ReplyMessage) error Recv() (*Alert, error) grpc.ServerStream } -type pushLogServicePushAlertsServer struct { +type reverseLogServicePushAlertsServer struct { grpc.ServerStream } -func (x *pushLogServicePushAlertsServer) Send(m *ReplyMessage) error { +func (x *reverseLogServicePushAlertsServer) Send(m *ReplyMessage) error { return x.ServerStream.SendMsg(m) } -func (x *pushLogServicePushAlertsServer) Recv() (*Alert, error) { +func (x *reverseLogServicePushAlertsServer) Recv() (*Alert, error) { m := new(Alert) if err := x.ServerStream.RecvMsg(m); err != nil { return nil, err @@ -534,25 +503,25 @@ func (x *pushLogServicePushAlertsServer) Recv() (*Alert, error) { return m, nil } -func _PushLogService_PushLogs_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(PushLogServiceServer).PushLogs(&pushLogServicePushLogsServer{stream}) +func _ReverseLogService_PushLogs_Handler(srv interface{}, stream grpc.ServerStream) error { + return srv.(ReverseLogServiceServer).PushLogs(&reverseLogServicePushLogsServer{stream}) } -type PushLogService_PushLogsServer interface { +type ReverseLogService_PushLogsServer interface { Send(*ReplyMessage) error Recv() (*Log, error) grpc.ServerStream } -type pushLogServicePushLogsServer struct { +type reverseLogServicePushLogsServer struct { grpc.ServerStream } -func (x *pushLogServicePushLogsServer) Send(m *ReplyMessage) error { +func (x *reverseLogServicePushLogsServer) Send(m *ReplyMessage) error { return x.ServerStream.SendMsg(m) } -func (x *pushLogServicePushLogsServer) Recv() (*Log, error) { +func (x *reverseLogServicePushLogsServer) Recv() (*Log, error) { m := new(Log) if err := x.ServerStream.RecvMsg(m); err != nil { return nil, err @@ -560,34 +529,29 @@ func (x *pushLogServicePushLogsServer) Recv() (*Log, error) { return m, nil } -// PushLogService_ServiceDesc is the grpc.ServiceDesc for PushLogService service. +// ReverseLogService_ServiceDesc is the grpc.ServiceDesc for ReverseLogService service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) -var PushLogService_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "feeder.PushLogService", - HandlerType: (*PushLogServiceServer)(nil), - Methods: []grpc.MethodDesc{ - { - MethodName: "HealthCheck", - Handler: _PushLogService_HealthCheck_Handler, - }, - }, +var ReverseLogService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "feeder.ReverseLogService", + HandlerType: (*ReverseLogServiceServer)(nil), + Methods: []grpc.MethodDesc{}, Streams: []grpc.StreamDesc{ { StreamName: "PushMessages", - Handler: _PushLogService_PushMessages_Handler, + Handler: _ReverseLogService_PushMessages_Handler, ServerStreams: true, ClientStreams: true, }, { StreamName: "PushAlerts", - Handler: _PushLogService_PushAlerts_Handler, + Handler: _ReverseLogService_PushAlerts_Handler, ServerStreams: true, ClientStreams: true, }, { StreamName: "PushLogs", - Handler: _PushLogService_PushLogs_Handler, + Handler: _ReverseLogService_PushLogs_Handler, ServerStreams: true, ClientStreams: true, }, diff --git a/protobuf/policy.pb.go b/protobuf/policy.pb.go index 248182898d..c509f88202 100644 --- a/protobuf/policy.pb.go +++ b/protobuf/policy.pb.go @@ -1,15 +1,15 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.28.1 -// protoc v3.19.4 +// protoc-gen-go v1.31.0 +// protoc v4.24.3 // source: policy.proto package protobuf import ( - empty "github.com/golang/protobuf/ptypes/empty" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" + emptypb "google.golang.org/protobuf/types/known/emptypb" reflect "reflect" sync "sync" ) @@ -23,7 +23,7 @@ const ( // Symbols defined in public import of google/protobuf/empty.proto. -type Empty = empty.Empty +type Empty = emptypb.Empty type PolicyStatus int32 @@ -83,102 +83,6 @@ func (PolicyStatus) EnumDescriptor() ([]byte, []int) { return file_policy_proto_rawDescGZIP(), []int{0} } -// Health check -type HealthCheckReq struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Nonce int32 `protobuf:"varint,1,opt,name=nonce,proto3" json:"nonce,omitempty"` -} - -func (x *HealthCheckReq) Reset() { - *x = HealthCheckReq{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *HealthCheckReq) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*HealthCheckReq) ProtoMessage() {} - -func (x *HealthCheckReq) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use HealthCheckReq.ProtoReflect.Descriptor instead. -func (*HealthCheckReq) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{0} -} - -func (x *HealthCheckReq) GetNonce() int32 { - if x != nil { - return x.Nonce - } - return 0 -} - -// healthcheck reply message -type HealthCheckReply struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Retval int32 `protobuf:"varint,1,opt,name=Retval,proto3" json:"Retval,omitempty"` -} - -func (x *HealthCheckReply) Reset() { - *x = HealthCheckReply{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *HealthCheckReply) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*HealthCheckReply) ProtoMessage() {} - -func (x *HealthCheckReply) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[1] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use HealthCheckReply.ProtoReflect.Descriptor instead. -func (*HealthCheckReply) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{1} -} - -func (x *HealthCheckReply) GetRetval() int32 { - if x != nil { - return x.Retval - } - return 0 -} - type Response struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -190,7 +94,7 @@ type Response struct { func (x *Response) Reset() { *x = Response{} if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[2] + mi := &file_policy_proto_msgTypes[0] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -203,7 +107,7 @@ func (x *Response) String() string { func (*Response) ProtoMessage() {} func (x *Response) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[2] + mi := &file_policy_proto_msgTypes[0] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -216,7 +120,7 @@ func (x *Response) ProtoReflect() protoreflect.Message { // Deprecated: Use Response.ProtoReflect.Descriptor instead. func (*Response) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{2} + return file_policy_proto_rawDescGZIP(), []int{0} } func (x *Response) GetStatus() PolicyStatus { @@ -237,7 +141,7 @@ type Policy struct { func (x *Policy) Reset() { *x = Policy{} if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[3] + mi := &file_policy_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -250,7 +154,7 @@ func (x *Policy) String() string { func (*Policy) ProtoMessage() {} func (x *Policy) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[3] + mi := &file_policy_proto_msgTypes[1] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -263,7 +167,7 @@ func (x *Policy) ProtoReflect() protoreflect.Message { // Deprecated: Use Policy.ProtoReflect.Descriptor instead. func (*Policy) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{3} + return file_policy_proto_rawDescGZIP(), []int{1} } func (x *Policy) GetPolicy() []byte { @@ -285,7 +189,7 @@ type ContainerData struct { func (x *ContainerData) Reset() { *x = ContainerData{} if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[4] + mi := &file_policy_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -298,7 +202,7 @@ func (x *ContainerData) String() string { func (*ContainerData) ProtoMessage() {} func (x *ContainerData) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[4] + mi := &file_policy_proto_msgTypes[2] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -311,7 +215,7 @@ func (x *ContainerData) ProtoReflect() protoreflect.Message { // Deprecated: Use ContainerData.ProtoReflect.Descriptor instead. func (*ContainerData) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{4} + return file_policy_proto_rawDescGZIP(), []int{2} } func (x *ContainerData) GetPolicyList() []string { @@ -339,7 +243,7 @@ type HostSecurityPolicies struct { func (x *HostSecurityPolicies) Reset() { *x = HostSecurityPolicies{} if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[5] + mi := &file_policy_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -352,7 +256,7 @@ func (x *HostSecurityPolicies) String() string { func (*HostSecurityPolicies) ProtoMessage() {} func (x *HostSecurityPolicies) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[5] + mi := &file_policy_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -365,7 +269,7 @@ func (x *HostSecurityPolicies) ProtoReflect() protoreflect.Message { // Deprecated: Use HostSecurityPolicies.ProtoReflect.Descriptor instead. func (*HostSecurityPolicies) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{5} + return file_policy_proto_rawDescGZIP(), []int{3} } func (x *HostSecurityPolicies) GetPolicyList() []string { @@ -388,7 +292,7 @@ type ProbeResponse struct { func (x *ProbeResponse) Reset() { *x = ProbeResponse{} if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[6] + mi := &file_policy_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -401,7 +305,7 @@ func (x *ProbeResponse) String() string { func (*ProbeResponse) ProtoMessage() {} func (x *ProbeResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[6] + mi := &file_policy_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -414,7 +318,7 @@ func (x *ProbeResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use ProbeResponse.ProtoReflect.Descriptor instead. func (*ProbeResponse) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{6} + return file_policy_proto_rawDescGZIP(), []int{4} } func (x *ProbeResponse) GetContainerList() []string { @@ -444,84 +348,75 @@ var file_policy_proto_rawDesc = []byte{ 0x0a, 0x0c, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x1b, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x22, 0x26, 0x0a, 0x0e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, - 0x63, 0x6b, 0x52, 0x65, 0x71, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x22, 0x2a, 0x0a, 0x10, 0x48, - 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, - 0x16, 0x0a, 0x06, 0x52, 0x65, 0x74, 0x76, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, - 0x06, 0x52, 0x65, 0x74, 0x76, 0x61, 0x6c, 0x22, 0x38, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x12, 0x2c, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x0e, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, - 0x73, 0x22, 0x20, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x22, 0x55, 0x0a, 0x0d, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, - 0x44, 0x61, 0x74, 0x61, 0x12, 0x1e, 0x0a, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, - 0x73, 0x74, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x4c, 0x69, 0x73, 0x74, 0x12, 0x24, 0x0a, 0x0d, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x45, 0x6e, - 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0d, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x36, 0x0a, 0x14, 0x48, 0x6f, - 0x73, 0x74, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, - 0x65, 0x73, 0x12, 0x1e, 0x0a, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, 0x73, 0x74, - 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, - 0x73, 0x74, 0x22, 0xf2, 0x02, 0x0a, 0x0d, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0d, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, - 0x72, 0x4c, 0x69, 0x73, 0x74, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x63, 0x6f, 0x6e, - 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x4b, 0x0a, 0x0c, 0x63, 0x6f, - 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4d, 0x61, 0x70, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x27, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, - 0x72, 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0c, 0x63, 0x6f, 0x6e, 0x74, 0x61, - 0x69, 0x6e, 0x65, 0x72, 0x4d, 0x61, 0x70, 0x12, 0x3c, 0x0a, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x4d, - 0x61, 0x70, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, - 0x48, 0x6f, 0x73, 0x74, 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x68, 0x6f, - 0x73, 0x74, 0x4d, 0x61, 0x70, 0x1a, 0x56, 0x0a, 0x11, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, - 0x65, 0x72, 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, - 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2b, 0x0a, 0x05, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x44, 0x61, - 0x74, 0x61, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x58, 0x0a, - 0x0c, 0x48, 0x6f, 0x73, 0x74, 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, - 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, - 0x32, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x53, 0x65, 0x63, 0x75, - 0x72, 0x69, 0x74, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x52, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x2a, 0x5e, 0x0a, 0x0c, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x0b, 0x0a, 0x07, 0x46, 0x61, 0x69, 0x6c, 0x75, - 0x72, 0x65, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x65, 0x64, 0x10, - 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x10, 0x02, 0x12, 0x0c, - 0x0a, 0x08, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, - 0x4e, 0x6f, 0x74, 0x45, 0x78, 0x69, 0x73, 0x74, 0x10, 0x04, 0x12, 0x0b, 0x0a, 0x07, 0x49, 0x6e, - 0x76, 0x61, 0x6c, 0x69, 0x64, 0x10, 0x05, 0x32, 0x4d, 0x0a, 0x0c, 0x50, 0x72, 0x6f, 0x62, 0x65, - 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x3d, 0x0a, 0x0c, 0x67, 0x65, 0x74, 0x50, 0x72, - 0x6f, 0x62, 0x65, 0x44, 0x61, 0x74, 0x61, 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, - 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0x74, 0x0a, 0x0d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x33, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61, - 0x69, 0x6e, 0x65, 0x72, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x10, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2e, 0x0a, 0x0a, - 0x68, 0x6f, 0x73, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x10, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0xc3, 0x01, 0x0a, - 0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x53, 0x65, 0x72, - 0x76, 0x69, 0x63, 0x65, 0x12, 0x3f, 0x0a, 0x0b, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, - 0x65, 0x63, 0x6b, 0x12, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x48, 0x65, 0x61, - 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x71, 0x1a, 0x18, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, - 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x37, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, - 0x65, 0x72, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x10, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x6f, 0x74, 0x6f, 0x22, 0x38, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, + 0x2c, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, + 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x53, + 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x20, 0x0a, + 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, + 0x55, 0x0a, 0x0d, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x44, 0x61, 0x74, 0x61, + 0x12, 0x1e, 0x0a, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, 0x73, 0x74, 0x18, 0x01, + 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, 0x73, 0x74, + 0x12, 0x24, 0x0a, 0x0d, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, + 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0d, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x45, + 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x36, 0x0a, 0x14, 0x48, 0x6f, 0x73, 0x74, 0x53, 0x65, + 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x12, 0x1e, + 0x0a, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, 0x73, 0x74, 0x18, 0x01, 0x20, 0x03, + 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, 0x73, 0x74, 0x22, 0xf2, + 0x02, 0x0a, 0x0d, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x24, 0x0a, 0x0d, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4c, 0x69, 0x73, + 0x74, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, + 0x65, 0x72, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x4b, 0x0a, 0x0c, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, + 0x6e, 0x65, 0x72, 0x4d, 0x61, 0x70, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4d, 0x61, 0x70, + 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0c, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, + 0x4d, 0x61, 0x70, 0x12, 0x3c, 0x0a, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x4d, 0x61, 0x70, 0x18, 0x03, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, + 0x6f, 0x62, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x48, 0x6f, 0x73, 0x74, + 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x4d, 0x61, + 0x70, 0x1a, 0x56, 0x0a, 0x11, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4d, 0x61, + 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2b, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x44, 0x61, 0x74, 0x61, 0x52, 0x05, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x58, 0x0a, 0x0c, 0x48, 0x6f, 0x73, + 0x74, 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x32, 0x0a, 0x05, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, + 0x02, 0x38, 0x01, 0x2a, 0x5e, 0x0a, 0x0c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x12, 0x0b, 0x0a, 0x07, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x10, 0x00, + 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x65, 0x64, 0x10, 0x01, 0x12, 0x0b, 0x0a, + 0x07, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x10, 0x02, 0x12, 0x0c, 0x0a, 0x08, 0x4d, 0x6f, + 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x4e, 0x6f, 0x74, 0x45, + 0x78, 0x69, 0x73, 0x74, 0x10, 0x04, 0x12, 0x0b, 0x0a, 0x07, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, + 0x64, 0x10, 0x05, 0x32, 0x4d, 0x0a, 0x0c, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x53, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x12, 0x3d, 0x0a, 0x0c, 0x67, 0x65, 0x74, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x44, + 0x61, 0x74, 0x61, 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x15, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x32, 0x74, 0x0a, 0x0d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x53, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x12, 0x33, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x10, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2e, 0x0a, 0x0a, 0x68, 0x6f, 0x73, 0x74, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x10, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0x83, 0x01, 0x0a, 0x14, 0x52, 0x65, 0x76, + 0x65, 0x72, 0x73, 0x65, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x12, 0x37, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x50, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x12, 0x10, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x72, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x1a, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x28, 0x01, 0x30, 0x01, 0x12, 0x32, 0x0a, 0x0a, 0x68, 0x6f, + 0x73, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x10, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x1a, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x28, 0x01, 0x30, 0x01, 0x12, 0x32, - 0x0a, 0x0a, 0x68, 0x6f, 0x73, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x10, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x1a, 0x0e, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x28, 0x01, - 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, - 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x50, 0x00, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x69, 0x63, 0x79, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x28, 0x01, 0x30, 0x01, 0x42, 0x29, + 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x62, + 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, 0x72, 0x6d, 0x6f, 0x72, + 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x50, 0x00, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( @@ -537,40 +432,36 @@ func file_policy_proto_rawDescGZIP() []byte { } var file_policy_proto_enumTypes = make([]protoimpl.EnumInfo, 1) -var file_policy_proto_msgTypes = make([]protoimpl.MessageInfo, 9) +var file_policy_proto_msgTypes = make([]protoimpl.MessageInfo, 7) var file_policy_proto_goTypes = []interface{}{ (PolicyStatus)(0), // 0: policy.PolicyStatus - (*HealthCheckReq)(nil), // 1: policy.HealthCheckReq - (*HealthCheckReply)(nil), // 2: policy.HealthCheckReply - (*Response)(nil), // 3: policy.response - (*Policy)(nil), // 4: policy.policy - (*ContainerData)(nil), // 5: policy.ContainerData - (*HostSecurityPolicies)(nil), // 6: policy.HostSecurityPolicies - (*ProbeResponse)(nil), // 7: policy.ProbeResponse - nil, // 8: policy.ProbeResponse.ContainerMapEntry - nil, // 9: policy.ProbeResponse.HostMapEntry - (*empty.Empty)(nil), // 10: google.protobuf.Empty + (*Response)(nil), // 1: policy.response + (*Policy)(nil), // 2: policy.policy + (*ContainerData)(nil), // 3: policy.ContainerData + (*HostSecurityPolicies)(nil), // 4: policy.HostSecurityPolicies + (*ProbeResponse)(nil), // 5: policy.ProbeResponse + nil, // 6: policy.ProbeResponse.ContainerMapEntry + nil, // 7: policy.ProbeResponse.HostMapEntry + (*emptypb.Empty)(nil), // 8: google.protobuf.Empty } var file_policy_proto_depIdxs = []int32{ 0, // 0: policy.response.status:type_name -> policy.PolicyStatus - 8, // 1: policy.ProbeResponse.containerMap:type_name -> policy.ProbeResponse.ContainerMapEntry - 9, // 2: policy.ProbeResponse.hostMap:type_name -> policy.ProbeResponse.HostMapEntry - 5, // 3: policy.ProbeResponse.ContainerMapEntry.value:type_name -> policy.ContainerData - 6, // 4: policy.ProbeResponse.HostMapEntry.value:type_name -> policy.HostSecurityPolicies - 10, // 5: policy.ProbeService.getProbeData:input_type -> google.protobuf.Empty - 4, // 6: policy.PolicyService.containerPolicy:input_type -> policy.policy - 4, // 7: policy.PolicyService.hostPolicy:input_type -> policy.policy - 1, // 8: policy.PolicyStreamService.HealthCheck:input_type -> policy.HealthCheckReq - 3, // 9: policy.PolicyStreamService.containerPolicy:input_type -> policy.response - 3, // 10: policy.PolicyStreamService.hostPolicy:input_type -> policy.response - 7, // 11: policy.ProbeService.getProbeData:output_type -> policy.ProbeResponse - 3, // 12: policy.PolicyService.containerPolicy:output_type -> policy.response - 3, // 13: policy.PolicyService.hostPolicy:output_type -> policy.response - 2, // 14: policy.PolicyStreamService.HealthCheck:output_type -> policy.HealthCheckReply - 4, // 15: policy.PolicyStreamService.containerPolicy:output_type -> policy.policy - 4, // 16: policy.PolicyStreamService.hostPolicy:output_type -> policy.policy - 11, // [11:17] is the sub-list for method output_type - 5, // [5:11] is the sub-list for method input_type + 6, // 1: policy.ProbeResponse.containerMap:type_name -> policy.ProbeResponse.ContainerMapEntry + 7, // 2: policy.ProbeResponse.hostMap:type_name -> policy.ProbeResponse.HostMapEntry + 3, // 3: policy.ProbeResponse.ContainerMapEntry.value:type_name -> policy.ContainerData + 4, // 4: policy.ProbeResponse.HostMapEntry.value:type_name -> policy.HostSecurityPolicies + 8, // 5: policy.ProbeService.getProbeData:input_type -> google.protobuf.Empty + 2, // 6: policy.PolicyService.containerPolicy:input_type -> policy.policy + 2, // 7: policy.PolicyService.hostPolicy:input_type -> policy.policy + 1, // 8: policy.ReversePolicyService.containerPolicy:input_type -> policy.response + 1, // 9: policy.ReversePolicyService.hostPolicy:input_type -> policy.response + 5, // 10: policy.ProbeService.getProbeData:output_type -> policy.ProbeResponse + 1, // 11: policy.PolicyService.containerPolicy:output_type -> policy.response + 1, // 12: policy.PolicyService.hostPolicy:output_type -> policy.response + 2, // 13: policy.ReversePolicyService.containerPolicy:output_type -> policy.policy + 2, // 14: policy.ReversePolicyService.hostPolicy:output_type -> policy.policy + 10, // [10:15] is the sub-list for method output_type + 5, // [5:10] is the sub-list for method input_type 5, // [5:5] is the sub-list for extension type_name 5, // [5:5] is the sub-list for extension extendee 0, // [0:5] is the sub-list for field type_name @@ -583,30 +474,6 @@ func file_policy_proto_init() { } if !protoimpl.UnsafeEnabled { file_policy_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*HealthCheckReq); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*HealthCheckReply); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*Response); i { case 0: return &v.state @@ -618,7 +485,7 @@ func file_policy_proto_init() { return nil } } - file_policy_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + file_policy_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*Policy); i { case 0: return &v.state @@ -630,7 +497,7 @@ func file_policy_proto_init() { return nil } } - file_policy_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + file_policy_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*ContainerData); i { case 0: return &v.state @@ -642,7 +509,7 @@ func file_policy_proto_init() { return nil } } - file_policy_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + file_policy_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*HostSecurityPolicies); i { case 0: return &v.state @@ -654,7 +521,7 @@ func file_policy_proto_init() { return nil } } - file_policy_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + file_policy_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*ProbeResponse); i { case 0: return &v.state @@ -673,7 +540,7 @@ func file_policy_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_policy_proto_rawDesc, NumEnums: 1, - NumMessages: 9, + NumMessages: 7, NumExtensions: 0, NumServices: 3, }, diff --git a/protobuf/policy.proto b/protobuf/policy.proto index 62c0040424..122dc356a0 100644 --- a/protobuf/policy.proto +++ b/protobuf/policy.proto @@ -1,20 +1,10 @@ syntax = "proto3"; - -import public "google/protobuf/empty.proto"; package policy; -option go_package="github.com/kubearmor/KubeArmor/protobuf"; - -// Health check -message HealthCheckReq { - int32 nonce = 1; -} +import public "google/protobuf/empty.proto"; -// healthcheck reply message -message HealthCheckReply { - int32 Retval = 1; -} +option go_package="github.com/kubearmor/KubeArmor/protobuf"; enum PolicyStatus { Failure = 0 ; @@ -22,9 +12,9 @@ enum PolicyStatus { Deleted = 2 ; Modified = 3 ; NotExist = 4; - Invalid = 5; - + Invalid = 5; } + message response { PolicyStatus status = 1; } @@ -38,13 +28,14 @@ message ContainerData { int32 policyEnabled = 2; } message HostSecurityPolicies { - repeated string policyList = 1; + repeated string policyList = 1; } message ProbeResponse { repeated string containerList = 1; map containerMap = 2; map hostMap = 3; } + service ProbeService { rpc getProbeData(google.protobuf.Empty) returns (ProbeResponse); } @@ -54,8 +45,7 @@ service PolicyService { rpc hostPolicy (policy) returns (response); } -service PolicyStreamService { - rpc HealthCheck(HealthCheckReq) returns (HealthCheckReply); +service ReversePolicyService { rpc containerPolicy (stream response) returns (stream policy); rpc hostPolicy (stream response) returns (stream policy); } diff --git a/protobuf/policy_grpc.pb.go b/protobuf/policy_grpc.pb.go index 8eae2a7af3..0531574d86 100644 --- a/protobuf/policy_grpc.pb.go +++ b/protobuf/policy_grpc.pb.go @@ -1,17 +1,17 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: -// - protoc-gen-go-grpc v1.2.0 -// - protoc v3.19.4 +// - protoc-gen-go-grpc v1.3.0 +// - protoc v4.24.3 // source: policy.proto package protobuf import ( context "context" - empty "github.com/golang/protobuf/ptypes/empty" grpc "google.golang.org/grpc" codes "google.golang.org/grpc/codes" status "google.golang.org/grpc/status" + emptypb "google.golang.org/protobuf/types/known/emptypb" ) // This is a compile-time assertion to ensure that this generated file @@ -19,11 +19,15 @@ import ( // Requires gRPC-Go v1.32.0 or later. const _ = grpc.SupportPackageIsVersion7 +const ( + ProbeService_GetProbeData_FullMethodName = "/policy.ProbeService/getProbeData" +) + // ProbeServiceClient is the client API for ProbeService service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. type ProbeServiceClient interface { - GetProbeData(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ProbeResponse, error) + GetProbeData(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*ProbeResponse, error) } type probeServiceClient struct { @@ -34,9 +38,9 @@ func NewProbeServiceClient(cc grpc.ClientConnInterface) ProbeServiceClient { return &probeServiceClient{cc} } -func (c *probeServiceClient) GetProbeData(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ProbeResponse, error) { +func (c *probeServiceClient) GetProbeData(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*ProbeResponse, error) { out := new(ProbeResponse) - err := c.cc.Invoke(ctx, "/policy.ProbeService/getProbeData", in, out, opts...) + err := c.cc.Invoke(ctx, ProbeService_GetProbeData_FullMethodName, in, out, opts...) if err != nil { return nil, err } @@ -47,14 +51,14 @@ func (c *probeServiceClient) GetProbeData(ctx context.Context, in *empty.Empty, // All implementations should embed UnimplementedProbeServiceServer // for forward compatibility type ProbeServiceServer interface { - GetProbeData(context.Context, *empty.Empty) (*ProbeResponse, error) + GetProbeData(context.Context, *emptypb.Empty) (*ProbeResponse, error) } // UnimplementedProbeServiceServer should be embedded to have forward compatible implementations. type UnimplementedProbeServiceServer struct { } -func (UnimplementedProbeServiceServer) GetProbeData(context.Context, *empty.Empty) (*ProbeResponse, error) { +func (UnimplementedProbeServiceServer) GetProbeData(context.Context, *emptypb.Empty) (*ProbeResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method GetProbeData not implemented") } @@ -70,7 +74,7 @@ func RegisterProbeServiceServer(s grpc.ServiceRegistrar, srv ProbeServiceServer) } func _ProbeService_GetProbeData_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(empty.Empty) + in := new(emptypb.Empty) if err := dec(in); err != nil { return nil, err } @@ -79,10 +83,10 @@ func _ProbeService_GetProbeData_Handler(srv interface{}, ctx context.Context, de } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: "/policy.ProbeService/getProbeData", + FullMethod: ProbeService_GetProbeData_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(ProbeServiceServer).GetProbeData(ctx, req.(*empty.Empty)) + return srv.(ProbeServiceServer).GetProbeData(ctx, req.(*emptypb.Empty)) } return interceptor(ctx, in, info, handler) } @@ -103,6 +107,11 @@ var ProbeService_ServiceDesc = grpc.ServiceDesc{ Metadata: "policy.proto", } +const ( + PolicyService_ContainerPolicy_FullMethodName = "/policy.PolicyService/containerPolicy" + PolicyService_HostPolicy_FullMethodName = "/policy.PolicyService/hostPolicy" +) + // PolicyServiceClient is the client API for PolicyService service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. @@ -121,7 +130,7 @@ func NewPolicyServiceClient(cc grpc.ClientConnInterface) PolicyServiceClient { func (c *policyServiceClient) ContainerPolicy(ctx context.Context, in *Policy, opts ...grpc.CallOption) (*Response, error) { out := new(Response) - err := c.cc.Invoke(ctx, "/policy.PolicyService/containerPolicy", in, out, opts...) + err := c.cc.Invoke(ctx, PolicyService_ContainerPolicy_FullMethodName, in, out, opts...) if err != nil { return nil, err } @@ -130,7 +139,7 @@ func (c *policyServiceClient) ContainerPolicy(ctx context.Context, in *Policy, o func (c *policyServiceClient) HostPolicy(ctx context.Context, in *Policy, opts ...grpc.CallOption) (*Response, error) { out := new(Response) - err := c.cc.Invoke(ctx, "/policy.PolicyService/hostPolicy", in, out, opts...) + err := c.cc.Invoke(ctx, PolicyService_HostPolicy_FullMethodName, in, out, opts...) if err != nil { return nil, err } @@ -177,7 +186,7 @@ func _PolicyService_ContainerPolicy_Handler(srv interface{}, ctx context.Context } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: "/policy.PolicyService/containerPolicy", + FullMethod: PolicyService_ContainerPolicy_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(PolicyServiceServer).ContainerPolicy(ctx, req.(*Policy)) @@ -195,7 +204,7 @@ func _PolicyService_HostPolicy_Handler(srv interface{}, ctx context.Context, dec } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: "/policy.PolicyService/hostPolicy", + FullMethod: PolicyService_HostPolicy_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(PolicyServiceServer).HostPolicy(ctx, req.(*Policy)) @@ -223,56 +232,51 @@ var PolicyService_ServiceDesc = grpc.ServiceDesc{ Metadata: "policy.proto", } -// PolicyStreamServiceClient is the client API for PolicyStreamService service. +const ( + ReversePolicyService_ContainerPolicy_FullMethodName = "/policy.ReversePolicyService/containerPolicy" + ReversePolicyService_HostPolicy_FullMethodName = "/policy.ReversePolicyService/hostPolicy" +) + +// ReversePolicyServiceClient is the client API for ReversePolicyService service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. -type PolicyStreamServiceClient interface { - HealthCheck(ctx context.Context, in *HealthCheckReq, opts ...grpc.CallOption) (*HealthCheckReply, error) - ContainerPolicy(ctx context.Context, opts ...grpc.CallOption) (PolicyStreamService_ContainerPolicyClient, error) - HostPolicy(ctx context.Context, opts ...grpc.CallOption) (PolicyStreamService_HostPolicyClient, error) +type ReversePolicyServiceClient interface { + ContainerPolicy(ctx context.Context, opts ...grpc.CallOption) (ReversePolicyService_ContainerPolicyClient, error) + HostPolicy(ctx context.Context, opts ...grpc.CallOption) (ReversePolicyService_HostPolicyClient, error) } -type policyStreamServiceClient struct { +type reversePolicyServiceClient struct { cc grpc.ClientConnInterface } -func NewPolicyStreamServiceClient(cc grpc.ClientConnInterface) PolicyStreamServiceClient { - return &policyStreamServiceClient{cc} +func NewReversePolicyServiceClient(cc grpc.ClientConnInterface) ReversePolicyServiceClient { + return &reversePolicyServiceClient{cc} } -func (c *policyStreamServiceClient) HealthCheck(ctx context.Context, in *HealthCheckReq, opts ...grpc.CallOption) (*HealthCheckReply, error) { - out := new(HealthCheckReply) - err := c.cc.Invoke(ctx, "/policy.PolicyStreamService/HealthCheck", in, out, opts...) +func (c *reversePolicyServiceClient) ContainerPolicy(ctx context.Context, opts ...grpc.CallOption) (ReversePolicyService_ContainerPolicyClient, error) { + stream, err := c.cc.NewStream(ctx, &ReversePolicyService_ServiceDesc.Streams[0], ReversePolicyService_ContainerPolicy_FullMethodName, opts...) if err != nil { return nil, err } - return out, nil -} - -func (c *policyStreamServiceClient) ContainerPolicy(ctx context.Context, opts ...grpc.CallOption) (PolicyStreamService_ContainerPolicyClient, error) { - stream, err := c.cc.NewStream(ctx, &PolicyStreamService_ServiceDesc.Streams[0], "/policy.PolicyStreamService/containerPolicy", opts...) - if err != nil { - return nil, err - } - x := &policyStreamServiceContainerPolicyClient{stream} + x := &reversePolicyServiceContainerPolicyClient{stream} return x, nil } -type PolicyStreamService_ContainerPolicyClient interface { +type ReversePolicyService_ContainerPolicyClient interface { Send(*Response) error Recv() (*Policy, error) grpc.ClientStream } -type policyStreamServiceContainerPolicyClient struct { +type reversePolicyServiceContainerPolicyClient struct { grpc.ClientStream } -func (x *policyStreamServiceContainerPolicyClient) Send(m *Response) error { +func (x *reversePolicyServiceContainerPolicyClient) Send(m *Response) error { return x.ClientStream.SendMsg(m) } -func (x *policyStreamServiceContainerPolicyClient) Recv() (*Policy, error) { +func (x *reversePolicyServiceContainerPolicyClient) Recv() (*Policy, error) { m := new(Policy) if err := x.ClientStream.RecvMsg(m); err != nil { return nil, err @@ -280,30 +284,30 @@ func (x *policyStreamServiceContainerPolicyClient) Recv() (*Policy, error) { return m, nil } -func (c *policyStreamServiceClient) HostPolicy(ctx context.Context, opts ...grpc.CallOption) (PolicyStreamService_HostPolicyClient, error) { - stream, err := c.cc.NewStream(ctx, &PolicyStreamService_ServiceDesc.Streams[1], "/policy.PolicyStreamService/hostPolicy", opts...) +func (c *reversePolicyServiceClient) HostPolicy(ctx context.Context, opts ...grpc.CallOption) (ReversePolicyService_HostPolicyClient, error) { + stream, err := c.cc.NewStream(ctx, &ReversePolicyService_ServiceDesc.Streams[1], ReversePolicyService_HostPolicy_FullMethodName, opts...) if err != nil { return nil, err } - x := &policyStreamServiceHostPolicyClient{stream} + x := &reversePolicyServiceHostPolicyClient{stream} return x, nil } -type PolicyStreamService_HostPolicyClient interface { +type ReversePolicyService_HostPolicyClient interface { Send(*Response) error Recv() (*Policy, error) grpc.ClientStream } -type policyStreamServiceHostPolicyClient struct { +type reversePolicyServiceHostPolicyClient struct { grpc.ClientStream } -func (x *policyStreamServiceHostPolicyClient) Send(m *Response) error { +func (x *reversePolicyServiceHostPolicyClient) Send(m *Response) error { return x.ClientStream.SendMsg(m) } -func (x *policyStreamServiceHostPolicyClient) Recv() (*Policy, error) { +func (x *reversePolicyServiceHostPolicyClient) Recv() (*Policy, error) { m := new(Policy) if err := x.ClientStream.RecvMsg(m); err != nil { return nil, err @@ -311,77 +315,55 @@ func (x *policyStreamServiceHostPolicyClient) Recv() (*Policy, error) { return m, nil } -// PolicyStreamServiceServer is the server API for PolicyStreamService service. -// All implementations should embed UnimplementedPolicyStreamServiceServer +// ReversePolicyServiceServer is the server API for ReversePolicyService service. +// All implementations should embed UnimplementedReversePolicyServiceServer // for forward compatibility -type PolicyStreamServiceServer interface { - HealthCheck(context.Context, *HealthCheckReq) (*HealthCheckReply, error) - ContainerPolicy(PolicyStreamService_ContainerPolicyServer) error - HostPolicy(PolicyStreamService_HostPolicyServer) error +type ReversePolicyServiceServer interface { + ContainerPolicy(ReversePolicyService_ContainerPolicyServer) error + HostPolicy(ReversePolicyService_HostPolicyServer) error } -// UnimplementedPolicyStreamServiceServer should be embedded to have forward compatible implementations. -type UnimplementedPolicyStreamServiceServer struct { +// UnimplementedReversePolicyServiceServer should be embedded to have forward compatible implementations. +type UnimplementedReversePolicyServiceServer struct { } -func (UnimplementedPolicyStreamServiceServer) HealthCheck(context.Context, *HealthCheckReq) (*HealthCheckReply, error) { - return nil, status.Errorf(codes.Unimplemented, "method HealthCheck not implemented") -} -func (UnimplementedPolicyStreamServiceServer) ContainerPolicy(PolicyStreamService_ContainerPolicyServer) error { +func (UnimplementedReversePolicyServiceServer) ContainerPolicy(ReversePolicyService_ContainerPolicyServer) error { return status.Errorf(codes.Unimplemented, "method ContainerPolicy not implemented") } -func (UnimplementedPolicyStreamServiceServer) HostPolicy(PolicyStreamService_HostPolicyServer) error { +func (UnimplementedReversePolicyServiceServer) HostPolicy(ReversePolicyService_HostPolicyServer) error { return status.Errorf(codes.Unimplemented, "method HostPolicy not implemented") } -// UnsafePolicyStreamServiceServer may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to PolicyStreamServiceServer will +// UnsafeReversePolicyServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to ReversePolicyServiceServer will // result in compilation errors. -type UnsafePolicyStreamServiceServer interface { - mustEmbedUnimplementedPolicyStreamServiceServer() -} - -func RegisterPolicyStreamServiceServer(s grpc.ServiceRegistrar, srv PolicyStreamServiceServer) { - s.RegisterService(&PolicyStreamService_ServiceDesc, srv) +type UnsafeReversePolicyServiceServer interface { + mustEmbedUnimplementedReversePolicyServiceServer() } -func _PolicyStreamService_HealthCheck_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(HealthCheckReq) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(PolicyStreamServiceServer).HealthCheck(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: "/policy.PolicyStreamService/HealthCheck", - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(PolicyStreamServiceServer).HealthCheck(ctx, req.(*HealthCheckReq)) - } - return interceptor(ctx, in, info, handler) +func RegisterReversePolicyServiceServer(s grpc.ServiceRegistrar, srv ReversePolicyServiceServer) { + s.RegisterService(&ReversePolicyService_ServiceDesc, srv) } -func _PolicyStreamService_ContainerPolicy_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(PolicyStreamServiceServer).ContainerPolicy(&policyStreamServiceContainerPolicyServer{stream}) +func _ReversePolicyService_ContainerPolicy_Handler(srv interface{}, stream grpc.ServerStream) error { + return srv.(ReversePolicyServiceServer).ContainerPolicy(&reversePolicyServiceContainerPolicyServer{stream}) } -type PolicyStreamService_ContainerPolicyServer interface { +type ReversePolicyService_ContainerPolicyServer interface { Send(*Policy) error Recv() (*Response, error) grpc.ServerStream } -type policyStreamServiceContainerPolicyServer struct { +type reversePolicyServiceContainerPolicyServer struct { grpc.ServerStream } -func (x *policyStreamServiceContainerPolicyServer) Send(m *Policy) error { +func (x *reversePolicyServiceContainerPolicyServer) Send(m *Policy) error { return x.ServerStream.SendMsg(m) } -func (x *policyStreamServiceContainerPolicyServer) Recv() (*Response, error) { +func (x *reversePolicyServiceContainerPolicyServer) Recv() (*Response, error) { m := new(Response) if err := x.ServerStream.RecvMsg(m); err != nil { return nil, err @@ -389,25 +371,25 @@ func (x *policyStreamServiceContainerPolicyServer) Recv() (*Response, error) { return m, nil } -func _PolicyStreamService_HostPolicy_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(PolicyStreamServiceServer).HostPolicy(&policyStreamServiceHostPolicyServer{stream}) +func _ReversePolicyService_HostPolicy_Handler(srv interface{}, stream grpc.ServerStream) error { + return srv.(ReversePolicyServiceServer).HostPolicy(&reversePolicyServiceHostPolicyServer{stream}) } -type PolicyStreamService_HostPolicyServer interface { +type ReversePolicyService_HostPolicyServer interface { Send(*Policy) error Recv() (*Response, error) grpc.ServerStream } -type policyStreamServiceHostPolicyServer struct { +type reversePolicyServiceHostPolicyServer struct { grpc.ServerStream } -func (x *policyStreamServiceHostPolicyServer) Send(m *Policy) error { +func (x *reversePolicyServiceHostPolicyServer) Send(m *Policy) error { return x.ServerStream.SendMsg(m) } -func (x *policyStreamServiceHostPolicyServer) Recv() (*Response, error) { +func (x *reversePolicyServiceHostPolicyServer) Recv() (*Response, error) { m := new(Response) if err := x.ServerStream.RecvMsg(m); err != nil { return nil, err @@ -415,28 +397,23 @@ func (x *policyStreamServiceHostPolicyServer) Recv() (*Response, error) { return m, nil } -// PolicyStreamService_ServiceDesc is the grpc.ServiceDesc for PolicyStreamService service. +// ReversePolicyService_ServiceDesc is the grpc.ServiceDesc for ReversePolicyService service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) -var PolicyStreamService_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "policy.PolicyStreamService", - HandlerType: (*PolicyStreamServiceServer)(nil), - Methods: []grpc.MethodDesc{ - { - MethodName: "HealthCheck", - Handler: _PolicyStreamService_HealthCheck_Handler, - }, - }, +var ReversePolicyService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "policy.ReversePolicyService", + HandlerType: (*ReversePolicyServiceServer)(nil), + Methods: []grpc.MethodDesc{}, Streams: []grpc.StreamDesc{ { StreamName: "containerPolicy", - Handler: _PolicyStreamService_ContainerPolicy_Handler, + Handler: _ReversePolicyService_ContainerPolicy_Handler, ServerStreams: true, ClientStreams: true, }, { StreamName: "hostPolicy", - Handler: _PolicyStreamService_HostPolicy_Handler, + Handler: _ReversePolicyService_HostPolicy_Handler, ServerStreams: true, ClientStreams: true, }, From 9a621e0540a7f29e69742b4ba253ba6e97ff06b5 Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Wed, 25 Oct 2023 18:00:38 +0530 Subject: [PATCH 3/8] refactor feeder and add reverse services Signed-off-by: Rudraksh Pareek --- KubeArmor/Makefile | 2 +- KubeArmor/common/common.go | 20 +- KubeArmor/config/config.go | 21 ++ KubeArmor/core/containerdHandler.go | 10 +- KubeArmor/core/dockerHandler.go | 28 +- KubeArmor/core/kubeArmor.go | 40 +- KubeArmor/feeder/feeder.go | 461 ++++++++++++------------ KubeArmor/feeder/logServer.go | 125 +++++++ KubeArmor/feeder/policyMatcher.go | 4 +- KubeArmor/feeder/reverseLogserver.go | 260 +++++++++++++ KubeArmor/policy/policy.go | 8 +- KubeArmor/policy/reversePolicyServer.go | 242 +++++++++++++ KubeArmor/state/data.go | 55 ++- KubeArmor/state/stateAgent.go | 98 ++--- KubeArmor/types/types.go | 16 +- 15 files changed, 1038 insertions(+), 352 deletions(-) create mode 100644 KubeArmor/feeder/logServer.go create mode 100644 KubeArmor/feeder/reverseLogserver.go create mode 100644 KubeArmor/policy/reversePolicyServer.go diff --git a/KubeArmor/Makefile b/KubeArmor/Makefile index fdb55bf62a..a1acd227cc 100644 --- a/KubeArmor/Makefile +++ b/KubeArmor/Makefile @@ -55,7 +55,7 @@ run: build .PHONY: run-container run-container: build cd $(CURDIR); sudo rm -f /tmp/kubearmor.log - cd $(CURDIR); sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableKubeArmorHostPolicy -enableKubeArmorPolicy -k8s=false + cd $(CURDIR); sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableKubeArmorHostPolicy -enableKubeArmorPolicy -k8s=false -criSocket=unix:///var/run/docker.sock .PHONY: run-host-only run-host-only: build diff --git a/KubeArmor/common/common.go b/KubeArmor/common/common.go index 3adcf1e97b..5867f3b578 100644 --- a/KubeArmor/common/common.go +++ b/KubeArmor/common/common.go @@ -20,6 +20,7 @@ import ( kc "github.com/kubearmor/KubeArmor/KubeArmor/config" kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + "golang.org/x/sys/unix" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -378,12 +379,6 @@ func IsK8sEnv() bool { return false } -// IsECSEnv Function -func IsECSEnv() bool { - _, ok := os.LookupEnv("ECS_CONTAINER_METADATA_URI_V4") - return ok -} - // ContainerRuntimeSocketMap Structure var ContainerRuntimeSocketMap = map[string][]string{ "docker": { @@ -510,3 +505,16 @@ func HandleGRPCErrors(err error) error { return nil } + +// get boot time +// credits: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/util/boottime_util_linux.go +func GetBootTime() string { + currentTime := time.Now() + + var info unix.Sysinfo_t + if err := unix.Sysinfo(&info); err != nil { + return "" + } + + return currentTime.Add(-time.Duration(info.Uptime) * time.Second).Truncate(time.Second).UTC().String() +} diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go index 3931a5440b..ee64078432 100644 --- a/KubeArmor/config/config.go +++ b/KubeArmor/config/config.go @@ -50,6 +50,9 @@ type KubearmorConfig struct { EnforcerAlerts bool // policy enforcer DefaultPostureLogs bool // Enable/Disable Default Posture logs for AppArmor LSM + ReverseGRPCServer bool // to enable/disable reverse grpc server + RelayServerURL string // URL of relay server + StateAgent bool // Enable/Disable State Agent Client StateAgentAddr string // Address to State Agent Server } @@ -88,6 +91,12 @@ const ( ConfigDefaultPostureLogs string = "defaultPostureLogs" ) +// ConfigReverseGRPCServer state agent key +const ConfigReverseGRPCServer string = "enableReverseGRPC" + +// ConfigRelayServerURL Path key +const ConfigRelayServerURL string = "relayServerURL" + // ConfigStateAgent state agent key const ConfigStateAgent string = "enableStateAgent" @@ -133,6 +142,9 @@ func readCmdLineParams() { defaultPostureLogs := flag.Bool(ConfigDefaultPostureLogs, true, "Default Posture Alerts (for Apparmor only)") + reverseGRPCServer := flag.Bool(ConfigReverseGRPCServer, false, "enabling KubeArmor Reverse Log and Policy gRPC Service") + relayServerURLStr := flag.String(ConfigRelayServerURL, "http://localhost:2801/", "relay-server http URL listening for logs") + stateAgent := flag.Bool(ConfigStateAgent, false, "enabling KubeArmor State Agent client") stateAgentAddr := flag.String(ConfigStateAgentAddr, "localhost:8801", "address of State Agent Server") @@ -183,6 +195,9 @@ func readCmdLineParams() { viper.SetDefault(ConfigDefaultPostureLogs, *defaultPostureLogs) + viper.SetDefault(ConfigReverseGRPCServer, *reverseGRPCServer) + viper.SetDefault(ConfigRelayServerURL, *relayServerURLStr) + viper.SetDefault(ConfigStateAgent, *stateAgent) viper.SetDefault(ConfigStateAgentAddr, *stateAgentAddr) } @@ -212,6 +227,9 @@ func LoadConfig() error { GlobalCfg.Cluster = viper.GetString(ConfigCluster) GlobalCfg.Host = viper.GetString(ConfigHost) + if hostname, err := os.Hostname(); GlobalCfg.Host == "" && err == nil { + GlobalCfg.Host = strings.Split(hostname, ".")