fixes k8s-nodeName, hostname mismatch issue (kubearmor#736)

daemon1024 · Jun 13, 2022 · 8405914 · 8405914
1 parent 45dd42e
commit 8405914
Show file tree

Hide file tree

Showing 11 changed files with 77 additions and 0 deletions.
diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
@@ -77,8 +77,18 @@ func (dm *KubeArmorDaemon) HandleNodeAnnotations(node *tp.Node) {
 	}
 }
 
+func matchHost(hostName string) bool {
+	envName := os.Getenv("KUBEARMOR_NODENAME")
+	if envName != "" {
+		return envName == hostName
+	}
+	nodeName := strings.Split(hostName, ".")[0]
+	return nodeName == cfg.GlobalCfg.Host
+}
+
 // WatchK8sNodes Function
 func (dm *KubeArmorDaemon) WatchK8sNodes() {
+	kg.Printf("GlobalCfg.Host=%s, KUBEARMOR_NODENAME=%s", cfg.GlobalCfg.Host, os.Getenv("KUBEARMOR_NODENAME"))
 	for {
 		if resp := K8s.WatchK8sNodes(); resp != nil {
 			defer resp.Body.Close()
@@ -94,10 +104,15 @@ func (dm *KubeArmorDaemon) WatchK8sNodes() {
 
 				// Kubearmor uses hostname to get the corresponding node information, but there are exceptions.
 				// For example, the node name on EKS can be of the format <hostname>.<region>.compute.internal
+				/* Keeping this past code for near-future ref purpose. Jun-13-2022
 				nodeName := strings.Split(event.Object.ObjectMeta.Name, ".")[0]
 				if nodeName != cfg.GlobalCfg.Host {
 					continue
 				}
+				*/
+				if !matchHost(event.Object.ObjectMeta.Name) {
+					continue
+				}
 
 				node := tp.Node{}
 

diff --git a/deployments/AKS/kubearmor.yaml b/deployments/AKS/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
         - -gRPC=32767
         - -logPath=/tmp/kubearmor.log
         - -enableKubeArmorHostPolicy
+        env:
+        - name: KUBEARMOR_NODENAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         image: kubearmor/kubearmor:stable
         imagePullPolicy: Always
         livenessProbe:

diff --git a/deployments/EKS/kubearmor.yaml b/deployments/EKS/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
         - -gRPC=32767
         - -logPath=/tmp/kubearmor.log
         - -enableKubeArmorHostPolicy
+        env:
+        - name: KUBEARMOR_NODENAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         image: kubearmor/kubearmor:stable
         imagePullPolicy: Always
         livenessProbe:

diff --git a/deployments/GKE/kubearmor.yaml b/deployments/GKE/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
         - -gRPC=32767
         - -logPath=/tmp/kubearmor.log
         - -enableKubeArmorHostPolicy
+        env:
+        - name: KUBEARMOR_NODENAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         image: kubearmor/kubearmor:stable
         imagePullPolicy: Always
         livenessProbe:

diff --git a/deployments/docker/kubearmor.yaml b/deployments/docker/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
         - -gRPC=32767
         - -logPath=/tmp/kubearmor.log
         - -enableKubeArmorHostPolicy
+        env:
+        - name: KUBEARMOR_NODENAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         image: kubearmor/kubearmor:stable
         imagePullPolicy: Always
         livenessProbe:

diff --git a/deployments/generic/kubearmor.yaml b/deployments/generic/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
         - -gRPC=32767
         - -logPath=/tmp/kubearmor.log
         - -enableKubeArmorHostPolicy
+        env:
+        - name: KUBEARMOR_NODENAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         image: kubearmor/kubearmor:stable
         imagePullPolicy: Always
         livenessProbe:

diff --git a/deployments/get/defaults.go b/deployments/get/defaults.go
@@ -20,6 +20,7 @@ var hostPolicyManagerDeploymentName = "kubearmor-host-policy-manager"
 // DaemonSetConfig Structure
 type DaemonSetConfig struct {
 	Args         []string
+	Envs         []corev1.EnvVar
 	VolumeMounts []corev1.VolumeMount
 	Volumes      []corev1.Volume
 }
@@ -76,12 +77,24 @@ var apparmorVol = corev1.Volume{
 	},
 }
 
