Added security policy validator in custome controller by [VenkataReddy]

kubearmor · Jul 20, 2021 · f4a12be · f4a12be
1 parent 12fca1f
commit f4a12be
Show file tree

Hide file tree

Showing 16 changed files with 1,745 additions and 21 deletions.
diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
@@ -589,7 +589,7 @@ func (dm *KubeArmorDaemon) GetSecurityPolicies(identities []string) []tp.Securit
 }
 
 // UpdateSecurityPolicy Function
-func (dm *KubeArmorDaemon) UpdateSecurityPolicy(action string, secPolicy tp.SecurityPolicy) {
+func (dm *KubeArmorDaemon) UpdateSecurityPolicy(action string, secPolicy tp.SecurityPolicy, status string) {
 	dm.ContainerGroupsLock.Lock()
 	defer dm.ContainerGroupsLock.Unlock()
 
@@ -626,7 +626,9 @@ func (dm *KubeArmorDaemon) UpdateSecurityPolicy(action string, secPolicy tp.Secu
 			dm.LogFeeder.UpdateSecurityPolicies("UPDATED", dm.ContainerGroups[idx])
 
 			// enforce security policies
-			dm.RuntimeEnforcer.UpdateSecurityPolicies(dm.ContainerGroups[idx])
+			if status == "OK" {
+				dm.RuntimeEnforcer.UpdateSecurityPolicies(dm.ContainerGroups[idx])
+			}
 		}
 	}
 }
@@ -670,7 +672,7 @@ func (dm *KubeArmorDaemon) WatchSecurityPolicies() {
 						if policy.Metadata["policyName"] == secPolicy.Metadata["policyName"] &&
 							policy.Metadata["namespaceName"] == secPolicy.Metadata["namespaceName"] &&
 							policy.Metadata["generation"] == secPolicy.Metadata["generation"] {
-							exist = true
+							//exist = true
 							break
 						}
 					}
@@ -1042,7 +1044,7 @@ func (dm *KubeArmorDaemon) WatchSecurityPolicies() {
 				dm.LogFeeder.Printf("Detected a Security Policy (%s/%s/%s)", strings.ToLower(event.Type), secPolicy.Metadata["namespaceName"], secPolicy.Metadata["policyName"])
 
 				// apply security policies to containers
-				dm.UpdateSecurityPolicy(event.Type, secPolicy)
+				dm.UpdateSecurityPolicy(event.Type, secPolicy, event.Object.Status.PolicyStatus)
 			}
 		}
 	}

diff --git a/KubeArmor/types/types.go b/KubeArmor/types/types.go
@@ -92,10 +92,15 @@ type K8sKubeArmorPolicyEvent struct {
 	Object K8sKubeArmorPolicy `json:"object"`
 }
 
+type SecurityPolicyStatus struct {
+	PolicyStatus string `json:"status,omitempty"`
+}
+
 // K8sKubeArmorPolicy Structure
 type K8sKubeArmorPolicy struct {
-	Metadata metav1.ObjectMeta `json:"metadata"`
-	Spec     SecuritySpec      `json:"spec"`
+	Metadata metav1.ObjectMeta    `json:"metadata"`
+	Spec     SecuritySpec         `json:"spec"`
+	Status   SecurityPolicyStatus `json:"status,omitempty"`
 }
 
 // K8sKubeArmorPolicies Structure