Skip to content

Commit

Permalink
feat: Add KubeArmor adapter
Browse files Browse the repository at this point in the history
Signed-off-by: Anurag Rajawat <[email protected]>
  • Loading branch information
anurag-rajawat committed Jan 9, 2024
1 parent 65e0acc commit c736ce3
Show file tree
Hide file tree
Showing 19 changed files with 487 additions and 143 deletions.
4 changes: 3 additions & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,9 @@ RUN go mod download
# Copy the go source
COPY cmd/main.go cmd/main.go
COPY api/ api/
COPY pkg/ pkg/
COPY pkg/exporter/ pkg/exporter/
COPY pkg/processor/ pkg/processor/
COPY pkg/receiver/ pkg/receiver/

# Build
# the GOARCH has not a default value to allow the binary be built according to the host where the command
Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust

.PHONY: generate
generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./pkg/..."
$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./api/..."

.PHONY: fmt
fmt: ## Run go fmt against code.
Expand Down
2 changes: 1 addition & 1 deletion api/v1/nimbuspolicy_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ type NimbusRules struct {
Id string `json:"id"`
Type string `json:"type,omitempty"`
Description string `json:"description,omitempty"`
Rule []Rule `json:"rule"`
Rule Rule `json:"rule"`
}

type Rule struct {
Expand Down
5 changes: 3 additions & 2 deletions api/v1/securityintent_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,14 @@ type SecurityIntentSpec struct {

// Intent defines the security policy details
type Intent struct {
// +kubebuilder:validation:Pattern:="^[a-zA-Z0-9]*$"
Id string `json:"id"`
Description string `json:"description,omitempty"`
Action string `json:"action"`
Mode string `json:"mode"`
Severity int `json:"severity,omitempty"`
Tags []string `json:"tags,omitempty"`
Params []SecurityIntentParams `json:"params"`
Params []SecurityIntentParams `json:"params,omitempty"`
}

// Resource defines the resources that the security policy applies to
Expand Down Expand Up @@ -110,7 +111,7 @@ type SecurityIntentStatus struct {

// SecurityIntent is the Schema for the securityintents API
// +kubebuilder:object:root=true
// +kubebuilder:resource: shortName="sit"
// +kubebuilder:resource: shortName="si"
// +kubebuilder:subresource:status
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

Expand Down
8 changes: 1 addition & 7 deletions api/v1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

