adding dockerfile chnages + host-scanner deployment

build/Dockerfile

@@ -1,20 +1,40 @@
+# Builder stage
 FROM --platform=$BUILDPLATFORM golang:1.21-bullseye as builder
 
+# Set environment variables
 ENV GO111MODULE=on CGO_ENABLED=0
 WORKDIR /work
 ARG TARGETOS TARGETARCH
+ARG BUILD_VERSION
 
+# Build node-agent
+COPY . /work/node-agent
 RUN --mount=target=. \
     --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg \
     GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/node-agent .
 
+# Build kube-host-sensor
+COPY . /work/kube-host-sensor
+RUN --mount=target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/kube-host-sensor --ldflags "-w -s -X main.BuildVersion=$BUILD_VERSION" .
+
+# Final stage
 FROM gcr.io/distroless/static-debian11:latest
 
+# Copy built applications
 COPY --from=builder /out/node-agent /usr/bin/node-agent
+COPY --from=builder /out/kube-host-sensor /usr/bin/kube-host-sensor
 
+# Set environment variables
 ARG image_version
 ENV RELEASE=$image_version
 
+# Set up working directory
 WORKDIR /root
-ENTRYPOINT ["node-agent"]
+
+# Define entrypoint
+# NOTE: This needs to be adjusted if both applications can't run simultaneously
+ENTRYPOINT ["node-agent"]

build/Dockerfile_hostscanner

@@ -0,0 +1,21 @@
+FROM --platform=$BUILDPLATFORM golang:1.20-bullseye as builder
+
+ARG BUILD_VERSION
+ENV GO111MODULE=on CGO_ENABLED=0
+WORKDIR /work
+ARG TARGETOS TARGETARCH
+
+RUN --mount=target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/kube-host-sensor --ldflags "-w -s -X main.BuildVersion=$BUILD_VERSION" .
+
+FROM gcr.io/distroless/static-debian11:latest
+
+COPY --from=builder /out/kube-host-sensor /usr/bin/kube-host-sensor
+
+ARG image_version
+ENV RELEASE=$image_version
+
+WORKDIR /root
+ENTRYPOINT ["kube-host-sensor"]

build/Dockerfile_nodeagent

@@ -0,0 +1,20 @@
+FROM --platform=$BUILDPLATFORM golang:1.21-bullseye as builder
+
+ENV GO111MODULE=on CGO_ENABLED=0
+WORKDIR /work
+ARG TARGETOS TARGETARCH
+
+RUN --mount=target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/node-agent .
+
+FROM gcr.io/distroless/static-debian11:latest
+
+COPY --from=builder /out/node-agent /usr/bin/node-agent
+
+ARG image_version
+ENV RELEASE=$image_version
+
+WORKDIR /root
+ENTRYPOINT ["node-agent"]

deployment/host-scanner.yaml

@@ -0,0 +1,75 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app: kubescape-host-scanner
+    k8s-app: kubescape-host-scanner
+    kubernetes.io/metadata.name: kubescape-host-scanner
+    tier: kubescape-host-scanner-control-plane
+  name: kubescape
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: host-scanner
+  namespace: kubescape
+  labels:
+    app: host-scanner
+    k8s-app: kubescape-host-scanner
+    otel: enabled
+spec:
+  selector:
+    matchLabels:
+      name: host-scanner
+  template:
+    metadata:
+      labels:
+        name: host-scanner
+    spec:
+      tolerations:
+      # this toleration is to have the DaemonSet runnable on all nodes (including masters)
+      # remove it if your masters can't run pods
+      - operator: Exists
+      containers:
+      - name: host-sensor
+        image: quay.io/kubescape/host-scanner:test
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+          readOnlyRootFilesystem: true
+          procMount: Unmasked
+        ports:
+          - name: scanner # Do not change port name
+            containerPort: 7888
+            protocol: TCP
+        resources:
+          limits:
+            cpu: 0.1m
+            memory: 200Mi
+          requests:
+            cpu: 1m
+            memory: 200Mi
+        volumeMounts:
+        - mountPath: /host_fs
+          name: host-filesystem
+        startupProbe:
+          httpGet:
+            path: /readyz
+            port: 7888
+          failureThreshold: 30
+          periodSeconds: 1
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 7888
+          periodSeconds: 10
+      terminationGracePeriodSeconds: 120
+      dnsPolicy: ClusterFirstWithHostNet
+      automountServiceAccountToken: false
+      volumes:
+      - hostPath:
+          path: /
+          type: Directory
+        name: host-filesystem
+      hostPID: true
+      hostIPC: true

