fix(improvements): Improve the usability of karmor probe by detailing… #362

Open
wants to merge 1 commit into
base: main


@haytok haytok commented Aug 21, 2023

… error messages

When KubeArmor is running in systemd mode, the following error may occur when executing "karmor probe".

```
> karmor probe
probe.go:380: error when getting kubearmor daemonset Get "http://localhost:8080/apis/apps/v1/namespaces/kube-system/daemonsets/kubearmor": dial tcp 127.0.0.1:8080: connect: connection refused

Didn't find KubeArmor in systemd or Kubernetes, probing for support for KubeArmor

Host:
  Observability/Audit: Supported (Kernel Version 5.15.0)
  Enforcement: Full (Supported LSMs: lockdown,capability,landlock,yama,apparmor)
To get full probe, a daemonset will be deployed in your cluster - This daemonset will be deleted after probing
Use --full tag to get full probing
```

When "karmor probe" is executed, "systemctl status kubearmor" is executed internally, but the systemctl command may require sudo. In this case, without sudo, an error occurs.

In this commit, to make it easier to understand the root cause of such an error, error messages have been modified to be more detailed.

… error messages

The following error may occur when executing "karmor probe".

  ```
  > karmor probe
  probe.go:380: error when getting kubearmor daemonset Get "http://localhost:8080/apis/apps/v1/namespaces/kube-system/daemonsets/kubearmor": dial tcp 127.0.0.1:8080: connect: connection refused

  Didn't find KubeArmor in systemd or Kubernetes, probing for support for KubeArmor

  Host:
    Observability/Audit: Supported (Kernel Version 5.15.0)
    Enforcement: Full (Supported LSMs: lockdown,capability,landlock,yama,apparmor)
  To get full probe, a daemonset will be deployed in your cluster - This daemonset will be deleted after probing
  Use --full tag to get full probing
  ```

When "karmor probe" is executed, "systemctl status kubearmor" is executed
internally, but the systemctl command may require sudo. In this case,
without sudo, an error occurs.

In this commit, to make it easier to understand the root cause of such an
error, error messages have been modified to be more detailed.

Signed-off-by: Hayato Kiwata <[email protected]>
@Aryan-sharma11
Member

@haytok 🤔 I don't think we should handle it this way, as whenever someone runs karmor probe for k8s it will log this error. WDYT?

if err != nil {
log.Println("systemctl status kubearmor cannot be executed:", string(out))
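Review bot: on the `log.Println` line, the message prints `string(out)` but leaves out `err`, so if `out` is empty the log line names the command and gives no cause; include `err` alongside the output. The call also logs on every `err != nil` at this point, regardless of whether KubeArmor is found another way afterwards, so consider returning the error to the caller and printing it only when no detection path succeeds.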
Member


We should refactor the function to return an error, and use the Cobra error handler to capture the errors. That way we will not show the error in case we find KubeArmor in Kubernetes.
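The refactor suggested in the comment above, sketched as an added example (not code from this PR or from the karmor code base): each detection path returns its error instead of logging it, and the collected errors surface only when KubeArmor is found nowhere. The `prober` type, the `detect` function and the simulated error strings are hypothetical; in the real command the returned error would be handed to Cobra through `RunE`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// prober is a hypothetical stand-in for one detection path (systemd, Kubernetes).
type prober struct {
	name string
	run  func() (found bool, err error)
}

// detect tries each path in order. Failures are collected rather than logged,
// so an error from one path stays silent when a later path finds KubeArmor.
func detect(probers []prober) (string, error) {
	var errs []error
	for _, p := range probers {
		found, err := p.run()
		if err != nil {
			errs = append(errs, fmt.Errorf("%s probe: %w", p.name, err))
			continue
		}
		if found {
			return p.name, nil
		}
	}
	// Nothing found: return every recorded cause (nil if no path failed).
	return "", errors.Join(errs...)
}

func main() {
	// Constructed failures that mimic the two errors discussed in the thread.
	probers := []prober{
		{name: "systemd", run: func() (bool, error) {
			return false, errors.New("systemctl status kubearmor: permission denied (sudo may be required)")
		}},
		{name: "kubernetes", run: func() (bool, error) {
			return false, errors.New("get daemonset kubearmor: connection refused")
		}},
	}
	where, err := detect(probers)
	if where == "" {
		fmt.Fprintln(os.Stderr, "Didn't find KubeArmor in systemd or Kubernetes")
		if err != nil {
			fmt.Fprintln(os.Stderr, err) // one line per failed path
		}
		os.Exit(1)
	}
	fmt.Println("KubeArmor found via", where)
}
```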
