
fix: Remove CRI Storage volume and volume mounts (#1507)
Signed-off-by: Anurag Rajawat <[email protected]>
anurag-rajawat authored Nov 22, 2023
1 parent 664647e commit e3cadec
Showing 10 changed files with 20 additions and 455 deletions.
240 changes: 0 additions & 240 deletions deployments/get/defaults.go

Large diffs are not rendered by default.

107 changes: 0 additions & 107 deletions deployments/helm/KubeArmor/values.yaml
Expand Up @@ -136,14 +136,6 @@ kubearmor:
- mountPath: /var/run/containerd/containerd.sock
name: containerd-sock-path
readOnly: true
- mountPath: /run/containerd
mountPropagation: HostToContainer
name: containerd-storage-path
readOnly: true
- mountPath: /var/lib/docker
mountPropagation: HostToContainer
name: docker-storage-path
readOnly: true

volumeMountsDocker:
- mountPath: /usr/src
Expand All @@ -166,10 +158,6 @@ kubearmor:
- mountPath: /var/run/docker.sock
name: docker-sock-path
readOnly: true
- mountPath: /var/lib/docker
mountPropagation: HostToContainer
name: docker-storage-path
readOnly: true

volumeMountsCRIO:
- mountPath: /usr/src
Expand All @@ -192,10 +180,6 @@ kubearmor:
- mountPath: /var/run/crio/crio.sock
name: crio-sock-path
readOnly: true
- mountPath: /var/lib/containers/storage
mountPropagation: HostToContainer
name: crio-storage-path
readOnly: true

volumeMountsMicroK8s:
- mountPath: /usr/src
Expand All @@ -218,10 +202,6 @@ kubearmor:
- mountPath: /var/snap/microk8s/common/run/containerd.sock
name: containerd-sock-path
readOnly: true
- mountPath: /run/containerd
mountPropagation: HostToContainer
name: containerd-storage-path
readOnly: true

volumeMountsK0s:
- mountPath: /usr/src
Expand All @@ -244,9 +224,6 @@ kubearmor:
- mountPath: /var/run/containerd/containerd.sock
name: containerd-sock-path
readOnly: true
- mountPath: /run/containerd
mountPropagation: HostToContainer
name: containerd-storage-path

volumeMountsK3s:
- mountPath: /usr/src
Expand All @@ -269,10 +246,6 @@ kubearmor:
- mountPath: /var/run/containerd/containerd.sock
name: containerd-sock-path
readOnly: true
- mountPath: /run/containerd
mountPropagation: HostToContainer
name: containerd-storage-path
readOnly: true

volumeMountsMinikube:
- mountPath: /usr/src
Expand Down Expand Up @@ -316,14 +289,6 @@ kubearmor:
- mountPath: /var/run/containerd/containerd.sock
name: containerd-sock-path
readOnly: true
- mountPath: /run/containerd
mountPropagation: HostToContainer
name: containerd-storage-path
readOnly: true
- mountPath: /var/lib/docker
mountPropagation: HostToContainer
name: docker-storage-path
readOnly: true

volumeMountsBottleRocket:
- mountPath: /lib/modules
Expand All @@ -346,14 +311,6 @@ kubearmor:
- mountPath: /run/dockershim.sock
name: containerd-sock-path
readOnly: true
- mountPath: /run/containerd
mountPropagation: HostToContainer
name: containerd-storage-path
readOnly: true
- mountPath: /var/lib/docker
mountPropagation: HostToContainer
name: docker-storage-path
readOnly: true

volumeMountsEKS:
- mountPath: /lib/modules
Expand All @@ -376,14 +333,6 @@ kubearmor:
- mountPath: /var/run/containerd/containerd.sock
name: containerd-sock-path
readOnly: true
- mountPath: /run/containerd
mountPropagation: HostToContainer
name: containerd-storage-path
readOnly: true
- mountPath: /var/lib/docker
mountPropagation: HostToContainer
name: docker-storage-path
readOnly: true

volumesGeneric:
- hostPath:
Expand Down Expand Up @@ -418,14 +367,6 @@ kubearmor:
path: /var/run/containerd/containerd.sock
type: Socket
name: containerd-sock-path
- hostPath:
path: /run/containerd
type: DirectoryOrCreate
name: containerd-storage-path
- hostPath:
path: /var/lib/docker
type: DirectoryOrCreate
name: docker-storage-path

volumesDocker:
- hostPath:
Expand Down Expand Up @@ -460,10 +401,6 @@ kubearmor:
path: /var/run/docker.sock
type: Socket
name: docker-sock-path
- hostPath:
path: /var/lib/docker
type: DirectoryOrCreate
name: docker-storage-path

volumesCRIO:
- hostPath:
Expand Down Expand Up @@ -498,10 +435,6 @@ kubearmor:
path: /var/run/crio/crio.sock
type: Socket
name: crio-sock-path
- hostPath:
path: /var/lib/containers/storage
type: DirectoryOrCreate
name: crio-storage-path

volumesMicroK8s:
- hostPath:
Expand Down Expand Up @@ -536,10 +469,6 @@ kubearmor:
path: /var/snap/microk8s/common/run/containerd.sock
type: Socket
name: containerd-sock-path
- hostPath:
path: /var/snap/microk8s/common/run/containerd
type: DirectoryOrCreate
name: containerd-storage-path

volumesK0s:
- hostPath:
Expand Down Expand Up @@ -574,10 +503,6 @@ kubearmor:
path: /run/k0s/containerd.sock
type: Socket
name: containerd-sock-path
- hostPath:
path: /run/k0s/containerd
type: Directory
name: containerd-storage-path

volumesK3s:
- hostPath:
Expand Down Expand Up @@ -612,10 +537,6 @@ kubearmor:
path: /run/k3s/containerd/containerd.sock
type: Socket
name: containerd-sock-path
- hostPath:
path: /run/k3s/containerd
type: DirectoryOrCreate
name: containerd-storage-path

volumesMinikube:
- hostPath:
Expand Down Expand Up @@ -650,10 +571,6 @@ kubearmor:
path: /var/run/docker.sock
type: Socket
name: docker-sock-path
- hostPath:
path: /var/lib/docker
type: DirectoryOrCreate
name: docker-storage-path

volumesGKE:
- hostPath:
Expand Down Expand Up @@ -688,14 +605,6 @@ kubearmor:
path: /var/run/containerd/containerd.sock
type: Socket
name: containerd-sock-path
- hostPath:
path: /run/containerd
type: DirectoryOrCreate
name: containerd-storage-path
- hostPath:
path: /var/lib/docker
type: DirectoryOrCreate
name: docker-storage-path

volumesBottleRocket:
- hostPath:
Expand Down Expand Up @@ -730,14 +639,6 @@ kubearmor:
path: /run/dockershim.sock
type: Socket
name: containerd-sock-path
- hostPath:
path: /run/containerd
type: DirectoryOrCreate
name: containerd-storage-path
- hostPath:
path: /var/lib/docker
type: DirectoryOrCreate
name: docker-storage-path

volumesEKS:
- hostPath:
Expand Down Expand Up @@ -772,11 +673,3 @@ kubearmor:
path: /var/run/containerd/containerd.sock
type: Socket
name: containerd-sock-path
- hostPath:
path: /run/containerd
type: DirectoryOrCreate
name: containerd-storage-path
- hostPath:
path: /var/lib/docker
type: DirectoryOrCreate
name: docker-storage-path
2 changes: 1 addition & 1 deletion deployments/helm/KubeArmorOperator/README.md
Expand Up @@ -100,7 +100,7 @@ service/kubearmor-controller-metrics-service ClusterIP 10.43.241.84 <none
service/kubearmor ClusterIP 10.43.216.156 <none> 32767/TCP 2m53s

NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/kubearmor-bpf-docker-d4651 1 1 1 1 1 kubearmor.io/btf=yes,kubearmor.io/enforcer=bpf,kubearmor.io/runtime-storage=var_lib_docker,kubearmor.io/runtime=docker,kubearmor.io/socket=run_docker.sock,kubernetes.io/os=linux 30s
daemonset.apps/kubearmor-bpf-docker-d4651 1 1 1 1 1 kubearmor.io/btf=yes,kubearmor.io/enforcer=bpf,kubearmor.io/runtime=docker,kubearmor.io/socket=run_docker.sock,kubernetes.io/os=linux 30s

NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/kubearmor-operator 1/1 1 1 11m
8 changes: 0 additions & 8 deletions pkg/KubeArmorOperator/cmd/snitch-cmd/main.go
Expand Up @@ -114,13 +114,6 @@ func snitch() {
Logger.Errorf("Not able to detect runtime")
os.Exit(1)
}
runtimeStorage := runtimepkg.DetectRuntimeStorage(PathPrefix, runtime, *Logger)
if runtimeStorage != "NA" {
Logger.Infof("Detected runtime storage location %s", runtimeStorage)
} else {
Logger.Errorf("Not able to detect runtime storage location")
os.Exit(1)
}

// Check BTF support
btfPresent := enforcer.CheckBtfSupport(PathPrefix, *Logger)
Expand All @@ -131,7 +124,6 @@ func snitch() {
patchNode.Metadata.Labels[common.RuntimeLabel] = runtime
patchNode.Metadata.Labels[common.SocketLabel] = strings.ReplaceAll(socket[1:], "/", "_")
patchNode.Metadata.Labels[common.EnforcerLabel] = nodeEnforcer
patchNode.Metadata.Labels[common.RuntimeStorageLabel] = strings.ReplaceAll(runtimeStorage[1:], "/", "_")
patchNode.Metadata.Labels[common.RandLabel] = rand.String(4)
patchNode.Metadata.Labels[common.BTFLabel] = btfPresent
patch, err := json.Marshal(patchNode)
22 changes: 0 additions & 22 deletions pkg/KubeArmorOperator/common/defaults.go
Expand Up @@ -43,7 +43,6 @@ var OperatorConfigCrd *opv1.KubeArmorConfig
var (
EnforcerLabel string = "kubearmor.io/enforcer"
RuntimeLabel string = "kubearmor.io/runtime"
RuntimeStorageLabel string = "kubearmor.io/runtime-storage"
SocketLabel string = "kubearmor.io/socket"
RandLabel string = "kubearmor.io/rand"
OsLabel string = "kubernetes.io/os"
Expand Down Expand Up @@ -130,7 +129,6 @@ var ContainerRuntimeSocketMap = map[string][]string{
var HostPathDirectory = corev1.HostPathDirectory
var HostPathSocket = corev1.HostPathSocket
var HostPathFile = corev1.HostPathFile
var HostToContainerMountPropagation = corev1.MountPropagationHostToContainer

var EnforcerVolumesMounts = map[string][]corev1.VolumeMount{
"apparmor": {
Expand Down Expand Up @@ -173,26 +171,6 @@ var EnforcerVolumes = map[string][]corev1.Volume{
},
}

var RuntimeStorageVolumes = map[string][]string{
"docker": {
"/var/lib/docker",
},
"cri-o": {
"/var/lib/containers/storage",
},
"containerd": {
"/run/k0s/containerd",
"/run/k3s/containerd",
"/run/containerd",
},
}

var RuntimeStorageLocation = map[string]string{
"docker": "/var/lib/docker",
"containerd": "/run/containerd",
"cri-o": "/var/lib/containers/storage",
}

var RuntimeSocketLocation = map[string]string{
"docker": "/var/run/docker.sock",
"containerd": "/var/run/containerd/containerd.sock",
27 changes: 11 additions & 16 deletions pkg/KubeArmorOperator/internal/controller/cluster.go
Expand Up @@ -43,13 +43,12 @@ type ClusterWatcher struct {
DaemonsetsLock *sync.Mutex
}
type Node struct {
Name string
Enforcer string
Runtime string
RuntimeSocket string
RuntimeStorage string
Arch string
BTF string
Name string
Enforcer string
Runtime string
RuntimeSocket string
Arch string
BTF string
}

func NewClusterWatcher(client *kubernetes.Clientset, log *zap.SugaredLogger, extClient *apiextensionsclientset.Clientset, opv1Client *opv1client.Clientset, pathPrefix, deploy_name string) *ClusterWatcher {
Expand Down Expand Up @@ -120,9 +119,6 @@ func (clusterWatcher *ClusterWatcher) WatchNodes() {
if val, ok := node.Labels[common.SocketLabel]; ok {
newNode.RuntimeSocket = val
}
if val, ok := node.Labels[common.RuntimeStorageLabel]; ok {
newNode.RuntimeStorage = val
}
if val, ok := node.Labels[common.BTFLabel]; ok {
newNode.BTF = val
}
Expand All @@ -143,7 +139,6 @@ func (clusterWatcher *ClusterWatcher) WatchNodes() {
clusterWatcher.Nodes[i].Name != newNode.Name ||
clusterWatcher.Nodes[i].Runtime != newNode.Runtime ||
clusterWatcher.Nodes[i].RuntimeSocket != newNode.RuntimeSocket ||
clusterWatcher.Nodes[i].RuntimeStorage != newNode.RuntimeStorage ||
clusterWatcher.Nodes[i].BTF != newNode.BTF {
clusterWatcher.Nodes[i] = newNode
nodeModified = true
Expand All @@ -152,9 +147,9 @@ func (clusterWatcher *ClusterWatcher) WatchNodes() {
}
clusterWatcher.NodesLock.Unlock()
if nodeModified {
clusterWatcher.UpdateDaemonsets(common.DeleteAction, newNode.Enforcer, newNode.Runtime, newNode.RuntimeSocket, newNode.RuntimeStorage, newNode.BTF)
clusterWatcher.UpdateDaemonsets(common.DeleteAction, newNode.Enforcer, newNode.Runtime, newNode.RuntimeSocket, newNode.BTF)
}
clusterWatcher.UpdateDaemonsets(common.AddAction, newNode.Enforcer, newNode.Runtime, newNode.RuntimeSocket, newNode.RuntimeStorage, newNode.BTF)
clusterWatcher.UpdateDaemonsets(common.AddAction, newNode.Enforcer, newNode.Runtime, newNode.RuntimeSocket, newNode.BTF)
}
} else {
log.Errorf("Cannot convert object to node struct")
Expand All @@ -173,15 +168,15 @@ func (clusterWatcher *ClusterWatcher) WatchNodes() {
}
}
clusterWatcher.NodesLock.Unlock()
clusterWatcher.UpdateDaemonsets(common.DeleteAction, deletedNode.Enforcer, deletedNode.Runtime, deletedNode.RuntimeSocket, deletedNode.RuntimeStorage, deletedNode.BTF)
clusterWatcher.UpdateDaemonsets(common.DeleteAction, deletedNode.Enforcer, deletedNode.Runtime, deletedNode.RuntimeSocket, deletedNode.BTF)
}
},
})

nodeInformer.Run(wait.NeverStop)
}

func (clusterWatcher *ClusterWatcher) UpdateDaemonsets(action, enforcer, runtime, socket, runtimeStorage, btfPresent string) {
func (clusterWatcher *ClusterWatcher) UpdateDaemonsets(action, enforcer, runtime, socket, btfPresent string) {
clusterWatcher.Log.Info("updating daemonset")
daemonsetName := strings.Join([]string{
"kubearmor",
Expand Down Expand Up @@ -217,7 +212,7 @@ func (clusterWatcher *ClusterWatcher) UpdateDaemonsets(action, enforcer, runtime
}
}
if newDaemonSet {
daemonset := generateDaemonset(daemonsetName, enforcer, runtime, socket, runtimeStorage, btfPresent)
daemonset := generateDaemonset(daemonsetName, enforcer, runtime, socket, btfPresent)
_, err := clusterWatcher.Client.AppsV1().DaemonSets(common.Namespace).Create(context.Background(), daemonset, v1.CreateOptions{})
if err != nil {
clusterWatcher.Log.Warnf("Cannot Create daemonset %s, error=%s", daemonsetName, err.Error())
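Review bot: In the nodeModified branch (the common.DeleteAction call right after clusterWatcher.NodesLock.Unlock()), the delete is issued with newNode's enforcer, runtime, socket and BTF values, which is the same tuple the following common.AddAction call creates, while the stored entry was already overwritten by `clusterWatcher.Nodes[i] = newNode` inside the loop; if UpdateDaemonsets keys daemonsets by that tuple (its body continues outside the hunk, and the daemonsetName strings.Join is cut off), the daemonset that served the node's old attributes is never released. Capturing the previous entry before the assignment, e.g. `oldNode := clusterWatcher.Nodes[i]` ahead of `clusterWatcher.Nodes[i] = newNode`, and passing oldNode's fields to the DeleteAction call would address this; this behaviour appears to predate the commit, which only drops the runtimeStorage argument, so it may be out of scope here. Now that storage is no longer part of the tuple, nodes that differed only in storage path collapse onto one daemonset, which looks intended but is worth stating in the commit description. The exported Node type also has no doc comment; a line such as `// Node holds the per-node attributes, read from node labels in WatchNodes, that UpdateDaemonsets uses to select a daemonset.` would help.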
