
enforcer(bpf): automatically mount bpffs #1097


@DelusionalOptimist (Member) commented Feb 7, 2023

Signed-off-by: Rudraksh Pareek <rudraksh@accuknox.com>

Purpose of PR?:

May fix #1005

Does this PR introduce a breaking change?
Nope

If the changes in this PR are manually verified, list down the scenarios covered::

  • Tested on k3s using kubearmor-test-k3s.yaml
    • bpffs is not mounted on the host (umount /sys/fs/bpf) - kubearmor-init now mounts it when deployed
    • bpffs is mounted on the host - no changes

Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs
Though the SYS_ADMIN capability should be enough for mounting filesystems, bpffs needs the container to be privileged.

Checklist:

  • Bug fix. Fixes #
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

Review threads (outdated, resolved) on KubeArmor/build/compile.sh and deployments/get/objects.go
@DelusionalOptimist force-pushed the DelusionalOptimist/chore/bpffs-automount branch from bbf3321 to a902510 on February 8, 2023 13:51
@DelusionalOptimist changed the title from "feat(kukearmor-init): Update kubearmor-init to automatically mount bpffs" to "enforcer(bpf): automatically mount bpffs" on Feb 8, 2023
@DelusionalOptimist (Member, Author) commented:

Update: Cilium too uses a privileged init container, Mount-bpf, for bidirectional mounting, and the cilium-agent is unprivileged by default but may be privileged if specified through Helm values. Mount-bpf does the mounting work when Cilium is running in K8s.

However, the logic we've implemented now would create /sys/fs/bpf in KubeArmor's container if it wasn't mounted on the host and mount the bpffs in it. The host would remain undisturbed and we could bypass the need for a privileged container.
Also, @daemon1024 pointed out that we don't really need persistence of BPF maps, so even if the KubeArmor pod was killed, the policies will remain intact and be restored on restart (we also tried this out).
In case KubeArmor is running outside K8s, it would mount bpffs itself if not already mounted.

cc @nyrahul @kranurag7
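The decision the comment above describes (reuse the host's bpffs when it is visible at /sys/fs/bpf, otherwise create the directory and mount a fresh bpffs there) can be made from /proc/self/mountinfo. The following Go program is an added example written for this page; it is not KubeArmor's or Cilium's code, and the function names, the injected mkdir/mount hooks and the sample mountinfo rows are my own constructions. It parses mountinfo rows (mount point is the 5th field, filesystem type is the first field after the " - " separator), mounts only when no bpffs is already present at the target, and cross-checks the result with the bpffs superblock magic from statfs(2).

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path"
	"strings"
	"syscall"
)

// BPFFSMagic is the f_type statfs(2) reports for a bpffs superblock
// (BPF_FS_MAGIC in the kernel's uapi/linux/magic.h).
const BPFFSMagic int64 = 0xcafe4a11

// IsBPFFSMagic reports whether a statfs f_type value denotes bpffs.
func IsBPFFSMagic(fsType int64) bool { return fsType == BPFFSMagic }

// unescapeMountField undoes the octal escapes /proc/*/mountinfo uses for
// whitespace and backslashes inside path fields.
func unescapeMountField(s string) string {
	return strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`).Replace(s)
}

// FindBPFFS scans mountinfo-formatted text (as read from /proc/self/mountinfo)
// and reports whether a filesystem of type "bpf" is mounted exactly at target.
// A row looks like:
//   32 21 0:28 / /sys/fs/bpf rw,nosuid,nodev,noexec,relatime shared:14 - bpf bpf rw,mode=700
// Fields before " - ": mount ID, parent ID, major:minor, root, mount point,
// mount options, optional tags. Fields after: fstype, source, super options.
func FindBPFFS(mountinfo, target string) (bool, error) {
	target = path.Clean(target)
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		pre, post, ok := strings.Cut(line, " - ")
		if !ok {
			return false, fmt.Errorf("malformed mountinfo row: %q", line)
		}
		preFields, postFields := strings.Fields(pre), strings.Fields(post)
		if len(preFields) < 6 || len(postFields) < 1 {
			return false, fmt.Errorf("short mountinfo row: %q", line)
		}
		mountPoint := path.Clean(unescapeMountField(preFields[4]))
		if mountPoint == target && postFields[0] == "bpf" {
			return true, nil
		}
	}
	return false, sc.Err()
}

// MountFunc has the signature of syscall.Mount so a fake can be injected.
type MountFunc func(source, target, fstype string, flags uintptr, data string) error

// EnsureBPFFS mounts a bpffs at target unless one is already visible there.
// It returns true when it performed a mount and false when an existing mount
// (for example the host's, seen through a hostPath volume) was left as is.
// mkdir and mount are injected so the logic is testable without CAP_SYS_ADMIN;
// real callers pass os.MkdirAll and syscall.Mount.
func EnsureBPFFS(target, mountinfo string, mkdir func(string, os.FileMode) error, mount MountFunc) (bool, error) {
	present, err := FindBPFFS(mountinfo, target)
	if err != nil {
		return false, err
	}
	if present {
		return false, nil // host bpffs already mounted: leave it undisturbed
	}
	// No bpffs here: create the directory (inside the container when the host
	// has none) and mount a private bpffs. Maps pinned in it do not survive the
	// mount namespace, which the thread judges acceptable since policies are
	// re-applied on restart.
	if err := mkdir(target, 0o755); err != nil {
		return false, fmt.Errorf("create %s: %w", target, err)
	}
	if err := mount("bpf", target, "bpf", 0, ""); err != nil {
		return false, fmt.Errorf("mount bpffs at %s: %w", target, err)
	}
	return true, nil
}

func main() {
	const target = "/sys/fs/bpf"
	info, err := os.ReadFile("/proc/self/mountinfo")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// EPERM from the mount means the caller lacks CAP_SYS_ADMIN in its mount namespace.
	mounted, err := EnsureBPFFS(target, string(info), os.MkdirAll, syscall.Mount)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	var st syscall.Statfs_t
	if err := syscall.Statfs(target, &st); err == nil && !IsBPFFSMagic(int64(st.Type)) {
		fmt.Fprintln(os.Stderr, "warning:", target, "does not report BPF_FS_MAGIC")
	}
	fmt.Printf("bpffs at %s (newly mounted: %v)\n", target, mounted)
}
```

Run it as root (or with CAP_SYS_ADMIN) on a host with `umount /sys/fs/bpf` applied to exercise the mount path; on a host where bpffs is already mounted it reports `newly mounted: false` and changes nothing, matching the two scenarios listed in the PR description.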

@nyrahul nyrahul self-requested a review February 9, 2023 04:14
@nyrahul (Contributor) left a comment


Mostly LGTM. Please check for review comment inline.

Review thread (resolved) on KubeArmor/enforcer/bpflsm/bpffs.go
@DelusionalOptimist force-pushed the DelusionalOptimist/chore/bpffs-automount branch from a902510 to bafc2a3 on February 9, 2023 04:47
@achrefbensaad achrefbensaad self-requested a review February 9, 2023 06:06
@daemon1024 (Member) left a comment


LGTM, just one minor nit

Review thread (resolved) on KubeArmor/enforcer/bpflsm/bpffs.go
@DelusionalOptimist force-pushed the DelusionalOptimist/chore/bpffs-automount branch from bafc2a3 to 2b8bf35 on February 9, 2023 07:39
@achrefbensaad (Member) left a comment


LGTM! Needs to be tested on AZL2 before merging.

@nyrahul (Contributor) left a comment


LGTM

@DelusionalOptimist (Member, Author) commented:

Tested on AL2. Good to merge.

@daemon1024 daemon1024 merged commit 2a8e429 into kubearmor:main Feb 11, 2023
@DelusionalOptimist DelusionalOptimist deleted the DelusionalOptimist/chore/bpffs-automount branch July 3, 2023 06:24
Successfully merging this pull request may close these issues.

Amazon Linux 2 Support for BPF-LSM