kyverno

Signed-off-by: Ved Ratan <[email protected]> updated adapter for namespaced policy Signed-off-by: Ved Ratan <[email protected]> added clusterpolicy logic Signed-off-by: Ved Ratan <[email protected]> minor fixes Signed-off-by: Ved Ratan <[email protected]>
5GSEC · Mar 14, 2024 · 6e6968b · 6e6968b
1 parent 359d519
commit 6e6968b
Show file tree

Hide file tree

Showing 16 changed files with 3,371 additions and 0 deletions.
diff --git a/examples/clusterscoped/escape-to-host-si-sib.yaml b/examples/clusterscoped/escape-to-host-si-sib.yaml
@@ -0,0 +1,32 @@
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: escape-to-host
+spec:
+  intent:
+    id: escapeToHost
+    description: ""
+    action: Block
+---
+apiVersion: intent.security.nimbus.com/v1
+kind: ClusterSecurityIntentBinding
+metadata:
+  name: escape-to-host-binding
+spec:
+  intents:
+    - name: escape-to-host
+  selector:
+    resources:
+      - kind: Pod
+        name: pod1
+        namespace: ns1
+        matchLabels:
+          app: db
+          env: dev
+
+      - kind: Pod
+        name: pod1
+        namespace: ns2
+        matchLabels:
+          app: mongo
+          env: prod
diff --git a/examples/namespaced/escape-to-host-si-sib.yaml b/examples/namespaced/escape-to-host-si-sib.yaml
@@ -0,0 +1,26 @@
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: escape-to-host
+spec:
+  intent:
+    id: escapeToHost
+    description: "Description"
+    action: Block
+
+---
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+  name: escape-to-host-binding
+spec:
+  intents:
+    - name: escape-to-host
+  selector:
+    any:
+      - resources:
+          kind: Pod
+          namespace: default
+          matchLabels:
+            app: nginx    
diff --git a/pkg/adapter/idpool/idpool.go b/pkg/adapter/idpool/idpool.go
@@ -16,6 +16,7 @@ const (
 	DNSManipulation           = "dnsManipulation"
 	NetPortExec               = "netPortExec"
 	SysPathExec               = "sysPathExec"
+	EscapeToHost              = "escapeToHost"
 )
 
 // KaIds are IDs supported by KubeArmor.
@@ -28,13 +29,21 @@ var NetPolIDs = []string{
 	DNSManipulation,
 }
 
+// KyvIds are IDs supported by Kyverno.
+
+var KyvIds = []string{
+	EscapeToHost,
+}
+
 // IsIdSupportedBy determines whether a given ID is supported by a security engine.
 func IsIdSupportedBy(id, securityEngine string) bool {
 	switch strings.ToLower(securityEngine) {
 	case "kubearmor":
 		return in(id, KaIds)
 	case "netpol":
 		return in(id, NetPolIDs)
+	case "kyverno":
+		return in(id, KyvIds)
 	default:
 		return false
 	}

diff --git a/pkg/adapter/nimbus-kyverno/.dockerignore b/pkg/adapter/nimbus-kyverno/.dockerignore
@@ -0,0 +1 @@
+bin/
diff --git a/pkg/adapter/nimbus-kyverno/Dockerfile b/pkg/adapter/nimbus-kyverno/Dockerfile
@@ -0,0 +1,35 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+# Build the nimbus-kubearmor binary
+FROM golang:1.21 as builder
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY main.go main.go
+COPY manager/ manager/
+COPY processor/ processor/
+COPY watcher/ watcher/
+
+# Build
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-w" -a -o nimbus-kubearmor main.go
+
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/nimbus-kyverno .
+USER 65532:65532
+
+ENTRYPOINT ["/nimbus-kyverno"]
diff --git a/pkg/adapter/nimbus-kyverno/Makefile b/pkg/adapter/nimbus-kyverno/Makefile
@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+# Image URL to use all building/pushing image targets
+IMG ?= 5gsec/nimbus-kyverno
+# Image Tag to use all building/pushing image targets
+TAG ?= v0.1
+
+CONTAINER_TOOL ?= docker
+BINARY ?= bin/nimbus-kyverno
+
+build:
+	@go build -ldflags="-w" -o ${BINARY}  main.go
+
+run: build
+	@./${BINARY}
+
+.PHONY: docker-build
+docker-build:
+	$(CONTAINER_TOOL) build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} .
+
+.PHONY: docker-push
+docker-push:
+	$(CONTAINER_TOOL) push ${IMG}:${TAG}
+	$(CONTAINER_TOOL) push ${IMG}:latest
+
+PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
+.PHONY: docker-buildx
+docker-buildx:
+	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
+	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
+	- $(CONTAINER_TOOL) buildx create --name project-v3-builder
+	$(CONTAINER_TOOL) buildx use project-v3-builder
+	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --build-arg VERSION=${TAG} --tag ${IMG}:${TAG} -f Dockerfile.cross . || { $(CONTAINER_TOOL) buildx rm project-v3-builder; rm Dockerfile.cross; exit 1; }
+	- $(CONTAINER_TOOL) buildx rm project-v3-builder
+	rm Dockerfile.cross