Merge pull request #1471 from VedRatan/helm-enhancement
DelusionalOptimist authored Nov 10, 2023
2 parents c5c1c2a + 4dc2ba2 commit 97f5c11
Showing 12 changed files with 142 additions and 2 deletions.
15 changes: 15 additions & 0 deletions deployments/get/objects.go
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,20 @@ var replicas = int32(1)
var relayDeploymentLabels = map[string]string{
"kubearmor-app": "kubearmor-relay",
}
var envVars = []corev1.EnvVar{
{
Name: "ENABLE_STDOUT_LOGS",
Value: "false",
},
{
Name: "ENABLE_STDOUT_ALERTS",
Value: "false",
},
{
Name: "ENABLE_STDOUT_MSGS",
Value: "false",
},
}

// GetRelayDeployment Function
func GetRelayDeployment(namespace string) *appsv1.Deployment {
Expand Down Expand Up @@ -159,6 +173,7 @@ func GetRelayDeployment(namespace string) *appsv1.Deployment {
ContainerPort: port,
},
},
Env: envVars,
},
},
},
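Review bot: The env-var names `ENABLE_STDOUT_LOGS`, `ENABLE_STDOUT_ALERTS` and `ENABLE_STDOUT_MSGS` are bare string literals in the new `envVars` block and are retyped in the operator's cluster.go, which already imports this package for `RelayDeploymentName`; a typo in either copy would silently leave the relay at its built-in default. I would export them from here, e.g. `const RelayEnvStdoutLogs = "ENABLE_STDOUT_LOGS"` (plus the two siblings), and reference them from both places. The package-level name `envVars` is also too generic for package scope in a file that builds several deployments; `relayEnvVars` says what it configures. Defaulting all three to `"false"` preserves existing installs' behavior, which is the right conservative choice since these switches presumably make telemetry and alerts readable by anyone with pod-log access.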
7 changes: 7 additions & 0 deletions deployments/helm/KubeArmor/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,13 @@ spec:
- image: {{printf "%s:%s" .Values.kubearmorRelay.image.repository .Values.kubearmorRelay.image.tag}}
imagePullPolicy: {{ .Values.kubearmorRelay.imagePullPolicy }}
name: kubearmor-relay-server
env:
- name: ENABLE_STDOUT_LOGS
value: {{ quote .Values.kubearmorRelay.enableStdoutLogs }}
- name: ENABLE_STDOUT_ALERTS
value: {{ quote .Values.kubearmorRelay.enableStdoutAlerts }}
- name: ENABLE_STDOUT_MSGS
value: {{ quote .Values.kubearmorRelay.enableStdoutMsg }}
ports:
- containerPort: 32767
nodeSelector:
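Review bot: The chart keys read in the new env block, `enableStdoutLogs`, `enableStdoutAlerts` and `enableStdoutMsg`, spell the same switches differently from the operator CR fields `enableStdOutLogs`, `enableStdOutAlerts` and `enableStdOutMsgs` introduced by this same commit — different casing and singular `Msg` versus plural `Msgs`. The chart has no values schema, so a user who copies the operator spelling into values.yaml gets no error: the lookup yields nil, `quote` renders `value: ""`, and the flag is silently not what they asked for. I would align on one spelling before this reaches a release, at minimum renaming the chart key to `enableStdoutMsgs`, and consider adding a values.schema.json so misspelt keys are rejected.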
4 changes: 4 additions & 0 deletions deployments/helm/KubeArmor/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@ kubearmorRelay:
tag: latest
# kubearmor-init imagePullPolicy
imagePullPolicy: Always
# Add environment variables for STDOUT logging
enableStdoutLogs: "false"
enableStdoutAlerts: "false"
enableStdoutMsg: "false"

kubearmorInit:
image:
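Review bot: The comment `# Add environment variables for STDOUT logging` above the three new keys reads like a changelog entry rather than telling the chart user what turning them on does. I would replace it with something like `# Set to "true" to make the relay server also print the logs / alerts / messages it receives to its own stdout (visible via kubectl logs and the node log pipeline); all off by default.` The env-var names and the `"false"` defaults support the first half; the exposure consequence is worth spelling out because these streams presumably carry policy alerts and process/file telemetry from every node.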
6 changes: 5 additions & 1 deletion deployments/helm/KubeArmorOperator/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,10 @@ spec:
defaultFilePosture: audit|block # DEFAULT - audit
defaultNetworkPosture: audit|block # DEFAULT - audit

enableStdOutLogs: [show stdout logs for relay server] # DEFAULT - false
enableStdOutAlerts: [show stdout alerts for relay server] # DEFAULT - false
enableStdOutMsgs: [show stdout messages for relay server] # DEFAULT - false

# default visibility configuration
defaultVisibility: [comma separated: process|file|network] # DEFAULT - process,network

Expand Down Expand Up @@ -117,5 +121,5 @@ job.batch/kubearmor-snitch-lglbd 1/1 3s 11m
Uninstalling the Operator will also uninstall KubeArmor from all your nodes. To uninstall, just run:

```bash
helm uninstall kubearmor -n kubearmor
helm uninstall kubearmor-operator -n kubearmor
```
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,12 @@ spec:
type: string
defaultVisibility:
type: string
enableStdOutAlerts:
type: boolean
enableStdOutLogs:
type: boolean
enableStdOutMsgs:
type: boolean
kubeRbacProxyImage:
description: ImageSpec defines the image specifications
properties:
5 changes: 4 additions & 1 deletion deployments/helm/KubeArmorOperator/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,12 @@ kubearmorOperator:
repository: kubearmor/kubearmor-operator
tag: latest
imagePullPolicy: IfNotPresent

kubearmorConfig:
defaultCapabilitiesPosture: audit
defaultFilePosture: audit
defaultNetworkPosture: audit
defaultVisibility: process,network
enableStdOutLogs: false
enableStdOutAlerts: false
enableStdOutMsgs: false
6 changes: 6 additions & 0 deletions deployments/operator/operator.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,12 @@ spec:
type: string
defaultVisibility:
type: string
enableStdOutAlerts:
type: boolean
enableStdOutLogs:
type: boolean
enableStdOutMsgs:
type: boolean
kubeRbacProxyImage:
description: ImageSpec defines the image specifications
properties:
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,12 @@ type KubeArmorConfigSpec struct {
KubeArmorControllerImage ImageSpec `json:"kubearmorControllerImage,omitempty"`
// +kubebuilder:validation:optional
KubeRbacProxyImage ImageSpec `json:"kubeRbacProxyImage,omitempty"`
// +kubebuilder:validation:optional
EnableStdOutLogs bool `json:"enableStdOutLogs,omitempty"`
// +kubebuilder:validation:optional
EnableStdOutAlerts bool `json:"enableStdOutAlerts,omitempty"`
// +kubebuilder:validation:optional
EnableStdOutMsgs bool `json:"enableStdOutMsgs,omitempty"`
}

// KubeArmorConfigStatus defines the observed state of KubeArmorConfig
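Review bot: The three new spec fields carry no doc comment, so controller-gen emits them into the CRD without a `description` and `kubectl explain kubearmorconfig.spec.enableStdOutLogs` shows nothing; the fields visible in this hunk all have their validation marker, and a one-liner each would be cheap. I would add above each field a comment stating what it is wired to, e.g. `// EnableStdOutLogs sets ENABLE_STDOUT_LOGS on the kubearmor-relay deployment; when true the relay also writes received logs to its stdout.` and the equivalent for alerts and messages. Note that with `omitempty` on a `bool`, an explicit `false` and an unset field are indistinguishable, which is only correct as long as false remains the default. `KubeArmorConfigSpec` begins outside this hunk.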
12 changes: 12 additions & 0 deletions pkg/KubeArmorOperator/common/defaults.go
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,12 @@ var (
ConfigDefaultCapabilitiesPosture string = "defaultCapabilitiesPosture"
ConfigDefaultNetworkPosture string = "defaultNetworkPosture"

//KubearmorRelayEnvVariables

EnableStdOutAlerts string = "enableStdOutAlerts"
EnableStdOutLogs string = "enableStdOutLogs"
EnableStdOutMsgs string = "enableStdOutMsgs"

// Images
KubeArmorName string = "kubearmor"
KubeArmorImage string = "kubearmor/kubearmor:stable"
Expand Down Expand Up @@ -96,6 +102,12 @@ var ConfigMapData = map[string]string{
ConfigVisibility: "process,network,capabilities",
}

var KubearmorRelayEnvMap = map[string]string{
EnableStdOutAlerts: "false",
EnableStdOutLogs: "false",
EnableStdOutMsgs: "false",
}

var ContainerRuntimeSocketMap = map[string][]string{
"docker": {
"/var/run/docker.sock",
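Review bot: The comment `//KubearmorRelayEnvVariables` is misleading: `EnableStdOutAlerts`, `EnableStdOutLogs` and `EnableStdOutMsgs` hold the KubeArmorConfig spec key names that index `KubearmorRelayEnvMap`, while the actual container env-var names (`ENABLE_STDOUT_*`) live as literals in cluster.go. I would reword it to `// KubeArmorConfig spec keys for the relay's stdout switches; current values are kept as strings in KubearmorRelayEnvMap` and put a space after `//` like the other comments in this block. `KubearmorRelayEnvMap` is an exported, mutable package-level map that the controller rewrites at runtime, which presumably mirrors how `ConfigMapData` is used; its declaration deserves a comment naming who is allowed to write it so a second writer is not added by accident.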
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,12 @@ spec:
type: string
defaultVisibility:
type: string
enableStdOutAlerts:
type: boolean
enableStdOutLogs:
type: boolean
enableStdOutMsgs:
type: boolean
kubeRbacProxyImage:
description: ImageSpec defines the image specifications
properties:
3 changes: 3 additions & 0 deletions pkg/KubeArmorOperator/config/samples/sample-config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@ spec:
defaultFilePosture: audit
defaultNetworkPosture: audit
defaultVisibility: process,network
enableStdOutLogs: false
enableStdOutAlerts: false
enableStdOutMsgs: false
kubearmorImage:
image: kubearmor/kubearmor:stable
imagePullPolicy: Always
68 changes: 68 additions & 0 deletions pkg/KubeArmorOperator/internal/controller/cluster.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ package controller

import (
"context"
"strconv"
"strings"
"sync"
"time"
Expand Down Expand Up @@ -266,6 +267,7 @@ func (clusterWatcher *ClusterWatcher) WatchConfigCrd() {
common.OperatorConfigCrd = cfg
UpdateConfigMapData(&cfg.Spec)
UpdateImages(&cfg.Spec)
UpdatedKubearmorRelayEnv(&cfg.Spec)
// update status to (Installation) Created
go clusterWatcher.UpdateCrdStatus(cfg.Name, common.CREATED, common.CREATED_MSG)
go clusterWatcher.WatchRequiredResources()
Expand All @@ -286,6 +288,7 @@ func (clusterWatcher *ClusterWatcher) WatchConfigCrd() {
if common.OperatorConfigCrd != nil && cfg.Name == common.OperatorConfigCrd.Name {
configChanged := UpdateConfigMapData(&cfg.Spec)
imageUpdated := UpdateImages(&cfg.Spec)
relayEnvUpdated := UpdatedKubearmorRelayEnv(&cfg.Spec)
// return if only status has been updated
if !configChanged && cfg.Status != oldObj.(*opv1.KubeArmorConfig).Status && len(imageUpdated) < 1 {
return
Expand All @@ -298,6 +301,11 @@ func (clusterWatcher *ClusterWatcher) WatchConfigCrd() {
go clusterWatcher.UpdateCrdStatus(cfg.Name, common.UPDATING, common.UPDATING_MSG)
clusterWatcher.UpdateKubeArmorConfigMap(cfg)
}
if relayEnvUpdated {
// update status to Updating
go clusterWatcher.UpdateCrdStatus(cfg.Name, common.UPDATING, common.UPDATING_MSG)
clusterWatcher.UpdateKubearmorRelayEnv(cfg)
}
}
}
},
Expand Down Expand Up @@ -390,6 +398,38 @@ func (clusterWatcher *ClusterWatcher) UpdateKubeArmorImages(images []string) err
return res
}

func (clusterWatcher *ClusterWatcher) UpdateKubearmorRelayEnv(cfg *opv1.KubeArmorConfig) error {
var res error
relay, err := clusterWatcher.Client.AppsV1().Deployments(common.Namespace).Get(context.Background(), deployments.RelayDeploymentName, v1.GetOptions{})
if err != nil {
clusterWatcher.Log.Warnf("Cannot get deployment=%s error=%s", deployments.RelayDeploymentName, err.Error())
res = err
} else {
relay.Spec.Template.Spec.Containers[0].Env = []corev1.EnvVar{
{
Name: "ENABLE_STDOUT_LOGS",
Value: common.KubearmorRelayEnvMap[common.EnableStdOutLogs],
},
{
Name: "ENABLE_STDOUT_ALERTS",
Value: common.KubearmorRelayEnvMap[common.EnableStdOutAlerts],
},
{
Name: "ENABLE_STDOUT_MSGS",
Value: common.KubearmorRelayEnvMap[common.EnableStdOutMsgs],
},
}
_, err = clusterWatcher.Client.AppsV1().Deployments(common.Namespace).Update(context.Background(), relay, v1.UpdateOptions{})
if err != nil {
clusterWatcher.Log.Warnf("Cannot update deployment=%s error=%s", deployments.RelayDeploymentName, err.Error())
res = err
} else {
clusterWatcher.Log.Infof("Updated Deployment=%s with env=%s", deployments.RelayDeploymentName, common.KubearmorRelayEnvMap)
}
}
return res
}

func UpdateIfDefinedAndUpdated(common *string, in string) bool {
if in != "" && in != *common {
*common = in
Expand Down Expand Up @@ -513,3 +553,31 @@ func UpdateConfigMapData(config *opv1.KubeArmorConfigSpec) bool {
}
return updated
}

func UpdatedKubearmorRelayEnv(config *opv1.KubeArmorConfigSpec) bool {
updated := false
stringEnableStdOutLogs := strconv.FormatBool(config.EnableStdOutLogs)
if stringEnableStdOutLogs != "" {
if common.KubearmorRelayEnvMap[common.EnableStdOutLogs] != string(stringEnableStdOutLogs) {
common.KubearmorRelayEnvMap[common.EnableStdOutLogs] = string(stringEnableStdOutLogs)
updated = true
}
}

stringEnableStdOutAlerts := strconv.FormatBool(config.EnableStdOutAlerts)
if stringEnableStdOutAlerts != "" {
if common.KubearmorRelayEnvMap[common.EnableStdOutAlerts] != string(stringEnableStdOutAlerts) {
common.KubearmorRelayEnvMap[common.EnableStdOutAlerts] = string(stringEnableStdOutAlerts)
updated = true
}
}

stringEnableStdOutMsgs := strconv.FormatBool(config.EnableStdOutMsgs)
if stringEnableStdOutMsgs != "" {
if common.KubearmorRelayEnvMap[common.EnableStdOutMsgs] != string(stringEnableStdOutMsgs) {
common.KubearmorRelayEnvMap[common.EnableStdOutMsgs] = string(stringEnableStdOutMsgs)
updated = true
}
}
return updated
}
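Review bot: In the update handler the early return `if !configChanged && cfg.Status != oldObj.(*opv1.KubeArmorConfig).Status && len(imageUpdated) < 1` was not extended for the new flag, yet `UpdatedKubearmorRelayEnv` has already mutated `common.KubearmorRelayEnvMap` before it runs; on an event where the stdout flags changed together with the status, the handler returns, the deployment is never patched, and the next event sees no difference in the map and never retries. The guard needs `&& !relayEnvUpdated`. Separately, `UpdateKubearmorRelayEnv` assigns a fresh slice to `Containers[0].Env`, discarding any other env vars on the relay container, and indexes `Containers[0]` unchecked on an object fetched live from the API; an upsert by name, as below, is safer. On the add path the map is refreshed but nothing visible here applies it to the deployment, so if `WatchRequiredResources` creates the relay from `deployments.GetRelayDeployment`, whose `envVars` are fixed to `"false"`, a CR created with a flag already true would not take effect until a later spec update — worth confirming. In `UpdatedKubearmorRelayEnv` the `!= ""` checks and `string(...)` casts are dead, since `strconv.FormatBool` only ever returns "true" or "false".
```go
func (clusterWatcher *ClusterWatcher) UpdateKubearmorRelayEnv(cfg *opv1.KubeArmorConfig) error {
	// … unchanged: Get of the relay deployment and its error branch …
	if len(relay.Spec.Template.Spec.Containers) == 0 {
		clusterWatcher.Log.Warnf("Deployment=%s has no containers, skipping env update", deployments.RelayDeploymentName)
		return nil
	}
	desired := []corev1.EnvVar{
		{Name: "ENABLE_STDOUT_LOGS", Value: common.KubearmorRelayEnvMap[common.EnableStdOutLogs]},
		{Name: "ENABLE_STDOUT_ALERTS", Value: common.KubearmorRelayEnvMap[common.EnableStdOutAlerts]},
		{Name: "ENABLE_STDOUT_MSGS", Value: common.KubearmorRelayEnvMap[common.EnableStdOutMsgs]},
	}
	// Upsert by name so env vars this operator does not own survive the update.
	c := &relay.Spec.Template.Spec.Containers[0]
	for _, want := range desired {
		found := false
		for i := range c.Env {
			if c.Env[i].Name == want.Name {
				c.Env[i].Value, found = want.Value, true
				break
			}
		}
		if !found {
			c.Env = append(c.Env, want)
		}
	}
	// … unchanged: Update call, logging and return …
}
```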
