remove annotation logic & update ci

Signed-off-by: Achref Ben Saadd <achref9612@gmail.com>

.github/workflows/ci-test.yml

@@ -56,6 +56,34 @@ jobs:
         run: |
           ./contribution/k3s/install_k3s.sh
 
+      - name: Setup self-hosted docker registry
+        run: |
+          docker run -d -p 0.0.0.0:5000:5000 --restart=always --name registry registry:2
+          REGIP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')
+          sudo cat <<EOF > daemon.json
+          {
+            "insecure-registries" : ["$REGIP:5000"]
+          }
+          EOF
+          sudo cp daemon.json /etc/docker/daemon.json
+          sudo cat /etc/docker/daemon.json
+          sudo systemctl restart docker.service
+
+      - name: Install cert manager
+        run: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
+
+      - name: Install annotation controller
+        run: |
+          pushd $(pwd)
+          kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
+          cd pkg/KubeArmorAnnotation
+          REGIP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')
+          make docker-build  docker-push IMG=$REGIP:5000/webhook
+          make deploy IMG=$REGIP:5000/webhook
+          sleep 10
+          kubectl describe po -n kube-system
+          popd
+
       - name: Run kubectl proxy
         run: kubectl proxy &
 

.github/workflows/latest-release.yml

@@ -36,7 +36,35 @@ jobs:
           fi
 
           ./contribution/k3s/install_k3s.sh
+      
+      - name: Setup self-hosted docker registry
+        run: |
+          docker run -d -p 0.0.0.0:5000:5000 --restart=always --name registry registry:2
+          REGIP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')
+          sudo cat <<EOF > daemon.json
+          {
+            "insecure-registries" : ["$REGIP:5000"]
+          }
+          EOF
+          sudo cp daemon.json /etc/docker/daemon.json
+          sudo cat /etc/docker/daemon.json
+          sudo systemctl restart docker.service
 
+      - name: Install cert manager
+        run: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
+
+      - name: Install annotation controller
+        run: |
+          pushd $(pwd)
+          kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
+          cd pkg/KubeArmorAnnotation
+          REGIP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')
+          make docker-build  docker-push IMG=$REGIP:5000/webhook
+          make deploy IMG=$REGIP:5000/webhook
+          sleep 10
+          kubectl describe po -n kube-system
+          popd
+      
       - name: Generate KubeArmor artifacts
         run: |
             GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh ${{ steps.vars.outputs.tag }}

KubeArmor/core/kubeUpdate.go

@@ -429,10 +429,6 @@ func (dm *KubeArmorDaemon) WatchK8sPods() {
 					break
 				}
 
-				if event.Type != "ADDED" && event.Type != "MODIFIED" && event.Type != "DELETED" {
-					continue
-				}
-
 				// create a pod
 
 				pod := tp.K8sPod{}
@@ -487,85 +483,10 @@ func (dm *KubeArmorDaemon) WatchK8sPods() {
 					}
 				}
 
-				// == Policy == //
-
-				if _, ok := pod.Annotations["kubearmor-policy"]; !ok {
-					pod.Annotations["kubearmor-policy"] = "enabled"
-				}
-
-				if pod.Annotations["kubearmor-policy"] != "enabled" && pod.Annotations["kubearmor-policy"] != "disabled" && pod.Annotations["kubearmor-policy"] != "audited" {
-					pod.Annotations["kubearmor-policy"] = "enabled"
-				}
-
-				// == LSM == //
-
-				if dm.RuntimeEnforcer == nil {
-					// exception: no LSM
-					if pod.Annotations["kubearmor-policy"] == "enabled" {
-						pod.Annotations["kubearmor-policy"] = "audited"
-					}
-				} else if dm.RuntimeEnforcer != nil && dm.RuntimeEnforcer.EnforcerType == "SELinux" {
-					// exception: no SELinux support for containers
-					if pod.Annotations["kubearmor-policy"] == "enabled" {
-						pod.Annotations["kubearmor-policy"] = "audited"
-					}
-				}
-
-				// == Exception == //
-
-				// exception: kubernetes app
-				if pod.Metadata["namespaceName"] == "kube-system" {
-					if _, ok := pod.Labels["k8s-app"]; ok {
-						pod.Annotations["kubearmor-policy"] = "audited"
-					}
-
-					if value, ok := pod.Labels["component"]; ok {
-						if value == "etcd" || value == "kube-apiserver" || value == "kube-controller-manager" || value == "kube-scheduler" {
-							pod.Annotations["kubearmor-policy"] = "audited"
-						}
-					}
-				}
-
-				// exception: cilium-operator
-				if _, ok := pod.Labels["io.cilium/app"]; ok {
-					pod.Annotations["kubearmor-policy"] = "audited"
-				}
-
-				// exception: kubearmor
-				if _, ok := pod.Labels["kubearmor-app"]; ok {
-					pod.Annotations["kubearmor-policy"] = "audited"
-				}
-
-				// == Visibility == //
-
-				if _, ok := pod.Annotations["kubearmor-visibility"]; !ok {
-					pod.Annotations["kubearmor-visibility"] = cfg.GlobalCfg.Visibility
-				}
-
 				// == AppArmor == //
 
