Skip to content

Commit

Permalink
Merge pull request #39 from anurag-rajawat/feat-netpol-adapter
Browse files Browse the repository at this point in the history 
feat: Add Network Policy adapter
  • Loading branch information
@seungsoo-lee
seungsoo-lee authored Jan 29, 2024
2 parents 5e0ddf9 + 91adb72 commit 01178b5
Show file tree
Hide file tree
Showing 25 changed files with 898 additions and 225 deletions.
0 docs/Getting-Started.md → docs/getting-started.md
View file
File renamed without changes.
209 changes: 132 additions & 77 deletions docs/Quick-tutorials.md → docs/quick-tutorials.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
## Create a sample deployment

```shell
$ kubectl apply -f ./test/env/nginx-deploy.yaml
kubectl apply -f ./test/env/nginx-deploy.yaml
deployment.apps/nginx created
```

Expand Down Expand Up @@ -35,7 +35,15 @@ go run cmd/main.go
2024-01-13T22:12:20+05:30 INFO Starting workers {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "worker count": 1}
```

## Run Adapter (in this example, KubeArmor)
## Run Adapters

### KubeArmor

> [!Note]
> The `nimbus-kubearmor` adapter leverages the [KubeArmor](https://kubearmor.io) security engine for its functionality.
> To use this adapter, you'll need KubeArmor installed. Please
> follow [this](https://github.com/kubearmor/KubeArmor/blob/main/getting-started/deployment_guide.md) guide for
> installation.
```shell
$ cd pkg/adapter/nimbus-kubearmor
Expand All @@ -44,6 +52,21 @@ $ make run
{"level":"info","ts":"2024-01-13T22:13:25+05:30","msg":"NimbusPolicy watcher started"}
```

### Network Policy

> [!Note]
> The `nimbus-netpol` adapter leverages
> the [network plugin](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/).
> To use network policies, you must be using a networking solution which supports NetworkPolicy.
```shell
$ cd pkg/adapter/nimbus-netpol
$ make run
{"level":"info","ts":"2024-01-23T17:20:46+05:30","msg":"Network Policy adapter started"}
{"level":"info","ts":"2024-01-23T17:20:46+05:30","msg":"NimbusPolicy watcher started"}
{"level":"info","ts":"2024-01-23T17:20:46+05:30","msg":"ClusterNimbusPolicy watcher started"}
```

## Create SecurityIntent and SecurityIntentBinding

```shell
Expand Down Expand Up @@ -74,67 +97,15 @@ NAME STATUS
multiple-sis-nsscoped-binding Created
```

* Verify Nimbus policy
## Verify the Security Engines policies

```shell
$ kubectl get nimbuspolicy
NAME STATUS
multiple-sis-nsscoped-binding Created
```
### KubeArmorPolicy

or inspect nimbuspolicy for detailed info:
KubeArmor adapter logs that detected NimbusPolicy is shown below:

