Added init operations

Signed-off-by: Afek Berger <afekb@armosec.io>
kubescape · Nov 11, 2024 · abe4173 · abe4173
1 parent 3885bab
commit abe4173
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 6 deletions.
diff --git a/pkg/applicationprofilemanager/v1/applicationprofile_manager.go b/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
@@ -177,7 +177,9 @@ func (am *ApplicationProfileManager) monitorContainer(ctx context.Context, conta
 		watchedContainer.SetCompletionStatus(utils.WatchedContainerCompletionStatusFull)
 	}
 	watchedContainer.SetStatus(utils.WatchedContainerStatusInitializing)
-	am.saveProfile(ctx, watchedContainer, container.K8s.Namespace)
+
+	initOps := GetInitOperations(watchedContainer.ContainerType.String(), watchedContainer.ContainerIndex)
+	am.saveProfile(ctx, watchedContainer, container.K8s.Namespace, initOps)
 
 	for {
 		select {
@@ -188,7 +190,7 @@ func (am *ApplicationProfileManager) monitorContainer(ctx context.Context, conta
 				watchedContainer.UpdateDataTicker.Reset(utils.AddJitter(am.cfg.UpdateDataPeriod, am.cfg.MaxJitterPercentage))
 			}
 			watchedContainer.SetStatus(utils.WatchedContainerStatusReady)
-			am.saveProfile(ctx, watchedContainer, container.K8s.Namespace)
+			am.saveProfile(ctx, watchedContainer, container.K8s.Namespace, nil)
 		case err := <-watchedContainer.SyncChannel:
 			switch {
 			case errors.Is(err, utils.ContainerHasTerminatedError):
@@ -197,11 +199,11 @@ func (am *ApplicationProfileManager) monitorContainer(ctx context.Context, conta
 					watchedContainer.SetStatus(utils.WatchedContainerStatusCompleted)
 				}
 
-				am.saveProfile(ctx, watchedContainer, container.K8s.Namespace)
+				am.saveProfile(ctx, watchedContainer, container.K8s.Namespace, nil)
 				return err
 			case errors.Is(err, utils.ContainerReachedMaxTime):
 				watchedContainer.SetStatus(utils.WatchedContainerStatusCompleted)
-				am.saveProfile(ctx, watchedContainer, container.K8s.Namespace)
+				am.saveProfile(ctx, watchedContainer, container.K8s.Namespace, nil)
 				return err
 			case errors.Is(err, utils.ObjectCompleted):
 				watchedContainer.SetStatus(utils.WatchedContainerStatusCompleted)
@@ -215,7 +217,7 @@ func (am *ApplicationProfileManager) monitorContainer(ctx context.Context, conta
 	}
 }
 
-func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedContainer *utils.WatchedContainerData, namespace string) {
+func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedContainer *utils.WatchedContainerData, namespace string, initalizeOperations []utils.PatchOperation) {
 	ctx, span := otel.Tracer("").Start(ctx, "ApplicationProfileManager.saveProfile")
 	defer span.End()
 
@@ -339,9 +341,13 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 	// 3a. the object is missing its container slice - ADD one with the container profile at the right index
 	// 3b. the object is missing the container profile - ADD the container profile at the right index
 	// 3c. default - patch the container ourselves and REPLACE it at the right index
-	if len(capabilities) > 0 || len(endpoints) > 0 || len(execs) > 0 || len(opens) > 0 || len(toSaveSyscalls) > 0 || watchedContainer.StatusUpdated() {
+	if len(capabilities) > 0 || len(endpoints) > 0 || len(execs) > 0 || len(opens) > 0 || len(toSaveSyscalls) > 0 || len(initalizeOperations) > 0 || watchedContainer.StatusUpdated() {
 		// 0. calculate patch
 		operations := utils.CreateCapabilitiesPatchOperations(capabilities, observedSyscalls, execs, opens, endpoints, rulePolicies, watchedContainer.ContainerType.String(), watchedContainer.ContainerIndex)
+		if len(initalizeOperations) > 0 {
+			operations = append(operations, initalizeOperations...)
+		}
+
 		operations = utils.AppendStatusAnnotationPatchOperations(operations, watchedContainer)
 		operations = append(operations, utils.PatchOperation{
 			Op:    "add",

diff --git a/pkg/applicationprofilemanager/v1/helpers.go b/pkg/applicationprofilemanager/v1/helpers.go
@@ -15,6 +15,8 @@ import (
 	"github.com/kubescape/go-logger/helpers"
 	tracerhttphelper "github.com/kubescape/node-agent/pkg/ebpf/gadgets/http/tracer"
 	tracerhttptype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/http/types"
+	"github.com/kubescape/node-agent/pkg/ruleengine/v1"
+	"github.com/kubescape/node-agent/pkg/utils"
 	"github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 )
 
@@ -103,3 +105,20 @@ func IsPolicyIncluded(existingPolicy, newPolicy *v1beta1.RulePolicy) bool {
 
 	return true
 }
+
+func GetInitOperations(containerType string, containerIndex int) []utils.PatchOperation {
+	var operations []utils.PatchOperation
+	ids := ruleengine.NewRuleCreator().GetAllRuleIDs()
+	for _, id := range ids {
+		operation := utils.PatchOperation{
+			Op:   "add",
+			Path: fmt.Sprintf("/spec/%s/%d/rulePolicies/%s/-", containerType, containerIndex, id),
+			Value: v1beta1.RulePolicy{
+				AllowedProcesses: nil,
+				AllowedContainer: false,
+			},
+		}
+		operations = append(operations, operation)
+	}
+	return operations
+}
diff --git a/pkg/ruleengine/v1/factory.go b/pkg/ruleengine/v1/factory.go
@@ -88,6 +88,13 @@ func (r *RuleCreatorImpl) CreateRulesByEventType(eventType utils.EventType) []ru
 	}
 	return rules
 }
+func (r *RuleCreatorImpl) GetAllRuleIDs() []string {
+	var ruleIDs []string
+	for _, rule := range r.ruleDescriptions {
+		ruleIDs = append(ruleIDs, rule.ID)
+	}
+	return ruleIDs
+}
 
 func containsEventType(eventTypes []utils.EventType, eventType utils.EventType) bool {
 	for _, et := range eventTypes {