add hostvisibility information to karmor probe #199

Open
Ankurk99 opened this issue Oct 27, 2022 · 5 comments
Labels: enhancement, good first issue

@Ankurk99
Member

karmor probe should show if the host visibility for KubeArmor is enabled or not

@Ankurk99 Ankurk99 added the enhancement New feature or request label Oct 27, 2022
@daemon1024 daemon1024 added the good first issue Good for newcomers label Oct 28, 2022
@legorie
Contributor

legorie commented Oct 31, 2022

Hi @Ankurk99 @daemon1024, I would like to work on this issue. To restate my understanding:
Requirement: If the kubearmor-visibility annotation is set on the node, the karmor probe should display this parameter in its output.
Sample output 1:

Node 1 : 
        OS Image:                       Ubuntu 20.04.5 LTS
        Kernel Version:                 5.15.0-52-generic 
        Kubelet Version:                v1.25.2           
        Container Runtime:              docker://20.10.18 
        Active LSM:                     AppArmor          
        Host Security:                  false             
        Container Security:             true              
        Container Default Posture:      block(File)             block(Capabilities)     block(Network)
        Host Default Posture:           block(File)             block(Capabilities)     block(Network)
==>	Host Visibility Level:          Process                 File                    Capabilities            Network

Sample Output 2:

Node 1 : 
        .....
        Container Default Posture:      block(File)             block(Capabilities)     block(Network)
        Host Default Posture:           block(File)             block(Capabilities)     block(Network)
==>	Host Visibility Level:          Process                 File 

Sample Output 3:

Node 1 : 
       .....
        Container Default Posture:      block(File)             block(Capabilities)     block(Network)
        Host Default Posture:           block(File)             block(Capabilities)     block(Network)
==>	Host Visibility Level:          None 

The dev work is to be done on the probe package.

@Ankurk99
Member Author

Ankurk99 commented Nov 9, 2022

@legorie Thanks for your interest. Yes, your understanding is correct and the sample outputs are what we expect.

@legorie
Contributor

legorie commented Nov 13, 2022

Hi @Ankurk99, after initial analysis, it looks like we need to update the code in the core KubeArmor code too, here:
https://github.com/kubearmor/KubeArmor/blob/main/KubeArmor/core/karmorprobedata.go
Edit (22/11/2022): a few updates after testing

type KarmorData struct {
	OSImage                 string
	KernelVersion           string
	KubeletVersion          string
	ContainerRuntime        string
	ActiveLSM               string
	KernelHeaderPresent     bool
	HostSecurity            bool
	ContainerSecurity       bool
	ContainerDefaultPosture tp.DefaultPosture
	HostDefaultPosture      tp.DefaultPosture
	HostVisibility          string // <=== added
}

func (dm *KubeArmorDaemon) SetKarmorData() {
	// ....
	kd.HostVisibility = dm.Node.Annotations["kubearmor-visibility"]
}

$ sudo cat /tmp/karmorProbeData.cfg
{"OSImage":"Ubuntu 22.04.1 LTS","KernelVersion":"5.15.0-53-generic","KubeletVersion":"v1.25.3+k3s1","ContainerRuntime":"containerd://1.6.8-k3s1","ActiveLSM":"AppArmor","KernelHeaderPresent":true,"HostSecurity":true,"ContainerSecurity":true,"ContainerDefaultPosture":{"file":"block","network":"block","capabilties":"block"},"HostDefaultPosture":{"file":"block","network":"block","capabilties":"block"},**"HostVisibility":"process,file,network,capabilities"**}

Do you think I'm in the right direction? I would be glad to make the change in the core package too, to test them together.
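The probe side of the change discussed above, sketched as an added example that is not code from the KubeArmor or kubearmor-client repositories: it reads the `HostVisibility` value from the probe-data JSON and renders the line shown in the sample outputs. The helper names, the handling of unknown tokens, and treating an empty or `none` value as `None` are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

var visibilityOrder = []string{"process", "file", "capabilities", "network"} // order from "Sample output 1"

// formatHostVisibility (hypothetical helper) maps the raw annotation value to
// display labels; unrecognised tokens are returned so a typo can be flagged.
func formatHostVisibility(raw string) (labels, unknown []string) {
	seen := map[string]bool{}
	for _, tok := range strings.Split(raw, ",") {
		if tok = strings.ToLower(strings.TrimSpace(tok)); tok != "" && tok != "none" {
			seen[tok] = true
		}
	}
	for _, k := range visibilityOrder {
		if seen[k] {
			labels = append(labels, strings.ToUpper(k[:1])+k[1:])
			delete(seen, k)
		}
	}
	for tok := range seen { // whatever is left matched no known level
		unknown = append(unknown, tok)
	}
	sort.Strings(unknown)
	if len(labels) == 0 { // annotation absent, empty or "none" (assumed meaning)
		labels = []string{"None"}
	}
	return labels, unknown
}

// renderFromConfig reads the probe-data JSON and builds the output line.
func renderFromConfig(cfg []byte) (string, []string, error) {
	var pd struct{ HostVisibility string } // subset of KarmorData used here
	if err := json.Unmarshal(cfg, &pd); err != nil {
		return "", nil, err
	}
	labels, unknown := formatHostVisibility(pd.HostVisibility)
	return "Host Visibility Level: " + strings.Join(labels, " "), unknown, nil
}

func main() {
	// Constructed sample, trimmed from the karmorProbeData.cfg shown in the thread.
	fmt.Println(renderFromConfig([]byte(`{"HostVisibility":"process,file,network,capabilities"}`)))
}
```

Normalising to a fixed display order keeps the probe output stable regardless of how the annotation value is ordered on the node.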

@Ankurk99
Member Author

Hi @legorie, Sorry for the late response. Yes, you seem to be on the right track. Can you please create a draft PR with your changes and then we can suggest there?

@legorie
Contributor

legorie commented Jan 29, 2023

Hi @Ankurk99, No worries, thanks for the suggestion. I've created an issue (enhancement) in the core project. If the type and details are okay, please assign this to my name. I'll update the changes to the karmorprobedata.go in that issue.
