Support karmor install for non-k8s environment

cmd/install.go

@@ -1,20 +1,25 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2021 Authors of KubeArmor
-
 package cmd
 
 import (
 	"fmt"
-
+    "github.com/spf13/cobra"
 	"github.com/kubearmor/kubearmor-client/install"
-	"github.com/spf13/cobra"
 )
 
+var secureRuntime string
 var installOptions install.Options
 
-// installCmd represents the get command
 var installCmd = &cobra.Command{
 	Use:   "install",
+	Short: "Install KubeArmor",
+	Long:  `Install KubeArmor in either Kubernetes or non-Kubernetes mode.`,
+}
+
+// k8sInstallCmd represents the install command for Kubernetes mode
+var k8sInstallCmd = &cobra.Command{
+	Use:   "k8s",
 	Short: "Install KubeArmor in a Kubernetes Cluster",
 	Long:  `Install KubeArmor in a Kubernetes Clusters`,
 	RunE: func(cmd *cobra.Command, args []string) error {
@@ -34,6 +39,36 @@ var installCmd = &cobra.Command{
 	},
 }
 
+// nonK8sInstallCmd represents the install command for non-Kubernetes mode
+var nonK8sInstallCmd = &cobra.Command{
+	Use:   "non-k8s",
+	Short: "Install KubeArmor in non-Kubernetes mode",
+	Long: "Install KubeArmor in non-Kubernetes mode",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		availableRuntimes := install.DetectRuntimes()
+		if len(availableRuntimes) == 0 {
+			return fmt.Errorf("no supported container runtime found")
+		}
+		runtime := install.SelectRuntime(secureRuntime, availableRuntimes)
+
+		composeFilePath, err := install.EnsureComposeFile()
+		if err != nil {
+			return fmt.Errorf("failed to ensure Compose file: %v", err)
+		}
+
+		err = install.ParseAndValidateComposeFile(composeFilePath, runtime)
+		if err != nil {
+			return fmt.Errorf("error validating Compose file: %v", err)
+		}
+		err = install.RunCompose(runtime, composeFilePath)
+		if err != nil {
+			return fmt.Errorf("error running Compose file: %v", err)
+		}
+		fmt.Println("😄 KubeArmor installed successfully in non-Kubernetes mode.")
+		return nil
+	},
+}
+
 func markDeprecated(cmd *cobra.Command, flag, message string) {
 	if err := cmd.Flags().MarkDeprecated(flag, message); err != nil {
 		fmt.Printf("Error marking '%s' as deprecated: %v\n", flag, err)
@@ -42,29 +77,36 @@ func markDeprecated(cmd *cobra.Command, flag, message string) {
 
 func init() {
 	rootCmd.AddCommand(installCmd)
+	// Add subcommands for k8s and non-k8s modes
+	installCmd.AddCommand(k8sInstallCmd)
+	installCmd.AddCommand(nonK8sInstallCmd)
 
