Merge pull request #1658 from daemon1024/remove-init-container-dep-wi…
…th-btf-core

Remove init container dep with BTF CORE
DelusionalOptimist authored Jun 11, 2024
2 parents 14c7943 + 215260d commit b9ea20c
Showing 18 changed files with 161 additions and 141 deletions.
6 changes: 5 additions & 1 deletion .github/workflows/ci-test-ubi-image.yml
Expand Up @@ -78,7 +78,11 @@ jobs:
kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch,kubearmor-app!=kubearmor-controller -n kubearmor
kubectl wait --timeout=1m --for=condition=ready pod -l kubearmor-app=kubearmor-controller -n kubearmor
kubectl get pods -A
- name: Operator may take upto 10 sec to enable TLS, Sleep for 15Sec
run: |
sleep 15
- name: Test KubeArmor using Ginkgo
run: |
go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
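Review bot: The new step relies on a fixed `sleep 15` for the operator to finish enabling TLS, which is a timing guess rather than a readiness check and will turn into either a flaky run or fifteen wasted seconds as operator start-up changes. Prefer a bounded poll on whatever the operator exposes once TLS is up (the secret it writes or a ready condition) with `kubectl wait --timeout=...`, keeping the sleep only as a documented fallback. The enclosing job definition starts and ends outside the hunk.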
4 changes: 3 additions & 1 deletion .github/workflows/cleanup.sh
Expand Up @@ -6,12 +6,14 @@
cleanup() {
echo "Performing cleanup..."

./usr/local/bin/k3s-killall.sh
/usr/local/bin/k3s-killall.sh

/usr/local/bin/k3s-uninstall.sh

docker system prune -a -f

sudo podman system prune -a -f

# rm -rf /home/vagrant/actions-runner/_work/KubeArmor

echo "Cleanup complete."
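Review bot: `sudo podman system prune -a -f` is added unconditionally, while the docker prune two lines above runs without sudo and nothing in the hunk shows that podman exists on every runner; where it is absent, or where sudo prompts, the step fails or hangs. Guard it with `command -v podman >/dev/null 2>&1 && sudo podman system prune -a -f` so cleanup still completes on docker-only hosts. The `cleanup` function continues past the end of the hunk, and whether the script runs under `set -e` is not visible here.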
26 changes: 24 additions & 2 deletions Dockerfile
Expand Up @@ -3,7 +3,7 @@

### Builder

FROM golang:1.22-alpine3.19 as builder
FROM golang:1.22-alpine3.20 as builder

RUN apk --no-cache update
RUN apk add --no-cache git clang llvm make gcc protobuf
Expand All @@ -18,16 +18,37 @@ RUN go install github.com/golang/protobuf/protoc-gen-go@latest
RUN go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
RUN make


WORKDIR /usr/src/KubeArmor/BPF

RUN apk add curl
# install bpftool
RUN arch=$(uname -m) bpftool_version=v7.3.0 && \
if [[ "$arch" == "aarch64" ]]; then \
arch=arm64; \
elif [[ "$arch" == "x86_64" ]]; then \
arch=amd64; \
fi && \
curl -LO https://github.com/libbpf/bpftool/releases/download/$bpftool_version/bpftool-$bpftool_version-$arch.tar.gz && \
tar -xzf bpftool-$bpftool_version-$arch.tar.gz -C /usr/local/bin && \
chmod +x /usr/local/bin/bpftool


COPY ./KubeArmor/BPF .

RUN make

### Make executable image

FROM alpine:3.18 as kubearmor
FROM alpine:3.20 as kubearmor

RUN echo "@community http://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories

RUN apk --no-cache update
RUN apk add apparmor@community apparmor-utils@community bash

COPY --from=builder /usr/src/KubeArmor/KubeArmor/kubearmor /KubeArmor/kubearmor
COPY --from=builder /usr/src/KubeArmor/BPF/*.o /opt/kubearmor/BPF/
COPY --from=builder /usr/src/KubeArmor/KubeArmor/templates/* /KubeArmor/templates/

ENTRYPOINT ["/KubeArmor/kubearmor"]
Expand Down Expand Up @@ -67,6 +88,7 @@ RUN groupadd --gid 1000 default \

COPY LICENSE /licenses/license.txt
COPY --from=builder --chown=default:default /usr/src/KubeArmor/KubeArmor/kubearmor /KubeArmor/kubearmor
COPY --from=builder --chown=default:default /usr/src/KubeArmor/BPF/*.o /opt/kubearmor/BPF/
COPY --from=builder --chown=default:default /usr/src/KubeArmor/KubeArmor/templates/* /KubeArmor/templates/

# TODO
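Review bot: The bpftool archive fetched by the `curl -LO` line in the second hunk is extracted straight into /usr/local/bin with no integrity check, so the builder stage trusts whatever the download returns; pin the expected sha256 per architecture and verify it before `tar`, and pass `-f` so an HTTP error body is never saved as the tarball. The same `RUN` uses `[[ ]]` under Alpine's /bin/sh, which busybox ash accepts but is not POSIX, and it falls through with the raw `uname -m` value on an unknown arch instead of failing early. `RUN apk add curl` on the line above it should match the earlier install: `RUN apk add --no-cache curl`. The digests below are placeholders to be filled in from the release.
```dockerfile
RUN apk add --no-cache curl
# install bpftool — pinned release, archive digest verified before extraction
RUN arch=$(uname -m) bpftool_version=v7.3.0 && \
    if [ "$arch" = "aarch64" ]; then \
        arch=arm64; sha256="<sha256-of-bpftool-v7.3.0-arm64.tar.gz>"; \
    elif [ "$arch" = "x86_64" ]; then \
        arch=amd64; sha256="<sha256-of-bpftool-v7.3.0-amd64.tar.gz>"; \
    else \
        echo "unsupported build arch: $arch" >&2; exit 1; \
    fi && \
    tarball="bpftool-$bpftool_version-$arch.tar.gz" && \
    curl -fsSLO "https://github.com/libbpf/bpftool/releases/download/$bpftool_version/$tarball" && \
    echo "$sha256  $tarball" | sha256sum -c - && \
    tar -xzf "$tarball" -C /usr/local/bin && \
    chmod +x /usr/local/bin/bpftool && \
    rm -f "$tarball"
# … unchanged: COPY ./KubeArmor/BPF . and RUN make …
```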
2 changes: 1 addition & 1 deletion KubeArmor/go.mod
Expand Up @@ -2,7 +2,7 @@ module github.com/kubearmor/KubeArmor/KubeArmor

go 1.21.0

toolchain go1.21.9
toolchain go1.21.11

replace (
github.com/kubearmor/KubeArmor => ../../
13 changes: 0 additions & 13 deletions deployments/get/objects.go
Expand Up @@ -270,10 +270,6 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet {
MountPath: "/lib/modules",
ReadOnly: true,
},
{
Name: "sys-fs-bpf-path", //BPF (read-write)
MountPath: "/sys/fs/bpf",
},
{
Name: "sys-kernel-security-path", //LSM (read-only)
MountPath: "/sys/kernel/security",
Expand Down Expand Up @@ -305,15 +301,6 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet {
},
},
},
{
Name: "sys-fs-bpf-path",
VolumeSource: corev1.VolumeSource{
HostPath: &corev1.HostPathVolumeSource{
Path: "/sys/fs/bpf",
Type: &hostPathDirectory,
},
},
},
{
Name: "sys-kernel-security-path",
VolumeSource: corev1.VolumeSource{
2 changes: 1 addition & 1 deletion deployments/go.mod
Expand Up @@ -2,7 +2,7 @@ module github.com/kubearmor/KubeArmor/deployments

go 1.21.0

toolchain go1.21.9
toolchain go1.21.11

replace (
github.com/kubearmor/KubeArmor => ../
62 changes: 0 additions & 62 deletions deployments/helm/KubeArmor/values.yaml
Expand Up @@ -163,8 +163,6 @@ kubearmor:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /sys/fs/bpf
name: sys-fs-bpf-path
- mountPath: /sys/kernel/security
name: sys-kernel-security-path
- mountPath: /sys/kernel/debug
Expand All @@ -183,8 +181,6 @@ kubearmor:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /sys/fs/bpf
name: sys-fs-bpf-path
- mountPath: /sys/kernel/security
name: sys-kernel-security-path
- mountPath: /sys/kernel/debug
Expand All @@ -205,8 +201,6 @@ kubearmor:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /sys/fs/bpf
name: sys-fs-bpf-path
- mountPath: /sys/kernel/security
name: sys-kernel-security-path
- mountPath: /sys/kernel/debug
Expand All @@ -227,8 +221,6 @@ kubearmor:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /sys/fs/bpf
name: sys-fs-bpf-path
- mountPath: /sys/kernel/security
name: sys-kernel-security-path
- mountPath: /sys/kernel/debug
Expand All @@ -249,8 +241,6 @@ kubearmor:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /sys/fs/bpf
name: sys-fs-bpf-path
- mountPath: /sys/kernel/security
name: sys-kernel-security-path
- mountPath: /sys/kernel/debug
Expand All @@ -271,8 +261,6 @@ kubearmor:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /sys/fs/bpf
name: sys-fs-bpf-path
- mountPath: /sys/kernel/security
name: sys-kernel-security-path
- mountPath: /sys/kernel/debug
Expand All @@ -293,8 +281,6 @@ kubearmor:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /sys/fs/bpf
name: sys-fs-bpf-path
- mountPath: /sys/kernel/security
name: sys-kernel-security-path
- mountPath: /sys/kernel/debug
Expand All @@ -315,8 +301,6 @@ kubearmor:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /sys/fs/bpf
name: sys-fs-bpf-path
- mountPath: /sys/kernel/security
name: sys-kernel-security-path
- mountPath: /sys/kernel/debug
Expand All @@ -333,8 +317,6 @@ kubearmor:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /sys/fs/bpf
name: sys-fs-bpf-path
- mountPath: /sys/kernel/security
name: sys-kernel-security-path
- mountPath: /sys/kernel/debug
Expand All @@ -355,8 +337,6 @@ kubearmor:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /sys/fs/bpf
name: sys-fs-bpf-path
- mountPath: /sys/kernel/security
name: sys-kernel-security-path
- mountPath: /sys/kernel/debug
Expand All @@ -377,8 +357,6 @@ kubearmor:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /sys/fs/bpf
name: sys-fs-bpf-path
- mountPath: /sys/kernel/security
name: sys-kernel-security-path
- mountPath: /sys/kernel/debug
Expand All @@ -404,10 +382,6 @@ kubearmor:
path: /lib/modules
type: DirectoryOrCreate
name: lib-modules-path
- hostPath:
path: /sys/fs/bpf
type: Directory
name: sys-fs-bpf-path
- hostPath:
path: /sys/kernel/security
type: Directory
Expand Down Expand Up @@ -438,10 +412,6 @@ kubearmor:
path: /lib/modules
type: DirectoryOrCreate
name: lib-modules-path
- hostPath:
path: /sys/fs/bpf
type: Directory
name: sys-fs-bpf-path
- hostPath:
path: /sys/kernel/security
type: Directory
Expand Down Expand Up @@ -472,10 +442,6 @@ kubearmor:
path: /lib/modules
type: DirectoryOrCreate
name: lib-modules-path
- hostPath:
path: /sys/fs/bpf
type: Directory
name: sys-fs-bpf-path
- hostPath:
path: /sys/kernel/security
type: Directory
Expand Down Expand Up @@ -506,10 +472,6 @@ kubearmor:
path: /lib/modules
type: DirectoryOrCreate
name: lib-modules-path
- hostPath:
path: /sys/fs/bpf
type: Directory
name: sys-fs-bpf-path
- hostPath:
path: /sys/kernel/security
type: Directory
Expand Down Expand Up @@ -540,10 +502,6 @@ kubearmor:
path: /lib/modules
type: DirectoryOrCreate
name: lib-modules-path
- hostPath:
path: /sys/fs/bpf
type: Directory
name: sys-fs-bpf-path
- hostPath:
path: /sys/kernel/security
type: Directory
Expand Down Expand Up @@ -574,10 +532,6 @@ kubearmor:
path: /lib/modules
type: Directory
name: lib-modules-path
- hostPath:
path: /sys/fs/bpf
type: Directory
name: sys-fs-bpf-path
- hostPath:
path: /sys/kernel/security
type: Directory
Expand Down Expand Up @@ -608,10 +562,6 @@ kubearmor:
path: /lib/modules
type: DirectoryOrCreate
name: lib-modules-path
- hostPath:
path: /sys/fs/bpf
type: Directory
name: sys-fs-bpf-path
- hostPath:
path: /sys/kernel/security
type: Directory
Expand Down Expand Up @@ -642,10 +592,6 @@ kubearmor:
path: /lib/modules
type: DirectoryOrCreate
name: lib-modules-path
- hostPath:
path: /sys/fs/bpf
type: Directory
name: sys-fs-bpf-path
- hostPath:
path: /sys/kernel/security
type: Directory
Expand All @@ -672,10 +618,6 @@ kubearmor:
path: /lib/modules
type: DirectoryOrCreate
name: lib-modules-path
- hostPath:
path: /sys/fs/bpf
type: Directory
name: sys-fs-bpf-path
- hostPath:
path: /sys/kernel/security
type: Directory
Expand Down Expand Up @@ -706,10 +648,6 @@ kubearmor:
path: /lib/modules
type: DirectoryOrCreate
name: lib-modules-path
- hostPath:
path: /sys/fs/bpf
type: Directory
name: sys-fs-bpf-path
- hostPath:
path: /sys/kernel/security
type: Directory
Expand Up @@ -90,6 +90,13 @@ rules:
- customresourcedefinitions
verbs:
- create
- apiGroups:
- batch
resources:
- jobs
- cronjobs
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
9 changes: 9 additions & 0 deletions deployments/helm/KubeArmorOperator/templates/deployment.yaml
Expand Up @@ -26,4 +26,13 @@ spec:
{{- end }}
image: {{ include "operatorImage" . }}
imagePullPolicy: {{ .Values.kubearmorOperator.imagePullPolicy }}

{{- $tag := (split ":" (include "operatorImage" .))._1 -}}
{{- if or (eq $tag "latest") (and (hasPrefix "v" $tag) (semverCompare "^1.4.0" $tag)) }}
# initDeploy flag is only supported from v1.4.0
args:
- --initDeploy={{.Values.kubearmorOperator.initDeploy }}
{{- end }}

serviceAccountName: {{ .Values.kubearmorOperator.name }}
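Review bot: `$tag` is taken as the second colon-separated field of the image reference, so a registry with a port (for example `registry.example:5000/kubearmor/kubearmor-operator:v1.4.1`, constructed) yields `5000/kubearmor/kubearmor-operator`, the semver test fails and `--initDeploy` is silently dropped. Take the last field instead: `{{- $tag := (splitList ":" (include "operatorImage" .) | last) -}}`. A digest-pinned reference (`@sha256:`) would still not satisfy the version check; if that form is meant to be supported, the gate needs an explicit value rather than tag parsing.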

1 change: 1 addition & 0 deletions deployments/helm/KubeArmorOperator/values.yaml
Expand Up @@ -36,6 +36,7 @@ kubearmorOperator:
repository: kubearmor/kubearmor-operator
tag: ""
imagePullPolicy: IfNotPresent
initDeploy: true

kubearmorConfig:
defaultCapabilitiesPosture: audit
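Review bot: `initDeploy: true` is added without a comment, and the deployment template only passes it to operator images tagged `latest` or `v1.4.0` and newer, so a reader of values.yaml cannot tell what it toggles or when it is ignored. Add above it a comment such as `# initDeploy: passed to the operator as --initDeploy; only honoured by operator images v1.4.0 and newer (older tags ignore this value)`. What the flag controls (presumably the init container named in the PR title) should be stated there too once confirmed.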
2 changes: 1 addition & 1 deletion pkg/KubeArmorController/go.mod
Expand Up @@ -2,7 +2,7 @@ module github.com/kubearmor/KubeArmor/pkg/KubeArmorController

go 1.21.0

toolchain go1.21.9
toolchain go1.21.11

require (
github.com/go-logr/logr v1.4.1