From 779f0dbe48411fcb1ad3ca00edcef8e86a81a7e6 Mon Sep 17 00:00:00 2001
From: PrimalPimmy
Date: Tue, 12 Mar 2024 02:04:22 +0530
Subject: [PATCH 1/3] fix(seccomp): More seccomp added

Signed-off-by: PrimalPimmy

fix(operator): Seccomp logic if file doesn't exist

Signed-off-by: PrimalPimmy
---
 .../internal/controller/cluster.go | 38 ++++++++++---------
 .../internal/controller/resources.go | 1 +
 pkg/KubeArmorOperator/seccomp/seccomp.go | 4 ++
 3 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/pkg/KubeArmorOperator/internal/controller/cluster.go b/pkg/KubeArmorOperator/internal/controller/cluster.go
index fe93ee1418..d9369bbf90 100644
--- a/pkg/KubeArmorOperator/internal/controller/cluster.go
+++ b/pkg/KubeArmorOperator/internal/controller/cluster.go
@@ -449,26 +449,28 @@ func (clusterWatcher *ClusterWatcher) UpdateKubearmorSeccomp(cfg *opv1.KubeArmor
 res = err
 } else {
 for _, ds := range dsList.Items {
- if cfg.Spec.SeccompEnabled && ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile == nil {
- ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile = &corev1.SeccompProfile{
- Type: corev1.SeccompProfileTypeLocalhost,
- LocalhostProfile: &common.SeccompProfile,
- }
- ds.Spec.Template.Spec.InitContainers[0].SecurityContext.SeccompProfile = &corev1.SeccompProfile{
- Type: corev1.SeccompProfileTypeLocalhost,
- LocalhostProfile: &common.SeccompInitProfile,
+ if ds.Spec.Template.Labels[common.SeccompLabel] == "yes" {
+ if cfg.Spec.SeccompEnabled && ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile == nil {
+ ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile = &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeLocalhost,
+ LocalhostProfile: &common.SeccompProfile,
+ }
+ ds.Spec.Template.Spec.InitContainers[0].SecurityContext.SeccompProfile = &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeLocalhost,
+ LocalhostProfile: &common.SeccompInitProfile,
+ }
+ } else if !cfg.Spec.SeccompEnabled && ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile != nil {
+ ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile = nil
+ ds.Spec.Template.Spec.InitContainers[0].SecurityContext.SeccompProfile = nil
 }
- } else if !cfg.Spec.SeccompEnabled && ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile != nil {
- ds.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile = nil
- ds.Spec.Template.Spec.InitContainers[0].SecurityContext.SeccompProfile = nil
- }
- _, err = clusterWatcher.Client.AppsV1().DaemonSets(common.Namespace).Update(context.Background(), &ds, v1.UpdateOptions{})
- if err != nil {
- clusterWatcher.Log.Warnf("Cannot update daemonset=%s error=%s", ds.Name, err.Error())
- res = err
- } else {
- clusterWatcher.Log.Infof("Updated daemonset=%s", ds.Name)
+ _, err = clusterWatcher.Client.AppsV1().DaemonSets(common.Namespace).Update(context.Background(), &ds, v1.UpdateOptions{})
+ if err != nil {
+ clusterWatcher.Log.Warnf("Cannot update daemonset=%s error=%s", ds.Name, err.Error())
+ res = err
+ } else {
+ clusterWatcher.Log.Infof("Updated daemonset=%s", ds.Name)
+ }
 }
 }
 }
diff --git a/pkg/KubeArmorOperator/internal/controller/resources.go b/pkg/KubeArmorOperator/internal/controller/resources.go
index b715e3f74d..0af91b25cc 100644
--- a/pkg/KubeArmorOperator/internal/controller/resources.go
+++ b/pkg/KubeArmorOperator/internal/controller/resources.go
@@ -52,6 +52,7 @@ func generateDaemonset(name, enforcer, runtime, socket, btfPresent, apparmorfs,
 common.SocketLabel: socket,
 common.OsLabel: "linux",
 common.BTFLabel: btfPresent,
+ common.SeccompLabel: seccompPresent,
 }
 daemonset.Spec.Template.Spec.NodeSelector = common.CopyStrMap(labels)
 labels["kubearmor-app"] = "kubearmor"
diff --git a/pkg/KubeArmorOperator/seccomp/seccomp.go b/pkg/KubeArmorOperator/seccomp/seccomp.go
index 0ed8a6f164..1f8e83d39e 100644
--- a/pkg/KubeArmorOperator/seccomp/seccomp.go
+++ b/pkg/KubeArmorOperator/seccomp/seccomp.go
@@ -141,6 +141,10 @@ func LoadSeccompInNode() {
 "getrandom",
 "close",
 "fchown",
+ "mremap",
+ "unlinkat",
+ "readlink",
+ "sigaltstack",
 "getegid",
 "arch_prctl",
 "lseek",

From 5ec11b868e7963bbbe3c2638e3133e4255429185 Mon Sep 17 00:00:00 2001
From: PrimalPimmy
Date: Thu, 14 Mar 2024 14:42:03 +0530
Subject: [PATCH 2/3] fix(operator): Seccomp defaulted to false and ARM based seccomp added

Signed-off-by: PrimalPimmy

fix(operator): arm syscall for init

Signed-off-by: PrimalPimmy

fix(operator): arm syscall for init-2
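Review bot: The new gate `if ds.Spec.Template.Labels[common.SeccompLabel] == "yes" {` encloses the clearing branch as well as the enabling one, so a DaemonSet whose template label is anything other than "yes" is never updated and a LocalhostProfile it already carries stays in place even when `cfg.Spec.SeccompEnabled` is false; given the commit message ("Seccomp logic if file doesn't exist") that looks like the very case the change is meant to handle, so the `!cfg.Spec.SeccompEnabled && ... != nil` branch that sets both profiles to nil should run for every DaemonSet and only the enabling branch be gated on the label. The literal "yes" is compared here and produced by CheckIfSeccompProfilePresent in seccomp.go; a single constant in `common` would keep the two in step. `Containers[0].SecurityContext` is dereferenced without a nil check on both sides of the diff, which is pre-existing but worth a guard now that the branch is being rewritten. UpdateKubearmorSeccomp begins before the hunk and continues after it.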
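Review bot: `common.SeccompLabel: seccompPresent,` is added to the map that becomes `NodeSelector` two lines later, so the label now also constrains scheduling: a node that has not been given the seccomp label (or carries a different value) will match none of the generated DaemonSets. That mirrors `common.BTFLabel` and is presumably intended, but nothing documents which values `seccompPresent` may take, and cluster.go compares the label against the bare string "yes". A comment on the parameter such as `// seccompPresent is "yes" or "no", as returned by seccomp.CheckIfSeccompProfilePresent`, or better a shared constant in common, would make that coupling explicit. generateDaemonset starts before the hunk and ends after it.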
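Review bot: The four names added after `"fchown",` widen the init container's allowlist with no record of which step of the init path needed them, so the next person auditing this list (or trying to remove an entry) has to guess; every name here is an exemption from the profile's ActErrno default, which makes the reason worth keeping. A short trailing comment per addition, e.g. `"unlinkat", // TODO(review): name the init step that failed without it`, would keep the list reviewable. This list sits inside LoadSeccompInNode, which starts before the hunk and ends after it.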
Signed-off-by: PrimalPimmy
---
 .github/workflows/ci-test-controllers.yml | 27 +++++++++++++++++--
 ...erator.kubearmor.com_kubearmorconfigs.yaml | 1 -
 deployments/operator/operator.yaml | 1 -
 .../v1/kubearmorconfig_types.go | 1 -
 pkg/KubeArmorOperator/common/defaults.go | 2 +-
 ...erator.kubearmor.com_kubearmorconfigs.yaml | 1 -
 .../config/samples/kubearmor-test.yaml | 2 +-
 .../config/samples/sample-config.yml | 2 +-
 pkg/KubeArmorOperator/seccomp/defaults.go | 2 ++
 pkg/KubeArmorOperator/seccomp/seccomp.go | 7 +++--
 10 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci-test-controllers.yml b/.github/workflows/ci-test-controllers.yml
index 20d43f08b2..ae87c44833 100644
--- a/.github/workflows/ci-test-controllers.yml
+++ b/.github/workflows/ci-test-controllers.yml
@@ -80,8 +80,31 @@ jobs:
 kubectl apply -f -
 fi
 kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test
- kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor
- kubectl get pods -A
+ timeout 7m bash -c -- '
+ while true; do
+ all_running=true
+ echo "Checking pod status..."
+ for pod_status in $(kubectl get pod -n kubearmor -l kubearmor-app,kubearmor-app!=kubearmor-snitch --output=jsonpath="{.items[*].status.phase}" 2>/dev/null); do
+ if [ "$pod_status" != "Running" ]; then
+ all_running=false
+ echo "Waiting for pods to be Running..."
+ break
+ fi
+ done
+
+ if $all_running; then
+ echo "All pods are Running."
+ break
+ fi
+
+ if kubectl get pod -n kubearmor -l kubearmor-app,kubearmor-app!=kubearmor-snitch | grep CrashLoopBackOff; then
+ echo "Error: Pod in CrashLoopBackOff state"
+ exit 1
+ fi
+
+ sleep 1
+ done
+ '
 - name: Test KubeArmor using Ginkgo
 run: |
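Review bot: The loop at `for pod_status in $(kubectl get pod ... 2>/dev/null); do` treats an empty result as success: if kubectl fails (its stderr is discarded) or no pod matches the selector yet, the body never runs, `all_running` stays true, and the script prints "All pods are Running." and exits 0 before anything is up. The replaced `kubectl wait --for=condition=ready` also required readiness, whereas phase Running is reached before readiness probes pass, so the Ginkgo step can now start against pods that are not yet serving. Capture the output first and require it to be non-empty, e.g. `phases=$(kubectl get pod -n kubearmor -l kubearmor-app,kubearmor-app!=kubearmor-snitch --output=jsonpath="{.items[*].status.phase}") || { sleep 1; continue; }` followed by `[ -n "$phases" ] || all_running=false`, and consider checking `{.items[*].status.containerStatuses[*].ready}` as well. The enclosing step's YAML begins before the hunk.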
diff --git a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml
index 3daa58bb4b..29eb3b6e88 100644
--- a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml
+++ b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml
@@ -129,7 +129,6 @@ spec:
 type: string
 type: object
 seccompEnabled:
- default: true
 type: boolean
 type: object
 status:
diff --git a/deployments/operator/operator.yaml b/deployments/operator/operator.yaml
index a0bd320a29..fab51b363e 100644
--- a/deployments/operator/operator.yaml
+++ b/deployments/operator/operator.yaml
@@ -127,7 +127,6 @@ spec:
 type: string
 type: object
 seccompEnabled:
- default: true
 type: boolean
 type: object
 status:
diff --git a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go
index 7b34b7f53f..b43f19c30b 100644
--- a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go
+++ b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go
@@ -50,7 +50,6 @@ type KubeArmorConfigSpec struct {
 // +kubebuilder:validation:optional
 EnableStdOutMsgs bool `json:"enableStdOutMsgs,omitempty"`
 // +kubebuilder:validation:Optional
- // +kubebuilder:default=true
 SeccompEnabled bool `json:"seccompEnabled,omitempty"`
 }
diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go
index 251eb3f636..f79dfa6ba6 100644
--- a/pkg/KubeArmorOperator/common/defaults.go
+++ b/pkg/KubeArmorOperator/common/defaults.go
@@ -113,7 +113,7 @@ var ConfigMapData = map[string]string{
 ConfigDefaultPostureLogs: "true",
 }

-var ConfigDefaultSeccompEnabled = "true"
+var ConfigDefaultSeccompEnabled = "false"

 var KubearmorRelayEnvMap = map[string]string{
 EnableStdOutAlerts: "false",
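Review bot: With `// +kubebuilder:default=true` removed and the field still tagged `omitempty`, an unset `seccompEnabled` now decodes as false, so applying the operator's seccomp profiles to the KubeArmor DaemonSet becomes opt-in, and nothing in the hunk says so. A field comment such as `// SeccompEnabled applies the operator-generated seccomp profiles to the kubearmor containers. Defaults to false.` would surface the new default in the generated CRD description, where the `default: true` line is being dropped in the same commit. The same default is mirrored by `ConfigDefaultSeccompEnabled = "false"` in common/defaults.go; a comment there pointing at this field would stop the two from drifting apart.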
diff --git a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml
index 3daa58bb4b..29eb3b6e88 100644
--- a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml
+++ b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml
@@ -129,7 +129,6 @@ spec:
 type: string
 type: object
 seccompEnabled:
- default: true
 type: boolean
 type: object
 status:
diff --git a/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml b/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
index 0778ee3486..c99076b94a 100644
--- a/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
+++ b/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
@@ -14,7 +14,7 @@ spec:
 defaultFilePosture: block
 defaultNetworkPosture: block
 defaultVisibility: process,file,network,capabilities
- seccompEnabled: true
+ seccompEnabled: false
 kubearmorImage:
 image: kubearmor/kubearmor:latest
 imagePullPolicy: Never
diff --git a/pkg/KubeArmorOperator/config/samples/sample-config.yml b/pkg/KubeArmorOperator/config/samples/sample-config.yml
index da168530ba..c14a0fc57c 100644
--- a/pkg/KubeArmorOperator/config/samples/sample-config.yml
+++ b/pkg/KubeArmorOperator/config/samples/sample-config.yml
@@ -17,7 +17,7 @@ spec:
 enableStdOutLogs: false
 enableStdOutAlerts: false
 enableStdOutMsgs: false
- seccompEnabled: true
+ seccompEnabled: false
 kubearmorImage:
 image: kubearmor/kubearmor:stable
 imagePullPolicy: Always
diff --git a/pkg/KubeArmorOperator/seccomp/defaults.go b/pkg/KubeArmorOperator/seccomp/defaults.go
index 90e7bfef5c..5f252cf346 100644
--- a/pkg/KubeArmorOperator/seccomp/defaults.go
+++ b/pkg/KubeArmorOperator/seccomp/defaults.go
@@ -7,6 +7,8 @@ var (
 Archx86_64 = "SCMP_ARCH_X86_64"
 Archx86 = "SCMP_ARCH_X86"
 Archx32 = "SCMP_ARCH_X32"
+ ArchARM64 = "SCMP_ARCH_AARCH64"
+ ArchARM = "SCMP_ARCH_ARM"
 ActErrno = "SCMP_ACT_ERRNO"
 ActAllow = "SCMP_ACT_ALLOW"
diff --git a/pkg/KubeArmorOperator/seccomp/seccomp.go b/pkg/KubeArmorOperator/seccomp/seccomp.go
index 1f8e83d39e..cbdee43b66 100644
--- a/pkg/KubeArmorOperator/seccomp/seccomp.go
+++ b/pkg/KubeArmorOperator/seccomp/seccomp.go
@@ -18,7 +18,7 @@ func LoadSeccompInNode() {
 seccompProfile := Seccomp{
 DefaultAction: ActErrno,
- Architectures: []string{Archx32, Archx86_64, Archx86},
+ Architectures: []string{Archx32, Archx86_64, Archx86, ArchARM, ArchARM64},
 Syscalls: []*Syscalls{{
 Names: []string{
 "getsockopt",
@@ -126,7 +126,7 @@ func LoadSeccompInNode() {
 seccompInitProfile := Seccomp{
 DefaultAction: ActErrno,
- Architectures: []string{Archx32, Archx86_64, Archx86},
+ Architectures: []string{Archx32, Archx86_64, Archx86, ArchARM, ArchARM64},
 Syscalls: []*Syscalls{{
 Names: []string{
 "dup2",
@@ -138,6 +138,8 @@ func LoadSeccompInNode() {
 "memfd_create",
 "capset",
 "read",
+ "dup3",
+ "getpgid",
 "getrandom",
 "close",
 "fchown",
@@ -166,6 +168,7 @@ func LoadSeccompInNode() {
 "capget",
 "sysinfo",
 "connect",
+ "pipe2",
 "openat",
 "access",
 "set_robust_list",

From 9d8a94616d5706c9fcc177a57eae073ef893a7cd Mon Sep 17 00:00:00 2001
From: PrimalPimmy
Date: Thu, 14 Mar 2024 20:15:29 +0530
Subject: [PATCH 3/3] fixed checking for filepath

Signed-off-by: PrimalPimmy
---
 pkg/KubeArmorOperator/seccomp/seccomp.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pkg/KubeArmorOperator/seccomp/seccomp.go b/pkg/KubeArmorOperator/seccomp/seccomp.go
index cbdee43b66..0774232891 100644
--- a/pkg/KubeArmorOperator/seccomp/seccomp.go
+++ b/pkg/KubeArmorOperator/seccomp/seccomp.go
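Review bot: Appending `ArchARM, ArchARM64` to both `Architectures` lists makes one set of syscall names serve x86 and aarch64, but several names in the init list only exist on x86 (`dup2`, `access`, `arch_prctl`, `readlink` have no aarch64 entry; the 64-bit ARM ABI provides `dup3`, `faccessat`, `readlinkat` instead), which is presumably why `dup3` and `pipe2` are added at `@@ -138` and `@@ -166`. Only the init profile gains ARM-specific names; the main profile at `@@ -18` gets the architectures but no new syscalls, so if the kubearmor container also relies on pipe/dup2/access-style calls it would hit the ActErrno default on ARM only — worth confirming on an arm64 node before this ships. A trailing comment on each ARM-motivated entry, e.g. `"dup3", // aarch64 has no dup2`, would record the per-architecture reason and make the list reviewable. LoadSeccompInNode starts before the first hunk and continues past the last.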
@@ -223,8 +223,12 @@ func LoadSeccompInNode() {
 }

 func CheckIfSeccompProfilePresent() string {
- if _, err := os.Stat(filepath.Clean(seccompPath)); err == nil {
+ _, err1 := os.Stat(filepath.Clean(seccompPath + "/kubearmor-init-seccomp.json"))
+ _, err2 := os.Stat(filepath.Clean(seccompPath + "/kubearmor-seccomp.json"))
+
+ if err1 == nil && err2 == nil {
 return "yes"
 }
+
 return "no"
 }
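Review bot: `seccompPath + "/kubearmor-init-seccomp.json"` builds the path by concatenation and then runs it through filepath.Clean; `filepath.Join(seccompPath, "kubearmor-init-seccomp.json")` does both in one step and does not depend on seccompPath lacking a trailing slash. The two file names are presumably the ones LoadSeccompInNode writes (that code is outside the hunk), so they belong in one shared constant rather than being spelled here a second time. `err1 == nil && err2 == nil` also answers "yes" for a directory of the same name, and any other failure (permission denied, a path component that is not a directory) silently becomes "no"; checking `IsRegular()` on the returned FileInfo and logging errors that are not `os.IsNotExist` would make a "no" diagnosable instead of quietly leaving the DaemonSet without a profile. CheckIfSeccompProfilePresent is complete within the hunk.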