kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0

Add KubeVirt Support #1168

Open Ankurk99 opened 1 year ago

Ankurk99 commented 1 year ago

Feature Request

Test if KubeArmor can be run on KubeVirt

The aim is to check how KubeVirt works and whether it's possible to run KubeArmor on it. We should also check the changes which need to be done in order to support it.

ShivangShandilya commented 1 year ago

@Ankurk99 I would like to work on this, but I would require your guidance along the way. So, like, can you please elaborate on this issue a little? I get what we have to do; I want to know how to do this.

Ankurk99 commented 1 year ago

@ShivangShandilya Glad to see your interest. You can start with checking out KubeVirt and install a setup environment https://kubevirt.io/labs/kubernetes/lab1.html. Also preparing a design document for how it actually works will help. We ourselves haven't tried KubeVirt before so we will be learning it together :smile:

ShivangShandilya commented 1 year ago

Ohh nice, ok so I'll check out KubeVirt. Correct me if I'm wrong, but in the design document basically all I'll have to add will be how it works and what all steps are there to install a setup env, right? And also, where can I share the same when it's ready?

Ankurk99 commented 1 year ago

> all I'll have to add will be how it works and what all steps are there to install a setup env right?

Yes: how it works, how to set up the environment, whether KubeArmor can be installed on it, and what all changes are required to do so. You can share the link to the document here and we will add it to the KubeArmor wiki.

Ankurk99 commented 1 year ago

Hey @ShivangShandilya did you get a chance to look into the issue?

Amishakumari544 commented 1 year ago

If no one is working on it, I am interested in this @Ankurk99

ShivangShandilya commented 1 year ago

> Hey @ShivangShandilya did you get a chance to look into the issue?

Yes, I have been looking into it but got a little sidetracked because of getting my GSoC proposals ready. Will get back to it ASAP but will need some time.

nyrahul commented 11 months ago

Model for supporting KubeVirt

[image: model for supporting KubeVirt]

Points to be noted:

  1. KubeArmor will be installed on the target virtual machines in systemd mode. How this installation is handled is out of scope for this task. The installation can be handled using a pre-created image, using a HashiCorp Packer provisioner, or through any other means. The point is, KubeArmor will already be running in the target.
  2. KubeArmor Relay would be the gateway to the KubeArmor instances deployed on virtual machines.
  3. Things would be plug and play, i.e., KubeArmor does not have to be explicitly instructed to operate in a KubeVirt environment. KubeArmor (and the relay) knows that KubeVirt resources are available and thus should be able to watch for the resources and act accordingly.

Deployment changes

There are no changes in deployment steps. KubeArmor relay would internally know that KubeVirt resources are available and thus needs to connect to the corresponding VMI (the VMI IP address is available in the corresponding resource).

[image]

Relay would proactively connect to the VMI and maintain a state for every VMI. Note that it is possible that KubeArmor is installed at a later point in time on the VMI, or that KubeArmor might be stopped and later started again. All these conditions need to be handled.

Note that the KubeArmor deployed in the KubeVirt k8s cluster is for the KubeVirt control plane security, whereas the KubeArmor deployed in the VMI is for the data plane security.

Tasklist
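The per-VMI state the relay would keep, as sketched above, with the three conditions called out (KubeArmor installed later, KubeArmor stopped and restarted, VMI deleted or re-created) handled in one reconcile pass. This is an added illustration, not KubeArmor's relay code: the `VMI` type is a constructed stand-in for the name and status IP of a KubeVirt VirtualMachineInstance, and `Dialer` stands in for whatever connection the relay opens to the KubeArmor instance inside the VM.

```go
package main

// VMI is a constructed stand-in for the two fields of a KubeVirt
// VirtualMachineInstance the relay needs: its name and the IP from its status.
type VMI struct{ Name, IP string }

type ConnState struct { // what the relay remembers about one VMI
	IP        string
	Connected bool
	Attempts  int // dials since this VMI (or its current address) appeared
}

// Dialer stands in for connecting to the KubeArmor instance inside the VMI;
// it fails while KubeArmor is not yet, or no longer, running there.
type Dialer func(ip string) error

type Relay struct {
	dial  Dialer
	state map[string]*ConnState // one entry per VMI, keyed by name
}

func NewRelay(d Dialer) *Relay { return &Relay{dial: d, state: map[string]*ConnState{}} }

// Reconcile takes the current VMI list, as a watcher would deliver it, and
// brings the relay's per-VMI state in line with it.
func (r *Relay) Reconcile(vmis []VMI) {
	next := map[string]*ConnState{}
	for _, v := range vmis {
		st := r.state[v.Name]
		if st == nil || st.IP != v.IP { // new VMI, or re-created with a new address
			st = &ConnState{IP: v.IP}
		}
		if !st.Connected { // never reached, or KubeArmor stopped since last time
			st.Attempts++
			st.Connected = r.dial(v.IP) == nil
		}
		next[v.Name] = st
	}
	r.state = next // VMIs that vanished from the list are forgotten
}

// MarkDown records a dropped connection so the next Reconcile retries the VMI.
func (r *Relay) MarkDown(name string) {
	if st := r.state[name]; st != nil {
		st.Connected = false
	}
}

// Status returns the relay's view of one VMI, or nil if it is not tracked.
func (r *Relay) Status(name string) *ConnState { return r.state[name] }
```

A real watcher would call `Reconcile` on every VMI add/update/delete event and `MarkDown` whenever the stream from a VMI breaks.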

sheharyaar commented 8 months ago

Hi @DelusionalOptimist, are you working on this?