
extending filtering options for karmor #40

Open
4 of 7 tasks
nyrahul opened this issue Jan 26, 2022 · 4 comments

Labels: enhancement (New feature or request)

Comments

@nyrahul
Contributor

nyrahul commented Jan 26, 2022

The following filtering options are needed with karmor:

  • --since=1h
  • --namespace=default
  • --log=hostlog/containerlog
  • --operation=process/file/network
  • --limit=n ... where n is a positive integer
  • use regex for filtering the data wherever strings are applicable
  • using label filters (-l | --selector): E.g. karmor log --logFilter all --json --selector "app: checkoutservice,name=xyz" --selector "app: emailservice" ... Check if we can use the regex filters as well.

Sample:

karmor log --namespace "explorer\|default"
karmor log --namespace "expl.*"

Syntax should be similar to k8s kubectl syntax wherever applicable.

Label filter

karmor log --logFilter all --json --selector "app: checkoutservice,name=xyz" --selector "app: emailservice"
If multiple --selector | -l options are present, they should be considered as an OR clause.

@nyrahul nyrahul added the good first issue Good for newcomers label Jan 26, 2022
@nyrahul nyrahul changed the title filtering options for karmor extending filtering options for karmor Jan 27, 2022
@skant7

skant7 commented Feb 3, 2022

Hi @nyrahul, I was going through the existing code and it seems that some commands like log exist as a command with the root cmd being karmor, so the complete command looks like karmor log --logPath=stdout. So do we need to get the mentioned filters integrated as flags to the root karmor command?
If so, the final cmd looks something like karmor --since=1h --namespace=default --log=hostlog/container
Please correct me if I am wrong.

@nyrahul
Contributor Author

nyrahul commented Feb 4, 2022

> Hi @nyrahul, I was going through the existing code and it seems that some commands like log exist as a command with the root cmd being karmor, so the complete command looks like karmor log --logPath=stdout. So do we need to get the mentioned filters integrated as flags to the root karmor command? If so, the final cmd looks something like karmor --since=1h --namespace=default --log=hostlog/container. Please correct me if I am wrong.

Handling --namespace and other filters is much easier.
Handling since is tricky because we do not have historic logs pulled by karmor. Karmor pulls just the instantaneous logs.
Handling since might involve some code changes on the base kubearmor code too.

In general, the task at hand is to enable filtering options based on json fields supported and pass this filtering option to the server so that they can be filtered on the kubearmor server itself. (This also means code changes in the base kubearmor code).

(This seems to be a good point to discuss during our next community call.)

Attaching sample telemetry herewith:

{
  "Timestamp": 1643954983,
  "UpdatedTime": "2022-02-04T06:09:43.832838Z",
  "ClusterName": "default",
  "HostName": "ubuntu2004-vagrants",
  "NamespaceName": "explorer",
  "PodName": "mysql-0",
  "ContainerID": "bddbbdb1c00c2092d8b47f3284624cc22e678934d026f300780ee282979e7094",
  "ContainerName": "mysql",
  "HostPID": 934399,
  "PPID": 934391,
  "PID": 177937,
  "UID": 1001,
  "Type": "ContainerLog",
  "Source": "/opt/bitnami/mysql/bin/mysqladmin status -uroot -ppassword",
  "Operation": "File",
  "Resource": "/lib/x86_64-linux-gnu/libnss_files-2.28.so",
  "Data": "syscall=SYS_OPENAT fd=-100 flags=/lib/x86_64-linux-gnu/libnss_files.so.2",
  "Result": "Passed"
}
{
  "Timestamp": 1643954983,
  "UpdatedTime": "2022-02-04T06:09:43.832856Z",
  "ClusterName": "default",
  "HostName": "ubuntu2004-vagrants",
  "NamespaceName": "explorer",
  "PodName": "mysql-0",
  "ContainerID": "bddbbdb1c00c2092d8b47f3284624cc22e678934d026f300780ee282979e7094",
  "ContainerName": "mysql",
  "HostPID": 934399,
  "PPID": 934391,
  "PID": 177937,
  "UID": 1001,
  "Type": "ContainerLog",
  "Source": "/opt/bitnami/mysql/bin/mysqladmin status -uroot -ppassword",
  "Operation": "File",
  "Resource": "/opt/bitnami/mysql/conf/my.cnf",
  "Data": "syscall=SYS_OPENAT fd=-100 flags=/opt/bitnami/mysql/conf/my.cnf",
  "Result": "Passed"
}
{
  "Timestamp": 1643954983,
  "UpdatedTime": "2022-02-04T06:09:43.832878Z",
  "ClusterName": "default",
  "HostName": "ubuntu2004-vagrants",
  "NamespaceName": "explorer",
  "PodName": "mysql-0",
  "ContainerID": "bddbbdb1c00c2092d8b47f3284624cc22e678934d026f300780ee282979e7094",
  "ContainerName": "mysql",
  "HostPID": 934399,
  "PPID": 934391,
  "PID": 177937,
  "UID": 1001,
  "Type": "ContainerLog",
  "Source": "/opt/bitnami/mysql/bin/mysqladmin status -uroot -ppassword",
  "Operation": "Network",
  "Resource": "domain=AF_UNIX type=SOCK_STREAM protocol=0",
  "Data": "syscall=SYS_SOCKET",
  "Result": "Passed"
}
{
  "Timestamp": 1643954983,
  "UpdatedTime": "2022-02-04T06:09:43.832901Z",
  "ClusterName": "default",
  "HostName": "ubuntu2004-vagrants",
  "NamespaceName": "explorer",
  "PodName": "mysql-0",
  "ContainerID": "bddbbdb1c00c2092d8b47f3284624cc22e678934d026f300780ee282979e7094",
  "ContainerName": "mysql",
  "HostPID": 934399,
  "PPID": 934391,
  "PID": 177937,
  "UID": 1001,
  "Type": "ContainerLog",
  "Source": "/opt/bitnami/mysql/bin/mysqladmin status -uroot -ppassword",
  "Operation": "Network",
  "Resource": "sa_family=AF_UNIX sun_path=/opt/bitnami/mysql/tmp/mysql.sock",
  "Data": "syscall=SYS_CONNECT fd=3",
  "Result": "Passed"
}
{
  "Timestamp": 1643954983,
  "UpdatedTime": "2022-02-04T06:09:43.832925Z",
  "ClusterName": "default",
  "HostName": "ubuntu2004-vagrants",
  "NamespaceName": "explorer",
  "PodName": "mysql-0",
  "ContainerID": "bddbbdb1c00c2092d8b47f3284624cc22e678934d026f300780ee282979e7094",
  "ContainerName": "mysql",
  "HostPID": 45821,
  "PPID": 45667,
  "PID": 1,
  "UID": 1001,
  "Type": "ContainerLog",
  "Source": "mysqld",
  "Operation": "Network",
  "Resource": "sa_family=AF_UNIX sun_path=\n",
  "Data": "syscall=SYS_ACCEPT fd=25",
  "Result": "Passed"
}
{
  "Timestamp": 1643954987,
  "UpdatedTime": "2022-02-04T06:09:47.006139Z",
  "ClusterName": "default",
  "HostName": "ubuntu2004-vagrants",
  "NamespaceName": "explorer",
  "PodName": "knoxautopolicy-684854b4f4-s7vxm",
  "ContainerID": "47143ff0f01752aec2d98d376cbee668e365de4a37629fa83876397614bf4ce2",
  "ContainerName": "knoxautopolicy",
  "HostPID": 48560,
  "PPID": 48478,
  "PID": 1,
  "Type": "ContainerLog",
  "Source": "knoxAutoPolicy",
  "Operation": "File",
  "Resource": "/run/secrets/kubernetes.io/serviceaccount/..2022_02_04_05_24_40.153181384/token",
  "Data": "syscall=SYS_OPENAT fd=-100 flags=/var/run/secrets/kubernetes.io/serviceaccount/token",
  "Result": "Passed"
}

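As an added example (not karmor's or KubeArmor's own code), the Go sketch below evaluates the filters requested in this issue client-side over records shaped like the telemetry above: --namespace as a regex, --log and --operation as case-insensitive matches, and --selector with OR across flags and AND within one flag, accepting both the "k=v" and the "k: v" forms used in the issue. The Telemetry and LogFilter types, and the Labels field with its "k=v,k=v" format, are assumptions for this example.

```go
package main

import (
	"regexp"
	"strings"
)

// Telemetry: subset of KubeArmor log fields; Labels ("k=v,k=v") is assumed.
type Telemetry struct {
	NamespaceName, Type, Operation, Labels string
}

// LogFilter mirrors the issue's flags (hypothetical type, not karmor's own).
type LogFilter struct {
	Namespace          *regexp.Regexp      // --namespace, matched as a regex
	LogType, Operation string              // --log / --operation; "" = any
	Selectors          []map[string]string // --selector: OR across, AND within
}

// ParseSelector accepts comma-separated "k=v" or kubectl-like "k: v" pairs.
func ParseSelector(s string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(s, ",") {
		k, v, _ := strings.Cut(strings.Replace(kv, ":", "=", 1), "=")
		out[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return out
}

// want treats an unset flag as a wildcard and compares case-insensitively.
func want(w, got string) bool { return w == "" || strings.EqualFold(w, got) }

// Match reports whether every set filter accepts t.
func (f LogFilter) Match(t Telemetry) bool {
	if (f.Namespace != nil && !f.Namespace.MatchString(t.NamespaceName)) ||
		!want(f.LogType, t.Type) || !want(f.Operation, t.Operation) {
		return false
	}
	have := ParseSelector(t.Labels)
next:
	for _, sel := range f.Selectors { // OR across --selector flags
		for k, v := range sel { // AND within one selector
			if have[k] != v {
				continue next
			}
		}
		return true
	}
	return len(f.Selectors) == 0
}
```

As nyrahul notes above, --since needs server-side support in KubeArmor, so it is left out here; --limit is just a counter in the loop that consumes the stream.
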
@slayer321
Contributor

/assign

@nyrahul nyrahul added enhancement New feature or request and removed good first issue Good for newcomers labels Apr 6, 2022
@daemon1024
Member

Hey @slayer321, there's a pull request in KubeArmor, kubearmor/KubeArmor#683, to support a Labels field in telemetry. This should ease things out implementing the labels filter here. Wdyt?