-				if event.Type == "ADDED" || event.Type == "MODIFIED" {
-					exist := false
-
-					dm.K8sPodsLock.Lock()
-					for _, k8spod := range dm.K8sPods {
-						if k8spod.Metadata["namespaceName"] == pod.Metadata["namespaceName"] && k8spod.Metadata["podName"] == pod.Metadata["podName"] {
-							if k8spod.Annotations["kubearmor-policy"] == "patched" {
-								exist = true
-								break
-							}
-						}
-					}
-					dm.K8sPodsLock.Unlock()
-
-					if exist {
-						continue
-					}
-				}
-
 				if dm.RuntimeEnforcer != nil && dm.RuntimeEnforcer.EnforcerType == "AppArmor" {
 					appArmorAnnotations := map[string]string{}
-					updateAppArmor := false
 
 					for k, v := range pod.Annotations {
 						if strings.HasPrefix(k, "container.apparmor.security.beta.kubernetes.io") {
@@ -579,52 +500,9 @@ func (dm *KubeArmorDaemon) WatchK8sPods() {
 						}
 					}
 
-					for _, container := range event.Object.Spec.Containers {
-						if _, ok := appArmorAnnotations[container.Name]; !ok {
-							appArmorAnnotations[container.Name] = "kubearmor-" + pod.Metadata["namespaceName"] + "-" + container.Name
-							updateAppArmor = true
-						}
-					}
-
 					if event.Type == "ADDED" {
 						// update apparmor profiles
 						dm.RuntimeEnforcer.UpdateAppArmorProfiles(pod.Metadata["podName"], "ADDED", appArmorAnnotations)
-
-						if updateAppArmor && pod.Annotations["kubearmor-policy"] == "enabled" {
-							if deploymentName, ok := pod.Metadata["deploymentName"]; ok {
-								// patch the deployment with apparmor annotations
-								if err := K8s.PatchDeploymentWithAppArmorAnnotations(pod.Metadata["namespaceName"], deploymentName, appArmorAnnotations); err != nil {
-									dm.Logger.Errf("Failed to update AppArmor Annotations (%s/%s/%s, %s)", pod.Metadata["namespaceName"], deploymentName, pod.Metadata["podName"], err.Error())
-								} else {
-									dm.Logger.Printf("Patched AppArmor Annotations (%s/%s/%s)", pod.Metadata["namespaceName"], deploymentName, pod.Metadata["podName"])
-								}
-								pod.Annotations["kubearmor-policy"] = "patched"
-							}
-						}
-					} else if event.Type == "MODIFIED" {
-						for _, k8spod := range dm.K8sPods {
-							if k8spod.Metadata["namespaceName"] == pod.Metadata["namespaceName"] && k8spod.Metadata["podName"] == pod.Metadata["podName"] {
-								prevPolicyEnabled := "disabled"
-
-								if val, ok := k8spod.Annotations["kubearmor-policy"]; ok {
-									prevPolicyEnabled = val
-								}
-
-								if updateAppArmor && prevPolicyEnabled != "enabled" && pod.Annotations["kubearmor-policy"] == "enabled" {
-									if deploymentName, ok := pod.Metadata["deploymentName"]; ok {
-										// patch the deployment with apparmor annotations
-										if err := K8s.PatchDeploymentWithAppArmorAnnotations(pod.Metadata["namespaceName"], deploymentName, appArmorAnnotations); err != nil {
-											dm.Logger.Errf("Failed to update AppArmor Annotations (%s/%s/%s, %s)", pod.Metadata["namespaceName"], deploymentName, pod.Metadata["podName"], err.Error())
-										} else {
-											dm.Logger.Printf("Patched AppArmor Annotations (%s/%s/%s)", pod.Metadata["namespaceName"], deploymentName, pod.Metadata["podName"])
-										}
-										pod.Annotations["kubearmor-policy"] = "patched"
-									}
-								}
-
-								break
-							}
-						}
 					} else if event.Type == "DELETED" {
 						// update apparmor profiles
 						dm.RuntimeEnforcer.UpdateAppArmorProfiles(pod.Metadata["podName"], "DELETED", appArmorAnnotations)
@@ -644,13 +522,6 @@ func (dm *KubeArmorDaemon) WatchK8sPods() {
 					if new {
 						dm.K8sPods = append(dm.K8sPods, pod)
 					}
-				} else if event.Type == "MODIFIED" {
-					for idx, k8spod := range dm.K8sPods {
-						if k8spod.Metadata["namespaceName"] == pod.Metadata["namespaceName"] && k8spod.Metadata["podName"] == pod.Metadata["podName"] {
-							dm.K8sPods[idx] = pod
-							break
-						}
-					}
 				} else if event.Type == "DELETED" {
 					for idx, k8spod := range dm.K8sPods {
 						if k8spod.Metadata["namespaceName"] == pod.Metadata["namespaceName"] && k8spod.Metadata["podName"] == pod.Metadata["podName"] {
@@ -662,13 +533,7 @@ func (dm *KubeArmorDaemon) WatchK8sPods() {
 
 				dm.K8sPodsLock.Unlock()
 
-				if pod.Annotations["kubearmor-policy"] == "patched" {
-					dm.Logger.Printf("Detected a Pod (patched/%s/%s)", pod.Metadata["namespaceName"], pod.Metadata["podName"])
-					continue
-				} else {
-					dm.Logger.Printf("Detected a Pod (%s/%s/%s)", strings.ToLower(event.Type), pod.Metadata["namespaceName"], pod.Metadata["podName"])
-				}
-
+				dm.Logger.Printf("Detected a Pod (%s/%s/%s)", strings.ToLower(event.Type), pod.Metadata["namespaceName"], pod.Metadata["podName"])
 				// update a endpoint corresponding to the pod
 				dm.UpdateEndPointWithPod(event.Type, pod)
 			}