Merge pull request #1849 from carlosrodfern/main

feat(operator): allow to set log level
kubearmor · Aug 24, 2024 · 12c43e8 · 12c43e8
2 parents 63534ca + 5cedaca
commit 12c43e8
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 8 deletions.
diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
@@ -351,7 +351,11 @@ func (dm *KubeArmorDaemon) UpdateEndPointWithPod(action string, pod tp.K8sPod) {
 				dm.Logger.UpdateSecurityPolicies(action, endpoint)
 				if dm.RuntimeEnforcer != nil && newPoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
 					// enforce security policies
-					dm.RuntimeEnforcer.UpdateSecurityPolicies(endpoint)
+					if !kl.ContainsElement(dm.SystemMonitor.UntrackedNamespaces, endpoint.NamespaceName) {
+						dm.RuntimeEnforcer.UpdateSecurityPolicies(endpoint)
+					} else {
+						dm.Logger.Warnf("Policy cannot be enforced in untracked namespace %s", endpoint.NamespaceName)
+					}
 				}
 			}
 		}
@@ -531,7 +535,12 @@ func (dm *KubeArmorDaemon) UpdateEndPointWithPod(action string, pod tp.K8sPod) {
 
 					if dm.RuntimeEnforcer != nil && endpoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
 						// enforce security policies
-						dm.RuntimeEnforcer.UpdateSecurityPolicies(endpoint)
+						if !kl.ContainsElement(dm.SystemMonitor.UntrackedNamespaces, endpoint.NamespaceName) {
+							dm.RuntimeEnforcer.UpdateSecurityPolicies(endpoint)
+						} else {
+							dm.Logger.Warnf("Policy cannot be enforced in untracked namespace %s", endpoint.NamespaceName)
+						}
+
 					}
 				}
 			}
@@ -1084,7 +1093,12 @@ func (dm *KubeArmorDaemon) UpdateSecurityPolicy(action string, secPolicyType str
 					if dm.RuntimeEnforcer != nil {
 						if dm.EndPoints[idx].PolicyEnabled == tp.KubeArmorPolicyEnabled {
 							// enforce security policies
-							dm.RuntimeEnforcer.UpdateSecurityPolicies(dm.EndPoints[idx])
+							if !kl.ContainsElement(dm.SystemMonitor.UntrackedNamespaces, dm.EndPoints[idx].NamespaceName) {
+								dm.RuntimeEnforcer.UpdateSecurityPolicies(dm.EndPoints[idx])
+							} else {
+								dm.Logger.Warnf("Policy cannot be enforced in untracked namespace %s", dm.EndPoints[idx].NamespaceName)
+							}
+
 						}
 					}
 				}
@@ -1142,7 +1156,12 @@ func (dm *KubeArmorDaemon) UpdateSecurityPolicy(action string, secPolicyType str
 					if dm.RuntimeEnforcer != nil {
 						if dm.EndPoints[idx].PolicyEnabled == tp.KubeArmorPolicyEnabled {
 							// enforce security policies
-							dm.RuntimeEnforcer.UpdateSecurityPolicies(dm.EndPoints[idx])
+							if !kl.ContainsElement(dm.SystemMonitor.UntrackedNamespaces, dm.EndPoints[idx].NamespaceName) {
+								dm.RuntimeEnforcer.UpdateSecurityPolicies(dm.EndPoints[idx])
+							} else {
+								dm.Logger.Warnf("Policy cannot be enforced in untracked namespace %s", dm.EndPoints[idx].NamespaceName)
+							}
+
 						}
 					}
 				}
@@ -2418,7 +2437,11 @@ func (dm *KubeArmorDaemon) UpdateDefaultPostureWithCM(endPoint *tp.EndPoint, act
 		if dm.RuntimeEnforcer != nil {
 			if endPoint.PolicyEnabled == tp.KubeArmorPolicyEnabled {
 				// enforce security policies
-				dm.RuntimeEnforcer.UpdateSecurityPolicies(*endPoint)
+				if !kl.ContainsElement(dm.SystemMonitor.UntrackedNamespaces, endPoint.NamespaceName) {
+					dm.RuntimeEnforcer.UpdateSecurityPolicies(*endPoint)
+				} else {
+					dm.Logger.Warnf("Policy cannot be enforced in untracked namespace %s", endPoint.NamespaceName)
+				}
 			}
 		}
 	}
@@ -2480,7 +2503,12 @@ func (dm *KubeArmorDaemon) UpdateDefaultPosture(action string, namespace string,
 				if dm.RuntimeEnforcer != nil {
 					if dm.EndPoints[idx].PolicyEnabled == tp.KubeArmorPolicyEnabled {
 						// enforce security policies
-						dm.RuntimeEnforcer.UpdateSecurityPolicies(dm.EndPoints[idx])
+						if !kl.ContainsElement(dm.SystemMonitor.UntrackedNamespaces, dm.EndPoints[idx].NamespaceName) {
+							dm.RuntimeEnforcer.UpdateSecurityPolicies(dm.EndPoints[idx])
+						} else {
+							dm.Logger.Warnf("Policy cannot be enforced in untracked namespace %s", dm.EndPoints[idx].NamespaceName)
+						}
+
 					}
 				}
 			}

