From 84faeccf224f301c5d215993872708d30d8fa5dd Mon Sep 17 00:00:00 2001
From: Matthias Bertschy
Date: Mon, 8 Jul 2024 21:37:30 +0200
Subject: [PATCH] simplify container creation logic for ap and nnh

Signed-off-by: Matthias Bertschy
---
 .../v1/applicationprofile_manager.go | 80 ++++++++-----------
 pkg/networkmanager/v2/network_manager.go | 49 +++++-------
 2 files changed, 52 insertions(+), 77 deletions(-)

diff --git a/pkg/applicationprofilemanager/v1/applicationprofile_manager.go b/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
index 4e2d9ed9..ed296d02 100644
--- a/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
+++ b/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
@@ -391,11 +391,11 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 helpers.String("k8s workload", watchedContainer.K8sContainerID))
 } else {
 var replaceOperations []utils.PatchOperation
+ containerNames := watchedContainer.ContainerNames[watchedContainer.ContainerType]
 // check existing container
 existingContainer := utils.GetApplicationProfileContainer(existingObject, watchedContainer.ContainerType, watchedContainer.ContainerIndex)
- var addContainer bool
 if existingContainer == nil {
- name := watchedContainer.ContainerNames[watchedContainer.ContainerType][watchedContainer.ContainerIndex]
+ name := containerNames[watchedContainer.ContainerIndex]
 seccompProfile, err := am.seccompManager.GetSeccompProfile(name, watchedContainer.SeccompProfilePath)
 if err != nil {
 logger.L().Ctx(ctx).Error("ApplicationProfileManager - failed to get seccomp profile", helpers.Error(err),
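Review bot: The new `name := containerNames[watchedContainer.ContainerIndex]` line indexes the per-type name slice without checking that the index lies inside it, so an empty or absent name list for this ContainerType, or a stale index, panics inside the manager instead of being logged and skipped; the same unchecked lookup is added in the network_manager.go hunk at -358. The old code indexed the same way, but the refactor now also drives the later add/replace loop from `len(containerNames)`, so a guard placed right after `containerNames` is assigned, such as `if watchedContainer.ContainerIndex >= len(containerNames) { /* log slug and index, then skip this save */ }`, would protect both places. saveProfile begins before this hunk, so I cannot see whether a panic on this path is recovered anywhere.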
@@ -406,16 +406,14 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 }
 logger.L().Debug("ApplicationProfileManager - got seccomp profile", helpers.Interface("profile", seccompProfile))
 existingContainer = &v1beta1.ApplicationProfileContainer{
- Name: watchedContainer.ContainerNames[watchedContainer.ContainerType][watchedContainer.ContainerIndex],
+ Name: containerNames[watchedContainer.ContainerIndex],
 Execs: make([]v1beta1.ExecCalls, 0),
 Opens: make([]v1beta1.OpenCalls, 0),
 Capabilities: make([]string, 0),
 Syscalls: make([]string, 0),
 SeccompProfile: seccompProfile,
 }
- addContainer = true
 }
- // update it
 utils.EnrichApplicationProfileContainer(existingContainer, capabilities, observedSyscalls, execs, opens)
 
 // get existing containers
@@ -428,55 +426,44 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 existingContainers = existingObject.Spec.EphemeralContainers
 }
 // replace or add container using patch
- switch {
- case existingContainers == nil:
- // 3a. insert a new container slice, with the new container at the right index
- containers := make([]v1beta1.ApplicationProfileContainer, watchedContainer.ContainerIndex+1)
- containers[watchedContainer.ContainerIndex] = *existingContainer
+ // 3a. ensure we have a container slice
+ if existingContainers == nil {
 replaceOperations = append(replaceOperations, utils.PatchOperation{
 Op: "add",
 Path: fmt.Sprintf("/spec/%s", watchedContainer.ContainerType),
- Value: containers,
+ Value: make([]v1beta1.ApplicationProfileContainer, 0),
 })
- case addContainer:
- // 3b. insert a new container at the right index
- for i := len(existingContainers); i < watchedContainer.ContainerIndex; i++ {
- name := watchedContainer.ContainerNames[watchedContainer.ContainerType][i]
- seccompProfile, err := am.seccompManager.GetSeccompProfile(name, watchedContainer.SeccompProfilePath)
- if err != nil {
- logger.L().Ctx(ctx).Error("ApplicationProfileManager - failed to get seccomp profile", helpers.Error(err),
- helpers.String("slug", slug),
- helpers.Int("container index", watchedContainer.ContainerIndex),
- helpers.String("container ID", watchedContainer.ContainerID),
- helpers.String("k8s workload", watchedContainer.K8sContainerID))
- }
- logger.L().Debug("ApplicationProfileManager - got seccomp profile", helpers.Interface("profile", seccompProfile))
- replaceOperations = append(replaceOperations, utils.PatchOperation{
- Op: "add",
- Path: fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, i),
- Value: v1beta1.ApplicationProfileContainer{
- Name: watchedContainer.ContainerNames[watchedContainer.ContainerType][i],
- Execs: make([]v1beta1.ExecCalls, 0),
- Opens: make([]v1beta1.OpenCalls, 0),
- Capabilities: make([]string, 0),
- Syscalls: make([]string, 0),
- SeccompProfile: seccompProfile,
- },
- })
+ }
+ // 3b. ensure the slice has all the containers
+ for i := len(existingContainers); i < len(containerNames); i++ {
+ name := containerNames[i]
+ seccompProfile, err := am.seccompManager.GetSeccompProfile(name, watchedContainer.SeccompProfilePath)
+ if err != nil {
+ logger.L().Ctx(ctx).Error("ApplicationProfileManager - failed to get seccomp profile", helpers.Error(err),
+ helpers.String("slug", slug),
+ helpers.Int("container index", watchedContainer.ContainerIndex),
+ helpers.String("container ID", watchedContainer.ContainerID),
+ helpers.String("k8s workload", watchedContainer.K8sContainerID))
 }
 replaceOperations = append(replaceOperations, utils.PatchOperation{
- Op: "add",
- Path: fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, watchedContainer.ContainerIndex),
- Value: existingContainer,
- })
- default:
- // 3c. replace the existing container at the right index
- replaceOperations = append(replaceOperations, utils.PatchOperation{
- Op: "replace",
- Path: fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, watchedContainer.ContainerIndex),
- Value: existingContainer,
+ Op: "add",
+ Path: fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, i),
+ Value: v1beta1.ApplicationProfileContainer{
+ Name: name,
+ Execs: make([]v1beta1.ExecCalls, 0),
+ Opens: make([]v1beta1.OpenCalls, 0),
+ Capabilities: make([]string, 0),
+ Syscalls: make([]string, 0),
+ SeccompProfile: seccompProfile,
+ },
 })
 }
+ // 3c. replace the existing container at the right index
+ replaceOperations = append(replaceOperations, utils.PatchOperation{
+ Op: "replace",
+ Path: fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, watchedContainer.ContainerIndex),
+ Value: existingContainer,
+ })
 replaceOperations = utils.AppendStatusAnnotationPatchOperations(replaceOperations, watchedContainer)
 
 if len(existingObject.Spec.Architectures) == 0 {
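Review bot: Inside the new 3b loop the error log still reports `helpers.Int("container index", watchedContainer.ContainerIndex)`, but the lookup that failed is for loop index `i` and `name`, so a seccomp-profile failure on a sibling container is attributed to the watched one; use `helpers.Int("container index", i)` and add `helpers.String("container name", name)`. After that log the loop goes on to append a container whose SeccompProfile is whatever the failed call returned, as the old 3b path also did, so the partial result is persisted without any marker — a comment at the `if err != nil` stating that this is intended, or an explicit decision to skip the entry, would make the behaviour deliberate. Also, when `watchedContainer.ContainerIndex` is at or past `len(existingContainers)` the loop fetches a profile and emits an `add` for that index which 3c immediately `replace`s; the result is correct but the GetSeccompProfile call for that index is redundant. saveProfile starts and ends outside this hunk.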
@@ -502,7 +489,6 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 helpers.String("k8s workload", watchedContainer.K8sContainerID))
 return
 }
-
 if err := am.storageClient.PatchApplicationProfile(slug, namespace, patch, watchedContainer.SyncChannel); err != nil {
 gotErr = err
 logger.L().Ctx(ctx).Error("ApplicationProfileManager - failed to patch application profile", helpers.Error(err),
diff --git a/pkg/networkmanager/v2/network_manager.go b/pkg/networkmanager/v2/network_manager.go
index dab912a5..646d8195 100644
--- a/pkg/networkmanager/v2/network_manager.go
+++ b/pkg/networkmanager/v2/network_manager.go
@@ -358,14 +358,13 @@ func (nm *NetworkManager) saveNetworkEvents(ctx context.Context, watchedContaine
 helpers.String("k8s workload", watchedContainer.K8sContainerID))
 } else {
 var replaceOperations []utils.PatchOperation
+ containerNames := watchedContainer.ContainerNames[watchedContainer.ContainerType]
 // check existing container
 existingContainer := utils.GetNetworkNeighborhoodContainer(existingObject, watchedContainer.ContainerType, watchedContainer.ContainerIndex)
- var addContainer bool
 if existingContainer == nil {
 existingContainer = &v1beta1.NetworkNeighborhoodContainer{
- Name: watchedContainer.ContainerNames[watchedContainer.ContainerType][watchedContainer.ContainerIndex],
+ Name: containerNames[watchedContainer.ContainerIndex],
 }
- addContainer = true
 }
 // update it
 utils.EnrichNeighborhoodContainer(existingContainer, ingress, egress)
@@ -379,40 +378,30 @@ func (nm *NetworkManager) saveNetworkEvents(ctx context.Context, watchedContaine
 existingContainers = existingObject.Spec.EphemeralContainers
 }
 // replace or add container using patch
- switch {
- case existingContainers == nil:
- // 3a. insert a new container slice, with the new container at the right index
- containers := make([]v1beta1.NetworkNeighborhoodContainer, watchedContainer.ContainerIndex+1)
- containers[watchedContainer.ContainerIndex] = *existingContainer
+ // 3a. ensure we have a container slice
+ if existingContainers == nil {
 replaceOperations = append(replaceOperations, utils.PatchOperation{
 Op: "add",
 Path: fmt.Sprintf("/spec/%s", watchedContainer.ContainerType),
- Value: containers,
+ Value: make([]v1beta1.NetworkNeighborhoodContainer, 0),
 })
- case addContainer:
- // 3b. insert a new container at the right index
- for i := len(existingContainers); i < watchedContainer.ContainerIndex; i++ {
- replaceOperations = append(replaceOperations, utils.PatchOperation{
- Op: "add",
- Path: fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, i),
- Value: v1beta1.NetworkNeighborhoodContainer{
- Name: watchedContainer.ContainerNames[watchedContainer.ContainerType][i],
- },
- })
- }
- replaceOperations = append(replaceOperations, utils.PatchOperation{
- Op: "add",
- Path: fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, watchedContainer.ContainerIndex),
- Value: existingContainer,
- })
- default:
- // 3c. replace the existing container at the right index
+ }
+ // 3b. ensure the slice has all the containers
+ for i := len(existingContainers); i < len(containerNames); i++ {
 replaceOperations = append(replaceOperations, utils.PatchOperation{
- Op: "replace",
- Path: fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, watchedContainer.ContainerIndex),
- Value: existingContainer,
+ Op: "add",
+ Path: fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, i),
+ Value: v1beta1.NetworkNeighborhoodContainer{
+ Name: containerNames[i],
+ },
 })
 }
+ // 3c. replace the existing container at the right index
+ replaceOperations = append(replaceOperations, utils.PatchOperation{
+ Op: "replace",
+ Path: fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, watchedContainer.ContainerIndex),
+ Value: existingContainer,
+ })
 replaceOperations = utils.AppendStatusAnnotationPatchOperations(replaceOperations, watchedContainer)