diff --git a/deployments/nimbus-kubearmor/Chart.yaml b/deployments/nimbus-kubearmor/Chart.yaml index 2e33d805..71b7b5fb 100644 --- a/deployments/nimbus-kubearmor/Chart.yaml +++ b/deployments/nimbus-kubearmor/Chart.yaml @@ -15,10 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 +version: 0.1.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.1.1" +appVersion: "0.1.2" diff --git a/deployments/nimbus-kubearmor/templates/deployment.yaml b/deployments/nimbus-kubearmor/templates/daemonset.yaml similarity index 93% rename from deployments/nimbus-kubearmor/templates/deployment.yaml rename to deployments/nimbus-kubearmor/templates/daemonset.yaml index 15609c2e..ff273ce2 100644 --- a/deployments/nimbus-kubearmor/templates/deployment.yaml +++ b/deployments/nimbus-kubearmor/templates/daemonset.yaml @@ -1,12 +1,11 @@ apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: name: {{ include "nimbus-kubearmor.fullname" . }} labels: {{- include "nimbus-kubearmor.labels" . | nindent 4 }} namespace: {{ .Release.Namespace }} spec: - replicas: {{ .Values.replicaCount }} selector: matchLabels: {{- include "nimbus-kubearmor.selectorLabels" . | nindent 6 }} diff --git a/deployments/nimbus-kubearmor/templates/role.yaml b/deployments/nimbus-kubearmor/templates/role.yaml index 1ef3109c..c195365a 100644 --- a/deployments/nimbus-kubearmor/templates/role.yaml +++ b/deployments/nimbus-kubearmor/templates/role.yaml 
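Review bot: Changing `kind: Deployment` to `kind: DaemonSet` at the top of the daemonset.yaml hunk places one copy of the adapter, and therefore its service-account token, on every node, which widens the blast radius of what role.yaml grants (status patch/update and whatever it allows on security.kubearmor.com) to any single compromised node. Nothing in the visible pod spec shows a node-local requirement such as hostPath or host networking, so if the adapter only talks to the API server a single-replica Deployment is the least-privilege shape. Multiple instances reconciling the same NimbusPolicy objects will also race on status writes unless the controller uses leader election, which is not visible here. If per-node placement is deliberate, document it above the kind line, e.g. `# DaemonSet by design: the adapter needs a per-node presence (<reason>)`.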
@@ -12,6 +12,15 @@ rules: - get - list - watch + - apiGroups: + - intent.security.nimbus.com + resources: + - nimbuspolicies/status + - clusternimbuspolicies/status + verbs: + - get + - patch + - update - apiGroups: - security.kubearmor.com resources: diff --git a/deployments/nimbus-kubearmor/values.yaml b/deployments/nimbus-kubearmor/values.yaml index 8691d620..3acaebfa 100644 --- a/deployments/nimbus-kubearmor/values.yaml +++ b/deployments/nimbus-kubearmor/values.yaml @@ -1,7 +1,5 @@ # Default values for nimbus-kubearmor. -replicaCount: 1 - image: repository: 5gsec/nimbus-kubearmor pullPolicy: Always diff --git a/deployments/nimbus-netpol/Chart.yaml b/deployments/nimbus-netpol/Chart.yaml index dbdd11c3..abcde436 100644 --- a/deployments/nimbus-netpol/Chart.yaml +++ b/deployments/nimbus-netpol/Chart.yaml @@ -15,10 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 +version: 0.1.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.1.1" +appVersion: "0.1.2" diff --git a/deployments/nimbus-netpol/templates/deployment.yaml b/deployments/nimbus-netpol/templates/daemonset.yaml similarity index 93% rename from deployments/nimbus-netpol/templates/deployment.yaml rename to deployments/nimbus-netpol/templates/daemonset.yaml index 384c68eb..9c53ca92 100644 --- a/deployments/nimbus-netpol/templates/deployment.yaml +++ b/deployments/nimbus-netpol/templates/daemonset.yaml 
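Review bot: The new rule grants `get`/`patch`/`update` on `clusternimbuspolicies/status`, a cluster-scoped resource, but the manifest's `kind:` line is outside the hunk and the file is named role.yaml; if it is a namespaced Role rather than a ClusterRole that entry is dead, because Role rules never match cluster-scoped requests, and the adapter's ClusterNimbusPolicy status writes will be forbidden. If the adapter uses a single write path, keep only the verb it actually calls (`patch` for `Status().Patch()`, `update` for `Status().Update()`); granting both widens what a compromised adapter can overwrite for no benefit. A one-line comment on the rule, `# status subresource only: the adapter records adapterPolicies / numberOfAdapterPolicies`, would make the intent reviewable.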
@@ -1,12 +1,11 @@ apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: name: {{ include "nimbus-netpol.fullname" . }} labels: {{- include "nimbus-netpol.labels" . | nindent 4 }} namespace: {{ .Release.Namespace }} spec: - replicas: {{ .Values.replicaCount }} selector: matchLabels: {{- include "nimbus-netpol.selectorLabels" . | nindent 6 }} diff --git a/deployments/nimbus-netpol/templates/role.yaml b/deployments/nimbus-netpol/templates/role.yaml index 9ddc8fb8..ea4a41e1 100644 --- a/deployments/nimbus-netpol/templates/role.yaml +++ b/deployments/nimbus-netpol/templates/role.yaml @@ -12,6 +12,15 @@ rules: - get - list - watch + - apiGroups: + - intent.security.nimbus.com + resources: + - nimbuspolicies/status + - clusternimbuspolicies/status + verbs: + - get + - patch + - update - apiGroups: - networking.k8s.io resources: diff --git a/deployments/nimbus-netpol/values.yaml b/deployments/nimbus-netpol/values.yaml index 07f823f0..02310caf 100644 --- a/deployments/nimbus-netpol/values.yaml +++ b/deployments/nimbus-netpol/values.yaml @@ -1,7 +1,5 @@ # Default values for nimbus-netpol. -replicaCount: 1 - image: repository: 5gsec/nimbus-netpol pullPolicy: Always diff --git a/deployments/nimbus/Chart.yaml b/deployments/nimbus/Chart.yaml index ec97071e..d036bad3 100644 --- a/deployments/nimbus/Chart.yaml +++ b/deployments/nimbus/Chart.yaml 
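Review bot: With `kind: DaemonSet` every node now runs its own nimbus-netpol reconciler against the same NimbusPolicy objects, so N instances will each try to create the same NetworkPolicy and patch the same `/status`; without leader election (not visible in this hunk) that yields conflict errors and constant churn on the new `lastUpdated` field. A NetworkPolicy adapter needs nothing but API-server access, so unless there is a node-local reason a Deployment with one leader is the safer shape and keeps a token with cluster-wide policy-write rights off every node. If the DaemonSet is intentional, add `# DaemonSet by design: <reason>` above `kind:` and confirm the controller is started with leader election enabled.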
@@ -15,10 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.1.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.1.0" +appVersion: "0.1.1" diff --git a/deployments/nimbus/templates/crds.yaml b/deployments/nimbus/templates/crds.yaml index 879da3db..1211d446 100644 --- a/deployments/nimbus/templates/crds.yaml +++ b/deployments/nimbus/templates/crds.yaml @@ -1,6 +1,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 name: clusternimbuspolicies.intent.security.nimbus.com spec: group: intent.security.nimbus.com @@ -17,6 +19,12 @@ spec: - jsonPath: .status.status name: Status type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.numberOfAdapterPolicies + name: Policies + type: integer name: v1 schema: openAPIV3Schema: @@ -51,8 +59,6 @@ spec: properties: action: type: string - mode: - type: string params: additionalProperties: items: @@ -61,7 +67,6 @@ spec: type: object required: - action - - mode type: object type: type: string @@ -102,9 +107,20 @@ spec: status: description: ClusterNimbusPolicyStatus defines the observed state of ClusterNimbusPolicy properties: + adapterPolicies: + items: + type: string + type: array + lastUpdated: + format: date-time + type: string + numberOfAdapterPolicies: + format: int32 + type: integer status: type: string required: + - numberOfAdapterPolicies - status type: object type: object 
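Review bot: Removing `mode` from the `v1` rules schema (the `- mode:` / `- type: string` and `- - mode` lines) without introducing a new API version is a breaking change for existing manifests, and because apiextensions v1 schemas prune unknown fields unless `x-kubernetes-preserve-unknown-fields` is set (not visible here), a client still sending `mode: strict` will have it silently dropped with only a server warning rather than rejected — a quiet downgrade for a field that governed enforcement behaviour. Either keep `mode` in the schema with a `description: Deprecated, ignored` until a v2 version exists, or at minimum record the removal in the chart changelog so users audit their intents. Separately, `numberOfAdapterPolicies` is now `required` in status, so a status write that sets only `status` (for example an error path) will fail validation; confirm the controller always sets it or leave only `status` required.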
@@ -116,6 +132,8 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 name: clustersecurityintentbindings.intent.security.nimbus.com spec: group: intent.security.nimbus.com @@ -132,6 +150,15 @@ spec: - jsonPath: .status.status name: Status type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.numberOfBoundIntents + name: Intents + type: integer + - jsonPath: .status.clusterNimbusPolicy + name: ClusterNimbusPolicy + type: string name: v1 schema: openAPIV3Schema: @@ -198,9 +225,23 @@ spec: description: ClusterSecurityIntentBindingStatus defines the observed state of ClusterSecurityIntentBinding properties: + boundIntents: + items: + type: string + type: array + clusterNimbusPolicy: + type: string + lastUpdated: + format: date-time + type: string + numberOfBoundIntents: + format: int32 + type: integer status: type: string required: + - clusterNimbusPolicy + - numberOfBoundIntents - status type: object type: object @@ -212,6 +253,8 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 name: nimbuspolicies.intent.security.nimbus.com spec: group: intent.security.nimbus.com @@ -228,6 +271,12 @@ spec: - jsonPath: .status.status name: Status type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.numberOfAdapterPolicies + name: Policies + type: integer name: v1 schema: openAPIV3Schema: @@ -263,8 +312,6 @@ spec: properties: action: type: string - mode: - type: string params: additionalProperties: items: @@ -273,7 +320,6 @@ spec: type: object required: - action - - mode type: object type: type: string 
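Review bot: `clusterNimbusPolicy` and `numberOfBoundIntents` are added to `required` in the ClusterSecurityIntentBinding status schema, so a status update from a failing reconcile (nothing bound yet, no ClusterNimbusPolicy created) must still populate both or the API server rejects it and the binding never surfaces its error state. If the controller does not set them on every path, make only `status` required, or write `clusterNimbusPolicy: ""` and `numberOfBoundIntents: 0` explicitly before any early return. The `additionalPrinterColumns` entry for `.status.clusterNimbusPolicy` is fine as is, since a missing field just renders empty.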
@@ -302,9 +348,20 @@ spec: status: description: NimbusPolicyStatus defines the observed state of NimbusPolicy properties: + adapterPolicies: + items: + type: string + type: array + lastUpdated: + format: date-time + type: string + numberOfAdapterPolicies: + format: int32 + type: integer status: type: string required: + - numberOfAdapterPolicies - status type: object type: object @@ -316,6 +373,8 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 name: securityintentbindings.intent.security.nimbus.com spec: group: intent.security.nimbus.com @@ -332,6 +391,15 @@ spec: - jsonPath: .status.status name: Status type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.numberOfBoundIntents + name: Intents + type: integer + - jsonPath: .status.nimbusPolicy + name: NimbusPolicy + type: string name: v1 schema: openAPIV3Schema: @@ -418,9 +486,23 @@ spec: description: SecurityIntentBindingStatus defines the observed state of SecurityIntentBinding properties: + boundIntents: + items: + type: string + type: array + lastUpdated: + format: date-time + type: string + nimbusPolicy: + type: string + numberOfBoundIntents: + format: int32 + type: integer status: type: string required: + - nimbusPolicy + - numberOfBoundIntents - status type: object type: object @@ -432,6 +514,8 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 name: securityintents.intent.security.nimbus.com spec: group: intent.security.nimbus.com @@ -448,6 +532,17 @@ spec: - jsonPath: .status.status name: Status type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.intent.id + name: ID + priority: 1 + type: string + - jsonPath: .spec.intent.action + name: Action + priority: 1 + type: string name: v1 schema: openAPIV3Schema: 
@@ -483,11 +578,6 @@ spec: engines to generate corresponding security policies. pattern: ^[a-zA-Z0-9]*$ type: string - mode: - default: best-effort - description: Mode defines the enforcement behavior of the intent. - Defaults to best-effort. - type: string params: additionalProperties: items: @@ -518,13 +608,19 @@ spec: status: description: SecurityIntentStatus defines the observed state of SecurityIntent properties: + action: + type: string + id: + type: string status: type: string required: + - action + - id - status type: object type: object served: true storage: true subresources: - status: {} \ No newline at end of file + status: {} diff --git a/docs/quick-tutorials.md b/docs/quick-tutorials.md index 0673eb2f..5fbb017c 100644 --- a/docs/quick-tutorials.md +++ b/docs/quick-tutorials.md @@ -1,18 +1,12 @@ # Quick Tutorials -## Install Nimbus Operator +## Prerequisites -Follow [this](../deployments/nimbus/Readme.md) guide to install `nimbus` operator. - -## Install Adapters - -### KubeArmor - -Follow [this](../deployments/nimbus-kubearmor/Readme.md) guide to install `nimbus-kubearmor` adapter. - -### Network Policy - -Follow [this](../deployments/nimbus-netpol/Readme.md) guide to install `nimbus-netpol` adapter. +- **Nimbus operator**: Follow [this](../deployments/nimbus/Readme.md) guide to install `nimbus` operator. +- Nimbus adapters: To generate multiple security engines policies + - `nimbus-kubearmor`: Follow [this](../deployments/nimbus-kubearmor/Readme.md) guide to install `nimbus-kubearmor` + adapter. + - `nimbus-netpol`: Follow [this](../deployments/nimbus-netpol/Readme.md) guide to install `nimbus-netpol` adapter. ## Create a sample deployment 
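Review bot: The new `status.id` and `status.action` fields are required but carry no validation, while the spec's `id` keeps `pattern: ^[a-zA-Z0-9]*$`, which admits the empty string and uppercase letters; the adapters lowercase this id into generated object names (`dns-manipulation-binding-dnsmanipulation` in the tutorial), so an empty id produces a name ending in `-` and an unbounded id can push the generated name past the Kubernetes name-length limit. Tighten the spec pattern to `^[a-zA-Z0-9]+$` and add a `maxLength`, and consider an `enum` on `action` listing the values the adapters actually implement (only `Block` appears in this diff) so an unsupported action is rejected at admission instead of being silently ignored. The `mode` field with its `best-effort` default is dropped from the spec in the first hunk; since its description called it the enforcement behaviour, note the removal for users with existing intents.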
@@ -32,35 +26,90 @@ securityintent.intent.security.nimbus.com/dns-manipulation created securityintentbinding.intent.security.nimbus.com/dns-manipulation-binding created ``` -## Verify SecurityIntent and SecurityIntentBinding +## Verify Resources -* Verify SecurityIntent +* SecurityIntent ```shell $ kubectl get securityintent -NAME STATUS -dns-manipulation Created +NAME STATUS AGE +dns-manipulation Created 9s ``` -* Verify SecurityIntentBinding +Output in `-o wide` for detailed info: +```shell +$ kubectl get securityintent dns-manipulation -o wide +NAME STATUS AGE ID ACTION +dns-manipulation Created 17s dnsManipulation Block +``` + +* SecurityIntentBinding ```shell $ kubectl get securityintentbinding -NAME STATUS -dns-manipulation-binding Created +NAME STATUS AGE INTENTS NIMBUSPOLICY +dns-manipulation-binding Created 69s 1 dns-manipulation-binding ``` -## Verify the Security Engines policies +* NimbusPolicy -### KubeArmorPolicy +```shell +$ kubectl get nimbuspolicy +NAME STATUS AGE POLICIES +dns-manipulation-binding Created 2m9s 2 +``` + +Describe the nimbuspolicy to check which policies are created: + +```shell +$ kubectl describe nimbuspolicy dns-manipulation-binding +Name: dns-manipulation-binding +Namespace: default +Labels: +Annotations: +API Version: intent.security.nimbus.com/v1 +Kind: NimbusPolicy +Metadata: + Creation Timestamp: 2024-02-20T06:04:32Z + Generation: 1 + Owner References: + API Version: intent.security.nimbus.com/v1 + Block Owner Deletion: true + Controller: true + Kind: SecurityIntentBinding + Name: dns-manipulation-binding + UID: c3b7046f-26c7-4edb-ad82-de243e9ee378 + Resource Version: 56960 + UID: 109a7b54-8643-487e-9454-6a79c5f4cacc +Spec: + Rules: + Description: An adversary can manipulate DNS requests to redirect network traffic and potentially reveal end user activity. 
+ Id: dnsManipulation + Rule: + Action: Block + Selector: + Match Labels: + App: nginx +Status: + Adapter Policies: + KubeArmorPolicy/dns-manipulation-binding-dnsmanipulation + NetworkPolicy/dns-manipulation-binding-dnsmanipulation + Last Updated: 2024-02-20T06:04:32Z + Number Of Adapter Policies: 2 + Status: Created +Events: +``` -Review the policies that were successfully generated as part of `DNSManipulation` SecurityIntent and +## Verify the Security Engines policies +Review the policies that are successfully generated as part of `DNSManipulation` SecurityIntent and SecurityIntentBinding: +### KubeArmorPolicy + ```shell $ kubectl get kubearmorpolicy NAME AGE -dns-manipulation-binding-dnsmanipulation 2m44s +dns-manipulation-binding-dnsmanipulation 5m45s ``` Inspect the policy for detailed info: @@ -75,7 +124,7 @@ kind: KubeArmorPolicy metadata: annotations: app.kubernetes.io/managed-by: nimbus-kubearmor - creationTimestamp: "2024-02-02T08:27:03Z" + creationTimestamp: "2024-02-20T06:04:32Z" generation: 1 name: dns-manipulation-binding-dnsmanipulation namespace: default @@ -85,9 +134,9 @@ metadata: controller: true kind: NimbusPolicy name: dns-manipulation-binding - uid: c2571f5b-8299-4e0f-9594-b6804a5a4d8f - resourceVersion: "610470" - uid: 7f23a7f3-3012-449d-92ee-1ea2a741b7ec + uid: 109a7b54-8643-487e-9454-6a79c5f4cacc + resourceVersion: "56955" + uid: 03afa2ec-ea86-4248-9f63-243493aa1db9 spec: action: Block capabilities: { } @@ -95,6 +144,8 @@ spec: matchPaths: - path: /etc/resolv.conf readOnly: true + message: An adversary can manipulate DNS requests to redirect network traffic and + potentially reveal end user activity. network: { } process: { } selector: 
@@ -105,19 +156,16 @@ spec: ### NetworkPolicy -Review the network policies that were successfully generated as part of `DNSManipulation` SecurityIntent and -SecurityIntentBinding: - ```shell -$ kubectl get networkpolicy +$ kubectl get networkpolicy NAME POD-SELECTOR AGE -dns-manipulation-binding-dnsmanipulation app=nginx 5m54s +dns-manipulation-binding-dnsmanipulation app=nginx 6m43s ``` Inspect policy for detailed info: ```shell -$ kubectl get networkpolicy multiple-sis-nsscoped-binding-dnsmanipulation -o yaml +$ kubectl get networkpolicy dns-manipulation-binding-dnsmanipulation -o yaml ``` ```yaml @@ -126,7 +174,7 @@ kind: NetworkPolicy metadata: annotations: app.kubernetes.io/managed-by: nimbus-netpol - creationTimestamp: "2024-02-02T08:27:03Z" + creationTimestamp: "2024-02-20T06:04:32Z" generation: 1 name: dns-manipulation-binding-dnsmanipulation namespace: default @@ -136,9 +184,9 @@ metadata: controller: true kind: NimbusPolicy name: dns-manipulation-binding - uid: c2571f5b-8299-4e0f-9594-b6804a5a4d8f - resourceVersion: "610469" - uid: 7cbf50e3-8c47-443e-8851-01b0ca167bd3 + uid: 109a7b54-8643-487e-9454-6a79c5f4cacc + resourceVersion: "56956" + uid: 473c293e-3006-4843-9eb3-2a21f142d6e3 spec: egress: - ports: @@ -190,7 +238,7 @@ deployment.apps "nginx" deleted * Confirm all resources have been deleted (Optional) ```shell -$ kubectl get securityintent,securityintentbinding,kubearmorpolicy,netpol -A +$ kubectl get securityintent,securityintentbinding,nimbuspolicy,kubearmorpolicy,netpol -A No resources found ``` diff --git a/examples/namespaced/cel-multi-si-sib-namespaced.yaml b/examples/namespaced/cel-multi-si-sib-namespaced.yaml index 94e783f0..107b00f3 100644 --- a/examples/namespaced/cel-multi-si-sib-namespaced.yaml +++ b/examples/namespaced/cel-multi-si-sib-namespaced.yaml @@ -9,7 +9,6 @@ spec: intent: id: swDeploymentTools action: Block - mode: strict --- apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent 
@@ -19,7 +18,6 @@ spec: intent: id: unAuthorizedSaTokenAccess action: Block - mode: strict --- apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent @@ -29,8 +27,6 @@ spec: intent: id: dnsManipulation action: Block - mode: best-effort - #mode: strict --- apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntentBinding