Skip to content

fix(core): enforce policies on host containers running alongside k8s#2718

Open
Athang69 wants to merge 1 commit into
kubearmor:mainfrom
Athang69:fix/enforce-host-containers-with-k8s
Open

fix(core): enforce policies on host containers running alongside k8s#2718
Athang69 wants to merge 1 commit into
kubearmor:mainfrom
Athang69:fix/enforce-host-containers-with-k8s

Conversation

@Athang69

Copy link
Copy Markdown
Contributor

Purpose of PR?:
Fixes #2320

When KubeArmor runs in K8s mode (K8sEnabled=true), containers running directly on the host without K8s orchestration (e.g. via ctr run or docker run) were not getting endpoints created or policies enforced. All endpoint creation and policy matching was gated behind !dm.K8sEnabled, so host containers were silently skipped when K8s was also running.

Does this PR introduce a breaking change?
No. The fix only extends the existing non-K8s container handling path to also cover host containers running alongside K8s. Normal K8s pod containers (whose NamespaceName is a real K8s namespace like default or kube-system) are unaffected and continue using the K8s watcher path.

If the changes in this PR are manually verified, list down the scenarios covered:
Unit tests added in KubeArmor/core/hostContainerEnforcement_test.go cover the following scenarios:

  • TestHostContainerNamespaceDetection: verifies that non-K8s host containers are correctly identified with NamespaceName="container_namespace" when the io.kubernetes.pod.namespace label is absent, and that real K8s pod containers get their actual namespace name.
  • TestEndpointCreationCondition/k8s_mode,_host_container_-_THE_FIX: verifies that with K8sEnabled=true and NamespaceName="container_namespace", the endpoint creation condition evaluates to true (the core fix for enforce on containers running on host even if k8s is running #2320).
  • TestEndpointCreationCondition/k8s_mode,_real_k8s_pod: verifies that real K8s pods (NamespaceName="default") correctly skip the host container path and use the K8s watcher path instead (no regression).
  • TestK8sPodContainerNotAffected: verifies that K8s pods across multiple namespaces (default, kube-system, production, monitoring) are never accidentally routed through the host container enforcement path.

All 3 tests pass
Screenshot from 2026-06-29 10-11-35

Additional information for reviewer?:
The root cause was that in containerdHandler.go, dockerHandler.go, crioHandler.go, and nriHandler.go, the blocks responsible for creating endpoints and matching security policies were all gated behind !dm.K8sEnabled. Non-K8s containers running on a K8s host were tracked in dm.Containers but never got an endpoint, so no policies were ever enforced on them. The fix changes this condition from !dm.K8sEnabled to !dm.K8sEnabled || container.NamespaceName == "container_namespace" in all four handlers. The discriminator container_namespace is already set by each handler's GetContainerInfo when the io.kubernetes.pod.namespace label is absent.

Checklist:

  • Bug fix. Fixes enforce on containers running on host even if k8s is running #2320
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of fix(core): enforce policies on host containers running alongside k8s
  • Commit has unit tests
  • Commit has integration tests

Copilot AI review requested due to automatic review settings June 29, 2026 04:47

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

Signed-off-by: Athang69 <athangkali21@gmail.com>
@Athang69
Athang69 force-pushed the fix/enforce-host-containers-with-k8s branch from 1941b42 to f5080d9 Compare June 29, 2026 04:48
@Athang69

Copy link
Copy Markdown
Contributor Author

@Aryan-sharma11 PTAL whenever convenient.
Thanks!

@Aryan-sharma11
Aryan-sharma11 self-requested a review July 1, 2026 07:52
@Athang69

Copy link
Copy Markdown
Contributor Author

Validation

Tested the fix locally by building and running the patched binary from fix/enforce-host-containers-with-k8s branch.

Setup:

  • KubeArmor running with -k8s=false -criSocket=unix:///var/run/docker.sock -enableKubeArmorPolicy=true
  • Plain Docker container proof-host-container started via sudo docker run -d --name proof-host-container ubuntu:22.04 sleep infinity (no K8s orchestration, simulating the issue scenario)

What was verified:

  1. KubeArmor detects the host container (added/59bda15b7017)
  2. The container is tracked with namespaceName=container_namespace - the discriminator our fix uses to identify non-K8s host containers
  3. KubeArmor generates ContainerLog entries for it, confirming it is monitored and policy enforcement applies

Screenshot 1 - Runtime validation (container detected + identity confirmed):

Screenshot from 2026-07-12 09-28-24

Screenshot 2 - Unit tests passing (all 3 tests pass including the core fix test):

image

@Athang69

Copy link
Copy Markdown
Contributor Author

@Aryan-sharma11 I've added the validation screenshots PTAL.
Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

enforce on containers running on host even if k8s is running

2 participants