
Provide the ability to auto enable BPF LSM in nodes through operator #1783

Open
DelusionalOptimist opened this issue Jun 18, 2024 · 1 comment
Labels
discussion enhancement New feature or request

Comments

@DelusionalOptimist
Member

Feature Request

Description

KubeArmor supports both AppArmor and BPF LSM as enforcers. However, there is a difference between their feature sets. If it is possible, we ask users to enable BPF LSM for a better experience.
However, to enable BPF LSM, certain steps as listed here must be followed. We provide a script that users can use to enable BPF LSM on their node; however, it has its own caveats.

Thus, we need to provide the ability to enable BPF LSM on compatible nodes through the operator.

Describe the solution you'd like

KubeArmorConfig CR has an updateLSM field. When set to true, based on the annotations applied by snitch, it would either enable BPF LSM itself or through the above mentioned script. Points to keep in mind:

  • Reboot of nodes
    • Operators generally follow this mechanism of updating/restarting a node based on annotations set by the user. For example, the nvidia operator has a flag to determine whether a node should be upgraded or not.
    • Make sure that this happens in a rolling update manner.
  • Show users the status of nodes.
    • karmor probe is an option but it requires users to download the tool.
    • If possible, show this using KubeArmorConfig CR status field.
@DelusionalOptimist DelusionalOptimist added enhancement New feature or request discussion labels Jun 18, 2024
@itsCheithanya
Contributor

So the flow would be like this, @DelusionalOptimist?
1: Extending KubeArmorConfig CR Specification
Modifying the spec section of the KubeArmorConfig CR to include an updateLSM field. This field will indicate whether the operator should attempt to enable BPF LSM on the node.

```yaml
apiVersion: operator.kubearmor.com/v1
kind: KubeArmorConfig
metadata:
  labels:
    app.kubernetes.io/name: kubearmorconfig
    app.kubernetes.io/instance: kubearmorconfig-sample
    app.kubernetes.io/part-of: kubearmoroperator
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/created-by: kubearmoroperator
  name: kubearmorconfig-sample
spec:
  updateLSM: false
```

2: Implementing a function within the KubeArmor operator to check if the current kernel version supports BPF LSM

```go
import (
	"strconv"
	"strings"
)

// isKernelBPFCompatible treats 5.8 (the lowest version listed) and anything
// newer as compatible, so releases like "5.10.0-generic" are matched too.
func isKernelBPFCompatible(kernelVersion string) bool {
	parts := strings.Split(strings.TrimPrefix(kernelVersion, "v"), ".")
	if len(parts) < 2 {
		return false
	}
	major, err1 := strconv.Atoi(parts[0])
	minor, err2 := strconv.Atoi(strings.SplitN(parts[1], "-", 2)[0])
	if err1 != nil || err2 != nil {
		return false
	}
	return major > 5 || (major == 5 && minor >= 8)
}
```

3: After that, we apply annotations based on compatibility. If the kernel version is compatible:

```go
if isKernelBPFCompatible(kernelVersion) && config.Spec.UpdateLSM {
    nodeClient.SetAnnotations(nodeName, map[string]string{
        "kubearmor.enable-bpf-lsm": "true",
    })
}
```

4: Ensuring the operator handles node reboots gracefully

```go
nodeClient.MarkNodeForReboot(nodeName)
waitForNodeReady(nodeName)
```

5: Updating KubeArmorConfig CR Status based on actual status

```yaml
status:
  bpfLsmEnabled: false
```
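The per-node decision behind the flow above, as a runnable check added here as an example (not KubeArmor or operator code): it takes the kernel release string and the active LSM list (the comma-separated contents of /sys/kernel/security/lsm, passed in as a string so it runs offline) and returns which branch of the flow applies. The 5.8 minimum follows the comment above, and the action names are assumptions.

```go
package main
import (
	"strconv"
	"strings"
)

// kernelMajorMinor parses "5.15.0-91-generic" or "v6.1.0"; ok is false on garbage.
func kernelMajorMinor(release string) (major, minor int, ok bool) {
	parts := strings.SplitN(strings.TrimPrefix(release, "v"), ".", 3)
	if len(parts) < 2 {
		return 0, 0, false
	}
	n := 0 // keep only the leading digits of the minor ("10-rc1" -> "10")
	for n < len(parts[1]) && parts[1][n] >= '0' && parts[1][n] <= '9' {
		n++
	}
	major, err1 := strconv.Atoi(parts[0])
	minor, err2 := strconv.Atoi(parts[1][:n])
	return major, minor, err1 == nil && err2 == nil
}

// KernelSupportsBPFLSM applies the 5.8 minimum assumed in the comment above.
func KernelSupportsBPFLSM(release string) bool {
	major, minor, ok := kernelMajorMinor(release)
	return ok && (major > 5 || (major == 5 && minor >= 8))
}

// BPFLSMActive: is "bpf" in the comma-separated /sys/kernel/security/lsm list (passed as a string)?
func BPFLSMActive(lsmList string) bool {
	for _, l := range strings.Split(strings.TrimSpace(lsmList), ",") {
		if strings.TrimSpace(l) == "bpf" {
			return true
		}
	}
	return false
}

// DecideLSMAction mirrors the comment's flow; the action names are hypothetical:
// bpf active -> report status; old kernel -> unsupported; else annotate the node and reboot.
func DecideLSMAction(release, lsmList string, updateLSM bool) string {
	switch {
	case BPFLSMActive(lsmList):
		return "report-enabled"
	case !KernelSupportsBPFLSM(release):
		return "unsupported"
	case updateLSM:
		return "annotate-and-reboot"
	}
	return "report-disabled"
}
```

"annotate-and-reboot" is the branch where the operator would set `kubearmor.enable-bpf-lsm: "true"` and schedule the rolling reboot; "report-enabled" maps to `status.bpfLsmEnabled: true`.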
