add ability to set cri socket & refactor

Signed-off-by: Rudraksh Pareek <[email protected]>

KubeArmor/common/common.go

@@ -20,6 +20,22 @@ import (
 	kg "github.com/kubearmor/KubeArmor/KubeArmor/log"
 )
 
+// ContainerRuntimeSocketMap lists all sockets that are auto-detected for each
+// supported runtime
+var ContainerRuntimeSocketMap = map[string][]string{
+	"docker": {
+		"/var/run/docker.sock",
+	},
+	"containerd": {
+		"/var/snap/microk8s/common/run/containerd.sock",
+		"/run/k3s/containerd/containerd.sock",
+		"/var/run/containerd/containerd.sock",
+	},
+	"crio": {
+		"/var/run/crio/crio.sock",
+	},
+}
+
 // ============ //
 // == Common == //
 // ============ //
@@ -365,6 +381,17 @@ func IsK8sEnv() bool {
 	return false
 }
 
+// GetCRISocket Function validates and returns the socket for each compatible
+// runtime
+func GetCRISocket(ContainerRuntime string) string {
+	for _, candidate := range ContainerRuntimeSocketMap[ContainerRuntime] {
+		if _, err := os.Stat(candidate); err == nil {
+			return candidate
+		}
+	}
+	return ""
+}
+
 // ==================== //
 // == Identity Match == //
 // ==================== //

KubeArmor/config/config.go

@@ -4,6 +4,7 @@
 package config
 
 import (
+	"errors"
 	"fmt"
 	"os"
 	"strings"
@@ -40,6 +41,8 @@ type KubearmorConfig struct {
 	HostDefaultCapabilitiesPosture string // Default Enforcement Action in Global Capabilities Context
 
 	CoverageTest bool // Enable/Disable Coverage Test
+
+	CRISocket string // The container runtime endpoint to use
 }
 
 // PolicyDir policy dir path for host policies backup
@@ -105,6 +108,9 @@ const ConfigCoverageTest string = "coverageTest"
 // ConfigK8sEnv VM key
 const ConfigK8sEnv string = "k8s"
 
+// ConfigCRISocket key
+const ConfigCRISocket string = "criSocket"
+
 func readCmdLineParams() {
 	hostname, _ := os.Hostname()
 	clusterStr := flag.String(ConfigCluster, "default", "cluster name")
@@ -132,6 +138,8 @@ func readCmdLineParams() {
 
 	coverageTestB := flag.Bool(ConfigCoverageTest, false, "enabling CoverageTest")
 
+	criSocket := flag.String(ConfigCRISocket, "", "path to CRI socket. Format: unix:///path/to/file.sock. If empty kubearmor will try to auto-detect this.")
+
 	flags := []string{}
 	flag.VisitAll(func(f *flag.Flag) {
 		kv := fmt.Sprintf("%s:%v", f.Name, f.Value)
@@ -165,6 +173,8 @@ func readCmdLineParams() {
 	viper.SetDefault(ConfigHostDefaultCapabilitiesPosture, *hostDefaultCapabilitiesPosture)
 
 	viper.SetDefault(ConfigCoverageTest, *coverageTestB)
+
+	viper.SetDefault(ConfigCRISocket, *criSocket)
 }
 
 // LoadConfig Load configuration
@@ -213,6 +223,16 @@ func LoadConfig() error {
 	GlobalCfg.HostDefaultNetworkPosture = viper.GetString(ConfigHostDefaultNetworkPosture)
 	GlobalCfg.HostDefaultCapabilitiesPosture = viper.GetString(ConfigHostDefaultCapabilitiesPosture)
 
+	// read CRI_SOCKET env variable. If empty, check criSocket flag
+	GlobalCfg.CRISocket = os.Getenv("CRI_SOCKET")
+	if GlobalCfg.CRISocket == "" {
+		GlobalCfg.CRISocket = viper.GetString(ConfigCRISocket)
+	}
+
+	if GlobalCfg.CRISocket != "" && !strings.HasPrefix(GlobalCfg.CRISocket, "unix://") {
+		return errors.New(fmt.Sprintf("%s is invalid. CRI socket must start with unix://", GlobalCfg.CRISocket))
+	}
+
 	kg.Printf("Configuration [%+v]", GlobalCfg)
 
 	if GlobalCfg.KVMAgent {

KubeArmor/core/containerdHandler.go

@@ -7,8 +7,8 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"path/filepath"
 	"strconv"
+	"strings"
 	"time"
 
 	kl "github.com/kubearmor/KubeArmor/KubeArmor/common"
@@ -42,8 +42,6 @@ func init() {
 
 	typeurl.Register(&specs.Spec{}, prefix, "opencontainers/runtime-spec", major, "Spec")
 	typeurl.Register(&specs.Process{}, prefix, "opencontainers/runtime-spec", major, "Process")
-
-	Containerd = NewContainerdHandler()
 }
 
 // ContainerdHandler Structure
@@ -72,29 +70,15 @@ type ContainerdHandler struct {
 func NewContainerdHandler() *ContainerdHandler {
 	ch := &ContainerdHandler{}
 
-	sockFile := "unix://"
-
-	for idx, candidate := range []string{"/var/run/containerd/containerd.sock", "/var/snap/microk8s/common/run/containerd.sock", "/run/k3s/containerd/containerd.sock"} {
-		if _, err := os.Stat(filepath.Clean(candidate)); err == nil {
-			sockFile = sockFile + candidate
-
-			if idx == 0 { // containerd
-				ch.StoragePath = "/run/containerd"
-			} else if idx == 1 { // microk8s
-				ch.StoragePath = "/var/snap/microk8s/common/run/containerd"
-			} else if idx == 2 { // k3s
-				ch.StoragePath = "/run/k3s/containerd"
-			}
-
-			break
-		}
-	}
-
-	if sockFile == "unix://" {
-		return nil
+	if strings.Contains(cfg.GlobalCfg.CRISocket, "microk8s") { // microk8s
+		ch.StoragePath = "/var/snap/microk8s/common/run/containerd"
+	} else if strings.Contains(cfg.GlobalCfg.CRISocket, "k3s") { // k3s
+		ch.StoragePath = "/run/k3s/containerd"
+	} else { // vanilla containerd
+		ch.StoragePath = "/run/containerd"
 	}
 
-	conn, err := grpc.Dial(sockFile, grpc.WithInsecure())
+	conn, err := grpc.Dial(cfg.GlobalCfg.CRISocket, grpc.WithInsecure())
 	if err != nil {
 		return nil
 	}
@@ -380,6 +364,8 @@ func (dm *KubeArmorDaemon) UpdateContainerdContainer(ctx context.Context, contai
 
 // MonitorContainerdEvents Function
 func (dm *KubeArmorDaemon) MonitorContainerdEvents() {
+	Containerd = NewContainerdHandler()
+
 	// check if Containerd exists
 	if Containerd == nil {
 		return

KubeArmor/core/crioHandler.go

@@ -8,7 +8,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
-	"path/filepath"
 	"strconv"
 	"time"
 
@@ -29,9 +28,6 @@ type CrioHandler struct {
 	// crio client
 	client pb.RuntimeServiceClient
 
-	// storage path
-	StoragePath string
-
 	// containers is a map with empty value to have lookups in constant time
 	containers map[string]struct{}
 }
@@ -48,36 +44,11 @@ type CrioContainerInfo struct {
 // Crio Handler
 var Crio *CrioHandler
 
-// init Function
-func init() {
-	Crio = NewCrioHandler()
-}
-
 // NewCrioHandler Function creates a new Crio handler
 func NewCrioHandler() *CrioHandler {
 	ch := &CrioHandler{}
 
-	sockFile := "unix://"
-
-	// TODO: identify other k8s distros which support CRIO by default
-	for idx, candidate := range []string{"/var/run/crio/crio.sock"} {
-		if _, err := os.Stat(filepath.Clean(candidate)); err == nil {
-			sockFile = sockFile + candidate
-
-			if idx == 0 {
-				// default crio
-				ch.StoragePath = "/run/crio"
-			}
-
-			break
-		}
-	}
-
-	if sockFile == "unix://" {
-		return nil
-	}
-
-	conn, err := grpc.Dial(sockFile, grpc.WithInsecure())
+	conn, err := grpc.Dial(cfg.GlobalCfg.CRISocket, grpc.WithInsecure())
 	if err != nil {
 		return nil
 	}
@@ -339,6 +310,7 @@ func (dm *KubeArmorDaemon) UpdateCrioContainer(ctx context.Context, containerID,
 
 // MonitorCrioEvents Function
 func (dm *KubeArmorDaemon) MonitorCrioEvents() {
+	Crio = NewCrioHandler()
 	// check if Crio exists
 	if Crio == nil {
 		return

KubeArmor/core/dockerHandler.go

@@ -29,11 +29,6 @@ import (
 // Docker Handler
 var Docker *DockerHandler
 
-// init Function
-func init() {
-	Docker = NewDockerHandler()
-}
-
 // DockerVersion Structure
 type DockerVersion struct {
 	APIVersion string `json:"ApiVersion"`
@@ -52,7 +47,7 @@ func NewDockerHandler() *DockerHandler {
 	// specify the docker api version that we want to use
 	// Versioned API: https://docs.docker.com/engine/api/
 
-	versionStr, err := kl.GetCommandOutputWithErr("curl", []string{"--silent", "--unix-socket", "/var/run/docker.sock", "http://localhost/version"})
+	versionStr, err := kl.GetCommandOutputWithErr("curl", []string{"--silent", "--unix-socket", strings.TrimPrefix(cfg.GlobalCfg.CRISocket, "unix://"), "http://localhost/version"})
 	if err != nil {
 		return nil
 	}
@@ -381,6 +376,8 @@ func (dm *KubeArmorDaemon) MonitorDockerEvents() {
 	dm.WgDaemon.Add(1)
 	defer dm.WgDaemon.Done()
 
+	Docker = NewDockerHandler()
+
 	// check if Docker exists
 	if Docker == nil {
 		return