fix(probe): directly ftech kubearmor pods from k8s api instead of lis…

…ting nodes this approach fixes panic in case kubearmor is not running on a node for some reason Signed-off-by: daemon1024 <[email protected]>
kubearmor · May 27, 2024 · a64b744 · a64b744
1 parent 80ceb6a
commit a64b744
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 25 deletions.
diff --git a/go.sum b/go.sum
@@ -109,8 +109,6 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/DATA-DOG/go-sqlmock v1.5.1 h1:FK6RCIUSfmbnI/imIICmboyQBkOckutaa6R5YYlLZyo=
-github.com/DATA-DOG/go-sqlmock v1.5.1/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU=
 github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU=
 github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
@@ -2259,8 +2257,6 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-helm.sh/helm/v3 v3.14.2 h1:V71fv+NGZv0icBlr+in1MJXuUIHCiPG1hW9gEBISTIA=
-helm.sh/helm/v3 v3.14.2/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424=
 helm.sh/helm/v3 v3.14.3 h1:HmvRJlwyyt9HjgmAuxHbHv3PhMz9ir/XNWHyXfmnOP4=
 helm.sh/helm/v3 v3.14.3/go.mod h1:v6myVbyseSBJTzhmeE39UcPLNv6cQK6qss3dvgAySaE=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

diff --git a/probe/probe.go b/probe/probe.go
@@ -422,7 +422,8 @@ func getKubeArmorDaemonset(c *k8s.Client, o Options) (bool, *Status) {
 		return false, nil
 	}
 	desired, ready, available := w.Items[0].Status.DesiredNumberScheduled, w.Items[0].Status.NumberReady, w.Items[0].Status.NumberAvailable
-	if desired != ready && desired != available {
+	if desired != ready && desired != available && ready == 0 {
+		// set kubearmor to not running only if there are 0 ready pods
 		return false, nil
 	}
 	DaemonSetStatus := Status{
@@ -487,21 +488,23 @@ func getKubeArmorContainers(c *k8s.Client, o Options) map[string]*KubeArmorPodSp
 // ProbeRunningKubeArmorNodes extracts data from running KubeArmor daemonset  by executing into the container and reading /tmp/kubearmor.cfg
 func ProbeRunningKubeArmorNodes(c *k8s.Client, o Options) ([]KubeArmorProbeData, map[string]KubeArmorProbeData, error) {
 	// KubeArmor Nodes
-	nodes, err := c.K8sClientset.CoreV1().Nodes().List(context.Background(), metav1.ListOptions{})
-	if err != nil {
-		return []KubeArmorProbeData{}, nil, fmt.Errorf("error occured when getting nodes %s", err.Error())
-	}
+	pods, err := c.K8sClientset.CoreV1().Pods("").List(context.Background(), metav1.ListOptions{
+		LabelSelector: "kubearmor-app=kubearmor",
+	})
 
-	if len(nodes.Items) == 0 {
+	if err != nil || len(pods.Items) == 0 {
 		return []KubeArmorProbeData{}, nil, fmt.Errorf("no nodes found")
 	}
 	nodeData := make(map[string]KubeArmorProbeData)
 
 	var dataList []KubeArmorProbeData
-	for i, item := range nodes.Items {
-		data, err := readDataFromKubeArmor(c, o, item.Name)
+	for i, item := range pods.Items {
+		if item.Status.Phase != corev1.PodRunning {
+			continue
+		}
+		data, err := readDataFromKubeArmor(c, item)
 		if err != nil {
-			return []KubeArmorProbeData{}, nil, err
+			continue
 		}
 		dataList = append(dataList, data)
 		nodeData["Node"+strconv.Itoa(i+1)] = data
@@ -510,25 +513,18 @@ func ProbeRunningKubeArmorNodes(c *k8s.Client, o Options) ([]KubeArmorProbeData,
 	return dataList, nodeData, nil
 }
 
-func readDataFromKubeArmor(c *k8s.Client, o Options, nodeName string) (KubeArmorProbeData, error) {
+func readDataFromKubeArmor(c *k8s.Client, pod corev1.Pod) (KubeArmorProbeData, error) {
 	srcPath := "/tmp/karmorProbeData.cfg"
-	pods, err := c.K8sClientset.CoreV1().Pods("").List(context.Background(), metav1.ListOptions{
-		LabelSelector: "kubearmor-app=kubearmor",
-		FieldSelector: "spec.nodeName=" + nodeName,
-	})
-	if err != nil || pods == nil || len(pods.Items) == 0 {
-		return KubeArmorProbeData{}, fmt.Errorf("error occured while getting KubeArmor pods %s", err.Error())
-	}
 	reader, outStream := io.Pipe()
 	cmdArr := []string{"cat", srcPath}
 	req := c.K8sClientset.CoreV1().RESTClient().
 		Get().
-		Namespace(pods.Items[0].Namespace).
+		Namespace(pod.Namespace).
 		Resource("pods").
-		Name(pods.Items[0].Name).
+		Name(pod.Name).
 		SubResource("exec").
 		VersionedParams(&corev1.PodExecOptions{
-			Container: pods.Items[0].Spec.Containers[0].Name,
+			Container: pod.Spec.Containers[0].Name,
 			Command:   cmdArr,
 			Stdin:     false,
 			Stdout:    true,

diff --git a/profile/Client/profileClient.go b/profile/Client/profileClient.go
@@ -386,7 +386,7 @@ func convertToJSON(Operation string, data []Profile) {
 	}
 	if len(jsonArray) > 0 {
 		filepath := "Profile_Summary/"
-		err := os.MkdirAll(filepath, os.ModePerm)
+		err := os.MkdirAll(filepath, 0600)
 		err = os.WriteFile(filepath+Operation+".json", []byte(jsonArray[0]), 0600)
 		if err != nil {
 			panic(err)