Merge pull request #197 from nam-jaehyun/master

minor updates
kubearmor · Jul 9, 2021 · 12fca1f · 12fca1f
2 parents f4fba7c + 5c7ec4c
commit 12fca1f
Show file tree

Hide file tree

Showing 11 changed files with 24 additions and 9 deletions.
diff --git a/KubeArmor/Makefile b/KubeArmor/Makefile
@@ -23,6 +23,11 @@ run-per-pod: $(CURDIR)/kubearmor
 	cd $(CURDIR); sudo rm -f /tmp/kubearmor.log
 	cd $(CURDIR); sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableEnforcerPerPod
 
+.PHONY: run-with-host
+run-per-pod: $(CURDIR)/kubearmor
+	cd $(CURDIR); sudo rm -f /tmp/kubearmor.log
+	cd $(CURDIR); sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableHostPolicy
+
 .PHONY: test
 test:
 	cd $(CURDIR)/feeder; go mod tidy

diff --git a/KubeArmor/enforcer/appArmorEnforcer.go b/KubeArmor/enforcer/appArmorEnforcer.go
@@ -301,6 +301,7 @@ func (ae *AppArmorEnforcer) CreateAppArmorHostProfile() error {
 		"\n" +
 		"  /usr/bin/runc Ux,\n" + // docker
 		"  /usr/sbin/runc Ux,\n" + // containerd
+		"  /snap/microk8s/2262/bin/runc Ux,\n" + // microk8s
 		"  /snap/microk8s/2264/bin/runc Ux,\n" + // microk8s
 		"\n" +
 		"  ## == POLICY START == ##\n" +

diff --git a/KubeArmor/enforcer/appArmorHostProfile.go b/KubeArmor/enforcer/appArmorHostProfile.go
@@ -1839,6 +1839,7 @@ func GenerateHostProfileHead() string {
 		"\n" +
 		"  /usr/bin/runc Ux,\n" + // docker
 		"  /usr/sbin/runc Ux,\n" + // containerd
+		"  /snap/microk8s/2262/bin/runc Ux,\n" + // microk8s
 		"  /snap/microk8s/2264/bin/runc Ux,\n" + // microk8s
 		"\n" +
 		"  ## == POLICY START == ##\n"

diff --git a/contribution/self-managed-k8s/k8s/activate_br_netfilter.sh b/contribution/self-managed-k8s/k8s/activate_br_netfilter.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# activate br_netfilter
+sudo modprobe br_netfilter
+sudo bash -c "echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables"
+sudo bash -c "echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.conf"
diff --git a/contribution/self-managed-k8s/k8s/initialize_kubernetes.sh b/contribution/self-managed-k8s/k8s/initialize_kubernetes.sh
@@ -11,10 +11,6 @@ fi
 # turn off swap
 sudo swapoff -a
 
-# enable ip forwarding
-sudo bash -c "echo '1' > /proc/sys/net/ipv4/ip_forward"
-sudo bash -c "echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf"
-
 # activate br_netfilter
 sudo modprobe br_netfilter
 sudo bash -c "echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables"

diff --git a/contribution/self-managed-k8s/k8s/install_kubernetes.sh b/contribution/self-managed-k8s/k8s/install_kubernetes.sh
@@ -30,3 +30,9 @@ sudo apt-get install -y apparmor apparmor-utils auditd
 
 # enable auditd
 sudo systemctl enable auditd && sudo systemctl start auditd
+
+# enable ip forwarding
+if [ $(cat /proc/sys/net/ipv4/ip_forward) == 0 ]; then
+    sudo bash -c "echo '1' > /proc/sys/net/ipv4/ip_forward"
+    sudo bash -c "echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf"
+fi
diff --git a/deployments/GKE/kubearmor.yaml b/deployments/GKE/kubearmor.yaml
@@ -92,7 +92,7 @@ spec:
         imagePullPolicy: Always
         securityContext:
           privileged: true
-        args: ["-gRPC=32767", "-logPath=/tmp/kubearmor.log", "-enableEnforcerPerPod", "-enableHostPolicy"]
+        args: ["-gRPC=32767", "-logPath=/tmp/kubearmor.log", "-enableEnforcerPerPod"]
         ports:
         - containerPort: 32767
         volumeMounts:

diff --git a/deployments/docker/kubearmor.yaml b/deployments/docker/kubearmor.yaml
@@ -92,7 +92,7 @@ spec:
         imagePullPolicy: Always
         securityContext:
           privileged: true
-        args: ["-gRPC=32767", "-logPath=/tmp/kubearmor.log", "-enableHostPolicy"]
+        args: ["-gRPC=32767", "-logPath=/tmp/kubearmor.log"]
         ports:
         - containerPort: 32767
         volumeMounts:

diff --git a/deployments/generic/kubearmor.yaml b/deployments/generic/kubearmor.yaml
@@ -92,7 +92,7 @@ spec:
         imagePullPolicy: Always
         securityContext:
           privileged: true
-        args: ["-gRPC=32767", "-logPath=/tmp/kubearmor.log", "-enableHostPolicy"]
+        args: ["-gRPC=32767", "-logPath=/tmp/kubearmor.log"]
         ports:
         - containerPort: 32767
         volumeMounts:

diff --git a/deployments/microk8s/kubearmor.yaml b/deployments/microk8s/kubearmor.yaml
@@ -92,7 +92,7 @@ spec:
         imagePullPolicy: Always
         securityContext:
           privileged: true
-        args: ["-gRPC=32767", "-logPath=/tmp/kubearmor.log", "-enableHostPolicy"]
+        args: ["-gRPC=32767", "-logPath=/tmp/kubearmor.log"]
         ports:
         - containerPort: 32767
         volumeMounts:

diff --git a/helm/templates/kubearmor-daemonset.yaml b/helm/templates/kubearmor-daemonset.yaml
@@ -29,7 +29,7 @@ spec:
         imagePullPolicy: Always
         securityContext:
           privileged: true
-        args: ["-gRPC=32767", "-logPath=/tmp/kubearmor.log", "-enableHostPolicy"]
+        args: ["-gRPC=32767", "-logPath=/tmp/kubearmor.log"]
         env:
         - name: CLUSTER_NAME
           value: {{ .Values.general.clusterName | quote }}