Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(core): Update controllers to update CRDs status #56

Merged
merged 5 commits into from
Feb 20, 2024
Merged

fix(core): Update controllers to update CRDs status #56

merged 5 commits into from
Feb 20, 2024

Conversation

anurag-rajawat
Copy link
Collaborator

@anurag-rajawat anurag-rajawat commented Feb 11, 2024
edited
Loading

Description

This pull request introduces the following enhancements:

  • CRD Updates: Add new status fields to the CRDs for improved visibility into the resource state.
  • Controller Updates: Modifies controllers to consistently update the newly added status fields, reflecting the current state of the resources they manage.
  • Optimized Logging: Reduces redundant logs generated during the creation or deletion of SIB CRs. Logging is now duplicated only for update operations, providing more focused information about changes.

Fixes #51 and #61

Does this PR introduce a breaking change?
No

Checklist

  • PR title follows the <type>: <description> convention
  • I use conventional commits in my commit messages
  • I have updated the documentation accordingly
  • I Keep It Small and Simple: The smaller the PR is, the easier it is to review and have it merged
  • I have performed a self-review of my code
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Additional information for reviewer

ℹ️ In a subsequent PR, we'll update the docs, RBACs and adapters to update their policy status.

Sample Outputs:

  • SecurityIntent
❯ k get si
NAME                                             STATUS    AGE
pkg-mgr-exec-multiple-nsscoped                   Created   71s
unauthorized-sa-token-access-multiple-nsscoped   Created   71s
dns-manipulation-multiple-nsscoped               Created   71s

❯ k get si -o wide
NAME                                             STATUS    AGE   ID                          ACTION
pkg-mgr-exec-multiple-nsscoped                   Created   79s   swDeploymentTools           Block
unauthorized-sa-token-access-multiple-nsscoped   Created   79s   unAuthorizedSaTokenAccess   Block
dns-manipulation-multiple-nsscoped               Created   79s   dnsManipulation             Block

❯ k describe si pkg-mgr-exec-multiple-nsscoped
Name:         pkg-mgr-exec-multiple-nsscoped
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  intent.security.nimbus.com/v1
Kind:         SecurityIntent
Metadata:
  Creation Timestamp:  2024-02-14T11:28:29Z
  Generation:          1
  Resource Version:    218723
  UID:                 7b295549-0db3-4fa8-a178-bff6876bea02
Spec:
  Intent:
    Action:    Block
    Id:        swDeploymentTools
    Severity:  Low
Status:
  Action:  Block
  Id:      swDeploymentTools
  Status:  Created
Events:    <none>
  • SecurityIntentBinding
❯ k get sib -o wide
NAME                            STATUS    AGE     INTENTS   NIMBUSPOLICY
multiple-sis-nsscoped-binding   Created   2m47s   3         multiple-sis-nsscoped-binding

❯ k describe sib multiple-sis-nsscoped-binding
Name:         multiple-sis-nsscoped-binding
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  intent.security.nimbus.com/v1
Kind:         SecurityIntentBinding
Metadata:
  Creation Timestamp:  2024-02-14T11:28:29Z
  Generation:          1
  Resource Version:    218731
  UID:                 fe01849a-2ce0-410c-8c08-244d128d6c48
Spec:
  Intents:
    Name:  pkg-mgr-exec-multiple-nsscoped
    Name:  unauthorized-sa-token-access-multiple-nsscoped
    Name:  dns-manipulation-multiple-nsscoped
  Selector:
    Any:
      Resources:
        Kind:  Pod
        Match Labels:
          App:      nginx
        Namespace:  default
Status:
  Bound Intents:
    pkg-mgr-exec-multiple-nsscoped
    unauthorized-sa-token-access-multiple-nsscoped
    dns-manipulation-multiple-nsscoped
  Last Updated:             2024-02-14T11:28:29Z
  Nimbus Policy:            multiple-sis-nsscoped-binding
  Number Of Bound Intents:  3
  Status:                   Created
Events:                     <none>
  • NimbusPolicy
❯ k get np multiple-sis-nsscoped-binding -o wide
NAME                            STATUS    AGE     POLICIES
multiple-sis-nsscoped-binding   Created   3m53s   4

