feat(config): Add syscalls-related fields

feat: Add go.work to use two mods feat(config): Add the adapter's config feat(receiver): Add a receiver for the adapter feat(core): Add a transformer and Applier for the adapter feat(adapter): Add adapter-specific main.go and other files feat(adapter): Add core(converter, enforcer) feat(adapter): Add applier and modify package name featgo.mod): go version to use go.work (requires go >= 1.21) feat(applier): Add license feat(receiver): Add karmor policy delete test(v2): Modify ID Docs: Update Tutorials fix(go.mod): Resolve lint fix(gomod): resolve golangci-lint Update Quick-tutorials.md Update nimbus-adapter Update nimbus-adapter
5GSEC · Jan 9, 2024 · 92779ae · 92779ae
1 parent 19c2e51
commit 92779ae
Show file tree

Hide file tree

Showing 30 changed files with 1,336 additions and 838 deletions.
diff --git a/.gitignore b/.gitignore
@@ -7,6 +7,7 @@
 *.dylib
 bin
 Dockerfile.cross
+nimbus-kubearmor
 
 # Test binary, build with `go test -c`
 *.test

diff --git a/Makefile b/Makefile
@@ -88,7 +88,7 @@ lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
 
 .PHONY: build
 build: manifests generate fmt vet ## Build manager binary.
-	go build -o bin/manager cmd/main.go
+	GOARCH=amd64 GOOS=linux go build -o bin/manager cmd/main.go
 
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
@@ -181,4 +181,4 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
-	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
diff --git a/config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml b/config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml
@@ -69,6 +69,15 @@ spec:
                               properties:
                                 capability:
                                   type: string
+                                fromSource:
+                                  items:
+                                    description: FromSource defines a source path
+                                      for directory-based policies
+                                    properties:
+                                      path:
+                                        type: string
+                                    type: object
+                                  type: array
                               type: object
                             type: array
                           matchDirectories:
@@ -91,7 +100,7 @@ spec:
                             type: array
                           matchPaths:
                             description: 'Process: MatchPaths, MatchDirectories, MatchPatterns
-                              File: MatchPaths, MatchDirectories'
+                              File: MatchPaths, MatchDirectories,  MatchPatterns'
                             items:
                               description: MatchPath defines a path for process or
                                 file policies
@@ -119,12 +128,43 @@ spec:
                                   type: string
                               type: object
                             type: array
+                          matchSyscallPaths:
+                            items:
+                              properties:
+                                fromSource:
+                                  items:
+                                    properties:
+                                      dir:
+                                        type: string
+                                      path:
+                                        type: string
+                                    type: object
+                                  type: array
+                                path:
+                                  type: string
+                                recursive:
+                                  type: boolean
+                                syscall:
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            type: array
                           matchSyscalls:
                             description: 'Syscalls: MatchSyscalls'
                             items:
                               description: MatchSyscall defines a syscall for syscall
                                 policies
                               properties:
+                                fromSource:
+                                  items:
+                                    properties:
+                                      dir:
+                                        type: string
+                                      path:
+                                        type: string
+                                    type: object
+                                  type: array
                                 syscalls:
                                   items:
                                     type: string

diff --git a/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml b/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml
@@ -38,9 +38,8 @@ spec:
             description: SecurityIntentBindingSpec defines the desired state of SecurityIntentBinding
             properties:
               intents:
-                description: Foo is an example field of SecurityIntentBinding. Edit
-                  securityintentbinding_types.go to remove/update
                 items:
+                  description: Intent struct defines the request for a specific SecurityIntent
                   properties:
                     name:
                       type: string

