Merge pull request kubearmor#1246 from rksharma95/rehdat-certified-op…

…erator
Shreyas220 · Aug 3, 2023 · 52eb6fe · 52eb6fe
2 parents f1b41d0 + 94c5227
commit 52eb6fe
Show file tree

Hide file tree

Showing 77 changed files with 6,392 additions and 15 deletions.
diff --git a/.github/workflows/ci-operator-release.yaml b/.github/workflows/ci-operator-release.yaml
@@ -0,0 +1,43 @@
+name: ci-release-operator
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - "pkg/KubeArmorOperator/**"
+
+env:
+  PLATFORM: linux/amd64,linux/arm64/v8
+
+jobs:  
+  kubearmor-operator-release:
+    name: Build & Push KubeArmor Operator
+    defaults:
+      run:
+        working-directory: ./pkg/KubeArmorOperator
+    runs-on: ubuntu-20.04
+    timeout-minutes: 60
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "v1.20"
+
+      - uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          platforms: linux/amd64,linux/arm64/v8
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_AUTHTOK }}
+
+      - name: Build & Push KubeArmor Operator
+        run: PLATFORM=$PLATFORM make docker-buildx TAG=latest
diff --git a/.github/workflows/ci-test-ginkgo.yml b/.github/workflows/ci-test-ginkgo.yml
@@ -48,28 +48,32 @@ jobs:
       - name: Generate KubeArmor artifacts
         run: |
           GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh
+      
+      - name: Build Kubearmor-Operator
+        working-directory: pkg/KubeArmorOperator
+        run: |
+          make docker-build
 
       - name: Run KubeArmor
+        working-directory: pkg/KubeArmorOperator
         run: |
           if [ ${{ matrix.runtime }} == "containerd" ]; then
             docker save kubearmor/kubearmor-init:latest | sudo k3s ctr images import -
             docker save kubearmor/kubearmor:latest | sudo k3s ctr images import -
-
-            helm upgrade --install kubearmor ./deployments/helm \
-            --values ./KubeArmor/build/kubearmor-helm-test-values.yaml \
-            --set environment.name=k3s \
-            -n kube-system;
+            docker save kubearmor/kubearmor-operator:latest | sudo k3s ctr images import -
           else
             if [ ${{ matrix.runtime }} == "crio" ]; then
               sudo podman pull docker-daemon:kubearmor/kubearmor-init:latest
               sudo podman pull docker-daemon:kubearmor/kubearmor:latest
+              sudo podman pull docker-daemon:kubearmor/kubearmor-operator:latest
             fi
-            helm upgrade --install kubearmor ./deployments/helm \
-            --values ./KubeArmor/build/kubearmor-helm-test-values.yaml \
-            --set environment.name=${{ matrix.runtime }} \
-            -n kube-system;
           fi
-          kubectl wait --for=condition=ready --timeout=5m -n kube-system pod -l kubearmor-app
+          helm upgrade --install kubearmor-operator ./deployments/helm -n kube-system
+          kubectl wait --for=condition=ready --timeout=5m -n kube-system pod -l kubearmor-app=kubearmor-operator
+          kubectl get pods -A
+          kubectl apply -f ./config/samples/kubearmor-test.yaml
+          kubectl wait -n kube-system --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test
+          kubectl wait --timeout=5m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kube-system
           kubectl get pods -A
 
       - name: Test KubeArmor using Ginkgo

diff --git a/.github/workflows/ci-test-operator.yaml b/.github/workflows/ci-test-operator.yaml
@@ -0,0 +1,31 @@
+name: ci-test-operator
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - "pkg/KubeArmorOperator/**"
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - "pkg/KubeArmorOperator/**"
+
+jobs:
+  kubearmor-operator-test:
+    name: Build KubeArmor Operator
+    defaults:
+      run:
+        working-directory: ./pkg/KubeArmorOperator
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: v1.20
+
+      - uses: actions/checkout@v3
+
+      - name: Build kubearmor operator
+        run: make docker-build TAG=latest
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,8 @@
 # KubeArmor
 kubearmor
 karmor
+snitch
+kubearmor-operator
 