-	installCmd.Flags().StringVarP(&installOptions.Namespace, "namespace", "n", "kubearmor", "Namespace for resources")
-	installCmd.Flags().StringVarP(&installOptions.KubearmorImage, "image", "i", "kubearmor/kubearmor:stable", "Kubearmor daemonset image to use")
-	installCmd.Flags().StringVarP(&installOptions.InitImage, "init-image", "", "kubearmor/kubearmor-init:stable", "Kubearmor daemonset init container image to use")
-	installCmd.Flags().StringVarP(&installOptions.OperatorImage, "operator-image", "", "kubearmor/kubearmor-operator:stable", "Kubearmor operator container image to use")
-	installCmd.Flags().StringVarP(&installOptions.ControllerImage, "controller-image", "", "kubearmor/kubearmor-controller:stable", "Kubearmor controller image to use")
-	installCmd.Flags().StringVarP(&installOptions.RelayImage, "relay-image", "", "kubearmor/kubearmor-relay-server:stable", "Kubearmor relay image to use")
-	installCmd.Flags().StringVarP(&installOptions.KubeArmorTag, "tag", "t", "", "Change image tag/version for default kubearmor images (This will overwrite the tags provided in --image/--init-image)")
-	installCmd.Flags().StringVarP(&installOptions.KubeArmorRelayTag, "relay-tag", "", "", "Change image tag/version for default kubearmor-relay image (This will overwrite the tag provided in --relay-image)")
-	installCmd.Flags().StringVarP(&installOptions.KubeArmorControllerTag, "controller-tag", "", "", "Change image tag/version for default kubearmor-controller image (This will overwrite the tag provided in --controller-image)")
-	installCmd.Flags().StringVarP(&installOptions.KubeArmorOperatorTag, "operator-tag", "", "", "Change image tag/version for default kubearmor-operator image (This will overwrite the tag provided in --operator-image)")
-	installCmd.Flags().StringVarP(&installOptions.Audit, "audit", "a", "", "Kubearmor Audit Posture Context [all,file,network,capabilities]")
-	installCmd.Flags().StringVarP(&installOptions.Block, "block", "b", "", "Kubearmor Block Posture Context [all,file,network,capabilities]")
-	installCmd.Flags().StringVarP(&installOptions.Visibility, "viz", "", "", "Kubearmor Telemetry Visibility [process,file,network,none]")
-	installCmd.Flags().BoolVar(&installOptions.Save, "save", false, "Save KubeArmor Manifest ")
-	installCmd.Flags().BoolVar(&installOptions.Verify, "verify", true, "Verify whether all KubeArmor resources are created, running and also probes whether KubeArmor has armored the cluster or not")
-	installCmd.Flags().BoolVar(&installOptions.Local, "local", false, "Use Local KubeArmor Images (sets ImagePullPolicy to 'IfNotPresent') ")
-	installCmd.Flags().StringVarP(&installOptions.ImageRegistry, "registry", "r", "", "Image registry to use to pull the images")
-	installCmd.Flags().BoolVar(&installOptions.Legacy, "legacy", false, "Installs kubearmor in legacy mode if set to true")
-	installCmd.Flags().BoolVar(&installOptions.SkipDeploy, "skip-deploy", false, "Saves kubearmor operator CR manifest rather than deploying it")
-	installCmd.Flags().BoolVar(&installOptions.PreserveUpstream, "preserve-upstream", true, "Do not override the image registry when using -r flag, prefix only")
-	installCmd.Flags().StringVarP(&installOptions.Env.Environment, "env", "e", "", "Supported KubeArmor Environment [k0s,k3s,microK8s,minikube,gke,bottlerocket,eks,docker,oke,generic]")
-	installCmd.MarkFlagsMutuallyExclusive("verify", "save")
-	markDeprecated(installCmd, "env", "Only relevant when using legacy")
-	markDeprecated(installCmd, "legacy", "KubeArmor now utilizes operator-based installation. This command may not set up KubeArmor in the intended way.")
+    //these flags should only be availabe only for mode k8s
+	k8sInstallCmd.Flags().StringVarP(&installOptions.Namespace, "namespace", "n", "kubearmor", "Namespace for resources")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.KubearmorImage, "image", "i", "kubearmor/kubearmor:stable", "Kubearmor daemonset image to use")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.InitImage, "init-image", "", "kubearmor/kubearmor-init:stable", "Kubearmor daemonset init container image to use")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.OperatorImage, "operator-image", "", "kubearmor/kubearmor-operator:stable", "Kubearmor operator container image to use")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.ControllerImage, "controller-image", "", "kubearmor/kubearmor-controller:stable", "Kubearmor controller image to use")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.RelayImage, "relay-image", "", "kubearmor/kubearmor-relay-server:stable", "Kubearmor relay image to use")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.KubeArmorTag, "tag", "t", "", "Change image tag/version for default kubearmor images (This will overwrite the tags provided in --image/--init-image)")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.KubeArmorRelayTag, "relay-tag", "", "", "Change image tag/version for default kubearmor-relay image (This will overwrite the tag provided in --relay-image)")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.KubeArmorControllerTag, "controller-tag", "", "", "Change image tag/version for default kubearmor-controller image (This will overwrite the tag provided in --controller-image)")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.KubeArmorOperatorTag, "operator-tag", "", "", "Change image tag/version for default kubearmor-operator image (This will overwrite the tag provided in --operator-image)")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.Audit, "audit", "a", "", "Kubearmor Audit Posture Context [all,file,network,capabilities]")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.Block, "block", "b", "", "Kubearmor Block Posture Context [all,file,network,capabilities]")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.Visibility, "viz", "", "", "Kubearmor Telemetry Visibility [process,file,network,none]")
+	k8sInstallCmd.Flags().BoolVar(&installOptions.Save, "save", false, "Save KubeArmor Manifest ")
+	k8sInstallCmd.Flags().BoolVar(&installOptions.Verify, "verify", true, "Verify whether all KubeArmor resources are created, running and also probes whether KubeArmor has armored the cluster or not")
+	k8sInstallCmd.Flags().BoolVar(&installOptions.Local, "local", false, "Use Local KubeArmor Images (sets ImagePullPolicy to 'IfNotPresent') ")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.ImageRegistry, "registry", "r", "", "Image registry to use to pull the images")
+	k8sInstallCmd.Flags().BoolVar(&installOptions.Legacy, "legacy", false, "Installs kubearmor in legacy mode if set to true")
+	k8sInstallCmd.Flags().BoolVar(&installOptions.SkipDeploy, "skip-deploy", false, "Saves kubearmor operator CR manifest rather than deploying it")
+	k8sInstallCmd.Flags().BoolVar(&installOptions.PreserveUpstream, "preserve-upstream", true, "Do not override the image registry when using -r flag, prefix only")
+	k8sInstallCmd.Flags().StringVarP(&installOptions.Env.Environment, "env", "e", "", "Supported KubeArmor Environment [k0s,k3s,microK8s,minikube,gke,bottlerocket,eks,docker,oke,generic]")
+	k8sInstallCmd.MarkFlagsMutuallyExclusive("verify", "save")
+	markDeprecated(k8sInstallCmd, "env", "Only relevant when using legacy")
+	markDeprecated(k8sInstallCmd, "legacy", "KubeArmor now utilizes operator-based installation. This command may not set up KubeArmor in the intended way.")
+	//this flag --secure should only be availabe only for mode non-k8s
+    nonK8sInstallCmd.Flags().StringVar(&secureRuntime, "secure", "", "Specify the container runtime (e.g., podman, docker)")
 }
+

