KubeArmor
`make run` fails in Ubuntu 24.04
Bug Report
General Information
Following the development guide on an Ubuntu 24.02 VM, the `make run` command fails with the error:
navin@navin:~/KubeArmor/KubeArmor$ make run
cd /home/navin/KubeArmor/KubeArmor; make -C ../protobuf
make[1]: Entering directory '/home/navin/KubeArmor/protobuf'
make[1]: Nothing to be done for 'build'.
make[1]: Leaving directory '/home/navin/KubeArmor/protobuf'
cd /home/navin/KubeArmor/KubeArmor; go mod tidy
cd /home/navin/KubeArmor/KubeArmor; bpftool btf dump file /sys/kernel/btf/vmlinux format c > BPF/vmlinux.h || true
if grep -q bpf '/sys/kernel/security/lsm'; then \
cd /home/navin/KubeArmor/KubeArmor; go generate ./... || true; \
fi
cd /home/navin/KubeArmor/KubeArmor; CGO_ENABLED=0 go build -ldflags "-X main.BuildDate=2024-05-17T11:35:53Z -X main.GitCommit=294ed3b2 -X main.GitBranch=main -X main.GitState=dirty -X main.GitSummary=294ed3b2-dirty" -o kubearmor main.go
cd /home/navin/KubeArmor/deployments/CRD; kubectl apply -f KubeArmorPolicy.yaml
customresourcedefinition.apiextensions.k8s.io/kubearmorpolicies.security.kubearmor.com configured
cd /home/navin/KubeArmor/deployments/CRD; kubectl apply -f KubeArmorHostPolicy.yaml
customresourcedefinition.apiextensions.k8s.io/kubearmorhostpolicies.security.kubearmor.com configured
cd /home/navin/KubeArmor/KubeArmor; sudo rm -f /tmp/kubearmor.log
cd /home/navin/KubeArmor/KubeArmor/BPF; make clean
make[1]: Entering directory '/home/navin/KubeArmor/KubeArmor/BPF'
make[1]: Leaving directory '/home/navin/KubeArmor/KubeArmor/BPF'
cd /home/navin/KubeArmor/KubeArmor/BPF; make
make[1]: Entering directory '/home/navin/KubeArmor/KubeArmor/BPF'
Kernel BTF information found
Generating vmlinux.h for kernel 6.8.0
Compiling eBPF bytecode: system_monitor.bpf.o ...
make[1]: Leaving directory '/home/navin/KubeArmor/KubeArmor/BPF'
cd /home/navin/KubeArmor/KubeArmor; DEBUG=true sudo -E ./kubearmor -logPath=/tmp/kubearmor.log -enableKubeArmorPolicy -enableKubeArmorHostPolicy -hostVisibility=process,file,network,capabilities -defaultFilePosture block -defaultCapabilitiesPosture block -defaultNetworkPosture block -hostDefaultFilePosture block -hostDefaultCapabilitiesPosture block -hostDefaultNetworkPosture block
2024-05-17 11:36:02.212986 INFO BUILD-INFO: commit: 294ed3b2, branch: main, date: 2024-05-17T11:35:53Z
2024-05-17 11:36:02.213114 INFO Arguments [bpfFsPath:/sys/fs/bpf cluster:default coverageTest:false criSocket: debug:false defaultCapabilitiesPosture:audit defaultFilePosture:audit defaultNetworkPosture:audit defaultPostureLogs:true enableKubeArmorHostPolicy:false enableKubeArmorPolicy:true enableKubeArmorStateAgent:false enableKubeArmorVm:false enforcerAlerts:true gRPC:32767 host:navin hostDefaultCapabilitiesPosture:audit hostDefaultFilePosture:audit hostDefaultNetworkPosture:audit hostVisibility:default initTimeout:60s k8s:true kubeconfig: logPath:none lsm:bpf,apparmor,selinux seLinuxProfileDir:/tmp/kubearmor.selinux tlsCertPath:/var/lib/kubearmor/tls tlsCertProvider:self tlsEnabled:false untrackedNs:kube-system,kubearmor visibility:process,file,network,capabilities]
2024-05-17 11:36:02.213184 INFO Configuration [{Cluster:default Host:navin GRPC:32767 TLSEnabled:false TLSCertPath:/var/lib/kubearmor/tls TLSCertProvider:self LogPath:/tmp/kubearmor.log SELinuxProfileDir: CRISocket: Visibility:process,file,network,capabilities HostVisibility:process,file,network,capabilities Policy:true HostPolicy:true KVMAgent:false K8sEnv:true Debug:true DefaultFilePosture:block DefaultNetworkPosture:block DefaultCapabilitiesPosture:block HostDefaultFilePosture:block HostDefaultNetworkPosture:block HostDefaultCapabilitiesPosture:block CoverageTest:false ConfigUntrackedNs:[] LsmOrder:[] BPFFsPath: EnforcerAlerts:false DefaultPostureLogs:false InitTimeout: StateAgent:false}]
2024-05-17 11:36:02.213209 INFO Final Configuration [{Cluster:default Host:navin GRPC:32767 TLSEnabled:false TLSCertPath:/var/lib/kubearmor/tls TLSCertProvider:self LogPath:/tmp/kubearmor.log SELinuxProfileDir: CRISocket: Visibility:process,file,network,capabilities HostVisibility:process,file,network,capabilities Policy:true HostPolicy:true KVMAgent:false K8sEnv:true Debug:true DefaultFilePosture:block DefaultNetworkPosture:block DefaultCapabilitiesPosture:block HostDefaultFilePosture:block HostDefaultNetworkPosture:block HostDefaultCapabilitiesPosture:block CoverageTest:false ConfigUntrackedNs:[kube-system kubearmor] LsmOrder:[bpf apparmor selinux] BPFFsPath:/sys/fs/bpf EnforcerAlerts:true DefaultPostureLogs:true InitTimeout:60s StateAgent:false}]
2024-05-17 11:36:02.213675 INFO Initialized Kubernetes client
2024-05-17 11:36:02.213747 INFO Started to monitor node events
2024-05-17 11:36:02.213761 INFO GlobalCfg.Host=navin, KUBEARMOR_NODENAME=
2024-05-17 11:36:02.213790 INFO Started watching node information
2024-05-17 11:36:03.214069 INFO Node Name: navin
2024-05-17 11:36:03.214143 INFO Node IP: 192.168.122.156
2024-05-17 11:36:03.214214 INFO Node Annotations: map[alpha.kubernetes.io/provided-node-ip:192.168.122.156 flannel.alpha.coreos.com/backend-data:{"VNI":1,"VtepMAC":"2e:8b:4a:6e:d8:ca"} flannel.alpha.coreos.com/backend-type:vxlan flannel.alpha.coreos.com/kube-subnet-manager:true flannel.alpha.coreos.com/public-ip:192.168.122.156 k3s.io/hostname:navin k3s.io/internal-ip:192.168.122.156 k3s.io/node-args:["server","--disable","traefik","--docker","--container-runtime-endpoint","unix:///var/run/docker.sock","--kubelet-arg","cgroup-driver=systemd"] k3s.io/node-config-hash:U5AJKYRLFTFYB3SEXD7CJGI6BAOUSEX3T2S6XD6AQ5EMIZSUB4DQ==== k3s.io/node-env:{"K3S_DATA_DIR":"/var/lib/rancher/k3s/data/b159f6e26663d8c92285e7bc4a6881d85bd8c81efc55eb2cf191c54100387fbb","K3S_KUBECONFIG_MODE":"644"} kubearmor-policy:enabled kubearmor-visibility:process,file,network,capabilities node.alpha.kubernetes.io/ttl:0 volumes.kubernetes.io/controller-managed-attach-detach:true]
2024-05-17 11:36:03.214239 INFO OS Image: Ubuntu 24.04 LTS
2024-05-17 11:36:03.214255 INFO Kernel Version: 6.8.0-31-generic
2024-05-17 11:36:03.214271 INFO Kubelet Version: v1.29.4+k3s1
2024-05-17 11:36:03.214288 INFO Container Runtime: docker://26.1.2
2024-05-17 11:36:03.214927 INFO Initialized KubeArmor Logger
2024-05-17 11:36:03.216974 INFO Detected mounted BPF filesystem at /sys/fs/bpf
2024-05-17 11:36:03.217298 INFO Initializing eBPF system monitor
2024-05-17 11:36:03.229466 INFO Successfully added visibility map with key={PidNS:0 MntNS:0} to the kernel
2024-05-17 11:36:03.239452 INFO Successfully added visibility map with key={PidNS:12648430 MntNS:12648430} to the kernel
2024-05-17 11:36:03.239570 INFO eBPF system monitor object file path: /home/navin/KubeArmor/KubeArmor/BPF/system_monitor.bpf.o
2024-05-17 11:36:03.389960 ERROR Failed to initialize BPF (bpf module is nil program sys_exit_openat: load program: permission denied: 4745: (85) call bpf_probe_read_str#45: R1 unbounded memory access, make sure to bounds check any such access (truncated, 816 line(s) omitted))
github.com/kubearmor/KubeArmor/KubeArmor/log.Errf
/home/navin/KubeArmor/KubeArmor/log/logger.go:108
github.com/kubearmor/KubeArmor/KubeArmor/core.(*KubeArmorDaemon).InitSystemMonitor
/home/navin/KubeArmor/KubeArmor/core/kubeArmor.go:257
github.com/kubearmor/KubeArmor/KubeArmor/core.KubeArmor
/home/navin/KubeArmor/KubeArmor/core/kubeArmor.go:532
main.main
/home/navin/KubeArmor/KubeArmor/main.go:79
runtime.main
/usr/local/go/src/runtime/proc.go:271
2024-05-17 11:36:03.390019 ERROR Failed to initialize KubeArmor Monitor
github.com/kubearmor/KubeArmor/KubeArmor/log.Err
/home/navin/KubeArmor/KubeArmor/log/logger.go:103
github.com/kubearmor/KubeArmor/KubeArmor/feeder.(*Feeder).Err
/home/navin/KubeArmor/KubeArmor/feeder/feeder.go:423
github.com/kubearmor/KubeArmor/KubeArmor/core.KubeArmor
/home/navin/KubeArmor/KubeArmor/core/kubeArmor.go:533
main.main
/home/navin/KubeArmor/KubeArmor/main.go:79
runtime.main
/usr/local/go/src/runtime/proc.go:271
2024-05-17 11:36:03.390065 INFO Stopped KubeArmor Monitor
2024-05-17 11:36:03.390071 INFO Terminated KubeArmor
2024-05-17 11:36:05.390337 INFO Stopped KubeArmor Logger
2024-05-17 11:36:05.390467 INFO Waiting for routine terminations
- Environment description (GKE, VM-Kubeadm, vagrant-dev-env, minikube, microk8s, ...): OS - Ubuntu 24.02 server (VM), K3s
- Kernel version (run `uname -a`): 6.8.0
- Orchestration system version in use (e.g. `kubectl version`, ...): K3s - v1.29.4+k3s1
- Link to relevant artifacts (policies, deployments scripts, ...):
- Target containers/pods:
To Reproduce
- Create an Ubuntu 24.02 server VM.
- Follow the self-managed kubernetes guide for K3s installation.
- Inside the `KubeArmor` directory run `make`, start the local proxy with `kubectl proxy &`, then run `make run`.
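As an added preflight check (not part of this issue or of the KubeArmor repository), the script below verifies the prerequisites that the `make run` output above depends on: kernel BTF at /sys/kernel/btf/vmlinux, `bpf` listed in /sys/kernel/security/lsm, and `bpftool` on PATH. The optional sysroot argument and the `BPFTOOL` variable are assumptions added here so the checks can be pointed at a constructed tree.

```shell
#!/bin/sh
# Preflight for the KubeArmor `make run` prerequisites seen in the build log.
# Usage: kubearmor_preflight [sysroot]
#   sysroot  - assumed optional prefix (default: the real root) so the check
#              can be run against a constructed /sys tree
#   BPFTOOL  - assumed env override for the bpftool binary name
# Prints one line per check and returns the number of failed checks.
kubearmor_preflight() {
    root="${1:-}"
    failures=0

    # 1. The BPF Makefile dumps kernel BTF to generate vmlinux.h; without it
    #    the eBPF objects (system_monitor.bpf.o) cannot be compiled.
    if [ -r "$root/sys/kernel/btf/vmlinux" ]; then
        echo "ok   kernel BTF present at $root/sys/kernel/btf/vmlinux"
    else
        echo "FAIL kernel BTF missing: vmlinux.h cannot be generated"
        failures=$((failures + 1))
    fi

    # 2. The Makefile only runs `go generate` when the BPF LSM is active
    #    (grep -q bpf /sys/kernel/security/lsm), so report its absence.
    lsm_file="$root/sys/kernel/security/lsm"
    if [ -r "$lsm_file" ] && grep -q 'bpf' "$lsm_file"; then
        echo "ok   bpf LSM active: $(cat "$lsm_file")"
    else
        echo "FAIL bpf LSM not listed in $lsm_file"
        failures=$((failures + 1))
    fi

    # 3. bpftool performs the BTF dump step in the Makefile.
    tool="${BPFTOOL:-bpftool}"
    if command -v "$tool" >/dev/null 2>&1; then
        echo "ok   $tool found on PATH"
    else
        echo "FAIL $tool not found on PATH"
        failures=$((failures + 1))
    fi

    return "$failures"
}
```

Run it before `make run` on a fresh VM; a non-zero exit tells you which of the three build-time dependencies is missing rather than letting the Makefile's `|| true` steps silently skip them.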
Expected behavior
make run should run without any errors.
Screenshots
If applicable, add screenshots to help explain your problem.
I would like to work on this issue