Fixes bug #1787 non-k8s: KubeArmor panics when not-enabled policy type is received #1789

Merged (1 commit) on Aug 12, 2024

itsCheithanya
Contributor

This fixes the bug where KubeArmor panics when a not-enabled policy type is received.
Reproduce the issue:
Modify the make run target in KubeArmor's Makefile to something like the below so that host policy is disabled:

 cd $(CURDIR); DEBUG=true sudo -E ./kubearmor -k8s=false -logPath=/tmp/kubearmor.log -enableKubeArmorPolicy -defaultFilePosture block -defaultCapabilitiesPosture block -defaultNetworkPosture block 

Once KubeArmor is running, send the below host policy by running karmor vm policy --gRPC=:32767 add <path-to-policy>:


apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-block-sleep
spec:
  severity: 10
  message: "sleep was attempted to be executed"
  tags:
  - ALERT
  nodeSelector:
    matchLabels:
      kubearmor.io/hostname: '*'
  process:
    matchPaths:
    - path: /usr/bin/sleep
  action:
    Block

You'll see that KubeArmor doesn't panic :

Fixes #1787

If the changes in this PR are manually verified, list down the scenarios covered::

Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs

Checklist:

  • Bug fix. Fixes non-k8s: KubeArmor panics when not-enabled policy type is received #1787
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests
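
The failure mode described in this PR, reduced to a stand-alone Go sketch (an added example, not KubeArmor's code; `PolicyServer`, `HostHandler` and the `Status` values are hypothetical names). A handler that is only wired up when its policy type is enabled has to be checked before it is called, so the client gets an explicit "not enabled" status instead of taking the agent down:

```go
package main

import "fmt"

// Status is a hypothetical result code returned to the policy client.
type Status int

const (
	StatusApplied    Status = iota
	StatusInvalid           // handler rejected the policy
	StatusNotEnabled        // policy type is disabled on this agent
)

// PolicyServer models a service whose handler is set only when host policies are enabled.
type PolicyServer struct {
	HostHandler func(policy string) error // nil when host policies are disabled
}

// UnsafeHostPolicy calls the handler unconditionally: a nil handler means a panic.
func (s *PolicyServer) UnsafeHostPolicy(policy string) Status {
	if err := s.HostHandler(policy); err != nil {
		return StatusInvalid
	}
	return StatusApplied
}

// SafeHostPolicy rejects the request with an explicit status instead.
func (s *PolicyServer) SafeHostPolicy(policy string) Status {
	if s.HostHandler == nil {
		return StatusNotEnabled
	}
	if err := s.HostHandler(policy); err != nil {
		return StatusInvalid
	}
	return StatusApplied
}

// Panics reports whether f panicked, so the crash can be observed safely.
func Panics(f func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	f()
	return false
}

func main() {
	s := &PolicyServer{} // constructed case: started without host policy support
	fmt.Println("unsafe panics:", Panics(func() { s.UnsafeHostPolicy("hsp-block-sleep") }))
	fmt.Println("safe returns NotEnabled:", s.SafeHostPolicy("hsp-block-sleep") == StatusNotEnabled)
}
```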

Member

@DelusionalOptimist DelusionalOptimist left a comment

Thanks @itsCheithanya!
Minor changes to address... Looking good otherwise.

KubeArmor/policy/policy.go: 3 review threads (outdated, resolved)
Member

@DelusionalOptimist DelusionalOptimist left a comment

Thanks for addressing the changes.
Please see the comments inline @itsCheithanya

protobuf/policy.proto: 1 review thread (outdated, resolved)
KubeArmor/policy/policy.go: 1 review thread (outdated, resolved)
Member

@DelusionalOptimist DelusionalOptimist left a comment

LGTM. Thanks @itsCheithanya! 🚀
Please rebase with main so that we can merge.

Can you also do the changes required for handling this new error code in kubearmor-client?

Signed-off-by: Cheithanya <cheithanya2002@gmail.com>
@DelusionalOptimist DelusionalOptimist merged commit 0501772 into kubearmor:main Aug 12, 2024
16 of 17 checks passed
Contributor Author

itsCheithanya commented Aug 13, 2024

> LGTM. Thanks @itsCheithanya! 🚀 Please rebase with main so that we can merge.
>
> Can you also do the changes required for handling this new error code in kubearmor-client?

Sure will do that :)