 # KubeArmor YAML Generator
 deploygen
@@ -33,4 +35,4 @@ vmlinux.h
 **/cflags.lst
 
 # gingko test tmp file
-**/*.test
+**/*.test
diff --git a/KubeArmor/common/common.go b/KubeArmor/common/common.go
@@ -379,14 +379,18 @@ func IsK8sEnv() bool {
 var ContainerRuntimeSocketMap = map[string][]string{
 	"docker": {
 		"/var/run/docker.sock",
+		"/run/docker.sock",
 	},
 	"containerd": {
 		"/var/snap/microk8s/common/run/containerd.sock",
 		"/run/k3s/containerd/containerd.sock",
+		"/run/containerd/containerd.sock",
 		"/var/run/containerd/containerd.sock",
+		"/run/dockershim.sock",
 	},
-	"crio": {
+	"cri-o": {
 		"/var/run/crio/crio.sock",
+		"/run/crio/crio.sock",
 	},
 }
 

diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
@@ -488,7 +488,7 @@ func KubeArmor() {
 		} else if strings.Contains(cfg.GlobalCfg.CRISocket, "containerd") {
 			// monitor containerd events
 			go dm.MonitorContainerdEvents()
-		} else if strings.Contains(cfg.GlobalCfg.CRISocket, "crio") {
+		} else if strings.Contains(cfg.GlobalCfg.CRISocket, "cri-o") {
 			// monitor crio events
 			go dm.MonitorCrioEvents()
 		} else {
@@ -520,7 +520,7 @@ func KubeArmor() {
 			} else if strings.Contains(dm.Node.ContainerRuntimeVersion, "containerd") {
 				// monitor containerd events
 				go dm.MonitorContainerdEvents()
-			} else if strings.Contains(dm.Node.ContainerRuntimeVersion, "crio") {
+			} else if strings.Contains(dm.Node.ContainerRuntimeVersion, "cri-o") {
 				// monitor crio events
 				go dm.MonitorCrioEvents()
 			} else {
@@ -582,7 +582,7 @@ func KubeArmor() {
 					return
 				}
 			} else if strings.HasPrefix(dm.Node.ContainerRuntimeVersion, "cri-o") { // cri-o
-				socketFile := kl.GetCRISocket("crio")
+				socketFile := kl.GetCRISocket("cri-o")
 
 				if socketFile != "" {
 					cfg.GlobalCfg.CRISocket = "unix://" + socketFile

diff --git a/pkg/KubeArmorOperator/Dockerfile b/pkg/KubeArmorOperator/Dockerfile
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2022 Authors of KubeArmor
+
+FROM docker.io/golang:1.20 as builder
+ARG GOARCH
+ARG GOOS
+WORKDIR /app
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# Copy the go source
+
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+COPY api api
+COPY client client
+COPY cmd cmd
+COPY common common
+COPY internal/controller internal/controller
+COPY enforcer enforcer
+COPY k8s k8s
+COPY runtime runtime
+# Build
+RUN CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} GO111MODULE=on go build -a -o operator cmd/main.go
+
+FROM scratch
+COPY --from=builder /app/operator /operator
+ENTRYPOINT ["/operator"]
diff --git a/pkg/KubeArmorOperator/Dockerfile.ubi b/pkg/KubeArmorOperator/Dockerfile.ubi
@@ -0,0 +1,53 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2022 Authors of KubeArmor
+
+FROM redhat/ubi9-minimal as builder
+WORKDIR /app
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# Copy the go source
+RUN microdnf -y update && \
+    microdnf -y install --nodocs --setopt=install_weak_deps=0 --setopt=keepcache=0 tar gzip && \
+    microdnf clean all && \
+    rm -rf /var/cache/yum
+# install go
+RUN curl -sfL -o go1.19.tar.gz https://go.dev/dl/go1.19.linux-amd64.tar.gz && \
+    rm -rf /usr/local/go && tar -C /usr/local -xzf go1.19.tar.gz && \
+    rm go1.19.tar.gz
+ENV PATH=${PATH}:/usr/local/go/bin
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+COPY cmd cmd
+COPY common common
+COPY internal/controller internal/controller
+COPY enforcer enforcer
+COPY k8s k8s
+COPY runtime runtime
+# Build
+RUN CGO_ENABLED=0 GO111MODULE=on go build -a -o kubearmor-operator cmd/main.go
+RUN ln -s kubearmor-operator snitch
+
+FROM redhat/ubi9-minimal
+LABEL name="kubearmor-operator" \
+      vendor="Accuknox" \
+      version="1.0.0" \
+      release="1.0.0" \
+      summary="kubearmor-operator container image based on redhat ubi" \
+      description="kubearmor-operator to deploy and manage KubeArmor"
+
+RUN microdnf -y update && \
+    microdnf -y install --nodocs --setopt=install_weak_deps=0 --setopt=keepcache=0 shadow-utils && \
+    microdnf clean all && \
+    rm -rf /var/cache/yum
+
+RUN groupadd --gid 1000 default \
+  && useradd --uid 1000 --gid default --shell /bin/bash --create-home default          
+
+COPY --from=builder /app/kubearmor-operator /kubearmor-operator
+RUN ln -s /kubearmor-operator /snitch
+
+USER default
+ENTRYPOINT ["/kubearmor-operator"]