From 0009c71e88b8f43f3e00c8eca828b97ed98ccfe8 Mon Sep 17 00:00:00 2001
From: daemon1024
Date: Tue, 24 Dec 2024 14:36:03 +0530
Subject: [PATCH] wip: fix v2 migration containerd
Signed-off-by: daemon1024
---
 KubeArmor/core/containerdHandler.go | 49 ++++++++++++++++++++++++-----
 KubeArmor/go.mod | 2 +-
 KubeArmor/go.sum | 4 +--
 tests/go.mod | 2 +-
 tests/go.sum | 4 +--
 5 files changed, 48 insertions(+), 13 deletions(-)
diff --git a/KubeArmor/core/containerdHandler.go b/KubeArmor/core/containerdHandler.go
index 5037cd17c9..0255b17630 100644
--- a/KubeArmor/core/containerdHandler.go
+++ b/KubeArmor/core/containerdHandler.go
@@ -102,6 +102,7 @@ func NewContainerdHandler() *ContainerdHandler {
 // Subscribe to containerd events
 // docker namespace
+ ch.docker = context.Background()
 ch.docker = namespaces.WithNamespace(context.Background(), "moby")
 dockerEventsCh, _ := client.EventService().Subscribe(ch.docker, "")
@@ -128,7 +129,7 @@ func (ch *ContainerdHandler) Close() {
 // ==================== //
 // GetContainerInfo Function
-func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID string, OwnerInfo map[string]tp.PodOwner) (tp.Container, error) {
+func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID string, eventpid uint32, OwnerInfo map[string]tp.PodOwner) (tp.Container, error) {
 res, err := ch.client.ContainerService().Get(ctx, containerID)
 if err != nil {
 return tp.Container{}, err
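Review bot: The added `ch.docker = context.Background()` in the first hunk of containerdHandler.go is a dead store: the very next context line assigns `ch.docker = namespaces.WithNamespace(context.Background(), "moby")` and overwrites it before any use. If it is a leftover from the WIP it should be dropped; if it was meant as a fallback when the namespace wrapping is removed later, that intent needs a comment, e.g. `// TODO: plain background context; "moby" namespace wrapping below is to be removed with the v2 migration`. NewContainerdHandler continues outside the hunk, so I cannot see whether `ch.docker` is read anywhere else before the second assignment.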
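Review bot: The new `eventpid uint32` parameter on GetContainerInfo (hunk at -128) uses zero as a sentinel meaning "unknown, query the task service" (that is what the later hunk at -184 does), but the doc comment is still only `// GetContainerInfo Function`, and the same applies to `containerPid` on UpdateContainerdContainer in the hunk at -267. Callers in MonitorContainerdEvents pass a bare `0`, which is unreadable without that contract being documented. I would change the comment to `// GetContainerInfo Function. eventpid is the task PID carried by the containerd event; pass 0 to have it looked up via the task service instead.` and mirror it on UpdateContainerdContainer.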
@@ -184,6 +185,36 @@ func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID s
 }
 // == //
+ if eventpid == 0 {
+ taskReq := task.ListPidsRequest{ContainerID: container.ContainerID}
+ if taskRes, err := ch.client.TaskService().ListPids(ctx, &taskReq); err == nil {
+ if len(taskRes.Processes) == 0 {
+ return container, err
+ }
+
+ container.Pid = taskRes.Processes[0].Pid
+
+ } else {
+ return container, err
+ }
+
+ } else {
+ container.Pid = eventpid
+ }
+
+ pid := strconv.Itoa(int(container.Pid))
+
+ if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, pid, "/ns/pid")); err == nil {
+ if _, err := fmt.Sscanf(data, "pid:[%d]\n", &container.PidNS); err != nil {
+ kg.Warnf("Unable to get PidNS (%s, %s, %s)", containerID, pid, err.Error())
+ }
+ }
+
+ if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, pid, "/ns/mnt")); err == nil {
+ if _, err := fmt.Sscanf(data, "mnt:[%d]\n", &container.MntNS); err != nil {
+ kg.Warnf("Unable to get MntNS (%s, %s, %s)", containerID, pid, err.Error())
+ }
+ }
 taskReq := task.ListPidsRequest{ContainerID: container.ContainerID}
 if taskRes, err := ch.client.TaskService().ListPids(ctx, &taskReq); err == nil {
@@ -267,7 +298,7 @@ func (ch *ContainerdHandler) GetContainerdContainers() map[string]context.Contex
 }
 // UpdateContainerdContainer Function
-func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, containerID, action string) bool {
+func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, containerID string, containerPid uint32, action string) bool {
 // check if Containerd exists
 if Containerd == nil {
 return false
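Review bot: In the `len(taskRes.Processes) == 0` branch, `return container, err` returns a nil error, because `err` there is the if-scoped variable that was just tested `== nil`; the caller (UpdateContainerdContainer's start path) then treats a container with Pid 0 and no namespace IDs as successfully resolved. It should return an explicit error, e.g. `return container, fmt.Errorf("no running task process for container %s", containerID)`. The two `os.Readlink` lookups likewise swallow their own error (only the `fmt.Sscanf` failure is warned), so a PID that has already exited leaves PidNS/MntNS at zero silently; at least a `kg.Warnf` on the Readlink failure would make the misattribution visible. The trailing context shows the pre-existing `ListPids` call still following this block, so the PID taken from the event may be recomputed or overwritten there; GetContainerInfo continues outside the hunk, so I cannot confirm which value wins.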
@@ -275,8 +306,12 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 if action == "start" {
 // get container information from containerd client
- container, err := Containerd.GetContainerInfo(ctx, containerID, dm.OwnerInfo)
+ container, err := Containerd.GetContainerInfo(ctx, containerID, containerPid, dm.OwnerInfo)
 if err != nil {
+ if strings.Contains(string(err.Error()), "pause container") {
+ kg.Debug(err.Error())
+ return false
+ }
 kg.Err(err.Error())
 return false
 }
@@ -554,7 +589,7 @@ func (dm *KubeArmorDaemon) MonitorContainerdEvents() {
 if len(containers) > 0 {
 for containerID, context := range containers {
- if !dm.UpdateContainerdContainer(context, containerID, "start") {
+ if !dm.UpdateContainerdContainer(context, containerID, 0, "start") {
 continue
 }
 }
@@ -588,7 +623,7 @@ func (dm *KubeArmorDaemon) handleContainerdEvent(envelope *events.Envelope, cont
 if err != nil {
 kg.Errf("failed to unmarshal container's delete event: %v", err)
 }
- dm.UpdateContainerdContainer(context, deleteContainer.GetID(), "destroy")
+ dm.UpdateContainerdContainer(context, deleteContainer.GetID(), 0, "destroy")
 case "/tasks/start":
 startTask := &apievents.TaskStart{}
@@ -597,7 +632,7 @@ func (dm *KubeArmorDaemon) handleContainerdEvent(envelope *events.Envelope, cont
 if err != nil {
 kg.Errf("failed to unmarshal container's start task: %v", err)
 }
- dm.UpdateContainerdContainer(context, startTask.GetContainerID(), "start")
+ dm.UpdateContainerdContainer(context, startTask.GetContainerID(), startTask.GetPid(), "start")
 case "/tasks/exit":
 exitTask := &apievents.TaskStart{}
@@ -612,7 +647,7 @@ func (dm *KubeArmorDaemon) handleContainerdEvent(envelope *events.Envelope, cont
 dm.ContainersLock.RUnlock()
 if pid == exitTask.GetPid() {
- dm.UpdateContainerdContainer(context, exitTask.GetContainerID(), "destroy")
+ dm.UpdateContainerdContainer(context, exitTask.GetContainerID(), pid, "destroy")
 }
 }
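Review bot: The new pause-container check in the first hunk here matches on the error text, `strings.Contains(string(err.Error()), "pause container")`, which is brittle (any rewording where the error is produced silently turns a debug-level skip back into an `kg.Err`) and the `string(...)` conversion is redundant since `Error()` already returns a string. Minimal fix is `if strings.Contains(err.Error(), "pause container") {`; the better one is a sentinel error declared next to the code that produces it (not in this diff) and `errors.Is(err, <that sentinel>)` here. The diff adds no import hunk, so `strings`, `strconv`, `os` and `filepath` must already be imported in this file for the patch to build — worth confirming given the WIP title.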
diff --git a/KubeArmor/go.mod b/KubeArmor/go.mod
index ba645b1d12..cbdb486cb7 100644
--- a/KubeArmor/go.mod
+++ b/KubeArmor/go.mod
@@ -49,7 +49,7 @@ require (
 k8s.io/cri-api v0.31.2
 k8s.io/klog/v2 v2.130.1
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
- sigs.k8s.io/controller-runtime v0.19.3
+ sigs.k8s.io/controller-runtime v0.19.4
 )
 require (
diff --git a/KubeArmor/go.sum b/KubeArmor/go.sum
index 0eaf572c13..67469c1078 100644
--- a/KubeArmor/go.sum
+++ b/KubeArmor/go.sum
@@ -519,8 +519,8 @@ k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7F
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw=
-sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM=
+sigs.k8s.io/controller-runtime v0.19.4 h1:SUmheabttt0nx8uJtoII4oIP27BVVvAKFvdvGFwV/Qo=
+sigs.k8s.io/controller-runtime v0.19.4/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
diff --git a/tests/go.mod b/tests/go.mod
index f069e9a2b5..92a1d52800 100644
--- a/tests/go.mod
+++ b/tests/go.mod
@@ -153,7 +153,7 @@ require (
 k8s.io/klog/v2 v2.130.1 // indirect
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
- sigs.k8s.io/controller-runtime v0.19.3 // indirect
+ sigs.k8s.io/controller-runtime v0.19.4 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 sigs.k8s.io/kustomize/api v0.16.0 // indirect
 sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect
diff --git a/tests/go.sum b/tests/go.sum
index a023d9399e..85c8f866fb 100644
--- a/tests/go.sum
+++ b/tests/go.sum
@@ -394,8 +394,8 @@ k8s.io/kubectl v0.29.3 h1:RuwyyIU42MAISRIePaa8Q7A3U74Q9P4MoJbDFz9o3us=
 k8s.io/kubectl v0.29.3/go.mod h1:yCxfY1dbwgVdEt2zkJ6d5NNLOhhWgTyrqACIoFhpdd4=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw=
-sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM=
+sigs.k8s.io/controller-runtime v0.19.4 h1:SUmheabttt0nx8uJtoII4oIP27BVVvAKFvdvGFwV/Qo=
+sigs.k8s.io/controller-runtime v0.19.4/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/kustomize/api v0.16.0 h1:/zAR4FOQDCkgSDmVzV2uiFbuy9bhu3jEzthrHCuvm1g=