fix permissions

Signed-off-by: Aryan-sharma11 <[email protected]>
kubearmor · Feb 6, 2025 · 253ace0 · 253ace0
1 parent d325cfd
commit 253ace0
Show file tree

Hide file tree

Showing 9 changed files with 61 additions and 160 deletions.
diff --git a/deployments/get/objects.go b/deployments/get/objects.go
@@ -612,13 +612,8 @@ func GetKubeArmorControllerClusterRole() *rbacv1.ClusterRole {
 			},
 			{
 				APIGroups: []string{"apps"},
-				Resources: []string{"deployments", "statefulsets", "daemonsets"},
-				Verbs:     []string{"get", "list", "watch", "update"},
-			},
-			{
-				APIGroups: []string{"apps"},
-				Resources: []string{"replicasets"},
-				Verbs:     []string{"get", "list"},
+				Resources: []string{"deployments", "statefulsets", "daemonsets", "replicasets"},
+				Verbs:     []string{"get", "update"},
 			},
 
 			{

diff --git a/deployments/helm/KubeArmor/templates/RBAC/roles.yaml b/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
@@ -104,10 +104,9 @@ rules:
   - deployments
   - statefulsets
   - daemonsets
+  - replicasets
   verbs:
   - get
-  - list
-  - watch  
   - update  
 - apiGroups:
   - security.kubearmor.com

diff --git a/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml b/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
@@ -161,18 +161,10 @@ rules:
   - deployments
   - statefulsets
   - daemonsets
-  verbs:
-  - get
-  - list
-  - watch  
-  - update
-- apiGroups:
-  - "apps"
-  resources:
   - replicasets
   verbs:
   - get
-  - list
+  - update
 - apiGroups:
   - ""
   resources:

diff --git a/pkg/KubeArmorController/cmd/main.go b/pkg/KubeArmorController/cmd/main.go
@@ -170,10 +170,10 @@ func main() {
 	})
 	setupLog.Info("Adding pod refresher controller")
 	if err = (&controllers.PodRefresherReconciler{
-		Client:  mgr.GetClient(),
-		Scheme:  mgr.GetScheme(),
-		Cluster: &cluster,
-		Corev1:  client,
+		Client:    mgr.GetClient(),
+		Scheme:    mgr.GetScheme(),
+		Cluster:   &cluster,
+		ClientSet: client,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Pod")
 		os.Exit(1)

diff --git a/pkg/KubeArmorController/common/common.go b/pkg/KubeArmorController/common/common.go
@@ -15,11 +15,10 @@ import (
 
 const k8sVisibility = "process,file,network,capabilities"
 const appArmorAnnotation = "container.apparmor.security.beta.kubernetes.io/"
-const KubeArmorRestartedAnnotation = "kubearmor.io/restarted"
-const KubeArmorForceAppArmorAnnotation = "kubearmor.io/force-apparmor"
+const KubeArmorRestartedAnnotation = "kubearmor.kubernetes.io/restartedAt"
 
 // == Add AppArmor annotations == //
-func AppArmorAnnotator(pod *corev1.Pod) {
+func AppArmorAnnotator(pod *corev1.Pod, binding *corev1.Binding, isBinding bool) {
 	podAnnotations := map[string]string{}
 	var podOwnerName string
 
@@ -67,146 +66,57 @@ func AppArmorAnnotator(pod *corev1.Pod) {
 		if v == "unconfined" {
 			continue
 		}
-		pod.Annotations[appArmorAnnotation+k] = "localhost/" + v
-	}
-}
-func AddCommonAnnotations(pod *corev1.Pod) {
-	if pod.Annotations == nil {
-		pod.Annotations = map[string]string{}
-	}
-
-	// == Policy == //
-
-	if _, ok := pod.Annotations["kubearmor-policy"]; !ok {
-		// if no annotation is set enable kubearmor by default
-		pod.Annotations["kubearmor-policy"] = "enabled"
-	} else if pod.Annotations["kubearmor-policy"] != "enabled" && pod.Annotations["kubearmor-policy"] != "disabled" && pod.Annotations["kubearmor-policy"] != "audited" {
-		// if kubearmor policy is not set correctly, default it to enabled
-		pod.Annotations["kubearmor-policy"] = "enabled"
-	}
-	// == Exception == //
-
-	// exception: kubernetes app
-	if pod.Namespace == "kube-system" {
-		if _, ok := pod.Labels["k8s-app"]; ok {
-			pod.Annotations["kubearmor-policy"] = "audited"
+		if isBinding {
+			binding.Annotations[appArmorAnnotation+k] = "localhost/" + v
+		} else {
+			pod.Annotations[appArmorAnnotation+k] = "localhost/" + v
 		}
-
-		if value, ok := pod.Labels["component"]; ok {
-			if value == "etcd" || value == "kube-apiserver" || value == "kube-controller-manager" || value == "kube-scheduler" || value == "kube-proxy" {
-				pod.Annotations["kubearmor-policy"] = "audited"
-			}
-		}
-	}
-
-	// exception: cilium-operator
-	if _, ok := pod.Labels["io.cilium/app"]; ok {
-		pod.Annotations["kubearmor-policy"] = "audited"
-	}
-
-	// exception: kubearmor
-	if _, ok := pod.Labels["kubearmor-app"]; ok {
-		pod.Annotations["kubearmor-policy"] = "audited"
-	}
-
-	// == Visibility == //
-
-	if _, ok := pod.Annotations["kubearmor-visibility"]; !ok {
-		pod.Annotations["kubearmor-visibility"] = k8sVisibility
 	}
 }
-func AddCommonAnnotationsbinding(pod *corev1.Binding) {
-	if pod.Annotations == nil {
-		pod.Annotations = map[string]string{}
+func AddCommonAnnotations(obj *metav1.ObjectMeta) {
+
+	if obj.Annotations == nil {
+		obj.Annotations = map[string]string{}
 	}
 
 	// == Policy == //
 
-	if _, ok := pod.Annotations["kubearmor-policy"]; !ok {
+	if _, ok := obj.Annotations["kubearmor-policy"]; !ok {
 		// if no annotation is set enable kubearmor by default
-		pod.Annotations["kubearmor-policy"] = "enabled"
-	} else if pod.Annotations["kubearmor-policy"] != "enabled" && pod.Annotations["kubearmor-policy"] != "disabled" && pod.Annotations["kubearmor-policy"] != "audited" {
+		obj.Annotations["kubearmor-policy"] = "enabled"
+	} else if obj.Annotations["kubearmor-policy"] != "enabled" && obj.Annotations["kubearmor-policy"] != "disabled" && obj.Annotations["kubearmor-policy"] != "audited" {
 		// if kubearmor policy is not set correctly, default it to enabled
-		pod.Annotations["kubearmor-policy"] = "enabled"
+		obj.Annotations["kubearmor-policy"] = "enabled"
 	}
 	// == Exception == //
 
 	// exception: kubernetes app
-	if pod.Namespace == "kube-system" {
-		if _, ok := pod.Labels["k8s-app"]; ok {
-			pod.Annotations["kubearmor-policy"] = "audited"
+	if obj.Namespace == "kube-system" {
+		if _, ok := obj.Labels["k8s-app"]; ok {
+			obj.Annotations["kubearmor-policy"] = "audited"
 		}
 
-		if value, ok := pod.Labels["component"]; ok {
+		if value, ok := obj.Labels["component"]; ok {
 			if value == "etcd" || value == "kube-apiserver" || value == "kube-controller-manager" || value == "kube-scheduler" || value == "kube-proxy" {
-				pod.Annotations["kubearmor-policy"] = "audited"
+				obj.Annotations["kubearmor-policy"] = "audited"
 			}
 		}
 	}
 
 	// exception: cilium-operator
-	if _, ok := pod.Labels["io.cilium/app"]; ok {
-		pod.Annotations["kubearmor-policy"] = "audited"
+	if _, ok := obj.Labels["io.cilium/app"]; ok {
+		obj.Annotations["kubearmor-policy"] = "audited"
 	}
 
 	// exception: kubearmor
-	if _, ok := pod.Labels["kubearmor-app"]; ok {
-		pod.Annotations["kubearmor-policy"] = "audited"
+	if _, ok := obj.Labels["kubearmor-app"]; ok {
+		obj.Annotations["kubearmor-policy"] = "audited"
 	}
 
