From 232a1b1b4a53517859aa5889a6d81882202e01e2 Mon Sep 17 00:00:00 2001 From: VedRatan Date: Wed, 4 Sep 2024 11:20:39 +0530 Subject: [PATCH] feat: added scheduled fetching of latest CVE data Signed-off-by: VedRatan --- pkg/adapter/nimbus-kyverno/go.mod | 1 + pkg/adapter/nimbus-kyverno/go.sum | 3 + .../nimbus-kyverno/processor/kpbuilder.go | 55 +++++++++++++------ pkg/adapter/nimbus-kyverno/utils/utils.go | 8 ++- .../nimbus-kyverno/watcher/kpwatcher.go | 1 + vp.json | 3 +- 6 files changed, 51 insertions(+), 20 deletions(-) diff --git a/pkg/adapter/nimbus-kyverno/go.mod b/pkg/adapter/nimbus-kyverno/go.mod index 2bb608a3..a0b0aa6f 100644 --- a/pkg/adapter/nimbus-kyverno/go.mod +++ b/pkg/adapter/nimbus-kyverno/go.mod @@ -195,6 +195,7 @@ require ( github.com/puzpuzpuz/xsync/v2 v2.5.1 // indirect github.com/r3labs/diff v1.1.0 // indirect github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect + github.com/robfig/cron/v3 v3.0.1 github.com/sagikazarmark/locafero v0.3.0 // indirect github.com/sagikazarmark/slog-shim v0.1.0 // indirect github.com/sassoftware/relic v7.2.1+incompatible // indirect diff --git a/pkg/adapter/nimbus-kyverno/go.sum b/pkg/adapter/nimbus-kyverno/go.sum index f6930d77..eff41149 100644 --- a/pkg/adapter/nimbus-kyverno/go.sum +++ b/pkg/adapter/nimbus-kyverno/go.sum 
@@ -1225,6 +1225,9 @@ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5X github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052 h1:Qp27Idfgi6ACvFQat5+VJvlYToylpM/hcyLBI3WaKPA= github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052/go.mod h1:uvX/8buq8uVeiZiFht+0lqSLBHF+uGV8BrTv8W/SIwk= +github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ= +github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs= +github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= diff --git a/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go b/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go index fd80c9fd..c350e771 100644 --- a/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go +++ b/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go @@ -14,10 +14,10 @@ import ( "github.com/5GSEC/nimbus/pkg/adapter/idpool" "github.com/5GSEC/nimbus/pkg/adapter/k8s" "github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/utils" + "github.com/robfig/cron/v3" "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "go.uber.org/multierr" - "gopkg.in/yaml.v2" v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" 
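Review bot: The new `"github.com/robfig/cron/v3"` import in kpbuilder.go is inserted above `github.com/go-logr/logr`, which breaks the alphabetical order goimports keeps within that group and will be reshuffled by the next formatter run. Move it to sit after `kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"` and before `"go.uber.org/multierr"`. The import block is cut off at both ends of the hunk, so the rest of its ordering cannot be checked here.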
@@ -89,10 +89,45 @@ func buildKpFor(id string, np *v1alpha1.NimbusPolicy) ([]kyvernov1.Policy, error
 return kps, err
 }
 kps = append(kps, kpols...)
+ watchCVES(np)
 }
 return kps, nil
 }
 
+func watchCVES(np *v1alpha1.NimbusPolicy) {
+ rule := np.Spec.NimbusRules[0].Rule
+ schedule := "0 0 * * *"
+ if rule.Params["schedule"] != nil {
+ schedule = rule.Params["schedule"][0]
+ }
+ // Schedule the deletion of the Nimbus policy
+ c := cron.New()
+ _, err := c.AddFunc(schedule, func() {
+ fmt.Println("Checking for CVE updates and updation of policies")
+ err := deleteNimbusPolicy(np)
+ if err != nil {
+ fmt.Println(err)
+ }
+ })
+ if err != nil {
+ panic(err)
+ }
+ c.Start()
+
+}
+
+
+
+func deleteNimbusPolicy(np *v1alpha1.NimbusPolicy) error {
+ nimbusPolicyGVR := schema.GroupVersionResource{Group: "intent.security.nimbus.com", Version: "v1alpha1", Resource: "nimbuspolicies"}
+ err := client.Resource(nimbusPolicyGVR).Namespace(np.Namespace).Delete(context.TODO(), np.Name,metav1.DeleteOptions{})
+ if err != nil {
+ return fmt.Errorf("failed to delete Nimbus Policy: %s", err.Error())
+ }
+ fmt.Println("Nimbus policy deleted successfully")
+ return nil
+}
+
 func escapeToHost(np *v1alpha1.NimbusPolicy) kyvernov1.Policy {
 rule := np.Spec.NimbusRules[0].Rule
 var psa_level api.Level = api.LevelBaseline
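Review bot: `panic(err)` after `c.AddFunc` turns an invalid cron expression into a crash of the whole adapter, and `schedule` is taken straight from `rule.Params["schedule"]` on the NimbusPolicy, so anyone who can create or edit that CR can take the adapter down; the preceding `rule.Params["schedule"][0]` also indexes without a length check, so `schedule: []` panics the same way. Return the error to buildKpFor instead (`if err := watchCVES(np); err != nil { return kps, err }`) so the bad policy is rejected rather than fatal. Each call also builds a fresh `cron.New()` that is never stopped, so every pass through buildKpFor for the same policy stacks another scheduled deletion and leaks the previous scheduler's goroutine; keeping one scheduler per policy key and calling `Stop()` on the previous one before re-registering would bound that (presumably buildKpFor runs on every reconcile — confirm). buildKpFor's body begins before the hunk; deleteNimbusPolicy is unchanged in the sketch below apart from being the job it schedules.

```go
// watchCVES schedules the periodic deletion of np so it gets rebuilt with fresh
// CVE data. The schedule comes from the policy's own params, so it is untrusted
// input: an unparsable expression is reported, never panicked on.
func watchCVES(np *v1alpha1.NimbusPolicy) error {
	rule := np.Spec.NimbusRules[0].Rule
	schedule := "0 0 * * *"
	if v := rule.Params["schedule"]; len(v) > 0 && v[0] != "" {
		schedule = v[0]
	}
	c := cron.New()
	if _, err := c.AddFunc(schedule, func() {
		// … unchanged: deleteNimbusPolicy call and logging …
	}); err != nil {
		return fmt.Errorf("invalid schedule %q for NimbusPolicy %s/%s: %w", schedule, np.Namespace, np.Name, err)
	}
	c.Start()
	return nil
}
```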
@@ -319,20 +354,17 @@ func virtualPatch(np *v1alpha1.NimbusPolicy) ([]kyvernov1.Policy, error) { // tbd // schedule := rule.Params["schedule"][0] var kps []kyvernov1.Policy - resp, err := utils.GetVirtualPatchData[[]map[string]any]() + resp, err := utils.FetchVirtualPatchData[[]map[string]any]() if err != nil { - return nil, fmt.Errorf("failed to fetch the response from knoxguard: %s", err.Error()) + return kps, err } for _, currObj := range resp { image := currObj["image"].(string) - fmt.Println(image) - fmt.Println("------------------------------------------------------------------") cves := currObj["cves"].([]any) for _, obj := range cves { cveData := obj.(map[string]any) cve := cveData["cve"].(string) if utils.Contains(requiredCVES, cve) { - fmt.Println(cveData["virtual_patch"]) // create generate kyverno policies which will generate the native virtual patch policies based on the CVE's karmorPolCount := 1 kyvPolCount := 1 @@ -372,12 +404,6 @@ func generatePol(polengine string, cve string, image string, np *v1alpha1.Nimbus labels := np.Spec.Selector.MatchLabels cve = strings.ToLower(cve) uid := np.ObjectMeta.GetUID() - // Marshal the data into YAML - yamlData, err := yaml.Marshal(&policyData) - if err != nil { - fmt.Println("unable to parse the response to YAML: ", err.Error()) - return pol - } ownerShipList := []any{ map[string]any{ "apiVersion": "intent.security.nimbus.com/v1alpha1", @@ -521,8 +547,6 @@ func generatePol(polengine string, cve string, image string, np *v1alpha1.Nimbus delete(rule, "match") rule["match"] = newMatchMap - fmt.Println("rule after modification: ", rule["match"]) - // appending the image matching precondition to the existing preconditions preCndMap := rule["preconditions"].(map[string]any) conditionsList, ok := preCndMap["any"].([]any) @@ -632,8 +656,5 @@ func generatePol(polengine string, cve string, image string, np *v1alpha1.Nimbus } } - - // Print the YAML data - fmt.Println(string(yamlData)) return pol } 
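Review bot: `return kps, err` in virtualPatch drops the context the removed line carried, so a failure to load the virtual-patch data now surfaces with nothing naming the step (presumably just the underlying file-open error); wrap it, `return kps, fmt.Errorf("fetching virtual patch data: %w", err)`. The `// tbd` / `// schedule := rule.Params["schedule"][0]` comment pair just above is now stale, since this same commit consumes the schedule param in watchCVES, and should be removed. virtualPatch's signature appears only in the hunk header, so the function begins before the hunk; the three generatePol hunks below it only remove debug output and the unused YAML marshal.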
diff --git a/pkg/adapter/nimbus-kyverno/utils/utils.go b/pkg/adapter/nimbus-kyverno/utils/utils.go index cc2818c2..7f779605 100644 --- a/pkg/adapter/nimbus-kyverno/utils/utils.go +++ b/pkg/adapter/nimbus-kyverno/utils/utils.go @@ -9,6 +9,7 @@ import ( "os" "reflect" "strings" + "sync" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "golang.org/x/text/cases" @@ -16,6 +17,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +var VirtualPatchData []map[string]any +var mu sync.RWMutex + func GetGVK(kind string) string { // Map to store the mappings of kinds to their corresponding API versions kindToAPIVersion := map[string]string{ @@ -125,7 +129,7 @@ func Title(input string) string { return toTitle.String(input) } -func GetVirtualPatchData[T any]()(T, error) { +func FetchVirtualPatchData[T any]()(T, error) { var out T // Open the JSON file file, err := os.Open("../../../vp.json") @@ -167,4 +171,4 @@ func ParseImageString(imageString string) (string, string) { } return repository, tag -} \ No newline at end of file +} diff --git a/pkg/adapter/nimbus-kyverno/watcher/kpwatcher.go b/pkg/adapter/nimbus-kyverno/watcher/kpwatcher.go index 055a9a31..9bfc7e0b 100644 --- a/pkg/adapter/nimbus-kyverno/watcher/kpwatcher.go +++ b/pkg/adapter/nimbus-kyverno/watcher/kpwatcher.go @@ -11,6 +11,7 @@ import ( "github.com/5GSEC/nimbus/pkg/adapter/common" "github.com/5GSEC/nimbus/pkg/adapter/k8s" "github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/utils" + adapterutil "github.com/5GSEC/nimbus/pkg/adapter/util" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" diff --git a/vp.json b/vp.json index ad87e33a..1b44e807 100644 --- a/vp.json +++ b/vp.json @@ -99,7 +99,8 @@ "spec": { "podSelector": { "matchLabels": { - "role": "db" + "role": "db", + "app": "dsfsdf" } }, "policyTypes": [
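Review bot: `VirtualPatchData` and `mu` are added at package level in utils.go but nothing in this commit reads, writes or locks them, and because the slice is exported while the mutex is not, any other package can read or replace it without ever taking `mu`, so the lock cannot actually guard it. Either leave both out until the cached data is used, or keep the slice unexported and expose it only through accessors that take the lock, e.g. `func VirtualPatchDataSnapshot() []map[string]any { mu.RLock(); defer mu.RUnlock(); return virtualPatchData }`. Note also that the renamed FetchVirtualPatchData still opens the repo-relative `../../../vp.json` on the unchanged line, so the scheduled refresh only sees new CVE data if that file itself is updated; a doc comment on the function stating that would save the next reader from expecting a remote fetch.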
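Review bot: `"app": "dsfsdf"` in the NetworkPolicy podSelector of vp.json reads like a placeholder typed during testing, and since vp.json is the file FetchVirtualPatchData loads, the value ends up in the generated policy's selector and will match no real workload. Replace it with the intended label or drop the key before merging.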