Merge pull request #1380 from Aryan-sharma11/systemd-policy

feat(policy): enhance handling of policy additon and deletion in systemd mode

KubeArmor/core/kubeUpdate.go

@@ -20,6 +20,7 @@ import (
 	tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
 	ksp "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1"
 	kspinformer "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/client/informers/externalversions"
+	pb "github.com/kubearmor/KubeArmor/protobuf"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -1435,7 +1436,7 @@ func (dm *KubeArmorDaemon) UpdateHostSecurityPolicies() {
 }
 
 // ParseAndUpdateHostSecurityPolicy Function
-func (dm *KubeArmorDaemon) ParseAndUpdateHostSecurityPolicy(event tp.K8sKubeArmorHostPolicyEvent) {
+func (dm *KubeArmorDaemon) ParseAndUpdateHostSecurityPolicy(event tp.K8sKubeArmorHostPolicyEvent) pb.PolicyStatus {
 	// create a host security policy
 
 	secPolicy := tp.HostSecurityPolicy{}
@@ -1445,7 +1446,7 @@ func (dm *KubeArmorDaemon) ParseAndUpdateHostSecurityPolicy(event tp.K8sKubeArmo
 
 	if err := kl.Clone(event.Object.Spec, &secPolicy.Spec); err != nil {
 		dm.Logger.Errf("Failed to clone a spec (%s)", err.Error())
-		return
+		return pb.PolicyStatus_Failure
 	}
 
 	kl.ObjCommaExpandFirstDupOthers(&secPolicy.Spec.Network.MatchProtocols)
@@ -1843,12 +1844,19 @@ func (dm *KubeArmorDaemon) ParseAndUpdateHostSecurityPolicy(event tp.K8sKubeArmo
 			}
 		}
 	} else if event.Type == "DELETED" {
+		// check that a security policy should exist before performing delete operation
+		policymatch := false
 		for idx, policy := range dm.HostSecurityPolicies {
 			if policy.Metadata["policyName"] == secPolicy.Metadata["policyName"] {
 				dm.HostSecurityPolicies = append(dm.HostSecurityPolicies[:idx], dm.HostSecurityPolicies[idx+1:]...)
+				policymatch = true
 				break
 			}
 		}
+		if !policymatch {
+			dm.Logger.Warnf("Failed to delete security policy. Policy doesn't exist")
+			return pb.PolicyStatus_NotExist
+		}
 	}
 
 	dm.HostSecurityPoliciesLock.Unlock()
@@ -1866,6 +1874,12 @@ func (dm *KubeArmorDaemon) ParseAndUpdateHostSecurityPolicy(event tp.K8sKubeArmo
 			dm.removeBackUpPolicy(secPolicy.Metadata["policyName"])
 		}
 	}
+	if event.Type == "ADDED" {
+		return pb.PolicyStatus_Applied
+	} else if event.Type == "DELETED" {
+		return pb.PolicyStatus_Deleted
+	}
+	return pb.PolicyStatus_Modified
 }
 
 // WatchHostSecurityPolicies Function

KubeArmor/core/unorchestratedUpdates.go

@@ -13,6 +13,7 @@ import (
 	cfg "github.com/kubearmor/KubeArmor/KubeArmor/config"
 	kg "github.com/kubearmor/KubeArmor/KubeArmor/log"
 	tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
+	pb "github.com/kubearmor/KubeArmor/protobuf"
 )
 
 // SetContainerVisibility function enables visibility flag arguments for un-orchestrated container and updates the visibility map
@@ -80,7 +81,8 @@ func (dm *KubeArmorDaemon) MatchandRemoveContainerFromEndpoint(cid string) {
 }
 
 // ParseAndUpdateContainerSecurityPolicy Function
-func (dm *KubeArmorDaemon) ParseAndUpdateContainerSecurityPolicy(event tp.K8sKubeArmorPolicyEvent) {
+func (dm *KubeArmorDaemon) ParseAndUpdateContainerSecurityPolicy(event tp.K8sKubeArmorPolicyEvent) pb.PolicyStatus {
+
 	// create a container security policy
 	secPolicy := tp.SecurityPolicy{}
 
@@ -90,7 +92,7 @@ func (dm *KubeArmorDaemon) ParseAndUpdateContainerSecurityPolicy(event tp.K8sKub
 
 	if err := kl.Clone(event.Object.Spec, &secPolicy.Spec); err != nil {
 		dm.Logger.Errf("Failed to clone a spec (%s)", err.Error())
-		return
+		return pb.PolicyStatus_Failure
 	}
 
 	kl.ObjCommaExpandFirstDupOthers(&secPolicy.Spec.Network.MatchProtocols)
@@ -121,7 +123,7 @@ func (dm *KubeArmorDaemon) ParseAndUpdateContainerSecurityPolicy(event tp.K8sKub
 			containername = v
 		} else {
 			dm.Logger.Warnf("Fail to apply policy. The MatchLabels container name key should be `kubearmor.io/container.name` ")
-			return
+			return pb.PolicyStatus_Invalid
 		}
 	}
 
