Merge pull request #1396 from Aryan-sharma11/karmor_systemd

.github/workflows/ci-latest-release.yml

@@ -87,7 +87,7 @@ jobs:
       - name: Test KubeArmor using Ginkgo
         run: |
           go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
-          make -C tests/
+          make -C tests/k8s_env/
         timeout-minutes: 30
 
       - name: Login to Docker Hub

.github/workflows/ci-test-controllers.yml

@@ -42,7 +42,7 @@ jobs:
       - name: Test KubeArmor using Ginkgo
         run: |
           go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
-          make -C tests/
+          make -C tests/k8s_env/
         timeout-minutes: 20
 
       - name: Get karmor sysdump

.github/workflows/ci-test-ginkgo.yml

@@ -56,7 +56,7 @@ jobs:
 
       - name: deploy pre existing pod 
         run: |
-          kubectl apply -f ./tests/ksp/pre-run-pod.yaml
+          kubectl apply -f ./tests/k8s_env/ksp/pre-run-pod.yaml
           sleep 60
           kubectl get pods -A
 
@@ -87,7 +87,7 @@ jobs:
         run: |
           go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
           make
-        working-directory: ./tests
+        working-directory: ./tests/k8s_env
         timeout-minutes: 30
 
       - name: Get karmor sysdump

.github/workflows/ci-test-systemd.yml

@@ -51,3 +51,12 @@ jobs:
 
       - name: Check journalctl
         run: sudo journalctl -u kubearmor --no-pager
+
+      - name: Test kubearmor using ginkgo 
+        run: |
+          go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
+          make
+        working-directory: ./tests/nonk8s_env
+        timeout-minutes: 30
+
+

.github/workflows/ci-test-ubi-image.yml

@@ -75,7 +75,7 @@ jobs:
         run: |
           go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
           make
-        working-directory: ./tests
+        working-directory: ./tests/k8s_env
         timeout-minutes: 30
 
       - name: Get karmor sysdump

KubeArmor/core/karmorprobedata.go

@@ -4,9 +4,13 @@
 package core
 
 import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
 	kl "github.com/kubearmor/KubeArmor/KubeArmor/common"
 	cfg "github.com/kubearmor/KubeArmor/KubeArmor/config"
 	tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
+	pb "github.com/kubearmor/KubeArmor/protobuf"
 )
 
 // KarmorData Structure
@@ -24,6 +28,12 @@ type KarmorData struct {
 	HostVisibility          string
 }
 
+// Karmor provides structure to serve Policy gRPC service
+type Probe struct {
+	pb.ProbeServiceServer
+	GetContainerData func() ([]string, map[string]*pb.ContainerData, map[string]*pb.HostSecurityPolicies)
+}
+
 // SetKarmorData generates runtime configuration for KubeArmor to be consumed by kArmor
 func (dm *KubeArmorDaemon) SetKarmorData() {
 	var kd KarmorData
@@ -62,3 +72,72 @@ func (dm *KubeArmorDaemon) SetKarmorData() {
 	}
 
 }
+
+// SetKarmorContainerData() keeps track of containers and the applied policies
+func (dm *KubeArmorDaemon) SetProbeContainerData() ([]string, map[string]*pb.ContainerData, map[string]*pb.HostSecurityPolicies) {
+	var containerlist []string
+	dm.ContainersLock.Lock()
+	for _, value := range dm.Containers {
+
+		containerlist = append(containerlist, value.ContainerName)
+	}
+	dm.ContainersLock.Unlock()
+
+	containerMap := make(map[string]*pb.ContainerData)
+	dm.EndPointsLock.Lock()
+
+	for _, ep := range dm.EndPoints {
+
+		var policyNames []string
+
+		for _, policy := range ep.SecurityPolicies {
+
+			policyNames = append(policyNames, policy.Metadata["policyName"])
+
+		}
+		containerMap[ep.EndPointName] = &pb.ContainerData{
+			PolicyList:    policyNames,
+			PolicyEnabled: int32(ep.PolicyEnabled),
+		}
+	}
+	dm.EndPointsLock.Unlock()
+
+	// Mapping Hostpolicies to their host hostName : HostPolicy
+	hostMap := make(map[string]*pb.HostSecurityPolicies)
+
+	dm.HostSecurityPoliciesLock.Lock()
+	for _, hp := range dm.HostSecurityPolicies {
+
+		hostName := dm.Node.NodeName
+
+		if val, ok := hostMap[hostName]; ok {
+
+			val.PolicyList = append(val.PolicyList, hp.Metadata["policyName"])
+			hostMap[hostName] = val
+
+		} else {
+
+			hostMap[hostName] = &pb.HostSecurityPolicies{
+				PolicyList: []string{hp.Metadata["policyName"]},
+			}
+
+		}
+	}
+	dm.HostSecurityPoliciesLock.Unlock()
+
+	return containerlist, containerMap, hostMap
+
+}
+
+// GetProbeData() sends policy data through grpc client
+func (p *Probe) GetProbeData(c context.Context, in *empty.Empty) (*pb.ProbeResponse, error) {
+
+	containerList, containerMap, hostMap := p.GetContainerData()
+	res := &pb.ProbeResponse{
+		ContainerList: containerList,
+		ContainerMap:  containerMap,
+		HostMap:       hostMap,
+	}
+
+	return res, nil
+}

KubeArmor/core/kubeArmor.go

@@ -644,8 +644,12 @@ func KubeArmor() {
 			dm.Node.PolicyEnabled = tp.KubeArmorPolicyEnabled
 			dm.Logger.Print("Started to monitor host security policies on gRPC")
 		}
-
 		pb.RegisterPolicyServiceServer(dm.Logger.LogServer, policyService)
+		//Enable grpc service to send kubearmor data to client in unorchestrated mode
+		probe := &Probe{}
+		probe.GetContainerData = dm.SetProbeContainerData
+		pb.RegisterProbeServiceServer(dm.Logger.LogServer, probe)
+
 	}
 
 	reflection.Register(dm.Logger.LogServer) // Helps grpc clients list out what all svc/endpoints available
@@ -657,14 +661,12 @@ func KubeArmor() {
 	// == //
 	go dm.SetKarmorData()
 	dm.Logger.Print("Initialized KubeArmor")
-
 	// == //
 
 	if cfg.GlobalCfg.KVMAgent || !dm.K8sEnabled {
 		// Restore and apply all kubearmor host security policies
 		dm.restoreKubeArmorPolicies()
 	}
-
 	// == //
 
 	// Init KvmAgent

KubeArmor/go.mod

@@ -31,6 +31,7 @@ require (
 	github.com/containerd/containerd v1.7.1
 	github.com/containerd/typeurl/v2 v2.1.1
 	github.com/docker/docker v23.0.6+incompatible
+	github.com/golang/protobuf v1.5.3
 	github.com/google/uuid v1.3.0
 	github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20230510133055-4e30a28b6352
 	github.com/kubearmor/KubeArmor/protobuf v0.0.0-20230510133055-4e30a28b6352
@@ -67,7 +68,6 @@ require (
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect