feat: Feature to select namespaces (match or exclude), resources with…

…in a namespace, and nodes in ClusterIntentBinding (5GSEC#108) * - Changing the types * - Modified deepcopy functions * - Predicate functions is defined * - make run * - Sample csib yamls * - Add of the csib is working * - Add subcase - of cases 1, 2, 3 - done * - Add/Update/Delete of the Nimbus policies in the reconcile functionality done * - Changes for kubeArmor, NetPol adapter * - Kyverno adapter watches for NimbusPolicy generated from SecurityIntentBinding only * - Fixes * - Copying the matchNames/excludeNames to the Kyverno Cluster Policy * - Renamed v1alpha to v1alpha1 * - Modified the version in the scheme * - chainsaw test controllers/nimbuspolicy/delete/ - working * - Tests are passing individually - Errors when run together * - For a cluster SIB, cluster nimbus policy is created - Also, one nimbus policy per ns is being created - There is a reconciler error for update. - Potential fix is to backoff for some time * - Add of a csib, creates np in multiple ns - Equality function added but not used - Equality function can be used to add eliminate unnecessary updates * - Nimbus Policies are not updated if the expected and actual is same * - First chainsaw test running * - Updated the test * - Test case for matchNames case * - Test case for excludeName passing * - Example yamls - A given CSIB cannot contain both match and exclude parameters * - Rebased the kcpbuilder.go * - Rebased the kpbuilder.go * - Changing the types * - Modified deepcopy functions * - Predicate functions is defined * - Rebase * - Sample csib yamls * - Add of the csib is working * - Add subcase - of cases 1, 2, 3 - done * - Add/Update/Delete of the Nimbus policies in the reconcile functionality done * - Changes for kubeArmor, NetPol adapter * - Kyverno adapter watches for NimbusPolicy generated from SecurityIntentBinding only * - Fixes * - Copying the matchNames/excludeNames to the Kyverno Cluster Policy * - Renamed v1alpha to v1alpha1 * - Modified the version in the scheme * - chainsaw test controllers/nimbuspolicy/delete/ - working * - Tests are passing individually - Errors when run together * - For a cluster SIB, cluster nimbus policy is created - Also, one nimbus policy per ns is being created - There is a reconciler error for update. - Potential fix is to backoff for some time * - Add of a csib, creates np in multiple ns - Equality function added but not used - Equality function can be used to add eliminate unnecessary updates * - Nimbus Policies are not updated if the expected and actual is same * - First chainsaw test running * - Updated the test * - Test case for matchNames case * - Test case for excludeName passing * - Example yamls - A given CSIB cannot contain both match and exclude parameters * - Rebased the kcpbuilder.go * - Rebased the kpbuilder.go * - e2e/dns-manipulation successfull * - Changes for e2e/escape-to-host - Getting build issues in kyverno adapter - Test failing for now * - chainsaw test test/controllers/ passing with these changes * - kyverno adapter compile * - e2e tests passing - $ chainsaw test --test-dir=tests/e2e --config tests/chainsaw-config.yaml Tests Summary... - Passed tests 6 - Failed tests 0 - Skipped tests 0 Done. * - Latest crds * - Adding a dependency on jobs * - Debug logs * - Testing * - Added testing yaml * - $ make integration-test PASS Tests Summary... - Passed tests 12 - Failed tests 0 - Skipped tests 0 Done. * - Review feedback * - Review feedback * - Review feedback * - fixing the static check fail * - To create csib for all ns, use "*" in matchNames - If csib is invalid, status ValidationFail is set - slices.Contain() is used to reduce code - A blacklist is introduced, to avoid creation of Nimbus Policies in those ns * - Fixed issue related to excludeNames path * - test-doc * - Comments * - Review feedback * - Fix for lint check fail --------- Signed-off-by: shivaccuknox <[email protected]> Co-authored-by: Ved Ratan <[email protected]>
shivaccuknox · Jun 4, 2024 · 3a141ab · 3a141ab
1 parent 5a42174
commit 3a141ab
Show file tree

Hide file tree

Showing 136 changed files with 3,389 additions and 1,820 deletions.
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
@@ -160,7 +160,7 @@ jobs:
           run: |
             kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus
             kubectl get pods -A
-          
+
         - name: Run Tests
           run: make integration-test
 

diff --git a/api/v1/clusternimbuspolicy_types.go → api/v1alpha1/clusternimbuspolicy_types.go b/api/v1/clusternimbuspolicy_types.go → api/v1alpha1/clusternimbuspolicy_types.go
@@ -1,16 +1,18 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-package v1
+package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // ClusterNimbusPolicySpec defines the desired state of ClusterNimbusPolicy
 type ClusterNimbusPolicySpec struct {
-	Selector    CwSelector    `json:"selector"`
-	NimbusRules []NimbusRules `json:"rules"`
+	NodeSelector     LabelSelector     `json:"nodeSelector,omitempty"`
+	NsSelector       NamespaceSelector `json:"nsSelector,omitempty"`
+	WorkloadSelector LabelSelector     `json:"workloadSelector,omitempty"`
+	NimbusRules      []NimbusRules     `json:"rules"`
 }
 
 // ClusterNimbusPolicyStatus defines the observed state of ClusterNimbusPolicy

diff --git a/api/v1/clustersecurityintentbinding_types.go → ...ha1/clustersecurityintentbinding_types.go b/api/v1/clustersecurityintentbinding_types.go → ...ha1/clustersecurityintentbinding_types.go
@@ -1,28 +1,28 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-package v1
+package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-type CwResource struct {
-	Kind        string            `json:"kind"`
-	Name        string            `json:"name"`
-	Namespace   string            `json:"namespace,omitempty"`
-	MatchLabels map[string]string `json:"matchLabels,omitempty"`
+type NamespaceSelector struct {
+	MatchNames   []string `json:"matchNames,omitempty"`
+	ExcludeNames []string `json:"excludeNames,omitempty"`
 }
 
-type CwSelector struct {
-	Resources []CwResource `json:"resources,omitempty"`
-	CEL       []string     `json:"cel,omitempty"`
+type ClusterMatchWorkloads struct {
+	NodeSelector     LabelSelector     `json:"nodeSelector,omitempty"`
+	NsSelector       NamespaceSelector `json:"nsSelector,omitempty"`
+	WorkloadSelector LabelSelector     `json:"workloadSelector,omitempty"`
 }
 
 // ClusterSecurityIntentBindingSpec defines the desired state of ClusterSecurityIntentBinding
 type ClusterSecurityIntentBindingSpec struct {
-	Intents  []MatchIntent `json:"intents"`
-	Selector CwSelector    `json:"selector"`
+	Intents  []MatchIntent         `json:"intents"`
+	Selector ClusterMatchWorkloads `json:"selector,omitempty"`
+	CEL      []string              `json:"cel,omitempty"`
 }
 
 // ClusterSecurityIntentBindingStatus defines the observed state of ClusterSecurityIntentBinding

diff --git a/api/v1/groupversion_info.go → api/v1alpha1/groupversion_info.go b/api/v1/groupversion_info.go → api/v1alpha1/groupversion_info.go
@@ -1,10 +1,10 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-// Package v1 contains API Schema definitions for the intent v1 API group
+// Package v1alpha1 contains API Schema definitions for the intent v1 API group
 // +kubebuilder:object:generate=true
 // +groupName=intent.security.nimbus.com
-package v1
+package v1alpha1
 
 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -13,7 +13,7 @@ import (
 
 var (
 	// GroupVersion is group version used to register these objects
-	GroupVersion = schema.GroupVersion{Group: "intent.security.nimbus.com", Version: "v1"}
+	GroupVersion = schema.GroupVersion{Group: "intent.security.nimbus.com", Version: "v1alpha1"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

diff --git a/api/v1/nimbuspolicy_types.go → api/v1alpha1/nimbuspolicy_types.go b/api/v1/nimbuspolicy_types.go → api/v1alpha1/nimbuspolicy_types.go
@@ -1,27 +1,23 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-package v1
+package v1alpha1
 
 import (
+	"reflect"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // NimbusPolicySpec defines the desired state of NimbusPolicy
 type NimbusPolicySpec struct {
 	// Selector specifies the target resources to which the policy applies
-	Selector NimbusSelector `json:"selector"`
+	Selector LabelSelector `json:"selector"`
 
 	// PolicyType specifies the type of policy, e.g., "Network", "System", "Cluster"
 	NimbusRules []NimbusRules `json:"rules"`
 }
 
-// NimbusSelector is used to select specific resources based on labels.
-type NimbusSelector struct {
-	// MatchLabels is a map that holds key-value pairs to match against labels of resources.
-	MatchLabels map[string]string `json:"matchLabels"`
-}
-
 // NimbusRules represents a single policy rule with an ID, type, description, and detailed rule configurations.
 type NimbusRules struct {
 	ID          string `json:"id"`
@@ -70,3 +66,26 @@ type NimbusPolicyList struct {
 func init() {
 	SchemeBuilder.Register(&NimbusPolicy{}, &NimbusPolicyList{})
 }
+
+// Check equality of the spec to decide if we need to update the object
+func (a NimbusPolicy) Equal(b NimbusPolicy) (string, bool) {
+	if a.ObjectMeta.Name != b.ObjectMeta.Name {
+		return "diff: name", false
+	}
+	if a.ObjectMeta.Namespace != b.ObjectMeta.Namespace {
+		return "diff: Namespace", false
+	}
+
+	if !reflect.DeepEqual(a.ObjectMeta.Labels, b.ObjectMeta.Labels) {
+		return "diff: Labels", false
+	}
+
+	if !reflect.DeepEqual(a.ObjectMeta.OwnerReferences, b.ObjectMeta.OwnerReferences) {
+		return "diff: OwnerReferences", false
+	}
+
+	if !reflect.DeepEqual(a.Spec, b.Spec) {
+		return "diff: Spec", false
+	}
+	return "", true
+}
diff --git a/api/v1/securityintent_types.go → api/v1alpha1/securityintent_types.go b/api/v1/securityintent_types.go → api/v1alpha1/securityintent_types.go
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-package v1
+package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

diff --git a/api/v1/securityintentbinding_types.go → api/v1alpha1/securityintentbinding_types.go b/api/v1/securityintentbinding_types.go → api/v1alpha1/securityintentbinding_types.go
@@ -1,16 +1,17 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-package v1
+package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // SecurityIntentBindingSpec defines the desired state of SecurityIntentBinding
 type SecurityIntentBindingSpec struct {
-	Intents  []MatchIntent `json:"intents"`
-	Selector Selector      `json:"selector"`
+	Intents  []MatchIntent  `json:"intents"`
+	Selector MatchWorkloads `json:"selector"`
+	CEL      []string       `json:"cel,omitempty"`
 }
 
 // MatchIntent struct defines the request for a specific SecurityIntent
@@ -19,21 +20,11 @@ type MatchIntent struct {
 }
 
 // Selector defines the selection criteria for resources
-type Selector struct {
-	Any []ResourceFilter `json:"any,omitempty"`
-	All []ResourceFilter `json:"all,omitempty"`
-	CEL []string         `json:"cel,omitempty"`
+type MatchWorkloads struct {
+	WorkloadSelector LabelSelector `json:"workloadSelector,omitempty"`
 }
 
-// ResourceFilter is used for filtering resources
-type ResourceFilter struct {
-	Resources Resources `json:"resources,omitempty"`
-}
-
-// Resources defines the properties for selecting Kubernetes resources
-type Resources struct {
-	Kind        string            `json:"kind,omitempty"`
-	Namespace   string            `json:"namespace,omitempty"`
+type LabelSelector struct {
 	MatchLabels map[string]string `json:"matchLabels,omitempty"`
 }