```shell
$ kubectl get nimbuspolicy multiple-sis-nsscoped-binding -o yaml
```

```yaml
apiVersion: intent.security.nimbus.com/v1
kind: NimbusPolicy
metadata:
creationTimestamp: "2024-01-13T16:43:56Z"
generation: 1
name: multiple-sis-nsscoped-binding
namespace: default
ownerReferences:
- apiVersion: intent.security.nimbus.com/v1
blockOwnerDeletion: true
controller: true
kind: SecurityIntentBinding
name: multiple-sis-nsscoped-binding
uid: b047d013-b402-4126-9798-529d96d2cc85
resourceVersion: "406627"
uid: 6ef05c5b-660f-4ba0-baa3-bbf87e501cca
spec:
rules:
- description: Do not allow the execution of package managers inside the containers
id: swDeploymentTools
rule:
action: Block
mode: Strict
- id: unAuthorizedSaTokenAccess
rule:
action: Block
mode: strict
- id: dnsManipulation
rule:
action: Block
mode: best-effort
selector:
matchLabels:
app: nginx
status:
status: Created
```
## Verify the Security Engine policy (in this example, KubeArmorPolicy)
KubeArmor adapter logs can that that detected NimbusPolicy is shown below:
```shell
{"level":"info","ts":"2024-01-13T22:13:25+05:30","msg":"KubeArmor Adapter started"}
{"level":"info","ts":"2024-01-13T22:13:25+05:30","msg":"NimbusPolicy watcher started"}
{"level":"info","ts":"2024-01-13T22:13:56+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"}
...
...
{"level":"info","ts":"2024-01-13T22:13:57+05:30","msg":"KubeArmor does not support this ID","ID":"dnsManipulation","NimbusPolicy":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-13T22:13:57+05:30","msg":"KubeArmorPolicy Created","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-swdeploymenttools","KubeArmorPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-13T22:13:57+05:30","msg":"KubeArmorPolicy Created","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-unauthorizedsatokenaccess","KubeArmorPolicy.Namespace":"default"}
Expand All @@ -161,12 +132,19 @@ kind: KubeArmorPolicy
metadata:
annotations:
app.kubernetes.io/managed-by: nimbus-kubearmor
creationTimestamp: "2024-01-13T16:43:57Z"
creationTimestamp: "2024-01-23T12:05:54Z"
generation: 1
name: multiple-sis-nsscoped-binding-swdeploymenttools
namespace: default
resourceVersion: "406628"
uid: b665ed3c-89de-40c4-bf24-1ac7e8ca63eb
ownerReferences:
- apiVersion: intent.security.nimbus.com/v1
blockOwnerDeletion: true
controller: true
kind: NimbusPolicy
name: multiple-sis-nsscoped-binding
uid: 2e634795-0e4d-4172-9d1d-bf783e6bc1c6
resourceVersion: "550197"
uid: 22f38fe4-3e71-437d-93e8-8eb517a12ad1
spec:
action: Block
capabilities: { }
Expand Down Expand Up @@ -227,12 +205,19 @@ kind: KubeArmorPolicy
metadata:
annotations:
app.kubernetes.io/managed-by: nimbus-kubearmor
creationTimestamp: "2024-01-13T16:43:57Z"
creationTimestamp: "2024-01-23T12:05:54Z"
generation: 1
name: multiple-sis-nsscoped-binding-unauthorizedsatokenaccess
namespace: default
resourceVersion: "406629"
uid: 6644f0a9-46a2-4bde-9b5a-b01947da3311
ownerReferences:
- apiVersion: intent.security.nimbus.com/v1
blockOwnerDeletion: true
controller: true
kind: NimbusPolicy
name: multiple-sis-nsscoped-binding
uid: 2e634795-0e4d-4172-9d1d-bf783e6bc1c6
resourceVersion: "550198"
uid: 8ac4bf6f-d543-4dad-9c9d-c2dc96f53925
spec:
action: Block
capabilities: { }
Expand All @@ -248,6 +233,72 @@ spec:
syscalls: { }
```
### NetworkPolicy
Network Policy adapter logs that detected NimbusPolicy is shown below:
```shell
...
...
{"level":"info","ts":"2024-01-23T17:26:24+05:30","msg":"Network Policy adapter does not support this ID","ID":"swDeploymentTools","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-23T17:26:24+05:30","msg":"Network Policy adapter does not support this ID","ID":"unAuthorizedSaTokenAccess","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-23T17:26:24+05:30","msg":"NetworkPolicy created","NetworkPolicy.Name":"multiple-sis-nsscoped-binding-dnsmanipulation","NetworkPolicy.Namespace":"default"}
```

You can also review the network policies that were successfully generated:

```shell
$ kubectl get networkpolicy
NAME POD-SELECTOR AGE
multiple-sis-nsscoped-binding-dnsmanipulation app=nginx 3m44s
```

Or, inspect policy for detailed info:

```shell
$ kubectl get networkpolicy multiple-sis-nsscoped-binding-dnsmanipulation -o yaml
```

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
annotations:
app.kubernetes.io/managed-by: nimbus-netpol
creationTimestamp: "2024-01-23T11:56:24Z"
generation: 1
name: multiple-sis-nsscoped-binding-dnsmanipulation
namespace: default
ownerReferences:
- apiVersion: intent.security.nimbus.com/v1
blockOwnerDeletion: true
controller: true
kind: NimbusPolicy
name: multiple-sis-nsscoped-binding
uid: a151ee11-539f-4dad-92ae-9a813a681790
resourceVersion: "549724"
uid: 8018a181-d317-418f-a700-d41369235701
spec:
egress:
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
podSelector:
matchLabels:
app: nginx
policyTypes:
- Egress
```
## Cleanup
* The SecurityIntent and SecurityIntentBinding created earlier are no longer needed and can be deleted:
Expand All @@ -260,19 +311,23 @@ securityintent.intent.security.nimbus.com "dns-manipulation-multiple-nsscoped" d
securityintentbinding.intent.security.nimbus.com "multiple-sis-nsscoped-binding" deleted
```

* Check Security Engine adapter logs:
* Check KubeArmor Security Engine adapter logs:

```shell
{"level":"info","ts":"2024-01-13T22:13:25+05:30","msg":"KubeArmor Adapter started"}
{"level":"info","ts":"2024-01-13T22:13:25+05:30","msg":"NimbusPolicy watcher started"}
{"level":"info","ts":"2024-01-13T22:13:56+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-13T22:13:57+05:30","msg":"KubeArmor does not support this ID","ID":"dnsManipulation","NimbusPolicy":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-13T22:13:57+05:30","msg":"KubeArmorPolicy Created","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-swdeploymenttools","KubeArmorPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-13T22:13:57+05:30","msg":"KubeArmorPolicy Created","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-unauthorizedsatokenaccess","KubeArmorPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-13T22:17:48+05:30","msg":"NimbusPolicy deleted","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-13T22:17:49+05:30","msg":"KubeArmor does not support this ID","ID":"dnsManipulation","NimbusPolicy":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-13T22:17:49+05:30","msg":"KubeArmorPolicy deleted due to NimbusPolicy deletion","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-swdeploymenttools","KubeArmorPolicy.Namespace":"default","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-13T22:17:49+05:30","msg":"KubeArmorPolicy deleted due to NimbusPolicy deletion","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-unauthorizedsatokenaccess","KubeArmorPolicy.Namespace":"default","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"}
...
{"level":"info","ts":"2024-01-23T17:40:51+05:30","msg":"KubeArmorPolicy already deleted, no action needed","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-swdeploymenttools","KubeArmorPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-23T17:40:51+05:30","msg":"KubeArmorPolicy already deleted, no action needed","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-unauthorizedsatokenaccess","KubeArmorPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-23T17:40:51+05:30","msg":"KubeArmorPolicy already deleted, no action needed","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-dnsmanipulation","KubeArmorPolicy.Namespace":"default"}
```

* Check Network Policy adapter logs:

```shell
...
...
{"level":"info","ts":"2024-01-23T17:33:28+05:30","msg":"Network Policy adapter does not support this ID","ID":"swDeploymentTools","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-23T17:33:28+05:30","msg":"Network Policy adapter does not support this ID","ID":"unAuthorizedSaTokenAccess","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-01-23T17:33:28+05:30","msg":"NetworkPolicy already deleted, no action needed","NetworkPolicy.Name":"multiple-sis-nsscoped-binding-dnsmanipulation","NetworkPolicy.Namespace":"default"}
```

* Delete deployment
Expand All @@ -285,6 +340,6 @@ deployment.apps "nginx" deleted
* Confirm all resources have been deleted (Optional)

```shell
$ kubectl get securityintent,securityintentbinding,nimbuspolicy,kubearmorpolicy -A
$ kubectl get securityintent,securityintentbinding,kubearmorpolicy,netpol -A
No resources found
```
33 changes: 17 additions & 16 deletions go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,28 +3,29 @@ module github.com/5GSEC/nimbus
go 1.21

require (
github.com/onsi/ginkgo/v2 v2.13.0
github.com/onsi/gomega v1.29.0
github.com/onsi/ginkgo/v2 v2.14.0
github.com/onsi/gomega v1.30.0
k8s.io/apimachinery v0.29.0
k8s.io/client-go v0.29.0
sigs.k8s.io/controller-runtime v0.16.3
sigs.k8s.io/controller-runtime v0.17.0
)

require (
github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
github.com/go-logr/logr v1.3.0 // indirect
github.com/evanphx/json-patch v5.6.0+incompatible // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/stoewer/go-strcase v1.2.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
)

require (
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/evanphx/json-patch/v5 v5.8.0 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-logr/zapr v1.3.0 // indirect
github.com/go-openapi/jsonpointer v0.20.0 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect
Expand All @@ -48,7 +49,7 @@ require (
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/prometheus/client_golang v1.17.0 // indirect
github.com/prometheus/client_golang v1.18.0 // indirect
github.com/prometheus/client_model v0.5.0 // indirect
github.com/prometheus/common v0.45.0 // indirect
github.com/prometheus/procfs v0.12.0 // indirect
Expand All @@ -57,22 +58,22 @@ require (
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/net v0.19.0 // indirect
golang.org/x/oauth2 v0.12.0 // indirect
golang.org/x/sys v0.13.0 // indirect
golang.org/x/term v0.13.0 // indirect
golang.org/x/text v0.13.0 // indirect
golang.org/x/sys v0.16.0 // indirect
golang.org/x/term v0.15.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.12.0 // indirect
golang.org/x/tools v0.16.1 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/api v0.29.0 // indirect
k8s.io/apiextensions-apiserver v0.28.3 // indirect
k8s.io/component-base v0.28.3 // indirect
k8s.io/apiextensions-apiserver v0.29.0 // indirect
k8s.io/component-base v0.29.0 // indirect
k8s.io/klog/v2 v2.110.1 // indirect
k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
Expand Down
Loading

0 comments on commit 01178b5

Please sign in to comment.