From 1c73b8d2930acefa428f481bb42983484a4914a0 Mon Sep 17 00:00:00 2001 From: seungsoo-lee Date: Tue, 9 Jan 2024 15:04:33 +0000 Subject: [PATCH 1/2] Update nimbus-adapter --- pkg/nimbus-kubearmor/core/applier/applier.go | 48 ---- .../core/converter/converter.go | 114 ---------- .../core/converter/converthelper.go | 209 ------------------ .../core/enforcer/enforcer.go | 40 ---- pkg/nimbus-kubearmor/main.go | 2 +- 5 files changed, 1 insertion(+), 412 deletions(-) delete mode 100644 pkg/nimbus-kubearmor/core/applier/applier.go delete mode 100644 pkg/nimbus-kubearmor/core/converter/converter.go delete mode 100644 pkg/nimbus-kubearmor/core/converter/converthelper.go delete mode 100644 pkg/nimbus-kubearmor/core/enforcer/enforcer.go diff --git a/pkg/nimbus-kubearmor/core/applier/applier.go b/pkg/nimbus-kubearmor/core/applier/applier.go deleted file mode 100644 index aa7bc299..00000000 --- a/pkg/nimbus-kubearmor/core/applier/applier.go +++ /dev/null @@ -1,48 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of Nimbus - -package applier - -import ( - "context" - - "sigs.k8s.io/controller-runtime/pkg/log" - - kubearmorv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/types" - "sigs.k8s.io/controller-runtime/pkg/client" -) - -// Applier manages the enforcement of policies. -type Applier struct { - Client client.Client -} - -// NewApplier creates a new Applier. -func NewApplier(client client.Client) *Applier { - return &Applier{Client: client} -} - -// ApplyPolicy applies or updates a given KubeArmorPolicy. -func (e *Applier) ApplyPolicy(ctx context.Context, kubeArmorPolicy *kubearmorv1.KubeArmorPolicy) error { - log := log.FromContext(ctx) - - // Check if the policy already exists - existingPolicy := &kubearmorv1.KubeArmorPolicy{} - err := e.Client.Get(ctx, types.NamespacedName{Name: kubeArmorPolicy.Name, Namespace: kubeArmorPolicy.Namespace}, existingPolicy) - if err != nil && !errors.IsNotFound(err) { - log.Error(err, "Existing KubeArmorPolicy lookup failed", "PolicyName", kubeArmorPolicy.Name) - return err - } - - // Update if exists, create otherwise - if errors.IsNotFound(err) { - log.Info("Apply a new KubeArmorPolicy", "PolicyName", kubeArmorPolicy.Name, "Policy", kubeArmorPolicy) - return e.Client.Create(ctx, kubeArmorPolicy) - } else { - log.Info("Update existing KubeArmorPolicy", "PolicyName", kubeArmorPolicy.Name) - existingPolicy.Spec = kubeArmorPolicy.Spec - return e.Client.Update(ctx, existingPolicy) - } -} diff --git a/pkg/nimbus-kubearmor/core/converter/converter.go b/pkg/nimbus-kubearmor/core/converter/converter.go deleted file mode 100644 index cf630bbc..00000000 --- a/pkg/nimbus-kubearmor/core/converter/converter.go +++ /dev/null @@ -1,114 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of Nimbus - -package converter - -import ( - "context" - "strings" - - v1 "github.com/5GSEC/nimbus/api/v1" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/log" - - kubearmorv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -type PolicyConverter struct { - Client client.Client -} - -func NewPolicyConverter(client client.Client) *PolicyConverter { - return &PolicyConverter{Client: client} -} - -func (pt *PolicyConverter) Converter(ctx context.Context, nimbusPolicy v1.NimbusPolicy) (*kubearmorv1.KubeArmorPolicy, error) { - log := log.FromContext(ctx) - log.Info("Start Converting a NimbusPolicy", "PolicyName", nimbusPolicy.Name) - - kubeArmorPolicy := &kubearmorv1.KubeArmorPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: nimbusPolicy.Name, - Namespace: nimbusPolicy.Namespace, - }, - Spec: kubearmorv1.KubeArmorPolicySpec{ - Selector: kubearmorv1.SelectorType{ - MatchLabels: nimbusPolicy.Spec.Selector.MatchLabels, - }, - }, - } - kubeArmorPolicy.Spec.Selector.MatchLabels = nimbusPolicy.Spec.Selector.MatchLabels - - for _, nimbusRule := range nimbusPolicy.Spec.NimbusRules { - idParts := strings.Split(nimbusRule.Id, "-") - if