@@ -455,7 +457,7 @@ func (dm *KubeArmorDaemon) ParseAndUpdateContainerSecurityPolicy(event tp.K8sKub
 	// policy doesn't exist and the policy is being removed
 	if policymatch == 0 && event.Type == "DELETED" {
 		dm.Logger.Warnf("Failed to delete security policy. Policy doesn't exist")
-		return
+		return pb.PolicyStatus_NotExist
 	}
 
 	for idx, policy := range newPoint.SecurityPolicies {
@@ -543,6 +545,13 @@ func (dm *KubeArmorDaemon) ParseAndUpdateContainerSecurityPolicy(event tp.K8sKub
 			dm.removeBackUpPolicy(secPolicy.Metadata["policyName"])
 		}
 	}
+	if event.Type == "ADDED" {
+		return pb.PolicyStatus_Applied
+	} else if event.Type == "DELETED" {
+		return pb.PolicyStatus_Deleted
+	}
+	return pb.PolicyStatus_Modified
+
 }
 
 // ================================= //

KubeArmor/kvmAgent/kvmAgent.go

@@ -31,7 +31,7 @@ type KVMAgent struct {
 	gRPCServer       string
 	gRPCConnection   *grpc.ClientConn
 	gRPCClient       pb.KVMClient
-	UpdateHostPolicy func(tp.K8sKubeArmorHostPolicyEvent)
+	UpdateHostPolicy func(tp.K8sKubeArmorHostPolicyEvent) pb.PolicyStatus
 }
 
 func getgRPCAddress() (string, error) {

KubeArmor/policy/policy.go

@@ -16,8 +16,8 @@ import (
 // ServiceServer provides structure to serve Policy gRPC service
 type ServiceServer struct {
 	pb.PolicyServiceServer
-	UpdateContainerPolicy func(tp.K8sKubeArmorPolicyEvent)
-	UpdateHostPolicy      func(tp.K8sKubeArmorHostPolicyEvent)
+	UpdateContainerPolicy func(tp.K8sKubeArmorPolicyEvent) pb.PolicyStatus
+	UpdateHostPolicy      func(tp.K8sKubeArmorHostPolicyEvent) pb.PolicyStatus
 }
 
 // ContainerPolicy accepts container events on gRPC and update container security policies
@@ -31,20 +31,18 @@ func (p *ServiceServer) ContainerPolicy(c context.Context, data *pb.Policy) (*pb
 
 		if policyEvent.Object.Metadata.Name != "" {
 
-			p.UpdateContainerPolicy(policyEvent)
-
-			res.Status = 1
+			res.Status = p.UpdateContainerPolicy(policyEvent)
 
 		} else {
-
+			res.Status = pb.PolicyStatus_Invalid
 			kg.Warn("Empty Container Policy Event")
-
-			res.Status = 0
 		}
 
 	} else {
+
 		kg.Warn("Invalid Container Policy Event")
-		res.Status = 0
+
+		res.Status = pb.PolicyStatus_Invalid
 	}
 
 	return res, nil
@@ -61,21 +59,19 @@ func (p *ServiceServer) HostPolicy(c context.Context, data *pb.Policy) (*pb.Resp
 
 		if policyEvent.Object.Metadata.Name != "" {
 
-			p.UpdateHostPolicy(policyEvent)
-
-			res.Status = 1
+			res.Status = p.UpdateHostPolicy(policyEvent)
 
 		} else {
 
 			kg.Warn("Empty Host Policy Event")
 
-			res.Status = 0
+			res.Status = pb.PolicyStatus_Invalid
 
 		}
 
 	} else {
 		kg.Warn("Invalid Host Policy Event")
-		res.Status = 0
+		res.Status = pb.PolicyStatus_Invalid
 	}
 
 	return res, nil

KubeArmor/types/types.go

@@ -8,6 +8,7 @@ import (
 	"regexp"
 	"time"
 
+	pb "github.com/kubearmor/KubeArmor/protobuf"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -605,4 +606,4 @@ type PidNode struct {
 // =============== //
 
 // KubeArmorHostPolicyEventCallback Function
-type KubeArmorHostPolicyEventCallback func(K8sKubeArmorHostPolicyEvent)
+type KubeArmorHostPolicyEventCallback func(K8sKubeArmorHostPolicyEvent) pb.PolicyStatus