assemblyline-core 4.5.1.dev426__tar.gz → 4.5.1.dev434__tar.gz

{assemblyline_core-4.5.1.dev426 → assemblyline_core-4.5.1.dev434}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: assemblyline-core
-Version: 4.5.1.dev426
+Version: 4.5.1.dev434
 Summary: Assemblyline 4 - Core components
 Home-page: https://github.com/CybercentreCanada/assemblyline-core/
 Author: CCCS Assemblyline development team

assemblyline_core-4.5.1.dev434/assemblyline_core/VERSION

@@ -0,0 +1 @@
+4.5.1.dev434

{assemblyline_core-4.5.1.dev426 → assemblyline_core-4.5.1.dev434}/assemblyline_core/replay/loader/run.py

@@ -86,8 +86,8 @@ class ReplayLoader(ReplayBase):
         self.maintain_threads(threads)
 
     def stop(self):
-        super().stop()
         self.cache.close()
+        return super().stop()
 
 
 if __name__ == '__main__':

{assemblyline_core-4.5.1.dev426 → assemblyline_core-4.5.1.dev434}/assemblyline_core/scaler/controllers/interface.py

@@ -1,7 +1,6 @@
 from __future__ import annotations
 from typing import TYPE_CHECKING, Optional
 
-
 if TYPE_CHECKING:
     from assemblyline_core.scaler.scaler_server import ServiceProfile
 
@@ -12,14 +11,6 @@ class ServiceControlError(RuntimeError):
         self.service_name = service_name
 
 
-class ContainerEvent:
-    def __init__(self, object_name: str, message: str, service_name=None, updater=None) -> None:
-        self.object_name = object_name
-        self.message = message
-        self.service_name = service_name
-        self.updater = updater
-
-
 class ControllerInterface:
     def add_profile(self, profile, scale=0):
         """Tell the controller about a service profile it needs to manage."""
@@ -59,7 +50,7 @@ class ControllerInterface:
     def get_running_container_names(self):
         raise NotImplementedError()
 
-    def new_events(self) -> list[ContainerEvent]:
+    def new_events(self):
         return []
 
     def stateful_container_key(self, service_name: str, container_name: str, spec, change_key: str) -> Optional[str]:

{assemblyline_core-4.5.1.dev426 → assemblyline_core-4.5.1.dev434}/assemblyline_core/scaler/controllers/kubernetes_ctl.py

@@ -26,11 +26,12 @@ from kubernetes.client import V1Deployment, V1DeploymentSpec, V1PodTemplateSpec,
     V1PersistentVolumeClaimSpec, V1NetworkPolicy, V1NetworkPolicySpec, V1NetworkPolicyEgressRule, V1NetworkPolicyPeer, \
     V1NetworkPolicyIngressRule, V1Secret, V1SecretVolumeSource, V1LocalObjectReference, V1Service, \
     V1ServiceSpec, V1ServicePort, V1PodSecurityContext, V1Probe, V1ExecAction, V1SecurityContext, \
-    V1Affinity, V1NodeAffinity, V1NodeSelector, V1NodeSelectorTerm, V1NodeSelectorRequirement, CoreV1Event, V1Toleration
+    V1Affinity, V1NodeAffinity, V1NodeSelector, V1NodeSelectorTerm, V1NodeSelectorRequirement, V1Toleration, \
+    V1Capabilities, V1SeccompProfile
 from kubernetes.client.rest import ApiException
 from assemblyline.odm.models.service import DependencyConfig, DockerConfig, PersistentVolume
 
-from assemblyline_core.scaler.controllers.interface import ContainerEvent, ControllerInterface
+from assemblyline_core.scaler.controllers.interface import ControllerInterface
 
 # RESERVE_MEMORY_PER_NODE = os.environ.get('RESERVE_MEMORY_PER_NODE')
 
@@ -45,6 +46,14 @@ SERVICE_LIVENESS_TIMEOUT = int(os.environ.get('SERVICE_LIVENESS_TIMEOUT', 60))
 UNPRIVILEGED_SERVICE_ACCOUNT_NAME = os.environ.get('UNPRIVILEGED_SERVICE_ACCOUNT_NAME', None)
 PRIVILEGED_SERVICE_ACCOUNT_NAME = os.environ.get('PRIVILEGED_SERVICE_ACCOUNT_NAME', None)
 CERTIFICATE_VALIDITY_PERIOD = int(os.environ.get('CERTIFICATE_VALIDITY_PERIOD', '36500'))
+RESTRICTED_POD_SECURITY_CONTEXT = V1SecurityContext(
+    run_as_user=1000,
+    run_as_group=1000,
+    capabilities=V1Capabilities(drop=["ALL"]),
+    run_as_non_root=True,
+    allow_privilege_escalation=False,
+    seccomp_profile=V1SeccompProfile(type="RuntimeDefault")
+)
 
 AL_ROOT_CA = os.environ.get('AL_ROOT_CA', '/etc/assemblyline/ssl/al_root-ca.crt')
 AL_ROOT_CA_PK = os.environ.get('AL_ROOT_CA_PK', '/etc/assemblyline/ssl/al_root-ca.key')
@@ -241,7 +250,8 @@ def parse_cpu(string: str) -> float:
 class KubernetesController(ControllerInterface):
     def __init__(self, logger, namespace: str, prefix: str, priority: str, dependency_priority: str,
                  cpu_reservation: float, linux_node_selector: Selector, labels=None, log_level="INFO", core_env={},
-                 default_service_account=None, cluster_pod_list=True, default_service_tolerations = [],
+                 default_service_account=None, cluster_pod_list=True, enable_pod_security=False,
+                 default_service_tolerations=[],
                  priv_labels=None):
         # Try loading a kubernetes connection from either the fact that we are running
         # inside of a cluster, or have a config file that tells us how
@@ -264,7 +274,7 @@ class KubernetesController(ControllerInterface):
             config.load_kube_config(client_configuration=cfg)
 
         self.running: bool = True
-        self.prefix: str = prefix.lower().replace('_', '-')
+        self.prefix: str = prefix.lower()
         self.priority: str = priority
         self.dependency_priority: str = dependency_priority
         self.cpu_reservation: float = max(0.0, min(cpu_reservation, 1.0))
@@ -287,6 +297,7 @@ class KubernetesController(ControllerInterface):
         self._service_limited_env: dict[str, dict[str, str]] = defaultdict(dict)
         self.default_service_account: Optional[str] = default_service_account
         self.cluster_pod_list = cluster_pod_list
+        self.security_policy = RESTRICTED_POD_SECURITY_CONTEXT if enable_pod_security else None
         self.default_service_tolerations = [V1Toleration(**toleration.as_primitives()) for toleration in default_service_tolerations]
 
         # A record of previously reported events so that we don't report the same message repeatedly, fill it with
@@ -396,7 +407,8 @@ class KubernetesController(ControllerInterface):
         """Tell the controller about a service profile it needs to manage."""
         self._create_deployment(profile.name, self._deployment_name(profile.name),
                                 profile.container_config, profile.shutdown_seconds, scale,
-                                change_key=profile.config_blob, core_mounts=profile.privileged)
+                                change_key=profile.config_blob, core_mounts=profile.privileged,
+                                security_context=self.security_policy),
         self._external_profiles[profile.name] = profile
 
     def _loop_forever(self, function):
@@ -679,7 +691,7 @@ class KubernetesController(ControllerInterface):
             return self._quota_mem_limit - self._get_pod_used_namespace_ram(), self._quota_mem_limit
         return self._node_pool_max_ram - self._get_pod_used_ram(), self._node_pool_max_ram
 
-    def _create_containers(self, service_name: str, deployment_name: str, container_config, mounts,
+    def _create_containers(self, service_name: str, deployment_name: str, container_config, mounts, security_context,
                            core_container=False):
         cores = container_config.cpu_cores
         memory = container_config.ram_mb
@@ -719,6 +731,7 @@ class KubernetesController(ControllerInterface):
             env=environment_variables,
             image_pull_policy=image_pull_policy,
             volume_mounts=mounts,
+            security_context=security_context,
             resources=V1ResourceRequirements(
                 limits={'cpu': cores, 'memory': f'{memory}Mi'},
                 requests={'cpu': cores*self.cpu_reservation, 'memory': f'{min_memory}Mi'},
@@ -731,7 +744,8 @@ class KubernetesController(ControllerInterface):
                            shutdown_seconds: int, scale: int, labels: dict[str, str] = None,
                            volumes: list[V1Volume] = None, mounts: list[V1VolumeMount] = None,
                            core_mounts: bool = False, change_key: str = '', high_priority: bool = False,
-                           deployment_strategy: V1DeploymentStrategy = V1DeploymentStrategy()):
+                           deployment_strategy: V1DeploymentStrategy = V1DeploymentStrategy(),
+                           security_context: V1SecurityContext = None):
         # Build a cache key to check for changes, just trying to only patch what changed
         # will still potentially result in a lot of restarts due to different kubernetes
         # systems returning differently formatted data
@@ -742,7 +756,8 @@ class KubernetesController(ControllerInterface):
         key_labels += sorted(deployment_labels.items())
         change_key = str(f"n={deployment_name}{change_key}dc={docker_config}ss={shutdown_seconds}"
                          f"l={key_labels}v={volumes}m={mounts}cm={core_mounts}senv={svc_env}"
-                         f"nodes={field_selector or ''}{label_selector or ''}")
+                         f"nodes={field_selector or ''}{label_selector or ''}"
+                         f"security_context={security_context or ''}")
         self.logger.debug(f"{deployment_name} actual change_key: {change_key}")
         change_key = str(hash(change_key))
 
@@ -847,7 +862,7 @@ class KubernetesController(ControllerInterface):
             init_containers=init_containers,
             volumes=all_volumes,
             containers=self._create_containers(service_name, deployment_name, docker_config,
-                                               all_mounts, core_container=core_mounts),
+                                               all_mounts, security_context, core_container=core_mounts),
             priority_class_name=self.dependency_priority if high_priority else self.priority,
             termination_grace_period_seconds=shutdown_seconds,
             security_context=V1PodSecurityContext(fs_group=1000),
@@ -952,58 +967,14 @@ class KubernetesController(ControllerInterface):
     def restart(self, service):
         self._create_deployment(service.name, self._deployment_name(service.name), service.container_config,
                                 service.shutdown_seconds, self.get_target(service.name), core_mounts=service.privileged,
-                                change_key=service.config_blob)
+                                change_key=service.config_blob, security_context=self.security_policy)
 
     def get_running_container_names(self):
         pods = self.api.list_pod_for_all_namespaces(field_selector='status.phase==Running',
                                                     _request_timeout=API_TIMEOUT)
         return [pod.metadata.name for pod in pods.items]
 
-    @staticmethod
-    def dropped_message(event: CoreV1Event) -> bool:
-        """These aren't messages anyone looking at the """
-
-        # These are common ephemeral states
-        if event.action in ["Scheduling"]:
-            return True
-        if event.reason in ["BackOff", "NodeNotReady", "FailedGetResourceMetric", "FailedComputeMetricsReplicas"]:
-            return True
-
-        # There is a more detailed event that starts with "Failed to pull image"
-        if event.message == "Error: ErrImagePull":
-            return True
-        if event.message == "Error: ImagePullBackOff":
-            return True
-
-        # Probes failing on exiting containers is normal
-        if "Readiness probe errored" in event.message and "container is in CONTAINER_EXITED state" in event.message:
-            return True
-        if "Liveness probe errored" in event.message and "container is in CONTAINER_EXITED state" in event.message:
-            return True
-
-        return False
-
-    def parse_container_name(self, name) -> tuple[Optional[str], Optional[bool]]:
-        if not name.startswith(self.prefix):
-            return (None, None)
-        name = name.removeprefix(self.prefix)
-
-        name, _, container_id = name.rpartition('-')
-        if not container_id:
-            return (None, None)
-
-        name, _, deployment_id = name.rpartition('-')
-        if not deployment_id:
-            return (None, None)
-
-        updater = False
-        if name.endswith('-updates'):
-            name = name.removesuffix('-updates')
-            updater = True
-
-        return (name, updater)
-
-    def new_events(self) -> list[ContainerEvent]:
+    def new_events(self):
         response = self.api.list_namespaced_event(namespace=self.namespace, pretty='false',
                                                   field_selector='type=Warning', watch=False,
                                                   _request_timeout=API_TIMEOUT)
@@ -1013,15 +984,7 @@ class KubernetesController(ControllerInterface):
         for event in response.items:
             if self.events_window.get(event.metadata.uid, 0) != event.count:
                 self.events_window[event.metadata.uid] = event.count
-
-                if KubernetesController.dropped_message(event):
-                    continue
-
-                object_name = event.involved_object.name
-                service_name, is_updater = None, None
-                if event.involved_object.kind == 'Pod':
-                    service_name, is_updater = self.parse_container_name(object_name)
-                new.append(ContainerEvent(object_name, event.message, service_name, is_updater))
+                new.append(event.involved_object.name + ': ' + event.message)
 
         # Flush out events that have moved outside the window
         old = set(self.events_window.keys()) - {event.metadata.uid for event in response.items}
@@ -1187,7 +1150,7 @@ class KubernetesController(ControllerInterface):
         self._create_deployment(service_name, deployment_name, spec.container,
                                 30, 1, labels, volumes=volumes, mounts=mounts, high_priority=True,
                                 core_mounts=spec.run_as_core, change_key=change_key,
-                                deployment_strategy=deployment_strategy)
+                                deployment_strategy=deployment_strategy, security_context=self.security_policy)
 
         # Setup a service to direct to the deployment
         try:

{assemblyline_core-4.5.1.dev426 → assemblyline_core-4.5.1.dev434}/assemblyline_core/scaler/scaler_server.py

@@ -27,19 +27,17 @@ from assemblyline.remote.datatypes.hash import ExpiringHash, Hash
 from assemblyline.remote.datatypes.events import EventWatcher, EventSender
 from assemblyline.odm.models.service import Service, DockerConfig, EnvironmentVariable
 from assemblyline.odm.models.config import Mount
-from assemblyline.odm.models.error import Error
 from assemblyline.odm.messages.scaler_heartbeat import Metrics
 from assemblyline.odm.messages.scaler_status_heartbeat import Status
 from assemblyline.odm.messages.changes import ServiceChange, Operation
 from assemblyline.common.dict_utils import get_recursive_sorted_tuples, flatten
-from assemblyline.common.uid import get_id_from_data, get_random_id
+from assemblyline.common.uid import get_id_from_data
 from assemblyline.common.forge import get_classification, get_service_queue, get_apm_client
 from assemblyline.common.constants import SCALER_TIMEOUT_QUEUE, SERVICE_STATE_HASH, ServiceStatus
 from assemblyline.common.version import FRAMEWORK_VERSION, SYSTEM_VERSION
-from assemblyline.common.isotime import now_as_iso
 from assemblyline_core.updater.helper import get_registry_config
 from assemblyline_core.scaler.controllers import KubernetesController
-from assemblyline_core.scaler.controllers.interface import ContainerEvent, ServiceControlError
+from assemblyline_core.scaler.controllers.interface import ServiceControlError
 from assemblyline_core.server_base import ServiceStage, ThreadedCoreBase
 
 from .controllers import DockerController
@@ -54,7 +52,6 @@ SCALE_INTERVAL = 5
 METRIC_SYNC_INTERVAL = 0.5
 CONTAINER_EVENTS_LOG_INTERVAL = 2
 HEARTBEAT_INTERVAL = 5
-SIXTY_DAYS = 60 * 60 * 24 * 60
 
 # The maximum containers we ask to be created in a single scaling iteration
 # This is to give kubernetes a chance to update our view of resource usage before we ask for more containers
@@ -74,7 +71,6 @@ DOCKER_CONFIGURATION_VOLUME = os.getenv('DOCKER_CONFIGURATION_VOLUME', None)
 
 SERVICE_API_HOST = os.getenv('SERVICE_API_HOST', None)
 INTERNAL_ENCRYPT = bool(SERVICE_API_HOST and SERVICE_API_HOST.startswith('https'))
-SERVICE_PREFIX = 'alsvc-'
 
 
 @contextmanager
@@ -315,7 +311,7 @@ class ScalerServer(ThreadedCoreBase):
 
         if KUBERNETES_AL_CONFIG:
             self.log.info(f"Loading Kubernetes cluster interface on namespace: {NAMESPACE}")
-            self.controller = KubernetesController(logger=self.log, prefix=SERVICE_PREFIX, labels=labels,
+            self.controller = KubernetesController(logger=self.log, prefix='alsvc_', labels=labels,
                                                    namespace=NAMESPACE, priority='al-service-priority',
                                                    dependency_priority='al-core-priority',
                                                    cpu_reservation=self.config.services.cpu_reservation,
@@ -323,6 +319,7 @@ class ScalerServer(ThreadedCoreBase):
                                                    log_level=self.config.logging.log_level,
                                                    core_env=core_env,
                                                    cluster_pod_list=self.config.core.scaler.cluster_pod_list,
+                                                   enable_pod_security=self.config.core.scaler.enable_pod_security,
                                                    default_service_account=self.config.services.service_account,
                                                    default_service_tolerations=service_defaults_config.tolerations,
                                                    priv_labels=priv_labels
@@ -983,34 +980,7 @@ class ScalerServer(ThreadedCoreBase):
 
     def log_container_events(self):
         """The service status table may have references to containers that have crashed. Try to remove them all."""
-        pool = concurrent.futures.ThreadPoolExecutor(20)
         while self.sleep(CONTAINER_EVENTS_LOG_INTERVAL):
             with apm_span(self.apm_client, 'log_container_events'):
-                for event in self.controller.new_events():
-                    if event.service_name:
-                        pool.submit(self._process_service_event, event)
-                        continue
-                    self.log.warning("Container Event :: " + event.object_name + ": " + event.message)
-
-    def _process_service_event(self, event: ContainerEvent):
-        """Record the container event in the service event table."""
-        try:
-            message = f"Event for service {'updater' if event.updater else ''} container " + \
-                      f"[{event.object_name}] for service: \n" + event.message
-
-            error = Error({
-                'expiry_ts': now_as_iso(SIXTY_DAYS),
-                'response': {
-                    'message': message,
-                    'service_name': event.service_name,
-                    'service_version': 'UNKNOWN',
-                    'status': 'FAIL_NONRECOVERABLE'
-                },
-                'sha256': '0' * 64,
-                'type': 'UNKNOWN'
-            })
-            error_key = error.build_key(service_tool_version=get_random_id())
-            self.datastore.error.save(error_key, error)
-
-        except Exception:
-            self.log.exception("Error reporting service container event")
+                for message in self.controller.new_events():
+                    self.log.warning("Container Event :: " + message)

{assemblyline_core-4.5.1.dev426 → assemblyline_core-4.5.1.dev434}/assemblyline_core/updater/run_updater.py

@@ -15,7 +15,8 @@ import docker
 
 from kubernetes.client import V1Job, V1ObjectMeta, V1JobSpec, V1PodTemplateSpec, V1PodSpec, V1Volume, \
     V1VolumeMount, V1EnvVar, V1Container, V1ResourceRequirements, \
-    V1ConfigMapVolumeSource, V1Secret, V1SecretVolumeSource, V1LocalObjectReference, V1Toleration
+    V1ConfigMapVolumeSource, V1Secret, V1SecretVolumeSource, V1LocalObjectReference, V1Toleration, V1SecurityContext, \
+    V1Capabilities, V1SeccompProfile
 from kubernetes import client, config
 from kubernetes.client.rest import ApiException
 
@@ -44,6 +45,14 @@ INHERITED_VARIABLES: list[str] = ['HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY', 'http
 CONFIGURATION_HOST_PATH = os.getenv('CONFIGURATION_HOST_PATH', 'service_config')
 CONFIGURATION_CONFIGMAP = os.getenv('KUBERNETES_AL_CONFIG', None)
 AL_CORE_NETWORK = os.environ.get("AL_CORE_NETWORK", 'core')
+RESTRICTED_POD_SECUTITY_CONTEXT = V1SecurityContext(
+    run_as_user=1000,
+    run_as_group=1000,
+    capabilities=V1Capabilities(drop=["ALL"]),
+    run_as_non_root=True,
+    allow_privilege_escalation=False,
+    seccomp_profile=V1SeccompProfile(type="RuntimeDefault")
+)
 
 SERVICE_API_HOST = os.getenv('SERVICE_API_HOST')
 RELEASE_NAME = os.getenv('RELEASE_NAME')
@@ -148,7 +157,7 @@ class DockerUpdateInterface:
 
 class KubernetesUpdateInterface:
     def __init__(self, logger, prefix, namespace, priority_class, extra_labels, linux_node_selector: Selector,
-                 log_level="INFO", default_service_account=None, default_service_tolerations=[]):
+                 log_level="INFO", default_service_account=None, default_service_tolerations=[], enable_pod_security=False):
         # Try loading a kubernetes connection from either the fact that we are running
         # inside of a cluster, or we have a configuration in the normal location
         try:
@@ -182,6 +191,7 @@ class KubernetesUpdateInterface:
         self.secret_env = []
         self.linux_node_selector = linux_node_selector
         self.default_service_tolerations = [V1Toleration(**toleration.as_primitives()) for toleration in default_service_tolerations]
+        self.security_policy = RESTRICTED_POD_SECUTITY_CONTEXT if enable_pod_security else None
 
 
         # Get the deployment of this process. Use that information to fill out the secret info
@@ -324,6 +334,7 @@ class KubernetesUpdateInterface:
             env=environment_variables,
             image_pull_policy='Always',
             volume_mounts=volume_mounts,
+            security_context=self.security_policy,
             resources=V1ResourceRequirements(
                 limits={'cpu': cores, 'memory': f'{memory}Mi'},
                 requests={'cpu': cores / 4, 'memory': f'{memory_min}Mi'},
@@ -478,7 +489,8 @@ class ServiceUpdater(ThreadedCoreBase):
                                                         log_level=self.config.logging.log_level,
                                                         default_service_account=self.config.services.service_account,
                                                         linux_node_selector=self.config.core.scaler.linux_node_selector,
-                                                        default_service_tolerations=self.config.core.scaler.service_defaults.tolerations)
+                                                        default_service_tolerations=self.config.core.scaler.service_defaults.tolerations,
+                                                        enable_pod_security=self.config.core.scaler.enable_pod_security)
             # Add all additional mounts to privileged services
             self.mounts = self.config.core.scaler.service_defaults.mounts
         else:

{assemblyline_core-4.5.1.dev426 → assemblyline_core-4.5.1.dev434}/assemblyline_core.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: assemblyline-core
-Version: 4.5.1.dev426
+Version: 4.5.1.dev434
 Summary: Assemblyline 4 - Core components
 Home-page: https://github.com/CybercentreCanada/assemblyline-core/
 Author: CCCS Assemblyline development team

assemblyline_core-4.5.1.dev426/assemblyline_core/VERSION

@@ -1 +0,0 @@
-4.5.1.dev426

{assemblyline_core-4.5.1.dev426 → assemblyline_core-4.5.1.dev434}/assemblyline_core/updater/helper.py

@@ -61,6 +61,7 @@ class DockerRegistry(ContainerRegistry):
                 headers["Authorization"] = f"Bearer {token}"
 
         resp = self._perform_request(url, headers, verify, proxies)
+
         # Test for valid response
         if resp and resp.ok:
             # Test for positive list of tags
@@ -265,7 +266,6 @@ def get_latest_tag_for_service(service_config: ServiceConfig, system_config: Sys
         tags = registry._get_proprietary_registry_tags(server, image_name, auth,
                                                        not system_config.services.allow_insecure_registry,
                                                        proxies, token_server)
-
     # Pre-filter tags to only consider 'compatible' tags relative to the running system
     tags = [tag for tag in tags
             if re.match(f"({FRAMEWORK_VERSION})\\.({SYSTEM_VERSION})\\.\\d+\\.({update_channel})\\d+", tag)]