feat(apparmor/host): cleanup profiles on gracefult termination
This avoids lingering enforcement of policies on running processes during uninstallation of KubeArmor.

Signed-off-by: daemon1024 <[email protected]>
daemon1024 committed Dec 17, 2024
1 parent 410ea7a commit f33f60d
Showing 1 changed file with 20 additions and 15 deletions.
35 changes: 20 additions & 15 deletions KubeArmor/enforcer/appArmorEnforcer.go
Expand Up @@ -440,32 +440,37 @@ func (ae *AppArmorEnforcer) UnregisterAppArmorHostProfile() bool {
return true
}

ae.Logger.Printf("Unregistering the KubeArmor host profile from %s", cfg.GlobalCfg.Host)

ae.AppArmorProfilesLock.Lock()
defer ae.AppArmorProfilesLock.Unlock()

if err := ae.CreateAppArmorHostProfile(); err != nil {
ae.Logger.Warnf("Unable to reset the KubeArmor host profile in %s", cfg.GlobalCfg.Host)
if err := kl.RunCommandAndWaitWithErr("aa-remove-unknown", []string{}); err != nil {
ae.Logger.Warnf("Unable to cleanup the KubeArmor host profile in %s", cfg.GlobalCfg.Host)

if err := os.Remove(appArmorHostFile); err != nil {
ae.Logger.Warnf("Unable to remove the KubeArmor host profile from %s (%s)", cfg.GlobalCfg.Host, err.Error())
if err := ae.CreateAppArmorHostProfile(); err != nil {
ae.Logger.Warnf("Unable to reset the KubeArmor host profile in %s", cfg.GlobalCfg.Host)

if err := os.Remove(appArmorHostFile); err != nil {
ae.Logger.Warnf("Unable to remove the KubeArmor host profile from %s (%s)", cfg.GlobalCfg.Host, err.Error())
}

return false
}

return false
}
if err := kl.RunCommandAndWaitWithErr("apparmor_parser", []string{"-r", "-W", "-C", appArmorHostFile}); err != nil {
ae.Logger.Warnf("Unable to reset the KubeArmor host profile in %s", cfg.GlobalCfg.Host)

if err := kl.RunCommandAndWaitWithErr("apparmor_parser", []string{"-r", "-W", "-C", appArmorHostFile}); err != nil {
ae.Logger.Warnf("Unable to reset the KubeArmor host profile in %s", cfg.GlobalCfg.Host)
if err := os.Remove(appArmorHostFile); err != nil {
ae.Logger.Warnf("Unable to remove the KubeArmor host profile from %s (%s)", cfg.GlobalCfg.Host, err.Error())
}

}

if err := os.Remove(appArmorHostFile); err != nil {
ae.Logger.Warnf("Unable to remove the KubeArmor host profile from %s (%s)", cfg.GlobalCfg.Host, err.Error())
return false
}

return false
}

if err := os.Remove(appArmorHostFile); err != nil {
ae.Logger.Warnf("Unable to remove the KubeArmor host profile from %s (%s)", cfg.GlobalCfg.Host, err.Error())
return false
}

ae.Logger.Printf("Unregistered the KubeArmor host profile from %s", cfg.GlobalCfg.Host)
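Review bot: The new `aa-remove-unknown` call at the start of the cleanup path is not scoped to KubeArmor: the tool unloads every kernel-loaded profile that has no file in the system profile directory, so on a shared host it can also strip profiles that a container runtime or another agent loaded at runtime, leaving those workloads unconfined after KubeArmor exits. Unloading only the host profile keeps the effect limited to what KubeArmor installed, for example `kl.RunCommandAndWaitWithErr("apparmor_parser", []string{"-R", appArmorHostFile})` run before the file is removed. The `Warnf` under the new call also drops `err`; append `(%s)` with `err.Error()` as the neighbouring `os.Remove` warnings do, so an operator can tell a missing binary from a failed unload. The +/- markers are lost on this page, so the nesting of the fallback branch is inferred, and the function body continues past the end of the hunk.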