Fixes bug #1787 when not-enabled policy type is received

Signed-off-by: Cheithanya <cheithanya2002@gmail.com>
kubearmor · Jul 22, 2024 · b369910 · b369910
1 parent 9ce5979
commit b369910
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 46 deletions.
diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
@@ -771,7 +771,10 @@ func KubeArmor() {
 	}
 
 	if !dm.K8sEnabled && (enableContainerPolicy || cfg.GlobalCfg.HostPolicy) {
-		policyService := &policy.PolicyServer{}
+		policyService := &policy.PolicyServer{
+			ContainerPolicyEnabled: enableContainerPolicy,
+			HostPolicyEnabled:      cfg.GlobalCfg.HostPolicy,
+		}
 		if enableContainerPolicy {
 			policyService.UpdateContainerPolicy = dm.ParseAndUpdateContainerSecurityPolicy
 			dm.Logger.Print("Started to monitor container security policies on gRPC")

diff --git a/KubeArmor/policy/policy.go b/KubeArmor/policy/policy.go
@@ -16,15 +16,21 @@ import (
 // PolicyServer provides structure to serve Policy gRPC service
 type PolicyServer struct {
 	pb.PolicyServiceServer
-	UpdateContainerPolicy func(tp.K8sKubeArmorPolicyEvent) pb.PolicyStatus
-	UpdateHostPolicy      func(tp.K8sKubeArmorHostPolicyEvent) pb.PolicyStatus
+	UpdateContainerPolicy  func(tp.K8sKubeArmorPolicyEvent) pb.PolicyStatus
+	UpdateHostPolicy       func(tp.K8sKubeArmorHostPolicyEvent) pb.PolicyStatus
+	ContainerPolicyEnabled bool
+	HostPolicyEnabled      bool
 }
 
 // ContainerPolicy accepts container events on gRPC and update container security policies
 func (p *PolicyServer) ContainerPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) {
-	policyEvent := tp.K8sKubeArmorPolicyEvent{}
 	res := new(pb.Response)
-
+	if !p.ContainerPolicyEnabled {
+		res.Status = pb.PolicyStatus_NotEnabled
+		kg.Warn("Container policies are not enabled")
+		return res, nil
+	}
+	policyEvent := tp.K8sKubeArmorPolicyEvent{}
 	err := json.Unmarshal(data.Policy, &policyEvent)
 
 	if err == nil {
@@ -50,9 +56,13 @@ func (p *PolicyServer) ContainerPolicy(c context.Context, data *pb.Policy) (*pb.
 
 // HostPolicy accepts host policy event on gRPC service and updates host security policies. It responds with 1 if success else 0.
 func (p *PolicyServer) HostPolicy(c context.Context, data *pb.Policy) (*pb.Response, error) {
-
-	policyEvent := tp.K8sKubeArmorHostPolicyEvent{}
 	res := new(pb.Response)
+	if !p.HostPolicyEnabled {
+		res.Status = pb.PolicyStatus_NotEnabled
+		kg.Warn("Host policies are not enabled")
+		return res, nil
+	}
+	policyEvent := tp.K8sKubeArmorHostPolicyEvent{}
 
 	err := json.Unmarshal(data.Policy, &policyEvent)
 	if err == nil {

diff --git a/protobuf/policy.pb.go b/protobuf/policy.pb.go
diff --git a/protobuf/policy.proto b/protobuf/policy.proto
@@ -13,6 +13,7 @@ enum PolicyStatus {
   Modified = 3 ;
   NotExist = 4;
   Invalid = 5;
+  NotEnabled = 6 ;
 }
 
 message response {

diff --git a/protobuf/policy_grpc.pb.go b/protobuf/policy_grpc.pb.go