Merge pull request #235 from bytedance/release-0.8

Release 0.8.1

Author: Danny-Wei

Makefile

@@ -28,8 +28,8 @@ CLASSIFIER_IMAGE_DEV ?= $(REPO_DEV)/$(CLASSIFIER_IMAGE_NAME):$(CLASSIFIER_IMAGE_
 
 CHART_APP_VERSION := $(VARMOR_IMAGE_TAG)
 CHART_APP_VERSION_DEV := $(GIT_VERSION)
-CHART_VERSION := $(shell echo $(CHART_APP_VERSION)| sed 's/^v//')
-CHART_VERSION_DEV := $(shell echo $(CHART_APP_VERSION_DEV)| sed 's/^v//')
+CHART_VERSION := $(shell echo $(CHART_APP_VERSION) | sed 's/^v//')
+CHART_VERSION_DEV := $(shell echo $(CHART_APP_VERSION_DEV) | sed 's/^v//')
 
 KERNEL_RELEASE = $(shell uname -r)
 APPARMOR_ABI_NAME = kernel-$(KERNEL_RELEASE)
@@ -109,8 +109,8 @@ generate-apparmor-abi: ## Generate the AppArmor feature ABI of development envir
 	cp config/apparmor.d/abi/$(APPARMOR_ABI_NAME) config/apparmor.d/abi/varmor
 
 .PHONY: manifests
-manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	@echo "[+] Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects"
+manifests: controller-gen ## Generate CustomResourceDefinition objects.
+	@echo "[+] Generate CustomResourceDefinition objects"
 	$(CONTROLLER_GEN) crd paths="./apis/varmor/..." output:crd:artifacts:config=config/crds
 	cp config/crds/* manifests/varmor/templates/crds/
 

README.ja.md

@@ -58,13 +58,13 @@ vArmorポリシーは、**AlwaysAllow、RuntimeDefault、EnhanceProtect、Behavi
 
 ### ステップ1. チャートの取得
 ```
-helm pull oci://elkeid-ap-southeast-1.cr.volces.com/varmor/varmor --version 0.8.0
+helm pull oci://elkeid-ap-southeast-1.cr.volces.com/varmor/varmor --version 0.8.1
 ```
 
 ### ステップ2. インストール
 *中国地域内では、ドメイン`elkeid-cn-beijing.cr.volces.com`を使用できます。*
 ```
-helm install varmor varmor-0.8.0.tgz \
+helm install varmor varmor-0.8.1.tgz \
     --namespace varmor --create-namespace \
     --set image.registry="elkeid-ap-southeast-1.cr.volces.com"
 ```

cmd/classifier/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.10-slim-buster
+FROM python:3.10-slim-bookworm
 
 WORKDIR /home/varmor
 

cmd/classifier/boot.sh

@@ -1,4 +1,4 @@
 #!/bin/sh
 # source venv/bin/activate
 
-gunicorn -b :5000 -w 2 wsgi:app
+gunicorn -b :${CLASSIFIER_SERVICE_PORT:-5000} -w 2 wsgi:app

cmd/varmor/Dockerfile

@@ -1,5 +1,5 @@
 ## Building AppArmor & libseccomp
-FROM debian:bookworm as apparmor-libseccomp-builder
+FROM debian:bookworm AS apparmor-libseccomp-builder
 
 LABEL maintainer="vArmor authors"
 
@@ -28,7 +28,7 @@ RUN ./autogen.sh && ./configure --prefix=/usr && \
 
 
 ## Building vArmor-ebpf
-FROM ghcr.io/cilium/ebpf-builder:1726131844 as vArmor-ebpf-builder
+FROM ghcr.io/cilium/ebpf-builder:1726131844 AS varmor-ebpf-builder
 
 RUN update-alternatives --install /usr/bin/clang clang /usr/bin/clang-17 90
 RUN update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-17 90
@@ -38,7 +38,7 @@ RUN make build-ebpf
 
 
 ## Building vArmor
-FROM golang:1.23-bookworm as vArmor-builder
+FROM golang:1.23-bookworm AS varmor-builder
 
 LABEL maintainer="vArmor authors"
 
@@ -53,10 +53,10 @@ COPY --from=apparmor-libseccomp-builder /usr/lib/libseccomp.* /usr/lib/
 COPY --from=apparmor-libseccomp-builder /usr/include/seccomp* /usr/include/
 COPY --from=apparmor-libseccomp-builder /usr/lib/libapparmor.* /usr/lib/
 COPY --from=apparmor-libseccomp-builder /usr/include/aalogparse /usr/include/aalogparse
-COPY --from=vArmor-ebpf-builder /varmor/vArmor-ebpf/pkg/processtracer/bpf_bpfel.go /varmor/pkg/processtracer
-COPY --from=vArmor-ebpf-builder /varmor/vArmor-ebpf/pkg/processtracer/bpf_bpfel.o /varmor/pkg/processtracer
-COPY --from=vArmor-ebpf-builder /varmor/vArmor-ebpf/pkg/bpfenforcer/bpf_bpfel.go /varmor/pkg/lsm/bpfenforcer
-COPY --from=vArmor-ebpf-builder /varmor/vArmor-ebpf/pkg/bpfenforcer/bpf_bpfel.o /varmor/pkg/lsm/bpfenforcer
+COPY --from=varmor-ebpf-builder /varmor/vArmor-ebpf/pkg/processtracer/bpf_bpfel.go /varmor/pkg/processtracer
+COPY --from=varmor-ebpf-builder /varmor/vArmor-ebpf/pkg/processtracer/bpf_bpfel.o /varmor/pkg/processtracer
+COPY --from=varmor-ebpf-builder /varmor/vArmor-ebpf/pkg/bpfenforcer/bpf_bpfel.go /varmor/pkg/lsm/bpfenforcer
+COPY --from=varmor-ebpf-builder /varmor/vArmor-ebpf/pkg/bpfenforcer/bpf_bpfel.o /varmor/pkg/lsm/bpfenforcer
 
 RUN apt-get update
 RUN apt-get install -y libseccomp2 libseccomp-dev
@@ -82,9 +82,9 @@ LABEL maintainer="vArmor authors"
 ARG TARGETARCH
 
 # Copy the varmor executable to the image
-COPY --from=vArmor-builder /output/ /varmor
+COPY --from=varmor-builder /output/ /varmor
 # Copy the AppArmor feature ABI file which used during development and testing the VarmorPolicy to the image
-COPY --from=vArmor-builder /varmor/config/apparmor.d/abi/varmor /varmor/apparmor.d/abi/varmor
+COPY --from=varmor-builder /varmor/config/apparmor.d/abi/varmor /varmor/apparmor.d/abi/varmor
 # Copy the AppArmor executables and tools to the image
 COPY --from=apparmor-libseccomp-builder /etc/apparmor/parser.conf /etc/apparmor/parser.conf
 COPY --from=apparmor-libseccomp-builder /etc/apparmor.d /varmor/apparmor.d

cmd/varmor/main.go

@@ -212,7 +212,7 @@ func main() {
 	}
 
 	// init a metrics
-	metricsModule := metrics.NewMetricsModule(logger.WithName("METRICS"), enableMetrics, 10)
+	metricsModule := metrics.NewMetricsModule(logger.WithName("METRICS"), enableMetrics, 10, config.MetricsServicePort)
 
 	if agent {
 		logger.WithName("SETUP").Info("vArmor agent startup")
@@ -226,18 +226,25 @@ func main() {
 			}
 		}
 
-		agentCtrl, err := varmoragent.NewAgent(
+		svcAddresses := make(map[string]string, 2)
+		if inContainer {
+			svcAddresses[config.StatusServiceName] = fmt.Sprintf("%s.%s:%d", config.StatusServiceName, config.Namespace, config.StatusServicePort)
+			svcAddresses[config.ClassifierServiceName] = fmt.Sprintf("%s.%s:%d", config.ClassifierServiceName, config.Namespace, config.ClassifierServicePort)
+		} else {
+			svcAddresses[config.StatusServiceName] = fmt.Sprintf("%s:%d", managerIP, config.StatusServicePort)
+			svcAddresses[config.ClassifierServiceName] = fmt.Sprintf("%s:%d", managerIP, config.ClassifierServicePort)
+		}
+
+		agent, err := varmoragent.NewAgent(
 			varmorClient.CrdV1beta1(),
 			varmorFactory.Crd().V1beta1().ArmorProfiles(),
 			enableBehaviorModeling,
 			enableBpfEnforcer,
 			unloadAllAaProfiles,
 			removeAllSeccompProfiles,
+			svcAddresses,
 			debugFlag,
 			inContainer,
-			managerIP,
-			config.StatusServicePort,
-			config.ClassifierServicePort,
 			auditLogPaths,
 			stopCh,
 			metricsModule,
@@ -248,20 +255,20 @@ func main() {
 			os.Exit(1)
 		}
 		varmorFactory.Start(stopCh)
-		go agentCtrl.Run(1, stopCh)
+		go agent.Run(1, stopCh)
 
 		// Wait for the manager to be ready.
 		logger.WithName("SETUP").Info("Waiting for the manager to be ready")
-		varmorutils.WaitForManagerReady(inContainer, managerIP, config.StatusServicePort)
+		agent.WaitForManagerReady()
 
 		// Set the agent to ready.
-		varmorutils.SetAgentReady()
+		agent.SetAgentReady()
 
 		logger.WithName("SETUP").Info("vArmor agent is online")
 
 		<-stopCh
 
-		agentCtrl.CleanUp()
+		agent.CleanUp()
 		logger.WithName("SETUP").Info("vArmor agent shutdown successful")
 
 	} else {
@@ -322,7 +329,7 @@ func main() {
 		mwcFactory.Start(stopCh)
 
 		// Elect a leader to register the admission webhook configurations.
-		registerWebhookConfigurations := func() {
+		registerWebhookConfigurations := func(ctx context.Context) {
 			// Only leader initializes the secrets of CA cert and TLS pair.
 			certManager.InitTLSPemPair()
 			// Only leader registers the MutatingWebhookConfiguration object.
@@ -333,12 +340,14 @@ func main() {
 			}
 		}
 		webhookRegisterLeader, err := leaderelection.New(
+			logger.WithName("webhook-register/LeaderElection"),
 			"webhook-register",
 			config.Namespace,
 			kubeClient,
+			config.Name,
+			leaderelection.DefaultRetryPeriod,
 			registerWebhookConfigurations,
-			nil,
-			logger.WithName("webhook-register/LeaderElection"))
+			nil)
 		if err != nil {
 			logger.WithName("SETUP").Error(err, "failed to elect a leader")
 			os.Exit(1)
@@ -462,7 +471,7 @@ func main() {
 		varmorFactory.Start(stopCh)
 
 		// Wrap all controllers that need leaderelection, start them once by the leader.
-		leaderRun := func() {
+		leaderRun := func(ctx context.Context) {
 			if enablePodServiceEgressControl && enableBpfEnforcer {
 				// Only the leader watches the Pod and Service IP changes.
 				go ipWatcher.Run(1, stopCh)
@@ -485,7 +494,7 @@ func main() {
 					if err != nil {
 						return err
 					}
-					return varmorutils.TagLeaderPod(kubeClient.CoreV1().Pods(config.Namespace))
+					return varmorutils.TagLeaderPod(kubeClient.CoreV1().Pods(config.Namespace), config.Name)
 				}
 				err := retry.OnError(retry.DefaultRetry, retriable, tag)
 				if err != nil {
@@ -502,7 +511,15 @@ func main() {
 			signal.RequestShutdown()
 		}
 
-		leader, err := leaderelection.New("varmor-manager", config.Namespace, kubeClient, leaderRun, leaderStop, logger.WithName("varmor-manager/LeaderElection"))
+		leader, err := leaderelection.New(
+			logger.WithName("varmor-manager/LeaderElection"),
+			"varmor-manager",
+			config.Namespace,
+			kubeClient,
+			config.Name,
+			leaderelection.DefaultRetryPeriod,
+			leaderRun,
+			leaderStop)
 		if err != nil {
 			logger.WithName("SETUP").Error(err, "failed to elect a leader")
 			os.Exit(1)