modify option names for karmor

initial sysdump utility

Collect required System Information to troubleshoot issues from the various k8s resources available

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

collect logs from kubearmor pod

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

Archive sysdump

Create dump files in the temp directory and then archive them into `karmor-sysdump.zip`

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

dump more infromation using exec syscalls

added boot-config, ls,m, apparmor, dmesg to dump

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

add timestamp to sysdump archive name

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

copy from inside kubearmor pod

* Removed host side deps
* Used Remote Command executor for streaming file for sysdump ( inspired from kubectl cp )
* Fixed sec vuln for file permission bits

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

volume mount apparmor.d if not minikube env

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

Add description of annotated pods to sysdump

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

concurrently dump resources

Fetch all the resources for sysdump concurrently, if there's an empty dump we return err, else if we have dump but there's an error, we create the partial sysdump and return error.

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

Add pod events to sysdump

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

Add sysdump usage to README

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

update deps

updated direct dependencies
pinned archiver dep to latest commit to fix vulnerability in a transitive dep

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

add codeql analysis workflow

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

docs: updates README.md

Signed-off-by: Thiago Navarro <navarro@accuknox.com>

add namespace flag to install and unistall

Increase timeout for lint action

Add troubleshoot information in log client

Failure to connect to log grpc server is mostly due to not port-forwarding, so added relevant commands in the error message for convenience

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

Add eks environment detection

Configure daemonset options w.r.t. eks

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

reconfigure daemonset

- added k3s support
- use maps to store environment specific configuration

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

[VM] Added new command to download vm installation script from kvmsoperator

[VM Support]Added option for providing external IP as input

Support for VM command :
1. added option to provide namespace
2. option to provide port value

Karmor VM support -- Addressed review comments

using revive for go-lint

[VM Support] Modified code to identify the namespace of kvmservice instead of inputting the same

[VM Support] Modified code to identify the namespace of kvmservice instead of inputting the same

Fixed protobuf package definition to match the same as KVMService protobuf package

Fixed protobuf package definition to match the same as KVMService proto

added karmor install --image option

fixed lint warnings

add GH workflow for just code build

fixed gosec issue with kvm option

prepare for release 0.3

* cleanup duplicate protobuf
* add vm usage to README

Signed-off-by: Barun Acharya <barun.acharya@accuknox.com>

Modifying/Adding support for karmor to support non-k8s control plane

Signed-off-by: Eswar Rajan Subramanian <eswar@accuknox.com>

refactor vm policy boilerplate code

added argument validation

Signed-off-by: daemon1024 <barun.acharya@accuknox.com>

Add policy handling mechanism

configure gRPC client in kArmor to send host policy event based on argument policy YAML

Signed-off-by: daemon1024 <barun.acharya@accuknox.com>

Prepare for release 0.4

- Update README with vm related commands
- Remove fork based KubeArmor dep
- Remove duplicate VM policy subcommand

Signed-off-by: daemon1024 <barun.acharya@accuknox.com>

fix: fix mounts for minikube

Karmor now works with minikube.

Signed-off-by: Gaurav Genani <h3llix.pvt@gmail.com>

sync with deploygen

Signed-off-by: Jaehyun Nam <jn@accuknox.com>

add license headers

Signed-off-by: Jaehyun Nam <jn@accuknox.com>

fix golint issues

Signed-off-by: Jaehyun Nam <jn@accuknox.com>

clean up whitespaces

Signed-off-by: Jaehyun Nam <jn@accuknox.com>

add license headers

Signed-off-by: Jaehyun Nam <jn@accuknox.com>

update Makefile

Signed-off-by: Jaehyun Nam <jn@accuknox.com>

fix typo

Signed-off-by: Jaehyun Nam <jn@accuknox.com>

update log

Signed-off-by: Jaehyun Nam <jn@accuknox.com>

update logClient

Signed-off-by: Jaehyun Nam <jn@accuknox.com>

Fetch installation deployments from KubeArmor

Signed-off-by: daemon1024 <barun.acharya@accuknox.com>

new containerImage field added

Signed-off-by: Rahul Jadhav <nyrahul@gmail.com>

update karmor to use stable KubeArmor release instead of latest

Signed-off-by: Ankur Kothiwal <ankur.kothiwal@accuknox.com>

update deployment package

Signed-off-by: daemon1024 <barun.acharya@accuknox.com>

Added new commands and modified existing vm commands for vm onboarding,
policy enforcement for nonk8s control plane

Signed-off-by: Eswar Rajan Subramanian <eswar@accuknox.com>

.github/workflows/ci-go.yml

@@ -7,6 +7,19 @@ on:
     branches: [main]
 
 jobs:
+  go-build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v2
+
+      - uses: actions/setup-go@v2
+        with:
+          go-version: v1.16
+
+      - name: Build karmor
+        run: make
+
   go-fmt:
     runs-on: ubuntu-latest
     steps:
@@ -39,5 +52,7 @@ jobs:
       - name: Checkout Source
         uses: actions/checkout@v2
 
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+      - name: Run Revive Action by pulling pre-built imag
+        uses: morphy2k/revive-action@v2
+        with:
+          path: "./..."

