Closed Ankurk99 closed 1 month ago
Hi @Ankurk99 would love to pick up this one
Hi @Ankurk99, the probing for KubeArmor support happens only when KubeArmor is not running, doesn't it?
$ karmor probe
Didn't find KubeArmor in systemd or Kubernetes, probing for support for KubeArmor
Host:
Observability/Audit: Supported (Kernel Version 5.15.0)
Enforcement: Full (Supported LSMs: lockdown,capability,landlock,yama,apparmor)
So, when KubeArmor is not running, the new requirement is that karmor sysdump creates a new file with the node support information. Or is there an existing file which we can use, like node-info.yaml?
Hi @Ankurk99, to my understanding this function has to be included into the sysdump file. Is this correct?
As I see, the node information in the given image obtained by running "karmor probe" is to be included in the output dump of "karmor sysdump". Am I correct, @Ankurk99?
@rootxrishabh Ideally we would love to see everything from the karmor probe in sysdump, including if the KubeArmor is running fine and the image versions.
Sysdump shows inconsistent behaviour while running. As shown below.
Hi @rootxrishabh, are you still working on it? I would like to take this up. @Ankurk99 are you talking about the output to stdout or to the zip created?
Hey @sheharyaar, not working on this as of now, go ahead : )
@sheharyaar Ideally, both.
Thanks for assigning this, will follow up if I have a query or a PR is ready.
I checked that karmor probe accepts namespace, format string, grpc and other flags. So how do I tackle those in karmor sysdump: do I default the namespace to kubearmor and the --full flag to true, or do I add these flags to sysdump? @Ankurk99
Also, would the probe dump be in yaml format or just a raw stdout dump (karmor-probe.dump)? @Ankurk99
I am interested in working on this issue! @Ankurk99
@DelusionalOptimist @daemon1024
Description
Currently, the output generated by karmor sysdump doesn't contain information about the node's support for KubeArmor (available LSMs, the mode of enforcement, etc.), which is already a part of karmor probe. The aim is to get that output as a part of karmor sysdump.