diff --git a/config/crd/bases/intent.security.nimbus.com_securityintents.yaml b/config/crd/bases/intent.security.nimbus.com_securityintents.yaml
@@ -116,12 +116,43 @@ spec:
                                 type: string
                             type: object
                           type: array
+                        matchSyscallPaths:
+                          items:
+                            properties:
+                              fromSource:
+                                items:
+                                  properties:
+                                    dir:
+                                      type: string
+                                    path:
+                                      type: string
+                                  type: object
+                                type: array
+                              path:
+                                type: string
+                              recursive:
+                                type: boolean
+                              syscall:
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
                         matchSyscalls:
                           description: 'Syscalls: MatchSyscalls'
                           items:
                             description: MatchSyscall defines a syscall for syscall
                               policies
                             properties:
+                              fromSource:
+                                items:
+                                  properties:
+                                    dir:
+                                      type: string
+                                    path:
+                                      type: string
+                                  type: object
+                                type: array
                               syscalls:
                                 items:
                                   type: string

diff --git a/docs/Quick-tutorials.md b/docs/Quick-tutorials.md
@@ -9,66 +9,150 @@ $ kubectl apply -f ./test/env/multiubuntu.yaml
 
 ### Run Operators (Nimbus)
 ```
-$ make run
+~/nimbus_accuknox$ make run
+test -s /home/cclab/nimbus_accuknox/bin/controller-gen && /home/cclab/nimbus_accuknox/bin/controller-gen --version | grep -q v0.13.0 || \
+GOBIN=/home/cclab/nimbus_accuknox/bin go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.13.0
+/home/cclab/nimbus_accuknox/bin/controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+/home/cclab/nimbus_accuknox/bin/controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./pkg/..."
+go fmt ./...
+go vet ./...
+go run cmd/main.go
+2024-01-09T13:36:57Z    INFO    setup   Starting manager
+2024-01-09T13:36:57Z    INFO    controller-runtime.metrics      Starting metrics server
+2024-01-09T13:36:57Z    INFO    starting server {"kind": "health probe", "addr": "[::]:8081"}
+2024-01-09T13:36:57Z    INFO    Starting EventSource    {"controller": "securityintent", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntent", "source": "kind source: *v1.SecurityIntent"}
+2024-01-09T13:36:57Z    INFO    Starting EventSource    {"controller": "nimbuspolicy", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "NimbusPolicy", "source": "kind source: *v1.NimbusPolicy"}
+...
 ```
 
-### Run Adapter Server
+### Run Adapter (in this example, KubeArmor)
 ```
-$ cd nimbus-kubearmor/receiver/server
-$ go run server.go
-2024/01/02 20:35:46 Server starting on port 13000...
+~/nimbus_accuknox$ cd pkg/nimbus-kubearmor
+~/nimbus_accuknox/pkg/nimbus-kubearmor$ make build
+~/nimbus_accuknox/pkg/nimbus-kubearmor$ make run
+...
+2024/01/09 13:36:18 Starting Kubernetes client configuration
+2024/01/09 13:36:18 Starting NimbusPolicyWatcher
+2024/01/09 13:36:18 Starting policy processing loop
 ```
 
-### Create and apply Securityintent and SecurityintentBinding file
+### Create and apply Securityintent and SecurityintentBinding
 ```
-$ kubectl apply -f ./test/v2/intents/system/intent-path-block.yaml
+$ cd nimbus_accuknox/test/v2
+~/nimbus_accuknox/test/v2$ kubectl apply -f intents/system/intent-path-block.yaml
+securityintent.intent.security.nimbus.com/group-1-proc-path-sleep-block created
 ```
 
 ```
-$ kubectl apply -f ./test/v2/bindings/system/binding-path-block.yaml
+~/nimbus_accuknox/test/v2$ kubectl apply -f bindings/system/binding-path-block.yaml
+securityintentbinding.intent.security.nimbus.com/sys-proc-path-sleep-block created
 ```
 
 
 ### Verify SecurityIntent and SecurityIntentBinding
+You can also check the operator's logs to see the detection and the process of creating the Nimbus Policy. 
+
+```
+...
+2024-01-09T13:37:06Z    INFO    SecurityIntent resource found   {"controller": "securityintent", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntent", "SecurityIntent": {"name":"group-1-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "group-1-proc-path-sleep-block", "reconcileID": "5f7f67ea-33af-46b9-942a-af99a792c621", "Name": "group-1-proc-path-sleep-block", "Namespace": "multiubuntu"}
+2024-01-09T13:37:19Z    INFO    SecurityIntentBinding resource found    {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"sys-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "sys-proc-path-sleep-block", "reconcileID": "6425366f-c6ca-4a73-87e1-1191d7984166", "Name": "sys-proc-path-sleep-block", "Namespace": "multiubuntu"}
+2024-01-09T13:37:19Z    INFO    Starting intent and binding matching    {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"sys-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "sys-proc-path-sleep-block", "reconcileID": "6425366f-c6ca-4a73-87e1-1191d7984166"}
+2024-01-09T13:37:19Z    INFO    Matching completed      {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"sys-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "sys-proc-path-sleep-block", "reconcileID": "6425366f-c6ca-4a73-87e1-1191d7984166", "Matched Intent Names": ["group-1-proc-path-sleep-block"], "Matched Binding Names": ["sys-proc-path-sleep-block"]}
+2024-01-09T13:37:19Z    INFO    Starting NimbusPolicy building  {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"sys-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "sys-proc-path-sleep-block", "reconcileID": "6425366f-c6ca-4a73-87e1-1191d7984166"}
+2024-01-09T13:37:19Z    INFO    NimbusPolicy built successfully {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"sys-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "sys-proc-path-sleep-block", "reconcileID": "6425366f-c6ca-4a73-87e1-1191d7984166", "Policy": {"namespace": "multiubuntu", "name": "sys-proc-path-sleep-block"}}
+2024-01-09T13:37:19Z    INFO    Found: NimbusPolicy     {"controller": "nimbuspolicy", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "NimbusPolicy", "NimbusPolicy": {"name":"sys-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "sys-proc-path-sleep-block", "reconcileID": "46b8482e-bd09-44d4-9cdc-6b9b8c17febf", "Name": "sys-proc-path-sleep-block", "Namespace": "multiubuntu"}
+...
+```
+
+To verify that it was actually created, you can check the following. 
+* Verify SecurityIntent
 ```
 $ kubectl get SecurityIntent -n multiubuntu
 NAME                            AGE
-group-1-proc-path-sleep-block   25s
-
+group-1-proc-path-sleep-block   28s
 ```
+* Verify SecurityIntentBinding
 ```
 $ kubectl get SecurityIntentBinding -n multiubuntu
 NAME                        AGE
 sys-proc-path-sleep-block   29s
-
 ```
-
-### Verify Nimbus policy
+* Verify Nimbus policy
 ```
 $ kubectl get nimbuspolicy -n multiubuntu
-NAME                     AGE
-net-redis-ingress-deny   38s
+NAME                        AGE
+sys-proc-path-sleep-block   39s
 ```
 ```
 $ kubectl get np -n multiubuntu sys-proc-path-sleep-block -o yaml
 apiVersion: intent.security.nimbus.com/v1
 kind: NimbusPolicy
 metadata:
-  creationTimestamp: "2024-01-02T20:37:33Z"
+  creationTimestamp: "2024-01-09T13:37:19Z"
   generation: 1
   name: sys-proc-path-sleep-block
   namespace: multiubuntu
-  resourceVersion: "4281015"
-  uid: 00c3de93-92d4-4a88-bff6-389449751e3c
+  resourceVersion: "5753517"
+  uid: 5d2ae075-98b8-4958-850e-8114cb6dec19
