seperate snitch from the operator

Signed-off-by: rksharma95 <[email protected]>
rksharma95 · Sep 14, 2023 · 86a581a · 86a581a
1 parent 3bf3123
commit 86a581a
Show file tree

Hide file tree

Showing 16 changed files with 194 additions and 113 deletions.
diff --git a/.github/workflows/ci-operator-release.yaml b/.github/workflows/ci-operator-release.yaml
@@ -4,18 +4,24 @@ on:
   push:
     branches:
       - "main"
+      - "v*"
     paths:
       # release on any dependency change
       - "pkg/**"
       - "deployments/get/**"
       - "KubeArmor/utils/**"
+  create:
+    branches:
+      - "v*"
+
 
 env:
   PLATFORM: linux/amd64,linux/arm64/v8
 
 jobs:
   kubearmor-operator-release:
     name: Build & Push KubeArmor Operator
+    if: github.repository == 'kubearmor/kubearmor'
     defaults:
       run:
         working-directory: ./pkg/KubeArmorOperator
@@ -41,6 +47,41 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_AUTHTOK }}
+
+      - name: Get Tag
+        id: vars
+        run: |
+          if [ ${{ github.ref }} == "refs/heads/main" ]; then
+            echo "tag=latest" >> $GITHUB_OUTPUT
+            echo "stable=false" >> $GITHUB_OUTPUT
+          else
+            echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+            value=`cat STABLE-RELEASE`
+            if [ ${{ github.ref }} == "refs/heads/$value" ]; then
+              echo "stable=true" >> $GITHUB_OUTPUT
+            else
+              echo "stable=false" >> $GITHUB_OUTPUT
+            fi
+          fi
 
       - name: Build & Push KubeArmor Operator
-        run: PLATFORM=$PLATFORM make docker-buildx TAG=latest
+        if:  ${{ github.ref }} == 'refs/heads/main' && ${{ steps.vars.outputs.stable }} == 'false'
+        run: PLATFORM=$PLATFORM make docker-buildx TAG=${{ steps.vars.outputs.tag }} 
+
+      - name: Install regctl
+        if: steps.vars.outputs.stable == 'true'
+        run: |
+          curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >regctl
+          chmod 755 regctl
+          mv regctl /usr/local/bin
+  
+      - name: Check install
+        if: steps.vars.outputs.stable == 'true'
+        run: regctl version
+
+      - name: Generate the stable version of KubeArmor in Docker Hub
+        if: steps.vars.outputs.stable == 'true'
+        run: |
+          STABLE_VERSION=`cat STABLE-RELEASE`
+          regctl image copy kubearmor/kubearmor-operator:$STABLE_VERSION kubearmor/kubearmor-operator:stable --digest-tags
+          regctl image copy kubearmor/kubearmor-snitch:$STABLE_VERSION kubearmor/kubearmor-snitch:stable --digest-tags
diff --git a/.github/workflows/ci-stable-release.yml b/.github/workflows/ci-stable-release.yml
@@ -37,6 +37,8 @@ jobs:
           regctl image copy kubearmor/kubearmor:$STABLE_VERSION kubearmor/kubearmor:stable --digest-tags
           regctl image copy kubearmor/kubearmor-ubi:$STABLE_VERSION kubearmor/kubearmor-ubi:stable --digest-tags
           regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION kubearmor/kubearmor-controller:stable --digest-tags
+          regctl image copy kubearmor/kubearmor-operator:$STABLE_VERSION kubearmor/kubearmor-operator:stable --digest-tags
+          regctl image copy kubearmor/kubearmor-snitch:$STABLE_VERSION kubearmor/kubearmor-snitch:stable --digest-tags
 
   update-helm-chart:
     name: Update KubeArmor Helm chart version

diff --git a/.github/workflows/ci-test-ginkgo.yml b/.github/workflows/ci-test-ginkgo.yml
@@ -66,11 +66,13 @@ jobs:
             docker save kubearmor/kubearmor-init:latest | sudo k3s ctr images import -
             docker save kubearmor/kubearmor:latest | sudo k3s ctr images import -
             docker save kubearmor/kubearmor-operator:latest | sudo k3s ctr images import -
+            docker save kubearmor/kubearmor-snitch:latest | sudo k3s ctr images import -
           else
             if [ ${{ matrix.runtime }} == "crio" ]; then
               sudo podman pull docker-daemon:kubearmor/kubearmor-init:latest
               sudo podman pull docker-daemon:kubearmor/kubearmor:latest
               sudo podman pull docker-daemon:kubearmor/kubearmor-operator:latest
+              sudo podman pull docker-daemon:kubearmor/kubearmor-snitch:latest
             fi
           fi
           helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kube-system

