kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0

bug(syscalls): not receiving events for audited syscalls #1269

Open DelusionalOptimist opened 1 year ago

DelusionalOptimist commented 1 year ago

NOTE: This bug is also causing frequent failures in ginkgo tests for docker.

Bug Report

General Information

To Reproduce

  1. Deploy kubearmor using https://github.com/kubearmor/KubeArmor/blob/main/KubeArmor/build/kubearmor-test-docker.yaml - the kubearmor args in this are a possible cause.
  2. Try to generate some events. Generally, running the ksp test suite should be fine.
    cd tests/
    ginkgo --flake-attempts=5 ksp/ syscalls/
  3. In the above, the syscall test suite might fail. If it doesn't, run `karmor logs --gRPC=:32767 --operation=syscall --logFilter=all`, exec into one of the multiubuntu pods created by the above and run:
    cp `which unlink` /unlink
    touch /dummy
    unlink /dummy
  4. You won't get a log for syscall=SYS_UNLINK. However, other syscall logs like SETUID and SETGID would be working fine.

Expected behavior

Should receive logs for audited syscalls.
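An added audit-coverage self-check for the failure described above (example code, not part of this issue or of KubeArmor): it streams karmor syscall logs, triggers the same benign unlink sequence inside a container, and fails if the expected SYS_UNLINK event never arrives. It assumes karmor and docker on PATH, the :32767 gRPC endpoint from the report, a policy that audits unlink, and a constructed sample capture for the offline checks.

```shell
#!/bin/sh
# Added example, not code from the issue or from KubeArmor. Assumed: karmor and
# docker on PATH, the gRPC endpoint :32767 from the report, a policy auditing unlink.
set -eu

# Return 0 when captured karmor output holds an event for the named syscall.
# Matching is on the "syscall=SYS_<NAME>" token quoted in the report.
has_syscall_event() {
  printf '%s\n' "$2" | grep -q "syscall=SYS_$1"
}

# Print how many events for the named syscall the captured output holds (0 if none).
count_syscall_events() {
  printf '%s\n' "$2" | grep -c "syscall=SYS_$1" || true
}

# Constructed sample capture (not real karmor output) reproducing the symptom:
# SETUID/SETGID events arrive, the UNLINK event never does.
SAMPLE_CAPTURE='operation=Syscall syscall=SYS_SETUID result=Passed
operation=Syscall syscall=SYS_SETGID result=Passed
operation=Syscall syscall=SYS_SETUID result=Passed'

# Live check: capture the log stream while the trigger runs in the container.
check_unlink_audit() {
  container="$1"; grpc="${2:-:32767}"
  capture=$(mktemp)
  karmor logs --gRPC="$grpc" --operation=syscall --logFilter=all >"$capture" 2>&1 &
  karmor_pid=$!
  sleep 2   # let the stream attach before the event is generated
  docker exec "$container" sh -c 'cp "$(command -v unlink)" /unlink; touch /dummy; unlink /dummy'
  sleep 3   # allow the event to propagate
  kill "$karmor_pid" 2>/dev/null || true
  if has_syscall_event UNLINK "$(cat "$capture")"; then
    echo "OK: SYS_UNLINK audit event received"; rm -f "$capture"; return 0
  fi
  echo "MISSING: no SYS_UNLINK event; capture kept at $capture"
  return 1
}

# Run the live check only when a container name is given, so the file can be sourced.
if [ $# -gt 0 ]; then
  check_unlink_audit "$1" "${2:-:32767}"
fi
```

Run it as `sh check_unlink_audit.sh <container> [grpc-endpoint]` against a multiubuntu container; a non-zero exit means the audited syscall produced no event.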

rksharma95 commented 1 year ago

The syscall test suite is passing in CI for the k3s+docker env. https://github.com/kubearmor/KubeArmor/actions/runs/5320142460/jobs/9633972722

DelusionalOptimist commented 1 year ago

@rksharma95 yes, they don't fail all the time. However, they fail a lot. See the attempts for this commit, for example: https://github.com/kubearmor/KubeArmor/actions/runs/5241501424. Also check out the ginkgo test runs for the main branch; you'll notice that they mostly fail while running the syscalls suite: https://github.com/kubearmor/KubeArmor/actions/workflows/ci-test-ginkgo.yml?query=branch%3Amain. I've also been able to reproduce it locally. Wasn't getting any logs for the SYS_UNLINK syscall. However, one needs to generate some events before it happens.

daemon1024 commented 1 year ago

Keeping it open, since it's not properly fixed