Runtime rule manager (KDR) (#192)
* wip rulemanager

* wip: cache

* wip: enable rule

* wip: single rule

* wip: remove failure

* wip: rename

* wip: rename

* Adding exporters

* wip: adding prometheusMetric

* wip: rename

* wip: rename

* wip: rename

* wip: adding rule manager to main

* wip: Add macOS error

* wip: adding R0002UnexpectedFileAccessRuleDescriptor rule

* wip: R1003

* wip: enable all rules

* wip: remove logs

* wip: adding RB

* wip: rename

* wip: http exporter is working

* wip: http exporter is working (#193)

* wip: start prometheus exporter

* wip: adding pod watch

* wip: using interface

* adding RuleBindingCache interface

* wip: dynamic watch

* wip: append global rules

* Adding base refactor of rules

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* wip: support ap watch

* wip: adding ticker

* wip: adding types

* Adding randomx to watcher

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding randomx support

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding events

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding ebpf code

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding stop call for dns tracer

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding syscall type

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding syscall peeking support

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* aip: adding applicationactivitiescache

* wip: adding AA to interface

* fix panic

* wip: rename

* wip: working

* Adding syscall event type

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing syscall rule

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding stuff

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* adding syscall event conversion

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing crypto miner rule

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing randomx event conversion

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding fixed rule code

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding unshare syscall rule test

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* tests

* Adding requirement fixes for all the rules

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* wip: units

* wip: adding watch

* adding logs

* stop tracing

* fix ID

* Adding pre running containers

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding pre running containers

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding pre running containers

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding pre running containers

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* adding pre running containers

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding pre running containers support

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding pre running containers

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Formatting

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* wip: marshal pod

* naming

* remove some logs

* Removing application profile requirement

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing application profile requirement

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing application profile requirement

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing application profile requirement

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* go mod tidy

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding updated main file with malware manager

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding malware manager callbacks

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding malware manager with clamav support

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing old impl

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding container id

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Changing exporters to support the new malware fields

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Moving interface location to be part of v1

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding support of v1 interface

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding support of the new interface

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding interface of v1

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* status labels

Signed-off-by: Amir Malka <amirm@armosec.io>

* wip: move cache objects

* Adding support for the new v1 mm

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding support for pre running containers detection

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing oci config

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding runtime enrichment

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing ticker

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* cont implementation

Signed-off-by: Amir Malka <amirm@armosec.io>

* cont implementation

Signed-off-by: Amir Malka <amirm@armosec.io>

* cont implementation

Signed-off-by: Amir Malka <amirm@armosec.io>

* cont implementation

Signed-off-by: Amir Malka <amirm@armosec.io>

* network manager impl

Signed-off-by: Amir Malka <amirm@armosec.io>

* Adding tests

* fix

Signed-off-by: Amir Malka <amirm@armosec.io>

* delete pod objects from cache after 1 min

Signed-off-by: Amir Malka <amirm@armosec.io>

* update network neighbors cache

Signed-off-by: Amir Malka <amirm@armosec.io>

* Adding updated go mod

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding support for open reports

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing mock to fit new interface

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding support in clamav malware scanner to scan open events

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding open events management in the manager

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing interface

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding report callback for malware manager

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding the option to look up a file path on the host using /proc host view

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Changing file path to be from host pov

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* removed deletion wait

Signed-off-by: Amir Malka <amirm@armosec.io>

* Adding container callback

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding container callback in order to store a mapping between container id to pid

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* fix pr

* adding units for ap

* adding tests

* Passing config to the malware manager

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding a check to see if a path is a directory

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding a smart container cache

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing logs

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding read only scanning

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Bumping IG to v0.0.27

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing functions

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* idk

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Using matthyx ig version

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* adding tests

* waiting for cache

* Adding Fixed ClamAV

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding fixes

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* fix callback

* handle dropped events

* use lock for isCached

* Removed docker from initial container runtime iteration

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing logs

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding pre running containers only if trace forever

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* change status

* moved syscalls to ap

Signed-off-by: Amir Malka <amirm@armosec.io>

* moved syscalls to ap

Signed-off-by: Amir Malka <amirm@armosec.io>

* adding tests

* Adding process utils

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding procfs

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Moving exporters

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Changing import

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Changing exporters

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding new types enrichments

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding new exporters

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* updated workflow

Signed-off-by: Amir Malka <amirm@armosec.io>

* renamed storage_no_cache, fix NN patch

Signed-off-by: Amir Malka <amirm@armosec.io>

* support ephemeral containers

Signed-off-by: Amir Malka <amirm@armosec.io>

* fix units

* update deps

Signed-off-by: Amir Malka <amirm@armosec.io>

* Adding needed packages

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing exporters

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fitting interface

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Changing malware manager to support the new structs

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing rules to work with the new struct

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding new utils

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* update deps

Signed-off-by: Amir Malka <amirm@armosec.io>

* Fixing exporters to use new rules structure

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding host network to enrichment

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing r0003

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding replace statement for syft pkg

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing tests

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing bugs

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing timestamp

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding Upper Layer to RandomX tracer

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* updated pod json

Signed-off-by: Amir Malka <amirm@armosec.io>

* watch running containers

* bump deps

Signed-off-by: Amir Malka <amirm@armosec.io>

* fixed test

* Passing needed params

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding needed params

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding wlid for http exporter

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing severity of rules

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing params

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing exporters

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding pod to wlid in malware manager

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding pod to wlid

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding fixing logger and adding missing function in interface

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* BUGFIX: extra param to exporter

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing comment

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding some fixes for rules

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding comments on syscall event

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding missing param

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding fixed test for rule

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* fix NN patch

Signed-off-by: Amir Malka <amirm@armosec.io>

* fixed rule

* adding ruleManager.ContainerCallback

* remove global rb

* refactor

Signed-off-by: Amir Malka <amirm@armosec.io>

* fix

Signed-off-by: Amir Malka <amirm@armosec.io>

* Fixing r1000

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding missing enrichment

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* adding tests

* make test stable

---------

Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Amir Malka <amirm@armosec.io>
Signed-off-by: David Wertenteil <dwertent@armosec.io>
Co-authored-by: Amit Schendel <amitschendel@gmail.com>
Co-authored-by: Amit Schendel <58078857+amitschendel@users.noreply.github.com>
Co-authored-by: Amir Malka <amirm@armosec.io>
4 people authored Apr 7, 2024
1 parent 120d3e7 commit 04e9992
Showing 182 changed files with 151,884 additions and 564 deletions.
2 changes: 0 additions & 2 deletions .github/workflows/pr-created.yaml
Expand Up @@ -2,8 +2,6 @@ name: pull_request_created
on:
pull_request:
types: [opened, reopened, synchronize, ready_for_review]
branches:
- 'main'
paths-ignore:
- '*.md'
- '*.yaml'
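Review bot: The `branches: - 'main'` filter under `pull_request` appears to be the two deleted lines, so this workflow now triggers for pull requests against any base branch. If the filter was lifted only so CI would run while this work lived on a feature branch, restore it before merging; if the wider trigger is intended, say so in the commit message.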
5 changes: 3 additions & 2 deletions Makefile
@@ -1,8 +1,9 @@
DOCKERFILE_PATH=./build/Dockerfile
BINARY_NAME=node-agent

IMAGE?=quay.io/kubescape/$(BINARY_NAME)

IMAGE?=quay.io/dwertent/$(BINARY_NAME)
TAG?=test
# TAG?=v0.0.1

binary:
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o $(BINARY_NAME)
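Review bot: The `IMAGE?=quay.io/dwertent/$(BINARY_NAME)` default, together with `TAG?=test` and the commented-out `# TAG?=v0.0.1`, reads like a local development setting: a build that does not override IMAGE would be tagged for a personal registry namespace instead of `quay.io/kubescape`. Keep the project registry as the default, pass the personal one on the command line (`make IMAGE=... TAG=...`), and drop the commented-out tag.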
13 changes: 12 additions & 1 deletion configuration/config.json
Expand Up @@ -4,5 +4,16 @@
"networkServiceEnabled": true,
"relevantCVEServiceEnabled": true,
"maxSniffingTimePerContainer": "6h",
"updateDataPeriod": "1m"
"updateDataPeriod": "1m",
"InitialDelay": "2m",
"prometheusExporterEnabled": "true",
"runtimeDetectionEnabled": "true",
"exporters": {
"syslogExporterURL": "http://syslog.kubescape.svc.cluster.local:514",
"stdoutExporter": "false",
"alertManagerExporterUrls": ["http://alertmanager.kubescape.svc.cluster.local:9093", "http://alertmanager.kubescape.svc.cluster.local:9095"],
"CsvRuleExporterPath": "/rules",
"CsvMalwareExporterPath": "/malware",
"httpExporterConfig": {"url":"http://synchronizer.kubescape.svc.cluster.local:8089/apis/v1/kubescape.io/v1/runtimealerts"}
}
}
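Review bot: `prometheusExporterEnabled`, `runtimeDetectionEnabled` and `stdoutExporter` are written as the strings "true"/"false", while the existing flags in this file (`networkServiceEnabled`, `relevantCVEServiceEnabled`) are JSON booleans. Whether a quoted value is accepted depends on how the loader decodes it, so use bare `true`/`false` to match. The new keys also mix casing (`InitialDelay` and `CsvRuleExporterPath` next to `updateDataPeriod`, `syslogExporterURL` next to `alertManagerExporterUrls`), and every exporter endpoint in these defaults is plain `http://`, so runtime alerts are sent unencrypted; confirm that is acceptable for the Alertmanager and synchronizer targets.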
206 changes: 118 additions & 88 deletions go.mod

Large diffs are not rendered by default.

440 changes: 251 additions & 189 deletions go.sum

Large diffs are not rendered by default.

8 changes: 8 additions & 0 deletions internal/validator/validator.go
Expand Up @@ -103,6 +103,14 @@ func CheckPrerequisites() error {
if nodeName := os.Getenv(config.NodeNameEnvVar); nodeName == "" {
return fmt.Errorf("%s environment variable not set", config.NodeNameEnvVar)
}
logger.L().Debug("checking pod name")
if nodeName := os.Getenv(config.PodNameEnvVar); nodeName == "" {
return fmt.Errorf("%s environment variable not set", config.NodeNameEnvVar)
}
logger.L().Debug("checking namespace name")
if nodeName := os.Getenv(config.NamespaceEnvVar); nodeName == "" {
return fmt.Errorf("%s environment variable not set", config.NodeNameEnvVar)
}
// Ensure all filesystems are mounted
logger.L().Debug("checking mounts")
if err := workaroundMounts(); err != nil {
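Review bot: Both new checks report the wrong variable: when `config.PodNameEnvVar` or `config.NamespaceEnvVar` is empty, the error is still formatted with `config.NodeNameEnvVar`, so an operator is told the node name is missing. Pass the variable actually being checked to `fmt.Errorf`, and rename the local `nodeName` in those two blocks (for example `podName` and `namespace`) so the copy-paste does not carry further.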
2 changes: 2 additions & 0 deletions internal/validator/validator_test.go
Expand Up @@ -87,6 +87,8 @@ func TestCheckPrerequisites(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
if tt.setEnv {
t.Setenv(config.NodeNameEnvVar, "testNode")
t.Setenv(config.NamespaceEnvVar, "namespace")
t.Setenv(config.PodNameEnvVar, "pod")
}
if err := CheckPrerequisites(); (err != nil) != tt.wantErr {
t.Errorf("CheckPrerequisites() error = %v, wantErr %v", err, tt.wantErr)
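Review bot: The three variables are only ever set together under `tt.setEnv`, so the new pod-name and namespace checks have no failing case of their own. Add table entries that set `config.NodeNameEnvVar` but leave `config.PodNameEnvVar` or `config.NamespaceEnvVar` unset, and assert on the error text as well as on `wantErr` so that a message naming the wrong variable is caught.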
127 changes: 116 additions & 11 deletions main.go
Expand Up @@ -12,18 +12,35 @@ import (
"node-agent/pkg/config"
"node-agent/pkg/containerwatcher/v1"
"node-agent/pkg/dnsmanager"
"node-agent/pkg/exporters"
"node-agent/pkg/filehandler/v1"
"node-agent/pkg/malwaremanager"
malwaremanagerv1 "node-agent/pkg/malwaremanager/v1"
clamavv1 "node-agent/pkg/malwaremanager/v1/clamav"
metricsmanager "node-agent/pkg/metricsmanager"
metricprometheus "node-agent/pkg/metricsmanager/prometheus"
"node-agent/pkg/networkmanager"
"node-agent/pkg/objectcache"
"node-agent/pkg/objectcache/applicationprofilecache"
"node-agent/pkg/objectcache/k8scache"
"node-agent/pkg/objectcache/networkneighborscache"
objectcachev1 "node-agent/pkg/objectcache/v1"
"node-agent/pkg/relevancymanager"
relevancymanagerv1 "node-agent/pkg/relevancymanager/v1"
rulebinding "node-agent/pkg/rulebindingmanager"
rulebindingcachev1 "node-agent/pkg/rulebindingmanager/cache"
"node-agent/pkg/rulemanager"
rulemanagerv1 "node-agent/pkg/rulemanager/v1"
"node-agent/pkg/sbomhandler/syfthandler"
"node-agent/pkg/storage/v1"
"node-agent/pkg/utils"
"node-agent/pkg/watcher/dynamicwatcher"
"os"
"os/signal"
"syscall"

utilsmetadata "github.com/armosec/utils-k8s-go/armometadata"
mapset "github.com/deckarep/golang-set/v2"

beUtils "github.com/kubescape/backend/pkg/utils"
"github.com/kubescape/go-logger"
Expand Down Expand Up @@ -82,15 +99,36 @@ func main() {

// Create clients
k8sClient := k8sinterface.NewKubernetesApi()
storageClient, err := storage.CreateStorageNoCache(clusterData.Namespace)
storageClient, err := storage.CreateStorage(clusterData.Namespace)
if err != nil {
logger.L().Ctx(ctx).Fatal("error creating the storage client", helpers.Error(err))
}

// Create Prometheus metrics exporter
var prometheusExporter metricsmanager.MetricsManager
if cfg.EnablePrometheusExporter {
prometheusExporter = metricprometheus.NewPrometheusMetric()
} else {
prometheusExporter = metricsmanager.NewMetricsMock()
}

nodeName := os.Getenv(config.NodeNameEnvVar)
// Create watchers
dWatcher := dynamicwatcher.NewWatchHandler(k8sClient)
// create k8sObject cache
k8sObjectCache, err := k8scache.NewK8sObjectCache(nodeName, k8sClient)
if err != nil {
logger.L().Ctx(ctx).Fatal("error creating K8sObjectCache", helpers.Error(err))
}
dWatcher.AddAdaptor(k8sObjectCache)

// Initiate pre-existing containers
preRunningContainersIDs := mapset.NewSet[string]() // Set of container IDs

// Create the application profile manager
var applicationProfileManager applicationprofilemanager.ApplicationProfileManagerClient
if cfg.EnableApplicationProfile {
applicationProfileManager, err = applicationprofilemanagerv1.CreateApplicationProfileManager(ctx, cfg, clusterData.ClusterName, k8sClient, storageClient)
applicationProfileManager, err = applicationprofilemanagerv1.CreateApplicationProfileManager(ctx, cfg, clusterData.ClusterName, k8sClient, storageClient, preRunningContainersIDs, k8sObjectCache)
if err != nil {
logger.L().Ctx(ctx).Fatal("error creating the application profile manager", helpers.Error(err))
}
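Review bot: `preRunningContainersIDs` is created empty under the comment `// Initiate pre-existing containers` and handed to the application profile manager here (and to the relevancy, network and rule managers and the container watcher later in main), but nothing in these lines fills it. State in the comment which component populates the set and at what point relative to the managers reading it, since several consumers share the one instance.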
Expand All @@ -107,46 +145,113 @@ func main() {
}

sbomHandler := syfthandler.CreateSyftSBOMHandler(storageClient)
relevancyManager, err = relevancymanagerv1.CreateRelevancyManager(ctx, cfg, clusterData.ClusterName, fileHandler, k8sClient, sbomHandler)
relevancyManager, err = relevancymanagerv1.CreateRelevancyManager(ctx, cfg, clusterData.ClusterName, fileHandler, k8sClient, sbomHandler, preRunningContainersIDs)
if err != nil {
logger.L().Ctx(ctx).Fatal("error creating the relevancy manager", helpers.Error(err))
}
} else {
relevancyManager = relevancymanager.CreateRelevancyManagerMock()
}

var ruleManager rulemanager.RuleManagerClient
var malwareManager malwaremanager.MalwareManagerClient
var objCache objectcache.ObjectCache
var ruleBindingNotify chan rulebinding.RuleBindingNotify

if cfg.EnableRuntimeDetection {

// create ruleBinding cache
ruleBindingCache := rulebindingcachev1.NewCache(nodeName, k8sClient)
dWatcher.AddAdaptor(ruleBindingCache)

ruleBindingNotify = make(chan rulebinding.RuleBindingNotify, 100)
ruleBindingCache.AddNotifier(&ruleBindingNotify)

apc := applicationprofilecache.NewApplicationProfileCache(nodeName, k8sClient)
dWatcher.AddAdaptor(apc)

nnc := networkneighborscache.NewNetworkNeighborsCache(nodeName, k8sClient)
dWatcher.AddAdaptor(nnc)

// create object cache
objCache = objectcachev1.NewObjectCache(k8sObjectCache, apc, nnc)

// create exporter
exporter := exporters.InitExporters(cfg.Exporters, clusterData.ClusterName, nodeName)

// create runtimeDetection managers
ruleManager, err = rulemanagerv1.CreateRuleManager(ctx, cfg, k8sClient, ruleBindingCache, objCache, exporter, prometheusExporter, preRunningContainersIDs, nodeName, clusterData.ClusterName)
if err != nil {
logger.L().Ctx(ctx).Fatal("error creating RuleManager", helpers.Error(err))
}

// Create malware scanners
malwarescanners := []malwaremanagerv1.MalwareScanner{}

// Create ClamAV scanner
// Check if ClamAV is enabled (CLAMAV_ADDRESS env var is set in the format <host>:<port>)
if clamavAddress, present := os.LookupEnv("CLAMAV_ADDRESS"); present {
clamavConfig := clamavv1.ClamAVConfig{
Address: clamavAddress,
}
if clamavScanner, err := clamavv1.CreateClamAVClient(&clamavConfig); err == nil {
malwarescanners = append(malwarescanners, clamavScanner)
} else {
logger.L().Ctx(ctx).Error("error creating ClamAV client", helpers.Error(err))
}
}

malwareManager, err = malwaremanagerv1.CreateMalwareManager(malwarescanners, exporter, cfg, k8sClient, nodeName, clusterData.ClusterName)
if err != nil {
logger.L().Ctx(ctx).Fatal("error creating MalwareManager", helpers.Error(err))
}
} else {
ruleManager = rulemanager.CreateRuleManagerMock()
malwareManager = malwaremanager.CreateMalwareManagerMock()
objCache = objectcache.NewObjectCacheMock()
ruleBindingNotify = make(chan rulebinding.RuleBindingNotify, 1)
}

// Create the network and DNS managers
var networkManagerClient networkmanager.NetworkManagerClient
var dnsManagerClient dnsmanager.DNSManagerClient

if cfg.EnableNetworkTracing {
dnsManager := dnsmanager.CreateDNSManager()
dnsManagerClient = dnsManager

networkManagerClient = networkmanager.CreateNetworkManager(ctx, cfg, k8sClient, storageClient, clusterData.ClusterName, dnsManager)

networkManagerClient = networkmanager.CreateNetworkManager(ctx, cfg, k8sClient, storageClient, clusterData.ClusterName, dnsManager, preRunningContainersIDs, k8sObjectCache)
} else {
networkManagerClient = networkmanager.CreateNetworkManagerMock()
dnsManagerClient = dnsmanager.CreateDNSManagerMock()
}

// Create the container handler
mainHandler, err := containerwatcher.CreateIGContainerWatcher(cfg, applicationProfileManager, k8sClient, relevancyManager, networkManagerClient, dnsManagerClient)
mainHandler, err := containerwatcher.CreateIGContainerWatcher(cfg, applicationProfileManager, k8sClient, relevancyManager, networkManagerClient, dnsManagerClient, prometheusExporter, ruleManager, malwareManager, preRunningContainersIDs, &ruleBindingNotify)
if err != nil {
logger.L().Ctx(ctx).Fatal("error creating the container watcher", helpers.Error(err))
}

// Start the prometheusExporter
prometheusExporter.Start()

// Start the container handler
err = mainHandler.Start(ctx)
if err != nil {
logger.L().Ctx(ctx).Error("error starting the container watcher", helpers.Error(err))
if strings.Contains(err.Error(), utils.ErrRuncNotFound) {
os.Exit(utils.ExitCodeRuncNotFound)
} else {
switch {
case strings.Contains(err.Error(), utils.ErrKernelVersion):
os.Exit(utils.ExitCodeIncompatibleKernel)
case strings.Contains(err.Error(), utils.ErrMacOS):
os.Exit(utils.ExitCodeMacOS)
default:
os.Exit(utils.ExitCodeError)
}
}
defer mainHandler.Stop()

// start watching
dWatcher.Start(ctx)
defer dWatcher.Stop(ctx)

// Wait for shutdown signal
shutdown := make(chan os.Signal, 1)
signal.Notify(shutdown, os.Interrupt, syscall.SIGTERM)
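Review bot: In the ClamAV block, a failure from `clamavv1.CreateClamAVClient` is only logged with `Error`, and `CreateMalwareManager` is then called with an empty `malwarescanners` slice, so a node where `CLAMAV_ADDRESS` is set but the client cannot be created runs with no malware scanner and only one log line to show it. Treat that as fatal like the other constructor errors here, or surface it through the exporter or a metric. Separately, the exit-code selection matches on `strings.Contains(err.Error(), ...)`; sentinel errors checked with `errors.Is` would survive a reworded message. `&ruleBindingNotify` also passes a pointer to a channel, which is already a reference type, so the channel itself can be passed.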