
feat(core): add support for kata and confidential containers #1888

Status: Open. Wants to merge 5 commits into base branch main.

Conversation

rootxrishabh (Member):

Purpose of PR?:
This PR introduces support for kata and confidential containers.

Fixes #1340

Does this PR introduce a breaking change?
No

If the changes in this PR are manually verified, list down the scenarios covered:

Additional information for reviewer?:
Mention if this PR is part of any design or a continuation of previous PRs

Checklist:

  • Bug fix. Fixes #
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

@rootxrishabh added the "enhancement" (New feature or request) label on Nov 6, 2024

@rootxrishabh (Member, Author):

#1793

@rootxrishabh (Member, Author):

Enforcement confirmed on CoCo + Kubearmor VM setup
https://asciinema.org/a/RAAG15qLZMLBvdWPaifBAV71d

KubeArmor/config/config.go (outdated review thread, resolved)

@daemon1024 (Member) left a comment:


More pending work

  • Use custom directory for backup of policies
  • Refactor and streamline endpoint creation for unorchestrated workloads.

Comment on lines 96 to 123
// endpoint := types.EndPoint{}

// dm.ContainersLock.Lock()
// defer dm.ContainersLock.Unlock()
// if _, ok := dm.Containers[container.ContainerID]; !ok {
// dm.Containers[container.ContainerID] = container
// } else if dm.Containers[container.ContainerID].PidNS == 0 && dm.Containers[container.ContainerID].MntNS == 0 {
// c := dm.Containers[container.ContainerID]
// c.MntNS = container.MntNS
// c.PidNS = container.PidNS
// c.AppArmorProfile = container.AppArmorProfile
// dm.Containers[c.ContainerID] = c
// dm.EndPointsLock.Lock()
// for idx, endPoint := range dm.EndPoints {
// if endPoint.NamespaceName == container.NamespaceName && endPoint.EndPointName == container.EndPointName && kl.ContainsElement(endPoint.Containers, container.ContainerID) {

// // update apparmor profiles
// if !kl.ContainsElement(endPoint.AppArmorProfiles, container.AppArmorProfile) {
// dm.EndPoints[idx].AppArmorProfiles = append(dm.EndPoints[idx].AppArmorProfiles, container.AppArmorProfile)
// }

// if container.Privileged && dm.EndPoints[idx].PrivilegedContainers != nil {
// dm.EndPoints[idx].PrivilegedContainers[container.ContainerName] = struct{}{}
// }

// endpoint = dm.EndPoints[idx]

// break
Member reviewer's comment:

Let's avoid redundant code

KubeArmor/core/hookHandler.go (outdated review thread, resolved)

@daemon1024 (Member) commented Nov 7, 2024:

  • support custom policy backup path, so we can adapt to using writable path
  • support storing policies in YAML rather than JSON.

@rootxrishabh (Member, Author):

@daemon1024 @DelusionalOptimist, need your thoughts on custom restore path -

  1. Kubearmor will panic if the user specifies a path which contains files other than json. Should we add a check here? If yes, we could fall back to /opt/kubearmor/policies
  2. Should we create the user specified path in case it does not exist? We can fall back to /opt/kubearmor/policies in case the path is privileged.
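Both questions above (non-JSON files in the restore path, and a user path that is missing or not writable) can be answered without a panic. The following is an added Go example, not KubeArmor's code: the helpers ResolvePolicyDir and LoadPolicies are hypothetical names, and /opt/kubearmor/policies is only the fallback named in this thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// ResolvePolicyDir (hypothetical helper, not KubeArmor code) answers question 2:
// create the user's directory if missing, prove it is writable, else fall back.
func ResolvePolicyDir(userPath, fallback string) (string, error) {
	if err := os.MkdirAll(userPath, 0o700); err != nil {
		// e.g. a privileged path: report the reason and use the fallback
		return fallback, fmt.Errorf("cannot create %q: %w", userPath, err)
	}
	probe, err := os.CreateTemp(userPath, ".probe-*")
	if err != nil {
		return fallback, fmt.Errorf("%q is not writable: %w", userPath, err)
	}
	probe.Close()
	os.Remove(probe.Name())
	return userPath, nil
}

// LoadPolicies answers question 1: parse *.json only, skip the rest, never panic.
func LoadPolicies(dir string) (map[string]map[string]any, []error) {
	out := map[string]map[string]any{}
	var errs []error
	entries, err := os.ReadDir(dir)
	if err != nil {
		return out, []error{err}
	}
	for _, e := range entries {
		if e.IsDir() || filepath.Ext(e.Name()) != ".json" {
			continue // README, YAML, editor swap files etc. are ignored
		}
		var pol map[string]any
		raw, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err == nil {
			err = json.Unmarshal(raw, &pol)
		}
		if err != nil {
			// a malformed policy is reported per file instead of aborting the restore
			errs = append(errs, fmt.Errorf("%s: %w", e.Name(), err))
			continue
		}
		out[e.Name()] = pol
	}
	return out, errs
}
```

A caller would log the returned errors and continue with the policies that did parse, so one stray file in the backup directory cannot take the agent down.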

Successfully merging this pull request may close these issues.

check support for Kata containers