 	// == Visibility == //
 
-	if _, ok := pod.Annotations["kubearmor-visibility"]; !ok {
-		pod.Annotations["kubearmor-visibility"] = k8sVisibility
-	}
-}
-func AppArmorAnnotatorBinding(binding *corev1.Binding, pod *corev1.Pod) {
-	podAnnotations := map[string]string{}
-	var podOwnerName string
-
-	// podOwnerName is the pod name for static pods and parent object's name
-	// in other cases
-	for _, ownerRef := range pod.ObjectMeta.OwnerReferences {
-		// pod is owned by a replicaset, daemonset etc thus we use the managing
-		// controller's name
-		if ownerRef.Controller != nil && *ownerRef.Controller {
-			podOwnerName = ownerRef.Name
-
-			if ownerRef.Kind == "ReplicaSet" {
-				// if it belongs to a replicaset, we also remove the pod template hash
-				podOwnerName = strings.TrimSuffix(podOwnerName, fmt.Sprintf("-%s", pod.ObjectMeta.Labels["pod-template-hash"]))
-			}
-		}
-	}
-	if podOwnerName == "" {
-		// pod is standalone, name remains constant
-		podOwnerName = pod.ObjectMeta.Name
-	}
-	// Get existant kubearmor annotations
-	for k, v := range pod.Annotations {
-		if strings.HasPrefix(k, appArmorAnnotation) {
-			if v == "unconfined" {
-				containerName := strings.Split(k, "/")[1]
-				podAnnotations[containerName] = v
-			} else {
-				containerName := strings.Split(k, "/")[1]
-				podAnnotations[containerName] = strings.Split(v, "/")[1]
-			}
-		}
-	}
-
-	// Get the remaining containers / not addressed explecitly in the annotation
-	for _, container := range pod.Spec.Containers {
-		if _, ok := podAnnotations[container.Name]; !ok {
-			podAnnotations[container.Name] = "kubearmor-" + pod.Namespace + "-" + podOwnerName + "-" + container.Name
-		}
-	}
-	// Add kubearmor annotations to the pod
-	for k, v := range podAnnotations {
-		if v == "unconfined" {
-			continue
-		}
-		binding.Annotations[appArmorAnnotation+k] = "localhost/" + v
+	if _, ok := obj.Annotations["kubearmor-visibility"]; !ok {
+		obj.Annotations["kubearmor-visibility"] = k8sVisibility
 	}
 }
 
@@ -230,13 +140,13 @@ func CheckKubearmorStatus(nodeName string, c *kubernetes.Clientset) (bool, error
 	if err != nil {
 		return false, fmt.Errorf("failed to list pods: %v", err)
 	}
-
 	// Filter Pods by nodeName and return their status.phase
 	for _, pod := range pods.Items {
-		if pod.Spec.NodeName == nodeName && pod.Status.Phase == "Running" {
+		if pod.Spec.NodeName == nodeName {
 			return true, nil
 		}
 	}
+
 	return false, nil
 
 }

diff --git a/pkg/KubeArmorController/handlers/pod_mutation.go b/pkg/KubeArmorController/handlers/pod_mutation.go
@@ -46,7 +46,7 @@ func (a *PodAnnotator) Handle(ctx context.Context, req admission.Request) admiss
 		}
 
 		// == common annotations == //
-		common.AddCommonAnnotationsbinding(binding)
+		common.AddCommonAnnotations(&binding.ObjectMeta)
 
 		pod, err := a.ClientSet.CoreV1().Pods(binding.Namespace).Get(context.TODO(), binding.Name, metav1.GetOptions{})
 		if err != nil {
@@ -64,7 +64,7 @@ func (a *PodAnnotator) Handle(ctx context.Context, req admission.Request) admiss
 		}
 		a.Cluster.ClusterLock.RUnlock()
 		if annotate {
-			common.AppArmorAnnotatorBinding(binding, pod)
+			common.AppArmorAnnotator(pod, binding, true)
 		}
 		// == //
 		// send the mutation response
@@ -87,7 +87,7 @@ func (a *PodAnnotator) Handle(ctx context.Context, req admission.Request) admiss
 			pod.Namespace = req.Namespace
 		}
 		// == common annotations == //
-		common.AddCommonAnnotations(pod)
+		common.AddCommonAnnotations(&pod.ObjectMeta)
 		nodename := pod.Spec.NodeName
 		annotate := false
 		// == Apparmor annotations == //
@@ -100,7 +100,7 @@ func (a *PodAnnotator) Handle(ctx context.Context, req admission.Request) admiss
 		}
 		a.Cluster.ClusterLock.RUnlock()
 		if annotate {
-			common.AppArmorAnnotator(pod)
+			common.AppArmorAnnotator(pod, nil, false)
 		}
 
 	}

diff --git a/pkg/KubeArmorController/informer/nodewatcher.go b/pkg/KubeArmorController/informer/nodewatcher.go
@@ -54,7 +54,7 @@ func NodeWatcher(c *kubernetes.Clientset, cluster *types.Cluster, log logr.Logge
 							}
 							cluster.Nodes[node.Name].KubeArmorActive = kubearmorStatus
 							if !cluster.Nodes[node.Name].KubeArmorActive {
-								log.Info(fmt.Sprintf("kubearmor not found on node %s", node.Name))
+								log.Info(fmt.Sprintf("kubearmor not found on node %s :", node.Name))
 							}
 						}
 						// re-compute homogeneous status
@@ -95,8 +95,10 @@ func NodeWatcher(c *kubernetes.Clientset, cluster *types.Cluster, log logr.Logge
 							delete(cluster.Nodes, node.Name)
 						}
 					}
-
 					if enforcer == "apparmor" {
+						if _, ok := cluster.Nodes[node.Name]; !ok {
+							cluster.Nodes[node.Name] = &types.NodeInfo{}
+						}
 						cluster.Nodes[node.Name].Enforcer = enforcer
 						var err error
 						kubearmorStatus, err := common.CheckKubearmorStatus(node.Name, c)