Merge pull request #1772 from Prateeknandle/cluster-level-policy

feat:Adding support for KubeArmorClusterPolicy
kubearmor · Jul 9, 2024 · 5139feb · 5139feb
2 parents 1fc5a38 + c53ff79
commit 5139feb
Show file tree

Hide file tree

Showing 66 changed files with 7,089 additions and 147 deletions.
diff --git a/.github/workflows/ci-test-ginkgo.yml b/.github/workflows/ci-test-ginkgo.yml
@@ -76,10 +76,14 @@ jobs:
             docker save kubearmor/kubearmor-snitch:latest | sudo k3s ctr images import -
           else
             if [ ${{ matrix.runtime }} == "crio" ]; then
-              sudo podman pull docker-daemon:kubearmor/kubearmor-init:latest
-              sudo podman pull docker-daemon:kubearmor/kubearmor:latest
-              sudo podman pull docker-daemon:kubearmor/kubearmor-operator:latest
-              sudo podman pull docker-daemon:kubearmor/kubearmor-snitch:latest
+              docker save kubearmor/kubearmor-init:latest | sudo podman load
+              sudo podman tag localhost/latest:latest docker.io/kubearmor/kubearmor-init:latest
+              docker save kubearmor/kubearmor:latest | sudo podman load
+              sudo podman tag localhost/latest:latest docker.io/kubearmor/kubearmor:latest
+              docker save kubearmor/kubearmor-operator:latest | sudo podman load
+              sudo podman tag localhost/latest:latest docker.io/kubearmor/kubearmor-operator:latest
+              docker save kubearmor/kubearmor-snitch:latest | sudo podman load
+              sudo podman tag localhost/latest:latest docker.io/kubearmor/kubearmor-snitch:latest
             fi
           fi
           helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=latest

diff --git a/.github/workflows/ci-test-ubi-image.yml b/.github/workflows/ci-test-ubi-image.yml
@@ -66,10 +66,10 @@ jobs:
 
       - name: Run KubeArmor
         run: |
-          sudo podman pull docker-daemon:kubearmor/kubearmor-init:latest
-          sudo podman pull docker-daemon:kubearmor/kubearmor-ubi:latest
-          sudo podman pull docker-daemon:kubearmor/kubearmor-operator:latest
-          sudo podman pull docker-daemon:kubearmor/kubearmor-snitch:latest
+          docker save kubearmor/kubearmor-init:latest | sudo podman load
+          docker save kubearmor/kubearmor-ubi:latest | sudo podman load
+          docker save kubearmor/kubearmor-operator:latest | sudo podman load
+          docker save kubearmor/kubearmor-snitch:latest | sudo podman load
           helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=latest
           kubectl get pods -A
           kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator

diff --git a/KubeArmor/Makefile b/KubeArmor/Makefile
@@ -46,6 +46,7 @@ build-test: testall
 .PHONY: run
 run: build
 	cd $(CRDDIR); kubectl apply -f KubeArmorPolicy.yaml
+	cd $(CRDDIR); kubectl apply -f KubeArmorClusterPolicy.yaml
 	cd $(CRDDIR); kubectl apply -f KubeArmorHostPolicy.yaml
 	cd $(CURDIR); sudo rm -f /tmp/kubearmor.log
 	cd $(CURDIR)/BPF; make clean

diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
@@ -725,6 +725,16 @@ func KubeArmor() {
 		}
 		dm.Logger.Print("Started to monitor security policies")
 
+		// watch cluster security policies
+		clusterSecurityPoliciesSynced := dm.WatchClusterSecurityPolicies()
+		if clusterSecurityPoliciesSynced == nil {
+			// destroy the daemon
+			dm.DestroyKubeArmorDaemon()
+
+			return
+		}
+		dm.Logger.Print("Started to monitor cluster security policies")
+
 		// watch default posture
 		defaultPostureSynced := dm.WatchDefaultPosture()
 		if defaultPostureSynced == nil {