Merge pull request #297 from kubescape/sbomtoolarge

add support for too large SBOM
kubescape · May 27, 2024 · dd255f4 · dd255f4
2 parents 789d536 + b5e67d8
commit dd255f4
Show file tree

Hide file tree

Showing 8 changed files with 79 additions and 14 deletions.
diff --git a/main.go b/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"node-agent/pkg/healthmanager"
 	"strings"
 
 	"net/http"
@@ -240,6 +241,10 @@ func main() {
 	// Start the prometheusExporter
 	prometheusExporter.Start()
 
+	// Start the health manager
+	healthManager := healthmanager.NewHealthManager(mainHandler)
+	healthManager.Start(ctx)
+
 	// Start the container handler
 	err = mainHandler.Start(ctx)
 	if err != nil {

diff --git a/pkg/containerwatcher/container_watcher_interface.go b/pkg/containerwatcher/container_watcher_interface.go
@@ -5,6 +5,7 @@ import (
 )
 
 type ContainerWatcher interface {
+	Ready() bool
 	Start(ctx context.Context) error
 	Stop()
 }
diff --git a/pkg/containerwatcher/container_watcher_mock.go b/pkg/containerwatcher/container_watcher_mock.go
@@ -6,6 +6,10 @@ import (
 
 type ContainerWatcherMock struct{}
 
+func (c ContainerWatcherMock) Ready() bool {
+	return true
+}
+
 func (c ContainerWatcherMock) Start(_ context.Context) error {
 	return nil
 }

diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go
@@ -332,3 +332,7 @@ func (ch *IGContainerWatcher) Stop() {
 		ch.running = false
 	}
 }
+
+func (ch *IGContainerWatcher) Ready() bool {
+	return ch.running
+}
diff --git a/pkg/healthmanager/health_manager.go b/pkg/healthmanager/health_manager.go
@@ -0,0 +1,52 @@
+package healthmanager
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"node-agent/pkg/containerwatcher/v1"
+	"time"
+
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+)
+
+type HealthManager struct {
+	containerWatcher *containerwatcher.IGContainerWatcher
+	port             int
+}
+
+func NewHealthManager(containerWatcher *containerwatcher.IGContainerWatcher) *HealthManager {
+	return &HealthManager{
+		containerWatcher: containerWatcher,
+		port:             7888,
+	}
+}
+
+func (h *HealthManager) Start(ctx context.Context) {
+	go func() {
+		http.HandleFunc("/livez", h.livenessProbe)
+		http.HandleFunc("/readyz", h.readinessProbe)
+		srv := &http.Server{
+			Addr:         fmt.Sprintf(":%d", h.port),
+			WriteTimeout: 15 * time.Second,
+			ReadTimeout:  15 * time.Second,
+		}
+		logger.L().Info("starting health manager", helpers.Int("port", h.port))
+		if err := srv.ListenAndServe(); err != nil {
+			logger.L().Ctx(ctx).Fatal("failed to start health manager", helpers.Error(err), helpers.Int("port", h.port))
+		}
+	}()
+}
+
+func (h *HealthManager) livenessProbe(w http.ResponseWriter, _ *http.Request) {
+	w.WriteHeader(http.StatusOK)
+}
+
+func (h *HealthManager) readinessProbe(w http.ResponseWriter, _ *http.Request) {
+	if h.containerWatcher.Ready() {
+		w.WriteHeader(http.StatusOK)
+	} else {
+		w.WriteHeader(http.StatusInternalServerError)
+	}
+}
diff --git a/pkg/malwaremanager/v1/malware_manager.go b/pkg/malwaremanager/v1/malware_manager.go
@@ -30,7 +30,7 @@ const ScannedFilesMaxBufferLength = 10000
 type MalwareManager struct {
 	scannedFiles         maps.SafeMap[string, mapset.Set[string]]
 	containerIdToPid     maps.SafeMap[string, uint32]
-	podToWlid            maps.SafeMap[string, string]
+	podToWlid            maps.SafeMap[string, string] // key is namespace/podName
 	exporter             exporters.Exporter
 	metrics              metricsmanager.MetricsManager
 	k8sClient            k8sclient.K8sClientInterface
@@ -74,12 +74,13 @@ func (mm *MalwareManager) ContainerCallback(notif containercollection.PubSubEven
 	switch notif.Type {
 	case containercollection.EventTypeAddContainer:
 		mm.containerIdToPid.Set(notif.Container.Runtime.ContainerID, notif.Container.Pid)
-		if !mm.podToWlid.Has(notif.Container.K8s.PodName) {
+		podID := utils.CreateK8sPodID(notif.Container.K8s.Namespace, notif.Container.K8s.PodName)
+		if !mm.podToWlid.Has(podID) {
 			w, err := mm.getWorkloadIdentifier(notif.Container.K8s.Namespace, notif.Container.K8s.PodName)
 			if err != nil {
 				logger.L().Debug("MalwareManager - failed to get workload identifier", helpers.Error(err), helpers.String("k8s workload", notif.Container.K8s.PodName))
 			} else {
-				mm.podToWlid.Set(notif.Container.K8s.PodName, w)
+				mm.podToWlid.Set(podID, w)
 			}
 		}
 		shim, err := utils.GetProcessStat(int(notif.Container.Pid))
@@ -92,7 +93,7 @@ func (mm *MalwareManager) ContainerCallback(notif containercollection.PubSubEven
 		mm.containerIdToPid.Delete(notif.Container.Runtime.ContainerID)
 		t.Stop()
 		mm.scannedFiles.Delete(notif.Container.Runtime.ContainerID)
-		mm.podToWlid.Delete(notif.Container.K8s.PodName)
+		mm.podToWlid.Delete(utils.CreateK8sPodID(notif.Container.K8s.Namespace, notif.Container.K8s.PodName))
 		mm.containerIdToShimPid.Delete(notif.Container.Runtime.ContainerID)
 	}
 