diff --git a/.github/workflows/test-operator-ci.yml b/.github/workflows/test-operator-ci.yml
@@ -0,0 +1,87 @@
+name: ci-release-operator
+
+on:
+  push:
+    branches:
+      - "feat-snitch-image"
+      - "v*"
+    paths:
+      # release on any dependency change
+      - "pkg/**"
+      - "deployments/get/**"
+      - "KubeArmor/utils/**"
+  create:
+    branches:
+      - "v*"
+
+
+env:
+  PLATFORM: linux/amd64,linux/arm64/v8
+
+jobs:
+  kubearmor-operator-release:
+    name: Build & Push KubeArmor Operator
+    if: github.repository == 'rksharma95/kubearmor'
+    defaults:
+      run:
+        working-directory: ./pkg/KubeArmorOperator
+    runs-on: ubuntu-20.04
+    timeout-minutes: 60
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "v1.20"
+
+      - uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          platforms: linux/amd64,linux/arm64/v8
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_AUTHTOK }}
+
+      - name: Get Tag
+        id: vars
+        run: |
+          if [ ${{ github.ref }} == "refs/heads/feat-snitch-image" ]; then
+            echo "tag=latest" >> $GITHUB_OUTPUT
+            echo "stable=false" >> $GITHUB_OUTPUT
+          else
+            echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+            value=`cat STABLE-RELEASE`
+            if [ ${{ github.ref }} == "refs/heads/$value" ]; then
+              echo "stable=true" >> $GITHUB_OUTPUT
+            else
+              echo "stable=false" >> $GITHUB_OUTPUT
+            fi
+          fi
+
+      - name: Build & Push KubeArmor Operator
+        if:  ${{ github.ref }} == 'refs/heads/feat-snitch-image' && ${{ steps.vars.outputs.stable }} == 'false'
+        run: PLATFORM=$PLATFORM make docker-buildx TAG=${{ steps.vars.outputs.tag }} 
+
+      - name: Install regctl
+        if: steps.vars.outputs.stable == 'true'
+        run: |
+          curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >regctl
+          chmod 755 regctl
+          mv regctl /usr/local/bin
+  
+      - name: Check install
+        if: steps.vars.outputs.stable == 'true'
+        run: regctl version
+
+      - name: Generate the stable version of KubeArmor in Docker Hub
+        if: steps.vars.outputs.stable == 'true'
+        run: |
+          STABLE_VERSION=`cat STABLE-RELEASE`
+          regctl image copy kubearmor/kubearmor-operator:$STABLE_VERSION kubearmor/kubearmor-operator:stable --digest-tags
+          regctl image copy kubearmor/kubearmor-snitch:$STABLE_VERSION kubearmor/kubearmor-snitch:stable --digest-tags
diff --git a/deployments/helm/KubeArmorOperator/templates/deployment.yaml b/deployments/helm/KubeArmorOperator/templates/deployment.yaml
@@ -15,9 +15,6 @@ spec:
         kubearmor-app: {{ .Values.kubearmorOperator.name }}
     spec:
       containers:
-      - command:
-        - /operator
-        - kubearmor-operator
         env:
         - name: KUBEARMOR_OPERATOR_NS
           valueFrom:
@@ -26,8 +23,4 @@ spec:
         image: {{ printf "%s:%s" .Values.kubearmorOperator.image.repository .Values.kubearmorOperator.image.tag}}
         imagePullPolicy: {{ .Values.kubearmorOperator.imagePullPolicy }}
         name: {{ .Values.kubearmorOperator.name }}
-        securityContext:
-          capabilities:
-          {{- toYaml .Values.kubearmorOperator.capabilities | trim | nindent 12 }}
-          privileged: false
       serviceAccountName: {{ .Values.kubearmorOperator.name }}
diff --git a/deployments/helm/KubeArmorOperator/values.yaml b/deployments/helm/KubeArmorOperator/values.yaml
@@ -3,13 +3,4 @@ kubearmorOperator:
   image:
     repository: kubearmor/kubearmor-operator
     tag: latest
-  imagePullPolicy: IfNotPresent
-  capabilities:
-    add:
-    - SYS_ADMIN
-    - SYS_RESOURCE
-    - IPC_LOCK
-    - CAP_DAC_OVERRIDE
-    - CAP_DAC_READ_SEARCH
-    drop:
-    - ALL
+  imagePullPolicy: IfNotPresent
diff --git a/deployments/operator/operator.yaml b/deployments/operator/operator.yaml
@@ -422,26 +422,12 @@ spec:
         kubearmor-app: kubearmor-operator
     spec:
       containers:
-      - command:
-        - /operator
-        - kubearmor-operator
-        env:
+      - env:
         - name: KUBEARMOR_OPERATOR_NS
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
         image: kubearmor/kubearmor-operator:latest
         imagePullPolicy: IfNotPresent
         name: operator
-        securityContext:
-          capabilities:
-            add:
-            - SYS_ADMIN
-            - SYS_RESOURCE
-            - IPC_LOCK
-            - DAC_OVERRIDE
-            - DAC_READ_SEARCH
-            drop:
-            - ALL
-          privileged: false
       serviceAccountName: kubearmor-operator
diff --git a/pkg/KubeArmorOperator/Dockerfile b/pkg/KubeArmorOperator/Dockerfile
@@ -35,9 +35,10 @@ COPY $OPERATOR_DIR/k8s k8s
 COPY $OPERATOR_DIR/runtime runtime
 
