fix option names
Signed-off-by: Jubril Oyetunji <[email protected]>

use application as default for insight and discover

Signed-off-by: Jubril Oyetunji <[email protected]>

switch to class in options struct

Signed-off-by: Jubril Oyetunji <[email protected]>

fix typo

Signed-off-by: Jubril Oyetunji <[email protected]>

change error handling conditions

Signed-off-by: Jubril Oyetunji <[email protected]>

change field names to ruletype

Signed-off-by: Jubril Oyetunji <[email protected]>

change field names to ruletype

Signed-off-by: Jubril Oyetunji <[email protected]>

fix typo

Signed-off-by: Jubril Oyetunji <[email protected]>

change error handling conditions

Signed-off-by: Jubril Oyetunji <[email protected]>

change field names to ruletype

Signed-off-by: Jubril Oyetunji <[email protected]>

check for insight

Signed-off-by: Jubril Oyetunji <[email protected]>

change field names to ruletype

Signed-off-by: Jubril Oyetunji <[email protected]>

change field names to ruletype

Signed-off-by: Jubril Oyetunji <[email protected]>

add example rule types

Signed-off-by: Jubril Oyetunji <[email protected]>

update policy packages to install updated CRDs

Signed-off-by: daemon1024 <[email protected]>

feat: add selector flag to logs

Signed-off-by: slayer321 <[email protected]>

configure audit posture during installation

Signed-off-by: daemon1024 <[email protected]>

updated deployment to get kubearmor hostname fix

Ref: kubearmor/KubeArmor#736

Signed-off-by: Rahul Jadhav <[email protected]>

add controller installation to karmor (kubearmor#65)

Support input files that contain multiple VM host/network policies (kubearmor#83)

Signed-off-by: Wazir Ahmed <[email protected]>

Synched with /vmlist response format changes in kvm-service (kubearmor#82)

Signed-off-by: Wazir Ahmed <[email protected]>

Upgrade go.mod/go.sum to support latest version of discovery-engine

Signed-off-by: Eswar Rajan Subramanian <[email protected]>

added selfupdate support

`karmor selfupdate` to auto update karmor to latest one

Signed-off-by: Rahul Jadhav <[email protected]>

added support for --force

`--force` will remove all kubearmor annotations from all the
deployments.

Signed-off-by: Rahul Jadhav <[email protected]>

updates to go.mod/sum

Signed-off-by: Rahul Jadhav <[email protected]>

releaser update

Signed-off-by: Rahul Jadhav <[email protected]>

updated README

Signed-off-by: Rahul Jadhav <[email protected]>

event channel support

External tools might want to handle events as and when they arrive.
Currently, karmor simply prints the events to stdout. Now support is
added to the API to export the events on a channel to an external tool. Needed
this for kubearmor auto test framework.

Signed-off-by: Rahul Jadhav <[email protected]>

added unit-tests in CI

Signed-off-by: Rahul Jadhav <[email protected]>

refactored description

removed unnecessary text.

install: autodetect bottlerocket env

Signed-off-by: daemon1024 <[email protected]>

log: refactor telemetry helper

- handle alert and logs in same helper
- future proof output for telemetry events fields
- modify tests to demo suggested usage

Signed-off-by: daemon1024 <[email protected]>

changed the EventChan exported data; fixed lints

Signed-off-by: Rahul Jadhav <[email protected]>

sysdump issue fixes

* gets apparmor profiles from all kubearmor pods
* if the exec to kubearmor pod fails, handle the failure graciously and
  get other information

Closes: kubearmor#95

Signed-off-by: Rahul Jadhav <[email protected]>

sysdump output file

* certain platforms do not allow colons to be part of filename (faced
  problem on GH action while uploading artifacts)
* ability to explicitly specify output file name

Signed-off-by: Rahul Jadhav <[email protected]>

ignore err if kubearmor daemonset not found

using `karmor sysdump` in the context of dev env causes problem since
kubearmor is not running in daemonset mode.

Signed-off-by: Rahul Jadhav <[email protected]>

Add cri-o in environment for karmor (kubearmor#98)

update deployment package to use init container (kubearmor#108)

update deployment package to fix generic env installation

Signed-off-by: daemon1024 <[email protected]>

install: Add flag to just save manifest and not install

New flag to save the KubeArmor Manifest file for the cluster env without installing
Also fixed panic when Nodes aren't available for environment detection

Signed-off-by: daemon1024 <[email protected]>

sysdump even if kubearmor pods are not found

currently, the sysdump expects the kubearmor daemon + pods to be
mandatorily present in the k8s. If not present, the sysdump errors out
and no zip file is produced. karmor sysdump could also be used in
cases where the user might just want to provide the snapshot of current
k8s cluster on which they intend to deploy kubearmor.
Similarly, sysdump is used in the context where kubearmor might be used
in host process mode (e.g., dev env).

Signed-off-by: Rahul Jadhav <[email protected]>

check if key value exists in map

Signed-off-by: rk <[email protected]>

Added progression bar,
Added time wait status check for all kubearmor-app pods,
Added execution time counter,
Added cursor animation,
Added emojis.

Update install/install.go

Co-authored-by: Rahul Jadhav <[email protected]>

Update install/install.go

Co-authored-by: Barun Acharya <[email protected]>

Update install/install.go

Co-authored-by: Rahul Jadhav <[email protected]>

Update install/install.go

Co-authored-by: Rahul Jadhav <[email protected]>

Done changes

Changes proposed were made

Update install/install.go

Co-authored-by: Rahul Jadhav <[email protected]>

create probe utility, probe host for observability/audit

Signed-off-by: essietom <[email protected]>

squash all commits for karmor probe utility

rename methods properly

Signed-off-by: essietom <[email protected]>

check supported enforcement for host

Signed-off-by: essietom <[email protected]>

correct print output

Signed-off-by: essietom <[email protected]>

refactor code to remove redundancy

Signed-off-by: essietom <[email protected]>

format text output

Signed-off-by: essietom <[email protected]>

check node observability support

Signed-off-by: essietom <[email protected]>

refactor code

Signed-off-by: essietom <[email protected]>

refactor code

Signed-off-by: essietom <[email protected]>

refactor code

Signed-off-by: essietom <[email protected]>

refactor code

Signed-off-by: essietom <[email protected]>

remove non probe commits

Signed-off-by: essietom <[email protected]>

probe deployment

Signed-off-by: essietom <[email protected]>

handle error from bold text

Signed-off-by: essietom <[email protected]>

refactor code, check bpf support in lsm, check lib module in kernel header

Signed-off-by: essietom <[email protected]>

format code fix indentation

Signed-off-by: essietom <[email protected]>

add licence identifier

Signed-off-by: essietom <[email protected]>

ci: check if any files are unformatted

gofmt doesn't error out in case files are unformatted, so we manually check if the output filelist contains any files or not

Signed-off-by: daemon1024 <[email protected]>

chore: handle fmt and linter error/warnings

Signed-off-by: daemon1024 <[email protected]>

uninstall: uninstall CRD only if force option is used

Signed-off-by: daemon1024 <[email protected]>

Add info emoji when resource already exists

Signed-off-by: daemon1024 <[email protected]>

add support for handling un-orchestrated containers

Signed-off-by: Ankur Kothiwal <[email protected]>

fix sysname error and os probe support

Signed-off-by: essietom <[email protected]>

remove redundant space

Signed-off-by: essietom <[email protected]>

put back comment

Signed-off-by: essietom <[email protected]>

put comment

Signed-off-by: essietom <[email protected]>

fix animation flag

revert animation flag removal introduced in kubearmor#120

Signed-off-by: daemon1024 <[email protected]>
s1ntaxe770r authored and Jubril Oyetunji committed Aug 18, 2022
1 parent 9bf755a commit a4a38fe
Showing 40 changed files with 2,256 additions and 883 deletions.
14 changes: 14 additions & 0 deletions .github/workflows/ci-go.yml
Expand Up @@ -56,3 +56,17 @@ jobs:
uses: morphy2k/revive-action@v2
with:
path: "./..."

unit-tests:
runs-on: ubuntu-latest
steps:
- name: Checkout Source
uses: actions/checkout@v2

- uses: actions/setup-go@v2
with:
go-version: v1.18

- name: Run unit tests
run: make test
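Review bot: The new `unit-tests` job references `actions/checkout@v2` and `actions/setup-go@v2` by mutable tag, as the existing `morphy2k/revive-action@v2` step above it does. A tag can be moved by the action's owner, so pin each `uses:` to a full commit SHA and keep the tag as a trailing comment. The job also sets no `permissions:` of its own; unless the workflow restricts the token at the top level, a job that only runs `make test` should declare `contents: read`.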

2 changes: 1 addition & 1 deletion .goreleaser.yaml
Expand Up @@ -8,6 +8,6 @@ builds:
goarch:
- amd64
- arm64
ldflags: -w -s -X github.com/kubearmor/kubearmor-client/version.BuildDate={{.Date}} -X github.com/kubearmor/kubearmor-client/version.GitSummary={{.Version}}
ldflags: -w -s -X github.com/kubearmor/kubearmor-client/selfupdate.BuildDate={{.Date}} -X github.com/kubearmor/kubearmor-client/selfupdate.GitSummary={{.Version}}
env:
- CGO_ENABLED=0
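Review bot: The `ldflags` line now targets `selfupdate.BuildDate` and `selfupdate.GitSummary`, and the Go linker silently ignores `-X` for a symbol that does not exist or is not a package-level string variable, so a rename mismatch yields a binary with empty version fields and no build error. Add a release smoke check that `karmor version` prints a non-empty version, and keep this line in step with the `PKG := $(shell go list ./selfupdate)` change in the Makefile.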
9 changes: 7 additions & 2 deletions Makefile
Expand Up @@ -5,10 +5,10 @@ CURDIR := $(shell pwd)
INSTALLDIR := $(shell go env GOPATH)/bin/

ifeq (, $(shell which govvv))
$(shell go get github.com/ahmetb/govvv@latest)
$(shell go install github.com/ahmetb/govvv@latest)
endif

PKG := $(shell go list ./version)
PKG := $(shell go list ./selfupdate)
GIT_INFO := $(shell govvv -flags -pkg $(PKG))

.PHONY: build
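Review bot: `go install github.com/ahmetb/govvv@latest` in the `ifeq` block downloads and builds whatever govvv release is current whenever `make` is parsed on a machine that lacks it, so the build tool is unpinned third-party code and release builds are not reproducible. Pin an explicit version (`@vX.Y.Z`, placeholder) and consider moving the install into a named target instead of a top-level `$(shell ...)`.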
Expand All @@ -23,13 +23,18 @@ install: build
clean:
cd $(CURDIR); rm -f karmor

.PHONY: test
test:
cd $(CURDIR); go test -v ./...

.PHONY: protobuf
vm-protobuf:
cd $(CURDIR)/vm/protobuf; protoc --proto_path=. --go_opt=paths=source_relative --go_out=plugins=grpc:. vm.proto

.PHONY: gofmt
gofmt:
cd $(CURDIR); gofmt -s -d $(shell find . -type f -name '*.go' -print)
cd $(CURDIR); test -z "$(shell gofmt -s -l $(shell find . -type f -name '*.go' -print) | tee /dev/stderr)"

.PHONY: golint
golint:
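Review bot: In the `gofmt` recipe, `$(shell gofmt -s -l ...)` is expanded by make before the recipe's shell runs, so the `cd $(CURDIR);` in front of it has no effect on where gofmt runs and the file names are pasted into the command text. Using the shell's own substitution, `test -z "$$(gofmt -s -l . | tee /dev/stderr)"`, keeps the evaluation inside the recipe. Separately, the context line `.PHONY: protobuf` does not match the `vm-protobuf:` target below it.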
24 changes: 7 additions & 17 deletions README.md
@@ -1,28 +1,16 @@
# kArmor
# karmor

**kArmor** is a CLI client to help manage [KubeArmor](github.com/kubearmor/KubeArmor).

KubeArmor is a container-aware runtime security enforcement system that
restricts the behavior (such as process execution, file access, and networking
operation) of containers at the system level.
**karmor** is a client tool to help manage [KubeArmor](github.com/kubearmor/KubeArmor).

## Installation

The following sections show how to install the kArmor. It can be installed either from source, or from pre-built binary releases.

### From Script

kArmor has an installer script that will automatically grab the latest version of kArmor and install it locally.

```
curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin
curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
```

The binary will be installed in `/usr/local/bin` folder.

### From Source
### Installing from Source

Building kArmor from source is slightly more work, but is the best way to go if you want to test the latest (pre-release) kArmor version.
Build karmor from source if you want to test the latest (pre-release) karmor version.

```
git clone https://github.com/kubearmor/kubearmor-client.git
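Review bot: The install command `curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin` fetches the installer over plain HTTP and pipes it into a root shell, so the script's integrity depends on every hop of the network path. Use an `https://` URL, as the `raw.githubusercontent.com` line does, and ideally document a download, verify, then run alternative. The link target `github.com/kubearmor/KubeArmor` also lacks a scheme and will render as a relative link.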
Expand Down Expand Up @@ -50,6 +38,8 @@ Available Commands:
insight Policy insight from discovery engine
install Install KubeArmor in a Kubernetes Cluster
log Observe Logs from KubeArmor
rotate-tls Rotate webhook controller tls certificates
selfupdate selfupdate this cli tool
sysdump Collect system dump information for troubleshooting and error report
uninstall Uninstall KubeArmor from a Kubernetes Cluster
version Display version information
2 changes: 1 addition & 1 deletion cmd/discover.go
Expand Up @@ -27,7 +27,7 @@ func init() {
rootCmd.AddCommand(discoverCmd)
discoverCmd.Flags().StringVar(&discoverOptions.GRPC, "grpc", "", "gRPC server information")
discoverCmd.Flags().StringVarP(&discoverOptions.Format, "format", "f", "json", "Format: json or yaml")
discoverCmd.Flags().StringVar(&discoverOptions.Policy, "class", "kubearmor", "Type of policies to be discovered: cilium or kubearmor")
discoverCmd.Flags().StringVar(&discoverOptions.Class, "class", "application", "Type of policies to be discovered: application or network ")
discoverCmd.Flags().StringVarP(&discoverOptions.Namespace, "namespace", "n", "", "Filter by Namespace")
discoverCmd.Flags().StringVarP(&discoverOptions.Clustername, "clustername", "c", "", "Filter by Clustername")
discoverCmd.Flags().StringVarP(&discoverOptions.Labels, "labels", "l", "", "Filter by policy Label")
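Review bot: The `--class` default moves from `kubearmor` to `application` and the documented values from `cilium or kubearmor` to `application or network`, which breaks scripts that pass the old values, and nothing in this hunk rejects an unknown class. Either accept the old names as aliases with a deprecation message or validate the value in the command and return a clear error. The new help string also ends with a stray space.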
4 changes: 2 additions & 2 deletions cmd/insight.go
Expand Up @@ -27,12 +27,12 @@ func init() {
rootCmd.AddCommand(insightCmd)

insightCmd.Flags().StringVar(&insightOptions.GRPC, "grpc", "", "gRPC server information")
insightCmd.Flags().StringVar(&insightOptions.Source, "class", "application", "The DB for insight : application|network|all")
insightCmd.Flags().StringVar(&insightOptions.Class, "class", "application", "The DB for insight : application|network|all")
insightCmd.Flags().StringVar(&insightOptions.Labels, "labels", "", "Labels for resources")
insightCmd.Flags().StringVar(&insightOptions.Containername, "containername", "", "Filter according to the Container name")
insightCmd.Flags().StringVar(&insightOptions.Clustername, "clustername", "", "Filter according to the Cluster name")
insightCmd.Flags().StringVar(&insightOptions.Fromsource, "fromsource", "", "Filter according to the source path")
insightCmd.Flags().StringVarP(&insightOptions.Namespace, "namespace", "n", "", "Namespace for resources")
insightCmd.Flags().StringVar(&insightOptions.Type, "type", "", "NW packet type : ingress|egress")
insightCmd.Flags().StringVar(&insightOptions.Rule, "ruletype", "", "NW packet Rule")
insightCmd.Flags().StringVar(&insightOptions.Ruletype, "ruletype", "", "NW packet Rule : toPorts| toEntities| fromEntities | matchLabels")
}
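Review bot: The `--ruletype` help text `toPorts| toEntities| fromEntities | matchLabels` is spaced inconsistently next to `ingress|egress` and `application|network|all` in the same block; normalize it to `toPorts|toEntities|fromEntities|matchLabels`. If these are the only accepted values, check `insightOptions.Ruletype` against them in the command so a typo is reported to the user.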
4 changes: 4 additions & 0 deletions cmd/install.go
Expand Up @@ -16,6 +16,7 @@ var installCmd = &cobra.Command{
Short: "Install KubeArmor in a Kubernetes Cluster",
Long: `Install KubeArmor in a Kubernetes Clusters`,
RunE: func(cmd *cobra.Command, args []string) error {
installOptions.Animation = true
if err := install.K8sInstaller(client, installOptions); err != nil {
return err
}
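Review bot: `installOptions.Animation = true` is set unconditionally inside `RunE`, so the animation cannot be turned off when `karmor install` runs in CI or with output redirected to a file. Expose it as a flag (the commit message refers to an animation flag) or enable it only when stdout is a terminal.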
Expand All @@ -28,4 +29,7 @@ func init() {

installCmd.Flags().StringVarP(&installOptions.Namespace, "namespace", "n", "kube-system", "Namespace for resources")
installCmd.Flags().StringVarP(&installOptions.KubearmorImage, "image", "i", "kubearmor/kubearmor:stable", "Kubearmor daemonset image to use")
installCmd.Flags().StringVarP(&installOptions.Audit, "audit", "a", "", "Kubearmor Audit Posture Context [all,file,network,capabilities]")
installCmd.Flags().BoolVar(&installOptions.Save, "save", false, "Save KubeArmor Manifest ")

}
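Review bot: `--audit` is a free-form string documented as `[all,file,network,capabilities]`, and nothing in this hunk validates it before `install.K8sInstaller` is called. Because the value sets the security posture of the installation, reject anything outside the documented set with an error and state in the help text what the empty default means. The `--save` help text has a trailing space and does not say where the manifest is written.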
1 change: 1 addition & 0 deletions cmd/log.go
Expand Up @@ -40,4 +40,5 @@ func init() {
logCmd.Flags().StringVar(&logOptions.Resource, "resource", "", "command used by the user")
logCmd.Flags().StringVar(&logOptions.Source, "source", "", "binary used by the system ")
logCmd.Flags().Uint32Var(&logOptions.Limit, "limit", 0, "number of logs you want to see")
logCmd.Flags().StringArrayVarP(&logOptions.Selector, "selector", "l", []string{}, "use the label to get the particular log")
}
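Review bot: The `--selector` help text `use the label to get the particular log` does not state the expected label syntax or how repeated `-l` values combine, which a `StringArrayVarP` flag invites. Spell both out in the usage string.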
31 changes: 31 additions & 0 deletions cmd/probe.go
@@ -0,0 +1,31 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright 2022 Authors of KubeArmor

package cmd

import (
"github.com/kubearmor/kubearmor-client/probe"
"github.com/spf13/cobra"
)

var probeInstallOptions probe.Options

// probeCmd represents the get command
var probeCmd = &cobra.Command{
Use: "probe",
Short: "Display probe information",
Long: `Display probe information`,
RunE: func(cmd *cobra.Command, args []string) error {
if err := probe.PrintProbeResult(client, probeInstallOptions); err != nil {
return err
}
return nil

},
}

func init() {
rootCmd.AddCommand(probeCmd)
probeCmd.Flags().StringVarP(&probeInstallOptions.Namespace, "namespace", "n", "default", "Namespace for resources")
probeCmd.Flags().BoolVar(&probeInstallOptions.Full, "full", false, "Full performs full probing")
}
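Review bot: `--namespace` defaults to `default` here while `install`, `uninstall` and `rotate-tls` default to `kube-system`, so `karmor probe` run after a default install is pointed at a different namespace than the one KubeArmor was installed into. Align the default with `kube-system` unless the difference is deliberate, and say so in the help text if it is. The doc comment `probeCmd represents the get command` is a copy-paste leftover, and `probeInstallOptions` would read better as `probeOptions`.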
1 change: 1 addition & 0 deletions cmd/root.go
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright 2021 Authors of KubeArmor

// Package cmd is the collection of all the subcommands available in kArmor while providing relevant options for the same
package cmd

import (
25 changes: 25 additions & 0 deletions cmd/rotate-tls.go
@@ -0,0 +1,25 @@
package cmd

import (
"github.com/kubearmor/kubearmor-client/rotatetls"
"github.com/spf13/cobra"
)

var namespace string
var rotateCmd = &cobra.Command{
Use: "rotate-tls",
Short: "Rotate webhook controller tls certificates",
Long: `Rotate webhook controller tls certificates`,
RunE: func(cmd *cobra.Command, args []string) error {
if err := rotatetls.RotateTLS(client, namespace); err != nil {
return err
}
return nil
},
}

func init() {
rootCmd.AddCommand(rotateCmd)

rotateCmd.Flags().StringVarP(&namespace, "namespace", "n", "kube-system", "Namespace for resources")
}
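Review bot: This new file has no SPDX license header, unlike `cmd/probe.go` and `cmd/selfupdate.go` added in the same commit, and it declares a package-level `var namespace string` in package `cmd`, a generic name visible to every other command file. Add the two header lines and hold the flag in an options struct as the other commands do. `Long` repeats `Short` word for word; for a command that replaces the webhook controller's TLS certificates it should describe the effect on the running controller.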
26 changes: 26 additions & 0 deletions cmd/selfupdate.go
@@ -0,0 +1,26 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright 2022 Authors of KubeArmor

package cmd

import (
"github.com/kubearmor/kubearmor-client/selfupdate"
"github.com/spf13/cobra"
)

// selfUpdateCmd represents the get command
var selfUpdateCmd = &cobra.Command{
Use: "selfupdate",
Short: "selfupdate this cli tool",
Long: `selfupdate this cli tool for checking the latest release on the github`,
RunE: func(cmd *cobra.Command, args []string) error {
if err := selfupdate.SelfUpdate(client); err != nil {
return err
}
return nil
},
}

func init() {
rootCmd.AddCommand(selfUpdateCmd)
}
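Review bot: `selfupdate.SelfUpdate(client)` takes the Kubernetes client, which ties updating a local binary to cluster access; if the function does not need it, drop the argument so the command works without a kubeconfig. No flag is visible here to only check for a newer release or to confirm before the binary is replaced, and the `selfupdate` package is outside the lines shown, so confirm there that the downloaded release is verified (checksum or signature) before it overwrites the executable. The comment `selfUpdateCmd represents the get command` is a copy-paste leftover.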
5 changes: 4 additions & 1 deletion cmd/sysdump.go
Expand Up @@ -8,13 +8,15 @@ import (
"github.com/spf13/cobra"
)

var dumpOptions sysdump.Options

// sysdumpCmd represents the get command
var sysdumpCmd = &cobra.Command{
Use: "sysdump",
Short: "Collect system dump information for troubleshooting and error report",
Long: `Collect system dump information for troubleshooting and error reports`,
RunE: func(cmd *cobra.Command, args []string) error {
if err := sysdump.Collect(client); err != nil {
if err := sysdump.Collect(client, dumpOptions); err != nil {
return err
}
return nil
Expand All @@ -23,4 +25,5 @@ var sysdumpCmd = &cobra.Command{

func init() {
rootCmd.AddCommand(sysdumpCmd)
sysdumpCmd.Flags().StringVarP(&dumpOptions.Filename, "file", "f", "", "output file to use")
}
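Review bot: The `--file` help text `output file to use` does not say what name is used when the flag is left empty or whether an existing file is overwritten. Document the default, and since a sysdump holds cluster state, state the permissions the output file is created with.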
1 change: 1 addition & 0 deletions cmd/uninstall.go
Expand Up @@ -27,4 +27,5 @@ func init() {
rootCmd.AddCommand(uninstallCmd)

uninstallCmd.Flags().StringVarP(&uninstallOptions.Namespace, "namespace", "n", "kube-system", "Namespace for resources")
uninstallCmd.Flags().BoolVar(&uninstallOptions.Force, "force", false, "Force remove kubearmor annotations from deployments. (Deployments might be restarted)")
}
9 changes: 6 additions & 3 deletions cmd/vm.go
Expand Up @@ -12,9 +12,12 @@ import (

var (
scriptOptions vm.ScriptOptions
HTTPIP string // HTTPIP : IP of the http request
HTTPPort string // HTTPPort : Port of the http request
IsKvmsEnv bool
// HTTPIP : IP of the http request
HTTPIP string
// HTTPPort : Port of the http request
HTTPPort string
//IsKvmsEnv : Is kubearmor virtual machine env?
IsKvmsEnv bool
)

// vmCmd represents the vm command
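Review bot: `//IsKvmsEnv : Is kubearmor virtual machine env?` is missing the space after `//` that the two comments above it have. `HTTPIP`, `HTTPPort` and `IsKvmsEnv` are exported package-level variables in `cmd`; unless another package reads them, unexport them.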