len(idParts) != 3 { - log.Info("Invalid rule ID format", "ID", nimbusRule.Id) - continue - } - - ruleType := idParts[1] - category := idParts[2] - - for _, rule := range nimbusRule.Rule { - kubeArmorPolicy.Spec.Action = kubearmorv1.ActionType(rule.RuleAction) - - switch ruleType { - case "proc": - if processType, err := handleProcessPolicy(rule, category); err == nil { - kubeArmorPolicy.Spec.Process = processType - } else { - log.Error(err, "Failed to handle process policy") - return nil, err - } - - case "file": - if fileType, err := handleFilePolicy(rule, category); err == nil { - kubeArmorPolicy.Spec.File = fileType - } else { - log.Error(err, "Failed to handle file policy") - return nil, err - } - - case "net": - if networkType, err := handleNetworkPolicy(rule); err == nil { - kubeArmorPolicy.Spec.Network = networkType - } else { - log.Error(err, "Failed to handle network policy") - return nil, err - } - - case "syscall": - if syscallType, err := handleSyscallPolicy(rule, category); err == nil { - kubeArmorPolicy.Spec.Syscalls = syscallType - } else { - log.Error(err, "Failed to handle syscall policy") - return nil, err - } - - case "cap": - if capabilityType, err := handleCapabilityPolicy(rule); err == nil { - kubeArmorPolicy.Spec.Capabilities = capabilityType - } else { - log.Error(err, "Failed to handle capability policy") - return nil, err - } - default: - log.Info("Unsupported rule type", "Type", ruleType) - } - } - } - - if len(kubeArmorPolicy.Spec.Network.MatchProtocols) == 0 { - kubeArmorPolicy.Spec.Network.MatchProtocols = append(kubeArmorPolicy.Spec.Network.MatchProtocols, kubearmorv1.MatchNetworkProtocolType{ - Protocol: "raw", - }) - } - if len(kubeArmorPolicy.Spec.Capabilities.MatchCapabilities) == 0 { - kubeArmorPolicy.Spec.Capabilities.MatchCapabilities = append(kubeArmorPolicy.Spec.Capabilities.MatchCapabilities, kubearmorv1.MatchCapabilitiesType{ - Capability: "lease", - }) - } - - return kubeArmorPolicy, nil -} diff --git a/pkg/nimbus-kubearmor/core/converter/converthelper.go b/pkg/nimbus-kubearmor/core/converter/converthelper.go deleted file mode 100644 index c8325732..00000000 --- a/pkg/nimbus-kubearmor/core/converter/converthelper.go +++ /dev/null @@ -1,209 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of Nimbus - -package converter - -import ( - v1 "github.com/5GSEC/nimbus/api/v1" - - kubearmorv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" -) - -func handleProcessPolicy(rule v1.Rule, category string) (kubearmorv1.ProcessType, error) { - processType := kubearmorv1.ProcessType{ - MatchPaths: []kubearmorv1.ProcessPathType{}, - MatchDirectories: []kubearmorv1.ProcessDirectoryType{}, - MatchPatterns: []kubearmorv1.ProcessPatternType{}, - } - - switch category { - case "paths": - for _, matchPath := range rule.MatchPaths { - if matchPath.Path != "" { - processType.MatchPaths = append(processType.MatchPaths, kubearmorv1.ProcessPathType{ - Path: kubearmorv1.MatchPathType(matchPath.Path), - }) - } - } - - case "dirs": - for _, matchDir := range rule.MatchDirectories { - var fromSources []kubearmorv1.MatchSourceType - for _, source := range matchDir.FromSource { - fromSources = append(fromSources, kubearmorv1.MatchSourceType{ - Path: kubearmorv1.MatchPathType(source.Path), - }) - } - if matchDir.Directory != "" || len(fromSources) > 0 { - processType.MatchDirectories = append(processType.MatchDirectories, kubearmorv1.ProcessDirectoryType{ - Directory: kubearmorv1.MatchDirectoryType(matchDir.Directory), - FromSource: fromSources, - }) - } - } - - case "patterns": - for _, matchPattern := range rule.MatchPatterns { - if matchPattern.Pattern != "" { - processType.MatchPatterns = append(processType.MatchPatterns, kubearmorv1.ProcessPatternType{ - Pattern: matchPattern.Pattern, - }) - } - } - } - - // Set empty slices if fields are empty - if len(processType.MatchPaths) == 0 { - processType.MatchPaths = []kubearmorv1.ProcessPathType{} - } - if len(processType.MatchDirectories) == 0 { - processType.MatchDirectories = []kubearmorv1.ProcessDirectoryType{} - } - if len(processType.MatchPatterns) == 0 { - processType.MatchPatterns = []kubearmorv1.ProcessPatternType{} - } - - return processType, nil -} - -func handleFilePolicy(rule v1.Rule, category string) (kubearmorv1.FileType, error) { - fileType := kubearmorv1.FileType{ - MatchPaths: []kubearmorv1.FilePathType{}, - MatchDirectories: []kubearmorv1.FileDirectoryType{}, - MatchPatterns: []kubearmorv1.FilePatternType{}, - } - - switch category { - case "paths": - for _, matchPath := range rule.MatchPaths { - if matchPath.Path != "" { - fileType.MatchPaths = append(fileType.MatchPaths, kubearmorv1.FilePathType{ - Path: kubearmorv1.MatchPathType(matchPath.Path), - }) - } - } - case "dirs": - for _, matchDir := range rule.MatchDirectories { - var fromSources []kubearmorv1.MatchSourceType - for _, source := range matchDir.FromSource { - fromSources = append(fromSources, kubearmorv1.MatchSourceType{ - Path: kubearmorv1.MatchPathType(source.Path), - }) - } - if matchDir.Directory != "" || len(fromSources) > 0 { - fileType.MatchDirectories = append(fileType.MatchDirectories, kubearmorv1.FileDirectoryType{ - Directory: kubearmorv1.MatchDirectoryType(matchDir.Directory), - FromSource: fromSources, - }) - } - } - case "patterns": - for _, matchPattern := range rule.MatchPatterns { - if matchPattern.Pattern != "" { - fileType.MatchPatterns = append(fileType.MatchPatterns, kubearmorv1.FilePatternType{ - Pattern: matchPattern.Pattern, - }) - } - } - } - - // Set empty slices if fields are empty - if len(fileType.MatchPaths) == 0 { - fileType.MatchPaths = []kubearmorv1.FilePathType{} - } - if len(fileType.MatchDirectories) == 0 { - fileType.MatchDirectories = []kubearmorv1.FileDirectoryType{} - } - if len(fileType.MatchPatterns) == 0 { - fileType.MatchPatterns = []kubearmorv1.FilePatternType{} - } - - return fileType, nil -} - -func handleNetworkPolicy(rule v1.Rule) (kubearmorv1.NetworkType, error) { - networkType := kubearmorv1.NetworkType{ - MatchProtocols: []kubearmorv1.MatchNetworkProtocolType{}, - } - - for _, matchProtocol := range rule.MatchProtocols { - if matchProtocol.Protocol != "" { - networkType.MatchProtocols = append(networkType.MatchProtocols, kubearmorv1.MatchNetworkProtocolType{ - Protocol: kubearmorv1.MatchNetworkProtocolStringType(matchProtocol.Protocol), - }) - } - } - return networkType, nil -} - -func handleSyscallPolicy(rule v1.Rule, category string) (kubearmorv1.SyscallsType, error) { - // Initialize syscallType with default values - syscallType := kubearmorv1.SyscallsType{ - MatchSyscalls: []kubearmorv1.SyscallMatchType{}, - MatchPaths: []kubearmorv1.SyscallMatchPathType{}, - } - - switch category { - case "syscalls": - for _, matchSyscall := range rule.MatchSyscalls { - syscallMatch := kubearmorv1.SyscallMatchType{ - Syscalls: []kubearmorv1.Syscall{}, - } - for _, syscall := range matchSyscall.Syscalls { - if syscall != "" { - syscallMatch.Syscalls = append(syscallMatch.Syscalls, kubearmorv1.Syscall(syscall)) - } - } - syscallType.MatchSyscalls = append(syscallType.MatchSyscalls, syscallMatch) - } - - case "paths": - for _, matchSyscallPath := range rule.MatchSyscallPaths { - syscallMatchPath := kubearmorv1.SyscallMatchPathType{ - Path: kubearmorv1.MatchSyscallPathType(matchSyscallPath.Path), - Recursive: matchSyscallPath.Recursive, - Syscalls: []kubearmorv1.Syscall{}, - FromSource: []kubearmorv1.SyscallFromSourceType{}, - } - for _, syscall := range matchSyscallPath.Syscalls { - if syscall != "" { - syscallMatchPath.Syscalls = append(syscallMatchPath.Syscalls, kubearmorv1.Syscall(syscall)) - } - } - for _, fromSource := range matchSyscallPath.FromSource { - syscallFromSource := kubearmorv1.SyscallFromSourceType{ - Path: kubearmorv1.MatchPathType(fromSource.Path), - Dir: fromSource.Dir, - } - syscallMatchPath.FromSource = append(syscallMatchPath.FromSource, syscallFromSource) - } - syscallType.MatchPaths = append(syscallType.MatchPaths, syscallMatchPath) - } - } - - // Set empty slices if fields are empty - if len(syscallType.MatchSyscalls) == 0 { - syscallType.MatchSyscalls = []kubearmorv1.SyscallMatchType{} - } - // Set empty slices if fields are empty - if len(syscallType.MatchPaths) == 0 { - syscallType.MatchPaths = []kubearmorv1.SyscallMatchPathType{} - } - - return syscallType, nil -} - -func handleCapabilityPolicy(rule v1.Rule) (kubearmorv1.CapabilitiesType, error) { - capabilityType := kubearmorv1.CapabilitiesType{ - MatchCapabilities: []kubearmorv1.MatchCapabilitiesType{}, - } - - for _, matchCapability := range rule.MatchCapabilities { - if matchCapability.Capability != "" { - capabilityType.MatchCapabilities = append(capabilityType.MatchCapabilities, kubearmorv1.MatchCapabilitiesType{ - Capability: kubearmorv1.MatchCapabilitiesStringType(matchCapability.Capability), - }) - } - } - return capabilityType, nil -} diff --git a/pkg/nimbus-kubearmor/core/enforcer/enforcer.go b/pkg/nimbus-kubearmor/core/enforcer/enforcer.go deleted file mode 100644 index f0f8f5d8..00000000 --- a/pkg/nimbus-kubearmor/core/enforcer/enforcer.go +++ /dev/null @@ -1,40 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of Nimbus - -package enforcer - -import ( - "context" - - v1 "github.com/5GSEC/nimbus/api/v1" - "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/core/applier" - "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/core/converter" - - "sigs.k8s.io/controller-runtime/pkg/client" -) - -// PolicyEnforcer manages the conversion and enforcement of Nimbus policies. -type PolicyEnforcer struct { - converter *converter.PolicyConverter - applier *applier.Applier -} - -// NewPolicyEnforcer creates a new PolicyEnforcer instance. -func NewPolicyEnforcer(client client.Client) *PolicyEnforcer { - return &PolicyEnforcer{ - converter: converter.NewPolicyConverter(client), - applier: applier.NewApplier(client), - } -} - -// ExportAndApplyPolicy converts a NimbusPolicy to a KubeArmorPolicy and applies it. -func (pe *PolicyEnforcer) Enforcer(ctx context.Context, nimbusPolicy v1.NimbusPolicy) error { - // Convert NimbusPolicy to KubeArmorPolicy - kubeArmorPolicy, err := pe.converter.Converter(ctx, nimbusPolicy) - if err != nil { - return err - } - - // Apply the converted KubeArmorPolicy - return pe.applier.ApplyPolicy(ctx, kubeArmorPolicy) -} diff --git a/pkg/nimbus-kubearmor/main.go b/pkg/nimbus-kubearmor/main.go index 695247be..132ccccb 100644 --- a/pkg/nimbus-kubearmor/main.go +++ b/pkg/nimbus-kubearmor/main.go @@ -13,7 +13,7 @@ import ( "time" v1 "github.com/5GSEC/nimbus/api/v1" - "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/core/enforcer" + "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/processor/enforcer" watcher "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/receiver/nimbuspolicywatcher" "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/receiver/verifier" ctrl "sigs.k8s.io/controller-runtime" From 95e6dd3bcb73b27695660d23e02420e39f53305d Mon Sep 17 00:00:00 2001 From: b0m313 Date: Tue, 9 Jan 2024 17:05:34 +0000 Subject: [PATCH 2/2] Update nimbus-adapter --- pkg/nimbus-kubearmor/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/nimbus-kubearmor/main.go b/pkg/nimbus-kubearmor/main.go index 695247be..132ccccb 100644 --- a/pkg/nimbus-kubearmor/main.go +++ b/pkg/nimbus-kubearmor/main.go @@ -13,7 +13,7 @@ import ( "time" v1 "github.com/5GSEC/nimbus/api/v1" - "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/core/enforcer" + "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/processor/enforcer" watcher "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/receiver/nimbuspolicywatcher" "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/receiver/verifier" ctrl "sigs.k8s.io/controller-runtime"