 # Build
-RUN CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} GO111MODULE=on go build -a -o operator cmd/main.go
+RUN CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} GO111MODULE=on go build -a -o operator cmd/operator/main.go
+RUN CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} GO111MODULE=on go build -a -o snitch cmd/snitch-cmd/main.go
 
-FROM redhat/ubi9-minimal
+FROM redhat/ubi9-minimal as operator
 
 ARG VERSION=latest
 
@@ -58,8 +59,24 @@ RUN groupadd --gid 1000 default \
 ARG OPERATOR_DIR=pkg/KubeArmorOperator
 COPY --from=builder --chown=1000:1000 /KubeArmor/$OPERATOR_DIR/operator /operator
 COPY LICENSE /licenses/license.txt
-RUN setcap "cap_sys_admin=+ep cap_ipc_lock=+ep cap_sys_resource=+ep cap_dac_override=+ep cap_dac_read_search=+ep" /operator
 
 USER 1000
 
-ENTRYPOINT ["/operator"]
+ENTRYPOINT ["/operator"]
+
+FROM redhat/ubi9-minimal as snitch
+
+ARG VERSION=latest
+
+LABEL name="kubearmor-snitch" \
+      vendor="Accuknox" \
+      version=${VERSION} \
+      release=${VERSION} \
+      summary="kubearmor-snitch container image based on redhat ubi" \
+      description="KubeArmor-Snitch, A CLI Utility to Detect node related informations for KubeArmor"
+
+ARG OPERATOR_DIR=pkg/KubeArmorOperator
+COPY --from=builder --chown=1000:1000 /KubeArmor/$OPERATOR_DIR/snitch /snitch
+COPY LICENSE /licenses/license.txt
+
+ENTRYPOINT ["/snitch"]
diff --git a/pkg/KubeArmorOperator/Makefile b/pkg/KubeArmorOperator/Makefile
@@ -7,7 +7,8 @@ CHARTDIR  := $(realpath $(DEPLOYDIR)/helm/KubeArmorOperator)
 CRDDIR    := $(realpath $(CHARTDIR)/crds)
 
 # Image URL to use all building/pushing image targets
-IMG ?= kubearmor/kubearmor-operator
+OPERATOR_IMG ?= kubearmor/kubearmor-operator
+SNITCH_IMG ?= kubearmor/kubearmor-snitch
 # Image Tag to use all building/pushing image targets
 TAG ?= v0.1
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
@@ -65,25 +66,28 @@ tidy:
 
 .PHONY: kubearmor-operator
 kubearmor-operator: get
-	go build -o kubearmor-operator cmd/main.go
+	go build -o kubearmor-operator cmd/operator/main.go
 
 .PHONY: snitch
 snitch: get
-	go build -o snitch cmd/main.go
+	go build -o snitch cmd/snitch-cmd/main.go
 
 .PHONY: build
 build: snitch kubearmor-operator
 
 .PHONY: docker-build
 docker-build: ## Build docker image with the manager.
-	docker build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} -f ./Dockerfile ../../
+	docker build -t ${OPERATOR_IMG}:${TAG} -t ${OPERATOR_IMG}:latest --build-arg VERSION=${TAG} --target operator -f ./Dockerfile ../../
+	docker build -t ${SNITCH_IMG}:${TAG} -t ${SNITCH_IMG}:latest --build-arg VERSION=${TAG} --target snitch -f ./Dockerfile ../../
 
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
-	docker push ${IMG}:${TAG}
+	docker push ${OPERATOR_IMG}:${TAG}
+	docker push ${SNITCH_IMG}:${TAG}
 
 docker-buildx:
-	docker buildx build --platform ${PLATFORM} --build-arg VERSION=${TAG} --push -t ${IMG}:${TAG} -f ./Dockerfile ../../
+	docker buildx build --platform ${PLATFORM} --build-arg VERSION=${TAG} --push --target operator -t ${OPERATOR_IMG}:${TAG} -f ./Dockerfile ../../
+	docker buildx build --platform ${PLATFORM} --build-arg VERSION=${TAG} --push --target snitch -t ${SNITCH_IMG}:${TAG} -f ./Dockerfile ../../
 
 KUSTOMIZE = /usr/local/bin/kustomize
 .PHONY: kustomize

diff --git a/pkg/KubeArmorOperator/cmd/main.go b/pkg/KubeArmorOperator/cmd/main.go
diff --git a/pkg/KubeArmorOperator/cmd/operator/root.go → pkg/KubeArmorOperator/cmd/operator/main.go b/pkg/KubeArmorOperator/cmd/operator/root.go → pkg/KubeArmorOperator/cmd/operator/main.go
@@ -2,7 +2,7 @@
 // Copyright 2021 Authors of KubeArmor
 
 // Package cmd is the collection of all the subcommands available in kArmor while providing relevant options for the same
-package operator
+package main
 
 import (
 	"errors"
@@ -76,3 +76,7 @@ func init() {
 func Execute() {
 	cobra.CheckErr(Cmd.Execute())
 }
+
+func main() {
+	Execute()
+}