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [main]
+  schedule:
+    - cron: "27 20 * * 2"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go"]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v1
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
+
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language
+
+      #- run: |
+      #   make bootstrap
+      #   make release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1

.github/workflows/release.yml

@@ -30,4 +30,4 @@ jobs:
           version: latest
           args: release --rm-dist
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Makefile

@@ -1,25 +1,32 @@
-CURDIR=$(shell pwd)
-INSTALLDIR=$(shell go env GOPATH)/bin/
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2021 Authors of KubeArmor
 
-ifeq (,$(shell which govvv))
-$(shell go install github.com/ahmetb/govvv@latest)
+CURDIR     := $(shell pwd)
+INSTALLDIR := $(shell go env GOPATH)/bin/
+
+ifeq (, $(shell which govvv))
+$(shell go get github.com/ahmetb/govvv@latest)
 endif
 
-PKG := $(shell go list ./version)
+PKG      := $(shell go list ./version)
 GIT_INFO := $(shell govvv -flags -pkg $(PKG))
 
 .PHONY: build
 build:
-	cd $(CURDIR)
-	go mod tidy
-	CGO_ENABLED=0 go build \
-	-ldflags "-w -s ${GIT_INFO}" \
-	-o karmor
+	cd $(CURDIR); go mod tidy; CGO_ENABLED=0 go build -ldflags "-w -s ${GIT_INFO}" -o karmor
 
 .PHONY: install
 install: build
 	install -m 0755 karmor $(DESTDIR)$(INSTALLDIR)
-
+
+.PHONY: clean
+clean:
+	cd $(CURDIR); rm -f karmor
+
+.PHONY: protobuf
+vm-protobuf:
+	cd $(CURDIR)/vm/protobuf; protoc --proto_path=. --go_opt=paths=source_relative --go_out=plugins=grpc:. vm.proto
+
 .PHONY: gofmt
 gofmt:
 	cd $(CURDIR); gofmt -s -d $(shell find . -type f -name '*.go' -print)

README.md

@@ -1,19 +1,32 @@
 # kArmor
 
-**kArmor** is a CLI client to help manage [KubeArmor](github.com/kubearmor/KubeArmor)
+**kArmor** is a CLI client to help manage [KubeArmor](github.com/kubearmor/KubeArmor).
 
 KubeArmor is a container-aware runtime security enforcement system that
 restricts the behavior (such as process execution, file access, and networking
 operation) of containers at the system level.
 
 ## Installation
 
+The following sections show how to install the kArmor. It can be installed either from source, or from pre-built binary releases.
+
+### From Script
+
+kArmor has an installer script that will automatically grab the latest version of kArmor and install it locally.
+
 ```
-curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sh
+curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin
 ```
 
-To build and install, clone the repository and
+The binary will be installed in `/usr/local/bin` folder.
+
+### From Source 
+
+Building kArmor from source is slightly more work, but is the best way to go if you want to test the latest (pre-release) kArmor version.
+
 ```
+git clone https://github.com/kubearmor/kubearmor-client.git
+cd kubearmor-client
 make install
 ```
 
@@ -31,11 +44,17 @@ Available Commands:
   help        Help about any command
   install     Install KubeArmor in a Kubernetes Cluster
   log         Observe Logs from KubeArmor
+  sysdump     Collect system dump information for troubleshooting and error report
   uninstall   Uninstall KubeArmor from a Kubernetes Cluster
   version     Display version information
+  vm          VM commands
+
+Available VM SubCommands:
+  getscript   download vm installation script for nonk8s control plane
+  policy      policy handling for vm nonk8s control plane
 
 Flags:
   -h, --help   help for karmor
 
 Use "karmor [command] --help" for more information about a command.
-```
+```

cmd/get.go

@@ -25,5 +25,6 @@ var getCmd = &cobra.Command{
 
 func init() {
 	rootCmd.AddCommand(getCmd)
+
 	getCmd.Flags().StringVarP(&options.Namespace, "namespace", "n", "", "Namespace for resources")
 }

cmd/install.go

@@ -8,13 +8,15 @@ import (
 	"github.com/spf13/cobra"
 )
 