go.mod

@@ -33,11 +33,12 @@ require (
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
+	github.com/BurntSushi/toml v1.3.2
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/Microsoft/hcsshim v0.12.0-rc.1 // indirect
 	github.com/armosec/armoapi-go v0.0.254 // indirect
 	github.com/armosec/gojay v1.2.15 // indirect
-	github.com/armosec/utils-go v0.0.40 // indirect
+	github.com/armosec/utils-go v0.0.40
 	github.com/briandowns/spinner v1.23.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/containerd/cgroups/v3 v3.0.2 // indirect
@@ -48,7 +49,7 @@ require (
 	github.com/containerd/ttrpc v1.2.2 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/coreos/go-oidc v2.2.1+incompatible // indirect
-	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.5.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
@@ -67,7 +68,7 @@ require (
 	github.com/go-openapi/jsonpointer v0.20.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
-	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/godbus/dbus/v5 v5.1.0
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
@@ -83,9 +84,11 @@ require (
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jarcoal/httpmock v1.3.1
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.17.3 // indirect
+	github.com/kubescape/host-scanner v0.0.0-20230815131417-6e97c07e07da
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -130,6 +133,7 @@ require (
 	github.com/uptrace/opentelemetry-go-extra/otelzap v0.2.2 // indirect
 	github.com/uptrace/uptrace-go v1.18.0 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
+	github.com/weaveworks/procspy v0.0.0-20150706124340-cb970aa190c3
 	github.com/xlab/treeprint v1.2.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/runtime v0.44.0 // indirect
@@ -165,7 +169,7 @@ require (
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/cli-runtime v0.28.4 // indirect
 	k8s.io/cri-api v0.28.4 // indirect
 	k8s.io/klog/v2 v2.110.1 // indirect
@@ -175,7 +179,7 @@ require (
 	sigs.k8s.io/kustomize/api v0.14.0 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.14.3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	sigs.k8s.io/yaml v1.4.0
 )
 
 replace github.com/vishvananda/netns => github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6

go.sum

@@ -50,6 +50,8 @@ github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
+github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
@@ -287,6 +289,8 @@ github.com/inspektor-gadget/inspektor-gadget v0.23.1 h1:lAo+6I79E7qYVkeoi1IhDviL
 github.com/inspektor-gadget/inspektor-gadget v0.23.1/go.mod h1:ciFeohyRWA1ZFnv2SdDVUAg3KclJsa1ZGiXqhL2rC5g=
 github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6 h1:fQqkJ+WkYfzy6BoUh32fr9uYrXfOGtsfw0skMQkfOic=
 github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+github.com/jarcoal/httpmock v1.3.1 h1:iUx3whfZWVf3jT01hQTO/Eo5sAYtB2/rqaUuOtpInww=
+github.com/jarcoal/httpmock v1.3.1/go.mod h1:3yb8rc4BI7TCBhFY8ng0gjuLKJNquuDNiPaZjnENuYg=
 github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
@@ -315,6 +319,8 @@ github.com/kubescape/backend v0.0.16 h1:bkQGY39GSoNIeFfnAJ2zlcrGEyXk6LGYv1/MgS51
 github.com/kubescape/backend v0.0.16/go.mod h1:ug9NFmmxT4DcQx3sgdLRzlLPWMKGHE/fpbcYUm5G5Qo=
 github.com/kubescape/go-logger v0.0.22 h1:gle7wH6emOiGv9ljdpVi82pWLQ3jGucrUucvil6JXHE=
 github.com/kubescape/go-logger v0.0.22/go.mod h1:x3HBpZo3cMT/WIdy18BxvVVd5D0e/PWFVk/HiwBNu3g=
+github.com/kubescape/host-scanner v0.0.0-20230815131417-6e97c07e07da h1:7C6TX/i078UouHAMibUEePmRZmhoHinY3y61RfaFVRI=
+github.com/kubescape/host-scanner v0.0.0-20230815131417-6e97c07e07da/go.mod h1:HrTFA+wNEJzQWrxS+zPGEHDC0+Nsnl7WZd9XGjSXM1I=
 github.com/kubescape/k8s-interface v0.0.152 h1:1tm2zPYVK7+1fewpca0/MCoK3TgUNButpM3F3uZz6yo=
 github.com/kubescape/k8s-interface v0.0.152/go.mod h1:5sz+5Cjvo98lTbTVDiDA4MmlXxeHSVMW/wR0V3hV4K8=
 github.com/kubescape/storage v0.0.39 h1:zxdu6pQ/8Fdzp0Er0yX+KWApMYvNZh9y7ONWyJcbb08=
@@ -333,6 +339,8 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g=
+github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
 github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
@@ -489,6 +497,8 @@ github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49u
 github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM=
 github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
 github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
+github.com/weaveworks/procspy v0.0.0-20150706124340-cb970aa190c3 h1:UC4iN/yCDCObTBhKzo34/R2U6qptTPmqbzG6UiQVMUQ=
+github.com/weaveworks/procspy v0.0.0-20150706124340-cb970aa190c3/go.mod h1:cJTfuBcxkdbj8Mabk4PPdaf0AXv9TYEJmkFxKcWxYY4=
 github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
 github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

pkg/sensor/CNI.go

@@ -0,0 +1,103 @@
+package sensor
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+
+	sensorDs "node-agent/pkg/sensor/datastructures"
+	sensorUtils "node-agent/pkg/sensor/internal/utils"
+)
+
+// KubeProxyInfo holds information about kube-proxy process
+type CNIInfo struct {
+	CNIConfigFiles []*sensorDs.FileInfo `json:"CNIConfigFiles,omitempty"`
+
+	// The name of the running CNI
+	CNINames []string `json:"CNINames,omitempty"`
+}
+
+// SenseCNIInfo return `CNIInfo`
+func SenseCNIInfo(ctx context.Context) (*CNIInfo, error) {
+	var err error
+	ret := CNIInfo{}
+
+	// make cni config files
+	CNIConfigInfo, err := makeCNIConfigFilesInfo(ctx)
+
+	if err != nil {
+		logger.L().Ctx(ctx).Warning("SenseCNIInfo", helpers.Error(err))
+	} else {
+		ret.CNIConfigFiles = CNIConfigInfo
+	}
+
+	// get CNI name
+	ret.CNINames = getCNINames(ctx)
+
+	return &ret, nil
+}
+
+// makeCNIConfigFilesInfo - returns a list of FileInfos of cni config files.
+func makeCNIConfigFilesInfo(ctx context.Context) ([]*sensorDs.FileInfo, error) {
+	// *** Start handling CNI Files
+	kubeletProc, err := LocateKubeletProcess()
+	if err != nil {
+		return nil, err
+	}
+
+	CNIConfigDir := sensorUtils.GetCNIConfigPath(ctx, kubeletProc)
+
+	if CNIConfigDir == "" {
+		return nil, fmt.Errorf("no CNI Config dir found in getCNIConfigPath")
+	}
+
+	//Getting CNI config files
+	CNIConfigInfo, err := makeHostDirFilesInfoVerbose(ctx, CNIConfigDir, true, nil, 0)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to makeHostDirFilesInfo for CNIConfigDir %s: %w", CNIConfigDir, err)
+	}
+
+	if len(CNIConfigInfo) == 0 {
+		logger.L().Debug("SenseCNIInfo - no cni config files were found.",
+			helpers.String("path", CNIConfigDir))
+	}
+
+	return CNIConfigInfo, nil
+}
+
+// getCNIName - looking for CNI process and return CNI name, or empty if not found.
+func getCNINames(ctx context.Context) []string {
+	var CNIs []string
+	supportedCNIs := []struct {
+		name          string
+		processSuffix string
+	}{
+		{"aws", "aws-k8s-agent"}, // aws VPC CNI agent
+		// 'canal' CNI "sets up Calico to handle policy management and Flannel to manage the network itself". Therefore, we will first
+		// check "calico" (which supports network policies and indicates for either 'canal' or 'calico') and then flannel.
+		{"Calico", "calico-node"},
+		{"Flannel", "flanneld"},
+		{"Cilium", "cilium-agent"},
+		{"WeaveNet", "weave-net"},
+		{"Kindnet", "kindnetd"},
+		{"Multus", "multus"},
+	}
+
+	for _, cni := range supportedCNIs {
+		p, _ := sensorUtils.LocateProcessByExecSuffix(cni.processSuffix)
+
+		if p != nil {
+			logger.L().Debug("CNI process found", helpers.String("name", cni.name))
+			CNIs = append(CNIs, cni.name)
+		}
+	}
+
+	if len(CNIs) == 0 {
+		logger.L().Warning("No CNI found")
+	}
+
+	return CNIs
+}