[0] + } GlobalCfg.GRPC = viper.GetString(ConfigGRPC) GlobalCfg.LogPath = viper.GetString(ConfigLogPath) @@ -270,6 +288,9 @@ func LoadConfig() error { GlobalCfg.DefaultPostureLogs = viper.GetBool(ConfigDefaultPostureLogs) + GlobalCfg.ReverseGRPCServer = viper.GetBool(ConfigReverseGRPCServer) + GlobalCfg.RelayServerURL = viper.GetString(ConfigRelayServerURL) + GlobalCfg.StateAgent = viper.GetBool(ConfigStateAgent) GlobalCfg.StateAgentAddr = viper.GetString(ConfigStateAgentAddr) diff --git a/KubeArmor/core/containerdHandler.go b/KubeArmor/core/containerdHandler.go index 561e8db082..d062d6b384 100644 --- a/KubeArmor/core/containerdHandler.go +++ b/KubeArmor/core/containerdHandler.go @@ -192,11 +192,11 @@ func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID s container.Labels = strings.Join(labels, ",") /* - container.Owner = tp.PodOwner{ - Name: container.ContainerName, - Namespace: container.NamespaceName, - Ref: "Deployment", - } + container.Owner = tp.PodOwner{ + Name: container.ContainerName, + Namespace: container.NamespaceName, + Ref: "Deployment", + } */ } diff --git a/KubeArmor/core/dockerHandler.go b/KubeArmor/core/dockerHandler.go index 7cdc39a231..ee6ebcb392 100644 --- a/KubeArmor/core/dockerHandler.go +++ b/KubeArmor/core/dockerHandler.go @@ -10,6 +10,7 @@ import ( "os" "strconv" "strings" + "time" "github.com/docker/docker/api/types" "github.com/docker/docker/api/types/events" @@ -147,9 +148,6 @@ func (dh *DockerHandler) GetContainerInfo(containerID string) (tp.Container, err if cfg.GlobalCfg.StateAgent && !cfg.GlobalCfg.K8sEnv { container.ContainerImage = inspect.Config.Image //+ kl.GetSHA256ofImage(inspect.Image) - // TODO - container.ProtocolPort = "0" - container.NodeName = cfg.GlobalCfg.Host labels := []string{} @@ -176,12 +174,26 @@ func (dh *DockerHandler) GetContainerInfo(containerID string) (tp.Container, err } container.ContainerIP = podIP - /* - container.Owner = tp.PodOwner{ - Name: container.ContainerName, - Namespace: container.NamespaceName, - Ref: "Deployment", + // time format used by docker engine is RFC3339Nano + lastUpdatedAt, err := time.Parse(time.RFC3339Nano, inspect.State.StartedAt) + if err == nil { + container.LastUpdatedAt = lastUpdatedAt.UTC().String() + } + // finished at is IsZero until a container exits + timeFinished, err := time.Parse(time.RFC3339Nano, inspect.State.FinishedAt) + if err == nil && !timeFinished.IsZero() && timeFinished.After(lastUpdatedAt) { + lastUpdatedAt = timeFinished } + + // TODO + container.ProtocolPort = "0" + + /* + container.Owner = tp.PodOwner{ + Name: container.ContainerName, + Namespace: container.NamespaceName, + Ref: "Deployment", + } */ } diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go index f08cc6657d..9dd820ddff 100644 --- a/KubeArmor/core/kubeArmor.go +++ b/KubeArmor/core/kubeArmor.go @@ -92,6 +92,9 @@ type KubeArmorDaemon struct { // state agent StateAgent *state.StateAgent + // reverse policy server + ReversePolicyServer *policy.ReversePolicyServer + // WgDaemon Handler WgDaemon sync.WaitGroup @@ -186,6 +189,12 @@ func (dm *KubeArmorDaemon) DestroyKubeArmorDaemon() { } } + if dm.ReversePolicyServer != nil { + if dm.CloseReversePolicyServer() { + kg.Print("Destroyed ReversePolicyServer") + } + } + // wait for other routines kg.Print("Waiting for routine terminations") dm.WgDaemon.Wait() @@ -217,6 +226,10 @@ func (dm *KubeArmorDaemon) ServeLogFeeds() { defer dm.WgDaemon.Done() go dm.Logger.ServeLogFeeds() + + if cfg.GlobalCfg.ReverseGRPCServer { + go dm.Logger.ServeReverseLogFeeds() + } } // CloseLogger Function @@ -228,6 +241,13 @@ func (dm *KubeArmorDaemon) CloseLogger() bool { return true } +func (dm *KubeArmorDaemon) CloseReversePolicyServer() bool { + if err := dm.ReversePolicyServer.DestroyReversePolicyServer(); err != nil { + return false + } + return true +} + // ==================== // // == System Monitor == // // ==================== // @@ -379,6 +399,8 @@ func KubeArmor() { } } + dm.Node.LastUpdatedAt = kl.GetBootTime() + dm.Node.KernelVersion = kl.GetCommandOutputWithoutErr("uname", []string{"-r"}) dm.Node.KernelVersion = strings.TrimSuffix(dm.Node.KernelVersion, "\n") @@ -695,7 +717,7 @@ func KubeArmor() { } if !dm.K8sEnabled && (enableContainerPolicy || cfg.GlobalCfg.HostPolicy) { - policyService := &policy.ServiceServer{} + policyService := &policy.PolicyServer{} if enableContainerPolicy { policyService.UpdateContainerPolicy = dm.ParseAndUpdateContainerSecurityPolicy dm.Logger.Print("Started to monitor container security policies on gRPC") @@ -706,11 +728,27 @@ func KubeArmor() { dm.Logger.Print("Started to monitor host security policies on gRPC") } pb.RegisterPolicyServiceServer(dm.Logger.LogServer, policyService) + //Enable grpc service to send kubearmor data to client in unorchestrated mode probe := &Probe{} probe.GetContainerData = dm.SetProbeContainerData pb.RegisterProbeServiceServer(dm.Logger.LogServer, probe) + if cfg.GlobalCfg.ReverseGRPCServer { + dm.ReversePolicyServer = policy.NewReversePolicyServer(dm.Logger.RelayServerURL) + + if enableContainerPolicy { + dm.ReversePolicyServer.UpdateContainerPolicy = dm.ParseAndUpdateContainerSecurityPolicy + dm.Logger.Print("Started to monitor container security policies over reverse gRPC connection") + } + + if cfg.GlobalCfg.HostPolicy { + dm.ReversePolicyServer.UpdateHostPolicy = dm.ParseAndUpdateHostSecurityPolicy + dm.Logger.Print("Started to monitor host security policies over reverse gRPC connection") + } + + go dm.ReversePolicyServer.WatchPolicies() + } } reflection.Register(dm.Logger.LogServer) // Helps grpc clients list out what all svc/endpoints available diff --git a/KubeArmor/feeder/feeder.go b/KubeArmor/feeder/feeder.go index 9a89b83ab5..ccefb16402 100644 --- a/KubeArmor/feeder/feeder.go +++ b/KubeArmor/feeder/feeder.go @@ -24,8 +24,8 @@ import ( "github.com/google/uuid" pb "github.com/kubearmor/KubeArmor/protobuf" "google.golang.org/grpc" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" + "google.golang.org/grpc/health" + "google.golang.org/grpc/health/grpc_health_v1" ) // ============ // @@ -46,245 +46,175 @@ func init() { // == gRPC == // // ========== // -// MsgStruct Structure -type MsgStruct struct { +// EventStruct Structure +type EventStruct[T any] struct { Filter string - Broadcast chan *pb.Message + Broadcast chan *T } -// MsgStructs Map -var MsgStructs map[string]MsgStruct +type EventStructs struct { + MsgStructs map[string]EventStruct[pb.Message] + MsgLock sync.RWMutex -// MsgLock Lock -var MsgLock *sync.RWMutex + AlertStructs map[string]EventStruct[pb.Alert] + AlertLock sync.RWMutex -// AlertStruct Structure -type AlertStruct struct { - Filter string - Broadcast chan *pb.Alert + LogStructs map[string]EventStruct[pb.Log] + LogLock sync.RWMutex } -// AlertStructs Map -var AlertStructs map[string]AlertStruct - -// AlertLock Lock -var AlertLock *sync.RWMutex +// AddMsgStruct Function +func (es *EventStructs) AddMsgStruct(filter string, queueSize int) (string, chan *pb.Message) { + es.MsgLock.Lock() + defer es.MsgLock.Unlock() -// LogStruct Structure -type LogStruct struct { - Filter string - Broadcast chan *pb.Log -} + uid := uuid.Must(uuid.NewRandom()).String() + conn := make(chan *pb.Message, queueSize) -// LogStructs Map -var LogStructs map[string]LogStruct + msgStruct := EventStruct[pb.Message]{ + Filter: filter, + Broadcast: conn, + } -// LogLock Lock -var LogLock *sync.RWMutex + es.MsgStructs[uid] = msgStruct -// LogService Structure -type LogService struct { - // + return uid, conn } -// HealthCheck Function -func (ls *LogService) HealthCheck(ctx context.Context, nonce *pb.NonceMessage) (*pb.ReplyMessage, error) { - replyMessage := pb.ReplyMessage{Retval: nonce.Nonce} - return &replyMessage, nil -} - -// addMsgStruct Function -func (ls *LogService) addMsgStruct(uid string, conn chan *pb.Message, filter string) { - MsgLock.Lock() - defer MsgLock.Unlock() - - msgStruct := MsgStruct{} - msgStruct.Filter = filter - msgStruct.Broadcast = conn - MsgStructs[uid] = msgStruct +// RemoveMsgStruct Function +func (es *EventStructs) RemoveMsgStruct(uid string) { + es.MsgLock.Lock() + defer es.MsgLock.Unlock() - kg.Printf("Added a new client (%s) for WatchMessages", uid) + delete(es.MsgStructs, uid) } -// removeMsgStruct Function -func (ls *LogService) removeMsgStruct(uid string) { - MsgLock.Lock() - defer MsgLock.Unlock() +// AddAlertStruct Function +func (es *EventStructs) AddAlertStruct(filter string, queueSize int) (string, chan *pb.Alert) { + es.AlertLock.Lock() + defer es.AlertLock.Unlock() - delete(MsgStructs, uid) - - kg.Printf("Deleted the client (%s) for WatchMessages", uid) -} - -// WatchMessages Function -func (ls *LogService) WatchMessages(req *pb.RequestMessage, svr pb.LogService_WatchMessagesServer) error { uid := uuid.Must(uuid.NewRandom()).String() - conn := make(chan *pb.Message, QueueSize) - defer close(conn) - ls.addMsgStruct(uid, conn, req.Filter) - defer ls.removeMsgStruct(uid) + conn := make(chan *pb.Alert, queueSize) - for Running { - select { - case <-svr.Context().Done(): - return nil - case resp := <-conn: - if status, ok := status.FromError(svr.Send(resp)); ok { - switch status.Code() { - case codes.OK: - // noop - case codes.Unavailable, codes.Canceled, codes.DeadlineExceeded: - kg.Warnf("Failed to send a message=[%+v] err=[%s]", resp, status.Err().Error()) - return status.Err() - default: - return nil - } - } - } + alertStruct := EventStruct[pb.Alert]{ + Filter: filter, + Broadcast: conn, } - return nil -} - -// addAlertStruct Function -func (ls *LogService) addAlertStruct(uid string, conn chan *pb.Alert, filter string) { - AlertLock.Lock() - defer AlertLock.Unlock() + es.AlertStructs[uid] = alertStruct - alertStruct := AlertStruct{} - alertStruct.Filter = filter - alertStruct.Broadcast = conn - AlertStructs[uid] = alertStruct - - kg.Printf("Added a new client (%s, %s) for WatchAlerts", uid, filter) + return uid, conn } // removeAlertStruct Function -func (ls *LogService) removeAlertStruct(uid string) { - AlertLock.Lock() - defer AlertLock.Unlock() - - delete(AlertStructs, uid) +func (es *EventStructs) RemoveAlertStruct(uid string) { + es.AlertLock.Lock() + defer es.AlertLock.Unlock() - kg.Printf("Deleted the client (%s) for WatchAlerts", uid) + delete(es.AlertStructs, uid) } -// WatchAlerts Function -func (ls *LogService) WatchAlerts(req *pb.RequestMessage, svr pb.LogService_WatchAlertsServer) error { +// addLogStruct Function +func (es *EventStructs) AddLogStruct(filter string, queueSize int) (string, chan *pb.Log) { + es.LogLock.Lock() + defer es.LogLock.Unlock() + uid := uuid.Must(uuid.NewRandom()).String() + conn := make(chan *pb.Log, queueSize) - if req.Filter != "all" && req.Filter != "policy" { - return nil + logStruct := EventStruct[pb.Log]{ + Filter: filter, + Broadcast: conn, } - conn := make(chan *pb.Alert, QueueSize) - defer close(conn) - ls.addAlertStruct(uid, conn, req.Filter) - defer ls.removeAlertStruct(uid) - for Running { - select { - case <-svr.Context().Done(): - return nil - case resp := <-conn: - if status, ok := status.FromError(svr.Send(resp)); ok { - switch status.Code() { - case codes.OK: - // noop - case codes.Unavailable, codes.Canceled, codes.DeadlineExceeded: - kg.Warnf("Failed to send an alert=[%+v] err=[%s]", resp, status.Err().Error()) - return status.Err() - default: - return nil - } - } - } - } + es.LogStructs[uid] = logStruct - return nil -} - -// addLogStruct Function -func (ls *LogService) addLogStruct(uid string, conn chan *pb.Log, filter string) { - LogLock.Lock() - defer LogLock.Unlock() - - logStruct := LogStruct{} - logStruct.Filter = filter - logStruct.Broadcast = conn - LogStructs[uid] = logStruct - - kg.Printf("Added a new client (%s, %s) for WatchLogs", uid, filter) + return uid, conn } // removeLogStruct Function -func (ls *LogService) removeLogStruct(uid string) { - LogLock.Lock() - defer LogLock.Unlock() +func (es *EventStructs) RemoveLogStruct(uid string) { + es.LogLock.Lock() + defer es.LogLock.Unlock() - delete(LogStructs, uid) - - kg.Printf("Deleted the client (%s) for WatchLogs", uid) + delete(es.LogStructs, uid) } -// WatchLogs Function -func (ls *LogService) WatchLogs(req *pb.RequestMessage, svr pb.LogService_WatchLogsServer) error { - uid := uuid.Must(uuid.NewRandom()).String() - - if req.Filter != "all" && req.Filter != "system" { - return nil - } - conn := make(chan *pb.Log, QueueSize) - defer close(conn) - ls.addLogStruct(uid, conn, req.Filter) - defer ls.removeLogStruct(uid) - - for Running { - select { - case <-svr.Context().Done(): - return nil - case resp := <-conn: - if status, ok := status.FromError(svr.Send(resp)); ok { - switch status.Code() { - case codes.OK: - // noop - case codes.Unavailable, codes.Canceled, codes.DeadlineExceeded: - kg.Warnf("Failed to send a log=[%+v] err=[%s] CODE=%d", resp, status.Err().Error(), status.Code()) - return status.Err() - default: - return nil - } - } - } - } - - return nil +/* +// HealthCheck Function +func (ls *LogService) HealthCheck(ctx context.Context, nonce *pb.NonceMessage) (*pb.ReplyMessage, error) { + replyMessage := pb.ReplyMessage{Retval: nonce.Nonce} + return &replyMessage, nil } +*/ // ============ // // == Feeder == // // ============ // +type FeederInterface interface { + // Methods -// Feeder Structure -type Feeder struct { + // How does the feeder pushes logs and messages + PushLog(tp.Log) + PushMessage(string, string) + + // How does this feeder match log with policy + UpdateMatchedPolicy(tp.Log) + + // How this feeder serves log feeds + ServeLogFeeds() +} + +type BaseFeeder struct { // node Node *tp.Node NodeLock **sync.RWMutex - // port - Port string + // wait group + WgServer sync.WaitGroup // output Output string LogFile *os.File + // Activated Enforcer + Enforcer string + + // Msg, log and alert connection stores + EventStructs *EventStructs + + // True if feeder and its workers are working + Running bool + + // LogServer // + + // port + Port string + // gRPC listener Listener net.Listener // log server LogServer *grpc.Server - // wait group - WgServer sync.WaitGroup + // ReverseLogServer // + + // URL of RelayServer + RelayServerURL string + + // log server with connection initalized by KubeArmor + ReverseLogServer *ReverseLogService + + Context context.Context + Cancel context.CancelFunc +} + +// Feeder Structure +type Feeder struct { + BaseFeeder + + // KubeArmor feeder // // namespace name + endpoint name / host name -> corresponding security policies SecurityPolicies map[string]tp.MatchPolicies @@ -293,24 +223,20 @@ type Feeder struct { // DefaultPosture (namespace -> postures) DefaultPostures map[string]tp.DefaultPosture DefaultPosturesLock *sync.Mutex - - // GKE - IsGKE bool - - // Activated Enforcer - Enforcer string } // NewFeeder Function func NewFeeder(node *tp.Node, nodeLock **sync.RWMutex) *Feeder { fd := &Feeder{} + // base feeder // + // node fd.Node = node fd.NodeLock = nodeLock - // gRPC configuration - fd.Port = fmt.Sprintf(":%s", cfg.GlobalCfg.GRPC) + // set wait group + fd.WgServer = sync.WaitGroup{} // output fd.Output = cfg.GlobalCfg.LogPath @@ -326,6 +252,30 @@ func NewFeeder(node *tp.Node, nodeLock **sync.RWMutex) *Feeder { fd.LogFile = logFile } + // default enforcer + fd.Enforcer = "eBPF Monitor" + + // initialize msg structs + fd.EventStructs = &EventStructs{ + MsgStructs: make(map[string]EventStruct[pb.Message]), + MsgLock: sync.RWMutex{}, + + // initialize alert structs + AlertStructs: make(map[string]EventStruct[pb.Alert]), + AlertLock: sync.RWMutex{}, + + // initialize log structs + LogStructs: make(map[string]EventStruct[pb.Log]), + LogLock: sync.RWMutex{}, + } + + fd.Running = true + + // LogServer // + + // gRPC configuration + fd.Port = fmt.Sprintf(":%s", cfg.GlobalCfg.GRPC) + // listen to gRPC port listener, err := net.Listen("tcp", fd.Port) if err != nil { @@ -359,26 +309,30 @@ func NewFeeder(node *tp.Node, nodeLock **sync.RWMutex) *Feeder { } // create a log server + + logService := &LogService{ + QueueSize: 1000, + Running: &fd.Running, + EventStructs: fd.EventStructs, + } + fd.LogServer = grpc.NewServer() - // register a log service - logService := &LogService{} pb.RegisterLogServiceServer(fd.LogServer, logService) + grpc_health_v1.RegisterHealthServer(fd.LogServer, health.NewServer()) - // initialize msg structs - MsgStructs = make(map[string]MsgStruct) - MsgLock = &sync.RWMutex{} + // ReverseLogServer // - // initialize alert structs - AlertStructs = make(map[string]AlertStruct) - AlertLock = &sync.RWMutex{} + host, port, err := kl.ParseURL(cfg.GlobalCfg.RelayServerURL) + if err != nil { + kg.Errf("Failed to parse Relay Server URL: %s", err.Error()) + return nil + } + fd.RelayServerURL = fmt.Sprintf("%s:%s", host, port) - // initialize log structs - LogStructs = make(map[string]LogStruct) - LogLock = &sync.RWMutex{} + fd.Context, fd.Cancel = context.WithCancel(context.Background()) - // set wait group - fd.WgServer = sync.WaitGroup{} + // Feeder // // initialize security policies fd.SecurityPolicies = map[string]tp.MatchPolicies{} @@ -388,30 +342,19 @@ func NewFeeder(node *tp.Node, nodeLock **sync.RWMutex) *Feeder { fd.DefaultPostures = map[string]tp.DefaultPosture{} fd.DefaultPosturesLock = new(sync.Mutex) - // check if GKE - if kl.IsInK8sCluster() { - if b, err := os.ReadFile(filepath.Clean("/media/root/etc/os-release")); err == nil { - s := string(b) - if strings.Contains(s, "Container-Optimized OS") { - fd.IsGKE = true - } - } - } - - // default enforcer - fd.Enforcer = "eBPF Monitor" - return fd } // DestroyFeeder Function -func (fd *Feeder) DestroyFeeder() error { +func (fd *BaseFeeder) DestroyFeeder() error { // stop gRPC service - Running = false + fd.Running = false // wait for a while time.Sleep(time.Second * 1) + fd.Cancel() + // close listener if fd.Listener != nil { if err := fd.Listener.Close(); err != nil { @@ -428,6 +371,16 @@ func (fd *Feeder) DestroyFeeder() error { fd.LogFile = nil } + // close reverse log server + if fd.ReverseLogServer != nil { + if fd.ReverseLogServer.Conn != nil { + err := fd.ReverseLogServer.Conn.Close() + if err != nil { + return err + } + } + } + // wait for other routines fd.WgServer.Wait() @@ -523,7 +476,7 @@ func (fd *Feeder) UpdateEnforcer(enforcer string) { // =============== // // ServeLogFeeds Function -func (fd *Feeder) ServeLogFeeds() { +func (fd *BaseFeeder) ServeLogFeeds() { fd.WgServer.Add(1) defer fd.WgServer.Done() @@ -533,6 +486,44 @@ func (fd *Feeder) ServeLogFeeds() { } } +func (fd *BaseFeeder) ServeReverseLogFeeds() { + fd.WgServer.Add(1) + defer fd.WgServer.Done() + + for fd.Running { + fd.ReverseLogServer = fd.ConnectWithRelay() + if fd.ReverseLogServer == nil { + return + } + + kg.Printf("Connected with RelayServer for pushing logs in reverse (%s)", fd.RelayServerURL) + + fd.ReverseLogServer.Wg.Add(1) + go fd.ReverseLogServer.WatchLogs() + + fd.ReverseLogServer.Wg.Add(1) + go fd.ReverseLogServer.WatchAlerts() + + fd.ReverseLogServer.Wg.Add(1) + go fd.ReverseLogServer.WatchMessages() + + time.Sleep(time.Second * 1) + + // wait for other routines to terminate before creating a new connection + fd.ReverseLogServer.Wg.Wait() + + // destroy client + if err := fd.ReverseLogServer.Conn.Close(); err != nil { + kg.Warnf("Failed to delete ReverseLogClient: %s", err.Error()) + } + kg.Printf("Closed ReverseLogClient for %s", fd.RelayServerURL) + + fd.ReverseLogServer = nil + } + + kg.Print("Stopped Pushing events on gRPC ReverseLogService") +} + // PushMessage Function func (fd *Feeder) PushMessage(level, message string) { if !cfg.GlobalCfg.Debug { @@ -547,7 +538,8 @@ func (fd *Feeder) PushMessage(level, message string) { pbMsg.Timestamp = timestamp pbMsg.UpdatedTime = updatedTime - pbMsg.ClusterName = cfg.GlobalCfg.Cluster + //pbMsg.ClusterName = cfg.GlobalCfg.Cluster + pbMsg.ClusterName = fd.Node.ClusterName pbMsg.HostName = cfg.GlobalCfg.Host pbMsg.HostIP = fd.Node.NodeIP @@ -557,13 +549,14 @@ func (fd *Feeder) PushMessage(level, message string) { pbMsg.Level = level pbMsg.Message = message - MsgLock.Lock() - defer MsgLock.Unlock() + // broadcast to all logserver and reverselogserver receivers + fd.EventStructs.MsgLock.Lock() + defer fd.EventStructs.MsgLock.Unlock() counter := 0 - lenMsg := len(MsgStructs) - for uid := range MsgStructs { + lenMsg := len(fd.EventStructs.MsgStructs) + for uid := range fd.EventStructs.MsgStructs { select { - case MsgStructs[uid].Broadcast <- &pbMsg: + case fd.EventStructs.MsgStructs[uid].Broadcast <- &pbMsg: default: counter++ if counter == lenMsg { @@ -705,14 +698,14 @@ func (fd *Feeder) PushLog(log tp.Log) { pbAlert.Result = log.Result - AlertLock.Lock() - defer AlertLock.Unlock() + fd.EventStructs.AlertLock.Lock() + defer fd.EventStructs.AlertLock.Unlock() counter := 0 - lenAlert := len(AlertStructs) + lenAlert := len(fd.EventStructs.AlertStructs) - for uid := range AlertStructs { + for uid := range fd.EventStructs.AlertStructs { select { - case AlertStructs[uid].Broadcast <- &pbAlert: + case fd.EventStructs.AlertStructs[uid].Broadcast <- &pbAlert: default: counter++ if counter == lenAlert { @@ -776,13 +769,13 @@ func (fd *Feeder) PushLog(log tp.Log) { pbLog.Result = log.Result - LogLock.Lock() - defer LogLock.Unlock() + fd.EventStructs.LogLock.Lock() + defer fd.EventStructs.LogLock.Unlock() counter := 0 - lenlog := len(LogStructs) - for uid := range LogStructs { + lenlog := len(fd.EventStructs.LogStructs) + for uid := range fd.EventStructs.LogStructs { select { - case LogStructs[uid].Broadcast <- &pbLog: + case fd.EventStructs.LogStructs[uid].Broadcast <- &pbLog: default: counter++ if counter == lenlog { diff --git a/KubeArmor/feeder/logServer.go b/KubeArmor/feeder/logServer.go new file mode 100644 index 0000000000..f5bf95fab6 --- /dev/null +++ b/KubeArmor/feeder/logServer.go @@ -0,0 +1,125 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of KubeArmor + +package feeder + +import ( + "context" + "fmt" + + kl "github.com/kubearmor/KubeArmor/KubeArmor/common" + kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + pb "github.com/kubearmor/KubeArmor/protobuf" +) + +// LogServer Structure +type LogService struct { + QueueSize int + EventStructs *EventStructs + Running *bool +} + +// HealthCheck Function +// Deprecated: use google.golang.org/grpc/health/grpc_health_v1 +func (ls *LogService) HealthCheck(ctx context.Context, nonce *pb.NonceMessage) (*pb.ReplyMessage, error) { + replyMessage := pb.ReplyMessage{Retval: nonce.Nonce} + return &replyMessage, nil +} + +// WatchMessages Function +func (ls *LogService) WatchMessages(req *pb.RequestMessage, svr pb.LogService_WatchMessagesServer) error { + if ls.Running == nil { + return fmt.Errorf("Feeder is not running") + } + + uid, conn := ls.EventStructs.AddMsgStruct(req.Filter, ls.QueueSize) + kg.Printf("Added a new client (%s) for WatchMessages", uid) + + defer func() { + close(conn) + ls.EventStructs.RemoveMsgStruct(uid) + kg.Printf("Deleted the client (%s) for WatchMessages", uid) + }() + + for *ls.Running { + select { + case <-svr.Context().Done(): + return nil + case resp := <-conn: + if err := kl.HandleGRPCErrors(svr.Send(resp)); err != nil { + kg.Warnf("Failed to send a message=[%+v] err=[%s]", resp, err.Error()) + return err + } + } + } + + return nil +} + +// WatchAlerts Function +func (ls *LogService) WatchAlerts(req *pb.RequestMessage, svr pb.LogService_WatchAlertsServer) error { + if ls.Running == nil { + return fmt.Errorf("Feeder is not running") + } + + if req.Filter != "all" && req.Filter != "policy" { + return nil + } + + uid, conn := ls.EventStructs.AddAlertStruct(req.Filter, ls.QueueSize) + kg.Printf("Added a new client (%s, %s) for WatchAlerts", uid, req.Filter) + + defer func() { + close(conn) + ls.EventStructs.RemoveAlertStruct(uid) + kg.Printf("Deleted the client (%s) for WatchAlerts", uid) + }() + + for *ls.Running { + select { + case <-svr.Context().Done(): + return nil + case resp := <-conn: + if err := kl.HandleGRPCErrors(svr.Send(resp)); err != nil { + kg.Warnf("Failed to send an alert=[%+v] err=[%s]", resp, err.Error()) + return err + } + } + } + + return nil +} + +// WatchLogs Function +func (ls *LogService) WatchLogs(req *pb.RequestMessage, svr pb.LogService_WatchLogsServer) error { + if ls.Running == nil { + return fmt.Errorf("Feeder is not running") + } + + if req.Filter != "all" && req.Filter != "system" { + return nil + } + + uid, conn := ls.EventStructs.AddLogStruct(req.Filter, ls.QueueSize) + kg.Printf("Added a new client (%s, %s) for WatchLogs", uid, req.Filter) + + defer func() { + close(conn) + ls.EventStructs.RemoveLogStruct(uid) + kg.Printf("Deleted the client (%s) for WatchLogs", uid) + }() + + for *ls.Running { + select { + case <-svr.Context().Done(): + return nil + case resp := <-conn: + if err := kl.HandleGRPCErrors(svr.Send(resp)); err != nil { + kg.Warnf("Failed to send a log=[%+v] err=[%s]", resp, err.Error()) + return err + } + } + } + + return nil +} diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go index 27c8962473..4f4bfd7094 100644 --- a/KubeArmor/feeder/policyMatcher.go +++ b/KubeArmor/feeder/policyMatcher.go @@ -202,12 +202,12 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i match.Resource = npt.Protocol match.ResourceType = "Protocol" + // TODO: Handle cases where AppArmor network enforcement is not present + // https://github.com/kubearmor/KubeArmor/issues/1285 if policyEnabled == tp.KubeArmorPolicyAudited && npt.Action == "Allow" { match.Action = "Audit (" + npt.Action + ")" } else if policyEnabled == tp.KubeArmorPolicyAudited && npt.Action == "Block" { match.Action = "Audit (" + npt.Action + ")" - } else if policyEnabled == tp.KubeArmorPolicyEnabled && fd.IsGKE && npt.Action == "Block" { - match.Action = "Audit (" + npt.Action + ")" } else { match.Action = npt.Action } diff --git a/KubeArmor/feeder/reverseLogserver.go b/KubeArmor/feeder/reverseLogserver.go new file mode 100644 index 0000000000..772fe1c71b --- /dev/null +++ b/KubeArmor/feeder/reverseLogserver.go @@ -0,0 +1,260 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of KubeArmor + +package feeder + +import ( + "sync" + "time" + + kl "github.com/kubearmor/KubeArmor/KubeArmor/common" + kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + pb "github.com/kubearmor/KubeArmor/protobuf" + "google.golang.org/grpc" + "google.golang.org/grpc/health/grpc_health_v1" + "google.golang.org/grpc/keepalive" +) + +// ReverseLogService Structure +type ReverseLogService struct { + Conn *grpc.ClientConn + Client pb.ReverseLogServiceClient + + ReverseLogClient pb.ReverseLogService_PushLogsClient + ReverseAlertClient pb.ReverseLogService_PushAlertsClient + ReverseMessageClient pb.ReverseLogService_PushMessagesClient + + QueueSize int + EventStructs *EventStructs + Running *bool + Wg sync.WaitGroup +} + +func (ls *ReverseLogService) WatchMessages() { + defer ls.Wg.Done() + if ls.Running == nil { + return + } + + // add a new message struct + uid, conn := ls.EventStructs.AddMsgStruct("none", ls.QueueSize) + kg.Printf("Added a new connection (%s) for ReverseWatchMessages", uid) + + defer func() { + close(conn) + ls.EventStructs.RemoveMsgStruct(uid) + kg.Printf("Deleted the connection (%s) for ReverseWatchMessages", uid) + kg.Printf("Stopped pushing messages to ReverseWatchMessages Client (%s)", uid) + }() + + closeChan := make(chan *pb.ReplyMessage, 1) + + // handle if server closes connection + go func() { + defer close(closeChan) + resp, err := ls.ReverseMessageClient.Recv() + if err := kl.HandleGRPCErrors(err); err != nil { + kg.Debugf("Error while receiving ReplyMessage msg from relay %s", err.Error()) + closeChan <- &pb.ReplyMessage{} + return + } + closeChan <- resp + }() + + for *ls.Running { + select { + case <-ls.ReverseMessageClient.Context().Done(): + return + case <-closeChan: + kg.Printf("Relay closed connection for Messages") + return + case resp := <-conn: + if err := kl.HandleGRPCErrors(ls.ReverseMessageClient.Send(resp)); err != nil { + kg.Warnf("feeder failed to send a message=[%+v] err=[%s]", resp, err.Error()) + return + } + } + } + +} + +func (ls *ReverseLogService) WatchAlerts() { + defer ls.Wg.Done() + if ls.Running == nil { + return + } + + uid, conn := ls.EventStructs.AddAlertStruct("none", ls.QueueSize) + kg.Printf("Added a new connection (%s) for ReverseWatchAlerts", uid) + + defer func() { + close(conn) + ls.EventStructs.RemoveAlertStruct(uid) + kg.Printf("Deleted connection (%s) for ReverseWatchAlerts", uid) + kg.Printf("Stopped pushing alerts to ReverseWatchAlerts client (%s)", uid) + }() + + closeChan := make(chan *pb.ReplyMessage, 1) + + go func() { + defer close(closeChan) + resp, err := ls.ReverseAlertClient.Recv() + if err := kl.HandleGRPCErrors(err); err != nil { + kg.Debugf("Error while receiving ReplyMessage alert from relay %s", err.Error()) + closeChan <- &pb.ReplyMessage{} + return + } + closeChan <- resp + }() + + for *ls.Running { + select { + case <-ls.ReverseAlertClient.Context().Done(): + return + case <-closeChan: + kg.Printf("Relay closed connection for Alerts") + return + case resp := <-conn: + if err := kl.HandleGRPCErrors(ls.ReverseAlertClient.Send(resp)); err != nil { + kg.Warnf("feeder failed to push an alert=[%+v] err=[%s]", resp, err.Error()) + return + } + } + } + +} + +func (ls *ReverseLogService) WatchLogs() { + defer ls.Wg.Done() + if ls.Running == nil { + return + } + + uid, conn := ls.EventStructs.AddLogStruct("none", ls.QueueSize) + kg.Printf("Added a new connection (%s) for ReverseWatchLogs", uid) + + defer func() { + close(conn) + ls.EventStructs.RemoveLogStruct(uid) + kg.Printf("Deleted connection (%s) for ReverseWatchLogs", uid) + kg.Printf("Stopped pushing logs to ReverseWatchLogs client (%s)", uid) + }() + + closeChan := make(chan *pb.ReplyMessage, 1) + + go func() { + defer close(closeChan) + resp, err := ls.ReverseLogClient.Recv() + if err := kl.HandleGRPCErrors(err); err != nil { + kg.Debugf("Error while receiving ReplyMessage log from relay %s", err.Error()) + closeChan <- &pb.ReplyMessage{} + return + } + closeChan <- resp + }() + + for *ls.Running { + select { + case <-ls.ReverseLogClient.Context().Done(): + return + case <-closeChan: + kg.Printf("Relay closed connection for Logs") + return + case resp := <-conn: + if err := kl.HandleGRPCErrors(ls.ReverseLogClient.Send(resp)); err != nil { + kg.Warnf("failed to push a log=[%+v] err=[%s]", resp, err.Error()) + return + } + } + } + +} + +// ConnectWithRelay attemtps to establish a connection with kubearmor-relay +// until the relay is healthy +func (fd *BaseFeeder) ConnectWithRelay() *ReverseLogService { + var ( + err error + conn *grpc.ClientConn + client pb.ReverseLogServiceClient + ) + + kacp := keepalive.ClientParameters{ + Time: 1 * time.Second, + Timeout: 5 * time.Second, + PermitWithoutStream: true, + } + + for fd.Running { + //conn, err = grpc.Dial(fd.RelayServerURL, grpc.WithInsecure(), grpc.WithKeepaliveParams(kacp)) + conn, err = grpc.DialContext(fd.Context, fd.RelayServerURL, grpc.WithInsecure(), grpc.WithKeepaliveParams(kacp)) + if err != nil { + time.Sleep(time.Second * 5) + _ = conn.Close() + continue + } + + client = pb.NewReverseLogServiceClient(conn) + + healthClient := grpc_health_v1.NewHealthClient(conn) + healthCheckRequest := &grpc_health_v1.HealthCheckRequest{ + Service: pb.ReverseLogService_ServiceDesc.ServiceName, + } + + resp, err := healthClient.Check(fd.Context, healthCheckRequest) + grpcErr := kl.HandleGRPCErrors(err) + if grpcErr != nil { + kg.Debugf("ReverseLogServer unhealthy. Error: %s", grpcErr.Error()) + _ = conn.Close() + time.Sleep(time.Second * 5) + continue + } + + switch resp.Status { + case grpc_health_v1.HealthCheckResponse_SERVING: + break + case grpc_health_v1.HealthCheckResponse_NOT_SERVING: + _ = conn.Close() + return nil + default: + kg.Debugf("ReverseLogServer unhealthy. Status: %s", resp.Status.String()) + _ = conn.Close() + time.Sleep(time.Second * 5) + continue + } + + break + } + + lc := &ReverseLogService{ + Conn: conn, + Client: client, + Wg: sync.WaitGroup{}, + EventStructs: fd.EventStructs, + QueueSize: 1000, + Running: &fd.Running, + } + + //lc.ReverseLogClient, err = lc.Client.PushLogs(context.Background()) + lc.ReverseLogClient, err = lc.Client.PushLogs(fd.Context) + if err != nil { + kg.Warnf("Failed to create ReversePushLogs (%s) err=%s", fd.RelayServerURL, err.Error()) + return nil + } + + //lc.ReverseAlertClient, err = lc.Client.PushAlerts(context.Background()) + lc.ReverseAlertClient, err = lc.Client.PushAlerts(fd.Context) + if err != nil { + kg.Warnf("Failed to create ReversePushAlerts (%s) err=%s", fd.RelayServerURL, err.Error()) + return nil + } + + //lc.ReverseMessageClient, err = lc.Client.PushMessages(context.Background()) + lc.ReverseMessageClient, err = lc.Client.PushMessages(fd.Context) + if err != nil { + kg.Warnf("Failed to create ReversePushMessages (%s) err=%s", fd.RelayServerURL, err.Error()) + return nil + } + + return lc +} diff --git a/KubeArmor/policy/policy.go b/KubeArmor/policy/policy.go index 897609e1f1..6f9457fa13 100644 --- a/KubeArmor/policy/policy.go +++ b/KubeArmor/policy/policy.go @@ -13,15 +13,15 @@ import ( pb "github.com/kubearmor/KubeArmor/protobuf" ) -// ServiceServer provides structure to serve Policy gRPC service -type ServiceServer struct { +// PolicyServer provides structure to serve Policy gRPC service +type PolicyServer struct { pb.PolicyServiceServer UpdateContainerPolicy func(tp.K8sKubeArmorPolicyEvent) pb.PolicyStatus UpdateHostPolicy func(tp.K8sKubeArmorHostPolicyEvent) pb.PolicyStatus } // ContainerPolicy accepts container events on gRPC and update container security policies -func (p *ServiceServer) ContainerPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) { +func (p *PolicyServer) ContainerPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) { policyEvent := tp.K8sKubeArmorPolicyEvent{} res := new(pb.Response) @@ -49,7 +49,7 @@ func (p *ServiceServer) ContainerPolicy(c context.Context, data *pb.Policy) (*pb } // HostPolicy accepts host policy event on gRPC service and updates host security policies. It responds with 1 if success else 0. -func (p *ServiceServer) HostPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) { +func (p *PolicyServer) HostPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) { policyEvent := tp.K8sKubeArmorHostPolicyEvent{} res := new(pb.Response) diff --git a/KubeArmor/policy/reversePolicyServer.go b/KubeArmor/policy/reversePolicyServer.go new file mode 100644 index 0000000000..7591152d9d --- /dev/null +++ b/KubeArmor/policy/reversePolicyServer.go @@ -0,0 +1,242 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of KubeArmor + +package policy + +import ( + "context" + "encoding/json" + "fmt" + "sync" + "time" + + kl "github.com/kubearmor/KubeArmor/KubeArmor/common" + kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + tp "github.com/kubearmor/KubeArmor/KubeArmor/types" + pb "github.com/kubearmor/KubeArmor/protobuf" + "google.golang.org/grpc" + "google.golang.org/grpc/health/grpc_health_v1" + "google.golang.org/grpc/keepalive" +) + +type ReversePolicyServer struct { + RelayServerURL string + Running bool + Wg sync.WaitGroup + + Conn *grpc.ClientConn + Client pb.ReversePolicyServiceClient + + ContainerPolicyClient pb.ReversePolicyService_ContainerPolicyClient + HostPolicyClient pb.ReversePolicyService_HostPolicyClient + + UpdateContainerPolicy func(tp.K8sKubeArmorPolicyEvent) pb.PolicyStatus + UpdateHostPolicy func(tp.K8sKubeArmorHostPolicyEvent) pb.PolicyStatus +} + +func (p *ReversePolicyServer) ContainerPolicy() { + defer p.Wg.Done() + + var err error + for p.Running { + var event *pb.Policy + + if event, err = p.ContainerPolicyClient.Recv(); err != nil { + kg.Warnf("Failed to receive a ContainerPolicy %s", err) + return + } + + policyEvent := tp.K8sKubeArmorPolicyEvent{} + + res := new(pb.Response) + + err := json.Unmarshal(event.Policy, &policyEvent) + if err == nil { + if policyEvent.Object.Metadata.Name != "" { + res.Status = p.UpdateContainerPolicy(policyEvent) + } else { + kg.Warn("Empty Container Policy Event") + res.Status = pb.PolicyStatus_Invalid + } + } else { + kg.Warnf("Invalid Container Policy: Failed to clone a policy: %s", err) + res.Status = pb.PolicyStatus_Invalid + } + + if err = kl.HandleGRPCErrors(p.ContainerPolicyClient.Send(res)); err != nil { + kg.Warnf("Failed to send a ContainerPolicy status response=[%+v] err=[%s]", res, err.Error()) + continue + } + } + + return +} + +func (p *ReversePolicyServer) HostPolicy() { + defer p.Wg.Done() + + var err error + for p.Running { + var event *pb.Policy + + if event, err = p.HostPolicyClient.Recv(); err != nil { + kg.Warnf("Failed to receive a HostPolicy %s", err) + return + } + + policyEvent := tp.K8sKubeArmorHostPolicyEvent{} + res := new(pb.Response) + + err := json.Unmarshal(event.Policy, &policyEvent) + if err == nil { + if policyEvent.Object.Metadata.Name != "" { + res.Status = p.UpdateHostPolicy(policyEvent) + } else { + kg.Warn("Empty HostPolicy Event") + res.Status = pb.PolicyStatus_Invalid + } + } else { + kg.Warnf("Invalid HostPolicy: Failed to clone a policy: %s", err) + res.Status = pb.PolicyStatus_Invalid + } + + if err = kl.HandleGRPCErrors(p.HostPolicyClient.Send(res)); err != nil { + kg.Warnf("Failed to send a HostPolicy status response=[%+v] err=[%s]", res, err.Error()) + continue + } + } + + return +} + +// TODO: use single gRPC connection for both the clients +func (ps *ReversePolicyServer) connectWithRelay() { + var ( + err error + conn *grpc.ClientConn + client pb.ReversePolicyServiceClient + ) + + kacp := keepalive.ClientParameters{ + Time: 1 * time.Second, + Timeout: 5 * time.Second, + PermitWithoutStream: true, + } + + for ps.Running { + conn, err = grpc.Dial(ps.RelayServerURL, grpc.WithInsecure(), grpc.WithKeepaliveParams(kacp)) + if err != nil { + kg.Warnf("Failed to connect to relay's gRPC listener. %s", err.Error()) + time.Sleep(time.Second * 5) + _ = conn.Close() + continue + } + + client = pb.NewReversePolicyServiceClient(conn) + + healthClient := grpc_health_v1.NewHealthClient(conn) + healthCheckRequest := &grpc_health_v1.HealthCheckRequest{ + Service: pb.ReversePolicyService_ServiceDesc.ServiceName, + } + + resp, err := healthClient.Check(context.Background(), healthCheckRequest) + grpcErr := kl.HandleGRPCErrors(err) + if grpcErr != nil { + kg.Debugf("ReversePolicyServer unhealthy. Error: %s", grpcErr.Error()) + _ = conn.Close() + time.Sleep(time.Second * 5) + continue + } + + switch resp.Status { + case grpc_health_v1.HealthCheckResponse_SERVING: + break + case grpc_health_v1.HealthCheckResponse_NOT_SERVING: + _ = conn.Close() + return + default: + kg.Debugf("ReversePolicyServer unhealthy. Status: %s", resp.Status.String()) + continue + } + + break + } + + ps.Conn = conn + ps.Client = client + + ps.ContainerPolicyClient, err = ps.Client.ContainerPolicy(context.Background()) + if err != nil { + kg.Warnf("Failed to start ContainerPolicy stream reader err=%s", err.Error()) + return + } + + ps.HostPolicyClient, err = ps.Client.HostPolicy(context.Background()) + if err != nil { + kg.Warnf("Failed to start HostPolicy stream reader err=%s", err.Error()) + return + } + + return +} + +func NewReversePolicyServer(address string) *ReversePolicyServer { + host, port, err := kl.ParseURL(address) + if err != nil { + kg.Errf("Failed to parse Relay Server URL: %s", err.Error()) + return nil + } + + return &ReversePolicyServer{ + Running: true, + RelayServerURL: fmt.Sprintf("%s:%s", host, port), + Wg: sync.WaitGroup{}, + } +} + +func (ps *ReversePolicyServer) DestroyReversePolicyServer() error { + ps.Running = false + + if ps.Conn != nil { + if err := ps.Conn.Close(); err != nil { + return err + } + } + + return nil +} + +func (ps *ReversePolicyServer) WatchPolicies() { + for ps.Running { + ps.connectWithRelay() + if ps.Client == nil { + kg.Errf("Error while connecting with relay for streaming policies") + return + } + + kg.Printf("Connected with Relay server for streaming policies") + + if ps.UpdateContainerPolicy != nil { + ps.Wg.Add(1) + go ps.ContainerPolicy() + kg.Printf("Started to stream ContainerPolicy") + } + + if ps.UpdateHostPolicy != nil { + ps.Wg.Add(1) + go ps.HostPolicy() + kg.Printf("Started to stream HostPolicy") + } + + ps.Wg.Wait() + + if err := ps.Conn.Close(); err != nil { + kg.Warnf("Failed to delete PolicyClient: %s", err.Error()) + } + kg.Printf("Closed PolicyClient for %s", ps.RelayServerURL) + + ps.Client = nil + } + + return +} diff --git a/KubeArmor/state/data.go b/KubeArmor/state/data.go index 483fe1411c..e1b99dace0 100644 --- a/KubeArmor/state/data.go +++ b/KubeArmor/state/data.go @@ -5,8 +5,8 @@ package state import ( "encoding/json" + "time" - "github.com/kubearmor/KubeArmor/KubeArmor/common" kg "github.com/kubearmor/KubeArmor/KubeArmor/log" "github.com/kubearmor/KubeArmor/KubeArmor/types" tp "github.com/kubearmor/KubeArmor/KubeArmor/types" @@ -27,30 +27,36 @@ func (sa *StateAgent) PushContainerEvent(container tp.Container, event string) { // create this kubearmor ns if it doesn't exist // currently only "container_namespace" until we have config agent - if _, ok := sa.KubeArmorNamespaces[namespace]; !ok { - sa.KubeArmorNamespaces[namespace] = []string{} - sa.KubeArmorNamespaces[namespace] = append(sa.KubeArmorNamespaces[container.NamespaceName], container.ContainerID) + if ns, ok := sa.KubeArmorNamespaces[namespace]; !ok { + nsObj := types.Namespace{ + Name: namespace, + //Labels: "", + KubearmorFilePosture: "audit", + KubearmorNetworkPosture: "audit", + LastUpdatedAt: container.LastUpdatedAt, + + ContainerCount: 1, + } + sa.KubeArmorNamespaces[namespace] = nsObj - sa.PushNamespaceEvent(namespace, EventAdded) + sa.PushNamespaceEvent(nsObj, EventAdded) } else { - sa.KubeArmorNamespaces[namespace] = append(sa.KubeArmorNamespaces[container.NamespaceName], container.ContainerID) + // update the container count + ns.ContainerCount++ + sa.KubeArmorNamespaces[namespace] = ns } } else if event == EventDeleted { - if containers, ok := sa.KubeArmorNamespaces[namespace]; ok { - containerDeleted := false - for i, c := range containers { - if c == container.ContainerID { - newNSList := common.RemoveStringElement(containers, i) - sa.KubeArmorNamespaces[namespace] = newNSList - break - } - } + if ns, ok := sa.KubeArmorNamespaces[namespace]; ok { + ns.ContainerCount-- + sa.KubeArmorNamespaces[namespace] = ns - // no containers left - namespace deleted - if containerDeleted && len(sa.KubeArmorNamespaces[namespace]) > 0 { - sa.PushNamespaceEvent(namespace, EventDeleted) + // delete ns if no containers left in it + if ns.ContainerCount == 0 { + ns.LastUpdatedAt = time.Now().UTC().String() + sa.PushNamespaceEvent(ns, EventDeleted) + delete(sa.KubeArmorNamespaces, namespace) } } @@ -119,15 +125,8 @@ func (sa *StateAgent) PushNodeEvent(node tp.Node, event string) { return } -func (sa *StateAgent) PushNamespaceEvent(namespace string, event string) { - ns := types.Namespace{ - Name: namespace, - //Labels: "", - KubearmorFilePosture: "audit", - KubearmorNetworkPosture: "audit", - } - - nsBytes, err := json.Marshal(ns) +func (sa *StateAgent) PushNamespaceEvent(namespace tp.Namespace, event string) { + nsBytes, err := json.Marshal(namespace) if err != nil { kg.Warnf("Failed to marshal ns event: %s", err.Error()) return @@ -136,7 +135,7 @@ func (sa *StateAgent) PushNamespaceEvent(namespace string, event string) { nsEvent := &pb.StateEvent{ Kind: KindNamespace, Type: event, - Name: namespace, + Name: namespace.Name, Object: nsBytes, } diff --git a/KubeArmor/state/stateAgent.go b/KubeArmor/state/stateAgent.go index 8ec8d0886d..ec64d703b7 100644 --- a/KubeArmor/state/stateAgent.go +++ b/KubeArmor/state/stateAgent.go @@ -13,8 +13,8 @@ import ( "github.com/kubearmor/KubeArmor/KubeArmor/common" kl "github.com/kubearmor/KubeArmor/KubeArmor/common" - cfg "github.com/kubearmor/KubeArmor/KubeArmor/config" kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + "github.com/kubearmor/KubeArmor/KubeArmor/types" tp "github.com/kubearmor/KubeArmor/KubeArmor/types" pb "github.com/kubearmor/KubeArmor/protobuf" "google.golang.org/grpc" @@ -31,10 +31,6 @@ const ( KindPod = "pod" KindNode = "node" KindNamespace = "namespace" - - PodEntityK8s = "pod" - PodEntityECS = "task" - PodEntityNone = "none" ) type StateAgent struct { @@ -42,8 +38,7 @@ type StateAgent struct { StateAgentAddr string - Running bool - PodEntity string + Running bool SAClient *StateAgentClient @@ -53,16 +48,16 @@ type StateAgent struct { Containers map[string]tp.Container ContainersLock *sync.RWMutex - KubeArmorNamespaces map[string][]string + KubeArmorNamespaces map[string]types.Namespace KubeArmorNamespacesLock *sync.RWMutex - Wg *sync.WaitGroup + Wg *sync.WaitGroup Context context.Context - Cancel context.CancelFunc + Cancel context.CancelFunc } type StateAgentClient struct { - Conn *grpc.ClientConn + Conn *grpc.ClientConn WatchClient pb.StateAgent_WatchStateClient GetClient pb.StateAgent_GetStateClient @@ -75,40 +70,25 @@ func NewStateAgent(addr string, node *tp.Node, nodeLock *sync.RWMutex, container return nil } - var podEntity string - if ok := kl.IsK8sEnv(); ok && cfg.GlobalCfg.K8sEnv { - // pod == K8s pod - podEntity = PodEntityK8s - } else if ok := kl.IsECSEnv(); ok { - // pod == ECS task - // taskMetaURL, ok := os.LookupEnv("ECS_CONTAINER_METADATA_URI_V4") - podEntity = PodEntityECS - } else { - // pod == Container - // PodEntity == "" - podEntity = PodEntityNone - } - context, cancel := context.WithCancel(context.Background()) sa := &StateAgent{ StateAgentAddr: fmt.Sprintf("%s:%s", host, port), - Running: true, - PodEntity: podEntity, + Running: true, - Node: node, + Node: node, NodeLock: nodeLock, - Containers: containers, + Containers: containers, ContainersLock: containersLock, - KubeArmorNamespaces: make(map[string][]string), + KubeArmorNamespaces: make(map[string]tp.Namespace), KubeArmorNamespacesLock: new(sync.RWMutex), - Wg: new(sync.WaitGroup), + Wg: new(sync.WaitGroup), Context: context, - Cancel: cancel, + Cancel: cancel, } return sa @@ -253,24 +233,8 @@ func (sa *StateAgent) GetStateClient() { } stateEventList = append(stateEventList, nodeEvent) - for _, container := range sa.Containers { - containerBytes, err := json.Marshal(container) - if err != nil { - kg.Warnf("Error while trying to marshal container data. %s", err.Error()) - } - - containerEvent := &pb.StateEvent{ - Kind: KindContainer, - Type: EventAdded, - Name: container.ContainerName, - Object: containerBytes, - } - - stateEventList = append(stateEventList, containerEvent) - } - sa.KubeArmorNamespacesLock.RLock() - for ns := range sa.KubeArmorNamespaces { + for nsName, ns := range sa.KubeArmorNamespaces { nsBytes, err := json.Marshal(ns) if err != nil { kg.Warnf("Failed to marshal ns event: %s", err.Error()) @@ -279,7 +243,7 @@ func (sa *StateAgent) GetStateClient() { nsEvent := &pb.StateEvent{ Kind: KindNamespace, Type: EventAdded, - Name: ns, + Name: nsName, Object: nsBytes, } @@ -287,6 +251,22 @@ func (sa *StateAgent) GetStateClient() { } sa.KubeArmorNamespacesLock.RUnlock() + for _, container := range sa.Containers { + containerBytes, err := json.Marshal(container) + if err != nil { + kg.Warnf("Error while trying to marshal container data. %s", err.Error()) + } + + containerEvent := &pb.StateEvent{ + Kind: KindContainer, + Type: EventAdded, + Name: container.ContainerName, + Object: containerBytes, + } + + stateEventList = append(stateEventList, containerEvent) + } + stateEvents := &pb.StateEvents{ StateEvents: stateEventList, } @@ -303,8 +283,8 @@ func (sa *StateAgent) GetStateClient() { func (sa *StateAgent) connectWithStateAgentService() (*StateAgentClient, error) { var ( - err error - conn *grpc.ClientConn + err error + conn *grpc.ClientConn client pb.StateAgentClient ) @@ -320,14 +300,14 @@ func (sa *StateAgent) connectWithStateAgentService() (*StateAgentClient, error) conn, err = grpc.DialContext(sa.Context, sa.StateAgentAddr, grpc.WithInsecure(), grpc.WithKeepaliveParams(kacp)) if err != nil { time.Sleep(time.Second * 5) - conn.Close() + _ = conn.Close() continue } client = pb.NewStateAgentClient(conn) if client == nil { time.Sleep(time.Second * 5) - conn.Close() + _ = conn.Close() continue } @@ -340,7 +320,7 @@ func (sa *StateAgent) connectWithStateAgentService() (*StateAgentClient, error) grpcErr := kl.HandleGRPCErrors(err) if grpcErr != nil { kg.Debugf("State Agent Service unhealthy. Error: %s", grpcErr.Error()) - conn.Close() + _ = conn.Close() time.Sleep(time.Second * 5) continue } @@ -349,11 +329,11 @@ func (sa *StateAgent) connectWithStateAgentService() (*StateAgentClient, error) case grpc_health_v1.HealthCheckResponse_SERVING: break case grpc_health_v1.HealthCheckResponse_NOT_SERVING: - conn.Close() + _ = conn.Close() return nil, fmt.Errorf("State Agent server is not serving") default: kg.Debugf("State Agent Service unhealthy. Status: %s", resp.Status.String()) - conn.Close() + _ = conn.Close() time.Sleep(time.Second * 5) continue } @@ -374,9 +354,9 @@ func (sa *StateAgent) connectWithStateAgentService() (*StateAgentClient, error) } saClient := &StateAgentClient{ - Conn: conn, + Conn: conn, WatchClient: watchClient, - GetClient: getClient, + GetClient: getClient, } return saClient, nil diff --git a/KubeArmor/types/types.go b/KubeArmor/types/types.go index 04eaaf58e0..85e9db3201 100644 --- a/KubeArmor/types/types.go +++ b/KubeArmor/types/types.go @@ -37,10 +37,11 @@ type Container struct { // == // - NodeName string `json:"node_name"` - ProtocolPort string `json:"protocolPort"` - Status string `json:"status"` - ContainerIP string `json:"container_ip"` + NodeName string `json:"node_name"` + ProtocolPort string `json:"protocolPort"` + Status string `json:"status"` + ContainerIP string `json:"container_ip"` + LastUpdatedAt string `json:"last_updated_at"` // == // @@ -65,6 +66,9 @@ type Namespace struct { Labels string `json:"labels,omitempty"` KubearmorFilePosture string `json:"kubearmor_file_posture,omitempty"` KubearmorNetworkPosture string `json:"kubearmor_network_posture,omitempty"` + LastUpdatedAt string `json:"last_updated_at,omitempty"` + + ContainerCount int `json:"container_count,omitempty"` } // EndPoint Structure @@ -116,6 +120,10 @@ type Node struct { // == // + LastUpdatedAt string `json:"last_updated_at"` + + // == // + PolicyEnabled int `json:"policyEnabled"` ProcessVisibilityEnabled bool `json:"processVisibilityEnabled"` From 2fbceac788fe31b5128d42da11890c04dd6053ca Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Thu, 26 Oct 2023 15:43:59 +0530 Subject: [PATCH 4/8] iterate runtime socket map in order Signed-off-by: Rudraksh Pareek --- KubeArmor/common/common.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/KubeArmor/common/common.go b/KubeArmor/common/common.go index 5867f3b578..8ea0d9c0cc 100644 --- a/KubeArmor/common/common.go +++ b/KubeArmor/common/common.go @@ -379,6 +379,9 @@ func IsK8sEnv() bool { return false } +// ContainerRuntimeSocketKeys contains FIFO ordered keys of container runtimes +var ContainerRuntimeSocketKeys = []string{"docker", "containerd", "cri-o"} + // ContainerRuntimeSocketMap Structure var ContainerRuntimeSocketMap = map[string][]string{ "docker": { @@ -400,7 +403,7 @@ var ContainerRuntimeSocketMap = map[string][]string{ // GetCRISocket Function func GetCRISocket(ContainerRuntime string) string { - for k := range ContainerRuntimeSocketMap { + for _, k := range ContainerRuntimeSocketKeys { if ContainerRuntime != "" && k != ContainerRuntime { continue } From 34efdaf2d40d231b583ea43ff51e07af28753d11 Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Fri, 24 Nov 2023 02:49:07 +0530 Subject: [PATCH 5/8] cleanup protos Signed-off-by: Rudraksh Pareek --- protobuf/kubearmor.pb.go | 40 ++---- protobuf/kubearmor.proto | 6 - protobuf/kubearmor_grpc.pb.go | 258 ---------------------------------- protobuf/policy.pb.go | 61 +++----- protobuf/policy.proto | 7 +- protobuf/policy_grpc.pb.go | 191 +------------------------ protobuf/state.pb.go | 106 +++----------- protobuf/state.proto | 8 +- protobuf/state_grpc.pb.go | 103 +++++++------- 9 files changed, 108 insertions(+), 672 deletions(-) diff --git a/protobuf/kubearmor.pb.go b/protobuf/kubearmor.pb.go index c5426a2fc4..5556458387 100644 --- a/protobuf/kubearmor.pb.go +++ b/protobuf/kubearmor.pb.go @@ -1035,22 +1035,10 @@ var file_kubearmor_proto_rawDesc = []byte{ 0x32, 0x0a, 0x09, 0x57, 0x61, 0x74, 0x63, 0x68, 0x4c, 0x6f, 0x67, 0x73, 0x12, 0x16, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x0b, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, - 0x67, 0x30, 0x01, 0x32, 0xb8, 0x01, 0x0a, 0x11, 0x52, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x4c, - 0x6f, 0x67, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x39, 0x0a, 0x0c, 0x50, 0x75, 0x73, - 0x68, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x73, 0x12, 0x0f, 0x2e, 0x66, 0x65, 0x65, 0x64, - 0x65, 0x72, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x14, 0x2e, 0x66, 0x65, 0x65, - 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, - 0x28, 0x01, 0x30, 0x01, 0x12, 0x35, 0x0a, 0x0a, 0x50, 0x75, 0x73, 0x68, 0x41, 0x6c, 0x65, 0x72, - 0x74, 0x73, 0x12, 0x0d, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x41, 0x6c, 0x65, 0x72, - 0x74, 0x1a, 0x14, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x79, - 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x28, 0x01, 0x30, 0x01, 0x12, 0x31, 0x0a, 0x08, 0x50, - 0x75, 0x73, 0x68, 0x4c, 0x6f, 0x67, 0x73, 0x12, 0x0b, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, - 0x2e, 0x4c, 0x6f, 0x67, 0x1a, 0x14, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, - 0x70, 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x28, 0x01, 0x30, 0x01, 0x42, 0x29, - 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x62, - 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, 0x72, 0x6d, 0x6f, 0x72, - 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x33, + 0x67, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, + 0x41, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -1082,18 +1070,12 @@ var file_kubearmor_proto_depIdxs = []int32{ 5, // 3: feeder.LogService.WatchMessages:input_type -> feeder.RequestMessage 5, // 4: feeder.LogService.WatchAlerts:input_type -> feeder.RequestMessage 5, // 5: feeder.LogService.WatchLogs:input_type -> feeder.RequestMessage - 1, // 6: feeder.ReverseLogService.PushMessages:input_type -> feeder.Message - 3, // 7: feeder.ReverseLogService.PushAlerts:input_type -> feeder.Alert - 4, // 8: feeder.ReverseLogService.PushLogs:input_type -> feeder.Log - 6, // 9: feeder.LogService.HealthCheck:output_type -> feeder.ReplyMessage - 1, // 10: feeder.LogService.WatchMessages:output_type -> feeder.Message - 3, // 11: feeder.LogService.WatchAlerts:output_type -> feeder.Alert - 4, // 12: feeder.LogService.WatchLogs:output_type -> feeder.Log - 6, // 13: feeder.ReverseLogService.PushMessages:output_type -> feeder.ReplyMessage - 6, // 14: feeder.ReverseLogService.PushAlerts:output_type -> feeder.ReplyMessage - 6, // 15: feeder.ReverseLogService.PushLogs:output_type -> feeder.ReplyMessage - 9, // [9:16] is the sub-list for method output_type - 2, // [2:9] is the sub-list for method input_type + 6, // 6: feeder.LogService.HealthCheck:output_type -> feeder.ReplyMessage + 1, // 7: feeder.LogService.WatchMessages:output_type -> feeder.Message + 3, // 8: feeder.LogService.WatchAlerts:output_type -> feeder.Alert + 4, // 9: feeder.LogService.WatchLogs:output_type -> feeder.Log + 6, // [6:10] is the sub-list for method output_type + 2, // [2:6] is the sub-list for method input_type 2, // [2:2] is the sub-list for extension type_name 2, // [2:2] is the sub-list for extension extendee 0, // [0:2] is the sub-list for field type_name @@ -1198,7 +1180,7 @@ func file_kubearmor_proto_init() { NumEnums: 0, NumMessages: 7, NumExtensions: 0, - NumServices: 2, + NumServices: 1, }, GoTypes: file_kubearmor_proto_goTypes, DependencyIndexes: file_kubearmor_proto_depIdxs, diff --git a/protobuf/kubearmor.proto b/protobuf/kubearmor.proto index a76e4d5577..3a360edcc9 100644 --- a/protobuf/kubearmor.proto +++ b/protobuf/kubearmor.proto @@ -131,9 +131,3 @@ service LogService { rpc WatchAlerts(RequestMessage) returns (stream Alert); rpc WatchLogs(RequestMessage) returns (stream Log); } - -service ReverseLogService { - rpc PushMessages(stream Message) returns (stream ReplyMessage); - rpc PushAlerts(stream Alert) returns (stream ReplyMessage); - rpc PushLogs(stream Log) returns (stream ReplyMessage); -} diff --git a/protobuf/kubearmor_grpc.pb.go b/protobuf/kubearmor_grpc.pb.go index b866f8ac68..34a3ce0dbf 100644 --- a/protobuf/kubearmor_grpc.pb.go +++ b/protobuf/kubearmor_grpc.pb.go @@ -300,261 +300,3 @@ var LogService_ServiceDesc = grpc.ServiceDesc{ }, Metadata: "kubearmor.proto", } - -const ( - ReverseLogService_PushMessages_FullMethodName = "/feeder.ReverseLogService/PushMessages" - ReverseLogService_PushAlerts_FullMethodName = "/feeder.ReverseLogService/PushAlerts" - ReverseLogService_PushLogs_FullMethodName = "/feeder.ReverseLogService/PushLogs" -) - -// ReverseLogServiceClient is the client API for ReverseLogService service. -// -// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. -type ReverseLogServiceClient interface { - PushMessages(ctx context.Context, opts ...grpc.CallOption) (ReverseLogService_PushMessagesClient, error) - PushAlerts(ctx context.Context, opts ...grpc.CallOption) (ReverseLogService_PushAlertsClient, error) - PushLogs(ctx context.Context, opts ...grpc.CallOption) (ReverseLogService_PushLogsClient, error) -} - -type reverseLogServiceClient struct { - cc grpc.ClientConnInterface -} - -func NewReverseLogServiceClient(cc grpc.ClientConnInterface) ReverseLogServiceClient { - return &reverseLogServiceClient{cc} -} - -func (c *reverseLogServiceClient) PushMessages(ctx context.Context, opts ...grpc.CallOption) (ReverseLogService_PushMessagesClient, error) { - stream, err := c.cc.NewStream(ctx, &ReverseLogService_ServiceDesc.Streams[0], ReverseLogService_PushMessages_FullMethodName, opts...) - if err != nil { - return nil, err - } - x := &reverseLogServicePushMessagesClient{stream} - return x, nil -} - -type ReverseLogService_PushMessagesClient interface { - Send(*Message) error - Recv() (*ReplyMessage, error) - grpc.ClientStream -} - -type reverseLogServicePushMessagesClient struct { - grpc.ClientStream -} - -func (x *reverseLogServicePushMessagesClient) Send(m *Message) error { - return x.ClientStream.SendMsg(m) -} - -func (x *reverseLogServicePushMessagesClient) Recv() (*ReplyMessage, error) { - m := new(ReplyMessage) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -func (c *reverseLogServiceClient) PushAlerts(ctx context.Context, opts ...grpc.CallOption) (ReverseLogService_PushAlertsClient, error) { - stream, err := c.cc.NewStream(ctx, &ReverseLogService_ServiceDesc.Streams[1], ReverseLogService_PushAlerts_FullMethodName, opts...) - if err != nil { - return nil, err - } - x := &reverseLogServicePushAlertsClient{stream} - return x, nil -} - -type ReverseLogService_PushAlertsClient interface { - Send(*Alert) error - Recv() (*ReplyMessage, error) - grpc.ClientStream -} - -type reverseLogServicePushAlertsClient struct { - grpc.ClientStream -} - -func (x *reverseLogServicePushAlertsClient) Send(m *Alert) error { - return x.ClientStream.SendMsg(m) -} - -func (x *reverseLogServicePushAlertsClient) Recv() (*ReplyMessage, error) { - m := new(ReplyMessage) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -func (c *reverseLogServiceClient) PushLogs(ctx context.Context, opts ...grpc.CallOption) (ReverseLogService_PushLogsClient, error) { - stream, err := c.cc.NewStream(ctx, &ReverseLogService_ServiceDesc.Streams[2], ReverseLogService_PushLogs_FullMethodName, opts...) - if err != nil { - return nil, err - } - x := &reverseLogServicePushLogsClient{stream} - return x, nil -} - -type ReverseLogService_PushLogsClient interface { - Send(*Log) error - Recv() (*ReplyMessage, error) - grpc.ClientStream -} - -type reverseLogServicePushLogsClient struct { - grpc.ClientStream -} - -func (x *reverseLogServicePushLogsClient) Send(m *Log) error { - return x.ClientStream.SendMsg(m) -} - -func (x *reverseLogServicePushLogsClient) Recv() (*ReplyMessage, error) { - m := new(ReplyMessage) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -// ReverseLogServiceServer is the server API for ReverseLogService service. -// All implementations should embed UnimplementedReverseLogServiceServer -// for forward compatibility -type ReverseLogServiceServer interface { - PushMessages(ReverseLogService_PushMessagesServer) error - PushAlerts(ReverseLogService_PushAlertsServer) error - PushLogs(ReverseLogService_PushLogsServer) error -} - -// UnimplementedReverseLogServiceServer should be embedded to have forward compatible implementations. -type UnimplementedReverseLogServiceServer struct { -} - -func (UnimplementedReverseLogServiceServer) PushMessages(ReverseLogService_PushMessagesServer) error { - return status.Errorf(codes.Unimplemented, "method PushMessages not implemented") -} -func (UnimplementedReverseLogServiceServer) PushAlerts(ReverseLogService_PushAlertsServer) error { - return status.Errorf(codes.Unimplemented, "method PushAlerts not implemented") -} -func (UnimplementedReverseLogServiceServer) PushLogs(ReverseLogService_PushLogsServer) error { - return status.Errorf(codes.Unimplemented, "method PushLogs not implemented") -} - -// UnsafeReverseLogServiceServer may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to ReverseLogServiceServer will -// result in compilation errors. -type UnsafeReverseLogServiceServer interface { - mustEmbedUnimplementedReverseLogServiceServer() -} - -func RegisterReverseLogServiceServer(s grpc.ServiceRegistrar, srv ReverseLogServiceServer) { - s.RegisterService(&ReverseLogService_ServiceDesc, srv) -} - -func _ReverseLogService_PushMessages_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(ReverseLogServiceServer).PushMessages(&reverseLogServicePushMessagesServer{stream}) -} - -type ReverseLogService_PushMessagesServer interface { - Send(*ReplyMessage) error - Recv() (*Message, error) - grpc.ServerStream -} - -type reverseLogServicePushMessagesServer struct { - grpc.ServerStream -} - -func (x *reverseLogServicePushMessagesServer) Send(m *ReplyMessage) error { - return x.ServerStream.SendMsg(m) -} - -func (x *reverseLogServicePushMessagesServer) Recv() (*Message, error) { - m := new(Message) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -func _ReverseLogService_PushAlerts_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(ReverseLogServiceServer).PushAlerts(&reverseLogServicePushAlertsServer{stream}) -} - -type ReverseLogService_PushAlertsServer interface { - Send(*ReplyMessage) error - Recv() (*Alert, error) - grpc.ServerStream -} - -type reverseLogServicePushAlertsServer struct { - grpc.ServerStream -} - -func (x *reverseLogServicePushAlertsServer) Send(m *ReplyMessage) error { - return x.ServerStream.SendMsg(m) -} - -func (x *reverseLogServicePushAlertsServer) Recv() (*Alert, error) { - m := new(Alert) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -func _ReverseLogService_PushLogs_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(ReverseLogServiceServer).PushLogs(&reverseLogServicePushLogsServer{stream}) -} - -type ReverseLogService_PushLogsServer interface { - Send(*ReplyMessage) error - Recv() (*Log, error) - grpc.ServerStream -} - -type reverseLogServicePushLogsServer struct { - grpc.ServerStream -} - -func (x *reverseLogServicePushLogsServer) Send(m *ReplyMessage) error { - return x.ServerStream.SendMsg(m) -} - -func (x *reverseLogServicePushLogsServer) Recv() (*Log, error) { - m := new(Log) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -// ReverseLogService_ServiceDesc is the grpc.ServiceDesc for ReverseLogService service. -// It's only intended for direct use with grpc.RegisterService, -// and not to be introspected or modified (even as a copy) -var ReverseLogService_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "feeder.ReverseLogService", - HandlerType: (*ReverseLogServiceServer)(nil), - Methods: []grpc.MethodDesc{}, - Streams: []grpc.StreamDesc{ - { - StreamName: "PushMessages", - Handler: _ReverseLogService_PushMessages_Handler, - ServerStreams: true, - ClientStreams: true, - }, - { - StreamName: "PushAlerts", - Handler: _ReverseLogService_PushAlerts_Handler, - ServerStreams: true, - ClientStreams: true, - }, - { - StreamName: "PushLogs", - Handler: _ReverseLogService_PushLogs_Handler, - ServerStreams: true, - ClientStreams: true, - }, - }, - Metadata: "kubearmor.proto", -} diff --git a/protobuf/policy.pb.go b/protobuf/policy.pb.go index c509f88202..e7713c9db2 100644 --- a/protobuf/policy.pb.go +++ b/protobuf/policy.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.31.0 -// protoc v4.24.3 +// protoc v4.25.0 // source: policy.proto package protobuf @@ -21,10 +21,6 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) -// Symbols defined in public import of google/protobuf/empty.proto. - -type Empty = emptypb.Empty - type PolicyStatus int32 const ( @@ -404,19 +400,10 @@ var file_policy_proto_rawDesc = []byte{ 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2e, 0x0a, 0x0a, 0x68, 0x6f, 0x73, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x10, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0x83, 0x01, 0x0a, 0x14, 0x52, 0x65, 0x76, - 0x65, 0x72, 0x73, 0x65, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, - 0x65, 0x12, 0x37, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x50, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x12, 0x10, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x72, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x1a, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x28, 0x01, 0x30, 0x01, 0x12, 0x32, 0x0a, 0x0a, 0x68, 0x6f, - 0x73, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x10, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x1a, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x28, 0x01, 0x30, 0x01, 0x42, 0x29, - 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x62, - 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, 0x72, 0x6d, 0x6f, 0x72, - 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x50, 0x00, 0x62, 0x06, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x33, + 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, + 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, + 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x75, 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -445,26 +432,22 @@ var file_policy_proto_goTypes = []interface{}{ (*emptypb.Empty)(nil), // 8: google.protobuf.Empty } var file_policy_proto_depIdxs = []int32{ - 0, // 0: policy.response.status:type_name -> policy.PolicyStatus - 6, // 1: policy.ProbeResponse.containerMap:type_name -> policy.ProbeResponse.ContainerMapEntry - 7, // 2: policy.ProbeResponse.hostMap:type_name -> policy.ProbeResponse.HostMapEntry - 3, // 3: policy.ProbeResponse.ContainerMapEntry.value:type_name -> policy.ContainerData - 4, // 4: policy.ProbeResponse.HostMapEntry.value:type_name -> policy.HostSecurityPolicies - 8, // 5: policy.ProbeService.getProbeData:input_type -> google.protobuf.Empty - 2, // 6: policy.PolicyService.containerPolicy:input_type -> policy.policy - 2, // 7: policy.PolicyService.hostPolicy:input_type -> policy.policy - 1, // 8: policy.ReversePolicyService.containerPolicy:input_type -> policy.response - 1, // 9: policy.ReversePolicyService.hostPolicy:input_type -> policy.response - 5, // 10: policy.ProbeService.getProbeData:output_type -> policy.ProbeResponse - 1, // 11: policy.PolicyService.containerPolicy:output_type -> policy.response - 1, // 12: policy.PolicyService.hostPolicy:output_type -> policy.response - 2, // 13: policy.ReversePolicyService.containerPolicy:output_type -> policy.policy - 2, // 14: policy.ReversePolicyService.hostPolicy:output_type -> policy.policy - 10, // [10:15] is the sub-list for method output_type - 5, // [5:10] is the sub-list for method input_type - 5, // [5:5] is the sub-list for extension type_name - 5, // [5:5] is the sub-list for extension extendee - 0, // [0:5] is the sub-list for field type_name + 0, // 0: policy.response.status:type_name -> policy.PolicyStatus + 6, // 1: policy.ProbeResponse.containerMap:type_name -> policy.ProbeResponse.ContainerMapEntry + 7, // 2: policy.ProbeResponse.hostMap:type_name -> policy.ProbeResponse.HostMapEntry + 3, // 3: policy.ProbeResponse.ContainerMapEntry.value:type_name -> policy.ContainerData + 4, // 4: policy.ProbeResponse.HostMapEntry.value:type_name -> policy.HostSecurityPolicies + 8, // 5: policy.ProbeService.getProbeData:input_type -> google.protobuf.Empty + 2, // 6: policy.PolicyService.containerPolicy:input_type -> policy.policy + 2, // 7: policy.PolicyService.hostPolicy:input_type -> policy.policy + 5, // 8: policy.ProbeService.getProbeData:output_type -> policy.ProbeResponse + 1, // 9: policy.PolicyService.containerPolicy:output_type -> policy.response + 1, // 10: policy.PolicyService.hostPolicy:output_type -> policy.response + 8, // [8:11] is the sub-list for method output_type + 5, // [5:8] is the sub-list for method input_type + 5, // [5:5] is the sub-list for extension type_name + 5, // [5:5] is the sub-list for extension extendee + 0, // [0:5] is the sub-list for field type_name } func init() { file_policy_proto_init() } @@ -542,7 +525,7 @@ func file_policy_proto_init() { NumEnums: 1, NumMessages: 7, NumExtensions: 0, - NumServices: 3, + NumServices: 2, }, GoTypes: file_policy_proto_goTypes, DependencyIndexes: file_policy_proto_depIdxs, diff --git a/protobuf/policy.proto b/protobuf/policy.proto index 122dc356a0..f3620a7424 100644 --- a/protobuf/policy.proto +++ b/protobuf/policy.proto @@ -2,7 +2,7 @@ syntax = "proto3"; package policy; -import public "google/protobuf/empty.proto"; +import "google/protobuf/empty.proto"; option go_package="github.com/kubearmor/KubeArmor/protobuf"; @@ -44,8 +44,3 @@ service PolicyService { rpc containerPolicy (policy) returns (response); rpc hostPolicy (policy) returns (response); } - -service ReversePolicyService { - rpc containerPolicy (stream response) returns (stream policy); - rpc hostPolicy (stream response) returns (stream policy); -} diff --git a/protobuf/policy_grpc.pb.go b/protobuf/policy_grpc.pb.go index 0531574d86..32cc880e97 100644 --- a/protobuf/policy_grpc.pb.go +++ b/protobuf/policy_grpc.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: // - protoc-gen-go-grpc v1.3.0 -// - protoc v4.24.3 +// - protoc v4.25.0 // source: policy.proto package protobuf @@ -231,192 +231,3 @@ var PolicyService_ServiceDesc = grpc.ServiceDesc{ Streams: []grpc.StreamDesc{}, Metadata: "policy.proto", } - -const ( - ReversePolicyService_ContainerPolicy_FullMethodName = "/policy.ReversePolicyService/containerPolicy" - ReversePolicyService_HostPolicy_FullMethodName = "/policy.ReversePolicyService/hostPolicy" -) - -// ReversePolicyServiceClient is the client API for ReversePolicyService service. -// -// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. -type ReversePolicyServiceClient interface { - ContainerPolicy(ctx context.Context, opts ...grpc.CallOption) (ReversePolicyService_ContainerPolicyClient, error) - HostPolicy(ctx context.Context, opts ...grpc.CallOption) (ReversePolicyService_HostPolicyClient, error) -} - -type reversePolicyServiceClient struct { - cc grpc.ClientConnInterface -} - -func NewReversePolicyServiceClient(cc grpc.ClientConnInterface) ReversePolicyServiceClient { - return &reversePolicyServiceClient{cc} -} - -func (c *reversePolicyServiceClient) ContainerPolicy(ctx context.Context, opts ...grpc.CallOption) (ReversePolicyService_ContainerPolicyClient, error) { - stream, err := c.cc.NewStream(ctx, &ReversePolicyService_ServiceDesc.Streams[0], ReversePolicyService_ContainerPolicy_FullMethodName, opts...) - if err != nil { - return nil, err - } - x := &reversePolicyServiceContainerPolicyClient{stream} - return x, nil -} - -type ReversePolicyService_ContainerPolicyClient interface { - Send(*Response) error - Recv() (*Policy, error) - grpc.ClientStream -} - -type reversePolicyServiceContainerPolicyClient struct { - grpc.ClientStream -} - -func (x *reversePolicyServiceContainerPolicyClient) Send(m *Response) error { - return x.ClientStream.SendMsg(m) -} - -func (x *reversePolicyServiceContainerPolicyClient) Recv() (*Policy, error) { - m := new(Policy) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -func (c *reversePolicyServiceClient) HostPolicy(ctx context.Context, opts ...grpc.CallOption) (ReversePolicyService_HostPolicyClient, error) { - stream, err := c.cc.NewStream(ctx, &ReversePolicyService_ServiceDesc.Streams[1], ReversePolicyService_HostPolicy_FullMethodName, opts...) - if err != nil { - return nil, err - } - x := &reversePolicyServiceHostPolicyClient{stream} - return x, nil -} - -type ReversePolicyService_HostPolicyClient interface { - Send(*Response) error - Recv() (*Policy, error) - grpc.ClientStream -} - -type reversePolicyServiceHostPolicyClient struct { - grpc.ClientStream -} - -func (x *reversePolicyServiceHostPolicyClient) Send(m *Response) error { - return x.ClientStream.SendMsg(m) -} - -func (x *reversePolicyServiceHostPolicyClient) Recv() (*Policy, error) { - m := new(Policy) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -// ReversePolicyServiceServer is the server API for ReversePolicyService service. -// All implementations should embed UnimplementedReversePolicyServiceServer -// for forward compatibility -type ReversePolicyServiceServer interface { - ContainerPolicy(ReversePolicyService_ContainerPolicyServer) error - HostPolicy(ReversePolicyService_HostPolicyServer) error -} - -// UnimplementedReversePolicyServiceServer should be embedded to have forward compatible implementations. -type UnimplementedReversePolicyServiceServer struct { -} - -func (UnimplementedReversePolicyServiceServer) ContainerPolicy(ReversePolicyService_ContainerPolicyServer) error { - return status.Errorf(codes.Unimplemented, "method ContainerPolicy not implemented") -} -func (UnimplementedReversePolicyServiceServer) HostPolicy(ReversePolicyService_HostPolicyServer) error { - return status.Errorf(codes.Unimplemented, "method HostPolicy not implemented") -} - -// UnsafeReversePolicyServiceServer may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to ReversePolicyServiceServer will -// result in compilation errors. -type UnsafeReversePolicyServiceServer interface { - mustEmbedUnimplementedReversePolicyServiceServer() -} - -func RegisterReversePolicyServiceServer(s grpc.ServiceRegistrar, srv ReversePolicyServiceServer) { - s.RegisterService(&ReversePolicyService_ServiceDesc, srv) -} - -func _ReversePolicyService_ContainerPolicy_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(ReversePolicyServiceServer).ContainerPolicy(&reversePolicyServiceContainerPolicyServer{stream}) -} - -type ReversePolicyService_ContainerPolicyServer interface { - Send(*Policy) error - Recv() (*Response, error) - grpc.ServerStream -} - -type reversePolicyServiceContainerPolicyServer struct { - grpc.ServerStream -} - -func (x *reversePolicyServiceContainerPolicyServer) Send(m *Policy) error { - return x.ServerStream.SendMsg(m) -} - -func (x *reversePolicyServiceContainerPolicyServer) Recv() (*Response, error) { - m := new(Response) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -func _ReversePolicyService_HostPolicy_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(ReversePolicyServiceServer).HostPolicy(&reversePolicyServiceHostPolicyServer{stream}) -} - -type ReversePolicyService_HostPolicyServer interface { - Send(*Policy) error - Recv() (*Response, error) - grpc.ServerStream -} - -type reversePolicyServiceHostPolicyServer struct { - grpc.ServerStream -} - -func (x *reversePolicyServiceHostPolicyServer) Send(m *Policy) error { - return x.ServerStream.SendMsg(m) -} - -func (x *reversePolicyServiceHostPolicyServer) Recv() (*Response, error) { - m := new(Response) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -// ReversePolicyService_ServiceDesc is the grpc.ServiceDesc for ReversePolicyService service. -// It's only intended for direct use with grpc.RegisterService, -// and not to be introspected or modified (even as a copy) -var ReversePolicyService_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "policy.ReversePolicyService", - HandlerType: (*ReversePolicyServiceServer)(nil), - Methods: []grpc.MethodDesc{}, - Streams: []grpc.StreamDesc{ - { - StreamName: "containerPolicy", - Handler: _ReversePolicyService_ContainerPolicy_Handler, - ServerStreams: true, - ClientStreams: true, - }, - { - StreamName: "hostPolicy", - Handler: _ReversePolicyService_HostPolicy_Handler, - ServerStreams: true, - ClientStreams: true, - }, - }, - Metadata: "policy.proto", -} diff --git a/protobuf/state.pb.go b/protobuf/state.pb.go index 54300eac32..1062cffac0 100644 --- a/protobuf/state.pb.go +++ b/protobuf/state.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.28.1 -// protoc v4.24.2 +// protoc-gen-go v1.31.0 +// protoc v4.25.0 // source: state.proto package protobuf @@ -139,53 +139,6 @@ func (x *StateEvents) GetStateEvents() []*StateEvent { return nil } -type StatusCode struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Code int32 `protobuf:"varint,1,opt,name=code,proto3" json:"code,omitempty"` -} - -func (x *StatusCode) Reset() { - *x = StatusCode{} - if protoimpl.UnsafeEnabled { - mi := &file_state_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *StatusCode) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*StatusCode) ProtoMessage() {} - -func (x *StatusCode) ProtoReflect() protoreflect.Message { - mi := &file_state_proto_msgTypes[2] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use StatusCode.ProtoReflect.Descriptor instead. -func (*StatusCode) Descriptor() ([]byte, []int) { - return file_state_proto_rawDescGZIP(), []int{2} -} - -func (x *StatusCode) GetCode() int32 { - if x != nil { - return x.Code - } - return 0 -} - var File_state_proto protoreflect.FileDescriptor var file_state_proto_rawDesc = []byte{ @@ -203,21 +156,19 @@ var file_state_proto_rawDesc = []byte{ 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x0b, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x76, 0x65, - 0x6e, 0x74, 0x73, 0x22, 0x20, 0x0a, 0x0a, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x43, 0x6f, 0x64, - 0x65, 0x12, 0x12, 0x0a, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, - 0x04, 0x63, 0x6f, 0x64, 0x65, 0x32, 0x92, 0x01, 0x0a, 0x0a, 0x53, 0x74, 0x61, 0x74, 0x65, 0x41, - 0x67, 0x65, 0x6e, 0x74, 0x12, 0x42, 0x0a, 0x0a, 0x57, 0x61, 0x74, 0x63, 0x68, 0x53, 0x74, 0x61, - 0x74, 0x65, 0x12, 0x17, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x61, 0x67, 0x65, 0x6e, 0x74, - 0x2e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x1a, 0x17, 0x2e, 0x73, 0x74, - 0x61, 0x74, 0x65, 0x5f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, - 0x43, 0x6f, 0x64, 0x65, 0x28, 0x01, 0x30, 0x01, 0x12, 0x40, 0x0a, 0x08, 0x47, 0x65, 0x74, 0x53, - 0x74, 0x61, 0x74, 0x65, 0x12, 0x18, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x61, 0x67, 0x65, - 0x6e, 0x74, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x1a, 0x16, - 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, - 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x28, 0x01, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, - 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, - 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6e, 0x74, 0x73, 0x32, 0x8d, 0x01, 0x0a, 0x0a, 0x53, 0x74, 0x61, 0x74, 0x65, 0x41, 0x67, 0x65, + 0x6e, 0x74, 0x12, 0x3f, 0x0a, 0x0a, 0x57, 0x61, 0x74, 0x63, 0x68, 0x53, 0x74, 0x61, 0x74, 0x65, + 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, + 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x17, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x65, + 0x5f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x76, 0x65, 0x6e, + 0x74, 0x30, 0x01, 0x12, 0x3e, 0x0a, 0x08, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, + 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x18, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, + 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, + 0x73, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, + 0x41, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -232,19 +183,18 @@ func file_state_proto_rawDescGZIP() []byte { return file_state_proto_rawDescData } -var file_state_proto_msgTypes = make([]protoimpl.MessageInfo, 3) +var file_state_proto_msgTypes = make([]protoimpl.MessageInfo, 2) var file_state_proto_goTypes = []interface{}{ (*StateEvent)(nil), // 0: state_agent.StateEvent (*StateEvents)(nil), // 1: state_agent.StateEvents - (*StatusCode)(nil), // 2: state_agent.StatusCode - (*emptypb.Empty)(nil), // 3: google.protobuf.Empty + (*emptypb.Empty)(nil), // 2: google.protobuf.Empty } var file_state_proto_depIdxs = []int32{ 0, // 0: state_agent.StateEvents.StateEvents:type_name -> state_agent.StateEvent - 0, // 1: state_agent.StateAgent.WatchState:input_type -> state_agent.StateEvent - 1, // 2: state_agent.StateAgent.GetState:input_type -> state_agent.StateEvents - 2, // 3: state_agent.StateAgent.WatchState:output_type -> state_agent.StatusCode - 3, // 4: state_agent.StateAgent.GetState:output_type -> google.protobuf.Empty + 2, // 1: state_agent.StateAgent.WatchState:input_type -> google.protobuf.Empty + 2, // 2: state_agent.StateAgent.GetState:input_type -> google.protobuf.Empty + 0, // 3: state_agent.StateAgent.WatchState:output_type -> state_agent.StateEvent + 1, // 4: state_agent.StateAgent.GetState:output_type -> state_agent.StateEvents 3, // [3:5] is the sub-list for method output_type 1, // [1:3] is the sub-list for method input_type 1, // [1:1] is the sub-list for extension type_name @@ -282,18 +232,6 @@ func file_state_proto_init() { return nil } } - file_state_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*StatusCode); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } } type x struct{} out := protoimpl.TypeBuilder{ @@ -301,7 +239,7 @@ func file_state_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_state_proto_rawDesc, NumEnums: 0, - NumMessages: 3, + NumMessages: 2, NumExtensions: 0, NumServices: 1, }, diff --git a/protobuf/state.proto b/protobuf/state.proto index ff8c4e6061..34a8a9cba5 100644 --- a/protobuf/state.proto +++ b/protobuf/state.proto @@ -17,14 +17,10 @@ message StateEvents { repeated StateEvent StateEvents=1; } -message StatusCode { - int32 code=1; -} - service StateAgent { // stream which continuously pushes state events - rpc WatchState (stream StateEvent) returns (stream StatusCode); + rpc WatchState (google.protobuf.Empty) returns (stream StateEvent); // get all state events in one go - rpc GetState (stream StateEvents) returns (stream google.protobuf.Empty); + rpc GetState (google.protobuf.Empty) returns (stream StateEvents); } diff --git a/protobuf/state_grpc.pb.go b/protobuf/state_grpc.pb.go index 0c614b0ea1..42f0d833d0 100644 --- a/protobuf/state_grpc.pb.go +++ b/protobuf/state_grpc.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: -// - protoc-gen-go-grpc v1.2.0 -// - protoc v4.24.2 +// - protoc-gen-go-grpc v1.3.0 +// - protoc v4.25.0 // source: state.proto package protobuf @@ -19,14 +19,19 @@ import ( // Requires gRPC-Go v1.32.0 or later. const _ = grpc.SupportPackageIsVersion7 +const ( + StateAgent_WatchState_FullMethodName = "/state_agent.StateAgent/WatchState" + StateAgent_GetState_FullMethodName = "/state_agent.StateAgent/GetState" +) + // StateAgentClient is the client API for StateAgent service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. type StateAgentClient interface { // stream which continuously pushes state events - WatchState(ctx context.Context, opts ...grpc.CallOption) (StateAgent_WatchStateClient, error) + WatchState(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (StateAgent_WatchStateClient, error) // get all state events in one go - GetState(ctx context.Context, opts ...grpc.CallOption) (StateAgent_GetStateClient, error) + GetState(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (StateAgent_GetStateClient, error) } type stateAgentClient struct { @@ -37,18 +42,23 @@ func NewStateAgentClient(cc grpc.ClientConnInterface) StateAgentClient { return &stateAgentClient{cc} } -func (c *stateAgentClient) WatchState(ctx context.Context, opts ...grpc.CallOption) (StateAgent_WatchStateClient, error) { - stream, err := c.cc.NewStream(ctx, &StateAgent_ServiceDesc.Streams[0], "/state_agent.StateAgent/WatchState", opts...) +func (c *stateAgentClient) WatchState(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (StateAgent_WatchStateClient, error) { + stream, err := c.cc.NewStream(ctx, &StateAgent_ServiceDesc.Streams[0], StateAgent_WatchState_FullMethodName, opts...) if err != nil { return nil, err } x := &stateAgentWatchStateClient{stream} + if err := x.ClientStream.SendMsg(in); err != nil { + return nil, err + } + if err := x.ClientStream.CloseSend(); err != nil { + return nil, err + } return x, nil } type StateAgent_WatchStateClient interface { - Send(*StateEvent) error - Recv() (*StatusCode, error) + Recv() (*StateEvent, error) grpc.ClientStream } @@ -56,30 +66,31 @@ type stateAgentWatchStateClient struct { grpc.ClientStream } -func (x *stateAgentWatchStateClient) Send(m *StateEvent) error { - return x.ClientStream.SendMsg(m) -} - -func (x *stateAgentWatchStateClient) Recv() (*StatusCode, error) { - m := new(StatusCode) +func (x *stateAgentWatchStateClient) Recv() (*StateEvent, error) { + m := new(StateEvent) if err := x.ClientStream.RecvMsg(m); err != nil { return nil, err } return m, nil } -func (c *stateAgentClient) GetState(ctx context.Context, opts ...grpc.CallOption) (StateAgent_GetStateClient, error) { - stream, err := c.cc.NewStream(ctx, &StateAgent_ServiceDesc.Streams[1], "/state_agent.StateAgent/GetState", opts...) +func (c *stateAgentClient) GetState(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (StateAgent_GetStateClient, error) { + stream, err := c.cc.NewStream(ctx, &StateAgent_ServiceDesc.Streams[1], StateAgent_GetState_FullMethodName, opts...) if err != nil { return nil, err } x := &stateAgentGetStateClient{stream} + if err := x.ClientStream.SendMsg(in); err != nil { + return nil, err + } + if err := x.ClientStream.CloseSend(); err != nil { + return nil, err + } return x, nil } type StateAgent_GetStateClient interface { - Send(*StateEvents) error - Recv() (*emptypb.Empty, error) + Recv() (*StateEvents, error) grpc.ClientStream } @@ -87,12 +98,8 @@ type stateAgentGetStateClient struct { grpc.ClientStream } -func (x *stateAgentGetStateClient) Send(m *StateEvents) error { - return x.ClientStream.SendMsg(m) -} - -func (x *stateAgentGetStateClient) Recv() (*emptypb.Empty, error) { - m := new(emptypb.Empty) +func (x *stateAgentGetStateClient) Recv() (*StateEvents, error) { + m := new(StateEvents) if err := x.ClientStream.RecvMsg(m); err != nil { return nil, err } @@ -104,19 +111,19 @@ func (x *stateAgentGetStateClient) Recv() (*emptypb.Empty, error) { // for forward compatibility type StateAgentServer interface { // stream which continuously pushes state events - WatchState(StateAgent_WatchStateServer) error + WatchState(*emptypb.Empty, StateAgent_WatchStateServer) error // get all state events in one go - GetState(StateAgent_GetStateServer) error + GetState(*emptypb.Empty, StateAgent_GetStateServer) error } // UnimplementedStateAgentServer should be embedded to have forward compatible implementations. type UnimplementedStateAgentServer struct { } -func (UnimplementedStateAgentServer) WatchState(StateAgent_WatchStateServer) error { +func (UnimplementedStateAgentServer) WatchState(*emptypb.Empty, StateAgent_WatchStateServer) error { return status.Errorf(codes.Unimplemented, "method WatchState not implemented") } -func (UnimplementedStateAgentServer) GetState(StateAgent_GetStateServer) error { +func (UnimplementedStateAgentServer) GetState(*emptypb.Empty, StateAgent_GetStateServer) error { return status.Errorf(codes.Unimplemented, "method GetState not implemented") } @@ -132,12 +139,15 @@ func RegisterStateAgentServer(s grpc.ServiceRegistrar, srv StateAgentServer) { } func _StateAgent_WatchState_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(StateAgentServer).WatchState(&stateAgentWatchStateServer{stream}) + m := new(emptypb.Empty) + if err := stream.RecvMsg(m); err != nil { + return err + } + return srv.(StateAgentServer).WatchState(m, &stateAgentWatchStateServer{stream}) } type StateAgent_WatchStateServer interface { - Send(*StatusCode) error - Recv() (*StateEvent, error) + Send(*StateEvent) error grpc.ServerStream } @@ -145,25 +155,20 @@ type stateAgentWatchStateServer struct { grpc.ServerStream } -func (x *stateAgentWatchStateServer) Send(m *StatusCode) error { +func (x *stateAgentWatchStateServer) Send(m *StateEvent) error { return x.ServerStream.SendMsg(m) } -func (x *stateAgentWatchStateServer) Recv() (*StateEvent, error) { - m := new(StateEvent) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - func _StateAgent_GetState_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(StateAgentServer).GetState(&stateAgentGetStateServer{stream}) + m := new(emptypb.Empty) + if err := stream.RecvMsg(m); err != nil { + return err + } + return srv.(StateAgentServer).GetState(m, &stateAgentGetStateServer{stream}) } type StateAgent_GetStateServer interface { - Send(*emptypb.Empty) error - Recv() (*StateEvents, error) + Send(*StateEvents) error grpc.ServerStream } @@ -171,18 +176,10 @@ type stateAgentGetStateServer struct { grpc.ServerStream } -func (x *stateAgentGetStateServer) Send(m *emptypb.Empty) error { +func (x *stateAgentGetStateServer) Send(m *StateEvents) error { return x.ServerStream.SendMsg(m) } -func (x *stateAgentGetStateServer) Recv() (*StateEvents, error) { - m := new(StateEvents) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - // StateAgent_ServiceDesc is the grpc.ServiceDesc for StateAgent service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) @@ -195,13 +192,11 @@ var StateAgent_ServiceDesc = grpc.ServiceDesc{ StreamName: "WatchState", Handler: _StateAgent_WatchState_Handler, ServerStreams: true, - ClientStreams: true, }, { StreamName: "GetState", Handler: _StateAgent_GetState_Handler, ServerStreams: true, - ClientStreams: true, }, }, Metadata: "state.proto", From f9acb19b859ae856e8d23ca68d8e0f052d5d63d4 Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Sun, 3 Dec 2023 20:51:50 +0530 Subject: [PATCH 6/8] refactor: improve implementation by preserving interfaces Signed-off-by: Rudraksh Pareek --- KubeArmor/config/config.go | 22 +- KubeArmor/core/kubeArmor.go | 49 +--- KubeArmor/feeder/feeder.go | 81 ------ KubeArmor/feeder/reverseLogserver.go | 260 ----------------- KubeArmor/go.mod | 2 +- KubeArmor/policy/reversePolicyServer.go | 242 ---------------- KubeArmor/state/data.go | 53 ++-- KubeArmor/state/stateAgent.go | 353 ++++++------------------ 8 files changed, 124 insertions(+), 938 deletions(-) delete mode 100644 KubeArmor/feeder/reverseLogserver.go delete mode 100644 KubeArmor/policy/reversePolicyServer.go diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go index ee64078432..cb5908427a 100644 --- a/KubeArmor/config/config.go +++ b/KubeArmor/config/config.go @@ -50,11 +50,7 @@ type KubearmorConfig struct { EnforcerAlerts bool // policy enforcer DefaultPostureLogs bool // Enable/Disable Default Posture logs for AppArmor LSM - ReverseGRPCServer bool // to enable/disable reverse grpc server - RelayServerURL string // URL of relay server - - StateAgent bool // Enable/Disable State Agent Client - StateAgentAddr string // Address to State Agent Server + StateAgent bool // enable KubeArmor state agent } // GlobalCfg Global configuration for Kubearmor @@ -89,20 +85,9 @@ const ( BPFFsPath string = "bpfFsPath" EnforcerAlerts string = "enforcerAlerts" ConfigDefaultPostureLogs string = "defaultPostureLogs" + ConfigStateAgent string = "enableKubeArmorStateAgent" ) -// ConfigReverseGRPCServer state agent key -const ConfigReverseGRPCServer string = "enableReverseGRPC" - -// ConfigRelayServerURL Path key -const ConfigRelayServerURL string = "relayServerURL" - -// ConfigStateAgent state agent key -const ConfigStateAgent string = "enableStateAgent" - -// ConfigStateAgentAddr state agent address key -const ConfigStateAgentAddr string = "stateAgentAddr" - func readCmdLineParams() { hostname, _ := os.Hostname() clusterStr := flag.String(ConfigCluster, "default", "cluster name") @@ -146,7 +131,6 @@ func readCmdLineParams() { relayServerURLStr := flag.String(ConfigRelayServerURL, "http://localhost:2801/", "relay-server http URL listening for logs") stateAgent := flag.Bool(ConfigStateAgent, false, "enabling KubeArmor State Agent client") - stateAgentAddr := flag.String(ConfigStateAgentAddr, "localhost:8801", "address of State Agent Server") flags := []string{} flag.VisitAll(func(f *flag.Flag) { @@ -199,7 +183,6 @@ func readCmdLineParams() { viper.SetDefault(ConfigRelayServerURL, *relayServerURLStr) viper.SetDefault(ConfigStateAgent, *stateAgent) - viper.SetDefault(ConfigStateAgentAddr, *stateAgentAddr) } // LoadConfig Load configuration @@ -292,7 +275,6 @@ func LoadConfig() error { GlobalCfg.RelayServerURL = viper.GetString(ConfigRelayServerURL) GlobalCfg.StateAgent = viper.GetBool(ConfigStateAgent) - GlobalCfg.StateAgentAddr = viper.GetString(ConfigStateAgentAddr) kg.Printf("Final Configuration [%+v]", GlobalCfg) diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go index 9dd820ddff..addb54207b 100644 --- a/KubeArmor/core/kubeArmor.go +++ b/KubeArmor/core/kubeArmor.go @@ -92,9 +92,6 @@ type KubeArmorDaemon struct { // state agent StateAgent *state.StateAgent - // reverse policy server - ReversePolicyServer *policy.ReversePolicyServer - // WgDaemon Handler WgDaemon sync.WaitGroup @@ -189,12 +186,6 @@ func (dm *KubeArmorDaemon) DestroyKubeArmorDaemon() { } } - if dm.ReversePolicyServer != nil { - if dm.CloseReversePolicyServer() { - kg.Print("Destroyed ReversePolicyServer") - } - } - // wait for other routines kg.Print("Waiting for routine terminations") dm.WgDaemon.Wait() @@ -226,10 +217,6 @@ func (dm *KubeArmorDaemon) ServeLogFeeds() { defer dm.WgDaemon.Done() go dm.Logger.ServeLogFeeds() - - if cfg.GlobalCfg.ReverseGRPCServer { - go dm.Logger.ServeReverseLogFeeds() - } } // CloseLogger Function @@ -241,13 +228,6 @@ func (dm *KubeArmorDaemon) CloseLogger() bool { return true } -func (dm *KubeArmorDaemon) CloseReversePolicyServer() bool { - if err := dm.ReversePolicyServer.DestroyReversePolicyServer(); err != nil { - return false - } - return true -} - // ==================== // // == System Monitor == // // ==================== // @@ -337,14 +317,10 @@ func (dm *KubeArmorDaemon) CloseKVMAgent() bool { // InitStateAgent Function func (dm *KubeArmorDaemon) InitStateAgent() bool { - dm.StateAgent = state.NewStateAgent(cfg.GlobalCfg.StateAgentAddr, &dm.Node, dm.NodeLock, dm.Containers, dm.ContainersLock) + dm.StateAgent = state.NewStateAgent(&dm.Node, dm.NodeLock, dm.Containers, dm.ContainersLock) return dm.StateAgent != nil } -func (dm *KubeArmorDaemon) RunStateAgent() { - go dm.StateAgent.RunStateAgent() -} - // CloseStateAgent Function func (dm *KubeArmorDaemon) CloseStateAgent() bool { if err := dm.StateAgent.DestroyStateAgent(); err != nil { @@ -493,17 +469,16 @@ func KubeArmor() { // initialize state agent if !dm.InitStateAgent() { - dm.Logger.Err("Failed to initialize State Agent Client") + dm.Logger.Err("Failed to initialize State Agent Server") // destroy the daemon dm.DestroyKubeArmorDaemon() return } - dm.Logger.Print("Initialized State Agent Client") + dm.Logger.Print("Initialized State Agent Server") - // connect to state agent server - go dm.RunStateAgent() + pb.RegisterStateAgentServer(dm.Logger.LogServer, dm.StateAgent) } if dm.StateAgent != nil { @@ -733,22 +708,6 @@ func KubeArmor() { probe := &Probe{} probe.GetContainerData = dm.SetProbeContainerData pb.RegisterProbeServiceServer(dm.Logger.LogServer, probe) - - if cfg.GlobalCfg.ReverseGRPCServer { - dm.ReversePolicyServer = policy.NewReversePolicyServer(dm.Logger.RelayServerURL) - - if enableContainerPolicy { - dm.ReversePolicyServer.UpdateContainerPolicy = dm.ParseAndUpdateContainerSecurityPolicy - dm.Logger.Print("Started to monitor container security policies over reverse gRPC connection") - } - - if cfg.GlobalCfg.HostPolicy { - dm.ReversePolicyServer.UpdateHostPolicy = dm.ParseAndUpdateHostSecurityPolicy - dm.Logger.Print("Started to monitor host security policies over reverse gRPC connection") - } - - go dm.ReversePolicyServer.WatchPolicies() - } } reflection.Register(dm.Logger.LogServer) // Helps grpc clients list out what all svc/endpoints available diff --git a/KubeArmor/feeder/feeder.go b/KubeArmor/feeder/feeder.go index ccefb16402..a956fb8994 100644 --- a/KubeArmor/feeder/feeder.go +++ b/KubeArmor/feeder/feeder.go @@ -6,7 +6,6 @@ package feeder import ( "bufio" - "context" "encoding/json" "fmt" "net" @@ -141,14 +140,6 @@ func (es *EventStructs) RemoveLogStruct(uid string) { delete(es.LogStructs, uid) } -/* -// HealthCheck Function -func (ls *LogService) HealthCheck(ctx context.Context, nonce *pb.NonceMessage) (*pb.ReplyMessage, error) { - replyMessage := pb.ReplyMessage{Retval: nonce.Nonce} - return &replyMessage, nil -} -*/ - // ============ // // == Feeder == // // ============ // @@ -197,17 +188,6 @@ type BaseFeeder struct { // log server LogServer *grpc.Server - - // ReverseLogServer // - - // URL of RelayServer - RelayServerURL string - - // log server with connection initalized by KubeArmor - ReverseLogServer *ReverseLogService - - Context context.Context - Cancel context.CancelFunc } // Feeder Structure @@ -321,17 +301,6 @@ func NewFeeder(node *tp.Node, nodeLock **sync.RWMutex) *Feeder { pb.RegisterLogServiceServer(fd.LogServer, logService) grpc_health_v1.RegisterHealthServer(fd.LogServer, health.NewServer()) - // ReverseLogServer // - - host, port, err := kl.ParseURL(cfg.GlobalCfg.RelayServerURL) - if err != nil { - kg.Errf("Failed to parse Relay Server URL: %s", err.Error()) - return nil - } - fd.RelayServerURL = fmt.Sprintf("%s:%s", host, port) - - fd.Context, fd.Cancel = context.WithCancel(context.Background()) - // Feeder // // initialize security policies @@ -353,8 +322,6 @@ func (fd *BaseFeeder) DestroyFeeder() error { // wait for a while time.Sleep(time.Second * 1) - fd.Cancel() - // close listener if fd.Listener != nil { if err := fd.Listener.Close(); err != nil { @@ -371,16 +338,6 @@ func (fd *BaseFeeder) DestroyFeeder() error { fd.LogFile = nil } - // close reverse log server - if fd.ReverseLogServer != nil { - if fd.ReverseLogServer.Conn != nil { - err := fd.ReverseLogServer.Conn.Close() - if err != nil { - return err - } - } - } - // wait for other routines fd.WgServer.Wait() @@ -486,44 +443,6 @@ func (fd *BaseFeeder) ServeLogFeeds() { } } -func (fd *BaseFeeder) ServeReverseLogFeeds() { - fd.WgServer.Add(1) - defer fd.WgServer.Done() - - for fd.Running { - fd.ReverseLogServer = fd.ConnectWithRelay() - if fd.ReverseLogServer == nil { - return - } - - kg.Printf("Connected with RelayServer for pushing logs in reverse (%s)", fd.RelayServerURL) - - fd.ReverseLogServer.Wg.Add(1) - go fd.ReverseLogServer.WatchLogs() - - fd.ReverseLogServer.Wg.Add(1) - go fd.ReverseLogServer.WatchAlerts() - - fd.ReverseLogServer.Wg.Add(1) - go fd.ReverseLogServer.WatchMessages() - - time.Sleep(time.Second * 1) - - // wait for other routines to terminate before creating a new connection - fd.ReverseLogServer.Wg.Wait() - - // destroy client - if err := fd.ReverseLogServer.Conn.Close(); err != nil { - kg.Warnf("Failed to delete ReverseLogClient: %s", err.Error()) - } - kg.Printf("Closed ReverseLogClient for %s", fd.RelayServerURL) - - fd.ReverseLogServer = nil - } - - kg.Print("Stopped Pushing events on gRPC ReverseLogService") -} - // PushMessage Function func (fd *Feeder) PushMessage(level, message string) { if !cfg.GlobalCfg.Debug { diff --git a/KubeArmor/feeder/reverseLogserver.go b/KubeArmor/feeder/reverseLogserver.go deleted file mode 100644 index 772fe1c71b..0000000000 --- a/KubeArmor/feeder/reverseLogserver.go +++ /dev/null @@ -1,260 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of KubeArmor - -package feeder - -import ( - "sync" - "time" - - kl "github.com/kubearmor/KubeArmor/KubeArmor/common" - kg "github.com/kubearmor/KubeArmor/KubeArmor/log" - pb "github.com/kubearmor/KubeArmor/protobuf" - "google.golang.org/grpc" - "google.golang.org/grpc/health/grpc_health_v1" - "google.golang.org/grpc/keepalive" -) - -// ReverseLogService Structure -type ReverseLogService struct { - Conn *grpc.ClientConn - Client pb.ReverseLogServiceClient - - ReverseLogClient pb.ReverseLogService_PushLogsClient - ReverseAlertClient pb.ReverseLogService_PushAlertsClient - ReverseMessageClient pb.ReverseLogService_PushMessagesClient - - QueueSize int - EventStructs *EventStructs - Running *bool - Wg sync.WaitGroup -} - -func (ls *ReverseLogService) WatchMessages() { - defer ls.Wg.Done() - if ls.Running == nil { - return - } - - // add a new message struct - uid, conn := ls.EventStructs.AddMsgStruct("none", ls.QueueSize) - kg.Printf("Added a new connection (%s) for ReverseWatchMessages", uid) - - defer func() { - close(conn) - ls.EventStructs.RemoveMsgStruct(uid) - kg.Printf("Deleted the connection (%s) for ReverseWatchMessages", uid) - kg.Printf("Stopped pushing messages to ReverseWatchMessages Client (%s)", uid) - }() - - closeChan := make(chan *pb.ReplyMessage, 1) - - // handle if server closes connection - go func() { - defer close(closeChan) - resp, err := ls.ReverseMessageClient.Recv() - if err := kl.HandleGRPCErrors(err); err != nil { - kg.Debugf("Error while receiving ReplyMessage msg from relay %s", err.Error()) - closeChan <- &pb.ReplyMessage{} - return - } - closeChan <- resp - }() - - for *ls.Running { - select { - case <-ls.ReverseMessageClient.Context().Done(): - return - case <-closeChan: - kg.Printf("Relay closed connection for Messages") - return - case resp := <-conn: - if err := kl.HandleGRPCErrors(ls.ReverseMessageClient.Send(resp)); err != nil { - kg.Warnf("feeder failed to send a message=[%+v] err=[%s]", resp, err.Error()) - return - } - } - } - -} - -func (ls *ReverseLogService) WatchAlerts() { - defer ls.Wg.Done() - if ls.Running == nil { - return - } - - uid, conn := ls.EventStructs.AddAlertStruct("none", ls.QueueSize) - kg.Printf("Added a new connection (%s) for ReverseWatchAlerts", uid) - - defer func() { - close(conn) - ls.EventStructs.RemoveAlertStruct(uid) - kg.Printf("Deleted connection (%s) for ReverseWatchAlerts", uid) - kg.Printf("Stopped pushing alerts to ReverseWatchAlerts client (%s)", uid) - }() - - closeChan := make(chan *pb.ReplyMessage, 1) - - go func() { - defer close(closeChan) - resp, err := ls.ReverseAlertClient.Recv() - if err := kl.HandleGRPCErrors(err); err != nil { - kg.Debugf("Error while receiving ReplyMessage alert from relay %s", err.Error()) - closeChan <- &pb.ReplyMessage{} - return - } - closeChan <- resp - }() - - for *ls.Running { - select { - case <-ls.ReverseAlertClient.Context().Done(): - return - case <-closeChan: - kg.Printf("Relay closed connection for Alerts") - return - case resp := <-conn: - if err := kl.HandleGRPCErrors(ls.ReverseAlertClient.Send(resp)); err != nil { - kg.Warnf("feeder failed to push an alert=[%+v] err=[%s]", resp, err.Error()) - return - } - } - } - -} - -func (ls *ReverseLogService) WatchLogs() { - defer ls.Wg.Done() - if ls.Running == nil { - return - } - - uid, conn := ls.EventStructs.AddLogStruct("none", ls.QueueSize) - kg.Printf("Added a new connection (%s) for ReverseWatchLogs", uid) - - defer func() { - close(conn) - ls.EventStructs.RemoveLogStruct(uid) - kg.Printf("Deleted connection (%s) for ReverseWatchLogs", uid) - kg.Printf("Stopped pushing logs to ReverseWatchLogs client (%s)", uid) - }() - - closeChan := make(chan *pb.ReplyMessage, 1) - - go func() { - defer close(closeChan) - resp, err := ls.ReverseLogClient.Recv() - if err := kl.HandleGRPCErrors(err); err != nil { - kg.Debugf("Error while receiving ReplyMessage log from relay %s", err.Error()) - closeChan <- &pb.ReplyMessage{} - return - } - closeChan <- resp - }() - - for *ls.Running { - select { - case <-ls.ReverseLogClient.Context().Done(): - return - case <-closeChan: - kg.Printf("Relay closed connection for Logs") - return - case resp := <-conn: - if err := kl.HandleGRPCErrors(ls.ReverseLogClient.Send(resp)); err != nil { - kg.Warnf("failed to push a log=[%+v] err=[%s]", resp, err.Error()) - return - } - } - } - -} - -// ConnectWithRelay attemtps to establish a connection with kubearmor-relay -// until the relay is healthy -func (fd *BaseFeeder) ConnectWithRelay() *ReverseLogService { - var ( - err error - conn *grpc.ClientConn - client pb.ReverseLogServiceClient - ) - - kacp := keepalive.ClientParameters{ - Time: 1 * time.Second, - Timeout: 5 * time.Second, - PermitWithoutStream: true, - } - - for fd.Running { - //conn, err = grpc.Dial(fd.RelayServerURL, grpc.WithInsecure(), grpc.WithKeepaliveParams(kacp)) - conn, err = grpc.DialContext(fd.Context, fd.RelayServerURL, grpc.WithInsecure(), grpc.WithKeepaliveParams(kacp)) - if err != nil { - time.Sleep(time.Second * 5) - _ = conn.Close() - continue - } - - client = pb.NewReverseLogServiceClient(conn) - - healthClient := grpc_health_v1.NewHealthClient(conn) - healthCheckRequest := &grpc_health_v1.HealthCheckRequest{ - Service: pb.ReverseLogService_ServiceDesc.ServiceName, - } - - resp, err := healthClient.Check(fd.Context, healthCheckRequest) - grpcErr := kl.HandleGRPCErrors(err) - if grpcErr != nil { - kg.Debugf("ReverseLogServer unhealthy. Error: %s", grpcErr.Error()) - _ = conn.Close() - time.Sleep(time.Second * 5) - continue - } - - switch resp.Status { - case grpc_health_v1.HealthCheckResponse_SERVING: - break - case grpc_health_v1.HealthCheckResponse_NOT_SERVING: - _ = conn.Close() - return nil - default: - kg.Debugf("ReverseLogServer unhealthy. Status: %s", resp.Status.String()) - _ = conn.Close() - time.Sleep(time.Second * 5) - continue - } - - break - } - - lc := &ReverseLogService{ - Conn: conn, - Client: client, - Wg: sync.WaitGroup{}, - EventStructs: fd.EventStructs, - QueueSize: 1000, - Running: &fd.Running, - } - - //lc.ReverseLogClient, err = lc.Client.PushLogs(context.Background()) - lc.ReverseLogClient, err = lc.Client.PushLogs(fd.Context) - if err != nil { - kg.Warnf("Failed to create ReversePushLogs (%s) err=%s", fd.RelayServerURL, err.Error()) - return nil - } - - //lc.ReverseAlertClient, err = lc.Client.PushAlerts(context.Background()) - lc.ReverseAlertClient, err = lc.Client.PushAlerts(fd.Context) - if err != nil { - kg.Warnf("Failed to create ReversePushAlerts (%s) err=%s", fd.RelayServerURL, err.Error()) - return nil - } - - //lc.ReverseMessageClient, err = lc.Client.PushMessages(context.Background()) - lc.ReverseMessageClient, err = lc.Client.PushMessages(fd.Context) - if err != nil { - kg.Warnf("Failed to create ReversePushMessages (%s) err=%s", fd.RelayServerURL, err.Error()) - return nil - } - - return lc -} diff --git a/KubeArmor/go.mod b/KubeArmor/go.mod index 10de20e116..adb829e2ef 100644 --- a/KubeArmor/go.mod +++ b/KubeArmor/go.mod @@ -40,6 +40,7 @@ require ( go.uber.org/zap v1.24.0 golang.org/x/sys v0.10.0 google.golang.org/grpc v1.56.3 + google.golang.org/protobuf v1.30.0 k8s.io/api v0.27.1 k8s.io/apimachinery v0.27.1 k8s.io/client-go v0.27.1 @@ -114,7 +115,6 @@ require ( gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect - google.golang.org/protobuf v1.30.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/KubeArmor/policy/reversePolicyServer.go b/KubeArmor/policy/reversePolicyServer.go deleted file mode 100644 index 7591152d9d..0000000000 --- a/KubeArmor/policy/reversePolicyServer.go +++ /dev/null @@ -1,242 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of KubeArmor - -package policy - -import ( - "context" - "encoding/json" - "fmt" - "sync" - "time" - - kl "github.com/kubearmor/KubeArmor/KubeArmor/common" - kg "github.com/kubearmor/KubeArmor/KubeArmor/log" - tp "github.com/kubearmor/KubeArmor/KubeArmor/types" - pb "github.com/kubearmor/KubeArmor/protobuf" - "google.golang.org/grpc" - "google.golang.org/grpc/health/grpc_health_v1" - "google.golang.org/grpc/keepalive" -) - -type ReversePolicyServer struct { - RelayServerURL string - Running bool - Wg sync.WaitGroup - - Conn *grpc.ClientConn - Client pb.ReversePolicyServiceClient - - ContainerPolicyClient pb.ReversePolicyService_ContainerPolicyClient - HostPolicyClient pb.ReversePolicyService_HostPolicyClient - - UpdateContainerPolicy func(tp.K8sKubeArmorPolicyEvent) pb.PolicyStatus - UpdateHostPolicy func(tp.K8sKubeArmorHostPolicyEvent) pb.PolicyStatus -} - -func (p *ReversePolicyServer) ContainerPolicy() { - defer p.Wg.Done() - - var err error - for p.Running { - var event *pb.Policy - - if event, err = p.ContainerPolicyClient.Recv(); err != nil { - kg.Warnf("Failed to receive a ContainerPolicy %s", err) - return - } - - policyEvent := tp.K8sKubeArmorPolicyEvent{} - - res := new(pb.Response) - - err := json.Unmarshal(event.Policy, &policyEvent) - if err == nil { - if policyEvent.Object.Metadata.Name != "" { - res.Status = p.UpdateContainerPolicy(policyEvent) - } else { - kg.Warn("Empty Container Policy Event") - res.Status = pb.PolicyStatus_Invalid - } - } else { - kg.Warnf("Invalid Container Policy: Failed to clone a policy: %s", err) - res.Status = pb.PolicyStatus_Invalid - } - - if err = kl.HandleGRPCErrors(p.ContainerPolicyClient.Send(res)); err != nil { - kg.Warnf("Failed to send a ContainerPolicy status response=[%+v] err=[%s]", res, err.Error()) - continue - } - } - - return -} - -func (p *ReversePolicyServer) HostPolicy() { - defer p.Wg.Done() - - var err error - for p.Running { - var event *pb.Policy - - if event, err = p.HostPolicyClient.Recv(); err != nil { - kg.Warnf("Failed to receive a HostPolicy %s", err) - return - } - - policyEvent := tp.K8sKubeArmorHostPolicyEvent{} - res := new(pb.Response) - - err := json.Unmarshal(event.Policy, &policyEvent) - if err == nil { - if policyEvent.Object.Metadata.Name != "" { - res.Status = p.UpdateHostPolicy(policyEvent) - } else { - kg.Warn("Empty HostPolicy Event") - res.Status = pb.PolicyStatus_Invalid - } - } else { - kg.Warnf("Invalid HostPolicy: Failed to clone a policy: %s", err) - res.Status = pb.PolicyStatus_Invalid - } - - if err = kl.HandleGRPCErrors(p.HostPolicyClient.Send(res)); err != nil { - kg.Warnf("Failed to send a HostPolicy status response=[%+v] err=[%s]", res, err.Error()) - continue - } - } - - return -} - -// TODO: use single gRPC connection for both the clients -func (ps *ReversePolicyServer) connectWithRelay() { - var ( - err error - conn *grpc.ClientConn - client pb.ReversePolicyServiceClient - ) - - kacp := keepalive.ClientParameters{ - Time: 1 * time.Second, - Timeout: 5 * time.Second, - PermitWithoutStream: true, - } - - for ps.Running { - conn, err = grpc.Dial(ps.RelayServerURL, grpc.WithInsecure(), grpc.WithKeepaliveParams(kacp)) - if err != nil { - kg.Warnf("Failed to connect to relay's gRPC listener. %s", err.Error()) - time.Sleep(time.Second * 5) - _ = conn.Close() - continue - } - - client = pb.NewReversePolicyServiceClient(conn) - - healthClient := grpc_health_v1.NewHealthClient(conn) - healthCheckRequest := &grpc_health_v1.HealthCheckRequest{ - Service: pb.ReversePolicyService_ServiceDesc.ServiceName, - } - - resp, err := healthClient.Check(context.Background(), healthCheckRequest) - grpcErr := kl.HandleGRPCErrors(err) - if grpcErr != nil { - kg.Debugf("ReversePolicyServer unhealthy. Error: %s", grpcErr.Error()) - _ = conn.Close() - time.Sleep(time.Second * 5) - continue - } - - switch resp.Status { - case grpc_health_v1.HealthCheckResponse_SERVING: - break - case grpc_health_v1.HealthCheckResponse_NOT_SERVING: - _ = conn.Close() - return - default: - kg.Debugf("ReversePolicyServer unhealthy. Status: %s", resp.Status.String()) - continue - } - - break - } - - ps.Conn = conn - ps.Client = client - - ps.ContainerPolicyClient, err = ps.Client.ContainerPolicy(context.Background()) - if err != nil { - kg.Warnf("Failed to start ContainerPolicy stream reader err=%s", err.Error()) - return - } - - ps.HostPolicyClient, err = ps.Client.HostPolicy(context.Background()) - if err != nil { - kg.Warnf("Failed to start HostPolicy stream reader err=%s", err.Error()) - return - } - - return -} - -func NewReversePolicyServer(address string) *ReversePolicyServer { - host, port, err := kl.ParseURL(address) - if err != nil { - kg.Errf("Failed to parse Relay Server URL: %s", err.Error()) - return nil - } - - return &ReversePolicyServer{ - Running: true, - RelayServerURL: fmt.Sprintf("%s:%s", host, port), - Wg: sync.WaitGroup{}, - } -} - -func (ps *ReversePolicyServer) DestroyReversePolicyServer() error { - ps.Running = false - - if ps.Conn != nil { - if err := ps.Conn.Close(); err != nil { - return err - } - } - - return nil -} - -func (ps *ReversePolicyServer) WatchPolicies() { - for ps.Running { - ps.connectWithRelay() - if ps.Client == nil { - kg.Errf("Error while connecting with relay for streaming policies") - return - } - - kg.Printf("Connected with Relay server for streaming policies") - - if ps.UpdateContainerPolicy != nil { - ps.Wg.Add(1) - go ps.ContainerPolicy() - kg.Printf("Started to stream ContainerPolicy") - } - - if ps.UpdateHostPolicy != nil { - ps.Wg.Add(1) - go ps.HostPolicy() - kg.Printf("Started to stream HostPolicy") - } - - ps.Wg.Wait() - - if err := ps.Conn.Close(); err != nil { - kg.Warnf("Failed to delete PolicyClient: %s", err.Error()) - } - kg.Printf("Closed PolicyClient for %s", ps.RelayServerURL) - - ps.Client = nil - } - - return -} diff --git a/KubeArmor/state/data.go b/KubeArmor/state/data.go index e1b99dace0..5524a3da69 100644 --- a/KubeArmor/state/data.go +++ b/KubeArmor/state/data.go @@ -13,7 +13,7 @@ import ( pb "github.com/kubearmor/KubeArmor/protobuf" ) -// pushes (container + pod) & workload event +// pushes (container + pod) event func (sa *StateAgent) PushContainerEvent(container tp.Container, event string) { if container.ContainerID == "" { kg.Debug("Error while pushing container event. Missing data.") @@ -24,13 +24,13 @@ func (sa *StateAgent) PushContainerEvent(container tp.Container, event string) { namespace := container.NamespaceName sa.KubeArmorNamespacesLock.Lock() if event == EventAdded { - // create this kubearmor ns if it doesn't exist // currently only "container_namespace" until we have config agent if ns, ok := sa.KubeArmorNamespaces[namespace]; !ok { nsObj := types.Namespace{ Name: namespace, - //Labels: "", + // no way to change ns annotations in non-kubernetes mode right now + // thus use defaults KubearmorFilePosture: "audit", KubearmorNetworkPosture: "audit", LastUpdatedAt: container.LastUpdatedAt, @@ -47,7 +47,6 @@ func (sa *StateAgent) PushContainerEvent(container tp.Container, event string) { } } else if event == EventDeleted { - if ns, ok := sa.KubeArmorNamespaces[namespace]; ok { ns.ContainerCount-- sa.KubeArmorNamespaces[namespace] = ns @@ -65,7 +64,7 @@ func (sa *StateAgent) PushContainerEvent(container tp.Container, event string) { containerBytes, err := json.Marshal(container) if err != nil { - kg.Warnf("Error while trying to marshal container data. %s", err.Error()) + kg.Warnf("Error while trying to marshal container data: %s", err.Error()) return } @@ -77,15 +76,17 @@ func (sa *StateAgent) PushContainerEvent(container tp.Container, event string) { } // skip sending message as no state receiver is connected - if sa.StateEvents == nil { + if sa.StateEventChans == nil { return } - select { - case sa.StateEvents <- containerEvent: - default: - kg.Debugf("Failed to send container %s state event", event) - return + for uid, conn := range sa.StateEventChans { + select { + case conn <- containerEvent: + default: + kg.Debugf("Failed to send container %s event to connection: %s", event, uid) + return + } } return @@ -99,7 +100,7 @@ func (sa *StateAgent) PushNodeEvent(node tp.Node, event string) { nodeData, err := json.Marshal(node) if err != nil { - kg.Warnf("Error while trying to marshal node data. %s", err.Error()) + kg.Warnf("Error while trying to marshal node data: %s", err.Error()) return } @@ -111,15 +112,17 @@ func (sa *StateAgent) PushNodeEvent(node tp.Node, event string) { } // skip sending message as no state receiver is connected - if sa.StateEvents == nil { + if sa.StateEventChans == nil { return } - select { - case sa.StateEvents <- nodeEvent: - default: - kg.Debugf("Failed to send node %s state event.", event) - return + for uid, conn := range sa.StateEventChans { + select { + case conn <- nodeEvent: + default: + kg.Debugf("Failed to send node %s event to connection: %s", event, uid) + return + } } return @@ -140,14 +143,16 @@ func (sa *StateAgent) PushNamespaceEvent(namespace tp.Namespace, event string) { } // skip sending message as no state receiver is connected - if sa.StateEvents == nil { + if sa.StateEventChans == nil { return } - select { - case sa.StateEvents <- nsEvent: - default: - kg.Debugf("Failed to send namespace %s state event", event) - return + for uid, conn := range sa.StateEventChans { + select { + case conn <- nsEvent: + default: + kg.Debugf("Failed to send namespace %s event to connection: %s", event, uid) + return + } } } diff --git a/KubeArmor/state/stateAgent.go b/KubeArmor/state/stateAgent.go index ec64d703b7..171905ddc0 100644 --- a/KubeArmor/state/stateAgent.go +++ b/KubeArmor/state/stateAgent.go @@ -5,24 +5,22 @@ package state import ( - "context" "encoding/json" - "fmt" "sync" "time" - "github.com/kubearmor/KubeArmor/KubeArmor/common" + "github.com/google/uuid" kl "github.com/kubearmor/KubeArmor/KubeArmor/common" kg "github.com/kubearmor/KubeArmor/KubeArmor/log" "github.com/kubearmor/KubeArmor/KubeArmor/types" tp "github.com/kubearmor/KubeArmor/KubeArmor/types" pb "github.com/kubearmor/KubeArmor/protobuf" - "google.golang.org/grpc" - "google.golang.org/grpc/health/grpc_health_v1" - "google.golang.org/grpc/keepalive" + "google.golang.org/protobuf/types/known/emptypb" ) const ( + stateEventBufferSize = 25 + EventAdded = "added" EventUpdated = "updated" EventDeleted = "deleted" @@ -34,13 +32,10 @@ const ( ) type StateAgent struct { - StateEvents chan *pb.StateEvent - - StateAgentAddr string - Running bool - SAClient *StateAgentClient + StateEventChans map[string]chan *pb.StateEvent + StateEventChansLock *sync.RWMutex Node *tp.Node NodeLock *sync.RWMutex @@ -50,33 +45,15 @@ type StateAgent struct { KubeArmorNamespaces map[string]types.Namespace KubeArmorNamespacesLock *sync.RWMutex - - Wg *sync.WaitGroup - Context context.Context - Cancel context.CancelFunc } -type StateAgentClient struct { - Conn *grpc.ClientConn - - WatchClient pb.StateAgent_WatchStateClient - GetClient pb.StateAgent_GetStateClient -} - -func NewStateAgent(addr string, node *tp.Node, nodeLock *sync.RWMutex, containers map[string]tp.Container, containersLock *sync.RWMutex) *StateAgent { - host, port, err := common.ParseURL(addr) - if err != nil { - kg.Err("Error while parsing State Agent URL") - return nil - } - - context, cancel := context.WithCancel(context.Background()) - - sa := &StateAgent{ - StateAgentAddr: fmt.Sprintf("%s:%s", host, port), - +func NewStateAgent(node *tp.Node, nodeLock *sync.RWMutex, containers map[string]tp.Container, containersLock *sync.RWMutex) *StateAgent { + return &StateAgent{ Running: true, + StateEventChans: make(map[string]chan *pb.StateEvent), + StateEventChansLock: new(sync.RWMutex), + Node: node, NodeLock: nodeLock, @@ -85,279 +62,125 @@ func NewStateAgent(addr string, node *tp.Node, nodeLock *sync.RWMutex, container KubeArmorNamespaces: make(map[string]tp.Namespace), KubeArmorNamespacesLock: new(sync.RWMutex), - - Wg: new(sync.WaitGroup), - Context: context, - Cancel: cancel, } - - return sa } -func (sa *StateAgent) RunStateAgent() { - var err error - - for sa.Running { - // connect with state agent service - sa.SAClient, err = sa.connectWithStateAgentService() - if err != nil { - kg.Debugf("Failed to connect with StateAgent at %s: %s", sa.StateAgentAddr, err.Error()) - continue - } - - kg.Printf("Connected with State Agent Service for reporting state") - - // run RPCs - sa.Wg.Add(1) - go sa.WatchStateClient() +// add new channel for broadcast +func (sa *StateAgent) addStateEventChan() (string, chan *pb.StateEvent) { + uid := uuid.Must(uuid.NewRandom()).String() + conn := make(chan *pb.StateEvent, stateEventBufferSize) - sa.Wg.Add(1) - go sa.GetStateClient() + sa.StateEventChansLock.Lock() + sa.StateEventChans[uid] = conn + sa.StateEventChansLock.Unlock() - sa.Wg.Wait() - - if err := sa.SAClient.Conn.Close(); err != nil { - kg.Warnf("Failed to close State Agent client: %s", err.Error()) - } - kg.Printf("Closed State Agent client") - - // reset connection - sa.SAClient = nil - if sa.StateEvents != nil { - sa.StateEvents = nil - } - } - - kg.Printf("Stop streaming state events") + return uid, conn } -// DestroyStateAgent -func (sa *StateAgent) DestroyStateAgent() error { - sa.Cancel() - sa.Running = false - time.Sleep(1 * time.Second) - - if sa.SAClient != nil { - if sa.SAClient.Conn != nil { - err := sa.SAClient.Conn.Close() - if err != nil { - return err - } - } - } - - // wait for terminations - sa.Wg.Wait() - - return nil +// close chan and delete connection +func (sa *StateAgent) removeStateEventChan(uid string) { + sa.StateEventChansLock.Lock() + close(sa.StateEventChans[uid]) + delete(sa.StateEventChans, uid) + sa.StateEventChansLock.Unlock() } // sends state events in a continuous stream -func (sa *StateAgent) WatchStateClient() { - defer sa.Wg.Done() - - kg.Print("Streaming State Events with WatchState Client") - defer kg.Print("Closed WatchState Client") - - client := sa.SAClient.WatchClient - closeChan := make(chan struct{}) - - // initialize this chan - sa.StateEvents = make(chan *pb.StateEvent, 25) +func (sa *StateAgent) WatchState(msg *emptypb.Empty, srv pb.StateAgent_WatchStateServer) error { + uid, conn := sa.addStateEventChan() + kg.Printf("Added a new client (%s) for WatchState", uid) - go func() { - defer close(closeChan) - _, err := client.Recv() - if err := kl.HandleGRPCErrors(err); err != nil { - kg.Warnf("Error while receiving reply from State Agent WatchClient. %s", err.Error()) - } - closeChan <- struct{}{} + defer func() { + sa.removeStateEventChan(uid) + kg.Printf("Deleted client (%s) for WatchState", uid) }() for sa.Running { select { - - case <-client.Context().Done(): - return - - case <-closeChan: - kg.Printf("Closing connection with State Agent Client") - return - - case event := <-sa.StateEvents: - if err := kl.HandleGRPCErrors(client.Send(event)); err != nil { - kg.Warnf("Failed to send state event.", err.Error()) - return + case <-srv.Context().Done(): + return nil + case event := <-conn: + if err := kl.HandleGRPCErrors(srv.Send(event)); err != nil { + kg.Warnf("Failed to send state event to WatchState client %s: %s", uid, err.Error()) + return err } - } } + + return nil } // sends current state upon request -func (sa *StateAgent) GetStateClient() { - defer sa.Wg.Done() - - kg.Print("Streaming State Events with GetState Client") - defer kg.Print("Closed GetState Client") - - client := sa.SAClient.GetClient - - // create a new stream and start listening for incoming msgs - // only send the state when a receiver sends an emptypb.Empty request message - for sa.Running { - select { - // avoid panics when the connection has been terminated - case <-client.Context().Done(): - return - - default: - _, err := client.Recv() - if err := kl.HandleGRPCErrors(err); err != nil { - kg.Warnf("Error while receiving request from GetState Client %s", err.Error()) - continue - } - - stateEventList := make([]*pb.StateEvent, 0) - - nodeData, err := json.Marshal(sa.Node) - if err != nil { - kg.Warnf("Error while trying to marshal node data. %s", err.Error()) - } - - nodeEvent := &pb.StateEvent{ - Kind: KindNode, - Type: EventAdded, - Name: sa.Node.NodeName, - Object: nodeData, - } - stateEventList = append(stateEventList, nodeEvent) - - sa.KubeArmorNamespacesLock.RLock() - for nsName, ns := range sa.KubeArmorNamespaces { - nsBytes, err := json.Marshal(ns) - if err != nil { - kg.Warnf("Failed to marshal ns event: %s", err.Error()) - } - - nsEvent := &pb.StateEvent{ - Kind: KindNamespace, - Type: EventAdded, - Name: nsName, - Object: nsBytes, - } - - stateEventList = append(stateEventList, nsEvent) - } - sa.KubeArmorNamespacesLock.RUnlock() - - for _, container := range sa.Containers { - containerBytes, err := json.Marshal(container) - if err != nil { - kg.Warnf("Error while trying to marshal container data. %s", err.Error()) - } - - containerEvent := &pb.StateEvent{ - Kind: KindContainer, - Type: EventAdded, - Name: container.ContainerName, - Object: containerBytes, - } - - stateEventList = append(stateEventList, containerEvent) - } +func (sa *StateAgent) GetState(msg *emptypb.Empty, srv pb.StateAgent_GetStateServer) error { + kg.Printf("Received a new request for GetState") + defer kg.Printf("Closing connection for GetState") - stateEvents := &pb.StateEvents{ - StateEvents: stateEventList, - } - - err = client.Send(stateEvents) - if err := kl.HandleGRPCErrors(err); err != nil { - kg.Warnf("Failed to send State Events to GetState Client: ", err.Error()) - return - } + stateEventList := make([]*pb.StateEvent, 0) - } + nodeData, err := json.Marshal(sa.Node) + if err != nil { + kg.Warnf("Error while trying to marshal node data: %s", err.Error()) } -} -func (sa *StateAgent) connectWithStateAgentService() (*StateAgentClient, error) { - var ( - err error - conn *grpc.ClientConn - client pb.StateAgentClient - ) - - kacp := keepalive.ClientParameters{ - Time: 1 * time.Second, - Timeout: 5 * time.Second, - PermitWithoutStream: true, + nodeEvent := &pb.StateEvent{ + Kind: KindNode, + Type: EventAdded, + Name: sa.Node.NodeName, + Object: nodeData, } + stateEventList = append(stateEventList, nodeEvent) - // dial state agent server at the specified address and wait until it is - // healthy - for sa.Running { - conn, err = grpc.DialContext(sa.Context, sa.StateAgentAddr, grpc.WithInsecure(), grpc.WithKeepaliveParams(kacp)) + sa.KubeArmorNamespacesLock.RLock() + for nsName, ns := range sa.KubeArmorNamespaces { + nsBytes, err := json.Marshal(ns) if err != nil { - time.Sleep(time.Second * 5) - _ = conn.Close() - continue + kg.Warnf("Failed to marshal ns %s event: %s", nsName, err.Error()) } - client = pb.NewStateAgentClient(conn) - if client == nil { - time.Sleep(time.Second * 5) - _ = conn.Close() - continue + nsEvent := &pb.StateEvent{ + Kind: KindNamespace, + Type: EventAdded, + Name: nsName, + Object: nsBytes, } - healthClient := grpc_health_v1.NewHealthClient(conn) - healthCheckRequest := &grpc_health_v1.HealthCheckRequest{ - Service: pb.StateAgent_ServiceDesc.ServiceName, - } + stateEventList = append(stateEventList, nsEvent) + } + sa.KubeArmorNamespacesLock.RUnlock() - resp, err := healthClient.Check(sa.Context, healthCheckRequest) - grpcErr := kl.HandleGRPCErrors(err) - if grpcErr != nil { - kg.Debugf("State Agent Service unhealthy. Error: %s", grpcErr.Error()) - _ = conn.Close() - time.Sleep(time.Second * 5) - continue + for _, container := range sa.Containers { + containerBytes, err := json.Marshal(container) + if err != nil { + kg.Warnf("Error while trying to marshal container %.6s data: %s", container.ContainerID, err.Error()) } - switch resp.Status { - case grpc_health_v1.HealthCheckResponse_SERVING: - break - case grpc_health_v1.HealthCheckResponse_NOT_SERVING: - _ = conn.Close() - return nil, fmt.Errorf("State Agent server is not serving") - default: - kg.Debugf("State Agent Service unhealthy. Status: %s", resp.Status.String()) - _ = conn.Close() - time.Sleep(time.Second * 5) - continue + containerEvent := &pb.StateEvent{ + Kind: KindContainer, + Type: EventAdded, + Name: container.ContainerName, + Object: containerBytes, } - break + stateEventList = append(stateEventList, containerEvent) } - watchClient, err := client.WatchState(sa.Context) - if err != nil { - err := fmt.Errorf("Failed to create StateAgent WatchClient: %s", err.Error()) - return nil, err + stateEvents := &pb.StateEvents{ + StateEvents: stateEventList, } - getClient, err := client.GetState(sa.Context) - if err != nil { - err := fmt.Errorf("Failed to create StateAgent GetClient: %s", err.Error()) - return nil, err + err = srv.Send(stateEvents) + if err := kl.HandleGRPCErrors(err); err != nil { + kg.Warnf("Failed to send state events to GetState: ", err.Error()) + return err } - saClient := &StateAgentClient{ - Conn: conn, - WatchClient: watchClient, - GetClient: getClient, - } + return nil +} + +// DestroyStateAgent +func (sa *StateAgent) DestroyStateAgent() error { + sa.Running = false + time.Sleep(1 * time.Second) - return saClient, nil + return nil } From 8c95ee6c4f73ea74e243b2de8f8ea61771e9431f Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Thu, 18 Jan 2024 15:31:46 +0530 Subject: [PATCH 7/8] chores and address review comments Signed-off-by: Rudraksh Pareek --- KubeArmor/Makefile | 2 +- KubeArmor/common/common.go | 2 +- KubeArmor/core/containerdHandler.go | 11 ----------- KubeArmor/core/dockerHandler.go | 11 ----------- KubeArmor/core/kubeArmor.go | 27 +++++++++++++++++++++++++++ KubeArmor/feeder/feeder.go | 14 ++++++++++---- KubeArmor/feeder/logServer.go | 2 +- KubeArmor/state/stateAgent.go | 3 --- 8 files changed, 40 insertions(+), 32 deletions(-) diff --git a/KubeArmor/Makefile b/KubeArmor/Makefile index a1acd227cc..c2be685160 100644 --- a/KubeArmor/Makefile +++ b/KubeArmor/Makefile @@ -55,7 +55,7 @@ run: build .PHONY: run-container run-container: build cd $(CURDIR); sudo rm -f /tmp/kubearmor.log - cd $(CURDIR); sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableKubeArmorHostPolicy -enableKubeArmorPolicy -k8s=false -criSocket=unix:///var/run/docker.sock + cd $(CURDIR); DEBUG=true sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableKubeArmorHostPolicy -enableKubeArmorPolicy -k8s=false -criSocket=unix:///var/run/docker.sock .PHONY: run-host-only run-host-only: build diff --git a/KubeArmor/common/common.go b/KubeArmor/common/common.go index 8ea0d9c0cc..29e622b860 100644 --- a/KubeArmor/common/common.go +++ b/KubeArmor/common/common.go @@ -480,8 +480,8 @@ func ParseURL(address string) (string, string, error) { addr = u } + host = addr.Hostname() if addr.Port() != "" { - host = strings.Split(addr.Host, ":")[0] port = addr.Port() } diff --git a/KubeArmor/core/containerdHandler.go b/KubeArmor/core/containerdHandler.go index d062d6b384..2233ddf3d7 100644 --- a/KubeArmor/core/containerdHandler.go +++ b/KubeArmor/core/containerdHandler.go @@ -177,9 +177,6 @@ func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID s if cfg.GlobalCfg.StateAgent && !cfg.GlobalCfg.K8sEnv { container.ContainerImage = res.Container.Image //+ kl.GetSHA256ofImage(inspect.Image) - // TODO - container.ProtocolPort = "0" - container.NodeName = cfg.GlobalCfg.Host labels := []string{} @@ -190,14 +187,6 @@ func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID s labels = append(labels, k+"="+v) } container.Labels = strings.Join(labels, ",") - - /* - container.Owner = tp.PodOwner{ - Name: container.ContainerName, - Namespace: container.NamespaceName, - Ref: "Deployment", - } - */ } // == // diff --git a/KubeArmor/core/dockerHandler.go b/KubeArmor/core/dockerHandler.go index ee6ebcb392..a4c500209f 100644 --- a/KubeArmor/core/dockerHandler.go +++ b/KubeArmor/core/dockerHandler.go @@ -185,17 +185,6 @@ func (dh *DockerHandler) GetContainerInfo(containerID string) (tp.Container, err lastUpdatedAt = timeFinished } - // TODO - container.ProtocolPort = "0" - - /* - container.Owner = tp.PodOwner{ - Name: container.ContainerName, - Namespace: container.NamespaceName, - Ref: "Deployment", - } - */ - } return container, nil diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go index addb54207b..34ef082d00 100644 --- a/KubeArmor/core/kubeArmor.go +++ b/KubeArmor/core/kubeArmor.go @@ -18,6 +18,8 @@ import ( "github.com/kubearmor/KubeArmor/KubeArmor/policy" "github.com/kubearmor/KubeArmor/KubeArmor/state" tp "github.com/kubearmor/KubeArmor/KubeArmor/types" + "google.golang.org/grpc/health" + "google.golang.org/grpc/health/grpc_health_v1" "google.golang.org/grpc/reflection" efc "github.com/kubearmor/KubeArmor/KubeArmor/enforcer" @@ -97,6 +99,9 @@ type KubeArmorDaemon struct { // system monitor lock MonitorLock *sync.RWMutex + + // health-server + GRPCHealthServer *health.Server } // NewKubeArmorDaemon Function @@ -348,6 +353,18 @@ func GetOSSigChannel() chan os.Signal { return c } +// =================== // +// == Health Server == // +// =================== // +func (dm *KubeArmorDaemon) SetHealthStatus(serviceName string, healthStatus grpc_health_v1.HealthCheckResponse_ServingStatus) bool { + if dm.GRPCHealthServer != nil { + dm.GRPCHealthServer.SetServingStatus(serviceName, healthStatus) + return true + } + + return false +} + // ========== // // == Main == // // ========== // @@ -461,6 +478,12 @@ func KubeArmor() { // == // + // health server + if dm.Logger.LogServer != nil { + dm.GRPCHealthServer = health.NewServer() + grpc_health_v1.RegisterHealthServer(dm.Logger.LogServer, dm.GRPCHealthServer) + } + // Init StateAgent if !dm.K8sEnabled && cfg.GlobalCfg.StateAgent { dm.NodeLock.Lock() @@ -479,6 +502,7 @@ func KubeArmor() { dm.Logger.Print("Initialized State Agent Server") pb.RegisterStateAgentServer(dm.Logger.LogServer, dm.StateAgent) + dm.SetHealthStatus(pb.StateAgent_ServiceDesc.ServiceName, grpc_health_v1.HealthCheckResponse_SERVING) } if dm.StateAgent != nil { @@ -708,6 +732,8 @@ func KubeArmor() { probe := &Probe{} probe.GetContainerData = dm.SetProbeContainerData pb.RegisterProbeServiceServer(dm.Logger.LogServer, probe) + + dm.SetHealthStatus(pb.PolicyService_ServiceDesc.ServiceName, grpc_health_v1.HealthCheckResponse_SERVING) } reflection.Register(dm.Logger.LogServer) // Helps grpc clients list out what all svc/endpoints available @@ -715,6 +741,7 @@ func KubeArmor() { // serve log feeds go dm.ServeLogFeeds() dm.Logger.Print("Started to serve gRPC-based log feeds") + dm.SetHealthStatus(pb.LogService_ServiceDesc.ServiceName, grpc_health_v1.HealthCheckResponse_SERVING) // == // go dm.SetKarmorData() diff --git a/KubeArmor/feeder/feeder.go b/KubeArmor/feeder/feeder.go index a956fb8994..94b8f8a749 100644 --- a/KubeArmor/feeder/feeder.go +++ b/KubeArmor/feeder/feeder.go @@ -23,8 +23,7 @@ import ( "github.com/google/uuid" pb "github.com/kubearmor/KubeArmor/protobuf" "google.golang.org/grpc" - "google.golang.org/grpc/health" - "google.golang.org/grpc/health/grpc_health_v1" + "google.golang.org/grpc/keepalive" ) // ============ // @@ -296,10 +295,17 @@ func NewFeeder(node *tp.Node, nodeLock **sync.RWMutex) *Feeder { EventStructs: fd.EventStructs, } - fd.LogServer = grpc.NewServer() + kaep := keepalive.EnforcementPolicy{ + PermitWithoutStream: true, + } + kasp := keepalive.ServerParameters{ + Time: 1 * time.Second, + Timeout: 5 * time.Second, + } + + fd.LogServer = grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp)) pb.RegisterLogServiceServer(fd.LogServer, logService) - grpc_health_v1.RegisterHealthServer(fd.LogServer, health.NewServer()) // Feeder // diff --git a/KubeArmor/feeder/logServer.go b/KubeArmor/feeder/logServer.go index f5bf95fab6..38ad3cfb4c 100644 --- a/KubeArmor/feeder/logServer.go +++ b/KubeArmor/feeder/logServer.go @@ -20,7 +20,7 @@ type LogService struct { } // HealthCheck Function -// Deprecated: use google.golang.org/grpc/health/grpc_health_v1 +// Deprecated: use the server created with google.golang.org/grpc/health/grpc_health_v1 func (ls *LogService) HealthCheck(ctx context.Context, nonce *pb.NonceMessage) (*pb.ReplyMessage, error) { replyMessage := pb.ReplyMessage{Retval: nonce.Nonce} return &replyMessage, nil diff --git a/KubeArmor/state/stateAgent.go b/KubeArmor/state/stateAgent.go index 171905ddc0..3717e0833b 100644 --- a/KubeArmor/state/stateAgent.go +++ b/KubeArmor/state/stateAgent.go @@ -112,9 +112,6 @@ func (sa *StateAgent) WatchState(msg *emptypb.Empty, srv pb.StateAgent_WatchStat // sends current state upon request func (sa *StateAgent) GetState(msg *emptypb.Empty, srv pb.StateAgent_GetStateServer) error { - kg.Printf("Received a new request for GetState") - defer kg.Printf("Closing connection for GetState") - stateEventList := make([]*pb.StateEvent, 0) nodeData, err := json.Marshal(sa.Node) From f642a76c3cd131f88f9601d356087c52ec426b09 Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Thu, 18 Jan 2024 15:53:30 +0530 Subject: [PATCH 8/8] syncup go mods; lint & protos Signed-off-by: Rudraksh Pareek --- KubeArmor/config/config.go | 9 ------ KubeArmor/core/containerdHandler.go | 1 + KubeArmor/feeder/logServer.go | 2 +- KubeArmor/feeder/policyMatcher.go | 2 +- KubeArmor/go.mod | 22 +++++++------- KubeArmor/go.sum | 46 +++++++++++++++-------------- KubeArmor/state/data.go | 4 ++- KubeArmor/state/stateAgent.go | 15 ++++++++-- pkg/KubeArmorOperator/go.mod | 16 +++++----- pkg/KubeArmorOperator/go.sum | 41 +++++++++++++++---------- protobuf/go.mod | 12 ++++---- protobuf/kvm.pb.go | 4 +-- protobuf/kvm_grpc.pb.go | 15 ++++++---- protobuf/policy.pb.go | 8 +++-- protobuf/policy.proto | 2 +- protobuf/policy_grpc.pb.go | 2 +- protobuf/state.pb.go | 2 +- protobuf/state_grpc.pb.go | 2 +- 18 files changed, 115 insertions(+), 90 deletions(-) diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go index cb5908427a..b6d14e00d8 100644 --- a/KubeArmor/config/config.go +++ b/KubeArmor/config/config.go @@ -127,9 +127,6 @@ func readCmdLineParams() { defaultPostureLogs := flag.Bool(ConfigDefaultPostureLogs, true, "Default Posture Alerts (for Apparmor only)") - reverseGRPCServer := flag.Bool(ConfigReverseGRPCServer, false, "enabling KubeArmor Reverse Log and Policy gRPC Service") - relayServerURLStr := flag.String(ConfigRelayServerURL, "http://localhost:2801/", "relay-server http URL listening for logs") - stateAgent := flag.Bool(ConfigStateAgent, false, "enabling KubeArmor State Agent client") flags := []string{} @@ -179,9 +176,6 @@ func readCmdLineParams() { viper.SetDefault(ConfigDefaultPostureLogs, *defaultPostureLogs) - viper.SetDefault(ConfigReverseGRPCServer, *reverseGRPCServer) - viper.SetDefault(ConfigRelayServerURL, *relayServerURLStr) - viper.SetDefault(ConfigStateAgent, *stateAgent) } @@ -271,9 +265,6 @@ func LoadConfig() error { GlobalCfg.DefaultPostureLogs = viper.GetBool(ConfigDefaultPostureLogs) - GlobalCfg.ReverseGRPCServer = viper.GetBool(ConfigReverseGRPCServer) - GlobalCfg.RelayServerURL = viper.GetString(ConfigRelayServerURL) - GlobalCfg.StateAgent = viper.GetBool(ConfigStateAgent) kg.Printf("Final Configuration [%+v]", GlobalCfg) diff --git a/KubeArmor/core/containerdHandler.go b/KubeArmor/core/containerdHandler.go index 2233ddf3d7..be77b0683d 100644 --- a/KubeArmor/core/containerdHandler.go +++ b/KubeArmor/core/containerdHandler.go @@ -9,6 +9,7 @@ import ( "fmt" "os" "strconv" + "strings" "time" kl "github.com/kubearmor/KubeArmor/KubeArmor/common" diff --git a/KubeArmor/feeder/logServer.go b/KubeArmor/feeder/logServer.go index 38ad3cfb4c..03e45896ee 100644 --- a/KubeArmor/feeder/logServer.go +++ b/KubeArmor/feeder/logServer.go @@ -12,7 +12,7 @@ import ( pb "github.com/kubearmor/KubeArmor/protobuf" ) -// LogServer Structure +// LogService struct holds the state of feeder's log server type LogService struct { QueueSize int EventStructs *EventStructs diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go index 4f4bfd7094..c3d71a5d04 100644 --- a/KubeArmor/feeder/policyMatcher.go +++ b/KubeArmor/feeder/policyMatcher.go @@ -19,7 +19,7 @@ import ( // == Security Policies == // // ======================= // -// GetProtocolFromName() Function +// GetProtocolFromName function gets protocol name from visibility data func GetProtocolFromName(proto string) string { switch strings.ToLower(proto) { case "tcp": diff --git a/KubeArmor/go.mod b/KubeArmor/go.mod index adb829e2ef..9184d2c439 100644 --- a/KubeArmor/go.mod +++ b/KubeArmor/go.mod @@ -32,15 +32,15 @@ require ( github.com/containerd/typeurl/v2 v2.1.1 github.com/docker/docker v24.0.7+incompatible github.com/golang/protobuf v1.5.3 - github.com/google/uuid v1.3.0 + github.com/google/uuid v1.3.1 github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20230510133055-4e30a28b6352 github.com/kubearmor/KubeArmor/protobuf v0.0.0-20230510133055-4e30a28b6352 github.com/opencontainers/runtime-spec v1.1.0-rc.2 github.com/spf13/viper v1.15.0 go.uber.org/zap v1.24.0 - golang.org/x/sys v0.10.0 - google.golang.org/grpc v1.56.3 - google.golang.org/protobuf v1.30.0 + golang.org/x/sys v0.16.0 + google.golang.org/grpc v1.60.1 + google.golang.org/protobuf v1.32.0 k8s.io/api v0.27.1 k8s.io/apimachinery v0.27.1 k8s.io/client-go v0.27.1 @@ -103,18 +103,18 @@ require ( github.com/subosito/gotenv v1.4.2 // indirect go.uber.org/atomic v1.11.0 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/crypto v0.9.0 // indirect + golang.org/x/crypto v0.18.0 // indirect golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect golang.org/x/mod v0.10.0 // indirect - golang.org/x/net v0.10.0 // indirect - golang.org/x/oauth2 v0.8.0 // indirect - golang.org/x/term v0.8.0 // indirect - golang.org/x/text v0.9.0 // indirect + golang.org/x/net v0.20.0 // indirect + golang.org/x/oauth2 v0.13.0 // indirect + golang.org/x/term v0.16.0 // indirect + golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.9.1 // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect - google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/KubeArmor/go.sum b/KubeArmor/go.sum index e919bcc0d8..243c1b589c 100644 --- a/KubeArmor/go.sum +++ b/KubeArmor/go.sum @@ -201,8 +201,8 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJY github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= @@ -369,8 +369,8 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g= -golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -445,8 +445,8 @@ golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -456,8 +456,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY= +golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -469,7 +469,7 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI= +golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -515,13 +515,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= -golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= +golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -531,9 +531,10 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -622,8 +623,9 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= @@ -662,8 +664,8 @@ google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 h1:6GQBEOdGkX6MMTLT9V+TjtIRZCw9VPD5Z+yHY9wMgS0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97/go.mod h1:v7nGkzlmW8P3n/bKmWBn2WpBjpOEx8Q6gMueudAmKfY= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -683,8 +685,8 @@ google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA5 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc= -google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU= +google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -698,8 +700,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= +google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/KubeArmor/state/data.go b/KubeArmor/state/data.go index 5524a3da69..6eb03db998 100644 --- a/KubeArmor/state/data.go +++ b/KubeArmor/state/data.go @@ -13,7 +13,7 @@ import ( pb "github.com/kubearmor/KubeArmor/protobuf" ) -// pushes (container + pod) event +// PushContainerEvent function pushes (container + pod) event func (sa *StateAgent) PushContainerEvent(container tp.Container, event string) { if container.ContainerID == "" { kg.Debug("Error while pushing container event. Missing data.") @@ -92,6 +92,7 @@ func (sa *StateAgent) PushContainerEvent(container tp.Container, event string) { return } +// PushNodeEvent function pushes node event func (sa *StateAgent) PushNodeEvent(node tp.Node, event string) { if node.NodeName == "" { kg.Warn("Received empty node event") @@ -128,6 +129,7 @@ func (sa *StateAgent) PushNodeEvent(node tp.Node, event string) { return } +// PushNamespaceEvent function pushes namespace event func (sa *StateAgent) PushNamespaceEvent(namespace tp.Namespace, event string) { nsBytes, err := json.Marshal(namespace) if err != nil { diff --git a/KubeArmor/state/stateAgent.go b/KubeArmor/state/stateAgent.go index 3717e0833b..8e1c6e7543 100644 --- a/KubeArmor/state/stateAgent.go +++ b/KubeArmor/state/stateAgent.go @@ -21,16 +21,24 @@ import ( const ( stateEventBufferSize = 25 + // EventAdded denotes an add event EventAdded = "added" + // EventUpdated denotes an update event EventUpdated = "updated" + // EventDeleted denotes an delete event EventDeleted = "deleted" + // KindContainer denotes a container kind KindContainer = "container" + // KindPod denotes a pod kind KindPod = "pod" + // KindNode denotes a node kind KindNode = "node" + // KindNamespace denotes a namespace kind KindNamespace = "namespace" ) +// StateAgent reports the state of containers/nodes protected by KubeArmor type StateAgent struct { Running bool @@ -47,6 +55,7 @@ type StateAgent struct { KubeArmorNamespacesLock *sync.RWMutex } +// NewStateAgent returns a new initialized state agent func NewStateAgent(node *tp.Node, nodeLock *sync.RWMutex, containers map[string]tp.Container, containersLock *sync.RWMutex) *StateAgent { return &StateAgent{ Running: true, @@ -85,7 +94,7 @@ func (sa *StateAgent) removeStateEventChan(uid string) { sa.StateEventChansLock.Unlock() } -// sends state events in a continuous stream +// WatchState sends state events in a continuous stream func (sa *StateAgent) WatchState(msg *emptypb.Empty, srv pb.StateAgent_WatchStateServer) error { uid, conn := sa.addStateEventChan() kg.Printf("Added a new client (%s) for WatchState", uid) @@ -110,7 +119,7 @@ func (sa *StateAgent) WatchState(msg *emptypb.Empty, srv pb.StateAgent_WatchStat return nil } -// sends current state upon request +// GetState sends current state upon request func (sa *StateAgent) GetState(msg *emptypb.Empty, srv pb.StateAgent_GetStateServer) error { stateEventList := make([]*pb.StateEvent, 0) @@ -174,7 +183,7 @@ func (sa *StateAgent) GetState(msg *emptypb.Empty, srv pb.StateAgent_GetStateSer return nil } -// DestroyStateAgent +// DestroyStateAgent destroys the referenced state agent func (sa *StateAgent) DestroyStateAgent() error { sa.Running = false time.Sleep(1 * time.Second) diff --git a/pkg/KubeArmorOperator/go.mod b/pkg/KubeArmorOperator/go.mod index 4a811281ab..3c13b2dfdf 100644 --- a/pkg/KubeArmorOperator/go.mod +++ b/pkg/KubeArmorOperator/go.mod @@ -37,7 +37,7 @@ require ( github.com/google/gnostic v0.6.9 // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/uuid v1.3.0 // indirect + github.com/google/uuid v1.3.1 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect @@ -59,14 +59,14 @@ require ( github.com/subosito/gotenv v1.4.2 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect - golang.org/x/net v0.14.0 // indirect - golang.org/x/oauth2 v0.8.0 // indirect - golang.org/x/sys v0.11.0 // indirect - golang.org/x/term v0.11.0 // indirect - golang.org/x/text v0.12.0 // indirect + golang.org/x/net v0.20.0 // indirect + golang.org/x/oauth2 v0.13.0 // indirect + golang.org/x/sys v0.16.0 // indirect + golang.org/x/term v0.16.0 // indirect + golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect - google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.30.0 // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/protobuf v1.32.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/pkg/KubeArmorOperator/go.sum b/pkg/KubeArmorOperator/go.sum index a9a902e90a..061a9a2f45 100644 --- a/pkg/KubeArmorOperator/go.sum +++ b/pkg/KubeArmorOperator/go.sum @@ -155,8 +155,8 @@ github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= @@ -251,6 +251,7 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= @@ -269,6 +270,7 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -305,6 +307,7 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -339,8 +342,9 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= -golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -350,8 +354,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY= +golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -362,6 +366,7 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -399,12 +404,15 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= -golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0= -golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= +golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -414,8 +422,9 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= -golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -470,6 +479,7 @@ golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -500,8 +510,9 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= @@ -572,8 +583,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= +google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/protobuf/go.mod b/protobuf/go.mod index f67b9cb035..668a149dd5 100644 --- a/protobuf/go.mod +++ b/protobuf/go.mod @@ -11,14 +11,14 @@ replace ( ) require ( - google.golang.org/grpc v1.56.3 - google.golang.org/protobuf v1.30.0 + google.golang.org/grpc v1.60.1 + google.golang.org/protobuf v1.32.0 ) require ( github.com/golang/protobuf v1.5.3 // indirect - golang.org/x/net v0.10.0 // indirect - golang.org/x/sys v0.8.0 // indirect - golang.org/x/text v0.9.0 // indirect - google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect + golang.org/x/net v0.20.0 // indirect + golang.org/x/sys v0.16.0 // indirect + golang.org/x/text v0.14.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect ) diff --git a/protobuf/kvm.pb.go b/protobuf/kvm.pb.go index 82f3d71efe..41eb347305 100644 --- a/protobuf/kvm.pb.go +++ b/protobuf/kvm.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.27.1 -// protoc v3.19.4 +// protoc-gen-go v1.31.0 +// protoc v4.25.1 // source: kvm.proto package protobuf diff --git a/protobuf/kvm_grpc.pb.go b/protobuf/kvm_grpc.pb.go index 8e3e365f6c..cb2e95154a 100644 --- a/protobuf/kvm_grpc.pb.go +++ b/protobuf/kvm_grpc.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: -// - protoc-gen-go-grpc v1.2.0 -// - protoc v3.19.4 +// - protoc-gen-go-grpc v1.3.0 +// - protoc v4.25.1 // source: kvm.proto package protobuf @@ -18,6 +18,11 @@ import ( // Requires gRPC-Go v1.32.0 or later. const _ = grpc.SupportPackageIsVersion7 +const ( + KVM_RegisterAgentIdentity_FullMethodName = "/kvm.KVM/registerAgentIdentity" + KVM_SendPolicy_FullMethodName = "/kvm.KVM/sendPolicy" +) + // KVMClient is the client API for KVM service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. @@ -36,7 +41,7 @@ func NewKVMClient(cc grpc.ClientConnInterface) KVMClient { func (c *kVMClient) RegisterAgentIdentity(ctx context.Context, in *AgentIdentity, opts ...grpc.CallOption) (*Status, error) { out := new(Status) - err := c.cc.Invoke(ctx, "/kvm.KVM/registerAgentIdentity", in, out, opts...) + err := c.cc.Invoke(ctx, KVM_RegisterAgentIdentity_FullMethodName, in, out, opts...) if err != nil { return nil, err } @@ -44,7 +49,7 @@ func (c *kVMClient) RegisterAgentIdentity(ctx context.Context, in *AgentIdentity } func (c *kVMClient) SendPolicy(ctx context.Context, opts ...grpc.CallOption) (KVM_SendPolicyClient, error) { - stream, err := c.cc.NewStream(ctx, &KVM_ServiceDesc.Streams[0], "/kvm.KVM/sendPolicy", opts...) + stream, err := c.cc.NewStream(ctx, &KVM_ServiceDesc.Streams[0], KVM_SendPolicy_FullMethodName, opts...) if err != nil { return nil, err } @@ -114,7 +119,7 @@ func _KVM_RegisterAgentIdentity_Handler(srv interface{}, ctx context.Context, de } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: "/kvm.KVM/registerAgentIdentity", + FullMethod: KVM_RegisterAgentIdentity_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(KVMServer).RegisterAgentIdentity(ctx, req.(*AgentIdentity)) diff --git a/protobuf/policy.pb.go b/protobuf/policy.pb.go index e7713c9db2..48fe1d5eee 100644 --- a/protobuf/policy.pb.go +++ b/protobuf/policy.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.31.0 -// protoc v4.25.0 +// protoc v4.25.1 // source: policy.proto package protobuf @@ -21,6 +21,10 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// Symbols defined in public import of google/protobuf/empty.proto. + +type Empty = emptypb.Empty + type PolicyStatus int32 const ( @@ -403,7 +407,7 @@ var file_policy_proto_rawDesc = []byte{ 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x75, 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x62, 0x75, 0x66, 0x50, 0x00, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/protobuf/policy.proto b/protobuf/policy.proto index f3620a7424..fc544a7114 100644 --- a/protobuf/policy.proto +++ b/protobuf/policy.proto @@ -2,7 +2,7 @@ syntax = "proto3"; package policy; -import "google/protobuf/empty.proto"; +import public "google/protobuf/empty.proto"; option go_package="github.com/kubearmor/KubeArmor/protobuf"; diff --git a/protobuf/policy_grpc.pb.go b/protobuf/policy_grpc.pb.go index 32cc880e97..14d20d6fe9 100644 --- a/protobuf/policy_grpc.pb.go +++ b/protobuf/policy_grpc.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: // - protoc-gen-go-grpc v1.3.0 -// - protoc v4.25.0 +// - protoc v4.25.1 // source: policy.proto package protobuf diff --git a/protobuf/state.pb.go b/protobuf/state.pb.go index 1062cffac0..dc81b1e6ee 100644 --- a/protobuf/state.pb.go +++ b/protobuf/state.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.31.0 -// protoc v4.25.0 +// protoc v4.25.1 // source: state.proto package protobuf diff --git a/protobuf/state_grpc.pb.go b/protobuf/state_grpc.pb.go index 42f0d833d0..448e0907c9 100644 --- a/protobuf/state_grpc.pb.go +++ b/protobuf/state_grpc.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: // - protoc-gen-go-grpc v1.3.0 -// - protoc v4.25.0 +// - protoc v4.25.1 // source: state.proto package protobuf