WIP Display summary data per deployment #299

Closed
wants to merge 1 commit into from

@vishnusomank vishnusomank commented Mar 27, 2023

  • Modified summary code to have deployment name as a parameter
  • Updated code to display summary per deployment if pod name is not mentioned
  • Updated table display with a list of pod names if pod name is not mentioned in the request

Related PRs

  1. discovery engine #697

This PR depends on the above-mentioned PR and can be marked as ready once it is merged. With this change, the summary data will be displayed per deployment by default unless the user explicitly uses the -p flag and mentions a pod name.

Sample Output

  1. karmor summary with podname
 karmor summary -n wordpress-mysql -p wordpress-787f45786f-tspm8  --gRPC :9089 

  Pod Name        wordpress-787f45786f-tspm8  
  Namespace Name  wordpress-mysql             
  Cluster Name    default                     
  Container Name  wordpress                   
  Labels          app=wordpress               

File Data
+--------------------+-----------------------+-------+------------------------------+--------+
|    SRC PROCESS     | DESTINATION FILE PATH | COUNT |      LAST UPDATED TIME       | STATUS |
+--------------------+-----------------------+-------+------------------------------+--------+
| /usr/local/bin/php | /etc/hosts            | 1     | Thu Mar 23 19:22:18 IST 2023 | Allow  |
+--------------------+-----------------------+-------+------------------------------+--------+


Egress connections
+----------+--------------------+------------+------+-----------------+-----------+-------+------------------------------+
| PROTOCOL |      COMMAND       | POD/SVC/IP | PORT |    NAMESPACE    |  LABELS   | COUNT |      LAST UPDATED TIME       |
+----------+--------------------+------------+------+-----------------+-----------+-------+------------------------------+
| TCP      | /usr/local/bin/php | svc/mysql  | 3306 | wordpress-mysql | app=mysql | 1     | Thu Mar 23 19:22:18 IST 2023 |
+----------+--------------------+------------+------+-----------------+-----------+-------+------------------------------+

  2. karmor summary with deployment name
karmor summary -n wordpress-mysql -d wordpress  --gRPC :9089 

  Deployment Name  wordpress                   
  Pod Name(s)      wordpress-787f45786f-tspm8  
                   wordpress-787f45786f-9nddp  
                   wordpress-787f45786f-hgksb  
                   wordpress-787f45786f-k5vlj  
                   wordpress-787f45786f-s2rzr  
                   wordpress-787f45786f-ptbwp  
                   wordpress-787f45786f-hcqsc  
                   wordpress-5ffc47cff4-blm9v  
  Namespace Name   wordpress-mysql             
  Cluster Name     default                     
  Container Name   wordpress                   
  Labels           app=wordpress               
                   tier=frontend               

Process Data
+----------------------------------+-----------------------------------+-------+------------------------------+--------+
|           SRC PROCESS            |     DESTINATION PROCESS PATH      | COUNT |      LAST UPDATED TIME       | STATUS |
+----------------------------------+-----------------------------------+-------+------------------------------+--------+
| /bin/bash                        | /bin/mkdir                        | 3     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /bin/rm                           | 1     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /bin/sed                          | 31    | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /usr/bin/cut                      | 5     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /usr/bin/dirname                  | 6     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /usr/bin/head                     | 5     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /usr/bin/sha1sum                  | 4     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /usr/local/bin/php                | 10    | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /usr/bin/containerd-shim-runc-v2 | /usr/local/bin/apache2-foreground | 1     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /usr/bin/containerd-shim-runc-v2 | /usr/sbin/apache2                 | 1     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
+----------------------------------+-----------------------------------+-------+------------------------------+--------+

  3. karmor summary without any input
karmor summary  --gRPC :9089

  Deployment Name  istio-egressgateway                                  
  Pod Name(s)      istio-egressgateway-6dcb97b99-7wtgh                  
  Namespace Name   istio-system                                         
  Cluster Name     default                                              
  Container Name   istio-proxy                                          
  Labels           release=istio heritage=Tiller                        
                   install.operator.istio.io/owning-resource=unknown    
                   istio=egressgateway                                  
                   operator.istio.io/component=EgressGateways           
                   chart=gateways istio.io/rev=default                  
                   app=istio-egressgateway                              
                   service.istio.io/canonical-name=istio-egressgateway  
                   service.istio.io/canonical-revision=latest           
                   sidecar.istio.io/inject=false                        

File Data
+----------------------------+-------------------------------------------------------------------+-------+------------------------------+--------+
|        SRC PROCESS         |                       DESTINATION FILE PATH                       | COUNT |      LAST UPDATED TIME       | STATUS |
+----------------------------+-------------------------------------------------------------------+-------+------------------------------+--------+
| /usr/local/bin/envoy       | /etc/hosts                                                        | 3     | Thu Mar 23 19:25:14 IST 2023 | Allow  |
| /usr/local/bin/pilot-agent | /run/secrets/istio/..2023_03_16_14_54_31.1188651676/root-cert.pem | 9     | Thu Mar 23 19:24:43 IST 2023 | Allow  |
+----------------------------+-------------------------------------------------------------------+-------+------------------------------+--------+


Ingress connections
+----------+----------------------+------------+-------+-----------+--------+-------+------------------------------+
| PROTOCOL |       COMMAND        | POD/SVC/IP | PORT  | NAMESPACE | LABELS | COUNT |      LAST UPDATED TIME       |
+----------+----------------------+------------+-------+-----------+--------+-------+------------------------------+
| TCP      | /usr/local/bin/envoy | 10.42.0.1  | 15021 |           |        | 110   | Thu Mar 23 19:25:20 IST 2023 |
+----------+----------------------+------------+-------+-----------+--------+-------+------------------------------+


Bind Points
+------------+----------------------+-----------+--------------+-------+------------------------------+
|  PROTOCOL  |       COMMAND        | BIND PORT | BIND ADDRESS | COUNT |      LAST UPDATED TIME       |
+------------+----------------------+-----------+--------------+-------+------------------------------+
| AF_NETLINK | /usr/local/bin/envoy |           |              | 6     | Thu Mar 23 19:24:44 IST 2023 |
+------------+----------------------+-----------+--------------+-------+------------------------------+


  Deployment Name  spire-server                                       
  Pod Name(s)      spire-server-0                                     
  Namespace Name   spire                                              
  Cluster Name     default                                            
  Container Name   spire-server                                       
  Labels           statefulset.kubernetes.io/pod-name=spire-server-0  
                   app=spire-server                                   

Ingress connections
+----------+-----------------------------+------------+------+-----------+--------+-------+------------------------------+
| PROTOCOL |           COMMAND           | POD/SVC/IP | PORT | NAMESPACE | LABELS | COUNT |      LAST UPDATED TIME       |
+----------+-----------------------------+------------+------+-----------+--------+-------+------------------------------+
| TCPv6    | /opt/spire/bin/spire-server | 10.42.0.1  | 8080 |           |        | 48    | Thu Mar 23 19:25:20 IST 2023 |
+----------+-----------------------------+------------+------+-----------+--------+-------+------------------------------+


Egress connections
+----------+-----------------------------+------------------------------------+------+-----------+--------+-------+------------------------------+
| PROTOCOL |           COMMAND           |             POD/SVC/IP             | PORT | NAMESPACE | LABELS | COUNT |      LAST UPDATED TIME       |
+----------+-----------------------------+------------------------------------+------+-----------+--------+-------+------------------------------+
| AF_UNIX  | /opt/spire/bin/spire-server | /tmp/spire-server/private/api.sock | 0    |           |        | 4     | Thu Mar 23 19:25:19 IST 2023 |
+----------+-----------------------------+------------------------------------+------+-----------+--------+-------+------------------------------+


  Deployment Name  istiod                                             
  Pod Name(s)      istiod-6d9d7b6745-tdttd                            
  Namespace Name   istio-system                                       
  Cluster Name     default                                            
  Container Name   discovery                                          
  Labels           sidecar.istio.io/inject=false app=istiod           
                   install.operator.istio.io/owning-resource=unknown  
                   istio=pilot istio.io/rev=default                   
                   operator.istio.io/component=Pilot                  

File Data
+--------------------------------+----------------------------------------------------------------------------------+-------+------------------------------+--------+
|          SRC PROCESS           |                              DESTINATION FILE PATH                               | COUNT |      LAST UPDATED TIME       | STATUS |
+--------------------------------+----------------------------------------------------------------------------------+-------+------------------------------+--------+
| /usr/local/bin/pilot-discovery | /run/secrets/kubernetes.io/serviceaccount/..2023_03_23_13_07_31.3409455990/token | 6     | Thu Mar 23 19:25:07 IST 2023 | Allow  |
+--------------------------------+----------------------------------------------------------------------------------+-------+------------------------------+--------+


Ingress connections
+----------+--------------------------------+------------+------+-----------+--------+-------+------------------------------+
| PROTOCOL |            COMMAND             | POD/SVC/IP | PORT | NAMESPACE | LABELS | COUNT |      LAST UPDATED TIME       |
+----------+--------------------------------+------------+------+-----------+--------+-------+------------------------------+
| TCPv6    | /usr/local/bin/pilot-discovery | 10.42.0.1  | 8080 |           |        | 74    | Thu Mar 23 19:25:20 IST 2023 |
+----------+--------------------------------+------------+------+-----------+--------+-------+------------------------------+


@vishnusomank vishnusomank linked an issue Mar 27, 2023 that may be closed by this pull request
@vishnusomank vishnusomank marked this pull request as draft March 27, 2023 04:29
@nyrahul nyrahul changed the title Display summary data per deployment WIP Display summary data per deployment Mar 31, 2023
Vyom-Yadav commented Apr 3, 2023

karmor summary -n wordpress-mysql -d wordpress  --gRPC :9089 

  Deployment Name  wordpress                   
  Pod Name(s)      wordpress-787f45786f-tspm8  
                   wordpress-787f45786f-9nddp  
                   wordpress-787f45786f-hgksb  
                   wordpress-787f45786f-k5vlj  
                   wordpress-787f45786f-s2rzr  
                   wordpress-787f45786f-ptbwp  
                   wordpress-787f45786f-hcqsc  
                   wordpress-5ffc47cff4-blm9v  
  Namespace Name   wordpress-mysql             
  Cluster Name     default                     
  Container Name   wordpress                   
  Labels           app=wordpress               
                   tier=frontend               

Process Data
+----------------------------------+-----------------------------------+-------+------------------------------+--------+
|           SRC PROCESS            |     DESTINATION PROCESS PATH      | COUNT |      LAST UPDATED TIME       | STATUS |
+----------------------------------+-----------------------------------+-------+------------------------------+--------+
| /bin/bash                        | /bin/mkdir                        | 3     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /bin/rm                           | 1     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /bin/sed                          | 31    | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /usr/bin/cut                      | 5     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /usr/bin/dirname                  | 6     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /usr/bin/head                     | 5     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /usr/bin/sha1sum                  | 4     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /bin/bash                        | /usr/local/bin/php                | 10    | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /usr/bin/containerd-shim-runc-v2 | /usr/local/bin/apache2-foreground | 1     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
| /usr/bin/containerd-shim-runc-v2 | /usr/sbin/apache2                 | 1     | Mon Mar 27 09:41:03 IST 2023 | Allow  |
+----------------------------------+-----------------------------------+-------+------------------------------+--------+

If an admin exec'd into a pod, the summary data will be inconsistent across pods, there would be no way to tell which pod was exec'd into to perform some operations (which process was triggered in which pod). Won't hamper the summary much but just something that should be considered once.
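
The attribution gap raised in this comment, as an added Go example that is not code from this PR or from kubearmor-client: it rolls per-pod process events up to the workload while keeping the contributing pod names, then lists the pairs seen on at most one replica. The `ProcEvent` and `AggRow` types, the function names and the per-pod breakdown in `SampleEvents` are hypothetical and constructed; only the pod names and process paths come from the output above.

```go
package main

import (
	"fmt"
	"sort"
)

// ProcEvent is one per-pod observation: Src spawned Dst, Count times.
// Hypothetical type for this example, not a kubearmor-client type.
type ProcEvent struct {
	Pod, Src, Dst string
	Count         int
}

// AggRow is a per-workload summary row that still records which pods
// contributed to it, so a roll-up does not lose attribution.
type AggRow struct {
	Src, Dst string
	Count    int
	Pods     []string // sorted, de-duplicated
}

type pairKey struct{ src, dst string }

// Aggregate merges per-pod events into one row per (Src, Dst) pair,
// summing counts and collecting the set of pods that produced the pair.
func Aggregate(events []ProcEvent) []AggRow {
	counts := map[pairKey]int{}
	seen := map[pairKey]map[string]bool{}
	for _, e := range events {
		k := pairKey{e.Src, e.Dst}
		counts[k] += e.Count
		if seen[k] == nil {
			seen[k] = map[string]bool{}
		}
		seen[k][e.Pod] = true
	}
	rows := make([]AggRow, 0, len(counts))
	for k, n := range counts {
		pods := make([]string, 0, len(seen[k]))
		for p := range seen[k] {
			pods = append(pods, p)
		}
		sort.Strings(pods)
		rows = append(rows, AggRow{Src: k.src, Dst: k.dst, Count: n, Pods: pods})
	}
	// Deterministic order: by source process, then destination process.
	sort.Slice(rows, func(i, j int) bool {
		if rows[i].Src != rows[j].Src {
			return rows[i].Src < rows[j].Src
		}
		return rows[i].Dst < rows[j].Dst
	})
	return rows
}

// PodSpecific returns the rows observed on at most maxPods replicas.
// Behaviour that identical replicas do not share (for example an
// interactive shell session) shows up here with the pod it came from.
func PodSpecific(rows []AggRow, maxPods int) []AggRow {
	var out []AggRow
	for _, r := range rows {
		if len(r.Pods) <= maxPods {
			out = append(out, r)
		}
	}
	return out
}

// SampleEvents returns constructed per-pod data: every replica starts
// apache2, but only one replica shows /bin/bash child processes.
func SampleEvents() []ProcEvent {
	shim := "/usr/bin/containerd-shim-runc-v2"
	return []ProcEvent{
		{"wordpress-787f45786f-tspm8", shim, "/usr/sbin/apache2", 1},
		{"wordpress-787f45786f-9nddp", shim, "/usr/sbin/apache2", 1},
		{"wordpress-787f45786f-hgksb", shim, "/usr/sbin/apache2", 1},
		{"wordpress-787f45786f-tspm8", "/bin/bash", "/bin/sed", 31},
		{"wordpress-787f45786f-tspm8", "/bin/bash", "/bin/rm", 1},
	}
}

func main() {
	rows := Aggregate(SampleEvents())
	for _, r := range PodSpecific(rows, 1) {
		fmt.Printf("%s -> %s count=%d pods=%v\n", r.Src, r.Dst, r.Count, r.Pods)
	}
}
```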


nyrahul commented Apr 5, 2023

Super! This is very useful.

@vishnusomank vishnusomank marked this pull request as ready for review April 20, 2023 15:18
@vishnusomank vishnusomank changed the title WIP Display summary data per deployment Display summary data per deployment Apr 20, 2023
@nyrahul nyrahul left a comment

This PR works only for deployments but not for stateful sets and other resource types.

- Modified summary code to have deployment name and deployment type as a parameter
- Updated code to display summary per resource type if podname is not mentioned

Signed-off-by: Vishnu Soman <vishnu@accuknox.com>
@vishnusomank vishnusomank marked this pull request as draft May 24, 2023 13:07
@vishnusomank vishnusomank changed the title Display summary data per deployment WIP Display summary data per deployment May 24, 2023
@vishnusomank
Contributor Author

Updated Outputs

Summary Help

./karmor summary --help
Discovery engine keeps the telemetry information from the policy enforcement engines and the karmor connects to it to provide this as observability data

Usage:
  karmor summary [flags]

Flags:
      --agg                     Aggregate destination files/folder path
      --cluster string          Cluster name
      --container string        Container name
      --gRPC string             gRPC server information
  -h, --help                    help for summary
  -l, --labels string           Labels
  -n, --namespace string        Namespace
  -o, --output string           Export Summary Data in JSON (karmor summary -o json)
  -p, --pod string              PodName
      --rev-dns-lookup          Reverse DNS Lookup
  -t, --type string             Summary filter type : process|file|network  (default "process,file,network")
  -w, --workload string         Workload Resource Name
  -f, --workloadfilter string   Workload Resource Type filter (Deployment,ReplicaSet, StatefulSet etc)

Global Flags:
      --context string      Name of the kubeconfig context to use
      --kubeconfig string   Path to the kubeconfig file to use

Summary without any input

./karmor summary --gRPC :9089

  Name            user          
  Resource Type   Deployment    
  Namespace Name  sock-shop     
  Cluster Name    default       
  Container Name  user-db       
  Labels          name=user-db  

File Data
+-----------------+-----------------------------------------------------+-------+------------------------------+--------+
|   SRC PROCESS   |                DESTINATION FILE PATH                | COUNT |      LAST UPDATED TIME       | STATUS |
+-----------------+-----------------------------------------------------+-------+------------------------------+--------+
| /usr/bin/mongod | /data/db-users/diagnostic.data/metrics.interim.temp | 802   | Wed May 24 18:40:43 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db-users/journal                              | 12352 | Wed May 24 18:40:52 IST 2023 | Allow  |
+-----------------+-----------------------------------------------------+-------+------------------------------+--------+


  Name            orders          
  Resource Type   Deployment      
  Namespace Name  sock-shop       
  Cluster Name    default         
  Container Name  orders-db       
  Labels          name=orders-db  

File Data
+-----------------+-----------------------------------------------+-------+------------------------------+--------+
|   SRC PROCESS   |             DESTINATION FILE PATH             | COUNT |      LAST UPDATED TIME       | STATUS |
+-----------------+-----------------------------------------------+-------+------------------------------+--------+
| /usr/bin/mongod | /data/db/                                     | 136   | Wed May 24 18:40:30 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db/WiredTiger.turtle                    | 138   | Wed May 24 18:40:30 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db/WiredTiger.turtle.set                | 131   | Wed May 24 18:40:30 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db/diagnostic.data/metrics.interim.temp | 802   | Wed May 24 18:40:44 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db/journal                              | 12178 | Wed May 24 18:40:52 IST 2023 | Allow  |
+-----------------+-----------------------------------------------+-------+------------------------------+--------+


  Name            agents-operator      
  Resource Type   Deployment           
  Namespace Name  accuknox-agents      
  Cluster Name    default              
  Container Name  agents-operator      
  Labels          app=agents-operator  

File Data
+-------------------------------+------------------------------------------------------+-------+------------------------------+--------+
|          SRC PROCESS          |                DESTINATION FILE PATH                 | COUNT |      LAST UPDATED TIME       | STATUS |
+-------------------------------+------------------------------------------------------+-------+------------------------------+--------+
| /config/plugin/k8s-sat        | /var/run/secrets/kubernetes.io/serviceaccount/token  | 137   | Wed May 24 18:39:55 IST 2023 | Allow  |
| /config/plugin/keymanager-k8s | /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | 20    | Wed May 24 18:28:28 IST 2023 | Allow  |
| /config/plugin/keymanager-k8s | /var/run/secrets/kubernetes.io/serviceaccount/token  | 19    | Wed May 24 18:28:28 IST 2023 | Allow  |
| /home/agents-operator/main    | /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | 29    | Wed May 24 18:28:28 IST 2023 | Allow  |
| /home/agents-operator/main    | /var/run/secrets/kubernetes.io/serviceaccount/token  | 83    | Wed May 24 18:40:28 IST 2023 | Allow  |
+-------------------------------+------------------------------------------------------+-------+------------------------------+--------+


Egress connections
+----------+-------------------------------+-----------------------------+------+-----------+-----------------------------------------+-------+------------------------------+
| PROTOCOL |            COMMAND            |         POD/SVC/IP          | PORT | NAMESPACE |                 LABELS                  | COUNT |      LAST UPDATED TIME       |
+----------+-------------------------------+-----------------------------+------+-----------+-----------------------------------------+-------+------------------------------+
| TCP      | /home/agents-operator/main    | 3.130.171.29                | 8081 |           |                                         | 34    | Wed May 24 18:39:51 IST 2023 |
| AF_UNIX  | /home/agents-operator/main    | /run/spire/agent/agent.sock | 0    |           |                                         | 105   | Wed May 24 18:39:55 IST 2023 |
| TCP      | /home/agents-operator/main    | 18.217.156.246              | 8081 |           |                                         | 37    | Wed May 24 18:40:29 IST 2023 |
| TCP      | /home/agents-operator/main    | 18.116.208.17               | 8081 |           |                                         | 33    | Wed May 24 18:40:52 IST 2023 |
| TCP      | /config/plugin/keymanager-k8s | svc/kubernetes              | 443  | default   | provider=kubernetes,component=apiserver | 1     | Wed May 24 12:28:45 IST 2023 |
| TCP      | /config/plugin/keymanager-k8s | svc/kubernetes              | 443  | default   | component=apiserver,provider=kubernetes | 2     | Wed May 24 17:58:32 IST 2023 |
+----------+-------------------------------+-----------------------------+------+-----------+-----------------------------------------+-------+------------------------------+


  Name            rabbitmq       
  Resource Type   Deployment     
  Namespace Name  sock-shop      
  Cluster Name    default        
  Container Name  rabbitmq       
  Labels          name=rabbitmq  

File Data
+-------------------------------------------+-----------------------+-------+------------------------------+--------+
|                SRC PROCESS                | DESTINATION FILE PATH | COUNT |      LAST UPDATED TIME       | STATUS |
+-------------------------------------------+-----------------------+-------+------------------------------+--------+
| /usr/lib/erlang/erts-8.3/bin/inet_gethost | /etc/hosts            | 139   | Wed May 24 18:39:58 IST 2023 | Allow  |
+-------------------------------------------+-----------------------+-------+------------------------------+--------+


Ingress connections
+----------+-----------------------------------+-------------------------------+------+-----------+---------------+-------+------------------------------+
| PROTOCOL |              COMMAND              |          POD/SVC/IP           | PORT | NAMESPACE |    LABELS     | COUNT |      LAST UPDATED TIME       |
+----------+-----------------------------------+-------------------------------+------+-----------+---------------+-------+------------------------------+
| TCP      | /usr/lib/erlang/erts-8.3/bin/epmd | pod/rabbitmq-6c9f69c5c6-8cnrs | 4369 | sock-shop | name=rabbitmq | 93    | Wed May 24 18:38:58 IST 2023 |
+----------+-----------------------------------+-------------------------------+------+-----------+---------------+-------+------------------------------+


Egress connections
+----------+---------------------------------------+-------------------------------+------+-----------+---------------+-------+------------------------------+
| PROTOCOL |                COMMAND                |          POD/SVC/IP           | PORT | NAMESPACE |    LABELS     | COUNT |      LAST UPDATED TIME       |
+----------+---------------------------------------+-------------------------------+------+-----------+---------------+-------+------------------------------+
| TCP      | /usr/lib/erlang/erts-8.3/bin/beam.smp | pod/rabbitmq-6c9f69c5c6-8cnrs | 4369 | sock-shop | name=rabbitmq | 108   | Wed May 24 18:39:58 IST 2023 |
+----------+---------------------------------------+-------------------------------+------+-----------+---------------+-------+------------------------------+


Bind Points
+----------+---------------------------------------+-----------+--------------+-------+------------------------------+
| PROTOCOL |                COMMAND                | BIND PORT | BIND ADDRESS | COUNT |      LAST UPDATED TIME       |
+----------+---------------------------------------+-----------+--------------+-------+------------------------------+
| AF_INET  | /usr/lib/erlang/erts-8.3/bin/beam.smp | 0         | 0.0.0.0      | 96    | Wed May 24 18:39:58 IST 2023 |
+----------+---------------------------------------+-----------+--------------+-------+------------------------------+


  Name            carts          
  Resource Type   Deployment     
  Namespace Name  sock-shop      
  Cluster Name    default        
  Container Name  carts-db       
  Labels          name=carts-db  

File Data
+-----------------+-----------------------------------------------+-------+------------------------------+--------+
|   SRC PROCESS   |             DESTINATION FILE PATH             | COUNT |      LAST UPDATED TIME       | STATUS |
+-----------------+-----------------------------------------------+-------+------------------------------+--------+
| /usr/bin/mongod | /data/db/                                     | 135   | Wed May 24 18:39:59 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db/WiredTiger.turtle                    | 139   | Wed May 24 18:39:59 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db/WiredTiger.turtle.set                | 138   | Wed May 24 18:39:59 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db/diagnostic.data/metrics.interim.temp | 808   | Wed May 24 18:40:50 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db/journal                              | 12166 | Wed May 24 18:40:52 IST 2023 | Allow  |
+-----------------+-----------------------------------------------+-------+------------------------------+--------+


  Name            shared-informer-agent      
  Resource Type   Deployment                 
  Namespace Name  accuknox-agents            
  Cluster Name    default                    
  Container Name  shared-informer-agent      
  Labels          app=shared-informer-agent  

File Data
+----------------+-----------------------------------------------------+-------+------------------------------+--------+
|  SRC PROCESS   |                DESTINATION FILE PATH                | COUNT |      LAST UPDATED TIME       | STATUS |
+----------------+-----------------------------------------------------+-------+------------------------------+--------+
| /home/sia/main | /var/run/secrets/kubernetes.io/serviceaccount/token | 83    | Wed May 24 18:39:00 IST 2023 | Allow  |
+----------------+-----------------------------------------------------+-------+------------------------------+--------+


Egress connections
+----------+----------------+--------------+------+-----------+--------+-------+------------------------------+
| PROTOCOL |    COMMAND     |  POD/SVC/IP  | PORT | NAMESPACE | LABELS | COUNT |      LAST UPDATED TIME       |
+----------+----------------+--------------+------+-----------+--------+-------+------------------------------+
| TCP      | /home/sia/main | 3.128.141.99 | 3000 |           |        | 13    | Wed May 24 18:12:26 IST 2023 |
| TCP      | /home/sia/main | 3.128.72.187 | 3000 |           |        | 10    | Wed May 24 18:31:00 IST 2023 |
| TCP      | /home/sia/main | 3.13.111.17  | 3000 |           |        | 6     | Wed May 24 18:35:00 IST 2023 |
+----------+----------------+--------------+------+-----------+--------+-------+------------------------------+


  Name            spire-server                                       
  Resource Type   StatefulSet                                        
  Namespace Name  spire                                              
  Cluster Name    default                                            
  Container Name  spire-server                                       
  Labels          app=spire-server                                   
                  statefulset.kubernetes.io/pod-name=spire-server-0  

File Data
+-----------------------------+--------------------------------------+-------+------------------------------+--------+
|         SRC PROCESS         |        DESTINATION FILE PATH         | COUNT |      LAST UPDATED TIME       | STATUS |
+-----------------------------+--------------------------------------+-------+------------------------------+--------+
| /opt/spire/bin/spire-server | /run/spire-server                    | 4     | Wed May 24 12:31:16 IST 2023 | Allow  |
| /opt/spire/bin/spire-server | /run/spire-server/ca/upstream_ca.crt | 1     | Wed May 24 12:30:26 IST 2023 | Allow  |
| /opt/spire/bin/spire-server | /run/spire-server/ca/upstream_ca.key | 1     | Wed May 24 12:30:26 IST 2023 | Allow  |
| /opt/spire/bin/spire-server | /run/spire-server/journal.pem.tmp    | 2     | Wed May 24 12:31:16 IST 2023 | Allow  |
| /opt/spire/bin/spire-server | /run/spire-server/keys.json.tmp      | 2     | Wed May 24 12:31:16 IST 2023 | Allow  |
+-----------------------------+--------------------------------------+-------+------------------------------+--------+


Ingress connections
+----------+-----------------------------+------------+------+-----------+--------+-------+------------------------------+
| PROTOCOL |           COMMAND           | POD/SVC/IP | PORT | NAMESPACE | LABELS | COUNT |      LAST UPDATED TIME       |
+----------+-----------------------------+------------+------+-----------+--------+-------+------------------------------+
| TCPv6    | /opt/spire/bin/spire-server | 10.244.2.1 | 8081 |           |        | 1391  | Wed May 24 18:40:50 IST 2023 |
| TCPv6    | /opt/spire/bin/spire-server | 10.244.2.1 | 8080 |           |        | 3139  | Wed May 24 18:40:52 IST 2023 |
+----------+-----------------------------+------------+------+-----------+--------+-------+------------------------------+


Egress connections
+----------+-----------------------------+------------------------------------+------+-----------+--------+-------+------------------------------+
| PROTOCOL |           COMMAND           |             POD/SVC/IP             | PORT | NAMESPACE | LABELS | COUNT |      LAST UPDATED TIME       |
+----------+-----------------------------+------------------------------------+------+-----------+--------+-------+------------------------------+
| AF_UNIX  | /opt/spire/bin/spire-server | /tmp/spire-server/private/api.sock | 0    |           |        | 107   | Wed May 24 18:39:27 IST 2023 |
+----------+-----------------------------+------------------------------------+------+-----------+--------+-------+------------------------------+

Summary with filter type as statefulset

./karmor summary -f sts --gRPC :9089

  Name            spire-server                                       
  Resource Type   StatefulSet                                        
  Namespace Name  spire                                              
  Cluster Name    default                                            
  Container Name  spire-server                                       
  Labels          app=spire-server                                   
                  statefulset.kubernetes.io/pod-name=spire-server-0  

File Data
+-----------------------------+--------------------------------------+-------+------------------------------+--------+
|         SRC PROCESS         |        DESTINATION FILE PATH         | COUNT |      LAST UPDATED TIME       | STATUS |
+-----------------------------+--------------------------------------+-------+------------------------------+--------+
| /opt/spire/bin/spire-server | /run/spire-server                    | 4     | Wed May 24 12:31:16 IST 2023 | Allow  |
| /opt/spire/bin/spire-server | /run/spire-server/ca/upstream_ca.crt | 1     | Wed May 24 12:30:26 IST 2023 | Allow  |
| /opt/spire/bin/spire-server | /run/spire-server/ca/upstream_ca.key | 1     | Wed May 24 12:30:26 IST 2023 | Allow  |
| /opt/spire/bin/spire-server | /run/spire-server/journal.pem.tmp    | 2     | Wed May 24 12:31:16 IST 2023 | Allow  |
| /opt/spire/bin/spire-server | /run/spire-server/keys.json.tmp      | 2     | Wed May 24 12:31:16 IST 2023 | Allow  |
+-----------------------------+--------------------------------------+-------+------------------------------+--------+


Ingress connections
+----------+-----------------------------+------------+------+-----------+--------+-------+------------------------------+
| PROTOCOL |           COMMAND           | POD/SVC/IP | PORT | NAMESPACE | LABELS | COUNT |      LAST UPDATED TIME       |
+----------+-----------------------------+------------+------+-----------+--------+-------+------------------------------+
| TCPv6    | /opt/spire/bin/spire-server | 10.244.2.1 | 8081 |           |        | 1402  | Wed May 24 18:41:56 IST 2023 |
| TCPv6    | /opt/spire/bin/spire-server | 10.244.2.1 | 8080 |           |        | 3164  | Wed May 24 18:42:01 IST 2023 |
+----------+-----------------------------+------------+------+-----------+--------+-------+------------------------------+


Egress connections
+----------+-----------------------------+------------------------------------+------+-----------+--------+-------+------------------------------+
| PROTOCOL |           COMMAND           |             POD/SVC/IP             | PORT | NAMESPACE | LABELS | COUNT |      LAST UPDATED TIME       |
+----------+-----------------------------+------------------------------------+------+-----------+--------+-------+------------------------------+
| AF_UNIX  | /opt/spire/bin/spire-server | /tmp/spire-server/private/api.sock | 0    |           |        | 107   | Wed May 24 18:39:27 IST 2023 |
+----------+-----------------------------+------------------------------------+------+-----------+--------+-------+------------------------------+

Summary with filter type deployment and workload name carts

./karmor summary -f deploy -w carts --gRPC :9089

  Name            carts          
  Resource Type   Deployment     
  Namespace Name  sock-shop      
  Cluster Name    default        
  Container Name  carts-db       
  Labels          name=carts-db  

File Data
+-----------------+-----------------------------------------------+-------+------------------------------+--------+
|   SRC PROCESS   |             DESTINATION FILE PATH             | COUNT |      LAST UPDATED TIME       | STATUS |
+-----------------+-----------------------------------------------+-------+------------------------------+--------+
| /usr/bin/mongod | /data/db/                                     | 136   | Wed May 24 18:41:59 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db/WiredTiger.turtle                    | 141   | Wed May 24 18:41:59 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db/WiredTiger.turtle.set                | 140   | Wed May 24 18:41:59 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db/diagnostic.data/metrics.interim.temp | 820   | Wed May 24 18:42:50 IST 2023 | Allow  |
| /usr/bin/mongod | /data/db/journal                              | 12338 | Wed May 24 18:42:52 IST 2023 | Allow  |
+-----------------+-----------------------------------------------+-------+------------------------------+--------+

Summary with podname

./karmor summary -n accuknox-agents -p agents-operator-58c5f4d587-89lhp --gRPC :9089

  Name            agents-operator-58c5f4d587-89lhp  
  Resource Type   Pod                               
  Namespace Name  accuknox-agents                   
  Cluster Name    default                           
  Container Name  agents-operator                   
  Labels          app=agents-operator               

File Data
+-------------------------------+------------------------------------------------------+-------+------------------------------+--------+
|          SRC PROCESS          |                DESTINATION FILE PATH                 | COUNT |      LAST UPDATED TIME       | STATUS |
+-------------------------------+------------------------------------------------------+-------+------------------------------+--------+
| /config/plugin/k8s-sat        | /var/run/secrets/kubernetes.io/serviceaccount/token  | 141   | Wed May 24 18:43:55 IST 2023 | Allow  |
| /config/plugin/keymanager-k8s | /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | 20    | Wed May 24 18:28:28 IST 2023 | Allow  |
| /config/plugin/keymanager-k8s | /var/run/secrets/kubernetes.io/serviceaccount/token  | 19    | Wed May 24 18:28:28 IST 2023 | Allow  |
| /home/agents-operator/main    | /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | 29    | Wed May 24 18:28:28 IST 2023 | Allow  |
| /home/agents-operator/main    | /var/run/secrets/kubernetes.io/serviceaccount/token  | 84    | Wed May 24 18:41:50 IST 2023 | Allow  |
+-------------------------------+------------------------------------------------------+-------+------------------------------+--------+


Egress connections
+----------+-------------------------------+-----------------------------+------+-----------+-----------------------------------------+-------+------------------------------+
| PROTOCOL |            COMMAND            |         POD/SVC/IP          | PORT | NAMESPACE |                 LABELS                  | COUNT |      LAST UPDATED TIME       |
+----------+-------------------------------+-----------------------------+------+-----------+-----------------------------------------+-------+------------------------------+
| TCP      | /home/agents-operator/main    | 3.130.171.29                | 8081 |           |                                         | 34    | Wed May 24 18:39:51 IST 2023 |
| AF_UNIX  | /home/agents-operator/main    | /run/spire/agent/agent.sock | 0    |           |                                         | 109   | Wed May 24 18:43:55 IST 2023 |
| TCP      | /home/agents-operator/main    | 18.217.156.246              | 8081 |           |                                         | 37    | Wed May 24 18:40:29 IST 2023 |
| TCP      | /home/agents-operator/main    | 18.116.208.17               | 8081 |           |                                         | 34    | Wed May 24 18:44:01 IST 2023 |
| TCP      | /config/plugin/keymanager-k8s | svc/kubernetes              | 443  | default   | provider=kubernetes,component=apiserver | 1     | Wed May 24 12:28:45 IST 2023 |
| TCP      | /config/plugin/keymanager-k8s | svc/kubernetes              | 443  | default   | component=apiserver,provider=kubernetes | 2     | Wed May 24 17:58:32 IST 2023 |
+----------+-------------------------------+-----------------------------+------+-----------+-----------------------------------------+-------+------------------------------+

Summary with wrong filter type and workload name

  • Here carts is a deployment
./karmor summary -w carts -f sts --gRPC :9089                                                                                                                   
Error: rpc error: code = Unknown desc = no pods matching the input request

Summary as JSON output

./karmor summary -f sts --gRPC :9089 -o json | jq .
{
  "DeploymentName": "spire-server",
  "PodName": "spire-server-0",
  "ClusterName": "default",
  "Namespace": "spire",
  "Label": "app=spire-server,statefulset.kubernetes.io/pod-name=spire-server-0",
  "ContainerName": "spire-server",
  "FileData": [
    {
      "Source": "/opt/spire/bin/spire-server",
      "Destination": "/run/spire-server/keys.json.tmp",
      "Count": "2",
      "UpdatedTime": "Wed May 24 12:31:16 IST 2023",
      "Status": "Allow"
    },
    {
      "Source": "/opt/spire/bin/spire-server",
      "Destination": "/run/spire-server",
      "Count": "4",
      "UpdatedTime": "Wed May 24 12:31:16 IST 2023",
      "Status": "Allow"
    },
    {
      "Source": "/opt/spire/bin/spire-server",
      "Destination": "/run/spire-server/ca/upstream_ca.key",
      "Count": "1",
      "UpdatedTime": "Wed May 24 12:30:26 IST 2023",
      "Status": "Allow"
    },
    {
      "Source": "/opt/spire/bin/spire-server",
      "Destination": "/run/spire-server/journal.pem.tmp",
      "Count": "2",
      "UpdatedTime": "Wed May 24 12:31:16 IST 2023",
      "Status": "Allow"
    },
    {
      "Source": "/opt/spire/bin/spire-server",
      "Destination": "/run/spire-server/ca/upstream_ca.crt",
      "Count": "1",
      "UpdatedTime": "Wed May 24 12:30:26 IST 2023",
      "Status": "Allow"
    }
  ],
  "IngressConnection": [
    {
      "Protocol": "TCPv6",
      "Command": "/opt/spire/bin/spire-server",
      "IP": "10.244.2.1",
      "Port": "8081",
      "Count": "1449",
      "UpdatedTime": "Wed May 24 18:46:39 IST 2023"
    },
    {
      "Protocol": "TCPv6",
      "Command": "/opt/spire/bin/spire-server",
      "IP": "10.244.2.1",
      "Port": "8080",
      "Count": "3269",
      "UpdatedTime": "Wed May 24 18:46:41 IST 2023"
    }
  ],
  "EgressConnection": [
    {
      "Protocol": "AF_UNIX",
      "Command": "/opt/spire/bin/spire-server",
      "IP": "/tmp/spire-server/private/api.sock",
      "Port": "0",
      "Count": "112",
      "UpdatedTime": "Wed May 24 18:46:27 IST 2023"
    }
  ],
  "DeployType": "StatefulSet"
}
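
An added example, not part of this PR or of kubearmor-client: one way to post-process the JSON shape shown above when reviewing observed behaviour before writing a least-privilege policy. The sample is a trimmed, constructed copy of that output; the `review` function and the list of sensitive suffixes are this example's assumptions.

```python
import json

# Constructed sample: a trimmed copy of the JSON shape shown above.
SAMPLE = """
{
  "DeploymentName": "spire-server",
  "Namespace": "spire",
  "DeployType": "StatefulSet",
  "FileData": [
    {"Source": "/opt/spire/bin/spire-server",
     "Destination": "/run/spire-server/ca/upstream_ca.key",
     "Count": "1", "Status": "Allow"},
    {"Source": "/opt/spire/bin/spire-server",
     "Destination": "/run/spire-server/keys.json.tmp",
     "Count": "2", "Status": "Allow"}
  ],
  "EgressConnection": [
    {"Protocol": "AF_UNIX", "Command": "/opt/spire/bin/spire-server",
     "IP": "/tmp/spire-server/private/api.sock", "Port": "0", "Count": "112"}
  ]
}
"""

# Assumption: what counts as sensitive is this example's choice, not karmor's.
SENSITIVE_SUFFIXES = (".key", ".pem", "/serviceaccount/token")


def review(summary):
    """Split one summary object into items worth a policy reviewer's attention."""
    files = [
        (f["Source"], f["Destination"], int(f["Count"]))  # Count is a string
        for f in summary.get("FileData") or []  # missing or null list -> empty
        if f["Destination"].endswith(SENSITIVE_SUFFIXES)
    ]
    sockets, network = [], []
    for c in summary.get("EgressConnection") or []:
        # AF_UNIX rows carry a socket path in "IP" and a placeholder port "0".
        if c["Protocol"] == "AF_UNIX":
            sockets.append((c["Command"], c["IP"]))
        else:
            network.append((c["Command"], c["IP"], int(c["Port"])))
    return {"sensitive_files": files, "unix_sockets": sockets, "network_egress": network}


if __name__ == "__main__":
    print(json.dumps(review(json.loads(SAMPLE)), indent=2))
```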

@daemon1024

karmor summary has been deprecated

@daemon1024 daemon1024 closed this Nov 28, 2023