reduce the usage of k8s client api

Signed-off-by: Ankur Kothiwal <ankur.kothiwal@accuknox.com>

src/Makefile

@@ -11,7 +11,7 @@ GIT_INFO := $(shell govvv -flags -pkg $(PKG))
 .PHONY: build
 build:
 	@# for build_image -> CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -ldflags '-s -w' -o knoxAutoPolicy main.go
-	@# for delve -> cd $(CURDIR); go mod tidy; go build -tags debugger -gcflags="all=-N -l" -o knoxAutoPolicy main.go
+	@# for delve -> cd $(CURDIR); go mod tidy; go build -O -tags debugger -gcflags="all=-N -l -m" -o knoxAutoPolicy main.go
 	go mod tidy
 	go build -ldflags "$(GIT_INFO)" -o knoxAutoPolicy main.go
 

src/cluster/clusterResourceHandler.go

@@ -66,13 +66,13 @@ func GetAllClusterResources(cluster string) ([]string, []types.Service, []types.
 }
 
 // ExtractPodSvcInfoFromIP -- Extract respective podname/ns/labels from pod/svc ip
-func ExtractPodSvcInfoFromIP(ip, clustername string) (string, string, string) {
+func ExtractPodSvcInfoFromIP(ip, clustername string, pods []types.Pod, services []types.Service) (string, string, string) {
 	podSvcName := ip
 
-	_, services, _, pods, err := GetAllClusterResources(clustername)
-	if err != nil {
-		return podSvcName, "", ""
-	}
+	// _, services, _, pods, err := GetAllClusterResources(clustername)
+	// if err != nil {
+	// 	return podSvcName, "", ""
+	// }
 
 	for _, pod := range pods {
 		if pod.PodIP == ip {

src/go.mod

@@ -111,12 +111,12 @@ require (
 	github.com/subosito/gotenv v1.2.0 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	golang.org/x/crypto v0.1.0 // indirect
-	golang.org/x/net v0.1.0 // indirect
+	golang.org/x/net v0.3.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
-	golang.org/x/sys v0.1.0 // indirect
-	golang.org/x/term v0.1.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
+	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/term v0.3.0 // indirect
+	golang.org/x/text v0.5.0 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect

src/go.sum

@@ -1073,8 +1073,8 @@ golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/net v0.3.0 h1:VWL6FNY2bEEmsGVKabSlHu5Irp34xmMRoqb/9lF9lxk=
+golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1105,8 +1105,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1206,14 +1206,14 @@ golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
-golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
+golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1224,8 +1224,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
+golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

src/libs/common.go

@@ -18,6 +18,9 @@ import (
 
 	"github.com/clarketm/json"
 
+	"net/http"
+	"net/http/pprof"
+
 	cfg "github.com/accuknox/auto-policy-discovery/src/config"
 	logger "github.com/accuknox/auto-policy-discovery/src/logging"
 	"github.com/accuknox/auto-policy-discovery/src/types"
@@ -159,17 +162,55 @@ func (i *cfgArray) Set(str string) error {
 	return nil
 }
 
+// Manually recreate routes for profiling
+func pprofinit() {
+	pprofServeMux := http.NewServeMux()
+	pprofServeMux.Handle("/debug/pprof", http.HandlerFunc(pprof.Index))
+	pprofServeMux.Handle("/debug/pprof/cmdline", http.HandlerFunc(pprof.Cmdline))
+	pprofServeMux.Handle("/debug/pprof/profile", http.HandlerFunc(pprof.Profile))
+	pprofServeMux.Handle("/debug/pprof/symbol", http.HandlerFunc(pprof.Symbol))
+	pprofServeMux.Handle("/debug/pprof/heap", pprof.Handler("heap"))
+	pprofServeMux.Handle("/debug/pprof/block", pprof.Handler("block"))
+	pprofServeMux.Handle("/debug/pprof/goroutine", pprof.Handler("goroutine"))
+	pprofServeMux.Handle("/debug/pprof/threadcreate", pprof.Handler("threadcreate"))
+
+	server := &http.Server{
+		Addr:              "localhost:6060",
+		ReadHeaderTimeout: 90 * time.Second,
+		ReadTimeout:       90 * time.Second,
+		WriteTimeout:      90 * time.Second,
+		Handler:           pprofServeMux,
+	}
+
+	go func() {
+		log.Info().Msgf("Starting pprof... (on port 6060) \n")
+		err := server.ListenAndServe()
+		if err != nil {
+			log.Error().Msg("ListenAndServe: " + err.Error())
+		}
+	}()
+}
+
 /* configuration file values are final values */
 func CheckCommandLineConfig() {
 	var cmdlineCfg cfgArray
 
+	pprofflag := flag.Bool("pprof", false, "enable pprof")
 	version1 := flag.Bool("v", false, "print version and exit")
 	version2 := flag.Bool("version", false, "print version and exit")
 	flag.Var(&cmdlineCfg, "cfg", "Configuration key=val")
 
 	configFilePath := flag.String("config-path", "conf/", "conf/")
 	flag.Parse()
 
+	// Reset default routes (removing access to profiling)
+	http.DefaultServeMux = http.NewServeMux()
+
+	// enable pprof profiling if enabled
+	if *pprofflag {
+		pprofinit()
+	}
+
 	if *version1 || *version2 {
 		os.Exit(0)
 	}

src/libs/dbHandler_test.go

@@ -88,7 +88,7 @@ func TestInsertNetworkPolicies(t *testing.T) {
 		).WillReturnResult(sqlmock.NewResult(0, 1))
 
 	nfe := []types.KnoxNetworkPolicy{
-		types.KnoxNetworkPolicy{
+		{
 			Kind: "kind",
 		},
 	}
@@ -132,7 +132,7 @@ func TestInsertNetworkPoliciesSQLite(t *testing.T) {
 		).WillReturnResult(sqlmock.NewResult(0, 1))
 
 	nfe := []types.KnoxNetworkPolicy{
-		types.KnoxNetworkPolicy{
+		{
 			Kind: "kind",
 		},
 	}

src/observability/summarizer.go

@@ -29,7 +29,14 @@ func extractNetworkInfoFromSystemLog(netLog pb.Log) (string, string, string, str
 		resslice := strings.Split(netLog.Resource, " ")
 		for _, locres := range resslice {
 			if strings.Contains(locres, "remoteip") {
-				ip, destLabel, destNs = cluster.ExtractPodSvcInfoFromIP(strings.Split(locres, "=")[1], netLog.ClusterName)
+				_, services, _, pods, err := cluster.GetAllClusterResources(netLog.ClusterName)
+				if err != nil {
+					ip = strings.Split(locres, "=")[1]
+					destLabel = ""
+					destNs = ""
+				} else {
+					ip, destLabel, destNs = cluster.ExtractPodSvcInfoFromIP(strings.Split(locres, "=")[1], netLog.ClusterName, pods, services)
+				}
 			}
 			if strings.Contains(locres, "port") {
 				port = strings.Split(locres, "=")[1]

src/plugin/kubearmor.go

@@ -556,6 +556,12 @@ func ConvertKubeArmorNetLogToKnoxNetLog(kaNwLogs []*pb.Log) []types.KnoxNetworkL
 
 	results := []types.KnoxNetworkLog{}
 
+	var destPod, destLabels, destNs string
+	var services []types.Service
+	var pods []types.Pod
+	var err error
+	existingClustername := ""
+
 	for _, kalog := range kaNwLogs {
 		var ip, port string
 		locKnoxLog := types.KnoxNetworkLog{
@@ -590,13 +596,23 @@ func ConvertKubeArmorNetLogToKnoxNetLog(kaNwLogs []*pb.Log) []types.KnoxNetworkL
 				continue
 			}
 
-			destPod, destLabels, destNs := cluster.ExtractPodSvcInfoFromIP(ip, kalog.ClusterName)
+			if existingClustername != kalog.ClusterName {
+				_, services, _, pods, err = cluster.GetAllClusterResources(kalog.ClusterName)
+				if err != nil {
+					destPod = ip
+					destLabels = ""
+					destNs = ""
+				}
+				existingClustername = kalog.ClusterName
+			}
 
+			destPod, destLabels, destNs = cluster.ExtractPodSvcInfoFromIP(ip, kalog.ClusterName, pods, services)
 			if ip != destPod && strings.Contains(destPod, "pod") {
 				locKnoxLog.DstPodName = strings.Split(destPod, "/")[1]
 				locKnoxLog.DstReservedLabels = strings.Split(destLabels, ",")
 				locKnoxLog.DstNamespace = destNs
 			}
+
 			locKnoxLog.DstIP = ip
 			locKnoxLog.DstPort, _ = strconv.Atoi(port)
 			locKnoxLog.SynFlag = true

src/systempolicy/deduplicator.go

@@ -124,7 +124,7 @@ func UpdateProcessOperation(newPolicy types.KnoxSystemPolicy, existingPolicies [
 
 			if src != "" {
 				matchDirs.FromSource = []types.KnoxFromSource{
-					types.KnoxFromSource{
+					{
 						Path: src,
 					},
 				}
@@ -143,7 +143,7 @@ func UpdateProcessOperation(newPolicy types.KnoxSystemPolicy, existingPolicies [
 
 			if src != "" {
 				matchPaths.FromSource = []types.KnoxFromSource{
-					types.KnoxFromSource{
+					{
 						Path: src,
 					},
 				}
@@ -264,7 +264,7 @@ func UpdateFileOperation(newPolicy types.KnoxSystemPolicy, existingPolicies []ty
 
 			if src != "" {
 				matchDirs.FromSource = []types.KnoxFromSource{
-					types.KnoxFromSource{
+					{
 						Path: src,
 					},
 				}
@@ -282,7 +282,7 @@ func UpdateFileOperation(newPolicy types.KnoxSystemPolicy, existingPolicies []ty
 
 			if src != "" {
 				matchPaths.FromSource = []types.KnoxFromSource{
-					types.KnoxFromSource{
+					{
 						Path: src,
 					},
 				}

src/systempolicy/helperFunctions.go

@@ -166,7 +166,7 @@ func GetWPFSSources() []string {
 
 	var fromSource []string
 
-	for wpfs, _ := range res {
+	for wpfs := range res {
 		if wpfs.FromSource != "" && wpfs.Namespace == types.PolicyDiscoveryVMNamespace {
 			fromSource = append(fromSource, wpfs.FromSource)
 		}