+var envVar = []corev1.EnvVar{
+	{
+		Name: "KUBEARMOR_NODENAME",
+		ValueFrom: &corev1.EnvVarSource{
+			FieldRef: &corev1.ObjectFieldSelector{
+				FieldPath: "spec.nodeName",
+			},
+		},
+	},
+}
+
 // Environment Specific Daemonset Configuration
 var defaultConfigs = map[string]DaemonSetConfig{
 	"generic": {
 		Args: []string{
 			"-enableKubeArmorHostPolicy",
 		},
+		Envs: envVar,
 		VolumeMounts: []corev1.VolumeMount{
 			hostUsrVolMnt,
 			apparmorVolMnt,
@@ -137,6 +150,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 		Args: []string{
 			"-enableKubeArmorHostPolicy",
 		},
+		Envs: envVar,
 		VolumeMounts: []corev1.VolumeMount{
 			hostUsrVolMnt,
 			apparmorVolMnt,
@@ -176,6 +190,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 	},
 	"minikube": {
 		Args: []string{},
+		Envs: envVar,
 		VolumeMounts: []corev1.VolumeMount{
 			hostUsrVolMnt,
 			apparmorVolMnt,
@@ -217,6 +232,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 		Args: []string{
 			"-enableKubeArmorHostPolicy",
 		},
+		Envs: envVar,
 		VolumeMounts: []corev1.VolumeMount{
 			hostUsrVolMnt,
 			apparmorVolMnt,
@@ -258,6 +274,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 		Args: []string{
 			"-enableKubeArmorHostPolicy",
 		},
+		Envs: envVar,
 		VolumeMounts: []corev1.VolumeMount{
 			hostUsrVolMnt,
 			apparmorVolMnt,
@@ -299,6 +316,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 		Args: []string{
 			"-enableKubeArmorHostPolicy",
 		},
+		Envs: envVar,
 		VolumeMounts: []corev1.VolumeMount{
 			gkeHostUsrVolMnt,
 			apparmorVolMnt,
@@ -354,6 +372,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 		Args: []string{
 			"-enableKubeArmorHostPolicy",
 		},
+		Envs: envVar,
 		VolumeMounts: []corev1.VolumeMount{
 			hostUsrVolMnt,
 			apparmorVolMnt,
@@ -409,6 +428,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 		Args: []string{
 			"-enableKubeArmorHostPolicy",
 		},
+		Envs: envVar,
 		VolumeMounts: []corev1.VolumeMount{
 			hostUsrVolMnt,
 			apparmorVolMnt,

diff --git a/deployments/get/objects.go b/deployments/get/objects.go
@@ -439,6 +439,7 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet {
 	}
 
 	args = append(args, defaultConfigs[env].Args...)
+	envs := defaultConfigs[env].Envs
 
 	volumeMounts = append(volumeMounts, defaultConfigs[env].VolumeMounts...)
 	volumes = append(volumes, defaultConfigs[env].Volumes...)
@@ -487,6 +488,7 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet {
 								Privileged: &privileged,
 							},
 							Args: args,
+							Env:  envs,
 							Ports: []corev1.ContainerPort{
 								{
 									ContainerPort: port,

diff --git a/deployments/k3s/kubearmor.yaml b/deployments/k3s/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
         - -gRPC=32767
         - -logPath=/tmp/kubearmor.log
         - -enableKubeArmorHostPolicy
+        env:
+        - name: KUBEARMOR_NODENAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         image: kubearmor/kubearmor:stable
         imagePullPolicy: Always
         livenessProbe:

diff --git a/deployments/microk8s/kubearmor.yaml b/deployments/microk8s/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
         - -gRPC=32767
         - -logPath=/tmp/kubearmor.log
         - -enableKubeArmorHostPolicy
+        env:
+        - name: KUBEARMOR_NODENAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         image: kubearmor/kubearmor:stable
         imagePullPolicy: Always
         livenessProbe:

diff --git a/deployments/minikube/kubearmor.yaml b/deployments/minikube/kubearmor.yaml
@@ -82,6 +82,11 @@ spec:
       - args:
         - -gRPC=32767
         - -logPath=/tmp/kubearmor.log
+        env:
+        - name: KUBEARMOR_NODENAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         image: kubearmor/kubearmor:stable
         imagePullPolicy: Always
         livenessProbe: