kubearmor · itsCheithanya · Jul 22, 2024
diff --git a/KubeArmor/core/containerdHandler.go b/KubeArmor/core/containerdHandler.go
@@ -24,6 +24,7 @@ import (
 	tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
 
 	pb "github.com/containerd/containerd/api/services/containers/v1"
+	nm "github.com/containerd/containerd/api/services/namespaces/v1"
 	pt "github.com/containerd/containerd/api/services/tasks/v1"
 	"github.com/containerd/containerd/namespaces"
 	"google.golang.org/grpc"
@@ -57,6 +58,7 @@ var defaultCaps = []string{
 
 // Containerd Handler
 var Containerd *ContainerdHandler
+var IsK8sEnabled bool
 
 // init Function
 func init() {
@@ -75,14 +77,17 @@ type ContainerdHandler struct {
 	// connection
 	conn *grpc.ClientConn
 
+	//namespace client
+	namespacesClient nm.NamespacesClient
+
 	// container client
 	client pb.ContainersClient
 
 	// task client
 	taskClient pt.TasksClient
 
 	// context
-	containerd context.Context
+	containerd []context.Context
 	docker     context.Context
 
 	// active containers
@@ -99,6 +104,8 @@ func NewContainerdHandler() *ContainerdHandler {
 	}
 
 	ch.conn = conn
+	// namespace client
+	ch.namespacesClient = nm.NewNamespacesClient(conn)
 
 	// container client
 	ch.client = pb.NewContainersClient(ch.conn)
@@ -109,8 +116,20 @@ func NewContainerdHandler() *ContainerdHandler {
 	// docker namespace
 	ch.docker = namespaces.WithNamespace(context.Background(), "moby")
 
-	// containerd namespace
-	ch.containerd = namespaces.WithNamespace(context.Background(), "k8s.io")
+	// Get the list of namespaces
+	ctx := context.Background()
+	listedNamespaces, err := ch.namespacesClient.List(ctx, &nm.ListNamespacesRequest{})
+	if err != nil {
+		return nil
+	}
+
+	if !IsK8sEnabled {
+		for _, namespace := range listedNamespaces.Namespaces {
+			ch.containerd = append(ch.containerd, namespaces.WithNamespace(context.Background(), namespace.Name))
+		}
+	} else {
+		ch.containerd = append(ch.containerd, namespaces.WithNamespace(context.Background(), "k8s.io"))
+	}
 
 	// active containers
 	ch.containers = map[string]context.Context{}
@@ -146,7 +165,11 @@ func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID s
 	// == container base == //
 
 	container.ContainerID = res.Container.ID
-	container.ContainerName = res.Container.ID
+	if val, ok := res.Container.Labels["nerdctl/name"]; ok {
+		container.ContainerName = val
+	} else {
+		container.ContainerName = res.Container.ID
+	}
 	container.NamespaceName = "Unknown"
 	container.EndPointName = "Unknown"
 
@@ -253,9 +276,11 @@ func (ch *ContainerdHandler) GetContainerdContainers() map[string]context.Contex
 		}
 	}
 
-	if containerList, err := ch.client.List(ch.containerd, &req, grpc.MaxCallRecvMsgSize(kl.DefaultMaxRecvMaxSize)); err == nil {
-		for _, container := range containerList.Containers {
-			containers[container.ID] = ch.containerd
+	for _, containerdContext := range ch.containerd {
+		if containerList, err := ch.client.List(containerdContext, &req, grpc.MaxCallRecvMsgSize(kl.DefaultMaxRecvMaxSize)); err == nil {
+			for _, container := range containerList.Containers {
+				containers[container.ID] = containerdContext
+			}
 		}
 	}
 
@@ -291,6 +316,34 @@ func (ch *ContainerdHandler) GetDeletedContainerdContainers(containers map[strin
 	return deletedContainers
 }
 
+// SetContainerVisibility function enables visibility flag arguments for un-orchestrated container
+func (dm *KubeArmorDaemon) SetContainerdVisibility(ctx context.Context, containerID string) {
+
+	// get container information from docker client
+	container, err := Containerd.GetContainerInfo(ctx, containerID, dm.OwnerInfo)
+	if err != nil {
+		return
+	}
+
+	if strings.Contains(cfg.GlobalCfg.Visibility, "process") {
+		container.ProcessVisibilityEnabled = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "file") {
+		container.FileVisibilityEnabled = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "network") {
+		container.NetworkVisibilityEnabled = true
+	}
+	if strings.Contains(cfg.GlobalCfg.Visibility, "capabilities") {
+		container.CapabilitiesVisibilityEnabled = true
+	}
+
+	container.EndPointName = container.ContainerName
+	container.NamespaceName = "container_namespace"
+
+	dm.Containers[container.ContainerID] = container
+}
+
 // UpdateContainerdContainer Function
 func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, containerID, action string) bool {
 	// check if Containerd exists
@@ -455,6 +508,13 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 			return false
 		}
 
+		if !dm.K8sEnabled {
+			dm.ContainersLock.Lock()
+			dm.SetContainerdVisibility(ctx, containerID)
+			container = dm.Containers[containerID]
+			dm.ContainersLock.Unlock()
+		}
+
 		if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy {
 			// for throttling
 			dm.SystemMonitor.Logger.ContainerNsKey[containerID] = common.OuterKey{
@@ -555,6 +615,12 @@ func (dm *KubeArmorDaemon) MonitorContainerdEvents() {
 	dm.WgDaemon.Add(1)
 	defer dm.WgDaemon.Done()
 
+	if !dm.K8sEnabled {
+		IsK8sEnabled = false
+	} else {
+		IsK8sEnabled = true
+	}
+
 	Containerd = NewContainerdHandler()
 
 	// check if Containerd exists