diff --git a/pkg/KubeArmorOperator/cmd/operator/main.go b/pkg/KubeArmorOperator/cmd/operator/main.go
@@ -13,6 +13,7 @@ import (
 	"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/k8s"
 	"github.com/spf13/cobra"
 	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
 	apiextensionsclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/homedir"
@@ -28,11 +29,18 @@ var DeploymentName string
 var ExtClient *apiextensionsclientset.Clientset
 var Opv1Client *opv1client.Clientset
 var InitDeploy bool
+var LogLevel string
 
 // Cmd represents the base command when called without any subcommands
 var Cmd = &cobra.Command{
 	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-		log, _ := zap.NewProduction()
+		level, err := zapcore.ParseLevel(LogLevel)
+		if err != nil {
+			return errors.New("unable to parse log level")
+		}
+		config := zap.NewProductionConfig()
+		config.Level.SetLevel(level)
+		log, _ := config.Build()
 		Logger = log.Sugar()
 		K8sClient = k8s.NewClient(*Logger, KubeConfig)
 		ExtClient = k8s.NewExtClient(*Logger, KubeConfig)
@@ -72,6 +80,7 @@ func init() {
 	Cmd.PersistentFlags().StringVar(&DeploymentName, "deploymentName", "kubearmor-operator", "operator deployment name")
 	// TODO:- set initDeploy to false by default once this change is added to stable
 	Cmd.PersistentFlags().BoolVar(&InitDeploy, "initDeploy", true, "Init container deployment")
+	Cmd.PersistentFlags().StringVar(&LogLevel, "loglevel", "info", "log level, e.g., debug, info, warn, error")
 }
 
 // Execute adds all child commands to the root command and sets flags appropriately.

diff --git a/pkg/KubeArmorOperator/cmd/snitch-cmd/main.go b/pkg/KubeArmorOperator/cmd/snitch-cmd/main.go
@@ -20,6 +20,7 @@ import (
 	runtimepkg "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/runtime"
 	"github.com/spf13/cobra"
 	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/rand"
@@ -43,11 +44,18 @@ var LsmOrder string
 var PathPrefix string = "/rootfs"
 var NodeName string
 var Runtime string
+var LogLevel string
 
 // Cmd represents the base command when called without any subcommands
 var Cmd = &cobra.Command{
 	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-		log, _ := zap.NewProduction()
+		level, err := zapcore.ParseLevel(LogLevel)
+		if err != nil {
+			return errors.New("unable to parse log level")
+		}
+		config := zap.NewProductionConfig()
+		config.Level.SetLevel(level)
+		log, _ := config.Build()
 		Logger = log.Sugar()
 		K8sClient = k8s.NewClient(*Logger, KubeConfig)
 		//Initialise k8sClient for all child commands to inherit
@@ -87,6 +95,7 @@ func init() {
 	Cmd.PersistentFlags().StringVar(&NodeName, "nodename", "", "node name to label")
 	Cmd.PersistentFlags().StringVar(&PathPrefix, "pathprefix", "/rootfs", "path prefix for runtime search")
 	Cmd.PersistentFlags().StringVar(&Runtime, "runtime", "", "runtime detected by k8s")
+	Cmd.PersistentFlags().StringVar(&LogLevel, "loglevel", "info", "log level, e.g., debug, info, warn, error")
 }
 
 // Execute adds all child commands to the root command and sets flags appropriately.