+var installOptions install.Options
+
 // installCmd represents the get command
 var installCmd = &cobra.Command{
 	Use:   "install",
 	Short: "Install KubeArmor in a Kubernetes Cluster",
 	Long:  `Install KubeArmor in a Kubernetes Clusters`,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		if err := install.K8sInstaller(client); err != nil {
+		if err := install.K8sInstaller(client, installOptions); err != nil {
 			return err
 		}
 		return nil
@@ -23,4 +25,7 @@ var installCmd = &cobra.Command{
 
 func init() {
 	rootCmd.AddCommand(installCmd)
+
+	installCmd.Flags().StringVarP(&installOptions.Namespace, "namespace", "n", "kube-system", "Namespace for resources")
+	installCmd.Flags().StringVarP(&installOptions.KubearmorImage, "image", "i", "kubearmor/kubearmor:stable", "Kubearmor daemonset image to use")
 }

cmd/policy.go

@@ -0,0 +1,73 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2021 Authors of KubeArmor
+
+package cmd
+
+import (
+	"errors"
+
+	"github.com/kubearmor/kubearmor-client/vm"
+	"github.com/spf13/cobra"
+)
+
+var policyOptions vm.PolicyOptions
+
+// vmPolicyCmd represents the vm command for policy enforcement
+var vmPolicyCmd = &cobra.Command{
+	Use:   "policy",
+	Short: "policy handling for vm/nonk8s control plane",
+	Long:  `policy handling for vm/nonk8s control plane`,
+}
+
+// vmPolicyAddCmd represents the vm add policy command for policy enforcement
+var vmPolicyAddCmd = &cobra.Command{
+	Use:   "add",
+	Short: "add policy for vm k8s/nonk8s control plane",
+	Long:  `add policy for vm k8s/nonk8s control plane`,
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 {
+			return errors.New("requires a path to valid policy YAML as argument")
+		}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if err := vm.PolicyHandling("ADDED", args[0], policyOptions); err != nil {
+			return err
+		}
+		return nil
+	},
+}
+
+// vmPolicyDeleteCmd represents the vm delete policy command for policy enforcement
+var vmPolicyDeleteCmd = &cobra.Command{
+	Use:   "delete",
+	Short: "delete policy for vm k8s/nonk8s control plane",
+	Long:  `delete policy for vm k8s/nonk8s control plane`,
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 {
+			return errors.New("requires a path to valid policy YAML as argument")
+		}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if err := vm.PolicyHandling("DELETED", args[0], policyOptions); err != nil {
+			return err
+		}
+		return nil
+	},
+}
+
+// ========== //
+// == Init == //
+// ========== //
+
+func init() {
+	vmCmd.AddCommand(vmPolicyCmd)
+
+	// Subcommand for policy command
+	vmPolicyCmd.AddCommand(vmPolicyAddCmd)
+	vmPolicyCmd.AddCommand(vmPolicyDeleteCmd)
+
+	// gRPC endpoint flag to communicate with KubeArmor. Available across subcommands.
+	vmPolicyCmd.PersistentFlags().StringVar(&policyOptions.GRPC, "gRPC", "", "gRPC server information")
+}

cmd/sysdump.go

@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2021 Authors of KubeArmor
+
+package cmd
+
+import (
+	"github.com/kubearmor/kubearmor-client/sysdump"
+	"github.com/spf13/cobra"
+)
+
+// sysdumpCmd represents the get command
+var sysdumpCmd = &cobra.Command{
+	Use:   "sysdump",
+	Short: "Collect system dump information for troubleshooting and error report",
+	Long:  `Collect system dump information for troubleshooting and error reports`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if err := sysdump.Collect(client); err != nil {
+			return err
+		}
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(sysdumpCmd)
+}

cmd/uninstall.go

@@ -8,13 +8,15 @@ import (
 	"github.com/spf13/cobra"
 )
 
+var uninstallOptions install.Options
+
 // uninstallCmd represents the get command
 var uninstallCmd = &cobra.Command{
 	Use:   "uninstall",
 	Short: "Uninstall KubeArmor from a Kubernetes Cluster",
 	Long:  `Uninstall KubeArmor from a Kubernetes Clusters`,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		if err := install.K8sUninstaller(client); err != nil {
+		if err := install.K8sUninstaller(client, uninstallOptions); err != nil {
 			return err
 		}
 		return nil
@@ -23,4 +25,6 @@ var uninstallCmd = &cobra.Command{
 
 func init() {
 	rootCmd.AddCommand(uninstallCmd)
+
+	uninstallCmd.Flags().StringVarP(&uninstallOptions.Namespace, "namespace", "n", "kube-system", "Namespace for resources")
 }