cmd/tetragon: add a RuntimeSecurityPolicy via flag
Also add common helpers like FromFile().

Signed-off-by: Mahe Tardy <[email protected]>
mtardy committed Jun 6, 2024
1 parent 29dbd92 commit eb9b550
Showing 4 changed files with 66 additions and 13 deletions.
27 changes: 27 additions & 0 deletions cmd/tetragon/main.go
Expand Up @@ -48,6 +48,7 @@ import (
"github.com/cilium/tetragon/pkg/reader/namespace"
"github.com/cilium/tetragon/pkg/reader/proc"
"github.com/cilium/tetragon/pkg/rthooks"
"github.com/cilium/tetragon/pkg/runtimesecuritypolicy"
"github.com/cilium/tetragon/pkg/sensors/base"
"github.com/cilium/tetragon/pkg/sensors/program"
"github.com/cilium/tetragon/pkg/server"
Expand Down Expand Up @@ -481,6 +482,13 @@ func tetragonExecute() error {
}
}

if len(option.Config.RuntimeSecurityPolicy) > 0 {
err = addRuntimeSecurityPolicy(ctx, option.Config.RuntimeSecurityPolicy)
if err != nil {
return err
}
}

// k8s should have metrics, so periodically log only in a non k8s
if !option.Config.EnableK8s {
go logStatus(ctx, obs)
Expand Down Expand Up @@ -584,6 +592,25 @@ func loadTpFromDir(ctx context.Context, dir string) error {
return err
}

func addRuntimeSecurityPolicy(ctx context.Context, file string) error {
tp, err := runtimesecuritypolicy.FromFileToTracingPolicy(file)
if err != nil {
return err
}

err = observer.GetSensorManager().AddTracingPolicy(ctx, tp)
if err != nil {
return err
}

logger.GetLogger().WithFields(logrus.Fields{
"RuntimeSecurityPolicy": file,
"metadata.name": tp.Name,
}).Info("Added RuntimeSecurityPolicy with success")

return nil
}

func addTracingPolicy(ctx context.Context, file string) error {
f, err := filepath.Abs(filepath.Clean(file))
if err != nil {
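Review bot: addRuntimeSecurityPolicy hands the flag value to FromFileToTracingPolicy and to the `RuntimeSecurityPolicy` log field exactly as given, whereas addTracingPolicy two lines below first normalizes its input with `filepath.Abs(filepath.Clean(file))`; resolving the path the same way here keeps the log record and any error unambiguous about which policy file was actually applied, which is what an operator reconstructing the active policy set will rely on. The two error returns also drop context: `return fmt.Errorf("loading runtime security policy %q: %w", file, err)` and `return fmt.Errorf("adding runtime security policy %q: %w", file, err)` would name the file on the failure path (assuming fmt is already imported in main.go, which this hunk does not show). addTracingPolicy starts at the end of this hunk and continues outside it, and the call site in tetragonExecute sits in a hunk whose enclosing function is likewise cut at both edges.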
11 changes: 6 additions & 5 deletions pkg/option/config.go
Expand Up @@ -46,11 +46,12 @@ type config struct {
ProcessCacheSize int
DataCacheSize int

MetricsServer string
MetricsLabelFilter metrics.LabelFilter
ServerAddress string
TracingPolicy string
TracingPolicyDir string
MetricsServer string
MetricsLabelFilter metrics.LabelFilter
ServerAddress string
TracingPolicy string
TracingPolicyDir string
RuntimeSecurityPolicy string

ExportFilename string
ExportFileMaxSizeMB int
20 changes: 12 additions & 8 deletions pkg/option/flags.go
Expand Up @@ -36,14 +36,15 @@ const (
KeyK8sKubeConfigPath = "k8s-kubeconfig-path"
KeyEnableProcessAncestors = "enable-process-ancestors"

KeyMetricsServer = "metrics-server"
KeyMetricsLabelFilter = "metrics-label-filter"
KeyServerAddress = "server-address"
KeyGopsAddr = "gops-address"
KeyEnableProcessCred = "enable-process-cred"
KeyEnableProcessNs = "enable-process-ns"
KeyTracingPolicy = "tracing-policy"
KeyTracingPolicyDir = "tracing-policy-dir"
KeyMetricsServer = "metrics-server"
KeyMetricsLabelFilter = "metrics-label-filter"
KeyServerAddress = "server-address"
KeyGopsAddr = "gops-address"
KeyEnableProcessCred = "enable-process-cred"
KeyEnableProcessNs = "enable-process-ns"
KeyTracingPolicy = "tracing-policy"
KeyTracingPolicyDir = "tracing-policy-dir"
KeyRuntimeSecurityPolicy = "runtime-security-policy"

KeyCpuProfile = "cpuprofile"
KeyMemProfile = "memprofile"
Expand Down Expand Up @@ -197,6 +198,7 @@ func ReadAndSetFlags() error {
Config.EnableRuntimeSecurityPolicyCRD = viper.GetBool(KeyEnableRuntimeSecurityPolicyCRD)

Config.TracingPolicy = viper.GetString(KeyTracingPolicy)
Config.RuntimeSecurityPolicy = viper.GetString(KeyRuntimeSecurityPolicy)

switch viper.GetString(KeyUsernameMetadata) {
case "unix":
Expand Down Expand Up @@ -303,6 +305,8 @@ func AddFlags(flags *pflag.FlagSet) {

flags.String(KeyTracingPolicyDir, defaults.DefaultTpDir, "Directory from where to load Tracing Policies")

flags.String(KeyRuntimeSecurityPolicy, "", "Runtime security policy file to load at startup")

// Options for debugging/development, not visible to users
flags.String(KeyCpuProfile, "", "Store CPU profile into provided file")
flags.MarkHidden(KeyCpuProfile)
21 changes: 21 additions & 0 deletions pkg/runtimesecuritypolicy/validation.go
Expand Up @@ -2,6 +2,7 @@ package runtimesecuritypolicy

import (
"fmt"
"os"
"sync"

"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client"
Expand Down Expand Up @@ -110,6 +111,26 @@ func FromYAMLToTracingPolicy(data []byte) (*RuntimeSecurityTracingPolicy, error)
return ToTracingPolicy(*rsp)
}

func FromFile(path string) (*v1alpha1.RuntimeSecurityPolicy, error) {
policy, err := os.ReadFile(path)
if err != nil {
return nil, err
}
tp, err := FromYAML(policy)
if err != nil {
return nil, fmt.Errorf("failed loading runtime security policy file %q: %w", path, err)
}
return tp, nil
}

func FromFileToTracingPolicy(path string) (*RuntimeSecurityTracingPolicy, error) {
rsp, err := FromFile(path)
if err != nil {
return nil, err
}
return ToTracingPolicy(*rsp)
}

func ValidateCRD(policy v1alpha1.RuntimeSecurityPolicy) (*validate.Result, error) {
metaErrors := ValidateCRDMeta(policy)

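Review bot: FromFile and FromFileToTracingPolicy are exported but carry no doc comment; add `// FromFile reads the file at path and parses it with FromYAML.` above the first and `// FromFileToTracingPolicy loads the policy at path with FromFile and converts it with ToTracingPolicy.` above the second. As a point of style, the local `tp` in FromFile holds a *v1alpha1.RuntimeSecurityPolicy rather than a tracing policy, so the name `rsp` that FromFileToTracingPolicy already uses would read better, and the `failed loading` prefix in the wrapped error is redundant once the chain is printed: `return nil, fmt.Errorf("parsing runtime security policy file %q: %w", path, err)`. The unwrapped os.ReadFile error already carries the path through *os.PathError, so that return is fine as written.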
