diff --git a/KubeArmor/Makefile b/KubeArmor/Makefile index fdb55bf62..c2be68516 100644 --- a/KubeArmor/Makefile +++ b/KubeArmor/Makefile @@ -55,7 +55,7 @@ run: build .PHONY: run-container run-container: build cd $(CURDIR); sudo rm -f /tmp/kubearmor.log - cd $(CURDIR); sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableKubeArmorHostPolicy -enableKubeArmorPolicy -k8s=false + cd $(CURDIR); DEBUG=true sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableKubeArmorHostPolicy -enableKubeArmorPolicy -k8s=false -criSocket=unix:///var/run/docker.sock .PHONY: run-host-only run-host-only: build diff --git a/KubeArmor/common/common.go b/KubeArmor/common/common.go index 3271cf720..29e622b86 100644 --- a/KubeArmor/common/common.go +++ b/KubeArmor/common/common.go @@ -9,6 +9,7 @@ import ( "fmt" "io" "net" + "net/url" "os" "os/exec" "path/filepath" @@ -19,6 +20,9 @@ import ( kc "github.com/kubearmor/KubeArmor/KubeArmor/config" kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + "golang.org/x/sys/unix" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -375,6 +379,9 @@ func IsK8sEnv() bool { return false } +// ContainerRuntimeSocketKeys contains FIFO ordered keys of container runtimes +var ContainerRuntimeSocketKeys = []string{"docker", "containerd", "cri-o"} + // ContainerRuntimeSocketMap Structure var ContainerRuntimeSocketMap = map[string][]string{ "docker": { @@ -396,7 +403,7 @@ var ContainerRuntimeSocketMap = map[string][]string{ // GetCRISocket Function func GetCRISocket(ContainerRuntime string) string { - for k := range ContainerRuntimeSocketMap { + for _, k := range ContainerRuntimeSocketKeys { if ContainerRuntime != "" && k != ContainerRuntime { continue } @@ -456,3 +463,61 @@ func WriteToFile(val interface{}, destFile string) error { } return nil } + +// ParseURL with/without scheme and return host, port or error +func ParseURL(address string) (string, string, error) { + var host string + port := "80" + + addr, err := url.Parse(address) + if err != nil || addr.Host == "" { + // URL without scheme + u, repErr := url.ParseRequestURI("http://" + address) + if repErr != nil { + return "", "", fmt.Errorf("Error while parsing URL: %s", err) + } + + addr = u + } + + host = addr.Hostname() + if addr.Port() != "" { + port = addr.Port() + } + + return host, port, nil +} + +// handle gRPC errors +func HandleGRPCErrors(err error) error { + if err == nil { + return nil + } + + if status, ok := status.FromError(err); ok { + switch status.Code() { + case codes.OK: + // noop + return nil + //case codes.Unavailable, codes.Canceled, codes.DeadlineExceeded: + // return status.Err() + default: + return status.Err() + } + } + + return nil +} + +// get boot time +// credits: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/util/boottime_util_linux.go +func GetBootTime() string { + currentTime := time.Now() + + var info unix.Sysinfo_t + if err := unix.Sysinfo(&info); err != nil { + return "" + } + + return currentTime.Add(-time.Duration(info.Uptime) * time.Second).Truncate(time.Second).UTC().String() +} diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go index ab384f50b..b6d14e00d 100644 --- a/KubeArmor/config/config.go +++ b/KubeArmor/config/config.go @@ -50,6 +50,7 @@ type KubearmorConfig struct { EnforcerAlerts bool // policy enforcer DefaultPostureLogs bool // Enable/Disable Default Posture logs for AppArmor LSM + StateAgent bool // enable KubeArmor state agent } // GlobalCfg Global configuration for Kubearmor @@ -84,6 +85,7 @@ const ( BPFFsPath string = "bpfFsPath" EnforcerAlerts string = "enforcerAlerts" ConfigDefaultPostureLogs string = "defaultPostureLogs" + ConfigStateAgent string = "enableKubeArmorStateAgent" ) func readCmdLineParams() { @@ -125,6 +127,8 @@ func readCmdLineParams() { defaultPostureLogs := flag.Bool(ConfigDefaultPostureLogs, true, "Default Posture Alerts (for Apparmor only)") + stateAgent := flag.Bool(ConfigStateAgent, false, "enabling KubeArmor State Agent client") + flags := []string{} flag.VisitAll(func(f *flag.Flag) { kv := fmt.Sprintf("%s:%v", f.Name, f.Value) @@ -171,6 +175,8 @@ func readCmdLineParams() { viper.SetDefault(EnforcerAlerts, *enforcerAlerts) viper.SetDefault(ConfigDefaultPostureLogs, *defaultPostureLogs) + + viper.SetDefault(ConfigStateAgent, *stateAgent) } // LoadConfig Load configuration @@ -198,6 +204,9 @@ func LoadConfig() error { GlobalCfg.Cluster = viper.GetString(ConfigCluster) GlobalCfg.Host = viper.GetString(ConfigHost) + if hostname, err := os.Hostname(); GlobalCfg.Host == "" && err == nil { + GlobalCfg.Host = strings.Split(hostname, ".")[0] + } GlobalCfg.GRPC = viper.GetString(ConfigGRPC) GlobalCfg.LogPath = viper.GetString(ConfigLogPath) @@ -256,6 +265,8 @@ func LoadConfig() error { GlobalCfg.DefaultPostureLogs = viper.GetBool(ConfigDefaultPostureLogs) + GlobalCfg.StateAgent = viper.GetBool(ConfigStateAgent) + kg.Printf("Final Configuration [%+v]", GlobalCfg) return nil diff --git a/KubeArmor/core/containerdHandler.go b/KubeArmor/core/containerdHandler.go index c0886d635..be77b0683 100644 --- a/KubeArmor/core/containerdHandler.go +++ b/KubeArmor/core/containerdHandler.go @@ -9,11 +9,13 @@ import ( "fmt" "os" "strconv" + "strings" "time" kl "github.com/kubearmor/KubeArmor/KubeArmor/common" cfg "github.com/kubearmor/KubeArmor/KubeArmor/config" kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + "github.com/kubearmor/KubeArmor/KubeArmor/state" tp "github.com/kubearmor/KubeArmor/KubeArmor/types" pb "github.com/containerd/containerd/api/services/containers/v1" @@ -132,6 +134,10 @@ func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID s if val, ok := containerLabels["io.kubernetes.pod.name"]; ok { container.EndPointName = val } + } else if val, ok := containerLabels["kubearmor.io/namespace"]; ok { + container.NamespaceName = val + } else { + container.NamespaceName = "container_namespace" } iface, err := typeurl.UnmarshalAny(res.Container.Spec) @@ -169,6 +175,23 @@ func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID s // == // + if cfg.GlobalCfg.StateAgent && !cfg.GlobalCfg.K8sEnv { + container.ContainerImage = res.Container.Image //+ kl.GetSHA256ofImage(inspect.Image) + + container.NodeName = cfg.GlobalCfg.Host + + labels := []string{} + for k, v := range res.Container.Labels { + labels = append(labels, k+"="+v) + } + for k, v := range spec.Annotations { + labels = append(labels, k+"="+v) + } + container.Labels = strings.Join(labels, ",") + } + + // == // + return container, nil } @@ -305,6 +328,11 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai dm.ContainersLock.Unlock() } + if cfg.GlobalCfg.StateAgent { + container.Status = "running" + go dm.StateAgent.PushContainerEvent(container, state.EventAdded) + } + dm.Logger.Printf("Detected a container (added/%.12s/pidns=%d/mntns=%d)", containerID, container.PidNS, container.MntNS) } else if action == "destroy" { @@ -345,6 +373,11 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai dm.RuntimeEnforcer.UnregisterContainer(containerID) } + if cfg.GlobalCfg.StateAgent { + container.Status = "terminated" + go dm.StateAgent.PushContainerEvent(container, state.EventDeleted) + } + dm.Logger.Printf("Detected a container (removed/%.12s/pidns=%d/mntns=%d)", containerID, container.PidNS, container.MntNS) } diff --git a/KubeArmor/core/dockerHandler.go b/KubeArmor/core/dockerHandler.go index 0ffeea9e3..a4c500209 100644 --- a/KubeArmor/core/dockerHandler.go +++ b/KubeArmor/core/dockerHandler.go @@ -10,6 +10,7 @@ import ( "os" "strconv" "strings" + "time" "github.com/docker/docker/api/types" "github.com/docker/docker/api/types/events" @@ -18,6 +19,7 @@ import ( kl "github.com/kubearmor/KubeArmor/KubeArmor/common" cfg "github.com/kubearmor/KubeArmor/KubeArmor/config" kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + "github.com/kubearmor/KubeArmor/KubeArmor/state" tp "github.com/kubearmor/KubeArmor/KubeArmor/types" ) @@ -37,6 +39,9 @@ type DockerVersion struct { type DockerHandler struct { DockerClient *client.Client Version DockerVersion + + // needed for container info + NodeIP string } // NewDockerHandler Function @@ -65,6 +70,8 @@ func NewDockerHandler() (*DockerHandler, error) { docker.DockerClient = DockerClient + docker.NodeIP = kl.GetExternalIPAddr() + kg.Printf("Initialized Docker Handler (version: %s)", clientVersion) return docker, nil @@ -112,6 +119,10 @@ func (dh *DockerHandler) GetContainerInfo(containerID string) (tp.Container, err if val, ok := containerLabels["io.kubernetes.pod.name"]; ok { container.EndPointName = val } + } else if val, ok := containerLabels["kubearmor.io/namespace"]; ok { + container.NamespaceName = val + } else { + container.NamespaceName = "container_namespace" } container.AppArmorProfile = inspect.AppArmorProfile @@ -134,6 +145,48 @@ func (dh *DockerHandler) GetContainerInfo(containerID string) (tp.Container, err // == // + if cfg.GlobalCfg.StateAgent && !cfg.GlobalCfg.K8sEnv { + container.ContainerImage = inspect.Config.Image //+ kl.GetSHA256ofImage(inspect.Image) + + container.NodeName = cfg.GlobalCfg.Host + + labels := []string{} + for k, v := range inspect.Config.Labels { + labels = append(labels, k+"="+v) + } + + if _, ok := containerLabels["kubearmor.io/container.name"]; !ok { + labels = append(labels, "kubearmor.io/container.name="+container.ContainerName) + } + + container.Labels = strings.Join(labels, ",") + + var podIP string + if inspect.HostConfig.NetworkMode.IsNone() || inspect.HostConfig.NetworkMode.IsContainer() { + podIP = "" + } else if inspect.HostConfig.NetworkMode.IsHost() { + podIP = dh.NodeIP + } else if inspect.HostConfig.NetworkMode.IsDefault() { + podIP = inspect.NetworkSettings.Networks["bridge"].IPAddress + } else { + networkName := inspect.HostConfig.NetworkMode.NetworkName() + podIP = inspect.NetworkSettings.Networks[networkName].IPAddress + } + container.ContainerIP = podIP + + // time format used by docker engine is RFC3339Nano + lastUpdatedAt, err := time.Parse(time.RFC3339Nano, inspect.State.StartedAt) + if err == nil { + container.LastUpdatedAt = lastUpdatedAt.UTC().String() + } + // finished at is IsZero until a container exits + timeFinished, err := time.Parse(time.RFC3339Nano, inspect.State.FinishedAt) + if err == nil && !timeFinished.IsZero() && timeFinished.After(lastUpdatedAt) { + lastUpdatedAt = timeFinished + } + + } + return container, nil } @@ -258,6 +311,10 @@ func (dm *KubeArmorDaemon) GetAlreadyDeployedDockerContainers() { dm.ContainersLock.Unlock() } + if cfg.GlobalCfg.StateAgent { + go dm.StateAgent.PushContainerEvent(container, state.EventAdded) + } + if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy { // update NsMap dm.SystemMonitor.AddContainerIDToNsMap(container.ContainerID, container.NamespaceName, container.PidNS, container.MntNS) @@ -358,6 +415,11 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) { dm.ContainersLock.Unlock() } + if cfg.GlobalCfg.StateAgent { + container.Status = "running" + go dm.StateAgent.PushContainerEvent(container, state.EventAdded) + } + dm.Logger.Printf("Detected a container (added/%.12s)", containerID) } else if action == "stop" || action == "destroy" { @@ -399,6 +461,11 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) { } dm.EndPointsLock.Unlock() + if cfg.GlobalCfg.StateAgent { + container.Status = "terminated" + go dm.StateAgent.PushContainerEvent(container, state.EventDeleted) + } + if dm.SystemMonitor != nil && cfg.GlobalCfg.Policy { // update NsMap dm.SystemMonitor.DeleteContainerIDFromNsMap(containerID, container.NamespaceName, container.PidNS, container.MntNS) @@ -406,6 +473,18 @@ func (dm *KubeArmorDaemon) UpdateDockerContainer(containerID, action string) { } dm.Logger.Printf("Detected a container (removed/%.12s)", containerID) + } else if action == "die" && cfg.GlobalCfg.StateAgent { + // handle die - keep map but update state + dm.ContainersLock.Lock() + container, ok := dm.Containers[containerID] + if !ok { + dm.ContainersLock.Unlock() + return + } + dm.ContainersLock.Unlock() + + container.Status = "waiting" + go dm.StateAgent.PushContainerEvent(container, state.EventUpdated) } } diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go index a9cad23ae..34ef082d0 100644 --- a/KubeArmor/core/kubeArmor.go +++ b/KubeArmor/core/kubeArmor.go @@ -16,7 +16,10 @@ import ( cfg "github.com/kubearmor/KubeArmor/KubeArmor/config" kg "github.com/kubearmor/KubeArmor/KubeArmor/log" "github.com/kubearmor/KubeArmor/KubeArmor/policy" + "github.com/kubearmor/KubeArmor/KubeArmor/state" tp "github.com/kubearmor/KubeArmor/KubeArmor/types" + "google.golang.org/grpc/health" + "google.golang.org/grpc/health/grpc_health_v1" "google.golang.org/grpc/reflection" efc "github.com/kubearmor/KubeArmor/KubeArmor/enforcer" @@ -88,11 +91,17 @@ type KubeArmorDaemon struct { // kvm agent KVMAgent *kvm.KVMAgent + // state agent + StateAgent *state.StateAgent + // WgDaemon Handler WgDaemon sync.WaitGroup // system monitor lock MonitorLock *sync.RWMutex + + // health-server + GRPCHealthServer *health.Server } // NewKubeArmorDaemon Function @@ -165,6 +174,13 @@ func (dm *KubeArmorDaemon) DestroyKubeArmorDaemon() { kg.Print("Terminated KubeArmor") } + if dm.StateAgent != nil { + //go dm.StateAgent.PushNodeEvent(dm.Node, state.EventDeleted) + if dm.CloseStateAgent() { + kg.Print("Destroyed StateAgent") + } + } + // wait for a while time.Sleep(time.Second * 1) @@ -300,6 +316,25 @@ func (dm *KubeArmorDaemon) CloseKVMAgent() bool { return true } +// ================= // +// == State Agent == // +// ================= // + +// InitStateAgent Function +func (dm *KubeArmorDaemon) InitStateAgent() bool { + dm.StateAgent = state.NewStateAgent(&dm.Node, dm.NodeLock, dm.Containers, dm.ContainersLock) + return dm.StateAgent != nil +} + +// CloseStateAgent Function +func (dm *KubeArmorDaemon) CloseStateAgent() bool { + if err := dm.StateAgent.DestroyStateAgent(); err != nil { + dm.Logger.Errf("Failed to destory State Agent (%s)", err.Error()) + return false + } + return true +} + // ==================== // // == Signal Handler == // // ==================== // @@ -318,6 +353,18 @@ func GetOSSigChannel() chan os.Signal { return c } +// =================== // +// == Health Server == // +// =================== // +func (dm *KubeArmorDaemon) SetHealthStatus(serviceName string, healthStatus grpc_health_v1.HealthCheckResponse_ServingStatus) bool { + if dm.GRPCHealthServer != nil { + dm.GRPCHealthServer.SetServingStatus(serviceName, healthStatus) + return true + } + + return false +} + // ========== // // == Main == // // ========== // @@ -345,6 +392,8 @@ func KubeArmor() { } } + dm.Node.LastUpdatedAt = kl.GetBootTime() + dm.Node.KernelVersion = kl.GetCommandOutputWithoutErr("uname", []string{"-r"}) dm.Node.KernelVersion = strings.TrimSuffix(dm.Node.KernelVersion, "\n") @@ -429,6 +478,39 @@ func KubeArmor() { // == // + // health server + if dm.Logger.LogServer != nil { + dm.GRPCHealthServer = health.NewServer() + grpc_health_v1.RegisterHealthServer(dm.Logger.LogServer, dm.GRPCHealthServer) + } + + // Init StateAgent + if !dm.K8sEnabled && cfg.GlobalCfg.StateAgent { + dm.NodeLock.Lock() + dm.Node.ClusterName = cfg.GlobalCfg.Cluster + dm.NodeLock.Unlock() + + // initialize state agent + if !dm.InitStateAgent() { + dm.Logger.Err("Failed to initialize State Agent Server") + + // destroy