Merge pull request kubearmor#648 from nyrahul/main
deploy/core: kubearmor for GKE latest COS images
nyrahul authored Mar 14, 2022
2 parents 925a26a + e2737ef commit b2c7d82
Showing 10 changed files with 139 additions and 161 deletions.
21 changes: 14 additions & 7 deletions KubeArmor/monitor/systemMonitor.go
Expand Up @@ -158,9 +158,6 @@ type SystemMonitor struct {

// ticker to clean up exited pids
Ticker *time.Ticker

// GKE
IsCOS bool
}

// NewSystemMonitor Function
Expand Down Expand Up @@ -193,8 +190,6 @@ func NewSystemMonitor(node tp.Node, logger *fd.Feeder, containers *map[string]tp

mon.Ticker = time.NewTicker(time.Second * 10)

mon.IsCOS = false

return mon
}

Expand Down Expand Up @@ -226,8 +221,20 @@ func (mon *SystemMonitor) InitBPF() error {

// just for safety
time.Sleep(time.Second * 1)

mon.IsCOS = true
} else {
// In case of GKE COS release >= 1.22, the base OS img does not
// contain /usr/src folder. Thus we now mount /usr folder to
// /media/root/usr folder in kubearmor for GKE. The following code
// checks whether the /media/root/usr/src/kernel-hdrs path exists
// and uses it for BCC kernel source, if present.
lklhdrpath := "/media/root/usr/src/linux-headers-" + mon.KernelVersion
mon.Logger.Printf("checking if kernel headers path (%s) exists", lklhdrpath)
if _, err := os.Stat(lklhdrpath); err == nil {
mon.Logger.Printf("using kernel headers from (%s)", lklhdrpath)
if err := os.Setenv("BCC_KERNEL_SOURCE", lklhdrpath); err != nil {
mon.Logger.Errf("setenv failed for [BCC_KERNEL_SOURCE=%s] Error=%s", lklhdrpath, err.Error())
}
}
}
}
}
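Review bot: The comment above the new else branch names `/media/root/usr/src/kernel-hdrs`, but the code at `lklhdrpath := "/media/root/usr/src/linux-headers-" + mon.KernelVersion` probes a different path; one of the two should be corrected so the documented path matches what is actually checked. `os.Stat` succeeding only proves that something exists at that path (symlinks followed), so a stray file would still be exported as the BCC source tree; `if fi, err := os.Stat(lklhdrpath); err == nil && fi.IsDir() {` would tie the env var to a real directory. The error log could also use `%v` with `err` rather than `err.Error()`, which is the usual Go idiom. InitBPF and the if whose else this is both begin outside the hunk, so the condition that routes into this branch cannot be verified here.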
14 changes: 7 additions & 7 deletions deployments/EKS/kubearmor.yaml
Expand Up @@ -101,9 +101,6 @@ spec:
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /usr/src
name: usr-src-path
readOnly: true
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
Expand All @@ -116,6 +113,9 @@ spec:
- mountPath: /media/root/etc/os-release
name: os-release-path
readOnly: true
- mountPath: /usr/src
name: usr-src-path
readOnly: true
- mountPath: /etc/apparmor.d
name: etc-apparmor-d-path
- mountPath: /var/run/containerd/containerd.sock
Expand All @@ -138,10 +138,6 @@ spec:
tolerations:
- operator: Exists
volumes:
- hostPath:
path: /usr/src
type: Directory
name: usr-src-path
- hostPath:
path: /lib/modules
type: Directory
Expand All @@ -162,6 +158,10 @@ spec:
path: /etc/os-release
type: File
name: os-release-path
- hostPath:
path: /usr/src
type: Directory
name: usr-src-path
- hostPath:
path: /etc/apparmor.d
type: DirectoryOrCreate
14 changes: 7 additions & 7 deletions deployments/GKE/kubearmor.yaml
Expand Up @@ -101,9 +101,6 @@ spec:
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /usr/src
name: usr-src-path
readOnly: true
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
Expand All @@ -116,6 +113,9 @@ spec:
- mountPath: /media/root/etc/os-release
name: os-release-path
readOnly: true
- mountPath: /media/root/usr
name: usr-src-path
readOnly: true
- mountPath: /etc/apparmor.d
name: etc-apparmor-d-path
- mountPath: /var/run/containerd/containerd.sock
Expand All @@ -138,10 +138,6 @@ spec:
tolerations:
- operator: Exists
volumes:
- hostPath:
path: /usr/src
type: Directory
name: usr-src-path
- hostPath:
path: /lib/modules
type: Directory
Expand All @@ -162,6 +158,10 @@ spec:
path: /etc/os-release
type: File
name: os-release-path
- hostPath:
path: /usr
type: Directory
name: usr-src-path
- hostPath:
path: /etc/apparmor.d
type: DirectoryOrCreate
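Review bot: The hostPath at `path: /usr` widens what the pod can read from /usr/src to the whole host /usr, while the volume keeps the name `usr-src-path`, which no longer describes its contents; renaming it (for example `usr-path`) in both the volumeMounts and volumes entries would keep the manifest honest. The `readOnly: true` on the mount limits the impact, but a comment on the volume stating why the full /usr is needed on COS rather than a narrower path would help reviewers judge the exposure. The Go change in this commit says /usr/src is absent on COS >= 1.22 yet looks for headers under `/media/root/usr/src/linux-headers-<version>`, which appears to conflict with that statement, so clarifying which host path actually holds the headers would be worthwhile.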
14 changes: 7 additions & 7 deletions deployments/docker/kubearmor.yaml
Expand Up @@ -101,9 +101,6 @@ spec:
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /usr/src
name: usr-src-path
readOnly: true
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
Expand All @@ -116,6 +113,9 @@ spec:
- mountPath: /media/root/etc/os-release
name: os-release-path
readOnly: true
- mountPath: /usr/src
name: usr-src-path
readOnly: true
- mountPath: /etc/apparmor.d
name: etc-apparmor-d-path
- mountPath: /var/run/docker.sock
Expand All @@ -135,10 +135,6 @@ spec:
tolerations:
- operator: Exists
volumes:
- hostPath:
path: /usr/src
type: Directory
name: usr-src-path
- hostPath:
path: /lib/modules
type: Directory
Expand All @@ -159,6 +155,10 @@ spec:
path: /etc/os-release
type: File
name: os-release-path
- hostPath:
path: /usr/src
type: Directory
name: usr-src-path
- hostPath:
path: /etc/apparmor.d
type: DirectoryOrCreate
14 changes: 7 additions & 7 deletions deployments/generic/kubearmor.yaml
Expand Up @@ -101,9 +101,6 @@ spec:
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /usr/src
name: usr-src-path
readOnly: true
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
Expand All @@ -116,6 +113,9 @@ spec:
- mountPath: /media/root/etc/os-release
name: os-release-path
readOnly: true
- mountPath: /usr/src
name: usr-src-path
readOnly: true
- mountPath: /etc/apparmor.d
name: etc-apparmor-d-path
- mountPath: /var/run/containerd/containerd.sock
Expand All @@ -138,10 +138,6 @@ spec:
tolerations:
- operator: Exists
volumes:
- hostPath:
path: /usr/src
type: Directory
name: usr-src-path
- hostPath:
path: /lib/modules
type: Directory
Expand All @@ -162,6 +158,10 @@ spec:
path: /etc/os-release
type: File
name: os-release-path
- hostPath:
path: /usr/src
type: Directory
name: usr-src-path
- hostPath:
path: /etc/apparmor.d
type: DirectoryOrCreate
