add imagepinning support
Signed-off-by: rksharma95 <[email protected]>
rksharma95 committed Nov 5, 2024
1 parent de680fb commit fd94d6f
Showing 16 changed files with 311 additions and 223 deletions.
4 changes: 2 additions & 2 deletions deployments/helm/KubeArmor/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
appVersion: v1.4.0
appVersion: v1.4.1
description: A Helm chart for Kubearmor on Kubernetes
home: https://github.com/kubearmor/KubeArmor
icon: https://github.com/kubearmor/KubeArmor/blob/main/.gitbook/assets/logo.png?raw=true
name: kubearmor
type: application
version: v1.4.0
version: v1.4.1
Original file line number Diff line number Diff line change
Expand Up @@ -76,4 +76,17 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ .Values.kubearmorOperator.name }}
namespace: {{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Values.snitch.name }}-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Values.snitch.name }}
subjects:
- kind: ServiceAccount
name: {{ .Values.snitch.name }}
namespace: {{ .Release.Namespace }}
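--- a/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
+++ b/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
@@ -328,3 +328,16 @@ rules:
 - rolebindings
 verbs:
 - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: {{ .Values.snitch.name }}
+rules:
+- apiGroups:
+- ""
+resources:
+- nodes
+verbs:
+- get
+- patch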
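Review bot: The new ClusterRole grants `get` and `patch` on `nodes` cluster-wide, which is enough to rewrite labels, taints and annotations on every node, not only the one the snitch pod runs on; Kubernetes RBAC cannot narrow a `patch` on nodes to the local node, so the breadth is inherent, but nothing in the template records that it was considered. A short comment above the rule, e.g. `# snitch only labels the node it runs on; nodes/patch cannot be scoped per node in RBAC`, would tell the next reviewer why the rule is this wide. The snitch main.go section of this commit shows the patch payload is limited to `metadata.labels`, so the verb set matches current use; if that ever grows, this rule is the place to re-check.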
4 changes: 4 additions & 0 deletions deployments/helm/KubeArmorOperator/templates/helpers.tpl
Expand Up @@ -38,7 +38,11 @@
{{- end }}
- --rollbackOnFailure={{.Values.helm.rollbackOnFailure}}
- --skip-crd={{.Values.helm.skipCRD}}
{{- if .Values.imagePinning }}
- --snitchImage={{ printf "%s/%s:%s" .Values.oci_meta.repo .Values.oci_meta.images.kubearmorSnitch.image .Values.oci_meta.images.kubearmorSnitch.tag }}
{{- else }}
- --snitchImage={{ printf "%s:%s" .Values.snitch.image.repository (default .Chart.Version .Values.snitch.image.tag) }}
{{- end }}
- --snitchImagePullPolicy={{ .Values.snitch.imagePullPolicy }}
- --lsmOrder={{ .Values.snitch.lsmOrder }}
{{- end }}
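Review bot: The pinned branch on the first `--snitchImage=` line builds the reference as `repo/image:tag`, so "image pinning" still resolves a mutable tag at pull time rather than an immutable digest (`image@sha256:<digest>`), which is what a marketplace deployment usually wants pinning to mean. ParseImage in the common package of this same commit splits only on `:`, so a digest form would presumably not parse today either; if tag-level pinning is the intended scope, that limitation should be stated next to the `{{- if .Values.imagePinning }}` line, e.g. `{{- /* imagePinning fixes image and tag from oci_meta; it is not a digest pin */ }}`. The enclosing `define` block starts outside this hunk.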
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,10 @@ kind: ServiceAccount
metadata:
name: {{ .Values.kubearmorOperator.name }}
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.snitch.name }}
namespace: {{ .Release.Namespace }}

6 changes: 5 additions & 1 deletion deployments/helm/KubeArmorOperator/values.yaml
Expand Up @@ -3,7 +3,10 @@ autoDeploy: false
# operator will deploy pinned images for each application
imagePinning: false

# pinned images
# == pinned images ==
# solves very specific use-case of deploying KubeArmor
# on marketplaces, in-general kubearmorconfig is recommended
# to set image references
oci_meta:
repo: kubearmor
images:
Expand All @@ -30,6 +33,7 @@ oci_meta:
tag: v0.15.0

snitch:
name: kubearmor-snitch
image:
repository: kubearmor/kubearmor-snitch
tag: latest
Expand Down
2 changes: 1 addition & 1 deletion pkg/KubeArmorOperator/Dockerfile
Expand Up @@ -19,7 +19,7 @@ RUN go mod download
COPY api api
# COPY client client
COPY cmd cmd
COPY defaults/ defaults/
COPY common/ common/
COPY internal/controller/ internal/controller/
COPY internal/helm internal/helm
COPY internal/status internal/status
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,10 @@ package v1

import (
"strconv"
"strings"

"sigs.k8s.io/controller-runtime/pkg/conversion"

v2 "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/api/operator.kubearmor.com/v2"
"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/common"
"sigs.k8s.io/controller-runtime/pkg/conversion"
)

// ConvertTo converts this KubeArmorConfig to the Hub version (v2).
Expand All @@ -23,39 +22,39 @@ func (src *KubeArmorConfig) ConvertTo(dstRaw conversion.Hub) error {

// kubearmor image
if imageAndTag := src.Spec.KubeArmorImage.Image; imageAndTag != "" {
reg, repo, tag := parseImage(imageAndTag)
reg, repo, tag := common.ParseImage(imageAndTag)
dst.Spec.KubeArmor.Image.Registry = reg
dst.Spec.KubeArmor.Image.Repository = repo
dst.Spec.KubeArmor.Image.Tag = tag
}
dst.Spec.KubeArmor.ImagePullPolicy = v2.ImagePullPolicy(src.Spec.KubeArmorImage.ImagePullPolicy)
// kubearmor init image
if imageAndTag := src.Spec.KubeArmorInitImage.Image; imageAndTag != "" {
reg, repo, tag := parseImage(imageAndTag)
reg, repo, tag := common.ParseImage(imageAndTag)
dst.Spec.KubeArmorInit.Image.Registry = reg
dst.Spec.KubeArmorInit.Image.Repository = repo
dst.Spec.KubeArmorInit.Image.Tag = tag
}
dst.Spec.KubeArmorInit.ImagePullPolicy = v2.ImagePullPolicy(src.Spec.KubeArmorInitImage.ImagePullPolicy)
// kubearmor relay image
if imageAndTag := src.Spec.KubeArmorRelayImage.Image; imageAndTag != "" {
reg, repo, tag := parseImage(imageAndTag)
reg, repo, tag := common.ParseImage(imageAndTag)
dst.Spec.KubeArmorRelay.Image.Registry = reg
dst.Spec.KubeArmorRelay.Image.Repository = repo
dst.Spec.KubeArmorRelay.Image.Tag = tag
}
dst.Spec.KubeArmorRelay.ImagePullPolicy = v2.ImagePullPolicy(src.Spec.KubeArmorRelayImage.ImagePullPolicy)
// kubearmor controller image
if imageAndTag := src.Spec.KubeArmorControllerImage.Image; imageAndTag != "" {
reg, repo, tag := parseImage(imageAndTag)
reg, repo, tag := common.ParseImage(imageAndTag)
dst.Spec.KubeArmorController.Image.Registry = reg
dst.Spec.KubeArmorController.Image.Repository = repo
dst.Spec.KubeArmorController.Image.Tag = tag
}
dst.Spec.KubeArmorController.ImagePullPolicy = v2.ImagePullPolicy(src.Spec.KubeArmorControllerImage.ImagePullPolicy)
// kube rbac proxy image
if imageAndTag := src.Spec.KubeRbacProxyImage.Image; imageAndTag != "" {
reg, repo, tag := parseImage(imageAndTag)
reg, repo, tag := common.ParseImage(imageAndTag)
dst.Spec.KubeRbacProxy.Image.Registry = reg
dst.Spec.KubeRbacProxy.Image.Repository = repo
dst.Spec.KubeRbacProxy.Image.Tag = tag
Expand Down Expand Up @@ -118,49 +117,49 @@ func (dst *KubeArmorConfig) ConvertFrom(srcRaw conversion.Hub) error {
if img := src.Spec.KubeArmor.Image.Repository; img != "" {
tag := src.Spec.KubeArmor.Image.Tag
if reg := src.Spec.KubeArmor.Image.Registry; reg != "" {
dst.Spec.KubeArmorImage.Image = createImage(reg, img, tag)
dst.Spec.KubeArmorImage.Image = common.CreateImage(reg, img, tag)
} else {
dst.Spec.KubeArmorImage.Image = createImage(globalRegistry, img, tag)
dst.Spec.KubeArmorImage.Image = common.CreateImage(globalRegistry, img, tag)
}
}
dst.Spec.KubeArmorImage.ImagePullPolicy = string(src.Spec.KubeArmor.ImagePullPolicy)
// kubearmor init image
if img := src.Spec.KubeArmorInit.Image.Repository; img != "" {
tag := src.Spec.KubeArmorInit.Image.Tag
if reg := src.Spec.KubeArmorInit.Image.Registry; reg != "" {
dst.Spec.KubeArmorInitImage.Image = createImage(reg, img, tag)
dst.Spec.KubeArmorInitImage.Image = common.CreateImage(reg, img, tag)
} else {
dst.Spec.KubeArmorInitImage.Image = createImage(globalRegistry, img, tag)
dst.Spec.KubeArmorInitImage.Image = common.CreateImage(globalRegistry, img, tag)
}
}
dst.Spec.KubeArmorInitImage.ImagePullPolicy = string(src.Spec.KubeArmorInit.ImagePullPolicy)
// kubearmor relay image
if img := src.Spec.KubeArmorRelay.Image.Repository; img != "" {
tag := src.Spec.KubeArmorRelay.Image.Tag
if reg := src.Spec.KubeArmorRelay.Image.Registry; reg != "" {
dst.Spec.KubeArmorRelayImage.Image = createImage(reg, img, tag)
dst.Spec.KubeArmorRelayImage.Image = common.CreateImage(reg, img, tag)
} else {
dst.Spec.KubeArmorRelayImage.Image = createImage(globalRegistry, img, tag)
dst.Spec.KubeArmorRelayImage.Image = common.CreateImage(globalRegistry, img, tag)
}
}
dst.Spec.KubeArmorRelayImage.ImagePullPolicy = string(src.Spec.KubeArmorRelay.ImagePullPolicy)
// kubearmor controller image
if img := src.Spec.KubeArmorController.Image.Repository; img != "" {
tag := src.Spec.KubeArmorController.Image.Tag
if reg := src.Spec.KubeArmorController.Image.Registry; reg != "" {
dst.Spec.KubeArmorControllerImage.Image = createImage(reg, img, tag)
dst.Spec.KubeArmorControllerImage.Image = common.CreateImage(reg, img, tag)
} else {
dst.Spec.KubeArmorControllerImage.Image = createImage(globalRegistry, img, tag)
dst.Spec.KubeArmorControllerImage.Image = common.CreateImage(globalRegistry, img, tag)
}
}
dst.Spec.KubeArmorControllerImage.ImagePullPolicy = string(src.Spec.KubeArmorController.ImagePullPolicy)
// kube rbac proxy image
if img := src.Spec.KubeRbacProxy.Image.Repository; img != "" {
tag := src.Spec.KubeRbacProxy.Image.Tag
if reg := src.Spec.KubeRbacProxy.Image.Registry; reg != "" && !src.Spec.UseGlobalRegistryForVendorImages {
dst.Spec.KubeRbacProxyImage.Image = createImage(reg, img, tag)
dst.Spec.KubeRbacProxyImage.Image = common.CreateImage(reg, img, tag)
} else {
dst.Spec.KubeRbacProxyImage.Image = createImage(globalRegistry, img, tag)
dst.Spec.KubeRbacProxyImage.Image = common.CreateImage(globalRegistry, img, tag)
}
}
dst.Spec.KubeRbacProxyImage.ImagePullPolicy = string(src.Spec.KubeRbacProxy.ImagePullPolicy)
Expand Down Expand Up @@ -204,61 +203,3 @@ func (dst *KubeArmorConfig) ConvertFrom(srcRaw conversion.Hub) error {
dst.ObjectMeta = src.ObjectMeta
return nil
}

// parseImage parses a image string into registry, repository, and tag.
func parseImage(image string) (string, string, string) {
// Split the image string into parts
var registry, repo, tag string

// Split image by ':'
parts := strings.Split(image, ":")
if len(parts) > 2 {
// Invalid format if there are more than two parts
return "", "", ""
}

// Extract tag if present
if len(parts) == 2 {
tag = parts[1]
image = parts[0]
} else {
tag = ""
}

// Split image by '/'
imageParts := strings.Split(image, "/")

// Handle cases with multiple slashes
if len(imageParts) > 1 {
// The last part is the repository
repo = imageParts[len(imageParts)-1]

// The registry is everything before the last part
registry = strings.Join(imageParts[:len(imageParts)-1], "/")
} else {
// Handle case with no slashes (assume it is just a repository)
repo = imageParts[0]
registry = ""
}

// Return results
return registry, repo, tag
}

// createImage generates image string from registry, repository, and tag.
func createImage(registry, repo, tag string) string {
// Construct the image string
var imageBuilder strings.Builder

if registry != "" {
imageBuilder.WriteString(registry)
imageBuilder.WriteString("/")
}
imageBuilder.WriteString(repo)
if tag != "" {
imageBuilder.WriteString(":")
imageBuilder.WriteString(tag)
}

return imageBuilder.String()
}
20 changes: 10 additions & 10 deletions pkg/KubeArmorOperator/cmd/snitch-cmd/main.go
Expand Up @@ -11,7 +11,7 @@ import (
"os"
"strings"

"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/defaults"
"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/common"
"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/enforcer"
runtimepkg "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/runtime"
"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/seccomp"
Expand Down Expand Up @@ -127,18 +127,18 @@ func snitch() {

patchNode := metadata{}
patchNode.Metadata.Labels = map[string]string{}
patchNode.Metadata.Labels[defaults.RuntimeLabel] = runtime
patchNode.Metadata.Labels[defaults.SeccompLabel] = seccomp.CheckIfSeccompProfilePresent()
patchNode.Metadata.Labels[defaults.SocketLabel] = strings.ReplaceAll(socket[1:], "/", "_")
patchNode.Metadata.Labels[defaults.EnforcerLabel] = nodeEnforcer
patchNode.Metadata.Labels[defaults.RandLabel] = rand.String(4)
patchNode.Metadata.Labels[defaults.BTFLabel] = btfPresent
patchNode.Metadata.Labels[defaults.ApparmorFsLabel] = enforcer.CheckIfApparmorFsPresent(PathPrefix, *Logger)
patchNode.Metadata.Labels[common.RuntimeLabel] = runtime
patchNode.Metadata.Labels[common.SeccompLabel] = seccomp.CheckIfSeccompProfilePresent()
patchNode.Metadata.Labels[common.SocketLabel] = strings.ReplaceAll(socket[1:], "/", "_")
patchNode.Metadata.Labels[common.EnforcerLabel] = nodeEnforcer
patchNode.Metadata.Labels[common.RandLabel] = rand.String(4)
patchNode.Metadata.Labels[common.BTFLabel] = btfPresent
patchNode.Metadata.Labels[common.ApparmorFsLabel] = enforcer.CheckIfApparmorFsPresent(PathPrefix, *Logger)

if nodeEnforcer == "none" {
patchNode.Metadata.Labels[defaults.SecurityFsLabel] = "no"
patchNode.Metadata.Labels[common.SecurityFsLabel] = "no"
} else {
patchNode.Metadata.Labels[defaults.SecurityFsLabel] = enforcer.CheckIfSecurityFsPresent(PathPrefix, *Logger)
patchNode.Metadata.Labels[common.SecurityFsLabel] = enforcer.CheckIfSecurityFsPresent(PathPrefix, *Logger)
}

patch, err := json.Marshal(patchNode)
Expand Down
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright 2022 Authors of KubeArmor

package defaults
package common

import (
"crypto/sha256"
"encoding/hex"
"strings"

corev1 "k8s.io/api/core/v1"
)
Expand Down Expand Up @@ -74,3 +75,61 @@ var ContainerRuntimeSocketMap = map[string][]string{
"/run/crio/crio.sock",
},
}

// ParseImage parses a image string into registry, repository, and tag.
func ParseImage(image string) (string, string, string) {
// Split the image string into parts
var registry, repo, tag string

// Split image by ':'
parts := strings.Split(image, ":")
if len(parts) > 2 {
// Invalid format if there are more than two parts
return "", "", ""
}

// Extract tag if present
if len(parts) == 2 {
tag = parts[1]
image = parts[0]
} else {
tag = ""
}

// Split image by '/'
imageParts := strings.Split(image, "/")

// Handle cases with multiple slashes
if len(imageParts) > 1 {
// The last part is the repository
repo = imageParts[len(imageParts)-1]

// The registry is everything before the last part
registry = strings.Join(imageParts[:len(imageParts)-1], "/")
} else {
// Handle case with no slashes (assume it is just a repository)
repo = imageParts[0]
registry = ""
}

// Return results
return registry, repo, tag
}

// CreateImage generates image string from registry, repository, and tag.
func CreateImage(registry, repo, tag string) string {
// Construct the image string
var imageBuilder strings.Builder

if registry != "" {
imageBuilder.WriteString(registry)
imageBuilder.WriteString("/")
}
imageBuilder.WriteString(repo)
if tag != "" {
imageBuilder.WriteString(":")
imageBuilder.WriteString(tag)
}

return imageBuilder.String()
}
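Review bot: ParseImage rejects any reference whose registry carries a port, because the `strings.Split(image, ":")` at the top of the function sees the second ':' in `registry.example.com:5000/repo:tag` as a format error and returns three empty strings; the callers in the ConvertTo hunk of the v1 conversion file then write those empties into Registry, Repository and Tag, silently dropping the configured image. Taking the tag only from a ':' that lies after the last '/' fixes the port case and leaves every currently accepted input with the same result. Digest references (`repo@sha256:…`) are still not understood by either ParseImage or CreateImage; if that is intended, the doc comment should say so, e.g. `// ParseImage parses a tag-based image reference; digest (@sha256) references are not supported.`. Both functions are moved here from the v1 conversion file rather than newly written, but the new side is what is under review.
```go
func ParseImage(image string) (string, string, string) {
	var registry, repo, tag string

	// Take the tag from the last ':' only when it comes after the last '/',
	// so a registry port (host:5000/repo) is not mistaken for a tag.
	if i := strings.LastIndex(image, ":"); i > strings.LastIndex(image, "/") {
		tag = image[i+1:]
		image = image[:i]
	}

	// … unchanged: split on '/' into registry and repository, return …
```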