the daemon + dm.DestroyKubeArmorDaemon() + + return + } + dm.Logger.Print("Initialized State Agent Server") + + pb.RegisterStateAgentServer(dm.Logger.LogServer, dm.StateAgent) + dm.SetHealthStatus(pb.StateAgent_ServiceDesc.ServiceName, grpc_health_v1.HealthCheckResponse_SERVING) + } + + if dm.StateAgent != nil { + go dm.StateAgent.PushNodeEvent(dm.Node, state.EventAdded) + } + + // == // + // Containerized workloads with Host if cfg.GlobalCfg.Policy || cfg.GlobalCfg.HostPolicy { // initialize system monitor @@ -634,7 +716,7 @@ func KubeArmor() { } if !dm.K8sEnabled && (enableContainerPolicy || cfg.GlobalCfg.HostPolicy) { - policyService := &policy.ServiceServer{} + policyService := &policy.PolicyServer{} if enableContainerPolicy { policyService.UpdateContainerPolicy = dm.ParseAndUpdateContainerSecurityPolicy dm.Logger.Print("Started to monitor container security policies on gRPC") @@ -645,11 +727,13 @@ func KubeArmor() { dm.Logger.Print("Started to monitor host security policies on gRPC") } pb.RegisterPolicyServiceServer(dm.Logger.LogServer, policyService) + //Enable grpc service to send kubearmor data to client in unorchestrated mode probe := &Probe{} probe.GetContainerData = dm.SetProbeContainerData pb.RegisterProbeServiceServer(dm.Logger.LogServer, probe) + dm.SetHealthStatus(pb.PolicyService_ServiceDesc.ServiceName, grpc_health_v1.HealthCheckResponse_SERVING) } reflection.Register(dm.Logger.LogServer) // Helps grpc clients list out what all svc/endpoints available @@ -657,6 +741,7 @@ func KubeArmor() { // serve log feeds go dm.ServeLogFeeds() dm.Logger.Print("Started to serve gRPC-based log feeds") + dm.SetHealthStatus(pb.LogService_ServiceDesc.ServiceName, grpc_health_v1.HealthCheckResponse_SERVING) // == // go dm.SetKarmorData() diff --git a/KubeArmor/feeder/feeder.go b/KubeArmor/feeder/feeder.go index 9a89b83ab..94b8f8a74 100644 --- a/KubeArmor/feeder/feeder.go +++ b/KubeArmor/feeder/feeder.go @@ -6,7 +6,6 @@ package feeder import ( "bufio" - "context" "encoding/json" "fmt" "net" @@ -24,8 +23,7 @@ import ( "github.com/google/uuid" pb "github.com/kubearmor/KubeArmor/protobuf" "google.golang.org/grpc" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" + "google.golang.org/grpc/keepalive" ) // ============ // @@ -46,245 +44,156 @@ func init() { // == gRPC == // // ========== // -// MsgStruct Structure -type MsgStruct struct { +// EventStruct Structure +type EventStruct[T any] struct { Filter string - Broadcast chan *pb.Message + Broadcast chan *T } -// MsgStructs Map -var MsgStructs map[string]MsgStruct +type EventStructs struct { + MsgStructs map[string]EventStruct[pb.Message] + MsgLock sync.RWMutex -// MsgLock Lock -var MsgLock *sync.RWMutex + AlertStructs map[string]EventStruct[pb.Alert] + AlertLock sync.RWMutex -// AlertStruct Structure -type AlertStruct struct { - Filter string - Broadcast chan *pb.Alert + LogStructs map[string]EventStruct[pb.Log] + LogLock sync.RWMutex } -// AlertStructs Map -var AlertStructs map[string]AlertStruct - -// AlertLock Lock -var AlertLock *sync.RWMutex - -// LogStruct Structure -type LogStruct struct { - Filter string - Broadcast chan *pb.Log -} +// AddMsgStruct Function +func (es *EventStructs) AddMsgStruct(filter string, queueSize int) (string, chan *pb.Message) { + es.MsgLock.Lock() + defer es.MsgLock.Unlock() -// LogStructs Map -var LogStructs map[string]LogStruct + uid := uuid.Must(uuid.NewRandom()).String() + conn := make(chan *pb.Message, queueSize) -// LogLock Lock -var LogLock *sync.RWMutex + msgStruct := EventStruct[pb.Message]{ + Filter: filter, + Broadcast: conn, + } -// LogService Structure -type LogService struct { - // -} + es.MsgStructs[uid] = msgStruct -// HealthCheck Function -func (ls *LogService) HealthCheck(ctx context.Context, nonce *pb.NonceMessage) (*pb.ReplyMessage, error) { - replyMessage := pb.ReplyMessage{Retval: nonce.Nonce} - return &replyMessage, nil + return uid, conn } -// addMsgStruct Function -func (ls *LogService) addMsgStruct(uid string, conn chan *pb.Message, filter string) { - MsgLock.Lock() - defer MsgLock.Unlock() +// RemoveMsgStruct Function +func (es *EventStructs) RemoveMsgStruct(uid string) { + es.MsgLock.Lock() + defer es.MsgLock.Unlock() - msgStruct := MsgStruct{} - msgStruct.Filter = filter - msgStruct.Broadcast = conn - MsgStructs[uid] = msgStruct - - kg.Printf("Added a new client (%s) for WatchMessages", uid) + delete(es.MsgStructs, uid) } -// removeMsgStruct Function -func (ls *LogService) removeMsgStruct(uid string) { - MsgLock.Lock() - defer MsgLock.Unlock() - - delete(MsgStructs, uid) - - kg.Printf("Deleted the client (%s) for WatchMessages", uid) -} +// AddAlertStruct Function +func (es *EventStructs) AddAlertStruct(filter string, queueSize int) (string, chan *pb.Alert) { + es.AlertLock.Lock() + defer es.AlertLock.Unlock() -// WatchMessages Function -func (ls *LogService) WatchMessages(req *pb.RequestMessage, svr pb.LogService_WatchMessagesServer) error { uid := uuid.Must(uuid.NewRandom()).String() - conn := make(chan *pb.Message, QueueSize) - defer close(conn) - ls.addMsgStruct(uid, conn, req.Filter) - defer ls.removeMsgStruct(uid) + conn := make(chan *pb.Alert, queueSize) - for Running { - select { - case <-svr.Context().Done(): - return nil - case resp := <-conn: - if status, ok := status.FromError(svr.Send(resp)); ok { - switch status.Code() { - case codes.OK: - // noop - case codes.Unavailable, codes.Canceled, codes.DeadlineExceeded: - kg.Warnf("Failed to send a message=[%+v] err=[%s]", resp, status.Err().Error()) - return status.Err() - default: - return nil - } - } - } + alertStruct := EventStruct[pb.Alert]{ + Filter: filter, + Broadcast: conn, } - return nil -} + es.AlertStructs[uid] = alertStruct -// addAlertStruct Function -func (ls *LogService) addAlertStruct(uid string, conn chan *pb.Alert, filter string) { - AlertLock.Lock() - defer AlertLock.Unlock() - - alertStruct := AlertStruct{} - alertStruct.Filter = filter - alertStruct.Broadcast = conn - AlertStructs[uid] = alertStruct - - kg.Printf("Added a new client (%s, %s) for WatchAlerts", uid, filter) + return uid, conn } // removeAlertStruct Function -func (ls *LogService) removeAlertStruct(uid string) { - AlertLock.Lock() - defer AlertLock.Unlock() - - delete(AlertStructs, uid) +func (es *EventStructs) RemoveAlertStruct(uid string) { + es.AlertLock.Lock() + defer es.AlertLock.Unlock() - kg.Printf("Deleted the client (%s) for WatchAlerts", uid) + delete(es.AlertStructs, uid) } -// WatchAlerts Function -func (ls *LogService) WatchAlerts(req *pb.RequestMessage, svr pb.LogService_WatchAlertsServer) error { +// addLogStruct Function +func (es *EventStructs) AddLogStruct(filter string, queueSize int) (string, chan *pb.Log) { + es.LogLock.Lock() + defer es.LogLock.Unlock() + uid := uuid.Must(uuid.NewRandom()).String() + conn := make(chan *pb.Log, queueSize) - if req.Filter != "all" && req.Filter != "policy" { - return nil + logStruct := EventStruct[pb.Log]{ + Filter: filter, + Broadcast: conn, } - conn := make(chan *pb.Alert, QueueSize) - defer close(conn) - ls.addAlertStruct(uid, conn, req.Filter) - defer ls.removeAlertStruct(uid) - for Running { - select { - case <-svr.Context().Done(): - return nil - case resp := <-conn: - if status, ok := status.FromError(svr.Send(resp)); ok { - switch status.Code() { - case codes.OK: - // noop - case codes.Unavailable, codes.Canceled, codes.DeadlineExceeded: - kg.Warnf("Failed to send an alert=[%+v] err=[%s]", resp, status.Err().Error()) - return status.Err() - default: - return nil - } - } - } - } - - return nil -} - -// addLogStruct Function -func (ls *LogService) addLogStruct(uid string, conn chan *pb.Log, filter string) { - LogLock.Lock() - defer LogLock.Unlock() + es.LogStructs[uid] = logStruct - logStruct := LogStruct{} - logStruct.Filter = filter - logStruct.Broadcast = conn - LogStructs[uid] = logStruct - - kg.Printf("Added a new client (%s, %s) for WatchLogs", uid, filter) + return uid, conn } // removeLogStruct Function -func (ls *LogService) removeLogStruct(uid string) { - LogLock.Lock() - defer LogLock.Unlock() - - delete(LogStructs, uid) +func (es *EventStructs) RemoveLogStruct(uid string) { + es.LogLock.Lock() + defer es.LogLock.Unlock() - kg.Printf("Deleted the client (%s) for WatchLogs", uid) + delete(es.LogStructs, uid) } -// WatchLogs Function -func (ls *LogService) WatchLogs(req *pb.RequestMessage, svr pb.LogService_WatchLogsServer) error { - uid := uuid.Must(uuid.NewRandom()).String() +// ============ // +// == Feeder == // +// ============ // +type FeederInterface interface { + // Methods - if req.Filter != "all" && req.Filter != "system" { - return nil - } - conn := make(chan *pb.Log, QueueSize) - defer close(conn) - ls.addLogStruct(uid, conn, req.Filter) - defer ls.removeLogStruct(uid) + // How does the feeder pushes logs and messages + PushLog(tp.Log) + PushMessage(string, string) - for Running { - select { - case <-svr.Context().Done(): - return nil - case resp := <-conn: - if status, ok := status.FromError(svr.Send(resp)); ok { - switch status.Code() { - case codes.OK: - // noop - case codes.Unavailable, codes.Canceled, codes.DeadlineExceeded: - kg.Warnf("Failed to send a log=[%+v] err=[%s] CODE=%d", resp, status.Err().Error(), status.Code()) - return status.Err() - default: - return nil - } - } - } - } + // How does this feeder match log with policy + UpdateMatchedPolicy(tp.Log) - return nil + // How this feeder serves log feeds + ServeLogFeeds() } -// ============ // -// == Feeder == // -// ============ // - -// Feeder Structure -type Feeder struct { +type BaseFeeder struct { // node Node *tp.Node NodeLock **sync.RWMutex - // port - Port string + // wait group + WgServer sync.WaitGroup // output Output string LogFile *os.File + // Activated Enforcer + Enforcer string + + // Msg, log and alert connection stores + EventStructs *EventStructs + + // True if feeder and its workers are working + Running bool + + // LogServer // + + // port + Port string + // gRPC listener Listener net.Listener // log server LogServer *grpc.Server +} - // wait group - WgServer sync.WaitGroup +// Feeder Structure +type Feeder struct { + BaseFeeder + + // KubeArmor feeder // // namespace name + endpoint name / host name -> corresponding security policies SecurityPolicies map[string]tp.MatchPolicies @@ -293,24 +202,20 @@ type Feeder struct { // DefaultPosture (namespace -> postures) DefaultPostures map[string]tp.DefaultPosture DefaultPosturesLock *sync.Mutex - - // GKE - IsGKE bool - - // Activated Enforcer - Enforcer string } // NewFeeder Function func NewFeeder(node *tp.Node, nodeLock **sync.RWMutex) *Feeder { fd := &Feeder{} + // base feeder // + // node fd.Node = node fd.NodeLock = nodeLock - // gRPC configuration - fd.Port = fmt.Sprintf(":%s", cfg.GlobalCfg.GRPC) + // set wait group + fd.WgServer = sync.WaitGroup{} // output fd.Output = cfg.GlobalCfg.LogPath @@ -326,6 +231,30 @@ func NewFeeder(node *tp.Node, nodeLock **sync.RWMutex) *Feeder { fd.LogFile = logFile } + // default enforcer + fd.Enforcer = "eBPF Monitor" + + // initialize msg structs + fd.EventStructs = &EventStructs{ + MsgStructs: make(map[string]EventStruct[pb.Message]), + MsgLock: sync.RWMutex{}, + + // initialize alert structs + AlertStructs: make(map[string]EventStruct[pb.Alert]), + AlertLock: sync.RWMutex{}, + + // initialize log structs + LogStructs: make(map[string]EventStruct[pb.Log]), + LogLock: sync.RWMutex{}, + } + + fd.Running = true + + // LogServer // + + // gRPC configuration + fd.Port = fmt.Sprintf(":%s", cfg.GlobalCfg.GRPC) + // listen to gRPC port listener, err := net.Listen("tcp", fd.Port) if err != nil { @@ -359,26 +288,26 @@ func NewFeeder(node *tp.Node, nodeLock **sync.RWMutex) *Feeder { } // create a log server - fd.LogServer = grpc.NewServer() - // register a log service - logService := &LogService{} - pb.RegisterLogServiceServer(fd.LogServer, logService) + logService := &LogService{ + QueueSize: 1000, + Running: &fd.Running, + EventStructs: fd.EventStructs, + } - // initialize msg structs - MsgStructs = make(map[string]MsgStruct) - MsgLock = &sync.RWMutex{} + kaep := keepalive.EnforcementPolicy{ + PermitWithoutStream: true, + } + kasp := keepalive.ServerParameters{ + Time: 1 * time.Second, + Timeout: 5 * time.Second, + } - // initialize alert structs - AlertStructs = make(map[string]AlertStruct) - AlertLock = &sync.RWMutex{} + fd.LogServer = grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp)) - // initialize log structs - LogStructs = make(map[string]LogStruct) - LogLock = &sync.RWMutex{} + pb.RegisterLogServiceServer(fd.LogServer, logService) - // set wait group - fd.WgServer = sync.WaitGroup{} + // Feeder // // initialize security policies fd.SecurityPolicies = map[string]tp.MatchPolicies{} @@ -388,26 +317,13 @@ func NewFeeder(node *tp.Node, nodeLock **sync.RWMutex) *Feeder { fd.DefaultPostures = map[string]tp.DefaultPosture{} fd.DefaultPosturesLock = new(sync.Mutex) - // check if GKE - if kl.IsInK8sCluster() { - if b, err := os.ReadFile(filepath.Clean("/media/root/etc/os-release")); err == nil { - s := string(b) - if strings.Contains(s, "Container-Optimized OS") { - fd.IsGKE = true - } - } - } - - // default enforcer - fd.Enforcer = "eBPF Monitor" - return fd } // DestroyFeeder Function -func (fd *Feeder) DestroyFeeder() error { +func (fd *BaseFeeder) DestroyFeeder() error { // stop gRPC service - Running = false + fd.Running = false // wait for a while time.Sleep(time.Second * 1) @@ -523,7 +439,7 @@ func (fd *Feeder) UpdateEnforcer(enforcer string) { // =============== // // ServeLogFeeds Function -func (fd *Feeder) ServeLogFeeds() { +func (fd *BaseFeeder) ServeLogFeeds() { fd.WgServer.Add(1) defer fd.WgServer.Done() @@ -547,7 +463,8 @@ func (fd *Feeder) PushMessage(level, message string) { pbMsg.Timestamp = timestamp pbMsg.UpdatedTime = updatedTime - pbMsg.ClusterName = cfg.GlobalCfg.Cluster + //pbMsg.ClusterName = cfg.GlobalCfg.Cluster + pbMsg.ClusterName = fd.Node.ClusterName pbMsg.HostName = cfg.GlobalCfg.Host pbMsg.HostIP = fd.Node.NodeIP @@ -557,13 +474,14 @@ func (fd *Feeder) PushMessage(level, message string) { pbMsg.Level = level pbMsg.Message = message - MsgLock.Lock() - defer MsgLock.Unlock() + // broadcast to all logserver and reverselogserver receivers + fd.EventStructs.MsgLock.Lock() + defer fd.EventStructs.MsgLock.Unlock() counter := 0 - lenMsg := len(MsgStructs) - for uid := range MsgStructs { + lenMsg := len(fd.EventStructs.MsgStructs) + for uid := range fd.EventStructs.MsgStructs { select { - case MsgStructs[uid].Broadcast <- &pbMsg: + case fd.EventStructs.MsgStructs[uid].Broadcast <- &pbMsg: default: counter++ if counter == lenMsg { @@ -705,14 +623,14 @@ func (fd *Feeder) PushLog(log tp.Log) { pbAlert.Result = log.Result - AlertLock.Lock() - defer AlertLock.Unlock() + fd.EventStructs.AlertLock.Lock() + defer fd.EventStructs.AlertLock.Unlock() counter := 0 - lenAlert := len(AlertStructs) + lenAlert := len(fd.EventStructs.AlertStructs) - for uid := range AlertStructs { + for uid := range fd.EventStructs.AlertStructs { select { - case AlertStructs[uid].Broadcast <- &pbAlert: + case fd.EventStructs.AlertStructs[uid].Broadcast <- &pbAlert: default: counter++ if counter == lenAlert { @@ -776,13 +694,13 @@ func (fd *Feeder) PushLog(log tp.Log) { pbLog.Result = log.Result - LogLock.Lock() - defer LogLock.Unlock() + fd.EventStructs.LogLock.Lock() + defer fd.EventStructs.LogLock.Unlock() counter := 0 - lenlog := len(LogStructs) - for uid := range LogStructs { + lenlog := len(fd.EventStructs.LogStructs) + for uid := range fd.EventStructs.LogStructs { select { - case LogStructs[uid].Broadcast <- &pbLog: + case fd.EventStructs.LogStructs[uid].Broadcast <- &pbLog: default: counter++ if counter == lenlog { diff --git a/KubeArmor/feeder/logServer.go b/KubeArmor/feeder/logServer.go new file mode 100644 index 000000000..03e45896e --- /dev/null +++ b/KubeArmor/feeder/logServer.go @@ -0,0 +1,125 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of KubeArmor + +package feeder + +import ( + "context" + "fmt" + + kl "github.com/kubearmor/KubeArmor/KubeArmor/common" + kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + pb "github.com/kubearmor/KubeArmor/protobuf" +) + +// LogService struct holds the state of feeder's log server +type LogService struct { + QueueSize int + EventStructs *EventStructs + Running *bool +} + +// HealthCheck Function +// Deprecated: use the server created with google.golang.org/grpc/health/grpc_health_v1 +func (ls *LogService) HealthCheck(ctx context.Context, nonce *pb.NonceMessage) (*pb.ReplyMessage, error) { + replyMessage := pb.ReplyMessage{Retval: nonce.Nonce} + return &replyMessage, nil +} + +// WatchMessages Function +func (ls *LogService) WatchMessages(req *pb.RequestMessage, svr pb.LogService_WatchMessagesServer) error { + if ls.Running == nil { + return fmt.Errorf("Feeder is not running") + } + + uid, conn := ls.EventStructs.AddMsgStruct(req.Filter, ls.QueueSize) + kg.Printf("Added a new client (%s) for WatchMessages", uid) + + defer func() { + close(conn) + ls.EventStructs.RemoveMsgStruct(uid) + kg.Printf("Deleted the client (%s) for WatchMessages", uid) + }() + + for *ls.Running { + select { + case <-svr.Context().Done(): + return nil + case resp := <-conn: + if err := kl.HandleGRPCErrors(svr.Send(resp)); err != nil { + kg.Warnf("Failed to send a message=[%+v] err=[%s]", resp, err.Error()) + return err + } + } + } + + return nil +} + +// WatchAlerts Function +func (ls *LogService) WatchAlerts(req *pb.RequestMessage, svr pb.LogService_WatchAlertsServer) error { + if ls.Running == nil { + return fmt.Errorf("Feeder is not running") + } + + if req.Filter != "all" && req.Filter != "policy" { + return nil + } + + uid, conn := ls.EventStructs.AddAlertStruct(req.Filter, ls.QueueSize) + kg.Printf("Added a new client (%s, %s) for WatchAlerts", uid, req.Filter) + + defer func() { + close(conn) + ls.EventStructs.RemoveAlertStruct(uid) + kg.Printf("Deleted the client (%s) for WatchAlerts", uid) + }() + + for *ls.Running { + select { + case <-svr.Context().Done(): + return nil + case resp := <-conn: + if err := kl.HandleGRPCErrors(svr.Send(resp)); err != nil { + kg.Warnf("Failed to send an alert=[%+v] err=[%s]", resp, err.Error()) + return err + } + } + } + + return nil +} + +// WatchLogs Function +func (ls *LogService) WatchLogs(req *pb.RequestMessage, svr pb.LogService_WatchLogsServer) error { + if ls.Running == nil { + return fmt.Errorf("Feeder is not running") + } + + if req.Filter != "all" && req.Filter != "system" { + return nil + } + + uid, conn := ls.EventStructs.AddLogStruct(req.Filter, ls.QueueSize) + kg.Printf("Added a new client (%s, %s) for WatchLogs", uid, req.Filter) + + defer func() { + close(conn) + ls.EventStructs.RemoveLogStruct(uid) + kg.Printf("Deleted the client (%s) for WatchLogs", uid) + }() + + for *ls.Running { + select { + case <-svr.Context().Done(): + return nil + case resp := <-conn: + if err := kl.HandleGRPCErrors(svr.Send(resp)); err != nil { + kg.Warnf("Failed to send a log=[%+v] err=[%s]", resp, err.Error()) + return err + } + } + } + + return nil +} diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go index 27c896247..c3d71a5d0 100644 --- a/KubeArmor/feeder/policyMatcher.go +++ b/KubeArmor/feeder/policyMatcher.go @@ -19,7 +19,7 @@ import ( // == Security Policies == // // ======================= // -// GetProtocolFromName() Function +// GetProtocolFromName function gets protocol name from visibility data func GetProtocolFromName(proto string) string { switch strings.ToLower(proto) { case "tcp": @@ -202,12 +202,12 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i match.Resource = npt.Protocol match.ResourceType = "Protocol" + // TODO: Handle cases where AppArmor network enforcement is not present + // https://github.com/kubearmor/KubeArmor/issues/1285 if policyEnabled == tp.KubeArmorPolicyAudited && npt.Action == "Allow" { match.Action = "Audit (" + npt.Action + ")" } else if policyEnabled == tp.KubeArmorPolicyAudited && npt.Action == "Block" { match.Action = "Audit (" + npt.Action + ")" - } else if policyEnabled == tp.KubeArmorPolicyEnabled && fd.IsGKE && npt.Action == "Block" { - match.Action = "Audit (" + npt.Action + ")" } else { match.Action = npt.Action } diff --git a/KubeArmor/go.mod b/KubeArmor/go.mod index 10de20e11..9184d2c43 100644 --- a/KubeArmor/go.mod +++ b/KubeArmor/go.mod @@ -32,14 +32,15 @@ require ( github.com/containerd/typeurl/v2 v2.1.1 github.com/docker/docker v24.0.7+incompatible github.com/golang/protobuf v1.5.3 - github.com/google/uuid v1.3.0 + github.com/google/uuid v1.3.1 github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20230510133055-4e30a28b6352 github.com/kubearmor/KubeArmor/protobuf v0.0.0-20230510133055-4e30a28b6352 github.com/opencontainers/runtime-spec v1.1.0-rc.2 github.com/spf13/viper v1.15.0 go.uber.org/zap v1.24.0 - golang.org/x/sys v0.10.0 - google.golang.org/grpc v1.56.3 + golang.org/x/sys v0.16.0 + google.golang.org/grpc v1.60.1 + google.golang.org/protobuf v1.32.0 k8s.io/api v0.27.1 k8s.io/apimachinery v0.27.1 k8s.io/client-go v0.27.1 @@ -102,19 +103,18 @@ require ( github.com/subosito/gotenv v1.4.2 // indirect go.uber.org/atomic v1.11.0 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/crypto v0.9.0 // indirect + golang.org/x/crypto v0.18.0 // indirect golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect golang.org/x/mod v0.10.0 // indirect - golang.org/x/net v0.10.0 // indirect - golang.org/x/oauth2 v0.8.0 // indirect - golang.org/x/term v0.8.0 // indirect - golang.org/x/text v0.9.0 // indirect + golang.org/x/net v0.20.0 // indirect + golang.org/x/oauth2 v0.13.0 // indirect + golang.org/x/term v0.16.0 // indirect + golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.9.1 // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect - google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect - google.golang.org/protobuf v1.30.0 // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/KubeArmor/go.sum b/KubeArmor/go.sum index e919bcc0d..243c1b589 100644 --- a/KubeArmor/go.sum +++ b/KubeArmor/go.sum @@ -201,8 +201,8 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJY github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= @@ -369,8 +369,8 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g= -golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -445,8 +445,8 @@ golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -456,8 +456,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY= +golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -469,7 +469,7 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI= +golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -515,13 +515,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= -golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= +golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -531,9 +531,10 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -622,8 +623,9 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= @@ -662,8 +664,8 @@ google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 h1:6GQBEOdGkX6MMTLT9V+TjtIRZCw9VPD5Z+yHY9wMgS0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97/go.mod h1:v7nGkzlmW8P3n/bKmWBn2WpBjpOEx8Q6gMueudAmKfY= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -683,8 +685,8 @@ google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA5 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc= -google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU= +google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -698,8 +700,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= +google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/KubeArmor/policy/policy.go b/KubeArmor/policy/policy.go index 897609e1f..6f9457fa1 100644 --- a/KubeArmor/policy/policy.go +++ b/KubeArmor/policy/policy.go @@ -13,15 +13,15 @@ import ( pb "github.com/kubearmor/KubeArmor/protobuf" ) -// ServiceServer provides structure to serve Policy gRPC service -type ServiceServer struct { +// PolicyServer provides structure to serve Policy gRPC service +type PolicyServer struct { pb.PolicyServiceServer UpdateContainerPolicy func(tp.K8sKubeArmorPolicyEvent) pb.PolicyStatus UpdateHostPolicy func(tp.K8sKubeArmorHostPolicyEvent) pb.PolicyStatus } // ContainerPolicy accepts container events on gRPC and update container security policies -func (p *ServiceServer) ContainerPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) { +func (p *PolicyServer) ContainerPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) { policyEvent := tp.K8sKubeArmorPolicyEvent{} res := new(pb.Response) @@ -49,7 +49,7 @@ func (p *ServiceServer) ContainerPolicy(c context.Context, data *pb.Policy) (*pb } // HostPolicy accepts host policy event on gRPC service and updates host security policies. It responds with 1 if success else 0. -func (p *ServiceServer) HostPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) { +func (p *PolicyServer) HostPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) { policyEvent := tp.K8sKubeArmorHostPolicyEvent{} res := new(pb.Response) diff --git a/KubeArmor/state/data.go b/KubeArmor/state/data.go new file mode 100644 index 000000000..6eb03db99 --- /dev/null +++ b/KubeArmor/state/data.go @@ -0,0 +1,160 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of KubeArmor + +package state + +import ( + "encoding/json" + "time" + + kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + "github.com/kubearmor/KubeArmor/KubeArmor/types" + tp "github.com/kubearmor/KubeArmor/KubeArmor/types" + pb "github.com/kubearmor/KubeArmor/protobuf" +) + +// PushContainerEvent function pushes (container + pod) event +func (sa *StateAgent) PushContainerEvent(container tp.Container, event string) { + if container.ContainerID == "" { + kg.Debug("Error while pushing container event. Missing data.") + return + } + + // create ns first + namespace := container.NamespaceName + sa.KubeArmorNamespacesLock.Lock() + if event == EventAdded { + // create this kubearmor ns if it doesn't exist + // currently only "container_namespace" until we have config agent + if ns, ok := sa.KubeArmorNamespaces[namespace]; !ok { + nsObj := types.Namespace{ + Name: namespace, + // no way to change ns annotations in non-kubernetes mode right now + // thus use defaults + KubearmorFilePosture: "audit", + KubearmorNetworkPosture: "audit", + LastUpdatedAt: container.LastUpdatedAt, + + ContainerCount: 1, + } + sa.KubeArmorNamespaces[namespace] = nsObj + + sa.PushNamespaceEvent(nsObj, EventAdded) + } else { + // update the container count + ns.ContainerCount++ + sa.KubeArmorNamespaces[namespace] = ns + } + + } else if event == EventDeleted { + if ns, ok := sa.KubeArmorNamespaces[namespace]; ok { + ns.ContainerCount-- + sa.KubeArmorNamespaces[namespace] = ns + + // delete ns if no containers left in it + if ns.ContainerCount == 0 { + ns.LastUpdatedAt = time.Now().UTC().String() + sa.PushNamespaceEvent(ns, EventDeleted) + delete(sa.KubeArmorNamespaces, namespace) + } + } + + } + sa.KubeArmorNamespacesLock.Unlock() + + containerBytes, err := json.Marshal(container) + if err != nil { + kg.Warnf("Error while trying to marshal container data: %s", err.Error()) + return + } + + containerEvent := &pb.StateEvent{ + Kind: KindContainer, + Type: event, + Name: container.ContainerName, + Object: containerBytes, + } + + // skip sending message as no state receiver is connected + if sa.StateEventChans == nil { + return + } + + for uid, conn := range sa.StateEventChans { + select { + case conn <- containerEvent: + default: + kg.Debugf("Failed to send container %s event to connection: %s", event, uid) + return + } + } + + return +} + +// PushNodeEvent function pushes node event +func (sa *StateAgent) PushNodeEvent(node tp.Node, event string) { + if node.NodeName == "" { + kg.Warn("Received empty node event") + return + } + + nodeData, err := json.Marshal(node) + if err != nil { + kg.Warnf("Error while trying to marshal node data: %s", err.Error()) + return + } + + nodeEvent := &pb.StateEvent{ + Kind: KindNode, + Type: event, + Name: node.NodeName, + Object: nodeData, + } + + // skip sending message as no state receiver is connected + if sa.StateEventChans == nil { + return + } + + for uid, conn := range sa.StateEventChans { + select { + case conn <- nodeEvent: + default: + kg.Debugf("Failed to send node %s event to connection: %s", event, uid) + return + } + } + + return +} + +// PushNamespaceEvent function pushes namespace event +func (sa *StateAgent) PushNamespaceEvent(namespace tp.Namespace, event string) { + nsBytes, err := json.Marshal(namespace) + if err != nil { + kg.Warnf("Failed to marshal ns event: %s", err.Error()) + return + } + + nsEvent := &pb.StateEvent{ + Kind: KindNamespace, + Type: event, + Name: namespace.Name, + Object: nsBytes, + } + + // skip sending message as no state receiver is connected + if sa.StateEventChans == nil { + return + } + + for uid, conn := range sa.StateEventChans { + select { + case conn <- nsEvent: + default: + kg.Debugf("Failed to send namespace %s event to connection: %s", event, uid) + return + } + } +} diff --git a/KubeArmor/state/stateAgent.go b/KubeArmor/state/stateAgent.go new file mode 100644 index 000000000..8e1c6e754 --- /dev/null +++ b/KubeArmor/state/stateAgent.go @@ -0,0 +1,192 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of KubeArmor + +// package state implements the state agent service which reports details about the node and containers being protected by KubeArmor +package state + +import ( + "encoding/json" + "sync" + "time" + + "github.com/google/uuid" + kl "github.com/kubearmor/KubeArmor/KubeArmor/common" + kg "github.com/kubearmor/KubeArmor/KubeArmor/log" + "github.com/kubearmor/KubeArmor/KubeArmor/types" + tp "github.com/kubearmor/KubeArmor/KubeArmor/types" + pb "github.com/kubearmor/KubeArmor/protobuf" + "google.golang.org/protobuf/types/known/emptypb" +) + +const ( + stateEventBufferSize = 25 + + // EventAdded denotes an add event + EventAdded = "added" + // EventUpdated denotes an update event + EventUpdated = "updated" + // EventDeleted denotes an delete event + EventDeleted = "deleted" + + // KindContainer denotes a container kind + KindContainer = "container" + // KindPod denotes a pod kind + KindPod = "pod" + // KindNode denotes a node kind + KindNode = "node" + // KindNamespace denotes a namespace kind + KindNamespace = "namespace" +) + +// StateAgent reports the state of containers/nodes protected by KubeArmor +type StateAgent struct { + Running bool + + StateEventChans map[string]chan *pb.StateEvent + StateEventChansLock *sync.RWMutex + + Node *tp.Node + NodeLock *sync.RWMutex + + Containers map[string]tp.Container + ContainersLock *sync.RWMutex + + KubeArmorNamespaces map[string]types.Namespace + KubeArmorNamespacesLock *sync.RWMutex +} + +// NewStateAgent returns a new initialized state agent +func NewStateAgent(node *tp.Node, nodeLock *sync.RWMutex, containers map[string]tp.Container, containersLock *sync.RWMutex) *StateAgent { + return &StateAgent{ + Running: true, + + StateEventChans: make(map[string]chan *pb.StateEvent), + StateEventChansLock: new(sync.RWMutex), + + Node: node, + NodeLock: nodeLock, + + Containers: containers, + ContainersLock: containersLock, + + KubeArmorNamespaces: make(map[string]tp.Namespace), + KubeArmorNamespacesLock: new(sync.RWMutex), + } +} + +// add new channel for broadcast +func (sa *StateAgent) addStateEventChan() (string, chan *pb.StateEvent) { + uid := uuid.Must(uuid.NewRandom()).String() + conn := make(chan *pb.StateEvent, stateEventBufferSize) + + sa.StateEventChansLock.Lock() + sa.StateEventChans[uid] = conn + sa.StateEventChansLock.Unlock() + + return uid, conn +} + +// close chan and delete connection +func (sa *StateAgent) removeStateEventChan(uid string) { + sa.StateEventChansLock.Lock() + close(sa.StateEventChans[uid]) + delete(sa.StateEventChans, uid) + sa.StateEventChansLock.Unlock() +} + +// WatchState sends state events in a continuous stream +func (sa *StateAgent) WatchState(msg *emptypb.Empty, srv pb.StateAgent_WatchStateServer) error { + uid, conn := sa.addStateEventChan() + kg.Printf("Added a new client (%s) for WatchState", uid) + + defer func() { + sa.removeStateEventChan(uid) + kg.Printf("Deleted client (%s) for WatchState", uid) + }() + + for sa.Running { + select { + case <-srv.Context().Done(): + return nil + case event := <-conn: + if err := kl.HandleGRPCErrors(srv.Send(event)); err != nil { + kg.Warnf("Failed to send state event to WatchState client %s: %s", uid, err.Error()) + return err + } + } + } + + return nil +} + +// GetState sends current state upon request +func (sa *StateAgent) GetState(msg *emptypb.Empty, srv pb.StateAgent_GetStateServer) error { + stateEventList := make([]*pb.StateEvent, 0) + + nodeData, err := json.Marshal(sa.Node) + if err != nil { + kg.Warnf("Error while trying to marshal node data: %s", err.Error()) + } + + nodeEvent := &pb.StateEvent{ + Kind: KindNode, + Type: EventAdded, + Name: sa.Node.NodeName, + Object: nodeData, + } + stateEventList = append(stateEventList, nodeEvent) + + sa.KubeArmorNamespacesLock.RLock() + for nsName, ns := range sa.KubeArmorNamespaces { + nsBytes, err := json.Marshal(ns) + if err != nil { + kg.Warnf("Failed to marshal ns %s event: %s", nsName, err.Error()) + } + + nsEvent := &pb.StateEvent{ + Kind: KindNamespace, + Type: EventAdded, + Name: nsName, + Object: nsBytes, + } + + stateEventList = append(stateEventList, nsEvent) + } + sa.KubeArmorNamespacesLock.RUnlock() + + for _, container := range sa.Containers { + containerBytes, err := json.Marshal(container) + if err != nil { + kg.Warnf("Error while trying to marshal container %.6s data: %s", container.ContainerID, err.Error()) + } + + containerEvent := &pb.StateEvent{ + Kind: KindContainer, + Type: EventAdded, + Name: container.ContainerName, + Object: containerBytes, + } + + stateEventList = append(stateEventList, containerEvent) + } + + stateEvents := &pb.StateEvents{ + StateEvents: stateEventList, + } + + err = srv.Send(stateEvents) + if err := kl.HandleGRPCErrors(err); err != nil { + kg.Warnf("Failed to send state events to GetState: ", err.Error()) + return err + } + + return nil +} + +// DestroyStateAgent destroys the referenced state agent +func (sa *StateAgent) DestroyStateAgent() error { + sa.Running = false + time.Sleep(1 * time.Second) + + return nil +} diff --git a/KubeArmor/types/types.go b/KubeArmor/types/types.go index f40fd30d0..85e9db320 100644 --- a/KubeArmor/types/types.go +++ b/KubeArmor/types/types.go @@ -37,6 +37,14 @@ type Container struct { // == // + NodeName string `json:"node_name"` + ProtocolPort string `json:"protocolPort"` + Status string `json:"status"` + ContainerIP string `json:"container_ip"` + LastUpdatedAt string `json:"last_updated_at"` + + // == // + PolicyEnabled int `json:"policyEnabled"` ProcessVisibilityEnabled bool `json:"processVisibilityEnabled"` @@ -52,6 +60,17 @@ type PodOwner struct { Namespace string `json:"namespace,omitempty"` } +// Namespace struct +type Namespace struct { + Name string `json:"name,omitempty"` + Labels string `json:"labels,omitempty"` + KubearmorFilePosture string `json:"kubearmor_file_posture,omitempty"` + KubearmorNetworkPosture string `json:"kubearmor_network_posture,omitempty"` + LastUpdatedAt string `json:"last_updated_at,omitempty"` + + ContainerCount int `json:"container_count,omitempty"` +} + // EndPoint Structure type EndPoint struct { NamespaceName string `json:"namespaceName"` @@ -101,6 +120,10 @@ type Node struct { // == // + LastUpdatedAt string `json:"last_updated_at"` + + // == // + PolicyEnabled int `json:"policyEnabled"` ProcessVisibilityEnabled bool `json:"processVisibilityEnabled"` diff --git a/pkg/KubeArmorOperator/go.mod b/pkg/KubeArmorOperator/go.mod index 4a811281a..3c13b2dfd 100644 --- a/pkg/KubeArmorOperator/go.mod +++ b/pkg/KubeArmorOperator/go.mod @@ -37,7 +37,7 @@ require ( github.com/google/gnostic v0.6.9 // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/uuid v1.3.0 // indirect + github.com/google/uuid v1.3.1 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect @@ -59,14 +59,14 @@ require ( github.com/subosito/gotenv v1.4.2 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect - golang.org/x/net v0.14.0 // indirect - golang.org/x/oauth2 v0.8.0 // indirect - golang.org/x/sys v0.11.0 // indirect - golang.org/x/term v0.11.0 // indirect - golang.org/x/text v0.12.0 // indirect + golang.org/x/net v0.20.0 // indirect + golang.org/x/oauth2 v0.13.0 // indirect + golang.org/x/sys v0.16.0 // indirect + golang.org/x/term v0.16.0 // indirect + golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect - google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.30.0 // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/protobuf v1.32.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/pkg/KubeArmorOperator/go.sum b/pkg/KubeArmorOperator/go.sum index a9a902e90..061a9a2f4 100644 --- a/pkg/KubeArmorOperator/go.sum +++ b/pkg/KubeArmorOperator/go.sum @@ -155,8 +155,8 @@ github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= @@ -251,6 +251,7 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= @@ -269,6 +270,7 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -305,6 +307,7 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -339,8 +342,9 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= -golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -350,8 +354,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY= +golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -362,6 +366,7 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -399,12 +404,15 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= -golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0= -golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= +golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -414,8 +422,9 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= -golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -470,6 +479,7 @@ golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -500,8 +510,9 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= @@ -572,8 +583,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= +google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/protobuf/Makefile b/protobuf/Makefile index d0e3179a0..2474cef5c 100644 --- a/protobuf/Makefile +++ b/protobuf/Makefile @@ -3,7 +3,7 @@ CURDIR=$(shell pwd) -PROTOS:=kubearmor.proto kvm.proto policy.proto +PROTOS:=kubearmor.proto kvm.proto policy.proto state.proto PBGO:=$(PROTOS:.proto=.pb.go) .PHONY: build diff --git a/protobuf/go.mod b/protobuf/go.mod index 76e7ce9ed..668a149dd 100644 --- a/protobuf/go.mod +++ b/protobuf/go.mod @@ -11,14 +11,14 @@ replace ( ) require ( - github.com/golang/protobuf v1.5.3 - google.golang.org/grpc v1.56.3 - google.golang.org/protobuf v1.30.0 + google.golang.org/grpc v1.60.1 + google.golang.org/protobuf v1.32.0 ) require ( - golang.org/x/net v0.10.0 // indirect - golang.org/x/sys v0.8.0 // indirect - golang.org/x/text v0.9.0 // indirect - google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect + github.com/golang/protobuf v1.5.3 // indirect + golang.org/x/net v0.20.0 // indirect + golang.org/x/sys v0.16.0 // indirect + golang.org/x/text v0.14.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect ) diff --git a/protobuf/kubearmor.pb.go b/protobuf/kubearmor.pb.go index 7d415f6b5..555645838 100644 --- a/protobuf/kubearmor.pb.go +++ b/protobuf/kubearmor.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 -// protoc v3.12.4 +// protoc-gen-go v1.31.0 +// protoc v4.25.1 // source: kubearmor.proto package protobuf @@ -1035,25 +1035,10 @@ var file_kubearmor_proto_rawDesc = []byte{ 0x32, 0x0a, 0x09, 0x57, 0x61, 0x74, 0x63, 0x68, 0x4c, 0x6f, 0x67, 0x73, 0x12, 0x16, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x0b, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, - 0x67, 0x30, 0x01, 0x32, 0xf0, 0x01, 0x0a, 0x0e, 0x50, 0x75, 0x73, 0x68, 0x4c, 0x6f, 0x67, 0x53, - 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x39, 0x0a, 0x0b, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, - 0x43, 0x68, 0x65, 0x63, 0x6b, 0x12, 0x14, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4e, - 0x6f, 0x6e, 0x63, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x14, 0x2e, 0x66, 0x65, - 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, - 0x65, 0x12, 0x39, 0x0a, 0x0c, 0x50, 0x75, 0x73, 0x68, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, - 0x73, 0x12, 0x0f, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, - 0x67, 0x65, 0x1a, 0x14, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, - 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x28, 0x01, 0x30, 0x01, 0x12, 0x35, 0x0a, 0x0a, - 0x50, 0x75, 0x73, 0x68, 0x41, 0x6c, 0x65, 0x72, 0x74, 0x73, 0x12, 0x0d, 0x2e, 0x66, 0x65, 0x65, - 0x64, 0x65, 0x72, 0x2e, 0x41, 0x6c, 0x65, 0x72, 0x74, 0x1a, 0x14, 0x2e, 0x66, 0x65, 0x65, 0x64, - 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x28, - 0x01, 0x30, 0x01, 0x12, 0x31, 0x0a, 0x08, 0x50, 0x75, 0x73, 0x68, 0x4c, 0x6f, 0x67, 0x73, 0x12, - 0x0b, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, 0x67, 0x1a, 0x14, 0x2e, 0x66, - 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, - 0x67, 0x65, 0x28, 0x01, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, - 0x75, 0x62, 0x65, 0x41, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x67, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, + 0x41, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -1079,29 +1064,21 @@ var file_kubearmor_proto_goTypes = []interface{}{ (*ReplyMessage)(nil), // 6: feeder.ReplyMessage } var file_kubearmor_proto_depIdxs = []int32{ - 2, // 0: feeder.Alert.Owner:type_name -> feeder.Podowner - 2, // 1: feeder.Log.Owner:type_name -> feeder.Podowner - 0, // 2: feeder.LogService.HealthCheck:input_type -> feeder.NonceMessage - 5, // 3: feeder.LogService.WatchMessages:input_type -> feeder.RequestMessage - 5, // 4: feeder.LogService.WatchAlerts:input_type -> feeder.RequestMessage - 5, // 5: feeder.LogService.WatchLogs:input_type -> feeder.RequestMessage - 0, // 6: feeder.PushLogService.HealthCheck:input_type -> feeder.NonceMessage - 1, // 7: feeder.PushLogService.PushMessages:input_type -> feeder.Message - 3, // 8: feeder.PushLogService.PushAlerts:input_type -> feeder.Alert - 4, // 9: feeder.PushLogService.PushLogs:input_type -> feeder.Log - 6, // 10: feeder.LogService.HealthCheck:output_type -> feeder.ReplyMessage - 1, // 11: feeder.LogService.WatchMessages:output_type -> feeder.Message - 3, // 12: feeder.LogService.WatchAlerts:output_type -> feeder.Alert - 4, // 13: feeder.LogService.WatchLogs:output_type -> feeder.Log - 6, // 14: feeder.PushLogService.HealthCheck:output_type -> feeder.ReplyMessage - 6, // 15: feeder.PushLogService.PushMessages:output_type -> feeder.ReplyMessage - 6, // 16: feeder.PushLogService.PushAlerts:output_type -> feeder.ReplyMessage - 6, // 17: feeder.PushLogService.PushLogs:output_type -> feeder.ReplyMessage - 10, // [10:18] is the sub-list for method output_type - 2, // [2:10] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 2, // 0: feeder.Alert.Owner:type_name -> feeder.Podowner + 2, // 1: feeder.Log.Owner:type_name -> feeder.Podowner + 0, // 2: feeder.LogService.HealthCheck:input_type -> feeder.NonceMessage + 5, // 3: feeder.LogService.WatchMessages:input_type -> feeder.RequestMessage + 5, // 4: feeder.LogService.WatchAlerts:input_type -> feeder.RequestMessage + 5, // 5: feeder.LogService.WatchLogs:input_type -> feeder.RequestMessage + 6, // 6: feeder.LogService.HealthCheck:output_type -> feeder.ReplyMessage + 1, // 7: feeder.LogService.WatchMessages:output_type -> feeder.Message + 3, // 8: feeder.LogService.WatchAlerts:output_type -> feeder.Alert + 4, // 9: feeder.LogService.WatchLogs:output_type -> feeder.Log + 6, // [6:10] is the sub-list for method output_type + 2, // [2:6] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name } func init() { file_kubearmor_proto_init() } @@ -1203,7 +1180,7 @@ func file_kubearmor_proto_init() { NumEnums: 0, NumMessages: 7, NumExtensions: 0, - NumServices: 2, + NumServices: 1, }, GoTypes: file_kubearmor_proto_goTypes, DependencyIndexes: file_kubearmor_proto_depIdxs, diff --git a/protobuf/kubearmor.proto b/protobuf/kubearmor.proto index 444e0ef9d..3a360edcc 100644 --- a/protobuf/kubearmor.proto +++ b/protobuf/kubearmor.proto @@ -1,5 +1,5 @@ syntax = "proto3"; - + package feeder; option go_package="github.com/kubearmor/KubeArmor/protobuf"; @@ -125,15 +125,9 @@ message ReplyMessage { } service LogService { + // DEPRECATED: use "google.golang.org/grpc/health/grpc_health_v1" rpc HealthCheck(NonceMessage) returns (ReplyMessage); rpc WatchMessages(RequestMessage) returns (stream Message); rpc WatchAlerts(RequestMessage) returns (stream Alert); rpc WatchLogs(RequestMessage) returns (stream Log); } - -service PushLogService { - rpc HealthCheck(NonceMessage) returns (ReplyMessage); - rpc PushMessages(stream Message) returns (stream ReplyMessage); - rpc PushAlerts(stream Alert) returns (stream ReplyMessage); - rpc PushLogs(stream Log) returns (stream ReplyMessage); -} diff --git a/protobuf/kubearmor_grpc.pb.go b/protobuf/kubearmor_grpc.pb.go index 8fe03186c..34a3ce0db 100644 --- a/protobuf/kubearmor_grpc.pb.go +++ b/protobuf/kubearmor_grpc.