diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
index eac45fa699..847ee54b2f 100644
--- a/KubeArmor/core/kubeUpdate.go
+++ b/KubeArmor/core/kubeUpdate.go
@@ -77,8 +77,18 @@ func (dm *KubeArmorDaemon) HandleNodeAnnotations(node *tp.Node) {
 }
 }
+func matchHost(hostName string) bool {
+ envName := os.Getenv("KUBEARMOR_NODENAME")
+ if envName != "" {
+ return envName == hostName
+ }
+ nodeName := strings.Split(hostName, ".")[0]
+ return nodeName == cfg.GlobalCfg.Host
+}
+
 // WatchK8sNodes Function
 func (dm *KubeArmorDaemon) WatchK8sNodes() {
+ kg.Printf("GlobalCfg.Host=%s, KUBEARMOR_NODENAME=%s", cfg.GlobalCfg.Host, os.Getenv("KUBEARMOR_NODENAME"))
 for {
 if resp := K8s.WatchK8sNodes(); resp != nil {
 defer resp.Body.Close()
@@ -94,10 +104,15 @@ func (dm *KubeArmorDaemon) WatchK8sNodes() {
 // Kubearmor uses hostname to get the corresponding node information, but there are exceptions.
 // For example, the node name on EKS can be of the format ..compute.internal
+ /* Keeping this past code for near-future ref purpose. Jun-13-2022
 nodeName := strings.Split(event.Object.ObjectMeta.Name, ".")[0]
 if nodeName != cfg.GlobalCfg.Host {
 continue
 }
+ */
+ if !matchHost(event.Object.ObjectMeta.Name) {
+ continue
+ }
 node := tp.Node{}
diff --git a/deployments/AKS/kubearmor.yaml b/deployments/AKS/kubearmor.yaml
index a8613bf1df..352a4f3414 100644
--- a/deployments/AKS/kubearmor.yaml
+++ b/deployments/AKS/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
 - -gRPC=32767
 - -logPath=/tmp/kubearmor.log
 - -enableKubeArmorHostPolicy
+ env:
+ - name: KUBEARMOR_NODENAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 image: kubearmor/kubearmor:stable
 imagePullPolicy: Always
 livenessProbe:
diff --git a/deployments/EKS/kubearmor.yaml b/deployments/EKS/kubearmor.yaml
index a8613bf1df..352a4f3414 100644
--- a/deployments/EKS/kubearmor.yaml
+++ b/deployments/EKS/kubearmor.yaml
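Review bot: `matchHost` has no doc comment, and the precedence it introduces is stated nowhere: once `KUBEARMOR_NODENAME` is non-empty the exact string comparison is the only path taken and the hostname-prefix fallback is never consulted, so a value that does not equal the watched node's `ObjectMeta.Name` makes every node event skip silently. Suggest placing `// matchHost reports whether a watched node belongs to this daemon. When KUBEARMOR_NODENAME is set (the deployment manifests fill it from spec.nodeName) it must equal the node name exactly; otherwise the first label of the node name is compared with cfg.GlobalCfg.Host.` above the function. The added `kg.Printf` in `WatchK8sNodes` is a useful diagnostic for that failure mode, but a comment on the function itself is what a reader of the matching code will look for. `WatchK8sNodes` continues outside this hunk.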
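Review bot: The superseded matching code is kept inside a `/* … */` block with a `Jun-13-2022` marker instead of being removed; since the new `matchHost` reproduces that hostname-prefix logic verbatim in its fallback branch, the commented-out copy is redundant and will drift from the live code. Suggest dropping the `/* Keeping this past code … */` block and letting version history hold it, or, if a pointer is wanted, replacing it with the one-liner `// Host matching lives in matchHost(); its fallback branch preserves the original hostname-prefix comparison.` The existing two comment lines about EKS node-name formats then sit directly above the `if !matchHost(...)` guard, where they belong. The body of `WatchK8sNodes` continues outside the hunk on both sides.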
@@ -83,6 +83,11 @@ spec:
 - -gRPC=32767
 - -logPath=/tmp/kubearmor.log
 - -enableKubeArmorHostPolicy
+ env:
+ - name: KUBEARMOR_NODENAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 image: kubearmor/kubearmor:stable
 imagePullPolicy: Always
 livenessProbe:
diff --git a/deployments/GKE/kubearmor.yaml b/deployments/GKE/kubearmor.yaml
index e1303c0817..295e65480e 100644
--- a/deployments/GKE/kubearmor.yaml
+++ b/deployments/GKE/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
 - -gRPC=32767
 - -logPath=/tmp/kubearmor.log
 - -enableKubeArmorHostPolicy
+ env:
+ - name: KUBEARMOR_NODENAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 image: kubearmor/kubearmor:stable
 imagePullPolicy: Always
 livenessProbe:
diff --git a/deployments/docker/kubearmor.yaml b/deployments/docker/kubearmor.yaml
index 7135326292..ff237c78bf 100644
--- a/deployments/docker/kubearmor.yaml
+++ b/deployments/docker/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
 - -gRPC=32767
 - -logPath=/tmp/kubearmor.log
 - -enableKubeArmorHostPolicy
+ env:
+ - name: KUBEARMOR_NODENAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 image: kubearmor/kubearmor:stable
 imagePullPolicy: Always
 livenessProbe:
diff --git a/deployments/generic/kubearmor.yaml b/deployments/generic/kubearmor.yaml
index a8613bf1df..352a4f3414 100644
--- a/deployments/generic/kubearmor.yaml
+++ b/deployments/generic/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
 - -gRPC=32767
 - -logPath=/tmp/kubearmor.log
 - -enableKubeArmorHostPolicy
+ env:
+ - name: KUBEARMOR_NODENAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 image: kubearmor/kubearmor:stable
 imagePullPolicy: Always
 livenessProbe:
diff --git a/deployments/get/defaults.go b/deployments/get/defaults.go
index 74b6ae5eec..3d6155fe07 100644
--- a/deployments/get/defaults.go
+++ b/deployments/get/defaults.go
@@ -20,6 +20,7 @@ var hostPolicyManagerDeploymentName = "kubearmor-host-policy-manager"
 // DaemonSetConfig Structure
 type DaemonSetConfig struct {
 Args []string
+ Envs []corev1.EnvVar
 VolumeMounts []corev1.VolumeMount
 Volumes []corev1.Volume
 }
@@ -76,12 +77,24 @@ var apparmorVol = corev1.Volume{
 },
 }
+var envVar = []corev1.EnvVar{
+ {
+ Name: "KUBEARMOR_NODENAME",
+ ValueFrom: &corev1.EnvVarSource{
+ FieldRef: &corev1.ObjectFieldSelector{
+ FieldPath: "spec.nodeName",
+ },
+ },
+ },
+}
+
 // Environment Specific Daemonset Configuration
 var defaultConfigs = map[string]DaemonSetConfig{
 "generic": {
 Args: []string{
 "-enableKubeArmorHostPolicy",
 },
+ Envs: envVar,
 VolumeMounts: []corev1.VolumeMount{
 hostUsrVolMnt,
 apparmorVolMnt,
@@ -137,6 +150,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 Args: []string{
 "-enableKubeArmorHostPolicy",
 },
+ Envs: envVar,
 VolumeMounts: []corev1.VolumeMount{
 hostUsrVolMnt,
 apparmorVolMnt,
@@ -176,6 +190,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 },
 "minikube": {
 Args: []string{},
+ Envs: envVar,
 VolumeMounts: []corev1.VolumeMount{
 hostUsrVolMnt,
 apparmorVolMnt,
@@ -217,6 +232,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 Args: []string{
 "-enableKubeArmorHostPolicy",
 },
+ Envs: envVar,
 VolumeMounts: []corev1.VolumeMount{
 hostUsrVolMnt,
 apparmorVolMnt,
@@ -258,6 +274,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 Args: []string{
 "-enableKubeArmorHostPolicy",
 },
+ Envs: envVar,
 VolumeMounts: []corev1.VolumeMount{
 hostUsrVolMnt,
 apparmorVolMnt,
@@ -299,6 +316,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 Args: []string{
 "-enableKubeArmorHostPolicy",
 },
+ Envs: envVar,
 VolumeMounts: []corev1.VolumeMount{
 gkeHostUsrVolMnt,
 apparmorVolMnt,
@@ -354,6 +372,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 Args: []string{
 "-enableKubeArmorHostPolicy",
 },
+ Envs: envVar,
 VolumeMounts: []corev1.VolumeMount{
 hostUsrVolMnt,
 apparmorVolMnt,
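Review bot: `Envs` is added to `DaemonSetConfig` without a field comment, and the shared value `envVar` is a slice carrying a singular name. A comment on the field such as `// Envs are extra container environment variables for the KubeArmor daemon; every entry in defaultConfigs currently injects KUBEARMOR_NODENAME from spec.nodeName via the downward API.` and renaming `envVar` to something like `nodeNameEnvs` would make the repeated `Envs: envVar,` sites self-explanatory. Since every environment in `defaultConfigs` points at the same backing array, a short note on `envVar` that it is shared and must be treated as read-only would also help the next maintainer; the hunks at -137, -176, -217, -258, -299, -354 and -409 are the other assignment sites and need no separate change.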
@@ -409,6 +428,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 Args: []string{
 "-enableKubeArmorHostPolicy",
 },
+ Envs: envVar,
 VolumeMounts: []corev1.VolumeMount{
 hostUsrVolMnt,
 apparmorVolMnt,
diff --git a/deployments/get/objects.go b/deployments/get/objects.go
index fa27ac00f8..316cdfa41d 100644
--- a/deployments/get/objects.go
+++ b/deployments/get/objects.go
@@ -439,6 +439,7 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet {
 }
 args = append(args, defaultConfigs[env].Args...)
+ envs := defaultConfigs[env].Envs
 volumeMounts = append(volumeMounts, defaultConfigs[env].VolumeMounts...)
 volumes = append(volumes, defaultConfigs[env].Volumes...)
@@ -487,6 +488,7 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet {
 Privileged: &privileged,
 },
 Args: args,
+ Env: envs,
 Ports: []corev1.ContainerPort{
 {
 ContainerPort: port,
diff --git a/deployments/k3s/kubearmor.yaml b/deployments/k3s/kubearmor.yaml
index e04c83032a..097418049e 100644
--- a/deployments/k3s/kubearmor.yaml
+++ b/deployments/k3s/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
 - -gRPC=32767
 - -logPath=/tmp/kubearmor.log
 - -enableKubeArmorHostPolicy
+ env:
+ - name: KUBEARMOR_NODENAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 image: kubearmor/kubearmor:stable
 imagePullPolicy: Always
 livenessProbe:
diff --git a/deployments/microk8s/kubearmor.yaml b/deployments/microk8s/kubearmor.yaml
index 5e18f2f30a..b14666eda1 100644
--- a/deployments/microk8s/kubearmor.yaml
+++ b/deployments/microk8s/kubearmor.yaml
@@ -83,6 +83,11 @@ spec:
 - -gRPC=32767
 - -logPath=/tmp/kubearmor.log
 - -enableKubeArmorHostPolicy
+ env:
+ - name: KUBEARMOR_NODENAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 image: kubearmor/kubearmor:stable
 imagePullPolicy: Always
 livenessProbe:
diff --git a/deployments/minikube/kubearmor.yaml b/deployments/minikube/kubearmor.yaml
index 5c3f6cb16f..f2c389d5f9 100644
--- a/deployments/minikube/kubearmor.yaml
+++ b/deployments/minikube/kubearmor.yaml
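Review bot: `envs := defaultConfigs[env].Envs` hands the package-level `envVar` slice straight through to the container's `Env` field in the second hunk, whereas the neighbouring `args`, `volumeMounts` and `volumes` are filled by appending the map's values into slices of their own. A caller that later edits the returned DaemonSet in place (for example `Env[0].Value = …` on the generated container) would then mutate the shared default and that change would surface in every subsequent `GenerateDaemonSet` call; copying keeps the generator free of aliasing: `envs := append([]corev1.EnvVar(nil), defaultConfigs[env].Envs...)`. This matches the append-based pattern already used on the adjacent lines. `GenerateDaemonSet` starts and ends outside both hunks.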
@@ -82,6 +82,11 @@ spec:
 - args:
 - -gRPC=32767
 - -logPath=/tmp/kubearmor.log
+ env:
+ - name: KUBEARMOR_NODENAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 image: kubearmor/kubearmor:stable
 imagePullPolicy: Always
 livenessProbe: