I don't see any reports in relay/karmor #1911

Open
zayac3452 opened this issue Dec 9, 2024 · 0 comments
Labels: bug Something isn't working

Comments

@zayac3452

Bug Report

I installed KubeArmor following the official doc; later I saw an error in the relay pod that looked like "I haven't any permission for watch resource", so I gave it this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubearmor-relay-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch # this is the verb I added

General Information

  • Environment description: VM, kubeadm
  • Kernel version:
    Linux kube-node-1 5.15.0-124-generic #134-Ubuntu SMP Fri Sep 27 20:20:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  • Orchestration system version in use (kubectl version):
    Client Version: v1.31.3
    Kustomize Version: v5.4.2
    Server Version: v1.30.1
  • Link to relevant artifacts (policies, deployments scripts, ...)
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: deny-restricted-app
  namespace: pentestit
spec:
  action: Block
  file:
    matchPatterns:
    - pattern: /proc/*/environ
      readOnly: false
  message: Block container with potential hacker!
  selector:
    matchLabels:
      app: pentest
  severity: 2
  tags:
  - ussc
  - hostpid
  • Target containers/pods
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/hostpid-exec-deployment: localhost/kubearmor-pentestit-hostpid-exec-deployment-hostpid-exec-deployment
    kubearmor-policy: enabled
    kubearmor-visibility: process,file,network,capabilities
  generateName: hostpid-exec-deployment-549b7c8fd6-
  labels:
    app: pentest
    pod-template-hash: 549b7c8fd6
    type: deployment
  name: hostpid-exec-deployment-549b7c8fd6-pzhcp
  namespace: pentestit
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: hostpid-exec-deployment-549b7c8fd6
spec:
  containers:
  - args:
    - while true; do sleep 30; done;
    command:
    - /bin/sh
    - -c
    - --
    image: ubuntu
    imagePullPolicy: Always
    name: hostpid-exec-deployment
    resources: {}
    securityContext:
      appArmorProfile:
        localhostProfile: kubearmor-pentestit-hostpid-exec-deployment-hostpid-exec-deployment
        type: Localhost
  hostPID: true
  nodeName: kube-node-1

To Reproduce

  1. On another node, start a gRPC client to the relay server using the karmor CLI:
    karmor logs
local port to be used for port forwarding kubearmor-relay-7d8894b786-x5kbm: 32867
Created a gRPC client (localhost:32867)
Checked the liveness of the gRPC server
Started to watch alerts
  2. Enter the pod:
    kubectl exec -it -n pentestit <podname> -- bash
  3. cat any environ file in the /proc directory:
    cat /proc/self/environ
  4. See "Permission denied":
    cat: /proc/self/environ: Permission denied
  5. In the logs, karmor doesn't see anything.

Expected behavior

I expected some logs for my block in karmor or in the relay server, but I don't have anything. The action is Block, but there is no notification :(


@zayac3452 zayac3452 added the bug Something isn't working label Dec 9, 2024
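The report above does not say whether the relay delivered no alerts at all or delivered alerts that just did not match this policy, and those point at different layers (relay connectivity and RBAC versus policy selector and pattern). The script below is an added triage helper, not code from the KubeArmor project or from the reporter: it reads the output of `karmor logs --json` (one JSON object per alert, interleaved with plain status lines such as "Started to watch alerts") and classifies what it saw. The alert field names it relies on (Type, Action, PolicyName, NamespaceName, Resource, Result) are the KubeArmor alert fields as I know them; the sample stream is constructed for illustration and is not output from the reporter's cluster.

```python
"""Added triage helper (not KubeArmor's own code) for a Block policy with no visible alert.

Save the relay output first, then feed it in:
    karmor logs --json > alerts.jsonl     # Ctrl-C after reproducing the denial
    python triage_alerts.py deny-restricted-app pentestit '/proc/*/environ' < alerts.jsonl
`karmor logs` streams until interrupted, so do not pipe it directly into this script.

Field names follow the KubeArmor alert schema as I know it; the sample below is constructed.
"""
import fnmatch
import json
import sys
from typing import Dict, Iterable, List

Alert = Dict[str, object]


def parse_alert_stream(lines: Iterable[str]) -> List[Alert]:
    """Keep only the JSON lines; drop karmor's plain status text and truncated lines."""
    alerts: List[Alert] = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith("{"):
            continue  # e.g. "Started to watch alerts"
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial line (stream interrupted mid-object)
    return alerts


def matching_block_alerts(alerts: List[Alert], policy_name: str,
                          namespace: str, resource_pattern: str) -> List[Alert]:
    """Alerts showing the enforcer blocked an access under the given policy."""
    return [
        a for a in alerts
        if a.get("Type") == "MatchedPolicy"
        and a.get("Action") == "Block"
        and a.get("PolicyName") == policy_name
        and a.get("NamespaceName") == namespace
        and fnmatch.fnmatchcase(str(a.get("Resource", "")), resource_pattern)
    ]


def triage(lines: Iterable[str], policy_name: str, namespace: str,
           resource_pattern: str) -> Dict[str, object]:
    """Classify the stream so the reader knows which layer to inspect next."""
    alerts = parse_alert_stream(lines)
    hits = matching_block_alerts(alerts, policy_name, namespace, resource_pattern)
    if hits:
        status = "block_reported"        # policy enforced and the relay delivered it
    elif alerts:
        status = "alerts_but_no_match"   # relay path works; look at selector/pattern/namespace
    else:
        status = "no_alerts"             # nothing reached karmor: relay, RBAC or agent side
    seen = sorted({f"{a.get('NamespaceName')}/{a.get('PolicyName')}:{a.get('Action')}"
                   for a in alerts})
    return {"status": status, "total_alerts": len(alerts),
            "matching": len(hits), "policies_seen": seen}


# Constructed sample of a `karmor logs --json` session: two status lines, one Block
# alert for the policy in this issue, one Audit alert from another namespace, and
# one line cut off by Ctrl-C.
SAMPLE_STREAM = [
    "local port to be used for port forwarding kubearmor-relay-7d8894b786-x5kbm: 32867",
    "Started to watch alerts",
    json.dumps({
        "HostName": "kube-node-1", "NamespaceName": "pentestit",
        "PodName": "hostpid-exec-deployment-549b7c8fd6-pzhcp",
        "PolicyName": "deny-restricted-app", "Severity": "2",
        "Type": "MatchedPolicy", "Operation": "File",
        "Resource": "/proc/self/environ", "Action": "Block",
        "Result": "Permission denied", "Enforcer": "AppArmor",
    }),
    json.dumps({
        "HostName": "kube-node-1", "NamespaceName": "default",
        "PodName": "web-0", "PolicyName": "audit-shell", "Type": "MatchedPolicy",
        "Operation": "Process", "Resource": "/bin/sh", "Action": "Audit",
        "Result": "Passed",
    }),
    '{"NamespaceName": "pentestit", "Type": "MatchedPo',
]


if __name__ == "__main__":
    if len(sys.argv) == 4:
        result = triage(sys.stdin, sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        result = triage(SAMPLE_STREAM, "deny-restricted-app", "pentestit", "/proc/*/environ")
    print(json.dumps(result, indent=2))
```

If the result is `no_alerts`, check the relay side before the policy: a ClusterRole by itself grants nothing until a ClusterRoleBinding ties it to the service account the relay pod runs as, and `kubectl auth can-i watch pods --as=system:serviceaccount:<relay-namespace>:<relay-serviceaccount>` (read both names from the relay Deployment's pod template; the deployment name `kubearmor-relay` is inferred from the pod name in the report, the namespace is not shown on this page) tells you whether the verbs the reporter added are actually effective for that identity. If the result is `alerts_but_no_match`, the relay path is fine and the policy selector, namespace or resource pattern is where to look.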