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: // - protoc-gen-go-grpc v1.3.0 -// - protoc v3.12.4 +// - protoc v4.25.1 // source: kubearmor.proto package protobuf @@ -29,6 +29,7 @@ const ( // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. type LogServiceClient interface { + // DEPRECATED: use "google.golang.org/grpc/health/grpc_health_v1" HealthCheck(ctx context.Context, in *NonceMessage, opts ...grpc.CallOption) (*ReplyMessage, error) WatchMessages(ctx context.Context, in *RequestMessage, opts ...grpc.CallOption) (LogService_WatchMessagesClient, error) WatchAlerts(ctx context.Context, in *RequestMessage, opts ...grpc.CallOption) (LogService_WatchAlertsClient, error) @@ -152,6 +153,7 @@ func (x *logServiceWatchLogsClient) Recv() (*Log, error) { // All implementations should embed UnimplementedLogServiceServer // for forward compatibility type LogServiceServer interface { + // DEPRECATED: use "google.golang.org/grpc/health/grpc_health_v1" HealthCheck(context.Context, *NonceMessage) (*ReplyMessage, error) WatchMessages(*RequestMessage, LogService_WatchMessagesServer) error WatchAlerts(*RequestMessage, LogService_WatchAlertsServer) error @@ -298,299 +300,3 @@ var LogService_ServiceDesc = grpc.ServiceDesc{ }, Metadata: "kubearmor.proto", } - -const ( - PushLogService_HealthCheck_FullMethodName = "/feeder.PushLogService/HealthCheck" - PushLogService_PushMessages_FullMethodName = "/feeder.PushLogService/PushMessages" - PushLogService_PushAlerts_FullMethodName = "/feeder.PushLogService/PushAlerts" - PushLogService_PushLogs_FullMethodName = "/feeder.PushLogService/PushLogs" -) - -// PushLogServiceClient is the client API for PushLogService service. -// -// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. -type PushLogServiceClient interface { - HealthCheck(ctx context.Context, in *NonceMessage, opts ...grpc.CallOption) (*ReplyMessage, error) - PushMessages(ctx context.Context, opts ...grpc.CallOption) (PushLogService_PushMessagesClient, error) - PushAlerts(ctx context.Context, opts ...grpc.CallOption) (PushLogService_PushAlertsClient, error) - PushLogs(ctx context.Context, opts ...grpc.CallOption) (PushLogService_PushLogsClient, error) -} - -type pushLogServiceClient struct { - cc grpc.ClientConnInterface -} - -func NewPushLogServiceClient(cc grpc.ClientConnInterface) PushLogServiceClient { - return &pushLogServiceClient{cc} -} - -func (c *pushLogServiceClient) HealthCheck(ctx context.Context, in *NonceMessage, opts ...grpc.CallOption) (*ReplyMessage, error) { - out := new(ReplyMessage) - err := c.cc.Invoke(ctx, PushLogService_HealthCheck_FullMethodName, in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *pushLogServiceClient) PushMessages(ctx context.Context, opts ...grpc.CallOption) (PushLogService_PushMessagesClient, error) { - stream, err := c.cc.NewStream(ctx, &PushLogService_ServiceDesc.Streams[0], PushLogService_PushMessages_FullMethodName, opts...) - if err != nil { - return nil, err - } - x := &pushLogServicePushMessagesClient{stream} - return x, nil -} - -type PushLogService_PushMessagesClient interface { - Send(*Message) error - Recv() (*ReplyMessage, error) - grpc.ClientStream -} - -type pushLogServicePushMessagesClient struct { - grpc.ClientStream -} - -func (x *pushLogServicePushMessagesClient) Send(m *Message) error { - return x.ClientStream.SendMsg(m) -} - -func (x *pushLogServicePushMessagesClient) Recv() (*ReplyMessage, error) { - m := new(ReplyMessage) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -func (c *pushLogServiceClient) PushAlerts(ctx context.Context, opts ...grpc.CallOption) (PushLogService_PushAlertsClient, error) { - stream, err := c.cc.NewStream(ctx, &PushLogService_ServiceDesc.Streams[1], PushLogService_PushAlerts_FullMethodName, opts...) - if err != nil { - return nil, err - } - x := &pushLogServicePushAlertsClient{stream} - return x, nil -} - -type PushLogService_PushAlertsClient interface { - Send(*Alert) error - Recv() (*ReplyMessage, error) - grpc.ClientStream -} - -type pushLogServicePushAlertsClient struct { - grpc.ClientStream -} - -func (x *pushLogServicePushAlertsClient) Send(m *Alert) error { - return x.ClientStream.SendMsg(m) -} - -func (x *pushLogServicePushAlertsClient) Recv() (*ReplyMessage, error) { - m := new(ReplyMessage) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -func (c *pushLogServiceClient) PushLogs(ctx context.Context, opts ...grpc.CallOption) (PushLogService_PushLogsClient, error) { - stream, err := c.cc.NewStream(ctx, &PushLogService_ServiceDesc.Streams[2], PushLogService_PushLogs_FullMethodName, opts...) - if err != nil { - return nil, err - } - x := &pushLogServicePushLogsClient{stream} - return x, nil -} - -type PushLogService_PushLogsClient interface { - Send(*Log) error - Recv() (*ReplyMessage, error) - grpc.ClientStream -} - -type pushLogServicePushLogsClient struct { - grpc.ClientStream -} - -func (x *pushLogServicePushLogsClient) Send(m *Log) error { - return x.ClientStream.SendMsg(m) -} - -func (x *pushLogServicePushLogsClient) Recv() (*ReplyMessage, error) { - m := new(ReplyMessage) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -// PushLogServiceServer is the server API for PushLogService service. -// All implementations should embed UnimplementedPushLogServiceServer -// for forward compatibility -type PushLogServiceServer interface { - HealthCheck(context.Context, *NonceMessage) (*ReplyMessage, error) - PushMessages(PushLogService_PushMessagesServer) error - PushAlerts(PushLogService_PushAlertsServer) error - PushLogs(PushLogService_PushLogsServer) error -} - -// UnimplementedPushLogServiceServer should be embedded to have forward compatible implementations. -type UnimplementedPushLogServiceServer struct { -} - -func (UnimplementedPushLogServiceServer) HealthCheck(context.Context, *NonceMessage) (*ReplyMessage, error) { - return nil, status.Errorf(codes.Unimplemented, "method HealthCheck not implemented") -} -func (UnimplementedPushLogServiceServer) PushMessages(PushLogService_PushMessagesServer) error { - return status.Errorf(codes.Unimplemented, "method PushMessages not implemented") -} -func (UnimplementedPushLogServiceServer) PushAlerts(PushLogService_PushAlertsServer) error { - return status.Errorf(codes.Unimplemented, "method PushAlerts not implemented") -} -func (UnimplementedPushLogServiceServer) PushLogs(PushLogService_PushLogsServer) error { - return status.Errorf(codes.Unimplemented, "method PushLogs not implemented") -} - -// UnsafePushLogServiceServer may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to PushLogServiceServer will -// result in compilation errors. -type UnsafePushLogServiceServer interface { - mustEmbedUnimplementedPushLogServiceServer() -} - -func RegisterPushLogServiceServer(s grpc.ServiceRegistrar, srv PushLogServiceServer) { - s.RegisterService(&PushLogService_ServiceDesc, srv) -} - -func _PushLogService_HealthCheck_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(NonceMessage) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(PushLogServiceServer).HealthCheck(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: PushLogService_HealthCheck_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(PushLogServiceServer).HealthCheck(ctx, req.(*NonceMessage)) - } - return interceptor(ctx, in, info, handler) -} - -func _PushLogService_PushMessages_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(PushLogServiceServer).PushMessages(&pushLogServicePushMessagesServer{stream}) -} - -type PushLogService_PushMessagesServer interface { - Send(*ReplyMessage) error - Recv() (*Message, error) - grpc.ServerStream -} - -type pushLogServicePushMessagesServer struct { - grpc.ServerStream -} - -func (x *pushLogServicePushMessagesServer) Send(m *ReplyMessage) error { - return x.ServerStream.SendMsg(m) -} - -func (x *pushLogServicePushMessagesServer) Recv() (*Message, error) { - m := new(Message) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -func _PushLogService_PushAlerts_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(PushLogServiceServer).PushAlerts(&pushLogServicePushAlertsServer{stream}) -} - -type PushLogService_PushAlertsServer interface { - Send(*ReplyMessage) error - Recv() (*Alert, error) - grpc.ServerStream -} - -type pushLogServicePushAlertsServer struct { - grpc.ServerStream -} - -func (x *pushLogServicePushAlertsServer) Send(m *ReplyMessage) error { - return x.ServerStream.SendMsg(m) -} - -func (x *pushLogServicePushAlertsServer) Recv() (*Alert, error) { - m := new(Alert) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -func _PushLogService_PushLogs_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(PushLogServiceServer).PushLogs(&pushLogServicePushLogsServer{stream}) -} - -type PushLogService_PushLogsServer interface { - Send(*ReplyMessage) error - Recv() (*Log, error) - grpc.ServerStream -} - -type pushLogServicePushLogsServer struct { - grpc.ServerStream -} - -func (x *pushLogServicePushLogsServer) Send(m *ReplyMessage) error { - return x.ServerStream.SendMsg(m) -} - -func (x *pushLogServicePushLogsServer) Recv() (*Log, error) { - m := new(Log) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -// PushLogService_ServiceDesc is the grpc.ServiceDesc for PushLogService service. -// It's only intended for direct use with grpc.RegisterService, -// and not to be introspected or modified (even as a copy) -var PushLogService_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "feeder.PushLogService", - HandlerType: (*PushLogServiceServer)(nil), - Methods: []grpc.MethodDesc{ - { - MethodName: "HealthCheck", - Handler: _PushLogService_HealthCheck_Handler, - }, - }, - Streams: []grpc.StreamDesc{ - { - StreamName: "PushMessages", - Handler: _PushLogService_PushMessages_Handler, - ServerStreams: true, - ClientStreams: true, - }, - { - StreamName: "PushAlerts", - Handler: _PushLogService_PushAlerts_Handler, - ServerStreams: true, - ClientStreams: true, - }, - { - StreamName: "PushLogs", - Handler: _PushLogService_PushLogs_Handler, - ServerStreams: true, - ClientStreams: true, - }, - }, - Metadata: "kubearmor.proto", -} diff --git a/protobuf/kvm.pb.go b/protobuf/kvm.pb.go index 82f3d71ef..41eb34730 100644 --- a/protobuf/kvm.pb.go +++ b/protobuf/kvm.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.27.1 -// protoc v3.19.4 +// protoc-gen-go v1.31.0 +// protoc v4.25.1 // source: kvm.proto package protobuf diff --git a/protobuf/kvm_grpc.pb.go b/protobuf/kvm_grpc.pb.go index 8e3e365f6..cb2e95154 100644 --- a/protobuf/kvm_grpc.pb.go +++ b/protobuf/kvm_grpc.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: -// - protoc-gen-go-grpc v1.2.0 -// - protoc v3.19.4 +// - protoc-gen-go-grpc v1.3.0 +// - protoc v4.25.1 // source: kvm.proto package protobuf @@ -18,6 +18,11 @@ import ( // Requires gRPC-Go v1.32.0 or later. const _ = grpc.SupportPackageIsVersion7 +const ( + KVM_RegisterAgentIdentity_FullMethodName = "/kvm.KVM/registerAgentIdentity" + KVM_SendPolicy_FullMethodName = "/kvm.KVM/sendPolicy" +) + // KVMClient is the client API for KVM service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. @@ -36,7 +41,7 @@ func NewKVMClient(cc grpc.ClientConnInterface) KVMClient { func (c *kVMClient) RegisterAgentIdentity(ctx context.Context, in *AgentIdentity, opts ...grpc.CallOption) (*Status, error) { out := new(Status) - err := c.cc.Invoke(ctx, "/kvm.KVM/registerAgentIdentity", in, out, opts...) + err := c.cc.Invoke(ctx, KVM_RegisterAgentIdentity_FullMethodName, in, out, opts...) if err != nil { return nil, err } @@ -44,7 +49,7 @@ func (c *kVMClient) RegisterAgentIdentity(ctx context.Context, in *AgentIdentity } func (c *kVMClient) SendPolicy(ctx context.Context, opts ...grpc.CallOption) (KVM_SendPolicyClient, error) { - stream, err := c.cc.NewStream(ctx, &KVM_ServiceDesc.Streams[0], "/kvm.KVM/sendPolicy", opts...) + stream, err := c.cc.NewStream(ctx, &KVM_ServiceDesc.Streams[0], KVM_SendPolicy_FullMethodName, opts...) if err != nil { return nil, err } @@ -114,7 +119,7 @@ func _KVM_RegisterAgentIdentity_Handler(srv interface{}, ctx context.Context, de } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: "/kvm.KVM/registerAgentIdentity", + FullMethod: KVM_RegisterAgentIdentity_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(KVMServer).RegisterAgentIdentity(ctx, req.(*AgentIdentity)) diff --git a/protobuf/policy.pb.go b/protobuf/policy.pb.go index 248182898..48fe1d5ee 100644 --- a/protobuf/policy.pb.go +++ b/protobuf/policy.pb.go @@ -1,15 +1,15 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.28.1 -// protoc v3.19.4 +// protoc-gen-go v1.31.0 +// protoc v4.25.1 // source: policy.proto package protobuf import ( - empty "github.com/golang/protobuf/ptypes/empty" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" + emptypb "google.golang.org/protobuf/types/known/emptypb" reflect "reflect" sync "sync" ) @@ -23,7 +23,7 @@ const ( // Symbols defined in public import of google/protobuf/empty.proto. -type Empty = empty.Empty +type Empty = emptypb.Empty type PolicyStatus int32 @@ -83,102 +83,6 @@ func (PolicyStatus) EnumDescriptor() ([]byte, []int) { return file_policy_proto_rawDescGZIP(), []int{0} } -// Health check -type HealthCheckReq struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Nonce int32 `protobuf:"varint,1,opt,name=nonce,proto3" json:"nonce,omitempty"` -} - -func (x *HealthCheckReq) Reset() { - *x = HealthCheckReq{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *HealthCheckReq) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*HealthCheckReq) ProtoMessage() {} - -func (x *HealthCheckReq) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use HealthCheckReq.ProtoReflect.Descriptor instead. -func (*HealthCheckReq) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{0} -} - -func (x *HealthCheckReq) GetNonce() int32 { - if x != nil { - return x.Nonce - } - return 0 -} - -// healthcheck reply message -type HealthCheckReply struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Retval int32 `protobuf:"varint,1,opt,name=Retval,proto3" json:"Retval,omitempty"` -} - -func (x *HealthCheckReply) Reset() { - *x = HealthCheckReply{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *HealthCheckReply) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*HealthCheckReply) ProtoMessage() {} - -func (x *HealthCheckReply) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[1] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use HealthCheckReply.ProtoReflect.Descriptor instead. -func (*HealthCheckReply) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{1} -} - -func (x *HealthCheckReply) GetRetval() int32 { - if x != nil { - return x.Retval - } - return 0 -} - type Response struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -190,7 +94,7 @@ type Response struct { func (x *Response) Reset() { *x = Response{} if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[2] + mi := &file_policy_proto_msgTypes[0] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -203,7 +107,7 @@ func (x *Response) String() string { func (*Response) ProtoMessage() {} func (x *Response) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[2] + mi := &file_policy_proto_msgTypes[0] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -216,7 +120,7 @@ func (x *Response) ProtoReflect() protoreflect.Message { // Deprecated: Use Response.ProtoReflect.Descriptor instead. func (*Response) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{2} + return file_policy_proto_rawDescGZIP(), []int{0} } func (x *Response) GetStatus() PolicyStatus { @@ -237,7 +141,7 @@ type Policy struct { func (x *Policy) Reset() { *x = Policy{} if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[3] + mi := &file_policy_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -250,7 +154,7 @@ func (x *Policy) String() string { func (*Policy) ProtoMessage() {} func (x *Policy) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[3] + mi := &file_policy_proto_msgTypes[1] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -263,7 +167,7 @@ func (x *Policy) ProtoReflect() protoreflect.Message { // Deprecated: Use Policy.ProtoReflect.Descriptor instead. func (*Policy) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{3} + return file_policy_proto_rawDescGZIP(), []int{1} } func (x *Policy) GetPolicy() []byte { @@ -285,7 +189,7 @@ type ContainerData struct { func (x *ContainerData) Reset() { *x = ContainerData{} if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[4] + mi := &file_policy_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -298,7 +202,7 @@ func (x *ContainerData) String() string { func (*ContainerData) ProtoMessage() {} func (x *ContainerData) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[4] + mi := &file_policy_proto_msgTypes[2] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -311,7 +215,7 @@ func (x *ContainerData) ProtoReflect() protoreflect.Message { // Deprecated: Use ContainerData.ProtoReflect.Descriptor instead. func (*ContainerData) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{4} + return file_policy_proto_rawDescGZIP(), []int{2} } func (x *ContainerData) GetPolicyList() []string { @@ -339,7 +243,7 @@ type HostSecurityPolicies struct { func (x *HostSecurityPolicies) Reset() { *x = HostSecurityPolicies{} if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[5] + mi := &file_policy_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -352,7 +256,7 @@ func (x *HostSecurityPolicies) String() string { func (*HostSecurityPolicies) ProtoMessage() {} func (x *HostSecurityPolicies) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[5] + mi := &file_policy_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -365,7 +269,7 @@ func (x *HostSecurityPolicies) ProtoReflect() protoreflect.Message { // Deprecated: Use HostSecurityPolicies.ProtoReflect.Descriptor instead. func (*HostSecurityPolicies) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{5} + return file_policy_proto_rawDescGZIP(), []int{3} } func (x *HostSecurityPolicies) GetPolicyList() []string { @@ -388,7 +292,7 @@ type ProbeResponse struct { func (x *ProbeResponse) Reset() { *x = ProbeResponse{} if protoimpl.UnsafeEnabled { - mi := &file_policy_proto_msgTypes[6] + mi := &file_policy_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -401,7 +305,7 @@ func (x *ProbeResponse) String() string { func (*ProbeResponse) ProtoMessage() {} func (x *ProbeResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_proto_msgTypes[6] + mi := &file_policy_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -414,7 +318,7 @@ func (x *ProbeResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use ProbeResponse.ProtoReflect.Descriptor instead. func (*ProbeResponse) Descriptor() ([]byte, []int) { - return file_policy_proto_rawDescGZIP(), []int{6} + return file_policy_proto_rawDescGZIP(), []int{4} } func (x *ProbeResponse) GetContainerList() []string { @@ -444,84 +348,66 @@ var file_policy_proto_rawDesc = []byte{ 0x0a, 0x0c, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x1b, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x22, 0x26, 0x0a, 0x0e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, - 0x63, 0x6b, 0x52, 0x65, 0x71, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x22, 0x2a, 0x0a, 0x10, 0x48, - 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, - 0x16, 0x0a, 0x06, 0x52, 0x65, 0x74, 0x76, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, - 0x06, 0x52, 0x65, 0x74, 0x76, 0x61, 0x6c, 0x22, 0x38, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x12, 0x2c, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x0e, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, - 0x73, 0x22, 0x20, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x22, 0x55, 0x0a, 0x0d, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, - 0x44, 0x61, 0x74, 0x61, 0x12, 0x1e, 0x0a, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, - 0x73, 0x74, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x4c, 0x69, 0x73, 0x74, 0x12, 0x24, 0x0a, 0x0d, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x45, 0x6e, - 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0d, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x36, 0x0a, 0x14, 0x48, 0x6f, - 0x73, 0x74, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, - 0x65, 0x73, 0x12, 0x1e, 0x0a, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, 0x73, 0x74, - 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, - 0x73, 0x74, 0x22, 0xf2, 0x02, 0x0a, 0x0d, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0d, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, - 0x72, 0x4c, 0x69, 0x73, 0x74, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x63, 0x6f, 0x6e, - 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x4b, 0x0a, 0x0c, 0x63, 0x6f, - 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4d, 0x61, 0x70, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x27, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, - 0x72, 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0c, 0x63, 0x6f, 0x6e, 0x74, 0x61, - 0x69, 0x6e, 0x65, 0x72, 0x4d, 0x61, 0x70, 0x12, 0x3c, 0x0a, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x4d, - 0x61, 0x70, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, - 0x48, 0x6f, 0x73, 0x74, 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x68, 0x6f, - 0x73, 0x74, 0x4d, 0x61, 0x70, 0x1a, 0x56, 0x0a, 0x11, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, - 0x65, 0x72, 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, - 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2b, 0x0a, 0x05, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x44, 0x61, - 0x74, 0x61, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x58, 0x0a, - 0x0c, 0x48, 0x6f, 0x73, 0x74, 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, - 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, - 0x32, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x53, 0x65, 0x63, 0x75, - 0x72, 0x69, 0x74, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x52, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x2a, 0x5e, 0x0a, 0x0c, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x0b, 0x0a, 0x07, 0x46, 0x61, 0x69, 0x6c, 0x75, - 0x72, 0x65, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x65, 0x64, 0x10, - 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x10, 0x02, 0x12, 0x0c, - 0x0a, 0x08, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, - 0x4e, 0x6f, 0x74, 0x45, 0x78, 0x69, 0x73, 0x74, 0x10, 0x04, 0x12, 0x0b, 0x0a, 0x07, 0x49, 0x6e, - 0x76, 0x61, 0x6c, 0x69, 0x64, 0x10, 0x05, 0x32, 0x4d, 0x0a, 0x0c, 0x50, 0x72, 0x6f, 0x62, 0x65, - 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x3d, 0x0a, 0x0c, 0x67, 0x65, 0x74, 0x50, 0x72, - 0x6f, 0x62, 0x65, 0x44, 0x61, 0x74, 0x61, 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, - 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0x74, 0x0a, 0x0d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x33, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61, - 0x69, 0x6e, 0x65, 0x72, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x10, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2e, 0x0a, 0x0a, - 0x68, 0x6f, 0x73, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x10, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0xc3, 0x01, 0x0a, - 0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x53, 0x65, 0x72, - 0x76, 0x69, 0x63, 0x65, 0x12, 0x3f, 0x0a, 0x0b, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, - 0x65, 0x63, 0x6b, 0x12, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x48, 0x65, 0x61, - 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x71, 0x1a, 0x18, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, - 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x37, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, - 0x65, 0x72, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x10, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x1a, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x28, 0x01, 0x30, 0x01, 0x12, 0x32, - 0x0a, 0x0a, 0x68, 0x6f, 0x73, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x10, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x1a, 0x0e, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x28, 0x01, - 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, - 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x50, 0x00, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6f, 0x74, 0x6f, 0x22, 0x38, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, + 0x2c, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, + 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x53, + 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x20, 0x0a, + 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, + 0x55, 0x0a, 0x0d, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x44, 0x61, 0x74, 0x61, + 0x12, 0x1e, 0x0a, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, 0x73, 0x74, 0x18, 0x01, + 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, 0x73, 0x74, + 0x12, 0x24, 0x0a, 0x0d, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, + 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0d, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x45, + 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x36, 0x0a, 0x14, 0x48, 0x6f, 0x73, 0x74, 0x53, 0x65, + 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x12, 0x1e, + 0x0a, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, 0x73, 0x74, 0x18, 0x01, 0x20, 0x03, + 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4c, 0x69, 0x73, 0x74, 0x22, 0xf2, + 0x02, 0x0a, 0x0d, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x24, 0x0a, 0x0d, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4c, 0x69, 0x73, + 0x74, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, + 0x65, 0x72, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x4b, 0x0a, 0x0c, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, + 0x6e, 0x65, 0x72, 0x4d, 0x61, 0x70, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4d, 0x61, 0x70, + 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0c, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, + 0x4d, 0x61, 0x70, 0x12, 0x3c, 0x0a, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x4d, 0x61, 0x70, 0x18, 0x03, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, + 0x6f, 0x62, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x48, 0x6f, 0x73, 0x74, + 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x4d, 0x61, + 0x70, 0x1a, 0x56, 0x0a, 0x11, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4d, 0x61, + 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2b, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x44, 0x61, 0x74, 0x61, 0x52, 0x05, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x58, 0x0a, 0x0c, 0x48, 0x6f, 0x73, + 0x74, 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x32, 0x0a, 0x05, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, + 0x02, 0x38, 0x01, 0x2a, 0x5e, 0x0a, 0x0c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x12, 0x0b, 0x0a, 0x07, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x10, 0x00, + 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x65, 0x64, 0x10, 0x01, 0x12, 0x0b, 0x0a, + 0x07, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x10, 0x02, 0x12, 0x0c, 0x0a, 0x08, 0x4d, 0x6f, + 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x4e, 0x6f, 0x74, 0x45, + 0x78, 0x69, 0x73, 0x74, 0x10, 0x04, 0x12, 0x0b, 0x0a, 0x07, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, + 0x64, 0x10, 0x05, 0x32, 0x4d, 0x0a, 0x0c, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x53, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x12, 0x3d, 0x0a, 0x0c, 0x67, 0x65, 0x74, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x44, + 0x61, 0x74, 0x61, 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x15, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x32, 0x74, 0x0a, 0x0d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x53, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x12, 0x33, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x10, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2e, 0x0a, 0x0a, 0x68, 0x6f, 0x73, 0x74, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x10, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, + 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, + 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x75, 0x66, 0x50, 0x00, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -537,43 +423,35 @@ func file_policy_proto_rawDescGZIP() []byte { } var file_policy_proto_enumTypes = make([]protoimpl.EnumInfo, 1) -var file_policy_proto_msgTypes = make([]protoimpl.MessageInfo, 9) +var file_policy_proto_msgTypes = make([]protoimpl.MessageInfo, 7) var file_policy_proto_goTypes = []interface{}{ (PolicyStatus)(0), // 0: policy.PolicyStatus - (*HealthCheckReq)(nil), // 1: policy.HealthCheckReq - (*HealthCheckReply)(nil), // 2: policy.HealthCheckReply - (*Response)(nil), // 3: policy.response - (*Policy)(nil), // 4: policy.policy - (*ContainerData)(nil), // 5: policy.ContainerData - (*HostSecurityPolicies)(nil), // 6: policy.HostSecurityPolicies - (*ProbeResponse)(nil), // 7: policy.ProbeResponse - nil, // 8: policy.ProbeResponse.ContainerMapEntry - nil, // 9: policy.ProbeResponse.HostMapEntry - (*empty.Empty)(nil), // 10: google.protobuf.Empty + (*Response)(nil), // 1: policy.response + (*Policy)(nil), // 2: policy.policy + (*ContainerData)(nil), // 3: policy.ContainerData + (*HostSecurityPolicies)(nil), // 4: policy.HostSecurityPolicies + (*ProbeResponse)(nil), // 5: policy.ProbeResponse + nil, // 6: policy.ProbeResponse.ContainerMapEntry + nil, // 7: policy.ProbeResponse.HostMapEntry + (*emptypb.Empty)(nil), // 8: google.protobuf.Empty } var file_policy_proto_depIdxs = []int32{ - 0, // 0: policy.response.status:type_name -> policy.PolicyStatus - 8, // 1: policy.ProbeResponse.containerMap:type_name -> policy.ProbeResponse.ContainerMapEntry - 9, // 2: policy.ProbeResponse.hostMap:type_name -> policy.ProbeResponse.HostMapEntry - 5, // 3: policy.ProbeResponse.ContainerMapEntry.value:type_name -> policy.ContainerData - 6, // 4: policy.ProbeResponse.HostMapEntry.value:type_name -> policy.HostSecurityPolicies - 10, // 5: policy.ProbeService.getProbeData:input_type -> google.protobuf.Empty - 4, // 6: policy.PolicyService.containerPolicy:input_type -> policy.policy - 4, // 7: policy.PolicyService.hostPolicy:input_type -> policy.policy - 1, // 8: policy.PolicyStreamService.HealthCheck:input_type -> policy.HealthCheckReq - 3, // 9: policy.PolicyStreamService.containerPolicy:input_type -> policy.response - 3, // 10: policy.PolicyStreamService.hostPolicy:input_type -> policy.response - 7, // 11: policy.ProbeService.getProbeData:output_type -> policy.ProbeResponse - 3, // 12: policy.PolicyService.containerPolicy:output_type -> policy.response - 3, // 13: policy.PolicyService.hostPolicy:output_type -> policy.response - 2, // 14: policy.PolicyStreamService.HealthCheck:output_type -> policy.HealthCheckReply - 4, // 15: policy.PolicyStreamService.containerPolicy:output_type -> policy.policy - 4, // 16: policy.PolicyStreamService.hostPolicy:output_type -> policy.policy - 11, // [11:17] is the sub-list for method output_type - 5, // [5:11] is the sub-list for method input_type - 5, // [5:5] is the sub-list for extension type_name - 5, // [5:5] is the sub-list for extension extendee - 0, // [0:5] is the sub-list for field type_name + 0, // 0: policy.response.status:type_name -> policy.PolicyStatus + 6, // 1: policy.ProbeResponse.containerMap:type_name -> policy.ProbeResponse.ContainerMapEntry + 7, // 2: policy.ProbeResponse.hostMap:type_name -> policy.ProbeResponse.HostMapEntry + 3, // 3: policy.ProbeResponse.ContainerMapEntry.value:type_name -> policy.ContainerData + 4, // 4: policy.ProbeResponse.HostMapEntry.value:type_name -> policy.HostSecurityPolicies + 8, // 5: policy.ProbeService.getProbeData:input_type -> google.protobuf.Empty + 2, // 6: policy.PolicyService.containerPolicy:input_type -> policy.policy + 2, // 7: policy.PolicyService.hostPolicy:input_type -> policy.policy + 5, // 8: policy.ProbeService.getProbeData:output_type -> policy.ProbeResponse + 1, // 9: policy.PolicyService.containerPolicy:output_type -> policy.response + 1, // 10: policy.PolicyService.hostPolicy:output_type -> policy.response + 8, // [8:11] is the sub-list for method output_type + 5, // [5:8] is the sub-list for method input_type + 5, // [5:5] is the sub-list for extension type_name + 5, // [5:5] is the sub-list for extension extendee + 0, // [0:5] is the sub-list for field type_name } func init() { file_policy_proto_init() } @@ -583,30 +461,6 @@ func file_policy_proto_init() { } if !protoimpl.UnsafeEnabled { file_policy_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*HealthCheckReq); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*HealthCheckReply); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*Response); i { case 0: return &v.state @@ -618,7 +472,7 @@ func file_policy_proto_init() { return nil } } - file_policy_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + file_policy_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*Policy); i { case 0: return &v.state @@ -630,7 +484,7 @@ func file_policy_proto_init() { return nil } } - file_policy_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + file_policy_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*ContainerData); i { case 0: return &v.state @@ -642,7 +496,7 @@ func file_policy_proto_init() { return nil } } - file_policy_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + file_policy_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*HostSecurityPolicies); i { case 0: return &v.state @@ -654,7 +508,7 @@ func file_policy_proto_init() { return nil } } - file_policy_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + file_policy_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*ProbeResponse); i { case 0: return &v.state @@ -673,9 +527,9 @@ func file_policy_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_policy_proto_rawDesc, NumEnums: 1, - NumMessages: 9, + NumMessages: 7, NumExtensions: 0, - NumServices: 3, + NumServices: 2, }, GoTypes: file_policy_proto_goTypes, DependencyIndexes: file_policy_proto_depIdxs, diff --git a/protobuf/policy.proto b/protobuf/policy.proto index 62c004042..fc544a711 100644 --- a/protobuf/policy.proto +++ b/protobuf/policy.proto @@ -1,20 +1,10 @@ syntax = "proto3"; - -import public "google/protobuf/empty.proto"; package policy; -option go_package="github.com/kubearmor/KubeArmor/protobuf"; - -// Health check -message HealthCheckReq { - int32 nonce = 1; -} +import public "google/protobuf/empty.proto"; -// healthcheck reply message -message HealthCheckReply { - int32 Retval = 1; -} +option go_package="github.com/kubearmor/KubeArmor/protobuf"; enum PolicyStatus { Failure = 0 ; @@ -22,9 +12,9 @@ enum PolicyStatus { Deleted = 2 ; Modified = 3 ; NotExist = 4; - Invalid = 5; - + Invalid = 5; } + message response { PolicyStatus status = 1; } @@ -38,13 +28,14 @@ message ContainerData { int32 policyEnabled = 2; } message HostSecurityPolicies { - repeated string policyList = 1; + repeated string policyList = 1; } message ProbeResponse { repeated string containerList = 1; map containerMap = 2; map hostMap = 3; } + service ProbeService { rpc getProbeData(google.protobuf.Empty) returns (ProbeResponse); } @@ -53,9 +44,3 @@ service PolicyService { rpc containerPolicy (policy) returns (response); rpc hostPolicy (policy) returns (response); } - -service PolicyStreamService { - rpc HealthCheck(HealthCheckReq) returns (HealthCheckReply); - rpc containerPolicy (stream response) returns (stream policy); - rpc hostPolicy (stream response) returns (stream policy); -} diff --git a/protobuf/policy_grpc.pb.go b/protobuf/policy_grpc.pb.go index 8eae2a7af..14d20d6fe 100644 --- a/protobuf/policy_grpc.pb.go +++ b/protobuf/policy_grpc.pb.go @@ -1,17 +1,17 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: -// - protoc-gen-go-grpc v1.2.0 -// - protoc v3.19.4 +// - protoc-gen-go-grpc v1.3.0 +// - protoc v4.25.1 // source: policy.proto package protobuf import ( context "context" - empty "github.com/golang/protobuf/ptypes/empty" grpc "google.golang.org/grpc" codes "google.golang.org/grpc/codes" status "google.golang.org/grpc/status" + emptypb "google.golang.org/protobuf/types/known/emptypb" ) // This is a compile-time assertion to ensure that this generated file @@ -19,11 +19,15 @@ import ( // Requires gRPC-Go v1.32.0 or later. const _ = grpc.SupportPackageIsVersion7 +const ( + ProbeService_GetProbeData_FullMethodName = "/policy.ProbeService/getProbeData" +) + // ProbeServiceClient is the client API for ProbeService service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. type ProbeServiceClient interface { - GetProbeData(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ProbeResponse, error) + GetProbeData(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*ProbeResponse, error) } type probeServiceClient struct { @@ -34,9 +38,9 @@ func NewProbeServiceClient(cc grpc.ClientConnInterface) ProbeServiceClient { return &probeServiceClient{cc} } -func (c *probeServiceClient) GetProbeData(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ProbeResponse, error) { +func (c *probeServiceClient) GetProbeData(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*ProbeResponse, error) { out := new(ProbeResponse) - err := c.cc.Invoke(ctx, "/policy.ProbeService/getProbeData", in, out, opts...) + err := c.cc.Invoke(ctx, ProbeService_GetProbeData_FullMethodName, in, out, opts...) if err != nil { return nil, err } @@ -47,14 +51,14 @@ func (c *probeServiceClient) GetProbeData(ctx context.Context, in *empty.Empty, // All implementations should embed UnimplementedProbeServiceServer // for forward compatibility type ProbeServiceServer interface { - GetProbeData(context.Context, *empty.Empty) (*ProbeResponse, error) + GetProbeData(context.Context, *emptypb.Empty) (*ProbeResponse, error) } // UnimplementedProbeServiceServer should be embedded to have forward compatible implementations. type UnimplementedProbeServiceServer struct { } -func (UnimplementedProbeServiceServer) GetProbeData(context.Context, *empty.Empty) (*ProbeResponse, error) { +func (UnimplementedProbeServiceServer) GetProbeData(context.Context, *emptypb.Empty) (*ProbeResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method GetProbeData not implemented") } @@ -70,7 +74,7 @@ func RegisterProbeServiceServer(s grpc.ServiceRegistrar, srv ProbeServiceServer) } func _ProbeService_GetProbeData_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(empty.Empty) + in := new(emptypb.Empty) if err := dec(in); err != nil { return nil, err } @@ -79,10 +83,10 @@ func _ProbeService_GetProbeData_Handler(srv interface{}, ctx context.Context, de } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: "/policy.ProbeService/getProbeData", + FullMethod: ProbeService_GetProbeData_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(ProbeServiceServer).GetProbeData(ctx, req.(*empty.Empty)) + return srv.(ProbeServiceServer).GetProbeData(ctx, req.(*emptypb.Empty)) } return interceptor(ctx, in, info, handler) } @@ -103,6 +107,11 @@ var ProbeService_ServiceDesc = grpc.ServiceDesc{ Metadata: "policy.proto", } +const ( + PolicyService_ContainerPolicy_FullMethodName = "/policy.PolicyService/containerPolicy" + PolicyService_HostPolicy_FullMethodName = "/policy.PolicyService/hostPolicy" +) + // PolicyServiceClient is the client API for PolicyService service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. @@ -121,7 +130,7 @@ func NewPolicyServiceClient(cc grpc.ClientConnInterface) PolicyServiceClient { func (c *policyServiceClient) ContainerPolicy(ctx context.Context, in *Policy, opts ...grpc.CallOption) (*Response, error) { out := new(Response) - err := c.cc.Invoke(ctx, "/policy.PolicyService/containerPolicy", in, out, opts...) + err := c.cc.Invoke(ctx, PolicyService_ContainerPolicy_FullMethodName, in, out, opts...) if err != nil { return nil, err } @@ -130,7 +139,7 @@ func (c *policyServiceClient) ContainerPolicy(ctx context.Context, in *Policy, o func (c *policyServiceClient) HostPolicy(ctx context.Context, in *Policy, opts ...grpc.CallOption) (*Response, error) { out := new(Response) - err := c.cc.Invoke(ctx, "/policy.PolicyService/hostPolicy", in, out, opts...) + err := c.cc.Invoke(ctx, PolicyService_HostPolicy_FullMethodName, in, out, opts...) if err != nil { return nil, err } @@ -177,7 +186,7 @@ func _PolicyService_ContainerPolicy_Handler(srv interface{}, ctx context.Context } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: "/policy.PolicyService/containerPolicy", + FullMethod: PolicyService_ContainerPolicy_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(PolicyServiceServer).ContainerPolicy(ctx, req.(*Policy)) @@ -195,7 +204,7 @@ func _PolicyService_HostPolicy_Handler(srv interface{}, ctx context.Context, dec } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: "/policy.PolicyService/hostPolicy", + FullMethod: PolicyService_HostPolicy_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(PolicyServiceServer).HostPolicy(ctx, req.(*Policy)) @@ -222,224 +231,3 @@ var PolicyService_ServiceDesc = grpc.ServiceDesc{ Streams: []grpc.StreamDesc{}, Metadata: "policy.proto", } - -// PolicyStreamServiceClient is the client API for PolicyStreamService service. -// -// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. -type PolicyStreamServiceClient interface { - HealthCheck(ctx context.Context, in *HealthCheckReq, opts ...grpc.CallOption) (*HealthCheckReply, error) - ContainerPolicy(ctx context.Context, opts ...grpc.CallOption) (PolicyStreamService_ContainerPolicyClient, error) - HostPolicy(ctx context.Context, opts ...grpc.CallOption) (PolicyStreamService_HostPolicyClient, error) -} - -type policyStreamServiceClient struct { - cc grpc.ClientConnInterface -} - -func NewPolicyStreamServiceClient(cc grpc.ClientConnInterface) PolicyStreamServiceClient { - return &policyStreamServiceClient{cc} -} - -func (c *policyStreamServiceClient) HealthCheck(ctx context.Context, in *HealthCheckReq, opts ...grpc.CallOption) (*HealthCheckReply, error) { - out := new(HealthCheckReply) - err := c.cc.Invoke(ctx, "/policy.PolicyStreamService/HealthCheck", in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *policyStreamServiceClient) ContainerPolicy(ctx context.Context, opts ...grpc.CallOption) (PolicyStreamService_ContainerPolicyClient, error) { - stream, err := c.cc.NewStream(ctx, &PolicyStreamService_ServiceDesc.Streams[0], "/policy.PolicyStreamService/containerPolicy", opts...) - if err != nil { - return nil, err - } - x := &policyStreamServiceContainerPolicyClient{stream} - return x, nil -} - -type PolicyStreamService_ContainerPolicyClient interface { - Send(*Response) error - Recv() (*Policy, error) - grpc.ClientStream -} - -type policyStreamServiceContainerPolicyClient struct { - grpc.ClientStream -} - -func (x *policyStreamServiceContainerPolicyClient) Send(m *Response) error { - return x.ClientStream.SendMsg(m) -} - -func (x *policyStreamServiceContainerPolicyClient) Recv() (*Policy, error) { - m := new(Policy) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -func (c *policyStreamServiceClient) HostPolicy(ctx context.Context, opts ...grpc.CallOption) (PolicyStreamService_HostPolicyClient, error) { - stream, err := c.cc.NewStream(ctx, &PolicyStreamService_ServiceDesc.Streams[1], "/policy.PolicyStreamService/hostPolicy", opts...) - if err != nil { - return nil, err - } - x := &policyStreamServiceHostPolicyClient{stream} - return x, nil -} - -type PolicyStreamService_HostPolicyClient interface { - Send(*Response) error - Recv() (*Policy, error) - grpc.ClientStream -} - -type policyStreamServiceHostPolicyClient struct { - grpc.ClientStream -} - -func (x *policyStreamServiceHostPolicyClient) Send(m *Response) error { - return x.ClientStream.SendMsg(m) -} - -func (x *policyStreamServiceHostPolicyClient) Recv() (*Policy, error) { - m := new(Policy) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -// PolicyStreamServiceServer is the server API for PolicyStreamService service. -// All implementations should embed UnimplementedPolicyStreamServiceServer -// for forward compatibility -type PolicyStreamServiceServer interface { - HealthCheck(context.Context, *HealthCheckReq) (*HealthCheckReply, error) - ContainerPolicy(PolicyStreamService_ContainerPolicyServer) error - HostPolicy(PolicyStreamService_HostPolicyServer) error -} - -// UnimplementedPolicyStreamServiceServer should be embedded to have forward compatible implementations. -type UnimplementedPolicyStreamServiceServer struct { -} - -func (UnimplementedPolicyStreamServiceServer) HealthCheck(context.Context, *HealthCheckReq) (*HealthCheckReply, error) { - return nil, status.Errorf(codes.Unimplemented, "method HealthCheck not implemented") -} -func (UnimplementedPolicyStreamServiceServer) ContainerPolicy(PolicyStreamService_ContainerPolicyServer) error { - return status.Errorf(codes.Unimplemented, "method ContainerPolicy not implemented") -} -func (UnimplementedPolicyStreamServiceServer) HostPolicy(PolicyStreamService_HostPolicyServer) error { - return status.Errorf(codes.Unimplemented, "method HostPolicy not implemented") -} - -// UnsafePolicyStreamServiceServer may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to PolicyStreamServiceServer will -// result in compilation errors. -type UnsafePolicyStreamServiceServer interface { - mustEmbedUnimplementedPolicyStreamServiceServer() -} - -func RegisterPolicyStreamServiceServer(s grpc.ServiceRegistrar, srv PolicyStreamServiceServer) { - s.RegisterService(&PolicyStreamService_ServiceDesc, srv) -} - -func _PolicyStreamService_HealthCheck_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(HealthCheckReq) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(PolicyStreamServiceServer).HealthCheck(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: "/policy.PolicyStreamService/HealthCheck", - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(PolicyStreamServiceServer).HealthCheck(ctx, req.