205 changes: 101 additions & 104 deletions config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -48,111 +48,108 @@ spec:
id:
type: string
rule:
items:
properties:
action:
type: string
fromCIDRSet:
items:
description: CIDRSet defines CIDR ranges for network
policies
properties:
cidr:
properties:
action:
type: string
fromCIDRSet:
items:
description: CIDRSet defines CIDR ranges for network policies
properties:
cidr:
type: string
type: object
type: array
matchCapabilities:
description: 'Capabilities: MatchCapabilities'
items:
description: MatchCapability defines a capability for
capabilities policies
properties:
capability:
type: string
type: object
type: array
matchDirectories:
items:
description: MatchDirectory defines a directory for process
or file policies
properties:
dir:
type: string
fromSource:
items:
description: FromSource defines a source path for
directory-based policies
properties:
path:
type: string
type: object
type: array
type: object
type: array
matchPaths:
description: 'Process: MatchPaths, MatchDirectories, MatchPatterns
File: MatchPaths, MatchDirectories'
items:
description: MatchPath defines a path for process or file
policies
properties:
path:
type: string
type: object
type: array
matchPatterns:
items:
description: MatchPattern defines a pattern for process
policies
properties:
pattern:
type: string
type: object
type: array
matchProtocols:
description: 'Network: MatchProtocols'
items:
description: MatchProtocol defines a protocol for network
policies
properties:
protocol:
type: string
type: object
type: array
matchSyscalls:
description: 'Syscalls: MatchSyscalls'
items:
description: MatchSyscall defines a syscall for syscall
policies
properties:
syscalls:
items:
type: string
type: object
type: array
matchCapabilities:
description: 'Capabilities: MatchCapabilities'
items:
description: MatchCapability defines a capability for
capabilities policies
properties:
capability:
type: string
type: object
type: array
matchDirectories:
items:
description: MatchDirectory defines a directory for
process or file policies
properties:
dir:
type: string
fromSource:
items:
description: FromSource defines a source path
for directory-based policies
properties:
path:
type: string
type: object
type: array
type: object
type: array
matchPaths:
description: 'Process: MatchPaths, MatchDirectories, MatchPatterns
File: MatchPaths, MatchDirectories'
items:
description: MatchPath defines a path for process or
file policies
properties:
path:
type: string
type: object
type: array
matchPatterns:
items:
description: MatchPattern defines a pattern for process
policies
properties:
pattern:
type: string
type: object
type: array
matchProtocols:
description: 'Network: MatchProtocols'
items:
description: MatchProtocol defines a protocol for network
policies
properties:
protocol:
type: string
type: object
type: array
matchSyscalls:
description: 'Syscalls: MatchSyscalls'
items:
description: MatchSyscall defines a syscall for syscall
policies
properties:
syscalls:
items:
type: string
type: array
type: object
type: array
toPorts:
items:
description: ToPort defines ports and protocols for
network policies
properties:
ports:
items:
description: Port defines a network port and its
protocol
properties:
port:
type: string
protocol:
type: string
type: object
type: array
type: object
type: array
required:
- action
type: object
type: array
type: array
type: object
type: array
toPorts:
items:
description: ToPort defines ports and protocols for network
policies
properties:
ports:
items:
description: Port defines a network port and its
protocol
properties:
port:
type: string
protocol:
type: string
type: object
type: array
type: object
type: array
required:
- action
type: object
type:
type: string
required:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ spec:
listKind: SecurityIntentList
plural: securityintents
shortNames:
- sit
- si
singular: securityintent
scope: Namespaced
versions:
Expand Down Expand Up @@ -44,6 +44,7 @@ spec:
description:
type: string
id:
pattern: ^[a-zA-Z0-9]*$
type: string
mode:
type: string
Expand Down Expand Up @@ -158,7 +159,6 @@ spec:
- action
- id
- mode
- params
type: object
required:
- intent
Expand Down
20 changes: 20 additions & 0 deletions pkg/adapter/adapter.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright 2023 Authors of Nimbus

// Package adapter provides security engine adapters to use with nimbus.
package adapter

import (
"context"

v1 "github.com/5GSEC/nimbus/api/v1"
)

// The Adapters currently supported by nimbus.
var Adapters = []string{"kubearmor"}

// Adapter knows how to create/update and delete security-engine policies.
type Adapter interface {
ApplyPolicy(ctx context.Context, np v1.NimbusPolicy) error
DeletePolicy(ctx context.Context, np v1.NimbusPolicy) error
}
39 changes: 39 additions & 0 deletions pkg/adapter/exporter/exporter.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright 2023 Authors of Nimbus

package exporter

import (
"context"

"go.uber.org/zap"

v1 "github.com/5GSEC/nimbus/api/v1"
"github.com/5GSEC/nimbus/pkg/adapter"
"github.com/5GSEC/nimbus/pkg/adapter/k8s"
"github.com/5GSEC/nimbus/pkg/adapter/kubearmor"
)

// ExportNpToAdapters export nimbus policy to security-engine adapters.
func ExportNpToAdapters(loggr *zap.SugaredLogger, nimbusPolicy v1.NimbusPolicy) {
for _, adptr := range adapter.Adapters {
loggr.Infof("Exporting '%s' NimbusPolicy to %s security engine", nimbusPolicy.Name, adptr)
err := sendNpTo(loggr, nimbusPolicy, adptr)
if err != nil {
loggr.Warnf("%v", err)
}
}
}

func sendNpTo(loggr *zap.SugaredLogger, nimbusPolicy v1.NimbusPolicy, adptr string) error {
var securityEngineClient adapter.Adapter
k8sClient := k8s.NewClient(loggr)
switch adptr {
case "kubearmor":
securityEngineClient = kubearmor.NewKubeArmorClient(loggr, k8sClient)
err := securityEngineClient.ApplyPolicy(context.Background(), nimbusPolicy)
return err
default:
return nil
}
}
Loading

0 comments on commit c736ce3

Please sign in to comment.