diff --git a/.github/workflows/ci-test-controllers.yml b/.github/workflows/ci-test-controllers.yml
index 20d43f08b2..ae87c44833 100644
--- a/.github/workflows/ci-test-controllers.yml
+++ b/.github/workflows/ci-test-controllers.yml
@@ -80,8 +80,31 @@ jobs:
 kubectl apply -f -
 fi
 kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test
- kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor
- kubectl get pods -A
+ timeout 7m bash -c -- '
+ while true; do
+ all_running=true
+ echo "Checking pod status..."
+ for pod_status in $(kubectl get pod -n kubearmor -l kubearmor-app,kubearmor-app!=kubearmor-snitch --output=jsonpath="{.items[*].status.phase}" 2>/dev/null); do
+ if [ "$pod_status" != "Running" ]; then
+ all_running=false
+ echo "Waiting for pods to be Running..."
+ break
+ fi
+ done
+
+ if $all_running; then
+ echo "All pods are Running."
+ break
+ fi
+
+ if kubectl get pod -n kubearmor -l kubearmor-app,kubearmor-app!=kubearmor-snitch | grep CrashLoopBackOff; then
+ echo "Error: Pod in CrashLoopBackOff state"
+ exit 1
+ fi
+
+ sleep 1
+ done
+ '
 - name: Test KubeArmor using Ginkgo
 run: |
diff --git a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml
index 3daa58bb4b..29eb3b6e88 100644
--- a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml
+++ b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml
@@ -129,7 +129,6 @@ spec:
 type: string
 type: object
 seccompEnabled:
- default: true
 type: boolean
 type: object
 status:
diff --git a/deployments/operator/operator.yaml b/deployments/operator/operator.yaml
index a0bd320a29..fab51b363e 100644
--- a/deployments/operator/operator.yaml
+++ b/deployments/operator/operator.yaml
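Review bot: The success check in the new wait loop passes on an empty pod list, because `all_running` starts as true and is only cleared inside the `for` over the jsonpath output; if `kubectl get pod` returns nothing, or fails (which `2>/dev/null` hides), the loop prints "All pods are Running." and exits 0 before any KubeArmor pod exists. The CrashLoopBackOff grep sits after the `if $all_running` break, and a crash-looping container normally leaves the pod phase at Running, so that branch is unlikely to be reached in exactly the case it is meant to catch. The removed `kubectl wait --for=condition=ready` line checked readiness, whereas the replacement only checks phase; consider reading the Ready condition instead (`.items[*].status.conditions[?(@.type=="Ready")].status` compared against `True`), guarding that the list is non-empty, and moving the CrashLoopBackOff check ahead of the `all_running` break.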
@@ -127,7 +127,6 @@ spec:
 type: string
 type: object
 seccompEnabled:
- default: true
 type: boolean
 type: object
 status:
diff --git a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go
index 7b34b7f53f..b43f19c30b 100644
--- a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go
+++ b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go
@@ -50,7 +50,6 @@ type KubeArmorConfigSpec struct {
 // +kubebuilder:validation:optional
 EnableStdOutMsgs bool `json:"enableStdOutMsgs,omitempty"`
 // +kubebuilder:validation:Optional
- // +kubebuilder:default=true
 SeccompEnabled bool `json:"seccompEnabled,omitempty"`
 }
diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go
index 251eb3f636..f79dfa6ba6 100644
--- a/pkg/KubeArmorOperator/common/defaults.go
+++ b/pkg/KubeArmorOperator/common/defaults.go
@@ -113,7 +113,7 @@ var ConfigMapData = map[string]string{
 ConfigDefaultPostureLogs: "true",
 }
-var ConfigDefaultSeccompEnabled = "true"
+var ConfigDefaultSeccompEnabled = "false"
 var KubearmorRelayEnvMap = map[string]string{
 EnableStdOutAlerts: "false",
diff --git a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml
index 3daa58bb4b..29eb3b6e88 100644
--- a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml
+++ b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml
@@ -129,7 +129,6 @@ spec:
 type: string
 type: object
 seccompEnabled:
- default: true
 type: boolean
 type: object
 status:
diff --git a/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml b/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
index 0778ee3486..c99076b94a 100644
--- a/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
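Review bot: `SeccompEnabled` in `KubeArmorConfigSpec` has no doc comment, and after dropping `+kubebuilder:default=true` the effective default is only discoverable from `ConfigDefaultSeccompEnabled = "false"` in common/defaults.go (the `@@ -113` hunk on this page) and from the three CRD manifests that lose `default: true`. With `omitempty` on a bool an unset field and an explicit `false` are indistinguishable, so a reader of the API type cannot see that the seccomp hardening is now off unless requested. Suggest a field comment stating the contract, e.g. `// SeccompEnabled attaches the operator-managed seccomp profiles to the KubeArmor daemonset containers. Defaults to false; profiles are only attached on nodes where they are present.` The second sentence follows from the SeccompLabel gate added in cluster.go and should be adjusted if that is not the intended behaviour.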
+++ b/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
@@ -14,7 +14,7 @@ spec:
 defaultFilePosture: block
 defaultNetworkPosture: block
 defaultVisibility: process,file,network,capabilities
- seccompEnabled: true
+ seccompEnabled: false
 kubearmorImage:
 image: kubearmor/kubearmor:latest
 imagePullPolicy: Never
diff --git a/pkg/KubeArmorOperator/config/samples/sample-config.yml b/pkg/KubeArmorOperator/config/samples/sample-config.yml
index da168530ba..c14a0fc57c 100644
--- a/pkg/KubeArmorOperator/config/samples/sample-config.yml
+++ b/pkg/KubeArmorOperator/config/samples/sample-config.yml
@@ -17,7 +17,7 @@ spec:
 enableStdOutLogs: false
 enableStdOutAlerts: false
 enableStdOutMsgs: false
- seccompEnabled: true
+ seccompEnabled: false
 kubearmorImage:
 image: kubearmor/kubearmor:stable
 imagePullPolicy: Always
diff --git a/pkg/KubeArmorOperator/internal/controller/cluster.go b/pkg/KubeArmorOperator/internal/controller/cluster.go
index fe93ee1418..d9369bbf90 100644
--- a/pkg/KubeArmorOperator/internal/controller/cluster.go
+++ b/pkg/KubeArmorOperator/internal/controller/cluster.go
@@ -449,26 +449,28 @@ func (clusterWatcher *ClusterWatcher) UpdateKubearmorSeccomp(cfg *opv1.KubeArmor
 res = err
 } else {
 for _, ds := range dsList.Items {
- if cfg.Spec.SeccompEnabled && ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile == nil {
- ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile = &corev1.SeccompProfile{
- Type: corev1.SeccompProfileTypeLocalhost,
- LocalhostProfile: &common.SeccompProfile,
- }
- ds.Spec.Template.Spec.InitContainers[0].SecurityContext.SeccompProfile = &corev1.SeccompProfile{
- Type: corev1.SeccompProfileTypeLocalhost,
- LocalhostProfile: &common.SeccompInitProfile,
+ if ds.Spec.Template.Labels[common.SeccompLabel] == "yes" {
+ if cfg.Spec.SeccompEnabled && ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile == nil {
+ ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile = &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeLocalhost,
+ LocalhostProfile: &common.SeccompProfile,
+ }
+ ds.Spec.Template.Spec.InitContainers[0].SecurityContext.SeccompProfile = &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeLocalhost,
+ LocalhostProfile: &common.SeccompInitProfile,
+ }
+ } else if !cfg.Spec.SeccompEnabled && ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile != nil {
+ ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile = nil
+ ds.Spec.Template.Spec.InitContainers[0].SecurityContext.SeccompProfile = nil
 }
- } else if !cfg.Spec.SeccompEnabled && ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile != nil {
- ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile = nil
- ds.Spec.Template.Spec.InitContainers[0].SecurityContext.SeccompProfile = nil
- }
- _, err = clusterWatcher.Client.AppsV1().DaemonSets(common.Namespace).Update(context.Background(), &ds, v1.UpdateOptions{})
- if err != nil {
- clusterWatcher.Log.Warnf("Cannot update daemonset=%s error=%s", ds.Name, err.Error())
- res = err
- } else {
- clusterWatcher.Log.Infof("Updated daemonset=%s", ds.Name)
+ _, err = clusterWatcher.Client.AppsV1().DaemonSets(common.Namespace).Update(context.Background(), &ds, v1.UpdateOptions{})
+ if err != nil {
+ clusterWatcher.Log.Warnf("Cannot update daemonset=%s error=%s", ds.Name, err.Error())
+ res = err
+ } else {
+ clusterWatcher.Log.Infof("Updated daemonset=%s", ds.Name)
+ }
 }
 }
 }
diff --git a/pkg/KubeArmorOperator/internal/controller/resources.go b/pkg/KubeArmorOperator/internal/controller/resources.go
index b715e3f74d..0af91b25cc 100644
--- a/pkg/KubeArmorOperator/internal/controller/resources.go
+++ b/pkg/KubeArmorOperator/internal/controller/resources.go
@@ -52,6 +52,7 @@ func generateDaemonset(name, enforcer, runtime, socket, btfPresent, apparmorfs,
 common.SocketLabel: socket,
 common.OsLabel: "linux",
 common.BTFLabel: btfPresent,
+ common.SeccompLabel: seccompPresent,
 }
 daemonset.Spec.Template.Spec.NodeSelector = common.CopyStrMap(labels)
 labels["kubearmor-app"] = "kubearmor"
diff --git a/pkg/KubeArmorOperator/seccomp/defaults.go b/pkg/KubeArmorOperator/seccomp/defaults.go
index 90e7bfef5c..5f252cf346 100644
--- a/pkg/KubeArmorOperator/seccomp/defaults.go
+++ b/pkg/KubeArmorOperator/seccomp/defaults.go
@@ -7,6 +7,8 @@ var (
 Archx86_64 = "SCMP_ARCH_X86_64"
 Archx86 = "SCMP_ARCH_X86"
 Archx32 = "SCMP_ARCH_X32"
+ ArchARM64 = "SCMP_ARCH_AARCH64"
+ ArchARM = "SCMP_ARCH_ARM"
 ActErrno = "SCMP_ACT_ERRNO"
 ActAllow = "SCMP_ACT_ALLOW"
diff --git a/pkg/KubeArmorOperator/seccomp/seccomp.go b/pkg/KubeArmorOperator/seccomp/seccomp.go
index 0ed8a6f164..0774232891 100644
--- a/pkg/KubeArmorOperator/seccomp/seccomp.go
+++ b/pkg/KubeArmorOperator/seccomp/seccomp.go
@@ -18,7 +18,7 @@ func LoadSeccompInNode() {
 seccompProfile := Seccomp{
 DefaultAction: ActErrno,
- Architectures: []string{Archx32, Archx86_64, Archx86},
+ Architectures: []string{Archx32, Archx86_64, Archx86, ArchARM, ArchARM64},
 Syscalls: []*Syscalls{{
 Names: []string{
 "getsockopt",
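Review bot: When `cfg.Spec.SeccompEnabled` is true but the daemonset's `common.SeccompLabel` is not "yes", the new outer `if` skips it silently, so a cluster can end up running KubeArmor without seccomp on some nodes with nothing in the operator log saying so. Suggest an `else` on the label check that records the gap, e.g. `} else if cfg.Spec.SeccompEnabled { clusterWatcher.Log.Warnf("Seccomp requested but profiles are absent on nodes of daemonset=%s; skipping", ds.Name) }`. Separately, the `Update` call now runs for every labelled daemonset even when neither branch touched the pod template, which is one API write per daemonset per reconcile; a `changed` flag set in the two branches and checked before `Update` would avoid that (the old code had the same behaviour, but this restructure is the natural point to fix it). `UpdateKubearmorSeccomp` starts before the hunk and its return lies after it.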
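Review bot: `common.SeccompLabel` now becomes part of `daemonset.Spec.Template.Spec.NodeSelector` through `CopyStrMap(labels)`, so nodes that differ only in seccomp-profile presence need distinct daemonsets to be scheduled at all. The `name` argument to `generateDaemonset` is computed outside this hunk; it should incorporate `seccompPresent` the way it presumably already does for `btfPresent`, otherwise the two node configurations would collide on one daemonset name and the later one would overwrite the selector of the first. If that invariant holds, a one-line comment on the new entry, e.g. `// seccomp presence is part of the node selector; the daemonset name must vary with it`, would make it visible here. The function signature is cut at the hunk header, so whether `seccompPresent` is a new parameter cannot be confirmed from this page.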
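Review bot: Adding `ArchARM` and `ArchARM64` to `Architectures` applies the existing x86-oriented allow-list to those ABIs unchanged, and names such as `arch_prctl`, `dup2`, `access` and `readlink` in these lists do not exist on aarch64, while aarch64 equivalents are only partly added, and only to the init profile (the `@@ -138` and `@@ -162` hunks). Whether a name unknown to an architecture is skipped or rejected depends on the container runtime's seccomp loader, so this is worth verifying on an arm64 node rather than assuming: a rejected profile makes the container fail to start, while a silently skipped name leaves a needed call failing under `ActErrno`. A comment on the `Architectures` line, e.g. `// one allow-list is shared across ABIs; names unknown on an arch are expected to be skipped by the runtime (verified on arm64)`, would record the assumption once it is checked. The same line is changed for `seccompInitProfile` in the `@@ -126` hunk on this page.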
@@ -126,7 +126,7 @@ func LoadSeccompInNode() {
 seccompInitProfile := Seccomp{
 DefaultAction: ActErrno,
- Architectures: []string{Archx32, Archx86_64, Archx86},
+ Architectures: []string{Archx32, Archx86_64, Archx86, ArchARM, ArchARM64},
 Syscalls: []*Syscalls{{
 Names: []string{
 "dup2",
@@ -138,9 +138,15 @@ func LoadSeccompInNode() {
 "memfd_create",
 "capset",
 "read",
+ "dup3",
+ "getpgid",
 "getrandom",
 "close",
 "fchown",
+ "mremap",
+ "unlinkat",
+ "readlink",
+ "sigaltstack",
 "getegid",
 "arch_prctl",
 "lseek",
@@ -162,6 +168,7 @@ func LoadSeccompInNode() {
 "capget",
 "sysinfo",
 "connect",
+ "pipe2",
 "openat",
 "access",
 "set_robust_list",
@@ -216,8 +223,12 @@ func LoadSeccompInNode() {
 }
 func CheckIfSeccompProfilePresent() string {
- if _, err := os.Stat(filepath.Clean(seccompPath)); err == nil {
+ _, err1 := os.Stat(filepath.Clean(seccompPath + "/kubearmor-init-seccomp.json"))
+ _, err2 := os.Stat(filepath.Clean(seccompPath + "/kubearmor-seccomp.json"))
+
+ if err1 == nil && err2 == nil {
 return "yes"
 }
+
 return "no"
 }
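Review bot: The seven names added to `seccompInitProfile` (`dup3`, `getpgid`, `mremap`, `unlinkat`, `readlink`, `sigaltstack` here and `pipe2` in the `@@ -162` hunk) widen the init container's allow-list with no comment saying which component needs them, which turns the next audit of this list into guesswork. Some look like aarch64 replacements for calls already on the list (`dup3` alongside `dup2`), but `readlink` is not an aarch64 syscall and `mremap`/`sigaltstack` have no visible x86 counterpart here, so the reason can only be inferred. A short comment above the group, e.g. `// added for arm64: runtime and init equivalents of the x86 calls above`, corrected to the actual reason, would keep the allow-list reviewable.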
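Review bot: `CheckIfSeccompProfilePresent` collapses every `os.Stat` failure into "no", so a permission problem or a wrong `seccompPath` silently reports the profiles as absent and, via the `SeccompLabel` gate in cluster.go, turns the hardening off without a trace in the logs. Suggest separating not-found from other errors and logging the latter, e.g. `if err1 != nil && !errors.Is(err1, fs.ErrNotExist) { /* log err1 here */ }` and likewise for `err2` (the file's logger is not visible in the hunk, so the call is left as a placeholder). Path building should use `filepath.Join(seccompPath, "kubearmor-init-seccomp.json")` and `filepath.Join(seccompPath, "kubearmor-seccomp.json")` rather than concatenation followed by `Clean`. The two file names presumably mirror what `LoadSeccompInNode` writes (not visible here); sharing one constant between writer and checker would keep them from drifting apart.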