Comments (5)
Hi @Ankurk99 @daemon1024, I would like to work on this issue. To restate my understanding:
Requirement: If the kubearmor-visibility annotation is set on the node, the karmor probe should display this parameter in its output.
Sample output 1:
```
Node 1 :
OS Image: Ubuntu 20.04.5 LTS
Kernel Version: 5.15.0-52-generic
Kubelet Version: v1.25.2
Container Runtime: docker://20.10.18
Active LSM: AppArmor
Host Security: false
Container Security: true
Container Default Posture: block(File) block(Capabilities) block(Network)
Host Default Posture: block(File) block(Capabilities) block(Network)
==> Host Visibility Level: Process File Capabilities Network
```
Sample Output 2:
```
Node 1 :
.....
Container Default Posture: block(File) block(Capabilities) block(Network)
Host Default Posture: block(File) block(Capabilities) block(Network)
==> Host Visibility Level: Process File
```
Sample Output 3:
```
Node 1 :
.....
Container Default Posture: block(File) block(Capabilities) block(Network)
Host Default Posture: block(File) block(Capabilities) block(Network)
==> Host Visibility Level: None
```
The dev work is to be done on the probe package.
from kubearmor-client.
@legorie Thanks for your interest. Yes, your understanding is correct and the sample outputs are what we expect.
from kubearmor-client.
Hi @legorie, sorry for the late response. Yes, you seem to be on the right track. Can you please create a draft PR with your changes, and then we can make suggestions there?
from kubearmor-client.
Hi @Ankurk99, No worries, thanks for the suggestion. I've created an issue (enhancement) in the core project. If the type and details are okay, please assign this to my name. I'll update the changes to the karmorprobedata.go in that issue.
from kubearmor-client.
Hi @Ankurk99, after initial analysis, it looks like we need to update the code in the core KubeArmor code too, here:
https://github.com/kubearmor/KubeArmor/blob/main/KubeArmor/core/karmorprobedata.go
Edit: 22/11/2022, a few updates after testing
```go
type KarmorData struct {
	OSImage                 string
	KernelVersion           string
	KubeletVersion          string
	ContainerRuntime        string
	ActiveLSM               string
	KernelHeaderPresent     bool
	HostSecurity            bool
	ContainerSecurity       bool
	ContainerDefaultPosture tp.DefaultPosture
	HostDefaultPosture      tp.DefaultPosture
	HostVisibility          string // <===
}

func (dm *KubeArmorDaemon) SetKarmorData() {
	// ....
	kd.HostVisibility = dm.Node.Annotations["kubearmor-visibility"]
}
```
```
$ sudo cat /tmp/karmorProbeData.cfg
{"OSImage":"Ubuntu 22.04.1 LTS","KernelVersion":"5.15.0-53-generic","KubeletVersion":"v1.25.3+k3s1","ContainerRuntime":"containerd://1.6.8-k3s1","ActiveLSM":"AppArmor","KernelHeaderPresent":true,"HostSecurity":true,"ContainerSecurity":true,"ContainerDefaultPosture":{"file":"block","network":"block","capabilties":"block"},"HostDefaultPosture":{"file":"block","network":"block","capabilties":"block"},**"HostVisibility":"process,file,network,capabilities"**}
```
Do you think I'm in the right direction? I would be glad to make the change in the core package too, to test them together.
from kubearmor-client.
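The client-side half of the change discussed in this thread, as an added example that is not part of the thread or of the KubeArmor code base: it decodes the `HostVisibility` field from the probe-data JSON and renders it in the form of the sample outputs. The names `probeData`, `visibilityOrder`, `hostVisibilityLevel` and `fromProbeFile` are hypothetical, and treating an empty or unrecognised value as `None` is an assumption based on Sample Output 3.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// probeData keeps only the field proposed above; other keys are ignored.
type probeData struct{ HostVisibility string }

// Display order taken from "Sample output 1" in the issue.
var visibilityOrder = []string{"process", "file", "capabilities", "network"}

// hostVisibilityLevel maps the raw kubearmor-visibility value (comma-separated)
// to the probe display string. Assumptions: empty or unrecognised input is
// shown as "None", and unknown tokens are dropped rather than echoed.
func hostVisibilityLevel(annotation string) string {
	seen := map[string]bool{}
	for _, tok := range strings.Split(annotation, ",") {
		seen[strings.ToLower(strings.TrimSpace(tok))] = true
	}
	var out []string
	for _, name := range visibilityOrder {
		if seen[name] {
			out = append(out, strings.ToUpper(name[:1])+name[1:])
		}
	}
	if len(out) == 0 {
		return "None"
	}
	return strings.Join(out, " ")
}

// fromProbeFile decodes JSON shaped like the karmorProbeData.cfg dump above.
func fromProbeFile(raw []byte) (string, error) {
	var pd probeData
	if err := json.Unmarshal(raw, &pd); err != nil {
		return "", err
	}
	return hostVisibilityLevel(pd.HostVisibility), nil
}

func main() {
	// Constructed sample, trimmed from the cfg dump quoted in the comment.
	sample := []byte(`{"ActiveLSM":"AppArmor","HostVisibility":"process,file,network,capabilities"}`)
	if level, err := fromProbeFile(sample); err == nil {
		fmt.Println("Host Visibility Level:", level)
	}
}
```

Filtering against a fixed list keeps arbitrary annotation text, which anyone able to patch the node object controls, out of the terminal output.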