Kubearmor policies are not getting enforced on reboot (kubearmor#631)

daemon1024 · Mar 7, 2022 · 86954a6 · 86954a6
1 parent 005cdeb
commit 86954a6
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 1 deletion.
diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go
@@ -32,6 +32,9 @@ type KubearmorConfig struct {
 	CoverageTest bool // Enable/Disable Coverage Test
 }
 
+// PolicyDir policy dir path for host policies backup
+const PolicyDir string = "/opt/kubearmor/policies/"
+
 // GlobalCfg Global configuration for Kubearmor
 var GlobalCfg KubearmorConfig
 

diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
@@ -534,6 +534,13 @@ func KubeArmor() {
 
 	// == //
 
+	if !cfg.GlobalCfg.K8sEnv && (cfg.GlobalCfg.KVMAgent || cfg.GlobalCfg.HostPolicy) {
+		// Restore and apply all kubearmor host security policies
+		dm.restoreKubeArmorHostPolicies()
+	}
+
+	// == //
+
 	// Init KvmAgent
 	if cfg.GlobalCfg.KVMAgent {
 		// initialize kvm agent

diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
@@ -7,12 +7,14 @@ import (
 	"encoding/json"
 	"io"
 	"io/ioutil"
+	"os"
 	"sort"
 	"strings"
 	"time"
 
 	kl "github.com/kubearmor/KubeArmor/KubeArmor/common"
 	cfg "github.com/kubearmor/KubeArmor/KubeArmor/config"
+	kg "github.com/kubearmor/KubeArmor/KubeArmor/log"
 	tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
 )
 
@@ -1199,7 +1201,7 @@ func (dm *KubeArmorDaemon) UpdateHostSecurityPolicies() {
 			if kl.MatchIdentities(policy.Spec.NodeSelector.Identities, dm.Node.Identities) {
 				secPolicies = append(secPolicies, policy)
 			}
-		} else { // KubeArmorVM
+		} else { // KubeArmorVM and KVMAgent
 			secPolicies = append(secPolicies, policy)
 		}
 	}
@@ -1582,6 +1584,11 @@ func (dm *KubeArmorDaemon) ParseAndUpdateHostSecurityPolicy(event tp.K8sKubeArmo
 
 	// apply security policies to a host
 	dm.UpdateHostSecurityPolicies()
+
+	if !cfg.GlobalCfg.K8sEnv && (cfg.GlobalCfg.KVMAgent || cfg.GlobalCfg.HostPolicy) {
+		// backup HostSecurityPolicy to file
+		dm.backupKubeArmorHostPolicy(secPolicy)
+	}
 }
 
 // WatchHostSecurityPolicies Function
@@ -1617,3 +1624,56 @@ func (dm *KubeArmorDaemon) WatchHostSecurityPolicies() {
 		}
 	}
 }
+
+// ================================= //
+// == HostPolicy Backup & Restore == //
+// ================================= //
+
+// backupKubeArmorHostPolicy Function
+func (dm *KubeArmorDaemon) backupKubeArmorHostPolicy(policy tp.HostSecurityPolicy) {
+	// Check for "/opt/kubearmor/policies" path. If dir not found, create the same
+	if _, err := os.Stat(cfg.PolicyDir); err != nil {
+		if err = os.MkdirAll(cfg.PolicyDir, 0700); err != nil {
+			kg.Warnf("Dir creation failed for [%v]", cfg.PolicyDir)
+			return
+		}
+	}
+
+	var file *os.File
+	var err error
+
+	if file, err = os.Create(cfg.PolicyDir + policy.Metadata["policyName"] + ".yaml"); err == nil {
+		if policyBytes, err := json.Marshal(policy); err == nil {
+			if _, err = file.Write(policyBytes); err == nil {
+				if err := file.Close(); err != nil {
+					dm.Logger.Errf(err.Error())
+				}
+			}
+		}
+	}
+}
+
+func (dm *KubeArmorDaemon) restoreKubeArmorHostPolicies() {
+	if _, err := os.Stat(cfg.PolicyDir); err != nil {
+		kg.Warn("Policies dir not found for restoration")
+		return
+	}
+
+	// List all policies files from "/opt/kubearmor/policies" path
+	if policyFiles, err := ioutil.ReadDir(cfg.PolicyDir); err == nil {
+		for _, file := range policyFiles {
+			if data, err := ioutil.ReadFile(cfg.PolicyDir + file.Name()); err == nil {
+				var hostPolicy tp.HostSecurityPolicy
+				if err := json.Unmarshal(data, &hostPolicy); err == nil {
+					dm.HostSecurityPolicies = append(dm.HostSecurityPolicies, hostPolicy)
+				}
+			}
+		}
+
+		if len(policyFiles) != 0 {
+			dm.UpdateHostSecurityPolicies()
+		} else {
+			kg.Warn("No policies found for restoration")
+		}
+	}
+}