docker-compose.yaml

@@ -0,0 +1,83 @@
+services:
+  kubearmor:
+    cap_add:
+    - SETUID
+    - SETGID
+    - SETPCAP
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - MAC_ADMIN
+    - SYS_RESOURCE
+    - IPC_LOCK
+    - DAC_OVERRIDE
+    - DAC_READ_SEARCH
+    command:
+    - -k8s=false
+    - -enableKubeArmorPolicy
+    - -enableKubeArmorHostPolicy
+    - -visibility=process,network
+    - -hostVisibility=process,network
+    - -criSocket=unix:///run/podman/podman.sock
+    - -defaultFilePosture=audit
+    - -defaultNetworkPosture=audit
+    - -defaultCapabilitiesPosture=audit
+    - -hostDefaultFilePosture=audit
+    - -hostDefaultNetworkPosture=audit
+    - -hostDefaultCapabilitiesPosture=audit
+    container_name: kubearmor
+    depends_on:
+      kubearmor-init:
+        condition: service_completed_successfully
+    hostname: cheithanya
+    image: docker.io/cheithanya/kubearmor:latest
+    labels:
+      app: kubearmor
+    pid: host
+    ports:
+    - 32767:32767
+    privileged: true
+    pull_policy: always
+    restart: always
+    user: root
+    volumes:
+    - /tmp:/opt/kubearmor/BPF
+    - /sys/fs/bpf:/sys/fs/bpf
+    - /sys/kernel/security:/sys/kernel/security
+    - /sys/kernel/debug:/sys/kernel/debug
+    - /etc/apparmor.d:/etc/apparmor.d
+    - /var/run/docker.sock:/var/run/docker.sock
+    - /run/docker:/run/docker
+    - /var/lib/docker:/var/lib/docker
+    - /etc/containers/oci/hooks.d/:/etc/containers/oci/hooks.d/:rw
+    - /usr/share/kubearmor:/usr/share/kubearmor:rw
+    - /var/run/kubearmor:/var/run/kubearmor:rw
+  kubearmor-init:
+    cap_add:
+    - SETUID
+    - SETGID
+    - SETPCAP
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - MAC_ADMIN
+    - SYS_RESOURCE
+    - IPC_LOCK
+    - DAC_OVERRIDE
+    - DAC_READ_SEARCH
+    container_name: kubearmor-init
+    image: docker.io/cheithanya/kubearmor-init:latest
+    labels:
+      app: kubearmor-init
+    privileged: true
+    pull_policy: always
+    restart: on-failure
+    user: root
+    volumes:
+    - /tmp:/opt/kubearmor/BPF:rw,z
+    - /lib/modules:/lib/modules:ro,z
+    - /sys/fs/bpf:/sys/fs/bpf:ro,z
+    - /sys/kernel/security:/sys/kernel/security:ro,z
+    - /sys/kernel/debug:/sys/kernel/debug:ro,z
+    - /usr/src:/usr/src:z
+    - /media/root/etc/os-release:/media/root/etc/os-release:ro,z
+    - /etc/containers/oci/hooks.d/:/etc/containers/oci/hooks.d/:rw,z
+    - /usr/share/kubearmor:/usr/share/kubearmor:rw,z

go.mod

@@ -33,6 +33,7 @@ require (
 	github.com/charmbracelet/bubbles v0.17.1
 	github.com/charmbracelet/bubbletea v0.25.0
 	github.com/charmbracelet/lipgloss v0.9.1
+	github.com/compose-spec/compose-go/v2 v2.4.6
 	github.com/deckarep/golang-set/v2 v2.6.0
 	github.com/evertras/bubble-table v0.15.6
 	github.com/google/go-cmp v0.6.0
@@ -44,6 +45,7 @@ require (
 	github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator v0.0.0-20240313131335-9ae900daa38d
 	github.com/onsi/ginkgo/v2 v2.14.0
 	github.com/onsi/gomega v1.30.0
+	gopkg.in/yaml.v2 v2.4.0
 	helm.sh/helm/v3 v3.14.3
 	k8s.io/api v0.29.2
 	k8s.io/apiextensions-apiserver v0.29.2
@@ -181,6 +183,7 @@ require (
 	github.com/go-piv/piv-go v1.11.0 // indirect
 	github.com/go-sql-driver/mysql v1.7.1 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
@@ -239,6 +242,7 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mattn/go-shellwords v1.0.12 // indirect
 	github.com/mattn/go-sqlite3 v1.14.19 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
@@ -365,7 +369,6 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiserver v0.29.2 // indirect
 	k8s.io/component-base v0.29.2 // indirect

go.sum

@@ -369,6 +369,8 @@ github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUo
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
 github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ=
 github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w=
+github.com/compose-spec/compose-go/v2 v2.4.6 h1:QiqXQ2L/f0OCbAl41bPpeiGAWVRIQ+GEDrYxO+dRPhQ=
+github.com/compose-spec/compose-go/v2 v2.4.6/go.mod h1:lFN0DrMxIncJGYAXTfWuajfwj5haBJqrBkarHcnjJKc=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/cgroups/v3 v3.0.2 h1:f5WFqIVSgo5IZmtTT3qVBo6TzI1ON6sycSBKkymb9L0=
 github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxzYgkGmIcetmErE=
@@ -630,6 +632,8 @@ github.com/go-toolsmith/pkgload v1.0.0/go.mod h1:5eFArkbO80v7Z0kdngIxsRXRMTaX4Il
 github.com/go-toolsmith/strparse v1.0.0/go.mod h1:YI2nUKP9YGZnL/L1/DLFBfixrcjslWct4wyljWhSRy8=
 github.com/go-toolsmith/typep v1.0.0/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU=
 github.com/go-toolsmith/typep v1.0.2/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU=
+github.com/go-viper/mapstructure/v2 v2.0.0 h1:dhn8MZ1gZ0mzeodTG3jt5Vj/o87xZKuNAprG2mQfMfc=
+github.com/go-viper/mapstructure/v2 v2.0.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
@@ -1060,6 +1064,8 @@ github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m
 github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
+github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/mattn/go-sqlite3 v1.14.19 h1:fhGleo2h1p8tVChob4I9HpmVFIAkKGpiukdrgQbWfGI=