@@ -136,7 +137,8 @@ func (mm *MalwareManager) getWorkloadIdentifier(podNamespace, podName string) (s
 func (mm *MalwareManager) ReportFileExec(_ string, event tracerexectype.Event) {
 	for _, scanner := range mm.malwareScanners {
 		if result := scanner.Scan(utils.ExecveEventType, &event, mm.containerIdToPid.Get(event.Runtime.ContainerID)); result != nil {
-			result.SetWorkloadDetails(mm.podToWlid.Get(event.GetPod()))
+			result = mm.enrichMalwareResult(result)
+			result.SetWorkloadDetails(mm.podToWlid.Get(utils.CreateK8sPodID(event.GetNamespace(), event.GetPod())))
 			mm.exporter.SendMalwareAlert(result)
 		}
 	}
@@ -179,8 +181,8 @@ func (mm *MalwareManager) ReportFileOpen(_ string, event traceropentype.Event) {
 
 	for _, scanner := range mm.malwareScanners {
 		if result := scanner.Scan(utils.OpenEventType, &event, mm.containerIdToPid.Get(event.Runtime.ContainerID)); result != nil {
-			result.SetWorkloadDetails(mm.podToWlid.Get(event.GetPod()))
 			result = mm.enrichMalwareResult(result)
+			result.SetWorkloadDetails(mm.podToWlid.Get(utils.CreateK8sPodID(event.GetNamespace(), event.GetPod())))
 			mm.exporter.SendMalwareAlert(result)
 			mm.metrics.ReportRuleAlert(result.GetBasicRuntimeAlert().AlertName)
 		}

diff --git a/pkg/rulemanager/v1/rule_manager.go b/pkg/rulemanager/v1/rule_manager.go
@@ -399,8 +399,8 @@ func (rm *RuleManager) processEvent(eventType utils.EventType, event interface{}
 
 		res := rule.ProcessEvent(eventType, event, rm.objectCache)
 		if res != nil {
-			res.SetWorkloadDetails(rm.podToWlid.Get(utils.CreateK8sPodID(res.GetRuntimeAlertK8sDetails().Namespace, res.GetRuntimeAlertK8sDetails().PodName)))
 			res = rm.enrichRuleFailure(res)
+			res.SetWorkloadDetails(rm.podToWlid.Get(utils.CreateK8sPodID(res.GetRuntimeAlertK8sDetails().Namespace, res.GetRuntimeAlertK8sDetails().PodName)))
 			rm.exporter.SendRuleAlert(res)
 			rm.metrics.ReportRuleAlert(rule.Name())
 		}

diff --git a/pkg/sbomhandler/syfthandler/syft_handler.go b/pkg/sbomhandler/syfthandler/syft_handler.go
@@ -52,11 +52,8 @@ func (sc *SyftHandler) FilterSBOM(watchedContainer *utils.WatchedContainerData,
 	// check SBOM is complete
 	if syftData.Annotations != nil {
 		if status, ok := syftData.Annotations[helpersv1.StatusMetadataKey]; ok {
-			if status == helpersv1.Incomplete {
-				watchedContainer.SyncChannel <- utils.IncompleteSBOMError
-			}
-			// dwertent
-			if status == helpersv1.Unauthorize {
+			switch status {
+			case helpersv1.Incomplete, helpersv1.TooLarge, helpersv1.Unauthorize:
 				watchedContainer.SyncChannel <- utils.IncompleteSBOMError
 			}
 		}
@@ -206,10 +203,10 @@ func filterRelevantFilesInSBOM(watchedContainer *utils.WatchedContainerData, syf
 
 }
 
-func (sc *SyftHandler) IncrementImageUse(imageID string) {
+func (sc *SyftHandler) IncrementImageUse(_ string) {
 
 }
-func (sc *SyftHandler) DecrementImageUse(imageID string) {
+func (sc *SyftHandler) DecrementImageUse(_ string) {
 
 }