feat: Add KubeArmor adapter #33

Closed
wants to merge 3 commits into from
Closed
4 changes: 3 additions & 1 deletion Dockerfile
Expand Up @@ -17,7 +17,9 @@ RUN go mod download
# Copy the go source
COPY cmd/main.go cmd/main.go
COPY api/ api/
COPY pkg/ pkg/
COPY pkg/exporter/ pkg/exporter/
COPY pkg/processor/ pkg/processor/
COPY pkg/receiver/ pkg/receiver/

# Build
# the GOARCH has not a default value to allow the binary be built according to the host where the command
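Review bot: The three new COPY lines enumerate pkg/exporter/, pkg/processor/ and pkg/receiver/ but leave out pkg/adapter/, which this same PR introduces (pkg/adapter/adapter.go and pkg/adapter/exporter/exporter.go further down the page), so the image build would fail with a missing-package error as soon as the binary imports it — inferred, since cmd/main.go is outside this diff. Add `COPY pkg/adapter/ pkg/adapter/`, or keep the removed `COPY pkg/ pkg/` line, which also avoids having to edit the Dockerfile every time a package is added. The surrounding RUN/build steps of this stage are outside the hunk.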
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -54,7 +54,7 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust

.PHONY: generate
generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./pkg/..."
$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./api/..."

.PHONY: fmt
fmt: ## Run go fmt against code.
2 changes: 1 addition & 1 deletion api/v1/nimbuspolicy_types.go
Expand Up @@ -33,7 +33,7 @@ type NimbusRules struct {
Id string `json:"id"`
Type string `json:"type,omitempty"`
Description string `json:"description,omitempty"`
Rule []Rule `json:"rule"`
Rule Rule `json:"rule"`
}

type Rule struct {
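Review bot: Replacing `Rule []Rule` with `Rule Rule` changes the wire shape of the `rule` field from an array to an object inside the same API version (v1), so any NimbusPolicy object already stored with `rule: [...]` no longer decodes, and the regenerated CRD schema on this page rejects the old form outright. If no objects exist yet that is acceptable, but it should be stated in the PR description; otherwise the change needs a new API version or a conversion webhook rather than an in-place edit. A doc comment on the field would also help readers of the generated CRD, e.g. `// Rule is the single engine-agnostic rule this entry translates to.` The rest of NimbusRules is visible only via the hunk header and closing brace.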
5 changes: 3 additions & 2 deletions api/v1/securityintent_types.go
Expand Up @@ -20,13 +20,14 @@ type SecurityIntentSpec struct {

// Intent defines the security policy details
type Intent struct {
// +kubebuilder:validation:Pattern:="^[a-zA-Z0-9]*$"
Id string `json:"id"`
Description string `json:"description,omitempty"`
Action string `json:"action"`
Mode string `json:"mode"`
Severity int `json:"severity,omitempty"`
Tags []string `json:"tags,omitempty"`
Params []SecurityIntentParams `json:"params"`
Params []SecurityIntentParams `json:"params,omitempty"`
}

// Resource defines the resources that the security policy applies to
Expand Down Expand Up @@ -110,7 +111,7 @@ type SecurityIntentStatus struct {

// SecurityIntent is the Schema for the securityintents API
// +kubebuilder:object:root=true
// +kubebuilder:resource: shortName="sit"
// +kubebuilder:resource: shortName="si"
// +kubebuilder:subresource:status
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

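Review bot: The new validation pattern `^[a-zA-Z0-9]*$` on Id still admits the empty string, because `*` matches zero characters and a `required` entry in the CRD schema does not reject `""` for a string field, so a SecurityIntent with `id: ""` passes admission and later identifies a policy by an empty id. Use `// +kubebuilder:validation:Pattern:="^[a-zA-Z0-9]+$"` or add `// +kubebuilder:validation:MinLength=1`, then regenerate the CRD yaml shown later on this page so the two stay in sync. Note also that the pattern forbids `-` and `_`, so ids like `block-ssh` are rejected; confirm that is intended and document it on the field. The second hunk (shortName `sit` → `si`) is fine as long as the generated CRD is regenerated with it, which the yaml section on this page shows.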
8 changes: 1 addition & 7 deletions api/v1/zz_generated.deepcopy.go


205 changes: 101 additions & 104 deletions config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml
Expand Up @@ -48,111 +48,108 @@ spec:
id:
type: string
rule:
items:
properties:
action:
type: string
fromCIDRSet:
items:
description: CIDRSet defines CIDR ranges for network
policies
properties:
cidr:
properties:
action:
type: string
fromCIDRSet:
items:
description: CIDRSet defines CIDR ranges for network policies
properties:
cidr:
type: string
type: object
type: array
matchCapabilities:
description: 'Capabilities: MatchCapabilities'
items:
description: MatchCapability defines a capability for
capabilities policies
properties:
capability:
type: string
type: object
type: array
matchDirectories:
items:
description: MatchDirectory defines a directory for process
or file policies
properties:
dir:
type: string
fromSource:
items:
description: FromSource defines a source path for
directory-based policies
properties:
path:
type: string
type: object
type: array
type: object
type: array
matchPaths:
description: 'Process: MatchPaths, MatchDirectories, MatchPatterns
File: MatchPaths, MatchDirectories'
items:
description: MatchPath defines a path for process or file
policies
properties:
path:
type: string
type: object
type: array
matchPatterns:
items:
description: MatchPattern defines a pattern for process
policies
properties:
pattern:
type: string
type: object
type: array
matchProtocols:
description: 'Network: MatchProtocols'
items:
description: MatchProtocol defines a protocol for network
policies
properties:
protocol:
type: string
type: object
type: array
matchSyscalls:
description: 'Syscalls: MatchSyscalls'
items:
description: MatchSyscall defines a syscall for syscall
policies
properties:
syscalls:
items:
type: string
type: object
type: array
matchCapabilities:
description: 'Capabilities: MatchCapabilities'
items:
description: MatchCapability defines a capability for
capabilities policies
properties:
capability:
type: string
type: object
type: array
matchDirectories:
items:
description: MatchDirectory defines a directory for
process or file policies
properties:
dir:
type: string
fromSource:
items:
description: FromSource defines a source path
for directory-based policies
properties:
path:
type: string
type: object
type: array
type: object
type: array
matchPaths:
description: 'Process: MatchPaths, MatchDirectories, MatchPatterns
File: MatchPaths, MatchDirectories'
items:
description: MatchPath defines a path for process or
file policies
properties:
path:
type: string
type: object
type: array
matchPatterns:
items:
description: MatchPattern defines a pattern for process
policies
properties:
pattern:
type: string
type: object
type: array
matchProtocols:
description: 'Network: MatchProtocols'
items:
description: MatchProtocol defines a protocol for network
policies
properties:
protocol:
type: string
type: object
type: array
matchSyscalls:
description: 'Syscalls: MatchSyscalls'
items:
description: MatchSyscall defines a syscall for syscall
policies
properties:
syscalls:
items:
type: string
type: array
type: object
type: array
toPorts:
items:
description: ToPort defines ports and protocols for
network policies
properties:
ports:
items:
description: Port defines a network port and its
protocol
properties:
port:
type: string
protocol:
type: string
type: object
type: array
type: object
type: array
required:
- action
type: object
type: array
type: array
type: object
type: array
toPorts:
items:
description: ToPort defines ports and protocols for network
policies
properties:
ports:
items:
description: Port defines a network port and its
protocol
properties:
port:
type: string
protocol:
type: string
type: object
type: array
type: object
type: array
required:
- action
type: object
type:
type: string
required:
Expand Up @@ -12,7 +12,7 @@ spec:
listKind: SecurityIntentList
plural: securityintents
shortNames:
- sit
- si
singular: securityintent
scope: Namespaced
versions:
Expand Down Expand Up @@ -44,6 +44,7 @@ spec:
description:
type: string
id:
pattern: ^[a-zA-Z0-9]*$
type: string
mode:
type: string
Expand Down Expand Up @@ -158,7 +159,6 @@ spec:
- action
- id
- mode
- params
type: object
required:
- intent
20 changes: 20 additions & 0 deletions pkg/adapter/adapter.go
@@ -0,0 +1,20 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright 2023 Authors of Nimbus

// Package adapter provides security engine adapters to use with nimbus.
package adapter

import (
"context"

v1 "github.com/5GSEC/nimbus/api/v1"
)

// The Adapters currently supported by nimbus.
var Adapters = []string{"kubearmor"}

// Adapter knows how to create/update and delete security-engine policies.
type Adapter interface {
ApplyPolicy(ctx context.Context, np v1.NimbusPolicy) error
DeletePolicy(ctx context.Context, np v1.NimbusPolicy) error
}
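Review bot: `Adapters` is an exported, mutable package-level slice, and exporter.go on this page ranges over it to decide which security engines receive every policy, so any importer that appends to or reorders it silently changes where policies are sent. Prefer an unexported slice behind an accessor that hands out a copy, e.g. `func SupportedAdapters() []string { return slices.Clone(adapters) }` (Go 1.21+), or at minimum document it as read-only. The doc comment should also start with the identifier per Go convention: `// Adapters lists the security-engine adapters nimbus currently supports; treat it as read-only.` Both interface methods take `v1.NimbusPolicy` by value; if that type carries ObjectMeta (likely for a CRD type, but defined outside this diff) a `*v1.NimbusPolicy` parameter avoids copying it on every call.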
39 changes: 39 additions & 0 deletions pkg/adapter/exporter/exporter.go
@@ -0,0 +1,39 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright 2023 Authors of Nimbus

package exporter

import (
"context"

"go.uber.org/zap"

v1 "github.com/5GSEC/nimbus/api/v1"
"github.com/5GSEC/nimbus/pkg/adapter"
"github.com/5GSEC/nimbus/pkg/adapter/k8s"
"github.com/5GSEC/nimbus/pkg/adapter/kubearmor"
)

// ExportNpToAdapters export nimbus policy to security-engine adapters.
func ExportNpToAdapters(loggr *zap.SugaredLogger, nimbusPolicy v1.NimbusPolicy) {
for _, adptr := range adapter.Adapters {
loggr.Infof("Exporting '%s' NimbusPolicy to %s security engine", nimbusPolicy.Name, adptr)
err := sendNpTo(loggr, nimbusPolicy, adptr)
if err != nil {
loggr.Warnf("%v", err)
}
}
}

func sendNpTo(loggr *zap.SugaredLogger, nimbusPolicy v1.NimbusPolicy, adptr string) error {
var securityEngineClient adapter.Adapter
k8sClient := k8s.NewClient(loggr)
switch adptr {
case "kubearmor":
securityEngineClient = kubearmor.NewKubeArmorClient(loggr, k8sClient)
err := securityEngineClient.ApplyPolicy(context.Background(), nimbusPolicy)
return err
default:
return nil
}
}
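Review bot: Errors from `ApplyPolicy` are logged at Warn level in ExportNpToAdapters and then dropped, so a policy that never reaches the security engine looks successful to the caller — the reconciler cannot requeue or reflect the failure in status, and the intended enforcement is silently absent. Related, the `default` branch of sendNpTo returns `nil` for an adapter name it does not recognise, which turns a typo in `adapter.Adapters` into another silent no-op, and `context.Background()` means the apply can neither be cancelled nor time out; the caller's `ctx` should be threaded through. `k8s.NewClient(loggr)` is also called on every policy for every adapter; if it builds a fresh rest client each time (NewClient is outside this diff) it belongs at construction time, not in the loop. The sketch below returns a joined error (`errors.Join`, Go 1.20+), rejects unknown adapters, and accepts `ctx`; it needs `errors` and `fmt` imported and the callers of ExportNpToAdapters, which are outside this diff, updated for the new signature.
```go
// ExportNpToAdapters exports a NimbusPolicy to every supported security-engine
// adapter and returns the joined errors so the caller can requeue or set status.
func ExportNpToAdapters(ctx context.Context, loggr *zap.SugaredLogger, nimbusPolicy v1.NimbusPolicy) error {
	var errs []error
	for _, adptr := range adapter.Adapters {
		loggr.Infof("Exporting '%s' NimbusPolicy to %s security engine", nimbusPolicy.Name, adptr)
		if err := sendNpTo(ctx, loggr, nimbusPolicy, adptr); err != nil {
			errs = append(errs, fmt.Errorf("exporting to %s: %w", adptr, err))
		}
	}
	return errors.Join(errs...)
}

// sendNpTo applies nimbusPolicy through the named adapter; an unknown name is an error.
func sendNpTo(ctx context.Context, loggr *zap.SugaredLogger, nimbusPolicy v1.NimbusPolicy, adptr string) error {
	switch adptr {
	case "kubearmor":
		k8sClient := k8s.NewClient(loggr)
		return kubearmor.NewKubeArmorClient(loggr, k8sClient).ApplyPolicy(ctx, nimbusPolicy)
	default:
		return fmt.Errorf("unknown security-engine adapter %q", adptr)
	}
}
```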