From a64b744b50ee9021e35caa2d91559153a6840318 Mon Sep 17 00:00:00 2001 From: daemon1024 Date: Tue, 21 May 2024 23:58:19 +0530 Subject: [PATCH] fix(probe): directly ftech kubearmor pods from k8s api instead of listing nodes this approach fixes panic in case kubearmor is not running on a node for some reason Signed-off-by: daemon1024 --- go.sum | 4 ---- probe/probe.go | 36 +++++++++++++++------------------ profile/Client/profileClient.go | 2 +- 3 files changed, 17 insertions(+), 25 deletions(-) diff --git a/go.sum b/go.sum index 4fcffabf..a719ba14 100644 --- a/go.sum +++ b/go.sum @@ -109,8 +109,6 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/DATA-DOG/go-sqlmock v1.5.1 h1:FK6RCIUSfmbnI/imIICmboyQBkOckutaa6R5YYlLZyo= -github.com/DATA-DOG/go-sqlmock v1.5.1/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= @@ -2259,8 +2257,6 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.14.2 h1:V71fv+NGZv0icBlr+in1MJXuUIHCiPG1hW9gEBISTIA= -helm.sh/helm/v3 v3.14.2/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424= helm.sh/helm/v3 v3.14.3 h1:HmvRJlwyyt9HjgmAuxHbHv3PhMz9ir/XNWHyXfmnOP4= helm.sh/helm/v3 v3.14.3/go.mod h1:v6myVbyseSBJTzhmeE39UcPLNv6cQK6qss3dvgAySaE= honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/probe/probe.go b/probe/probe.go index 8482007d..a881f40a 100644 --- a/probe/probe.go +++ b/probe/probe.go @@ -422,7 +422,8 @@ func getKubeArmorDaemonset(c *k8s.Client, o Options) (bool, *Status) { return false, nil } desired, ready, available := w.Items[0].Status.DesiredNumberScheduled, w.Items[0].Status.NumberReady, w.Items[0].Status.NumberAvailable - if desired != ready && desired != available { + if desired != ready && desired != available && ready == 0 { + // set kubearmor to not running only if there are 0 ready pods return false, nil } DaemonSetStatus := Status{ @@ -487,21 +488,23 @@ func getKubeArmorContainers(c *k8s.Client, o Options) map[string]*KubeArmorPodSp // ProbeRunningKubeArmorNodes extracts data from running KubeArmor daemonset by executing into the container and reading /tmp/kubearmor.cfg func ProbeRunningKubeArmorNodes(c *k8s.Client, o Options) ([]KubeArmorProbeData, map[string]KubeArmorProbeData, error) { // KubeArmor Nodes - nodes, err := c.K8sClientset.CoreV1().Nodes().List(context.Background(), metav1.ListOptions{}) - if err != nil { - return []KubeArmorProbeData{}, nil, fmt.Errorf("error occured when getting nodes %s", err.Error()) - } + pods, err := c.K8sClientset.CoreV1().Pods("").List(context.Background(), metav1.ListOptions{ + LabelSelector: "kubearmor-app=kubearmor", + }) - if len(nodes.Items) == 0 { + if err != nil || len(pods.Items) == 0 { return []KubeArmorProbeData{}, nil, fmt.Errorf("no nodes found") } nodeData := make(map[string]KubeArmorProbeData) var dataList []KubeArmorProbeData - for i, item := range nodes.Items { - data, err := readDataFromKubeArmor(c, o, item.Name) + for i, item := range pods.Items { + if item.Status.Phase != corev1.PodRunning { + continue + } + data, err := readDataFromKubeArmor(c, item) if err != nil { - return []KubeArmorProbeData{}, nil, err + continue } dataList = append(dataList, data) nodeData["Node"+strconv.Itoa(i+1)] = data @@ -510,25 +513,18 @@ func ProbeRunningKubeArmorNodes(c *k8s.Client, o Options) ([]KubeArmorProbeData, return dataList, nodeData, nil } -func readDataFromKubeArmor(c *k8s.Client, o Options, nodeName string) (KubeArmorProbeData, error) { +func readDataFromKubeArmor(c *k8s.Client, pod corev1.Pod) (KubeArmorProbeData, error) { srcPath := "/tmp/karmorProbeData.cfg" - pods, err := c.K8sClientset.CoreV1().Pods("").List(context.Background(), metav1.ListOptions{ - LabelSelector: "kubearmor-app=kubearmor", - FieldSelector: "spec.nodeName=" + nodeName, - }) - if err != nil || pods == nil || len(pods.Items) == 0 { - return KubeArmorProbeData{}, fmt.Errorf("error occured while getting KubeArmor pods %s", err.Error()) - } reader, outStream := io.Pipe() cmdArr := []string{"cat", srcPath} req := c.K8sClientset.CoreV1().RESTClient(). Get(). - Namespace(pods.Items[0].Namespace). + Namespace(pod.Namespace). Resource("pods"). - Name(pods.Items[0].Name). + Name(pod.Name). SubResource("exec"). VersionedParams(&corev1.PodExecOptions{ - Container: pods.Items[0].Spec.Containers[0].Name, + Container: pod.Spec.Containers[0].Name, Command: cmdArr, Stdin: false, Stdout: true, diff --git a/profile/Client/profileClient.go b/profile/Client/profileClient.go index 4091e2c3..a0395249 100644 --- a/profile/Client/profileClient.go +++ b/profile/Client/profileClient.go @@ -386,7 +386,7 @@ func convertToJSON(Operation string, data []Profile) { } if len(jsonArray) > 0 { filepath := "Profile_Summary/" - err := os.MkdirAll(filepath, os.ModePerm) + err := os.MkdirAll(filepath, 0600) err = os.WriteFile(filepath+Operation+".json", []byte(jsonArray[0]), 0600) if err != nil { panic(err)