 spec:
   rules:
   - description: block the execution of '/bin/sleep'
-    id: sys-path-exec
+    id: sys-proc-paths
     rule:
     - action: Block
       matchPaths:
       - path: /bin/sleep
   selector:
     matchLabels:
       group: group-1
-```
+```
+
+### Verify the adapter 
+The log for the adapter that detected nimbuspolicy is shown below. 
+```
+2024/01/09 13:36:18 Starting Kubernetes client configuration
+2024/01/09 13:36:18 Starting NimbusPolicyWatcher
+2024/01/09 13:36:18 Starting policy processing loop
+2024/01/09 13:37:28 NimbusPolicy: Detected policy: Name: multiubuntu, Namespace: sys-proc-path-sleep-block, ID: [sys-proc-paths]
+{TypeMeta:{Kind:NimbusPolicy APIVersion:intent.security.nimbus.com/v1} ObjectMeta:{Name:sys-proc-path-sleep-block GenerateName: Namespace:multiubuntu SelfLink: UID:5d2ae075-98b8-4958-850e-8114cb6dec19 ResourceVersion:5753517 Generation:1 CreationTimestamp:2024-01-09 13:37:19 +0000 UTC DeletionTimestamp:<nil> DeletionGracePeriodSeconds:<nil> Labels:map[] Annotations:map[] OwnerReferences:[] Finalizers:[] ManagedFields:[{Manager:main Operation:Update APIVersion:intent.security.nimbus.com/v1 Time:2024-01-09 13:37:19 +0000 UTC FieldsType:FieldsV1 FieldsV1:{"f:spec":{".":{},"f:rules":{},"f:selector":{".":{},"f:matchLabels":{".":{},"f:group":{}}}}} Subresource:}]} Spec:{Selector:{MatchLabels:map[group:group-1]} NimbusRules:[{Id:sys-proc-paths Type: Description:block the execution of '/bin/sleep' Rule:[{RuleAction:Block MatchProtocols:[] MatchPaths:[{Path:/bin/sleep}] MatchDirectories:[] MatchPatterns:[] MatchCapabilities:[] MatchSyscalls:[] MatchSyscallPaths:[] FromCIDRSet:[] ToPorts:[]}]}]} Status:{PolicyStatus:}}
+2024/01/09 13:37:28 Exporting and Applying NimbusPolicy to KubeArmorPolicy
+2024-01-09T13:37:28Z    INFO    Start Converting a NimbusPolicy {"PolicyName": "sys-proc-path-sleep-block"}
+2024-01-09T13:37:28Z    INFO    Apply a new KubeArmorPolicy     {"PolicyName": "sys-proc-path-sleep-block", "Policy": {"metadata":{"name":"sys-proc-path-sleep-block","namespace":"multiubuntu","creationTimestamp":null},"spec":{"selector":{"matchLabels":{"group":"group-1"}},"process":{"matchPaths":[{"path":"/bin/sleep"}]},"file":{},"network":{"matchProtocols":[{"protocol":"raw"}]},"capabilities":{"matchCapabilities":[{"capability":"lease"}]},"syscalls":{},"action":"Block"},"status":{}}}
+2024/01/09 13:37:28 Successfully exported NimbusPolicy to KubeArmorPolicy
+```
+<br>
+You can also see the policies that were actually created. 
+
+``` 
+$ kubectl get ksp -n multiubuntu
+NAME                        AGE
+sys-proc-path-sleep-block   3m24s
+```
+```
+$  kubectl get ksp -n multiubuntu sys-proc-path-sleep-block -o yaml
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  creationTimestamp: "2024-01-09T13:37:28Z"
+  generation: 1
+  name: sys-proc-path-sleep-block
+  namespace: multiubuntu
+  resourceVersion: "5753537"
+  uid: 16cb107b-e442-442f-90fe-dbb139658d5e
+spec:
+  action: Block
+  capabilities:
+    matchCapabilities:
+    - capability: lease
+  file: {}
+  network:
+    matchProtocols:
+    - protocol: raw
+  process:
+    matchPaths:
+    - path: /bin/sleep
+  selector:
+    matchLabels:
+      group: group-1
+  syscalls: {}
+```
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/5GSEC/nimbus
 
-go 1.20
+go 1.21
 
 require (
 	github.com/cilium/cilium v1.14.3

diff --git a/go.work b/go.work
@@ -0,0 +1,6 @@
+go 1.21
+
+use (
+	./
+	./pkg/nimbus-kubearmor
+)
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,6 +7,7 @@ @@
     *.dylib
     bin
     Dockerfile.cross
+    nimbus-kubearmor
     # Test binary, build with `go test -c`
     *.test
@@ Expand Down @@