recording webhook: Remove webhook state #1112

Merged
merged 7 commits into from
Sep 7, 2022
Merged
65 changes: 21 additions & 44 deletions api/profilerecording/v1alpha1/profilerecording_types.go
Expand Up @@ -21,6 +21,7 @@ import (
"time"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
utilrand "k8s.io/apimachinery/pkg/util/rand"

"sigs.k8s.io/security-profiles-operator/internal/pkg/config"
)
Expand All @@ -35,7 +36,6 @@ const (
type ProfileRecorder string

const (
ProfileRecorderHook ProfileRecorder = "hook"
ProfileRecorderLogs ProfileRecorder = "logs"
ProfileRecorderBpf ProfileRecorder = "bpf"
)
Expand All @@ -47,7 +47,7 @@ type ProfileRecordingSpec struct {
Kind ProfileRecordingKind `json:"kind"`

// Recorder to be used.
// +kubebuilder:validation:Enum=bpf;hook;logs
// +kubebuilder:validation:Enum=bpf;logs
Recorder ProfileRecorder `json:"recorder"`

// PodSelector selects the pods to record. This field follows standard
Expand Down Expand Up @@ -80,17 +80,12 @@ type ProfileRecording struct {
Status ProfileRecordingStatus `json:"status,omitempty"`
}

func (pr *ProfileRecording) CtrAnnotation(replica, ctrName string) (key, value string, err error) {
ctrReplicaName := ctrName
if replica != "" {
ctrReplicaName += replica
}

func (pr *ProfileRecording) CtrAnnotation(ctrName string) (key, value string, err error) {
switch pr.Spec.Kind {
case ProfileRecordingKindSeccompProfile:
return pr.ctrAnnotationSeccomp(ctrReplicaName, ctrName)
return pr.ctrAnnotationSeccomp(ctrName)
case ProfileRecordingKindSelinuxProfile:
return pr.ctrAnnotationSelinux(ctrReplicaName, ctrName)
return pr.ctrAnnotationSelinux(ctrName)
}

return "", "", fmt.Errorf(
Expand All @@ -106,69 +101,51 @@ func (pr *ProfileRecording) IsKindSupported() bool {
return false
}

func (pr *ProfileRecording) ctrAnnotationSeccomp(ctrReplicaName, ctrName string) (key, value string, err error) {
func (pr *ProfileRecording) ctrAnnotationValue(ctrName string) string {
const nonceSize = 5

return fmt.Sprintf(
"%s_%s_%s_%d",
pr.GetName(),
ctrName,
utilrand.String(nonceSize),
time.Now().Unix(),
)
}

func (pr *ProfileRecording) ctrAnnotationSeccomp(ctrName string) (key, value string, err error) {
var annotationPrefix string

switch pr.Spec.Recorder {
case ProfileRecorderHook:
annotationPrefix = config.SeccompProfileRecordHookAnnotationKey
value = fmt.Sprintf(
"of:%s/%s-%s-%d.json",
config.ProfileRecordingOutputPath,
pr.GetName(),
ctrReplicaName,
time.Now().Unix(),
)

case ProfileRecorderLogs:
annotationPrefix = config.SeccompProfileRecordLogsAnnotationKey
value = fmt.Sprintf(
"%s-%s-%d",
pr.GetName(),
ctrReplicaName,
time.Now().Unix(),
)

case ProfileRecorderBpf:
annotationPrefix = config.SeccompProfileRecordBpfAnnotationKey
value = fmt.Sprintf(
"%s-%s-%d",
pr.GetName(),
ctrReplicaName,
time.Now().Unix(),
)

default:
return "", "", fmt.Errorf(
"invalid recorder: %s", pr.Spec.Recorder,
)
}

key = annotationPrefix + ctrName
value = pr.ctrAnnotationValue(ctrName)
return key, value, err
}

func (pr *ProfileRecording) ctrAnnotationSelinux(ctrReplicaName, ctrName string) (key, value string, err error) {
func (pr *ProfileRecording) ctrAnnotationSelinux(ctrName string) (key, value string, err error) {
var annotationPrefix string

switch pr.Spec.Recorder {
case ProfileRecorderLogs:
annotationPrefix = config.SelinuxProfileRecordLogsAnnotationKey
value = fmt.Sprintf(
"%s-%s-%d",
pr.GetName(),
ctrReplicaName,
time.Now().Unix(),
)

case ProfileRecorderHook:
case ProfileRecorderBpf:
default:
return "", "", fmt.Errorf(
"invalid recorder: %s, only %s is supported", pr.Spec.Recorder, ProfileRecorderLogs,
)
}

value = pr.ctrAnnotationValue(ctrName)
key = annotationPrefix + ctrName
return
}
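Review bot: In `ctrAnnotationSelinux` the new side still has an empty `case ProfileRecorderBpf:` immediately before `default:`; Go does not fall through, so a SELinux recording with `recorder: bpf` matches that case, does nothing, leaves `annotationPrefix` empty and returns `key = ctrName` with a nil error instead of the "only logs is supported" error — the pod ends up with a bare container-name annotation. Deleting that line (or writing `case ProfileRecorderBpf:` followed by `fallthrough`) sends the unsupported recorder into the error branch; the simplest change is to replace the two lines `case ProfileRecorderBpf:` / `default:` with just `default:`. The same empty-case pattern already existed for the hook recorder, so this is pre-existing rather than introduced, but the commit edits exactly this switch and removes only one of the two dead cases. Separately, `ctrAnnotationValue` now tells containers apart only by a 5-character `utilrand` nonce plus a one-second `time.Now().Unix()`; collisions between replicas admitted in the same second are improbable but undetected, so a comment such as `// nonce distinguishes replicas admitted in the same second; uniqueness only, not secrecy (utilrand is not a CSPRNG)` would make the intent and limits explicit.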
Expand Up @@ -105,7 +105,6 @@ spec:
description: Recorder to be used.
enum:
- bpf
- hook
- logs
type: string
required:
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,14 @@ rules:
- events
verbs:
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- security-profiles-operator.x-k8s.io
resources:
1 change: 0 additions & 1 deletion deploy/base-crds/crds/profilerecording.yaml
Expand Up @@ -103,7 +103,6 @@ spec:
description: Recorder to be used.
enum:
- bpf
- hook
- logs
type: string
required:
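Review bot: Removing `hook` from the `recorder` enum comes with no migration for objects already stored with `recorder: hook`; CRD validation applies on writes, so such a ProfileRecording stays in etcd, presumably hits the operator's `invalid recorder` error path on its next reconcile, and any later update to it is rejected by the API server. Since the break is intentional and v1alpha1 permits it, it should at least be stated in the release notes that existing `hook` recordings must be deleted or switched to `bpf`/`logs` before upgrading, e.g. a one-line pre-upgrade check like `kubectl get profilerecordings -A -o json | jq '.items[] | select(.spec.recorder=="hook") | .metadata.name'`.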
8 changes: 8 additions & 0 deletions deploy/base/role.yaml
Expand Up @@ -448,6 +448,14 @@ rules:
- events
verbs:
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- security-profiles-operator.x-k8s.io
resources:
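Review bot: The added rule grants `get`/`list`/`watch` on `pods` in the core API group and nothing in the hunk narrows it; the `kind` of the enclosing rules block at @@ -448 is outside the hunk, but if it is a ClusterRole the webhook can now read every pod spec in the cluster, including env vars and command arguments, which is more than it needs if the purpose (presumably, given the PR title) is to derive replica state from the pods a ProfileRecording's podSelector matches. RBAC cannot be restricted by label, so if cluster scope is genuinely required the least-privilege measures are on the client side — a label-selector-scoped pod informer/cache rather than an unfiltered list — and the rule deserves a comment recording why it exists, e.g. `# webhook: lists pods matched by a ProfileRecording podSelector (replaces in-memory replica state)`. The same eight lines are repeated in five deploy manifests; confirm they are regenerated from this source rather than hand-edited so the copies cannot drift.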
1 change: 0 additions & 1 deletion deploy/helm/crds/crds.yaml
Expand Up @@ -182,7 +182,6 @@ spec:
description: Recorder to be used.
enum:
- bpf
- hook
- logs
type: string
required:
8 changes: 8 additions & 0 deletions deploy/helm/templates/static-resources.yaml
Expand Up @@ -492,6 +492,14 @@ rules:
- events
verbs:
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- security-profiles-operator.x-k8s.io
resources:
9 changes: 8 additions & 1 deletion deploy/namespace-operator.yaml
Expand Up @@ -182,7 +182,6 @@ spec:
description: Recorder to be used.
enum:
- bpf
- hook
- logs
type: string
required:
Expand Down Expand Up @@ -1570,6 +1569,14 @@ rules:
- events
verbs:
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- security-profiles-operator.x-k8s.io
resources:
9 changes: 8 additions & 1 deletion deploy/openshift-dev.yaml
Expand Up @@ -182,7 +182,6 @@ spec:
description: Recorder to be used.
enum:
- bpf
- hook
- logs
type: string
required:
Expand Down Expand Up @@ -1570,6 +1569,14 @@ rules:
- events
verbs:
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- security-profiles-operator.x-k8s.io
resources:
9 changes: 8 additions & 1 deletion deploy/operator.yaml
Expand Up @@ -182,7 +182,6 @@ spec:
description: Recorder to be used.
enum:
- bpf
- hook
- logs
type: string
required:
Expand Down Expand Up @@ -1570,6 +1569,14 @@ rules:
- events
verbs:
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- security-profiles-operator.x-k8s.io
resources:
9 changes: 8 additions & 1 deletion deploy/webhook-operator.yaml
Expand Up @@ -253,7 +253,6 @@ spec:
description: Recorder to be used.
enum:
- bpf
- hook
- logs
type: string
required:
Expand Down Expand Up @@ -1424,6 +1423,14 @@ rules:
- events
verbs:
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- security-profiles-operator.x-k8s.io
resources:
13 changes: 0 additions & 13 deletions examples/profilerecording-hook.yaml

This file was deleted.

2 changes: 1 addition & 1 deletion hack/ci/Vagrantfile-fedora
Expand Up @@ -40,7 +40,7 @@ Vagrant.configure("2") do |config|
iptables \
jq \
make \
oci-seccomp-bpf-hook \
gcc \
openssl \
podman

1 change: 0 additions & 1 deletion hack/ci/e2e-fedora.sh
Expand Up @@ -19,7 +19,6 @@ export E2E_CLUSTER_TYPE=vanilla
export E2E_TEST_SELINUX=true
export E2E_TEST_LOG_ENRICHER=true
export E2E_TEST_BPF_RECORDER=true
export E2E_TEST_PROFILE_RECORDING=true
export E2E_TEST_FLAKY_TESTS_ONLY=${E2E_TEST_FLAKY_TESTS_ONLY:-false}

# These are already tested in the standard e2e test.
1 change: 0 additions & 1 deletion hack/ci/e2e-flatcar.sh
Expand Up @@ -21,7 +21,6 @@ export E2E_TEST_SECCOMP=true
export E2E_TEST_SELINUX=false
export E2E_TEST_LOG_ENRICHER=false
export E2E_TEST_BPF_RECORDER=true
export E2E_TEST_PROFILE_RECORDING=false
export E2E_TEST_FLAKY_TESTS_ONLY=${E2E_TEST_FLAKY_TESTS_ONLY:-false}

export HOSTFS_DEV_MOUNT_PATH="/hostfs"
1 change: 0 additions & 1 deletion hack/ci/e2e-static-webhook.sh
Expand Up @@ -20,7 +20,6 @@ export OPERATOR_MANIFEST="deploy/webhook-operator.yaml"
export E2E_TEST_SELINUX=true
export E2E_TEST_LOG_ENRICHER=true
export E2E_TEST_BPF_RECORDER=true
export E2E_TEST_PROFILE_RECORDING=true
export E2E_SKIP_NAMESPACED_TESTS=true
export E2E_TEST_SECCOMP=true
export E2E_TEST_WEBHOOK_CONFIG=false
3 changes: 0 additions & 3 deletions hacking.md
Expand Up @@ -224,8 +224,6 @@ source file:
record seccomp or SELinux profiles by tailing the `audit.log`.
- `E2E_TEST_SECCOMP` - Whether to run seccomp related e2e tests. Our CI
tests the seccomp tests in the kind-based prow target only.
- `E2E_TEST_PROFILE_RECORDING` - Whether to run profile recording tests that
use the `oci-seccomp-bpf-hook`.
- `E2E_TEST_BPF_RECORDER` - Whether to test recording of seccomp profiles
using our eBPF recorder. Currently, enabled for Fedora only.

Expand Down Expand Up @@ -286,7 +284,6 @@ E2E_SPO_IMAGE=image-registry.openshift-image-registry.svc:5000/openshift/securit
E2E_CLUSTER_TYPE=openshift \
E2E_SKIP_BUILD_IMAGES=true \
E2E_TEST_SECCOMP=false \
E2E_TEST_PROFILE_RECORDING=false \
E2E_TEST_BPF_RECORDER=false \
E2E_TEST_LOG_ENRICHER=false \
E2E_TEST_SELINUX=true \