(*HealthCheckReq)) - } - return interceptor(ctx, in, info, handler) -} - -func _PolicyStreamService_ContainerPolicy_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(PolicyStreamServiceServer).ContainerPolicy(&policyStreamServiceContainerPolicyServer{stream}) -} - -type PolicyStreamService_ContainerPolicyServer interface { - Send(*Policy) error - Recv() (*Response, error) - grpc.ServerStream -} - -type policyStreamServiceContainerPolicyServer struct { - grpc.ServerStream -} - -func (x *policyStreamServiceContainerPolicyServer) Send(m *Policy) error { - return x.ServerStream.SendMsg(m) -} - -func (x *policyStreamServiceContainerPolicyServer) Recv() (*Response, error) { - m := new(Response) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -func _PolicyStreamService_HostPolicy_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(PolicyStreamServiceServer).HostPolicy(&policyStreamServiceHostPolicyServer{stream}) -} - -type PolicyStreamService_HostPolicyServer interface { - Send(*Policy) error - Recv() (*Response, error) - grpc.ServerStream -} - -type policyStreamServiceHostPolicyServer struct { - grpc.ServerStream -} - -func (x *policyStreamServiceHostPolicyServer) Send(m *Policy) error { - return x.ServerStream.SendMsg(m) -} - -func (x *policyStreamServiceHostPolicyServer) Recv() (*Response, error) { - m := new(Response) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -// PolicyStreamService_ServiceDesc is the grpc.ServiceDesc for PolicyStreamService service. -// It's only intended for direct use with grpc.RegisterService, -// and not to be introspected or modified (even as a copy) -var PolicyStreamService_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "policy.PolicyStreamService", - HandlerType: (*PolicyStreamServiceServer)(nil), - Methods: []grpc.MethodDesc{ - { - MethodName: "HealthCheck", - Handler: _PolicyStreamService_HealthCheck_Handler, - }, - }, - Streams: []grpc.StreamDesc{ - { - StreamName: "containerPolicy", - Handler: _PolicyStreamService_ContainerPolicy_Handler, - ServerStreams: true, - ClientStreams: true, - }, - { - StreamName: "hostPolicy", - Handler: _PolicyStreamService_HostPolicy_Handler, - ServerStreams: true, - ClientStreams: true, - }, - }, - Metadata: "policy.proto", -} diff --git a/protobuf/state.pb.go b/protobuf/state.pb.go new file mode 100644 index 000000000..dc81b1e6e --- /dev/null +++ b/protobuf/state.pb.go @@ -0,0 +1,254 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.31.0 +// protoc v4.25.1 +// source: state.proto + +package protobuf + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + emptypb "google.golang.org/protobuf/types/known/emptypb" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type StateEvent struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"Kind,omitempty"` + Type string `protobuf:"bytes,2,opt,name=Type,proto3" json:"Type,omitempty"` + Name string `protobuf:"bytes,3,opt,name=Name,proto3" json:"Name,omitempty"` + Object []byte `protobuf:"bytes,4,opt,name=Object,proto3" json:"Object,omitempty"` +} + +func (x *StateEvent) Reset() { + *x = StateEvent{} + if protoimpl.UnsafeEnabled { + mi := &file_state_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *StateEvent) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*StateEvent) ProtoMessage() {} + +func (x *StateEvent) ProtoReflect() protoreflect.Message { + mi := &file_state_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use StateEvent.ProtoReflect.Descriptor instead. +func (*StateEvent) Descriptor() ([]byte, []int) { + return file_state_proto_rawDescGZIP(), []int{0} +} + +func (x *StateEvent) GetKind() string { + if x != nil { + return x.Kind + } + return "" +} + +func (x *StateEvent) GetType() string { + if x != nil { + return x.Type + } + return "" +} + +func (x *StateEvent) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +func (x *StateEvent) GetObject() []byte { + if x != nil { + return x.Object + } + return nil +} + +type StateEvents struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + StateEvents []*StateEvent `protobuf:"bytes,1,rep,name=StateEvents,proto3" json:"StateEvents,omitempty"` +} + +func (x *StateEvents) Reset() { + *x = StateEvents{} + if protoimpl.UnsafeEnabled { + mi := &file_state_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *StateEvents) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*StateEvents) ProtoMessage() {} + +func (x *StateEvents) ProtoReflect() protoreflect.Message { + mi := &file_state_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use StateEvents.ProtoReflect.Descriptor instead. +func (*StateEvents) Descriptor() ([]byte, []int) { + return file_state_proto_rawDescGZIP(), []int{1} +} + +func (x *StateEvents) GetStateEvents() []*StateEvent { + if x != nil { + return x.StateEvents + } + return nil +} + +var File_state_proto protoreflect.FileDescriptor + +var file_state_proto_rawDesc = []byte{ + 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0b, 0x73, + 0x74, 0x61, 0x74, 0x65, 0x5f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x1a, 0x1b, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x65, 0x6d, 0x70, 0x74, + 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x60, 0x0a, 0x0a, 0x53, 0x74, 0x61, 0x74, 0x65, + 0x45, 0x76, 0x65, 0x6e, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x4b, 0x69, 0x6e, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x04, 0x4b, 0x69, 0x6e, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x54, 0x79, 0x70, + 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, + 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x4e, 0x61, 0x6d, + 0x65, 0x12, 0x16, 0x0a, 0x06, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, + 0x0c, 0x52, 0x06, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x22, 0x48, 0x0a, 0x0b, 0x53, 0x74, 0x61, + 0x74, 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x39, 0x0a, 0x0b, 0x53, 0x74, 0x61, 0x74, + 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, + 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x74, 0x61, 0x74, + 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x0b, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x76, 0x65, + 0x6e, 0x74, 0x73, 0x32, 0x8d, 0x01, 0x0a, 0x0a, 0x53, 0x74, 0x61, 0x74, 0x65, 0x41, 0x67, 0x65, + 0x6e, 0x74, 0x12, 0x3f, 0x0a, 0x0a, 0x57, 0x61, 0x74, 0x63, 0x68, 0x53, 0x74, 0x61, 0x74, 0x65, + 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, + 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x17, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x65, + 0x5f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x76, 0x65, 0x6e, + 0x74, 0x30, 0x01, 0x12, 0x3e, 0x0a, 0x08, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, + 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x18, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, + 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, + 0x73, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, + 0x41, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_state_proto_rawDescOnce sync.Once + file_state_proto_rawDescData = file_state_proto_rawDesc +) + +func file_state_proto_rawDescGZIP() []byte { + file_state_proto_rawDescOnce.Do(func() { + file_state_proto_rawDescData = protoimpl.X.CompressGZIP(file_state_proto_rawDescData) + }) + return file_state_proto_rawDescData +} + +var file_state_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_state_proto_goTypes = []interface{}{ + (*StateEvent)(nil), // 0: state_agent.StateEvent + (*StateEvents)(nil), // 1: state_agent.StateEvents + (*emptypb.Empty)(nil), // 2: google.protobuf.Empty +} +var file_state_proto_depIdxs = []int32{ + 0, // 0: state_agent.StateEvents.StateEvents:type_name -> state_agent.StateEvent + 2, // 1: state_agent.StateAgent.WatchState:input_type -> google.protobuf.Empty + 2, // 2: state_agent.StateAgent.GetState:input_type -> google.protobuf.Empty + 0, // 3: state_agent.StateAgent.WatchState:output_type -> state_agent.StateEvent + 1, // 4: state_agent.StateAgent.GetState:output_type -> state_agent.StateEvents + 3, // [3:5] is the sub-list for method output_type + 1, // [1:3] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name +} + +func init() { file_state_proto_init() } +func file_state_proto_init() { + if File_state_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_state_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*StateEvent); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_state_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*StateEvents); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_state_proto_rawDesc, + NumEnums: 0, + NumMessages: 2, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_state_proto_goTypes, + DependencyIndexes: file_state_proto_depIdxs, + MessageInfos: file_state_proto_msgTypes, + }.Build() + File_state_proto = out.File + file_state_proto_rawDesc = nil + file_state_proto_goTypes = nil + file_state_proto_depIdxs = nil +} diff --git a/protobuf/state.proto b/protobuf/state.proto new file mode 100644 index 000000000..34a8a9cba --- /dev/null +++ b/protobuf/state.proto @@ -0,0 +1,26 @@ +syntax = "proto3"; + +package state_agent; + +import "google/protobuf/empty.proto"; + +option go_package="github.com/kubearmor/KubeArmor/protobuf"; + +message StateEvent { + string Kind=1; + string Type=2; + string Name=3; + bytes Object=4; +} + +message StateEvents { + repeated StateEvent StateEvents=1; +} + +service StateAgent { + // stream which continuously pushes state events + rpc WatchState (google.protobuf.Empty) returns (stream StateEvent); + + // get all state events in one go + rpc GetState (google.protobuf.Empty) returns (stream StateEvents); +} diff --git a/protobuf/state_grpc.pb.go b/protobuf/state_grpc.pb.go new file mode 100644 index 000000000..448e0907c --- /dev/null +++ b/protobuf/state_grpc.pb.go @@ -0,0 +1,203 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.3.0 +// - protoc v4.25.1 +// source: state.proto + +package protobuf + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" + emptypb "google.golang.org/protobuf/types/known/emptypb" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.32.0 or later. +const _ = grpc.SupportPackageIsVersion7 + +const ( + StateAgent_WatchState_FullMethodName = "/state_agent.StateAgent/WatchState" + StateAgent_GetState_FullMethodName = "/state_agent.StateAgent/GetState" +) + +// StateAgentClient is the client API for StateAgent service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type StateAgentClient interface { + // stream which continuously pushes state events + WatchState(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (StateAgent_WatchStateClient, error) + // get all state events in one go + GetState(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (StateAgent_GetStateClient, error) +} + +type stateAgentClient struct { + cc grpc.ClientConnInterface +} + +func NewStateAgentClient(cc grpc.ClientConnInterface) StateAgentClient { + return &stateAgentClient{cc} +} + +func (c *stateAgentClient) WatchState(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (StateAgent_WatchStateClient, error) { + stream, err := c.cc.NewStream(ctx, &StateAgent_ServiceDesc.Streams[0], StateAgent_WatchState_FullMethodName, opts...) + if err != nil { + return nil, err + } + x := &stateAgentWatchStateClient{stream} + if err := x.ClientStream.SendMsg(in); err != nil { + return nil, err + } + if err := x.ClientStream.CloseSend(); err != nil { + return nil, err + } + return x, nil +} + +type StateAgent_WatchStateClient interface { + Recv() (*StateEvent, error) + grpc.ClientStream +} + +type stateAgentWatchStateClient struct { + grpc.ClientStream +} + +func (x *stateAgentWatchStateClient) Recv() (*StateEvent, error) { + m := new(StateEvent) + if err := x.ClientStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +func (c *stateAgentClient) GetState(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (StateAgent_GetStateClient, error) { + stream, err := c.cc.NewStream(ctx, &StateAgent_ServiceDesc.Streams[1], StateAgent_GetState_FullMethodName, opts...) + if err != nil { + return nil, err + } + x := &stateAgentGetStateClient{stream} + if err := x.ClientStream.SendMsg(in); err != nil { + return nil, err + } + if err := x.ClientStream.CloseSend(); err != nil { + return nil, err + } + return x, nil +} + +type StateAgent_GetStateClient interface { + Recv() (*StateEvents, error) + grpc.ClientStream +} + +type stateAgentGetStateClient struct { + grpc.ClientStream +} + +func (x *stateAgentGetStateClient) Recv() (*StateEvents, error) { + m := new(StateEvents) + if err := x.ClientStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +// StateAgentServer is the server API for StateAgent service. +// All implementations should embed UnimplementedStateAgentServer +// for forward compatibility +type StateAgentServer interface { + // stream which continuously pushes state events + WatchState(*emptypb.Empty, StateAgent_WatchStateServer) error + // get all state events in one go + GetState(*emptypb.Empty, StateAgent_GetStateServer) error +} + +// UnimplementedStateAgentServer should be embedded to have forward compatible implementations. +type UnimplementedStateAgentServer struct { +} + +func (UnimplementedStateAgentServer) WatchState(*emptypb.Empty, StateAgent_WatchStateServer) error { + return status.Errorf(codes.Unimplemented, "method WatchState not implemented") +} +func (UnimplementedStateAgentServer) GetState(*emptypb.Empty, StateAgent_GetStateServer) error { + return status.Errorf(codes.Unimplemented, "method GetState not implemented") +} + +// UnsafeStateAgentServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to StateAgentServer will +// result in compilation errors. +type UnsafeStateAgentServer interface { + mustEmbedUnimplementedStateAgentServer() +} + +func RegisterStateAgentServer(s grpc.ServiceRegistrar, srv StateAgentServer) { + s.RegisterService(&StateAgent_ServiceDesc, srv) +} + +func _StateAgent_WatchState_Handler(srv interface{}, stream grpc.ServerStream) error { + m := new(emptypb.Empty) + if err := stream.RecvMsg(m); err != nil { + return err + } + return srv.(StateAgentServer).WatchState(m, &stateAgentWatchStateServer{stream}) +} + +type StateAgent_WatchStateServer interface { + Send(*StateEvent) error + grpc.ServerStream +} + +type stateAgentWatchStateServer struct { + grpc.ServerStream +} + +func (x *stateAgentWatchStateServer) Send(m *StateEvent) error { + return x.ServerStream.SendMsg(m) +} + +func _StateAgent_GetState_Handler(srv interface{}, stream grpc.ServerStream) error { + m := new(emptypb.Empty) + if err := stream.RecvMsg(m); err != nil { + return err + } + return srv.(StateAgentServer).GetState(m, &stateAgentGetStateServer{stream}) +} + +type StateAgent_GetStateServer interface { + Send(*StateEvents) error + grpc.ServerStream +} + +type stateAgentGetStateServer struct { + grpc.ServerStream +} + +func (x *stateAgentGetStateServer) Send(m *StateEvents) error { + return x.ServerStream.SendMsg(m) +} + +// StateAgent_ServiceDesc is the grpc.ServiceDesc for StateAgent service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var StateAgent_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "state_agent.StateAgent", + HandlerType: (*StateAgentServer)(nil), + Methods: []grpc.MethodDesc{}, + Streams: []grpc.StreamDesc{ + { + StreamName: "WatchState", + Handler: _StateAgent_WatchState_Handler, + ServerStreams: true, + }, + { + StreamName: "GetState", + Handler: _StateAgent_GetState_Handler, + ServerStreams: true, + }, + }, + Metadata: "state.proto", +}