Second #31

1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -7,6 +7,7 @@
*.dylib
bin
Dockerfile.cross
nimbus-kubearmor

# Test binary, build with `go test -c`
*.test
4 changes: 2 additions & 2 deletions Makefile
Expand Up @@ -88,7 +88,7 @@ lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes

.PHONY: build
build: manifests generate fmt vet ## Build manager binary.
go build -o bin/manager cmd/main.go
GOARCH=amd64 GOOS=linux go build -o bin/manager cmd/main.go

.PHONY: run
run: manifests generate fmt vet ## Run a controller from your host.
Expand Down Expand Up @@ -181,4 +181,4 @@ $(CONTROLLER_GEN): $(LOCALBIN)
.PHONY: envtest
envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
$(ENVTEST): $(LOCALBIN)
test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
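Review bot: Pinning `GOARCH=amd64 GOOS=linux` directly on the `build` recipe makes `make build` produce a linux/amd64 binary even on an arm64 developer host or for an arm64 cluster, with no way to override it short of editing the Makefile. Prefer overridable defaults, `GOOS ?= linux` and `GOARCH ?= amd64` near the top of the file, with the recipe reading `GOOS=$(GOOS) GOARCH=$(GOARCH) go build -o bin/manager cmd/main.go`, so the container build keeps its default while `make build GOARCH=arm64` still works. The `setup-envtest` line in the second hunk changes only in whitespace but still installs `@latest`, which makes the test toolchain non-reproducible and unauditable; pinning it to an explicit version, as is presumably done for the other tools in this Makefile, is worth doing in the same pass.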
23 changes: 19 additions & 4 deletions api/v1/nimbuspolicy_types.go
Expand Up @@ -43,7 +43,7 @@ type Rule struct {
MatchProtocols []MatchProtocol `json:"matchProtocols,omitempty"`

// Process: MatchPaths, MatchDirectories, MatchPatterns
// File: MatchPaths, MatchDirectories
// File: MatchPaths, MatchDirectories, MatchPatterns
MatchPaths []MatchPath `json:"matchPaths,omitempty"`
MatchDirectories []MatchDirectory `json:"matchDirectories,omitempty"`
MatchPatterns []MatchPattern `json:"matchPatterns,omitempty"`
Expand All @@ -52,7 +52,8 @@ type Rule struct {
MatchCapabilities []MatchCapability `json:"matchCapabilities,omitempty"`

// Syscalls: MatchSyscalls
MatchSyscalls []MatchSyscall `json:"matchSyscalls,omitempty"`
MatchSyscalls []MatchSyscall `json:"matchSyscalls,omitempty"`
MatchSyscallPaths []MatchSyscallPath `json:"matchSyscallPaths,omitempty"`

FromCIDRSet []CIDRSet `json:"fromCIDRSet,omitempty"`
ToPorts []ToPort `json:"toPorts,omitempty"`
Expand Down Expand Up @@ -97,12 +98,26 @@ type MatchPattern struct {

// MatchSyscall defines a syscall for syscall policies
type MatchSyscall struct {
Syscalls []string `json:"syscalls,omitempty"`
Syscalls []string `json:"syscalls,omitempty"`
FromSource []SyscallFromSource `json:"fromSource,omitempty"`
}

type MatchSyscallPath struct {
Path string `json:"path,omitempty"`
Recursive bool `json:"recursive,omitempty"`
Syscalls []string `json:"syscall,omitempty"`
FromSource []SyscallFromSource `json:"fromSource,omitempty"`
}

type SyscallFromSource struct {
Path string `json:"path,omitempty"`
Dir string `json:"dir,omitempty"`
}

// MatchCapability defines a capability for capabilities policies
type MatchCapability struct {
Capability string `json:"capability,omitempty"`
Capability string `json:"capability,omitempty"`
FromSource []NimbusFromSource `json:"fromSource,omitempty"`
}

// FromSource defines a source path for directory-based policies
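Review bot: The new `MatchSyscallPath` and `SyscallFromSource` types carry no validation markers and every field is `omitempty`, so a rule with an empty `path` or a mistyped syscall name is accepted at admission time; whether that then becomes a no-op rule or an over-broad one depends on how the controller and the enforcer behind it treat the empty value, which this hunk does not show. Drop `omitempty` from the `path` tag so controller-gen marks it required, and put `// +kubebuilder:validation:MinItems=1` above the syscall list, so the CRD schema rejects the degenerate cases rather than leaving them to the enforcer. Note also that the list is tagged `json:"syscall,omitempty"` while `MatchSyscall` uses `json:"syscalls,omitempty"`; if the singular deliberately mirrors the downstream policy format it deserves a comment saying so, otherwise it is a typo that authors copying from `matchSyscalls` will trip over. Both new types are exported and lack doc comments stating what `Path`, `Recursive` and the syscall list select, and the unchanged `// Syscalls: MatchSyscalls` comment above the field should now read `// Syscalls: MatchSyscalls, MatchSyscallPaths`. The enclosing `Rule` struct starts before the first hunk.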
13 changes: 11 additions & 2 deletions api/v1/securityintent_types.go
Expand Up @@ -44,7 +44,8 @@ type SecurityIntentParams struct {
MatchCapabilities []SecurityIntentMatchCapability `json:"matchCapabilities,omitempty"`

// Syscalls: MatchSyscalls
MatchSyscalls []SecurityIntentMatchSyscall `json:"matchSyscalls,omitempty"`
MatchSyscalls []SecurityIntentMatchSyscall `json:"matchSyscalls,omitempty"`
MatchSyscallPaths []SecurityIntentMatchSyscallPath `json:"matchSyscallPaths,omitempty"`

FromCIDRSet []SecurityIntentCIDRSet `json:"fromCIDRSet,omitempty"`
ToPorts []SecurityIntentToPort `json:"toPorts,omitempty"`
Expand Down Expand Up @@ -89,7 +90,15 @@ type SecurityIntentMatchPattern struct {

// MatchSyscall defines a syscall for syscall policies
type SecurityIntentMatchSyscall struct {
Syscalls []string `json:"syscalls,omitempty"`
Syscalls []string `json:"syscalls,omitempty"`
FromSource []SyscallFromSource `json:"fromSource,omitempty"`
}

type SecurityIntentMatchSyscallPath struct {
Path string `json:"path,omitempty"`
Recursive bool `json:"recursive,omitempty"`
Syscalls []string `json:"syscall,omitempty"`
FromSource []SyscallFromSource `json:"fromSource,omitempty"`
}

// MatchCapability defines a capability for capabilities policies
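Review bot: `SecurityIntentMatchSyscall.FromSource` and `SecurityIntentMatchSyscallPath.FromSource` use `SyscallFromSource`, the type declared for the generated NimbusPolicy API, while every other field of `SecurityIntentParams` visible here uses a `SecurityIntent`-prefixed type; that ties the user-facing intent schema to the policy schema, so a later change to `SyscallFromSource` made for the enforcer's sake silently changes what intent authors may submit. Declaring a `SecurityIntentSyscallFromSource` with the same two fields keeps the two CRDs independently evolvable, which is the split the rest of this file maintains. As in the policy types, the list is tagged `json:"syscall,omitempty"` next to `matchSyscalls`' `syscalls`, and `SecurityIntentMatchSyscallPath` has neither a doc comment nor a validation marker, so an empty `path` or an empty syscall list passes admission; `// +kubebuilder:validation:MinItems=1` on the list and a non-`omitempty` `path` tag belong here above all, since this is the CRD users actually write. The `// Syscalls: MatchSyscalls` comment in the first hunk should also list `MatchSyscallPaths`. `SecurityIntentParams` starts before the first hunk.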
9 changes: 4 additions & 5 deletions api/v1/securityintentbinding_types.go
Expand Up @@ -15,11 +15,11 @@ type SecurityIntentBindingSpec struct {
// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
// Important: Run "make" to regenerate code after modifying this file

// Foo is an example field of SecurityIntentBinding. Edit securityintentbinding_types.go to remove/update
Intents []MatchIntent `json:"intents"`
Selector Selector `json:"selector"`
}

// Intent struct defines the request for a specific SecurityIntent
type MatchIntent struct {
Name string `json:"name"`
}
Expand Down Expand Up @@ -49,9 +49,10 @@ type SecurityIntentBindingStatus struct {
// Important: Run "make" to regenerate code after modifying this file
}

//+kubebuilder:object:root=true
// +kubebuilder:object:root=true
// +kubebuilder:resource: shortName="sib"
//+kubebuilder:subresource:status
// +kubebuilder:subresource:status
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// SecurityIntentBinding is the Schema for the securityintentbindings API
type SecurityIntentBinding struct {
Expand All @@ -61,8 +62,6 @@ type SecurityIntentBinding struct {
Status SecurityIntentBindingStatus `json:"status,omitempty"`
}

//+kubebuilder:object:root=true

// SecurityIntentBindingList contains a list of SecurityIntentBinding
type SecurityIntentBindingList struct {
metav1.TypeMeta `json:",inline"`
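Review bot: The last hunk drops the `//+kubebuilder:object:root=true` marker that sat above `SecurityIntentBindingList` without adding anything in its place; controller-gen only generates `DeepCopyObject` for types carrying that marker, so after the next `make generate` the list type no longer satisfies `runtime.Object` and `client.List` over bindings stops compiling. The `// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object` marker added to `SecurityIntentBinding` is read by k8s.io's deepcopy-gen, not by controller-gen, so unless this repo also runs that tool it adds nothing; restore `// +kubebuilder:object:root=true` above the list type. Separately, `// +kubebuilder:resource: shortName="sib"` has a space after the second colon, which is not the documented marker syntax; check that the regenerated CRD actually contains the short name, and otherwise write `// +kubebuilder:resource:shortName=sib`. `SecurityIntentBindingSpec` starts before the first hunk and `SecurityIntentBindingList` continues past the last one.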
42 changes: 41 additions & 1 deletion config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml
Expand Up @@ -69,6 +69,15 @@ spec:
properties:
capability:
type: string
fromSource:
items:
description: FromSource defines a source path
for directory-based policies
properties:
path:
type: string
type: object
type: array
type: object
type: array
matchDirectories:
Expand All @@ -91,7 +100,7 @@ spec:
type: array
matchPaths:
description: 'Process: MatchPaths, MatchDirectories, MatchPatterns
File: MatchPaths, MatchDirectories'
File: MatchPaths, MatchDirectories, MatchPatterns'
items:
description: MatchPath defines a path for process or
file policies
Expand Down Expand Up @@ -119,12 +128,43 @@ spec:
type: string
type: object
type: array
matchSyscallPaths:
items:
properties:
fromSource:
items:
properties:
dir:
type: string
path:
type: string
type: object
type: array
path:
type: string
recursive:
type: boolean
syscall:
items:
type: string
type: array
type: object
type: array
matchSyscalls:
description: 'Syscalls: MatchSyscalls'
items:
description: MatchSyscall defines a syscall for syscall
policies
properties:
fromSource:
items:
properties:
dir:
type: string
path:
type: string
type: object
type: array
syscalls:
items:
type: string
Expand Up @@ -38,9 +38,8 @@ spec:
description: SecurityIntentBindingSpec defines the desired state of SecurityIntentBinding
properties:
intents:
description: Foo is an example field of SecurityIntentBinding. Edit
securityintentbinding_types.go to remove/update
items:
description: Intent struct defines the request for a specific SecurityIntent
properties:
name:
type: string
31 changes: 31 additions & 0 deletions config/crd/bases/intent.security.nimbus.com_securityintents.yaml
Expand Up @@ -116,12 +116,43 @@ spec:
type: string
type: object
type: array
matchSyscallPaths:
items:
properties:
fromSource:
items:
properties:
dir:
type: string
path:
type: string
type: object
type: array
path:
type: string
recursive:
type: boolean
syscall:
items:
type: string
type: array
type: object
type: array
matchSyscalls:
description: 'Syscalls: MatchSyscalls'
items:
description: MatchSyscall defines a syscall for syscall
policies
properties:
fromSource:
items:
properties:
dir:
type: string
path:
type: string
type: object
type: array
syscalls:
items:
type: string