modifies the detect enforcer function in the controller #1497
Conversation
Signed-off-by: swastik959 <Sswastik959@gmail.com>
@swastik959 thanks for your contribution, can you also handle the deployment-related changes with this PR itself?
Thank you for the PR. For others' reference, the PR removes the need to depend on the /sys/kernel/security/lsm file to detect enforcer settings. KubeArmor implemented an operator pattern sometime back that affixes a label on the node that specifies the policy enforcer in use.
However, my understanding is that this label is created only when the operator pattern is used and if someone deploys the kubearmor using the karmor cli then these labels are present.
@daemon1024 @Ankurk99 @achrefbensaad , isn't this correct?
I guess, we eventually intend to use operator mode of deployment even with karmor cli, but right now it is not present.
It is best to keep this PR active till next release and merge it along with the karmor changes.
using the karmor cli then these labels are not present.
@nyrahul can you create a separate issue for that? I would like to work on it.
@@ -26,6 +27,9 @@ import ( | |||
securityv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" | |||
"github.com/kubearmor/KubeArmor/pkg/KubeArmorController/controllers" | |||
"github.com/kubearmor/KubeArmor/pkg/KubeArmorController/handlers" | |||
"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/common" |
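Review bot: the new import of "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/common" makes the controller depend on the operator package, so go.mod and go.sum must be updated to match (the go mod tidy already requested), and it is worth checking that the controller binary does not pick up the operator's transitive dependencies as a side effect; if only a label key constant is needed from common, a small shared package would keep the coupling narrower.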
Please do go mod tidy here and update the deps.
@@ -139,29 +143,29 @@ func main() { | |||
} | |||
|
|||
// detect the enforcer on the node | |||
func detectEnforcer(logger logr.Logger) string { | |||
func detectEnforcer(logger logr.Logger, client client.Client, nodeName string) string { |
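Review bot: in the new signature func detectEnforcer(logger logr.Logger, client client.Client, nodeName string) string, the parameter named client shadows the imported client package for the whole function body, so the type client.Client and helpers such as client.ObjectKey can no longer be referenced inside it; renaming the parameter to c or k8sClient avoids that. The existing call site detectEnforcer(setupLog) in the webhook registration also has to be updated to pass the client and node name, and the function should state what it returns when the node or its enforcer label cannot be read (empty string versus a sentinel value) so callers can fail closed instead of silently running without an enforcer.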
We can use context.Context here instead of using context.TODO() later, but I think it's okay given we use context.TODO() at other places in the code as well.
// cc @daemon1024
w.r.t. this change, please update the call where we are registering the webhook with the updated arguments. We should update this Enforcer: detectEnforcer(setupLog), as well.
@kranurag7 should I make changes in the podannotator struct itself, or just add the client and node name in the same file's main function?
Folks, FYI kubearmor-client now installs KubeArmor using the operator, since it was a blocker to this PR earlier.
Resolved with #1335. Thanks for the PR @swastik959
Purpose of PR?:
KubeArmor makes use of /sys/kernel/security/lsm to detect the enforcer. This can be removed, as the operator now deploys the snitch, which detects the enforcer and adds it to the node label.
Fixes #1389
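To illustrate the two detection approaches the PR description contrasts, here is an added example (not KubeArmor's own code): the old file-based mapping from the contents of /sys/kernel/security/lsm, and the label-first detection that prefers the operator's node label but only accepts values it recognises. The label key, the accepted value set and the bpf > apparmor > selinux preference order are assumptions, since the page does not state them.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed label key and value set (hypothetical placeholders; the real key the
// KubeArmor operator's snitch writes is not shown on this page).
const enforcerLabelKey = "kubearmor.io/enforcer"

var canonical = map[string]string{"bpf": "BPFLSM", "bpflsm": "BPFLSM", "apparmor": "AppArmor", "selinux": "SELinux"}

// enforcerFromLSMList mirrors the file-based detection the PR removes: it takes
// the contents of /sys/kernel/security/lsm (comma-separated active LSMs) and
// picks an enforcer; the preference order bpf > apparmor > selinux is assumed.
func enforcerFromLSMList(lsm string) string {
	active := map[string]bool{}
	for _, name := range strings.Split(lsm, ",") {
		active[strings.ToLower(strings.TrimSpace(name))] = true
	}
	for _, pref := range []string{"bpf", "apparmor", "selinux"} {
		if active[pref] {
			return canonical[pref]
		}
	}
	return "NA"
}

// detectEnforcer is label-first, as the PR describes: a recognised node label
// wins, an unknown label value is ignored rather than trusted, and the LSM list
// (if the caller can still read it) is the fallback. It returns the enforcer
// and which source decided it, so the choice can be logged.
func detectEnforcer(nodeLabels map[string]string, lsmContents string) (string, string) {
	if v, ok := nodeLabels[enforcerLabelKey]; ok {
		if e, known := canonical[strings.ToLower(strings.TrimSpace(v))]; known {
			return e, "node-label"
		}
	}
	if strings.TrimSpace(lsmContents) != "" {
		return enforcerFromLSMList(lsmContents), "lsm-file"
	}
	return "NA", "none"
}

func main() {
	// Constructed inputs: an operator-labelled node, then an unlabelled node
	// whose /sys/kernel/security/lsm looks like a typical AppArmor host.
	fmt.Println(detectEnforcer(map[string]string{enforcerLabelKey: "bpf"}, ""))
	fmt.Println(detectEnforcer(nil, "lockdown,capability,yama,apparmor"))
}
```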