From e3cadeca8b58f976a9e9f6042a64d8bc88998721 Mon Sep 17 00:00:00 2001 From: Anurag Rajawat Date: Wed, 22 Nov 2023 21:05:13 +0530 Subject: [PATCH] fix: Remove CRI Storage volume and volume mounts (#1507) Signed-off-by: Anurag Rajawat --- deployments/get/defaults.go | 240 ------------------ deployments/helm/KubeArmor/values.yaml | 107 -------- deployments/helm/KubeArmorOperator/README.md | 2 +- pkg/KubeArmorOperator/cmd/snitch-cmd/main.go | 8 - pkg/KubeArmorOperator/common/defaults.go | 22 -- .../internal/controller/cluster.go | 27 +- .../internal/controller/resources.go | 41 +-- pkg/KubeArmorOperator/runtime/runtime.go | 10 - tests/k8s_env/ksp/ksp_test.go | 7 - tests/util/kartutil.go | 11 - 10 files changed, 20 insertions(+), 455 deletions(-) diff --git a/deployments/get/defaults.go b/deployments/get/defaults.go index c0332623a5..ecc7592a7b 100644 --- a/deployments/get/defaults.go +++ b/deployments/get/defaults.go @@ -46,7 +46,6 @@ var hostPathDirectory = corev1.HostPathDirectory var hostPathDirectoryOrCreate = corev1.HostPathDirectoryOrCreate var hostPathFile = corev1.HostPathFile var hostPathSocket = corev1.HostPathSocket -var hostContainerStorageMountPropagation = corev1.MountPropagationHostToContainer var gkeHostUsrVolMnt = corev1.VolumeMount{ Name: "usr-src-path", // /usr -> /media/root/usr (read-only) check issue #579 for details @@ -126,18 +125,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ MountPath: "/var/run/containerd/containerd.sock", ReadOnly: true, }, - { - Name: "containerd-storage-path", // containerd storage - MountPath: "/run/containerd", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, - { - Name: "docker-storage-path", // docker storage - MountPath: "/var/lib/docker", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, }, Volumes: []corev1.Volume{ apparmorVol, 
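Review bot: With every `containerd-storage-path`/`docker-storage-path` volume gone, `hostPathDirectoryOrCreate`, declared just above the removed `hostContainerStorageMountPropagation`, may no longer have a user; Go does not flag unused package-level vars, so check with staticcheck or grep rather than relying on the compiler. If some remaining volume in this file still uses it, prefer `hostPathDirectory` for host paths KubeArmor only reads: `DirectoryOrCreate` lets the kubelet create the directory on a node where the runtime path does not exist, which silently masks a mis-detected runtime instead of failing the pod. The `defaultConfigs` map continues past this hunk.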
@@ -150,24 +137,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ }, }, }, - { - Name: "containerd-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/run/containerd", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, - { - Name: "docker-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/var/lib/docker", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, }, }, "oke": { @@ -180,12 +149,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ MountPath: "/var/run/crio/crio.sock", ReadOnly: true, }, - { - Name: "crio-storage-path", // crio storage - stores all of its data, including containers images, in this directory. - MountPath: "/var/lib/containers/storage", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, }, Volumes: []corev1.Volume{ apparmorVol, @@ -198,15 +161,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ }, }, }, - { - Name: "crio-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/var/lib/containers/storage", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, }, }, "docker": { @@ -219,12 +173,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ MountPath: "/var/run/docker.sock", ReadOnly: true, }, - { - Name: "docker-storage-path", // docker storage - MountPath: "/var/lib/docker", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, }, Volumes: []corev1.Volume{ apparmorVol, @@ -237,15 +185,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ }, }, }, - { - Name: "docker-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/var/lib/docker", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, }, }, "minikube": { 
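Review bot: `ReadOnly: true` on the `docker-sock-path` mount kept in the docker config (and on the `crio-sock-path` and `containerd-sock-path` mounts in the neighbouring hunks) limits only the bind mount's filesystem flags; connecting to the socket and issuing API calls is unaffected, so the mount still grants full runtime-daemon access, which for Docker is root-equivalent on the node. Now that the storage directories are no longer mounted, the socket is the main host-privilege grant left in these specs and should say so, e.g. `// ReadOnly restricts the mount, not the socket: the runtime API is fully reachable`, so nobody reads the flag as a sandbox. `defaultConfigs` continues beyond this hunk.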
@@ -258,12 +197,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ MountPath: "/var/run/docker.sock", ReadOnly: true, }, - { - Name: "docker-storage-path", // docker storage - MountPath: "/var/lib/docker", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, }, Volumes: []corev1.Volume{ apparmorVol, @@ -276,15 +209,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ }, }, }, - { - Name: "docker-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/var/lib/docker", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, }, }, "microk8s": { @@ -297,12 +221,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ MountPath: "/var/snap/microk8s/common/run/containerd.sock", ReadOnly: true, }, - { - Name: "containerd-storage-path", // containerd storage - MountPath: "/run/containerd", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, }, Volumes: []corev1.Volume{ apparmorVol, @@ -315,15 +233,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ }, }, }, - { - Name: "containerd-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/var/snap/microk8s/common/run/containerd", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, }, }, "k0s": { @@ -336,11 +245,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ MountPath: "/var/run/containerd/containerd.sock", ReadOnly: true, }, - { - Name: "containerd-storage-path", - MountPath: "/run/containerd", - MountPropagation: &hostContainerStorageMountPropagation, - }, }, Volumes: []corev1.Volume{ apparmorVol, @@ -353,15 +257,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ }, }, }, - { - Name: "containerd-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/run/k0s/containerd", - Type: &hostPathDirectory, - }, - }, - }, }, }, "k3s": { 
@@ -374,12 +269,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ MountPath: "/var/run/containerd/containerd.sock", ReadOnly: true, }, - { - Name: "containerd-storage-path", // containerd storage - MountPath: "/run/containerd", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, }, Volumes: []corev1.Volume{ apparmorVol, @@ -392,15 +281,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ }, }, }, - { - Name: "containerd-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/run/k3s/containerd", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, }, }, "gke": { @@ -413,18 +293,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ MountPath: "/var/run/containerd/containerd.sock", ReadOnly: true, }, - { - Name: "containerd-storage-path", // containerd storage - MountPath: "/run/containerd", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, - { - Name: "docker-storage-path", // docker storage - MountPath: "/var/lib/docker", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, }, Volumes: []corev1.Volume{ apparmorVol, @@ -437,24 +305,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ }, }, }, - { - Name: "containerd-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/run/containerd", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, - { - Name: "docker-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/var/lib/docker", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, }, }, "eks": { 
@@ -467,18 +317,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ MountPath: "/var/run/containerd/containerd.sock", ReadOnly: true, }, - { - Name: "containerd-storage-path", // containerd storage - MountPath: "/run/containerd", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, - { - Name: "docker-storage-path", // docker storage - MountPath: "/var/lib/docker", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, }, Volumes: []corev1.Volume{ apparmorVol, @@ -491,24 +329,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ }, }, }, - { - Name: "containerd-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/run/containerd", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, - { - Name: "docker-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/var/lib/docker", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, }, }, "bottlerocket": { @@ -523,18 +343,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ MountPath: "/run/dockershim.sock", ReadOnly: true, }, - { - Name: "containerd-storage-path", // containerd storage - MountPath: "/run/containerd", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, - { - Name: "docker-storage-path", // docker storage - MountPath: "/var/lib/docker", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, }, Volumes: []corev1.Volume{ apparmorVol, 
@@ -547,24 +355,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ }, }, }, - { - Name: "containerd-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/run/containerd", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, - { - Name: "docker-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/var/lib/docker", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, }, }, "aks": { @@ -577,18 +367,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ MountPath: "/var/run/containerd/containerd.sock", ReadOnly: true, }, - { - Name: "containerd-storage-path", // containerd storage - MountPath: "/run/containerd", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, - { - Name: "docker-storage-path", // docker storage - MountPath: "/var/lib/docker", - MountPropagation: &hostContainerStorageMountPropagation, - ReadOnly: true, - }, }, Volumes: []corev1.Volume{ apparmorVol, @@ -601,24 +379,6 @@ var defaultConfigs = map[string]DaemonSetConfig{ }, }, }, - { - Name: "containerd-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/run/containerd", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, - { - Name: "docker-storage-path", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/var/lib/docker", - Type: &hostPathDirectoryOrCreate, - }, - }, - }, }, }, } diff --git a/deployments/helm/KubeArmor/values.yaml b/deployments/helm/KubeArmor/values.yaml index 1fd9a57d41..2cb5e8f398 100644 --- a/deployments/helm/KubeArmor/values.yaml +++ b/deployments/helm/KubeArmor/values.yaml 
@@ -136,14 +136,6 @@ kubearmor: - mountPath: /var/run/containerd/containerd.sock name: containerd-sock-path readOnly: true - - mountPath: /run/containerd - mountPropagation: HostToContainer - name: containerd-storage-path - readOnly: true - - mountPath: /var/lib/docker - mountPropagation: HostToContainer - name: docker-storage-path - readOnly: true volumeMountsDocker: - mountPath: /usr/src @@ -166,10 +158,6 @@ kubearmor: - mountPath: /var/run/docker.sock name: docker-sock-path readOnly: true - - mountPath: /var/lib/docker - mountPropagation: HostToContainer - name: docker-storage-path - readOnly: true volumeMountsCRIO: - mountPath: /usr/src @@ -192,10 +180,6 @@ kubearmor: - mountPath: /var/run/crio/crio.sock name: crio-sock-path readOnly: true - - mountPath: /var/lib/containers/storage - mountPropagation: HostToContainer - name: crio-storage-path - readOnly: true volumeMountsMicroK8s: - mountPath: /usr/src @@ -218,10 +202,6 @@ kubearmor: - mountPath: /var/snap/microk8s/common/run/containerd.sock name: containerd-sock-path readOnly: true - - mountPath: /run/containerd - mountPropagation: HostToContainer - name: containerd-storage-path - readOnly: true volumeMountsK0s: - mountPath: /usr/src @@ -244,9 +224,6 @@ kubearmor: - mountPath: /var/run/containerd/containerd.sock name: containerd-sock-path readOnly: true - - mountPath: /run/containerd - mountPropagation: HostToContainer - name: containerd-storage-path volumeMountsK3s: - mountPath: /usr/src @@ -269,10 +246,6 @@ kubearmor: - mountPath: /var/run/containerd/containerd.sock name: containerd-sock-path readOnly: true - - mountPath: /run/containerd - mountPropagation: HostToContainer - name: containerd-storage-path - readOnly: true volumeMountsMinikube: - mountPath: /usr/src 
@@ -316,14 +289,6 @@ kubearmor: - mountPath: /var/run/containerd/containerd.sock name: containerd-sock-path readOnly: true - - mountPath: /run/containerd - mountPropagation: HostToContainer - name: containerd-storage-path - readOnly: true - - mountPath: /var/lib/docker - mountPropagation: HostToContainer - name: docker-storage-path - readOnly: true volumeMountsBottleRocket: - mountPath: /lib/modules @@ -346,14 +311,6 @@ kubearmor: - mountPath: /run/dockershim.sock name: containerd-sock-path readOnly: true - - mountPath: /run/containerd - mountPropagation: HostToContainer - name: containerd-storage-path - readOnly: true - - mountPath: /var/lib/docker - mountPropagation: HostToContainer - name: docker-storage-path - readOnly: true volumeMountsEKS: - mountPath: /lib/modules @@ -376,14 +333,6 @@ kubearmor: - mountPath: /var/run/containerd/containerd.sock name: containerd-sock-path readOnly: true - - mountPath: /run/containerd - mountPropagation: HostToContainer - name: containerd-storage-path - readOnly: true - - mountPath: /var/lib/docker - mountPropagation: HostToContainer - name: docker-storage-path - readOnly: true volumesGeneric: - hostPath: @@ -418,14 +367,6 @@ kubearmor: path: /var/run/containerd/containerd.sock type: Socket name: containerd-sock-path - - hostPath: - path: /run/containerd - type: DirectoryOrCreate - name: containerd-storage-path - - hostPath: - path: /var/lib/docker - type: DirectoryOrCreate - name: docker-storage-path volumesDocker: - hostPath: @@ -460,10 +401,6 @@ kubearmor: path: /var/run/docker.sock type: Socket name: docker-sock-path - - hostPath: - path: /var/lib/docker - type: DirectoryOrCreate - name: docker-storage-path volumesCRIO: - hostPath: @@ -498,10 +435,6 @@ kubearmor: path: /var/run/crio/crio.sock type: Socket name: crio-sock-path - - hostPath: - path: /var/lib/containers/storage - type: DirectoryOrCreate - name: crio-storage-path volumesMicroK8s: - hostPath: 
@@ -536,10 +469,6 @@ kubearmor: path: /var/snap/microk8s/common/run/containerd.sock type: Socket name: containerd-sock-path - - hostPath: - path: /var/snap/microk8s/common/run/containerd - type: DirectoryOrCreate - name: containerd-storage-path volumesK0s: - hostPath: @@ -574,10 +503,6 @@ kubearmor: path: /run/k0s/containerd.sock type: Socket name: containerd-sock-path - - hostPath: - path: /run/k0s/containerd - type: Directory - name: containerd-storage-path volumesK3s: - hostPath: @@ -612,10 +537,6 @@ kubearmor: path: /run/k3s/containerd/containerd.sock type: Socket name: containerd-sock-path - - hostPath: - path: /run/k3s/containerd - type: DirectoryOrCreate - name: containerd-storage-path volumesMinikube: - hostPath: @@ -650,10 +571,6 @@ kubearmor: path: /var/run/docker.sock type: Socket name: docker-sock-path - - hostPath: - path: /var/lib/docker - type: DirectoryOrCreate - name: docker-storage-path volumesGKE: - hostPath: @@ -688,14 +605,6 @@ kubearmor: path: /var/run/containerd/containerd.sock type: Socket name: containerd-sock-path - - hostPath: - path: /run/containerd - type: DirectoryOrCreate - name: containerd-storage-path - - hostPath: - path: /var/lib/docker - type: DirectoryOrCreate - name: docker-storage-path volumesBottleRocket: - hostPath: @@ -730,14 +639,6 @@ kubearmor: path: /run/dockershim.sock type: Socket name: containerd-sock-path - - hostPath: - path: /run/containerd - type: DirectoryOrCreate - name: containerd-storage-path - - hostPath: - path: /var/lib/docker - type: DirectoryOrCreate - name: docker-storage-path volumesEKS: - hostPath: @@ -772,11 +673,3 @@ kubearmor: path: /var/run/containerd/containerd.sock type: Socket name: containerd-sock-path - - hostPath: - path: /run/containerd - type: DirectoryOrCreate - name: containerd-storage-path - - hostPath: - path: /var/lib/docker - type: DirectoryOrCreate - name: docker-storage-path 
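Review bot: Helm replaces list-valued settings wholesale rather than merging them, so any user who copied `volumesGeneric`/`volumeMountsGeneric` (or a per-platform variant) into their own values file to add a mount will keep the `containerd-storage-path` and `docker-storage-path` hostPath entries after upgrading, and the `HostToContainer` propagation mounts this commit removes will still be granted on their nodes. Since the point of the change is to drop that host exposure, the chart README or upgrade notes should tell such users to prune those entries. The templates that render these lists are not in the diff, so I cannot tell whether a template-side guard is feasible.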
diff --git a/deployments/helm/KubeArmorOperator/README.md b/deployments/helm/KubeArmorOperator/README.md index 0260b8adf4..0594566462 100644 --- a/deployments/helm/KubeArmorOperator/README.md +++ b/deployments/helm/KubeArmorOperator/README.md @@ -100,7 +100,7 @@ service/kubearmor-controller-metrics-service ClusterIP 10.43.241.84 32767/TCP 2m53s NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE -daemonset.apps/kubearmor-bpf-docker-d4651 1 1 1 1 1 kubearmor.io/btf=yes,kubearmor.io/enforcer=bpf,kubearmor.io/runtime-storage=var_lib_docker,kubearmor.io/runtime=docker,kubearmor.io/socket=run_docker.sock,kubernetes.io/os=linux 30s +daemonset.apps/kubearmor-bpf-docker-d4651 1 1 1 1 1 kubearmor.io/btf=yes,kubearmor.io/enforcer=bpf,kubearmor.io/runtime=docker,kubearmor.io/socket=run_docker.sock,kubernetes.io/os=linux 30s NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/kubearmor-operator 1/1 1 1 11m diff --git a/pkg/KubeArmorOperator/cmd/snitch-cmd/main.go b/pkg/KubeArmorOperator/cmd/snitch-cmd/main.go index 71dc5f2959..62751a68ce 100644 --- a/pkg/KubeArmorOperator/cmd/snitch-cmd/main.go +++ b/pkg/KubeArmorOperator/cmd/snitch-cmd/main.go @@ -114,13 +114,6 @@ func snitch() { Logger.Errorf("Not able to detect runtime") os.Exit(1) } - runtimeStorage := runtimepkg.DetectRuntimeStorage(PathPrefix, runtime, *Logger) - if runtimeStorage != "NA" { - Logger.Infof("Detected runtime storage location %s", runtimeStorage) - } else { - Logger.Errorf("Not able to detect runtime storage location") - os.Exit(1) - } // Check BTF support btfPresent := enforcer.CheckBtfSupport(PathPrefix, *Logger) 
@@ -131,7 +124,6 @@ func snitch() {
 patchNode.Metadata.Labels[common.RuntimeLabel] = runtime
 patchNode.Metadata.Labels[common.SocketLabel] = strings.ReplaceAll(socket[1:], "/", "_")
 patchNode.Metadata.Labels[common.EnforcerLabel] = nodeEnforcer
- patchNode.Metadata.Labels[common.RuntimeStorageLabel] = strings.ReplaceAll(runtimeStorage[1:], "/", "_")
 patchNode.Metadata.Labels[common.RandLabel] = rand.String(4)
 patchNode.Metadata.Labels[common.BTFLabel] = btfPresent
 patch, err := json.Marshal(patchNode)
diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go
index 680980fca0..57ef753575 100644
--- a/pkg/KubeArmorOperator/common/defaults.go
+++ b/pkg/KubeArmorOperator/common/defaults.go
@@ -43,7 +43,6 @@ var OperatorConfigCrd *opv1.KubeArmorConfig
 var (
 EnforcerLabel string = "kubearmor.io/enforcer"
 RuntimeLabel string = "kubearmor.io/runtime"
- RuntimeStorageLabel string = "kubearmor.io/runtime-storage"
 SocketLabel string = "kubearmor.io/socket"
 RandLabel string = "kubearmor.io/rand"
 OsLabel string = "kubernetes.io/os"
@@ -130,7 +129,6 @@ var ContainerRuntimeSocketMap = map[string][]string{
 var HostPathDirectory = corev1.HostPathDirectory
 var HostPathSocket = corev1.HostPathSocket
 var HostPathFile = corev1.HostPathFile
-var HostToContainerMountPropagation = corev1.MountPropagationHostToContainer
 
 var EnforcerVolumesMounts = map[string][]corev1.VolumeMount{
 "apparmor": {
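Review bot: Nodes labelled by an earlier snitch run keep a stale `kubearmor.io/runtime-storage` label, because this patch only sets keys and the commit deletes the constant instead of clearing the label. The new DaemonSet nodeSelector no longer references it, so scheduling is unaffected, but the leftover value will mislead anyone debugging with `kubectl get nodes --show-labels` into thinking storage detection still runs. If `patchNode` is applied as a JSON merge patch, setting the key to `null` removes it; that needs the labels field to be a map able to hold a nil value (e.g. `map[string]*string`), and its declared type is not visible here. The enclosing `snitch()` starts outside the hunk.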
@@ -173,26 +171,6 @@ var EnforcerVolumes = map[string][]corev1.Volume{
 },
 }
 
-var RuntimeStorageVolumes = map[string][]string{
- "docker": {
- "/var/lib/docker",
- },
- "cri-o": {
- "/var/lib/containers/storage",
- },
- "containerd": {
- "/run/k0s/containerd",
- "/run/k3s/containerd",
- "/run/containerd",
- },
-}
-
-var RuntimeStorageLocation = map[string]string{
- "docker": "/var/lib/docker",
- "containerd": "/run/containerd",
- "cri-o": "/var/lib/containers/storage",
-}
-
 var RuntimeSocketLocation = map[string]string{
 "docker": "/var/run/docker.sock",
 "containerd": "/var/run/containerd/containerd.sock",
diff --git a/pkg/KubeArmorOperator/internal/controller/cluster.go b/pkg/KubeArmorOperator/internal/controller/cluster.go
index cf40388099..39359c6692 100644
--- a/pkg/KubeArmorOperator/internal/controller/cluster.go
+++ b/pkg/KubeArmorOperator/internal/controller/cluster.go
@@ -43,13 +43,12 @@ type ClusterWatcher struct {
 DaemonsetsLock *sync.Mutex
 }
 type Node struct {
- Name string
- Enforcer string
- Runtime string
- RuntimeSocket string
- RuntimeStorage string
- Arch string
- BTF string
+ Name string
+ Enforcer string
+ Runtime string
+ RuntimeSocket string
+ Arch string
+ BTF string
 }
 
 func NewClusterWatcher(client *kubernetes.Clientset, log *zap.SugaredLogger, extClient *apiextensionsclientset.Clientset, opv1Client *opv1client.Clientset, pathPrefix, deploy_name string) *ClusterWatcher {
@@ -120,9 +119,6 @@ func (clusterWatcher *ClusterWatcher) WatchNodes() {
 if val, ok := node.Labels[common.SocketLabel]; ok {
 newNode.RuntimeSocket = val
 }
- if val, ok := node.Labels[common.RuntimeStorageLabel]; ok {
- newNode.RuntimeStorage = val
- }
 if val, ok := node.Labels[common.BTFLabel]; ok {
 newNode.BTF = val
 }
@@ -143,7 +139,6 @@ func (clusterWatcher *ClusterWatcher) WatchNodes() {
 clusterWatcher.Nodes[i].Name != newNode.Name ||
 clusterWatcher.Nodes[i].Runtime != newNode.Runtime ||
 clusterWatcher.Nodes[i].RuntimeSocket != newNode.RuntimeSocket ||
- clusterWatcher.Nodes[i].RuntimeStorage != newNode.RuntimeStorage ||
 clusterWatcher.Nodes[i].BTF != newNode.BTF {
 clusterWatcher.Nodes[i] = newNode
 nodeModified = true
@@ -152,9 +147,9 @@ func (clusterWatcher *ClusterWatcher) WatchNodes() {
 }
 clusterWatcher.NodesLock.Unlock()
 if nodeModified {
- clusterWatcher.UpdateDaemonsets(common.DeleteAction, newNode.Enforcer, newNode.Runtime, newNode.RuntimeSocket, newNode.RuntimeStorage, newNode.BTF)
+ clusterWatcher.UpdateDaemonsets(common.DeleteAction, newNode.Enforcer, newNode.Runtime, newNode.RuntimeSocket, newNode.BTF)
 }
- clusterWatcher.UpdateDaemonsets(common.AddAction, newNode.Enforcer, newNode.Runtime, newNode.RuntimeSocket, newNode.RuntimeStorage, newNode.BTF)
+ clusterWatcher.UpdateDaemonsets(common.AddAction, newNode.Enforcer, newNode.Runtime, newNode.RuntimeSocket, newNode.BTF)
 }
 } else {
 log.Errorf("Cannot convert object to node struct")
@@ -173,7 +168,7 @@ func (clusterWatcher *ClusterWatcher) WatchNodes() {
 }
 }
 clusterWatcher.NodesLock.Unlock()
- clusterWatcher.UpdateDaemonsets(common.DeleteAction, deletedNode.Enforcer, deletedNode.Runtime, deletedNode.RuntimeSocket, deletedNode.RuntimeStorage, deletedNode.BTF)
+ clusterWatcher.UpdateDaemonsets(common.DeleteAction, deletedNode.Enforcer, deletedNode.Runtime, deletedNode.RuntimeSocket, deletedNode.BTF)
 }
 },
 })
@@ -181,7 +176,7 @@ func (clusterWatcher *ClusterWatcher) WatchNodes() {
 nodeInformer.Run(wait.NeverStop)
 }
 
-func (clusterWatcher *ClusterWatcher) UpdateDaemonsets(action, enforcer, runtime, socket, runtimeStorage, btfPresent string) {
+func (clusterWatcher *ClusterWatcher) UpdateDaemonsets(action, enforcer, runtime, socket, btfPresent string) {
 clusterWatcher.Log.Info("updating daemonset")
 daemonsetName := strings.Join([]string{
 "kubearmor",
@@ -217,7 +212,7 @@ func (clusterWatcher *ClusterWatcher) UpdateDaemonsets(action, enforcer, runtime
 }
 }
 if newDaemonSet {
- daemonset := generateDaemonset(daemonsetName, enforcer, runtime, socket, runtimeStorage, btfPresent)
+ daemonset := generateDaemonset(daemonsetName, enforcer, runtime, socket, btfPresent)
 _, err := clusterWatcher.Client.AppsV1().DaemonSets(common.Namespace).Create(context.Background(), daemonset, v1.CreateOptions{})
 if err != nil {
 clusterWatcher.Log.Warnf("Cannot Create daemonset %s, error=%s", daemonsetName, err.Error())
diff --git a/pkg/KubeArmorOperator/internal/controller/resources.go b/pkg/KubeArmorOperator/internal/controller/resources.go
index 3b870e5536..cc13a8c424 100644
--- a/pkg/KubeArmorOperator/internal/controller/resources.go
+++ b/pkg/KubeArmorOperator/internal/controller/resources.go
@@ -23,9 +23,9 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func generateDaemonset(name, enforcer, runtime, socket, runtimeStorage, btfPresent string) *appsv1.DaemonSet {
+func generateDaemonset(name, enforcer, runtime, socket, btfPresent string) *appsv1.DaemonSet {
 enforcerVolumes, enforcerVolumeMounts := genEnforcerVolumes(enforcer)
- runtimeVolumes, runtimeVolumeMounts := genRuntimeVolumes(runtime, socket, runtimeStorage)
+ runtimeVolumes, runtimeVolumeMounts := genRuntimeVolumes(runtime, socket)
 vols := []corev1.Volume{}
 volMnts := []corev1.VolumeMount{}
 vols = append(vols, enforcerVolumes...)
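Review bot: `UpdateDaemonsets(action, enforcer, runtime, socket, btfPresent string)` is now five positional strings of one type, and dropping `runtimeStorage` shifted `btfPresent` into its old slot; a caller missed in a future edit of this shape would still compile and quietly create a DaemonSet whose nodeSelector mixes up values. All three callers in cluster.go pass fields of a `Node`, so `func (clusterWatcher *ClusterWatcher) UpdateDaemonsets(action string, n Node)` (reading `n.Enforcer`, `n.Runtime`, `n.RuntimeSocket`, `n.BTF` inside) would turn the next field removal into a compile error rather than a runtime surprise. The function body continues outside the hunk.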
@@ -43,12 +43,11 @@ func generateDaemonset(name, enforcer, runtime, socket, runtimeStorage, btfPrese
 daemonset := deployments.GenerateDaemonSet("generic", common.Namespace)
 daemonset.Name = name
 labels := map[string]string{
- common.EnforcerLabel: enforcer,
- common.RuntimeLabel: runtime,
- common.RuntimeStorageLabel: runtimeStorage,
- common.SocketLabel: socket,
- common.OsLabel: "linux",
- common.BTFLabel: btfPresent,
+ common.EnforcerLabel: enforcer,
+ common.RuntimeLabel: runtime,
+ common.SocketLabel: socket,
+ common.OsLabel: "linux",
+ common.BTFLabel: btfPresent,
 }
 daemonset.Spec.Template.Spec.NodeSelector = common.CopyStrMap(labels)
 labels["kubearmor-app"] = "kubearmor"
@@ -92,7 +91,7 @@ func genEnforcerVolumes(enforcer string) (vol []corev1.Volume, volMnt []corev1.V
 return
 }
 
-func genRuntimeVolumes(runtime, runtimeSocket, runtimeStorage string) (vol []corev1.Volume, volMnt []corev1.VolumeMount) {
+func genRuntimeVolumes(runtime, runtimeSocket string) (vol []corev1.Volume, volMnt []corev1.VolumeMount) {
 // lookup socket
 for _, socket := range common.ContainerRuntimeSocketMap[runtime] {
 if strings.ReplaceAll(socket[1:], "/", "_") == runtimeSocket {
@@ -115,30 +114,6 @@ func genRuntimeVolumes(runtime, runtimeSocket, runtimeStorage string) (vol []cor
 break
 }
 }
-
- // lookup runtime storage location
- for _, storageLocation := range common.RuntimeStorageVolumes[runtime] {
- if strings.ReplaceAll(storageLocation[1:], "/", "_") == runtimeStorage {
- vol = append(vol, corev1.Volume{
- Name: runtime + "-storage",
- VolumeSource: corev1.VolumeSource{
- HostPath: &corev1.HostPathVolumeSource{
- Path: storageLocation,
- Type: &common.HostPathDirectory,
- },
- },
- })
-
- storageLocation = common.RuntimeStorageLocation[runtime]
- volMnt = append(volMnt, corev1.VolumeMount{
- Name: runtime + "-storage",
- MountPath: storageLocation,
- MountPropagation: &common.HostToContainerMountPropagation,
- ReadOnly: true,
- })
- break
- }
- }
 return
 }
 
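Review bot: `genRuntimeVolumes` still returns `nil, nil` when `runtimeSocket` matches no entry of `common.ContainerRuntimeSocketMap[runtime]`, and `generateDaemonset` then builds a DaemonSet with no runtime socket mount at all; the value comes from a node label, so a stale or hand-edited `kubearmor.io/socket` label yields a running but non-functional KubeArmor pod instead of a visible error. With the storage lookup gone the function is a single loop, so a `found` flag is cheap: add a third `error` result and, after the loop, `if !found { return nil, nil, fmt.Errorf("no known %s socket matches node label %q", runtime, runtimeSocket) }`, then let `generateDaemonset` propagate it so `UpdateDaemonsets` can log and skip the create. `generateDaemonset` starts in the previous hunk and its tail is not shown, so the propagation path is inferred.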
diff --git a/pkg/KubeArmorOperator/runtime/runtime.go b/pkg/KubeArmorOperator/runtime/runtime.go
index 09f6a1168e..437f0a5192 100644
--- a/pkg/KubeArmorOperator/runtime/runtime.go
+++ b/pkg/KubeArmorOperator/runtime/runtime.go
@@ -34,13 +34,3 @@ func DetectRuntimeViaMap(pathPrefix string, k8sRuntime string, log zap.SugaredLo
 log.Warn("Couldn't detect runtime")
 return "NA", "NA"
 }
-
-func DetectRuntimeStorage(pathPrefix, runtime string, log zap.SugaredLogger) string {
-
- for _, storageLocation := range common.RuntimeStorageVolumes[runtime] {
- if _, err := os.Stat(pathPrefix + storageLocation); err == nil {
- return storageLocation
- }
- }
- return "NA"
-}
diff --git a/tests/k8s_env/ksp/ksp_test.go b/tests/k8s_env/ksp/ksp_test.go
index 6eca9c2bc7..7e4ebc6d9b 100644
--- a/tests/k8s_env/ksp/ksp_test.go
+++ b/tests/k8s_env/ksp/ksp_test.go
@@ -851,13 +851,6 @@ var _ = Describe("Ksp", func() {
 It("it can audit accessing a file owner only from source path", func() { - if strings.Contains(K8sCRIRuntime(), "cri-o") { - // We have issues with audit policy matching with owner related logs due to inconsistent storage mounts - // Please check issue for more details : https://github.com/kubearmor/KubeArmor/issues/1178 - // We will revert the skip after the issue is handled - Skip("Skipping due to issue with policy matcher in context of owner only alerts") - } - // Apply Policy err := K8sApplyFile("multiubuntu/ksp-group-2-audit-file-path-owner-from-source-path.yaml") Expect(err).To(BeNil())
diff --git a/tests/util/kartutil.go b/tests/util/kartutil.go
index 24e42b0146..ebc35602fd 100644
--- a/tests/util/kartutil.go
+++ b/tests/util/kartutil.go
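Review bot: The removed `Skip` tied the cri-o exclusion to issue #1178 (owner-only audit matching failing because of inconsistent storage mounts), and nothing in the commit message states that the issue is now resolved; presumably the cri-o storage hostPath mount was the cause and dropping it is the fix, but the hunk does not show that. A one-line comment above `// Apply Policy`, e.g. `// cri-o no longer skipped: owner-only audit matches once the storage hostPath mount is gone (#1178)`, would keep that reasoning with the test, and the case should be exercised on a cri-o node before merge since CI coverage for that runtime is not visible here. The enclosing `It` block continues past the hunk.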
@@ -581,17 +581,6 @@ func RandString(n int) string {
 return string(b)
 }
 
-// K8sCRIRuntime extracts Container Runtime from the Kubernetes API
-func K8sCRIRuntime() string {
- nodes, _ := k8sClient.K8sClientset.CoreV1().Nodes().List(context.Background(), metav1.ListOptions{})
- if len(nodes.Items) <= 0 {
- return ""
- }
-
- containerRuntime := nodes.Items[0].Status.NodeInfo.ContainerRuntimeVersion
- return containerRuntime
-}
-
 // K8sRuntimeEnforcer extracts Runtime Enforcer from the Node Labels
 func K8sRuntimeEnforcer() string {
 nodes, _ := k8sClient.K8sClientset.CoreV1().Nodes().List(context.Background(), metav1.ListOptions{})