❯ k describe np multiple-sis-nsscoped-binding
Name:         multiple-sis-nsscoped-binding
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  intent.security.nimbus.com/v1
Kind:         NimbusPolicy
Metadata:
  Creation Timestamp:  2024-02-14T11:28:29Z
  Generation:          1
  Owner References:
    API Version:           intent.security.nimbus.com/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  SecurityIntentBinding
    Name:                  multiple-sis-nsscoped-binding
    UID:                   fe01849a-2ce0-410c-8c08-244d128d6c48
  Resource Version:        218739
  UID:                     f10119cf-5fea-4c1e-8eca-acd4da7d2d81
Spec:
  Rules:
    Id:  swDeploymentTools
    Rule:
      Action:  Block
    Id:        unAuthorizedSaTokenAccess
    Rule:
      Action:  Block
    Id:        dnsManipulation
    Rule:
      Action:  Block
  Selector:
    Match Labels:
      App:  nginx
Status:
  Adapter Policies:
    NetworkPolicy/multiple-sis-nsscoped-binding-dnsmanipulation
    KubeArmorPolicy/multiple-sis-nsscoped-binding-swdeploymenttools
    KubeArmorPolicy/multiple-sis-nsscoped-binding-unauthorizedsatokenaccess
    KubeArmorPolicy/multiple-sis-nsscoped-binding-dnsmanipulation
  Last Updated:                2024-02-14T11:28:29Z
  Number Of Adapter Policies:  4
  Status:                      Created
Events:                        <none>
  • ClusterSecurityIntentBinding
❯ k get csib -o wide
NAME              STATUS    AGE   INTENTS   CLUSTERNIMBUSPOLICY
si-name-binding   Created   10s   1         si-name-binding

❯ k describe csib si-name-binding
Name:         si-name-binding
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  intent.security.nimbus.com/v1
Kind:         ClusterSecurityIntentBinding
Metadata:
  Creation Timestamp:  2024-02-14T11:33:47Z
  Generation:          1
  Resource Version:    219012
  UID:                 4e44463a-e508-49f0-a1dc-efd6818b9b96
Spec:
  Intents:
    Name:  si-name
  Selector:
    Resources:
      Kind:  Node
      Match Labels:
        kubernetes.io/arch:  arm64
        kubernetes.io/os:    linux
      Name:                  node1
Status:
  Bound Intents:
    si-name
  Cluster Nimbus Policy:    si-name-binding
  Last Updated:             2024-02-14T11:33:47Z
  Number Of Bound Intents:  1
  Status:                   Created
Events:                     <none>
  • ClusterNimbusPolicy
❯ k get cwnp -o wide
NAME              STATUS    AGE   POLICIES
si-name-binding   Created   50s   0

❯ k describe cwnp si-name-binding
Name:         si-name-binding
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  intent.security.nimbus.com/v1
Kind:         ClusterNimbusPolicy
Metadata:
  Creation Timestamp:  2024-02-14T11:33:47Z
  Generation:          1
  Owner References:
    API Version:           intent.security.nimbus.com/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  ClusterSecurityIntentBinding
    Name:                  si-name-binding
    UID:                   4e44463a-e508-49f0-a1dc-efd6818b9b96
  Resource Version:        219011
  UID:                     64e30f24-47b1-44bb-ac06-7df0d2b779a5
Spec:
  Rules:
    Description:  Detailed description
    Id:           sampleId
    Rule:
      Action:  Audit
  Selector:
    Resources:
      Kind:  Node
      Match Labels:
        kubernetes.io/arch:  arm64
        kubernetes.io/os:    linux
      Name:                  node1
Status:
  Last Updated:                2024-02-14T11:33:47Z
  Number Of Adapter Policies:  0
  Status:                      Created
Events:                        <none>

Mention if this PR is part of any design or a continuation of previous PRs

@anurag-rajawat anurag-rajawat force-pushed the feat-crds-status branch 3 times, most recently from 47a4c5f to 285b287 Compare February 11, 2024 11:11
@anurag-rajawat anurag-rajawat marked this pull request as draft February 11, 2024 11:41
@anurag-rajawat anurag-rajawat force-pushed the feat-crds-status branch 3 times, most recently from ed5bb39 to b3192c3 Compare February 13, 2024 09:40
@anurag-rajawat anurag-rajawat marked this pull request as ready for review February 13, 2024 09:42
@anurag-rajawat anurag-rajawat marked this pull request as draft February 14, 2024 07:18
@anurag-rajawat anurag-rajawat marked this pull request as ready for review February 14, 2024 09:28
@anurag-rajawat anurag-rajawat marked this pull request as draft February 14, 2024 16:33
@anurag-rajawat
Copy link
Collaborator Author

Need to fix some other high-priority issues so marking it as a draft.

@anurag-rajawat anurag-rajawat marked this pull request as ready for review February 16, 2024 17:17
@anurag-rajawat anurag-rajawat linked an issue Feb 16, 2024 that may be closed by this pull request
[Core]: Error while creating, editing or deleting SI and SIB #61
Closed
@nandhued nandhued linked an issue Feb 19, 2024 that may be closed by this pull request
[Core]: Logs are getting duplicated #62
Closed
@anurag-rajawat
fix(core): Add error checks
1465159 
Signed-off-by: Anurag Rajawat <[email protected]>
@anurag-rajawat anurag-rajawat merged commit 4cc97b1 into 5GSEC:main Feb 20, 2024
7 checks passed
@anurag-rajawat anurag-rajawat deleted the feat-crds-status branch February 20, 2024 04:00
This was referenced Feb 20, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shivaccuknox shivaccuknox shivaccuknox approved these changes

@daemon1024 daemon1024 Awaiting requested review from daemon1024

@seungsoo-lee seungsoo-lee Awaiting requested review from seungsoo-lee

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@anurag-rajawat @seungsoo-lee @shivaccuknox