From 3a141abf2e64a5f7619abaf6e97cd34863877922 Mon Sep 17 00:00:00 2001 
From: shivaccuknox <150668714+shivaccuknox@users.noreply.github.com> Date: Tue, 4 Jun 2024 20:52:26 +0530 Subject: [PATCH] feat: Feature to select namespaces (match or exclude), resources within a namespace, and nodes in ClusterIntentBinding (#108) * - Changing the types * - Modified deepcopy functions * - Predicate functions is defined * - make run * - Sample csib yamls * - Add of the csib is working * - Add subcase - of cases 1, 2, 3 - done * - Add/Update/Delete of the Nimbus policies in the reconcile functionality done * - Changes for kubeArmor, NetPol adapter * - Kyverno adapter watches for NimbusPolicy generated from SecurityIntentBinding only * - Fixes * - Copying the matchNames/excludeNames to the Kyverno Cluster Policy * - Renamed v1alpha to v1alpha1 * - Modified the version in the scheme * - chainsaw test controllers/nimbuspolicy/delete/ - working * - Tests are passing individually - Errors when run together * - For a cluster SIB, cluster nimbus policy is created - Also, one nimbus policy per ns is being created - There is a reconciler error for update. 
- Potential fix is to backoff for some time * - Add of a csib, creates np in multiple ns - Equality function added but not used - Equality function can be used to add eliminate unnecessary updates * - Nimbus Policies are not updated if the expected and actual is same * - First chainsaw test running * - Updated the test * - Test case for matchNames case * - Test case for excludeName passing * - Example yamls - A given CSIB cannot contain both match and exclude parameters * - Rebased the kcpbuilder.go * - Rebased the kpbuilder.go * - Changing the types * - Modified deepcopy functions * - Predicate functions is defined * - Rebase * - Sample csib yamls * - Add of the csib is working * - Add subcase - of cases 1, 2, 3 - done * - Add/Update/Delete of the Nimbus policies in the reconcile functionality done * - Changes for kubeArmor, NetPol adapter * - Kyverno adapter watches for NimbusPolicy generated from SecurityIntentBinding only * - Fixes * - Copying the matchNames/excludeNames to the Kyverno Cluster Policy * - Renamed v1alpha to v1alpha1 * - Modified the version in the scheme * - chainsaw test controllers/nimbuspolicy/delete/ - working * - Tests are passing individually - Errors when run together * - For a cluster SIB, cluster nimbus policy is created - Also, one nimbus policy per ns is being created - There is a reconciler error for update. 
- Potential fix is to backoff for some time * - Add of a csib, creates np in multiple ns - Equality function added but not used - Equality function can be used to add eliminate unnecessary updates * - Nimbus Policies are not updated if the expected and actual is same * - First chainsaw test running * - Updated the test * - Test case for matchNames case * - Test case for excludeName passing * - Example yamls - A given CSIB cannot contain both match and exclude parameters * - Rebased the kcpbuilder.go * - Rebased the kpbuilder.go * - e2e/dns-manipulation successfull * - Changes for e2e/escape-to-host - Getting build issues in kyverno adapter - Test failing for now * - chainsaw test test/controllers/ passing with these changes * - kyverno adapter compile * - e2e tests passing - $ chainsaw test --test-dir=tests/e2e --config tests/chainsaw-config.yaml Tests Summary... - Passed tests 6 - Failed tests 0 - Skipped tests 0 Done. * - Latest crds * - Adding a dependency on jobs * - Debug logs * - Testing * - Added testing yaml * - $ make integration-test PASS Tests Summary... - Passed tests 12 - Failed tests 0 - Skipped tests 0 Done. * - Review feedback * - Review feedback * - Review feedback * - fixing the static check fail * - To create csib for all ns, use "*" in matchNames - If csib is invalid, status ValidationFail is set - slices.Contain() is used to reduce code - A blacklist is introduced, to avoid creation of Nimbus Policies in those ns * - Fixed issue related to excludeNames path * - test-doc * - Comments * - Review feedback * - Fix for lint check fail --------- 
Signed-off-by: shivaccuknox <150668714+shivaccuknox@users.noreply.github.com> Co-authored-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com> --- .github/workflows/pr-checks.yaml | 2 +- .../clusternimbuspolicy_types.go | 8 +- .../clustersecurityintentbinding_types.go | 22 +- api/{v1 => v1alpha1}/groupversion_info.go | 6 +- api/{v1 => v1alpha1}/nimbuspolicy_types.go | 35 +- api/{v1 => v1alpha1}/securityintent_types.go | 2 +- .../securityintentbinding_types.go | 23 +- api/{v1 => v1alpha1}/zz_generated.deepcopy.go | 240 ++-- cmd/main.go | 2 +- ...rity.nimbus.com_clusternimbuspolicies.yaml | 47 +- ...bus.com_clustersecurityintentbindings.yaml | 48 +- ...nt.security.nimbus.com_nimbuspolicies.yaml | 6 +- ...ity.nimbus.com_securityintentbindings.yaml | 55 +- ...t.security.nimbus.com_securityintents.yaml | 2 +- config/rbac/role.yaml | 8 + deployments/nimbus/templates/crds.yaml | 1048 ++++++++--------- deployments/nimbus/templates/roles.yaml | 8 + .../clusterscoped/csib-1-all-ns-selector.yaml | 21 + .../clusterscoped/csib-2-match-names.yaml | 22 + .../clusterscoped/csib-3-exclude-names.yaml | 22 + ...> escape-to-host-si-csib-with-params.yaml} | 25 +- .../clusterscoped/escape-to-host-si-sib.yaml | 36 - .../cel-multi-si-sib-namespaced.yaml | 47 +- .../namespaced/dns-manipulation-si-sib.yaml | 13 +- .../namespaced/escape-to-host-si-sib.yaml | 13 +- .../escape-to-host-with-params.yaml | 13 +- .../multiple-si-sib-namespaced.yaml | 17 +- go.mod | 61 +- go.sum | 155 ++- ...clustersecurityintentbinding_controller.go | 384 +++++- .../controller/securityintent_controller.go | 10 +- .../securityintentbinding_controller.go | 38 +- internal/controller/util.go | 21 +- pkg/adapter/nimbus-kubearmor/go.mod | 62 +- pkg/adapter/nimbus-kubearmor/go.sum | 151 +-- .../nimbus-kubearmor/manager/manager.go | 18 +- .../nimbus-kubearmor/processor/kspbuilder.go | 8 +- .../processor/kspprocessor.go | 48 - pkg/adapter/nimbus-kyverno/go.mod | 72 +- pkg/adapter/nimbus-kyverno/go.sum | 158 ++- 
pkg/adapter/nimbus-kyverno/manager/manager.go | 18 +- .../nimbus-kyverno/processor/kcpbuilder.go | 104 +- .../nimbus-kyverno/processor/kpbuilder.go | 26 +- .../nimbus-kyverno/watcher/kcpwatcher.go | 7 +- .../nimbus-kyverno/watcher/kpwatcher.go | 3 +- pkg/adapter/nimbus-netpol/go.mod | 61 +- pkg/adapter/nimbus-netpol/go.sum | 149 +-- .../nimbus-netpol/manager/netpols_manager.go | 28 +- .../nimbus-netpol/processor/netpol_builder.go | 4 +- pkg/adapter/util/clusternimbuspolicy_util.go | 6 +- pkg/adapter/util/nimbuspolicy_util.go | 6 +- pkg/adapter/util/watcher_util.go | 12 +- .../watcher/clusternimbuspolicy_watcher.go | 2 +- pkg/adapter/watcher/nimbuspolicy_watcher.go | 11 +- pkg/processor/intentbinder/intent_binder.go | 14 +- .../clusternimbuspolicy_builder.go | 35 +- pkg/processor/policybuilder/common.go | 23 - .../policybuilder/nimbuspolicy_builder.go | 68 +- .../excludename/README.md | 200 ++++ .../excludename/chainsaw-test.yaml | 115 ++ .../cluster-nimbus-policy-assert.yaml | 21 + .../excludename/escape-to-host-csib.yaml | 15 + ...escape-to-host-dev-prod-regional-csib.yaml | 16 + .../excludename/nimbus-policy-assert-dev.yaml | 21 + .../nimbus-policy-assert-management.yaml | 21 + .../nimbus-policy-assert-prod.yaml | 21 + .../nimbus-policy-assert-staging.yaml | 21 + .../excludename/nimbus-policy-assert.yaml | 20 + .../excludename/ns-regional-mgmt.yaml | 12 + .../excludename/ns.yaml | 17 + .../matchall/README.md | 232 ++++ .../matchall/chainsaw-test.yaml | 131 +++ .../cluster-nimbus-policy-assert.yaml | 21 + .../matchall/dns-manipulation-csib.yaml | 14 + .../matchall/nimbus-policy-assert-dev.yaml | 21 + .../matchall/nimbus-policy-assert-prod.yaml | 21 + .../nimbus-policy-assert-staging.yaml | 21 + .../matchall/nimbus-policy-assert.yaml | 20 + .../matchall/ns.yaml | 17 + .../matchname/README.md | 188 +++ .../matchname/chainsaw-test.yaml | 101 ++ .../cluster-nimbus-policy-assert.yaml | 21 + .../matchname/escape-to-host-csib.yaml | 15 + 
.../escape-to-host-dev-prod-csib.yaml | 15 + .../matchname/nimbus-policy-assert-dev.yaml | 21 + .../matchname/nimbus-policy-assert-prod.yaml | 21 + .../nimbus-policy-assert-staging.yaml | 21 + .../matchname/nimbus-policy-assert.yaml | 20 + .../matchname/ns.yaml | 17 + .../controllers/nimbuspolicy/delete/README.md | 4 +- .../nimbuspolicy/delete/chainsaw-test.yaml | 6 +- .../nimbuspolicy/nimbus-policy-assert.yaml | 5 +- .../controllers/nimbuspolicy/update/README.md | 4 +- .../nimbuspolicy/update/chainsaw-test.yaml | 2 +- .../nimbuspolicy/updated-nimbus-policy.yaml | 2 +- .../namespaced/dns-manipulation-si.yaml | 2 +- .../namespaced/dns-manipulation-sib.yaml | 11 +- .../namespaced/escape-to-host-si.yaml | 12 + .../resources/namespaced/multiple-sis.yaml | 6 +- .../namespaced/sib-for-multiple-sis.yaml | 11 +- .../securityintent/si-status-assert.yaml | 2 +- .../securityintentbinding/create/README.md | 4 +- .../create/chainsaw-test.yaml | 2 +- .../delete/chainsaw-test.yaml | 6 +- .../nimbus-policy-assert.yaml | 4 +- .../np-status-assert.yaml | 4 +- .../sib-status-assert.yaml | 2 +- .../securityintentbinding/updated-np.yaml | 4 +- .../securityintentbinding/updated-sib.yaml | 13 +- .../sis-and-sibs/delete/chainsaw-test.yaml | 6 +- .../sib-status-after-si-deletion-assert.yaml | 2 +- .../sis-and-sibs/nimbus-policy-assert.yaml | 4 +- .../sis-and-sibs/np-status-assert.yaml | 2 +- .../sis-and-sibs/si-status-assert.yaml | 2 +- .../sis-and-sibs/sib-status-assert.yaml | 2 +- .../controllers/sis-and-sibs/update/README.md | 4 +- .../sis-and-sibs/update/chainsaw-test.yaml | 2 +- .../nimbus-policy-after-deleting-one-si.yaml | 4 +- .../nimbus-policy-after-updating-one-si.yaml | 4 +- .../nimbus-policy-for-multiple-sis.yaml | 4 +- .../sib-status-after-si-deletion-assert.yaml | 2 +- .../sis-and-sibs/update/updated-sib.yaml | 10 +- .../update/updated-unauth-sa-si.yaml | 2 +- tests/e2e/dns-manipulation/ksp.yaml | 4 +- tests/e2e/dns-manipulation/netpol.yaml | 2 +- 
.../nimbus-policy-assert.yaml | 5 +- .../dns-manipulation/np-status-assert.yaml | 4 +- .../dns-manipulation/sib-status-assert.yaml | 2 +- tests/e2e/escape-to-host/kyverno-policy.yaml | 4 +- .../escape-to-host/nimbus-policy-assert.yaml | 4 +- .../e2e/escape-to-host/np-status-assert.yaml | 4 +- .../e2e/escape-to-host/sib-status-assert.yaml | 4 +- .../namespaced/dns-manipulation-si.yaml | 2 +- .../namespaced/dns-manipulation-sib.yaml | 11 +- .../namespaced/escape-to-host-si.yaml | 4 +- .../namespaced/escape-to-host-sib.yaml | 11 +- 136 files changed, 3389 insertions(+), 1820 deletions(-) rename api/{v1 => v1alpha1}/clusternimbuspolicy_types.go (86%) rename api/{v1 => v1alpha1}/clustersecurityintentbinding_types.go (78%) rename api/{v1 => v1alpha1}/groupversion_info.go (83%) rename api/{v1 => v1alpha1}/nimbuspolicy_types.go (76%) rename api/{v1 => v1alpha1}/securityintent_types.go (99%) rename api/{v1 => v1alpha1}/securityintentbinding_types.go (78%) rename api/{v1 => v1alpha1}/zz_generated.deepcopy.go (89%) create mode 100644 examples/clusterscoped/csib-1-all-ns-selector.yaml create mode 100644 examples/clusterscoped/csib-2-match-names.yaml create mode 100644 examples/clusterscoped/csib-3-exclude-names.yaml rename examples/clusterscoped/{escape-to-host-si-sib-with-params.yaml => escape-to-host-si-csib-with-params.yaml} (53%) delete mode 100644 examples/clusterscoped/escape-to-host-si-sib.yaml delete mode 100644 pkg/adapter/nimbus-kubearmor/processor/kspprocessor.go create mode 100644 tests/controllers/clustersecurityintentbinding/excludename/README.md create mode 100644 tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/excludename/cluster-nimbus-policy-assert.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-csib.yaml create mode 100644 
tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-dev-prod-regional-csib.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-dev.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-management.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-prod.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-staging.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/excludename/ns-regional-mgmt.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/excludename/ns.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchall/README.md create mode 100644 tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchall/cluster-nimbus-policy-assert.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchall/dns-manipulation-csib.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-dev.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-prod.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-staging.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchall/ns.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchname/README.md create mode 100644 tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml create mode 100644 
tests/controllers/clustersecurityintentbinding/matchname/cluster-nimbus-policy-assert.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchname/escape-to-host-csib.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchname/escape-to-host-dev-prod-csib.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-dev.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-prod.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-staging.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert.yaml create mode 100644 tests/controllers/clustersecurityintentbinding/matchname/ns.yaml create mode 100644 tests/controllers/resources/namespaced/escape-to-host-si.yaml diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml index 250833b8..538f6c75 100644 --- a/.github/workflows/pr-checks.yaml +++ b/.github/workflows/pr-checks.yaml @@ -160,7 +160,7 @@ jobs: run: | kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus kubectl get pods -A - + - name: Run Tests run: make integration-test diff --git a/api/v1/clusternimbuspolicy_types.go b/api/v1alpha1/clusternimbuspolicy_types.go similarity index 86% rename from api/v1/clusternimbuspolicy_types.go rename to api/v1alpha1/clusternimbuspolicy_types.go index 841e0f5b..e3eded9a 100644 --- a/api/v1/clusternimbuspolicy_types.go +++ b/api/v1alpha1/clusternimbuspolicy_types.go @@ -1,7 +1,7 @@ // SPDX-License-Identifier: Apache-2.0 // Copyright 2023 Authors of Nimbus -package v1 +package v1alpha1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -9,8 +9,10 @@ import ( // ClusterNimbusPolicySpec defines the desired state of ClusterNimbusPolicy type ClusterNimbusPolicySpec struct { - Selector CwSelector `json:"selector"` - NimbusRules []NimbusRules `json:"rules"` + NodeSelector LabelSelector `json:"nodeSelector,omitempty"` + NsSelector NamespaceSelector `json:"nsSelector,omitempty"` + WorkloadSelector LabelSelector `json:"workloadSelector,omitempty"` + NimbusRules []NimbusRules `json:"rules"` } // ClusterNimbusPolicyStatus defines the observed state of ClusterNimbusPolicy diff --git a/api/v1/clustersecurityintentbinding_types.go b/api/v1alpha1/clustersecurityintentbinding_types.go similarity index 78% rename from api/v1/clustersecurityintentbinding_types.go rename to api/v1alpha1/clustersecurityintentbinding_types.go index d400b5a8..007310b1 100644 --- a/api/v1/clustersecurityintentbinding_types.go +++ b/api/v1alpha1/clustersecurityintentbinding_types.go 
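Review bot: All three new selector fields on ClusterNimbusPolicySpec are `omitempty`, and the regenerated CRD later in this patch drops `selector` from the `required` list, so an object with no node, namespace or workload selector at all is now accepted, yet nothing on the type says what an empty selector means (every node, every namespace?). Since a cluster-scoped policy with no scoping is the widest possible blast radius, the intended semantics should be stated on the fields rather than left to the controller; for example `// NsSelector restricts the namespaces the policy is rendered into; an empty selector's meaning is defined by the controller — TODO document or reject it.` and equivalent comments on NodeSelector and WorkloadSelector. If "no selector" is never meant to be valid, a kubebuilder validation marker on the spec would enforce that at admission instead of at reconcile time.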
@@ -1,28 +1,28 @@ // SPDX-License-Identifier: Apache-2.0 // Copyright 2023 Authors of Nimbus -package v1 +package v1alpha1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -type CwResource struct { - Kind string `json:"kind"` - Name string `json:"name"` - Namespace string `json:"namespace,omitempty"` - MatchLabels map[string]string `json:"matchLabels,omitempty"` +type NamespaceSelector struct { + MatchNames []string `json:"matchNames,omitempty"` + ExcludeNames []string `json:"excludeNames,omitempty"` } -type CwSelector struct { - Resources []CwResource `json:"resources,omitempty"` - CEL []string `json:"cel,omitempty"` +type ClusterMatchWorkloads struct { + NodeSelector LabelSelector `json:"nodeSelector,omitempty"` + NsSelector NamespaceSelector `json:"nsSelector,omitempty"` + WorkloadSelector LabelSelector `json:"workloadSelector,omitempty"` } // ClusterSecurityIntentBindingSpec defines the desired state of ClusterSecurityIntentBinding type ClusterSecurityIntentBindingSpec struct { - Intents []MatchIntent `json:"intents"` - Selector CwSelector `json:"selector"` + Intents []MatchIntent `json:"intents"` + Selector ClusterMatchWorkloads `json:"selector,omitempty"` + CEL []string `json:"cel,omitempty"` } // ClusterSecurityIntentBindingStatus defines the observed state of ClusterSecurityIntentBinding diff --git a/api/v1/groupversion_info.go b/api/v1alpha1/groupversion_info.go similarity index 83% rename from api/v1/groupversion_info.go rename to api/v1alpha1/groupversion_info.go index 4159ec09..45cfb878 100644 --- a/api/v1/groupversion_info.go +++ b/api/v1alpha1/groupversion_info.go 
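Review bot: NamespaceSelector carries both MatchNames and ExcludeNames, but neither the type nor the generated schema enforces the rule from the commit message that a binding may not set both, so an invalid ClusterSecurityIntentBinding is persisted and only marked ValidationFail afterwards. A kubebuilder XValidation marker on the struct (a CEL rule such as "not both matchNames and excludeNames set") would reject it at admission, which is the cheaper and safer place for a cluster-wide scoping error. The new exported types also lack doc comments; the `"*"` wildcard mentioned in the commit message deserves to be spelled out here, e.g. `// NamespaceSelector picks the namespaces a cluster binding applies to. MatchNames lists namespaces to include ("*" selects all); ExcludeNames lists namespaces to skip. The two are mutually exclusive.` and `// ClusterMatchWorkloads scopes a ClusterSecurityIntentBinding by node, namespace and workload labels.`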
@@ -1,10 +1,10 @@ // SPDX-License-Identifier: Apache-2.0 // Copyright 2023 Authors of Nimbus -// Package v1 contains API Schema definitions for the intent v1 API group +// Package v1alpha1 contains API Schema definitions for the intent v1 API group // +kubebuilder:object:generate=true // +groupName=intent.security.nimbus.com -package v1 +package v1alpha1 import ( "k8s.io/apimachinery/pkg/runtime/schema" @@ -13,7 +13,7 @@ import ( var ( // GroupVersion is group version used to register these objects - GroupVersion = schema.GroupVersion{Group: "intent.security.nimbus.com", Version: "v1"} + GroupVersion = schema.GroupVersion{Group: "intent.security.nimbus.com", Version: "v1alpha1"} // SchemeBuilder is used to add go types to the GroupVersionKind scheme SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} diff --git a/api/v1/nimbuspolicy_types.go b/api/v1alpha1/nimbuspolicy_types.go similarity index 76% rename from api/v1/nimbuspolicy_types.go rename to api/v1alpha1/nimbuspolicy_types.go index 5e17223f..305d3639 100644 --- a/api/v1/nimbuspolicy_types.go +++ b/api/v1alpha1/nimbuspolicy_types.go 
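Review bot: The package comment was only half-renamed: it now reads "Package v1alpha1 contains API Schema definitions for the intent v1 API group" while GroupVersion two hunks down registers Version "v1alpha1". Update it to `// Package v1alpha1 contains API Schema definitions for the intent v1alpha1 API group` so godoc and the scheme agree.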
@@ -1,27 +1,23 @@ // SPDX-License-Identifier: Apache-2.0 // Copyright 2023 Authors of Nimbus -package v1 +package v1alpha1 import ( + "reflect" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) // NimbusPolicySpec defines the desired state of NimbusPolicy type NimbusPolicySpec struct { // Selector specifies the target resources to which the policy applies - Selector NimbusSelector `json:"selector"` + Selector LabelSelector `json:"selector"` // PolicyType specifies the type of policy, e.g., "Network", "System", "Cluster" NimbusRules []NimbusRules `json:"rules"` } -// NimbusSelector is used to select specific resources based on labels. -type NimbusSelector struct { - // MatchLabels is a map that holds key-value pairs to match against labels of resources. - MatchLabels map[string]string `json:"matchLabels"` -} - // NimbusRules represents a single policy rule with an ID, type, description, and detailed rule configurations. type NimbusRules struct { ID string `json:"id"` @@ -70,3 +66,26 @@ type NimbusPolicyList struct { func init() { SchemeBuilder.Register(&NimbusPolicy{}, &NimbusPolicyList{}) } + +// Check equality of the spec to decide if we need to update the object +func (a NimbusPolicy) Equal(b NimbusPolicy) (string, bool) { + if a.ObjectMeta.Name != b.ObjectMeta.Name { + return "diff: name", false + } + if a.ObjectMeta.Namespace != b.ObjectMeta.Namespace { + return "diff: Namespace", false + } + + if !reflect.DeepEqual(a.ObjectMeta.Labels, b.ObjectMeta.Labels) { + return "diff: Labels", false + } + + if !reflect.DeepEqual(a.ObjectMeta.OwnerReferences, b.ObjectMeta.OwnerReferences) { + return "diff: OwnerReferences", false + } + + if !reflect.DeepEqual(a.Spec, b.Spec) { + return "diff: Spec", false + } + return "", true +} diff --git a/api/v1/securityintent_types.go b/api/v1alpha1/securityintent_types.go similarity index 99% rename from api/v1/securityintent_types.go rename to api/v1alpha1/securityintent_types.go index d1b3208a..199a915f 100644 
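Review bot: The new NimbusPolicy.Equal compares Labels, OwnerReferences and Spec with reflect.DeepEqual, which treats a nil map or slice and an empty one as different; if one side is the object read back from the API server and the other the freshly built one (as the commit message's "not updated if the expected and actual is same" suggests), a nil-vs-empty Labels map would report `diff: Labels` and trigger an update on every reconcile, which is the churn this function exists to avoid. Using `equality.Semantic.DeepEqual` from k8s.io/apimachinery/pkg/api/equality instead of reflect.DeepEqual sidesteps that. Two smaller points: the comment on an exported method should start with its name, e.g. `// Equal reports whether b has the same name, namespace, labels, owner references and spec as a; the string names the first differing field, or is empty when they match.`, and the value receiver plus value parameter copy two full NimbusPolicy objects per call, so `func (a *NimbusPolicy) Equal(b *NimbusPolicy)` is the more conventional shape. The reason strings are also inconsistently cased (`"diff: name"` vs `"diff: Namespace"`).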
--- a/api/v1/securityintent_types.go +++ b/api/v1alpha1/securityintent_types.go @@ -1,7 +1,7 @@ // SPDX-License-Identifier: Apache-2.0 // Copyright 2023 Authors of Nimbus -package v1 +package v1alpha1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" diff --git a/api/v1/securityintentbinding_types.go b/api/v1alpha1/securityintentbinding_types.go similarity index 78% rename from api/v1/securityintentbinding_types.go rename to api/v1alpha1/securityintentbinding_types.go index 9ba9192f..5540552e 100644 --- a/api/v1/securityintentbinding_types.go +++ b/api/v1alpha1/securityintentbinding_types.go @@ -1,7 +1,7 @@ // SPDX-License-Identifier: Apache-2.0 // Copyright 2023 Authors of Nimbus -package v1 +package v1alpha1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -9,8 +9,9 @@ import ( // SecurityIntentBindingSpec defines the desired state of SecurityIntentBinding type SecurityIntentBindingSpec struct { - Intents []MatchIntent `json:"intents"` - Selector Selector `json:"selector"` + Intents []MatchIntent `json:"intents"` + Selector MatchWorkloads `json:"selector"` + CEL []string `json:"cel,omitempty"` } // MatchIntent struct defines the request for a specific SecurityIntent @@ -19,21 +20,11 @@ type MatchIntent struct { } // Selector defines the selection criteria for resources -type Selector struct { - Any []ResourceFilter `json:"any,omitempty"` - All []ResourceFilter `json:"all,omitempty"` - CEL []string `json:"cel,omitempty"` +type MatchWorkloads struct { + WorkloadSelector LabelSelector `json:"workloadSelector,omitempty"` } -// ResourceFilter is used for filtering resources -type ResourceFilter struct { - Resources Resources `json:"resources,omitempty"` -} - -// Resources defines the properties for selecting Kubernetes resources -type Resources struct { - Kind string `json:"kind,omitempty"` - Namespace string `json:"namespace,omitempty"` +type LabelSelector struct { MatchLabels map[string]string `json:"matchLabels,omitempty"` } 
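Review bot: In the last hunk of securityintentbinding_types.go the old comment `// Selector defines the selection criteria for resources` is kept above the renamed type `MatchWorkloads`, so the doc no longer starts with the type name, and the new exported `LabelSelector` has no comment at all. Since LabelSelector is now the selector type shared by NimbusPolicySpec, ClusterNimbusPolicySpec and both binding types in this patch, it is worth a sentence: `// MatchWorkloads selects the workloads a SecurityIntentBinding applies to.` and `// LabelSelector selects resources whose labels contain every key/value pair in MatchLabels.` (the matching semantics are inferred from the name; confirm against the builders).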
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go similarity index 89% rename from api/v1/zz_generated.deepcopy.go rename to api/v1alpha1/zz_generated.deepcopy.go index 59b56c06..a4cbae4b 100644 --- a/api/v1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -5,12 +5,30 @@ // Code generated by controller-gen. DO NOT EDIT. -package v1 +package v1alpha1 import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterMatchWorkloads) DeepCopyInto(out *ClusterMatchWorkloads) { + *out = *in + in.NodeSelector.DeepCopyInto(&out.NodeSelector) + in.NsSelector.DeepCopyInto(&out.NsSelector) + in.WorkloadSelector.DeepCopyInto(&out.WorkloadSelector) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterMatchWorkloads. +func (in *ClusterMatchWorkloads) DeepCopy() *ClusterMatchWorkloads { + if in == nil { + return nil + } + out := new(ClusterMatchWorkloads) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterNimbusPolicy) DeepCopyInto(out *ClusterNimbusPolicy) { *out = *in @@ -73,7 +91,9 @@ func (in *ClusterNimbusPolicyList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterNimbusPolicySpec) DeepCopyInto(out *ClusterNimbusPolicySpec) { *out = *in - in.Selector.DeepCopyInto(&out.Selector) + in.NodeSelector.DeepCopyInto(&out.NodeSelector) + in.NsSelector.DeepCopyInto(&out.NsSelector) + in.WorkloadSelector.DeepCopyInto(&out.WorkloadSelector) if in.NimbusRules != nil { in, out := &in.NimbusRules, &out.NimbusRules *out = make([]NimbusRules, len(*in)) 
@@ -182,6 +202,11 @@ func (in *ClusterSecurityIntentBindingSpec) DeepCopyInto(out *ClusterSecurityInt copy(*out, *in) } in.Selector.DeepCopyInto(&out.Selector) + if in.CEL != nil { + in, out := &in.CEL, &out.CEL + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecurityIntentBindingSpec. 
@@ -215,55 +240,6 @@ func (in *ClusterSecurityIntentBindingStatus) DeepCopy() *ClusterSecurityIntentB return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *CwResource) DeepCopyInto(out *CwResource) { - *out = *in - if in.MatchLabels != nil { - in, out := &in.MatchLabels, &out.MatchLabels - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CwResource. -func (in *CwResource) DeepCopy() *CwResource { - if in == nil { - return nil - } - out := new(CwResource) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *CwSelector) DeepCopyInto(out *CwSelector) { - *out = *in - if in.Resources != nil { - in, out := &in.Resources, &out.Resources - *out = make([]CwResource, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.CEL != nil { - in, out := &in.CEL, &out.CEL - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CwSelector. -func (in *CwSelector) DeepCopy() *CwSelector { - if in == nil { - return nil - } - out := new(CwSelector) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Intent) DeepCopyInto(out *Intent) { *out = *in 
@@ -300,6 +276,28 @@ func (in *Intent) DeepCopy() *Intent { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LabelSelector) DeepCopyInto(out *LabelSelector) { + *out = *in + if in.MatchLabels != nil { + in, out := &in.MatchLabels, &out.MatchLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LabelSelector. +func (in *LabelSelector) DeepCopy() *LabelSelector { + if in == nil { + return nil + } + out := new(LabelSelector) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MatchIntent) DeepCopyInto(out *MatchIntent) { *out = *in 
@@ -315,6 +313,47 @@ func (in *MatchIntent) DeepCopy() *MatchIntent { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MatchWorkloads) DeepCopyInto(out *MatchWorkloads) { + *out = *in + in.WorkloadSelector.DeepCopyInto(&out.WorkloadSelector) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchWorkloads. +func (in *MatchWorkloads) DeepCopy() *MatchWorkloads { + if in == nil { + return nil + } + out := new(MatchWorkloads) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NamespaceSelector) DeepCopyInto(out *NamespaceSelector) { + *out = *in + if in.MatchNames != nil { + in, out := &in.MatchNames, &out.MatchNames + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.ExcludeNames != nil { + in, out := &in.ExcludeNames, &out.ExcludeNames + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceSelector. +func (in *NamespaceSelector) DeepCopy() *NamespaceSelector { + if in == nil { + return nil + } + out := new(NamespaceSelector) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NimbusPolicy) DeepCopyInto(out *NimbusPolicy) { *out = *in 
@@ -434,66 +473,6 @@ func (in *NimbusRules) DeepCopy() *NimbusRules {
 return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NimbusSelector) DeepCopyInto(out *NimbusSelector) {
- *out = *in
- if in.MatchLabels != nil {
- in, out := &in.MatchLabels, &out.MatchLabels
- *out = make(map[string]string, len(*in))
- for key, val := range *in {
- (*out)[key] = val
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NimbusSelector.
-func (in *NimbusSelector) DeepCopy() *NimbusSelector {
- if in == nil {
- return nil
- }
- out := new(NimbusSelector)
- in.DeepCopyInto(out)
- return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ResourceFilter) DeepCopyInto(out *ResourceFilter) {
- *out = *in
- in.Resources.DeepCopyInto(&out.Resources)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilter.
-func (in *ResourceFilter) DeepCopy() *ResourceFilter {
- if in == nil {
- return nil
- }
- out := new(ResourceFilter)
- in.DeepCopyInto(out)
- return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Resources) DeepCopyInto(out *Resources) {
- *out = *in
- if in.MatchLabels != nil {
- in, out := &in.MatchLabels, &out.MatchLabels
- *out = make(map[string]string, len(*in))
- for key, val := range *in {
- (*out)[key] = val
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resources.
-func (in *Resources) DeepCopy() *Resources {
- if in == nil {
- return nil
- }
- out := new(Resources)
- in.DeepCopyInto(out)
- return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Rule) DeepCopyInto(out *Rule) {
 *out = *in
@@ -620,6 +599,11 @@ func (in *SecurityIntentBindingSpec) DeepCopyInto(out *SecurityIntentBindingSpec
 copy(*out, *in)
 }
 in.Selector.DeepCopyInto(&out.Selector)
+ if in.CEL != nil {
+ in, out := &in.CEL, &out.CEL
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityIntentBindingSpec.
@@ -715,37 +699,3 @@ func (in *SecurityIntentStatus) DeepCopy() *SecurityIntentStatus {
 in.DeepCopyInto(out)
 return out
 }
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Selector) DeepCopyInto(out *Selector) {
- *out = *in
- if in.Any != nil {
- in, out := &in.Any, &out.Any
- *out = make([]ResourceFilter, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
- if in.All != nil {
- in, out := &in.All, &out.All
- *out = make([]ResourceFilter, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
- if in.CEL != nil {
- in, out := &in.CEL, &out.CEL
- *out = make([]string, len(*in))
- copy(*out, *in)
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Selector.
-func (in *Selector) DeepCopy() *Selector {
- if in == nil {
- return nil
- }
- out := new(Selector)
- in.DeepCopyInto(out)
- return out
-}
diff --git a/cmd/main.go b/cmd/main.go
index b947f3a1..66899b5e 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -16,7 +16,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/log/zap"
 metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
- v1 "github.com/5GSEC/nimbus/api/v1"
+ v1 "github.com/5GSEC/nimbus/api/v1alpha1"
 "github.com/5GSEC/nimbus/internal/controller"
 // Importing third-party Kubernetes resource types
 //+kubebuilder:scaffold:imports
diff --git a/config/crd/bases/intent.security.nimbus.com_clusternimbuspolicies.yaml b/config/crd/bases/intent.security.nimbus.com_clusternimbuspolicies.yaml index 4d7bcfd0..bb615d63 100644 --- a/config/crd/bases/intent.security.nimbus.com_clusternimbuspolicies.yaml +++ b/config/crd/bases/intent.security.nimbus.com_clusternimbuspolicies.yaml @@ -26,7 +26,7 @@ spec: - jsonPath: .status.numberOfAdapterPolicies name: Policies type: integer - name: v1 + name: v1alpha1 schema: openAPIV3Schema: description: ClusterNimbusPolicy is the Schema for the clusternimbuspolicies @@ -52,6 +52,24 @@ spec: spec: description: ClusterNimbusPolicySpec defines the desired state of ClusterNimbusPolicy properties: + nodeSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + nsSelector: + properties: + excludeNames: + items: + type: string + type: array + matchNames: + items: + type: string + type: array + type: object rules: items: description: NimbusRules represents a single policy rule with an @@ -81,34 +99,15 @@ spec: - rule type: object type: array - selector: + workloadSelector: properties: - cel: - items: + matchLabels: + additionalProperties: type: string - type: array - resources: - items: - properties: - kind: - type: string - matchLabels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - required: - - kind - - name - type: object - type: array + type: object type: object required: - rules - - selector type: object status: description: ClusterNimbusPolicyStatus defines the observed state of ClusterNimbusPolicy diff --git a/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml b/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml index d8f63880..5f7bf97f 100644 --- a/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml 
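Review bot: In the `@@ -52,6 +52,24 @@` hunk the new `nsSelector` schema accepts `matchNames` and `excludeNames` in the same object, while the commit description states a binding cannot contain both; nothing in the schema rejects that combination, so enforcement is left to the controller (outside this diff) or to the sample YAMLs. A CEL rule on `nsSelector` makes the API server refuse it at admission: `x-kubernetes-validations:` / `- rule: "!(has(self.matchNames) && has(self.excludeNames))"` / `  message: "matchNames and excludeNames are mutually exclusive"`; since these CRDs are generated by controller-gen, the rule belongs on the Go type as a `+kubebuilder:validation:XValidation` marker. The same gap is in the clustersecurityintentbindings CRD hunk that follows (the user-authored object, where admission enforcement matters most) and in the Helm copies of both CRDs in deployments/nimbus/templates/crds.yaml. With `selector` no longer required, the field description should also say what an unset or empty `nsSelector` selects, since it presumably means every namespace.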
+++ b/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml @@ -29,7 +29,7 @@ spec: - jsonPath: .status.clusterNimbusPolicy name: ClusterNimbusPolicy type: string - name: v1 + name: v1alpha1 schema: openAPIV3Schema: description: ClusterSecurityIntentBinding is the Schema for the clustersecurityintentbindings @@ -56,6 +56,10 @@ spec: description: ClusterSecurityIntentBindingSpec defines the desired state of ClusterSecurityIntentBinding properties: + cel: + items: + type: string + type: array intents: items: description: MatchIntent struct defines the request for a specific @@ -69,32 +73,34 @@ spec: type: array selector: properties: - cel: - items: - type: string - type: array - resources: - items: - properties: - kind: + nodeSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + nsSelector: + properties: + excludeNames: + items: type: string - matchLabels: - additionalProperties: - type: string - type: object - name: + type: array + matchNames: + items: type: string - namespace: + type: array + type: object + workloadSelector: + properties: + matchLabels: + additionalProperties: type: string - required: - - kind - - name - type: object - type: array + type: object + type: object type: object required: - intents - - selector type: object status: description: ClusterSecurityIntentBindingStatus defines the observed state diff --git a/config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml b/config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml index 927bf249..a43a9fa2 100644 --- a/config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml +++ b/config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml @@ -26,7 +26,7 @@ spec: - jsonPath: .status.numberOfAdapterPolicies name: Policies type: integer - name: v1 + name: v1alpha1 schema: openAPIV3Schema: description: NimbusPolicy is the Schema for the nimbuspolicies API 
@@ -89,11 +89,7 @@ spec: matchLabels: additionalProperties: type: string - description: MatchLabels is a map that holds key-value pairs to - match against labels of resources. type: object - required: - - matchLabels type: object required: - rules diff --git a/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml b/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml index f9312309..eb640517 100644 --- a/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml +++ b/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml @@ -29,7 +29,7 @@ spec: - jsonPath: .status.nimbusPolicy name: NimbusPolicy type: string - name: v1 + name: v1alpha1 schema: openAPIV3Schema: description: SecurityIntentBinding is the Schema for the securityintentbindings @@ -55,6 +55,10 @@ spec: spec: description: SecurityIntentBindingSpec defines the desired state of SecurityIntentBinding properties: + cel: + items: + type: string + type: array intents: items: description: MatchIntent struct defines the request for a specific 
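Review bot: Removing `required: [matchLabels]` in the `@@ -89,11 +89,7 @@` hunk (together with the dropped description) makes a NimbusPolicy whose `selector` is empty schema-valid, and for adapters that translate an empty label selector into every workload in the namespace this widens the policy's reach instead of failing closed; how the adapters in this project handle an empty selector is outside this diff. If an empty selector is intended to mean the whole namespace, state it in the field description, e.g. `description: Selector selects the workloads the policy applies to by label; an empty selector applies it to all workloads in the namespace.`, and in the Go type's doc comment; otherwise keep `matchLabels` required. The Helm copy of this CRD in deployments/nimbus/templates/crds.yaml carries the same change.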
@@ -69,48 +73,13 @@ spec: selector: description: Selector defines the selection criteria for resources properties: - all: - items: - description: ResourceFilter is used for filtering resources - properties: - resources: - description: Resources defines the properties for selecting - Kubernetes resources - properties: - kind: - type: string - matchLabels: - additionalProperties: - type: string - type: object - namespace: - type: string - type: object - type: object - type: array - any: - items: - description: ResourceFilter is used for filtering resources - properties: - resources: - description: Resources defines the properties for selecting - Kubernetes resources - properties: - kind: - type: string - matchLabels: - additionalProperties: - type: string - type: object - namespace: - type: string - type: object - type: object - type: array - cel: - items: - type: string - type: array + workloadSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object type: object required: - intents diff --git a/config/crd/bases/intent.security.nimbus.com_securityintents.yaml b/config/crd/bases/intent.security.nimbus.com_securityintents.yaml index 6c95b276..881b5b2d 100644 --- a/config/crd/bases/intent.security.nimbus.com_securityintents.yaml +++ b/config/crd/bases/intent.security.nimbus.com_securityintents.yaml @@ -31,7 +31,7 @@ spec: name: Action priority: 1 type: string - name: v1 + name: v1alpha1 schema: openAPIV3Schema: description: SecurityIntent is the Schema for the securityintents API diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 1cb9e368..6ccb6cdf 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -4,6 +4,14 @@ kind: ClusterRole metadata: name: nimbus-operator rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch - apiGroups: - intent.security.nimbus.com resources: 
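Review bot: The new rule in the role.yaml hunk (`@@ -4,6 +4,14 @@`) grants the operator cluster-wide `get`/`list`/`watch` on core `namespaces` with nothing recording why. The verbs are read-only, so the exposure is namespace metadata (names and labels) rather than workloads, but a broadened ClusterRole in a generated file tends to outlive its reason; role.yaml is produced from `//+kubebuilder:rbac` markers, so the marker that yields this rule (outside this diff) should carry a comment such as `// namespaces: read access is needed to resolve ClusterSecurityIntentBinding nsSelector (matchNames/excludeNames) into per-namespace NimbusPolicies`. If the controller only consumes namespaces through an informer, `get` may not be needed — worth confirming against the reconciler before keeping it.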
diff --git a/deployments/nimbus/templates/crds.yaml b/deployments/nimbus/templates/crds.yaml index 1211d446..96e0dbb5 100644 --- a/deployments/nimbus/templates/crds.yaml +++ b/deployments/nimbus/templates/crds.yaml @@ -1,8 +1,9 @@ +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusternimbuspolicies.intent.security.nimbus.com spec: group: intent.security.nimbus.com 
@@ -11,129 +12,133 @@ spec: listKind: ClusterNimbusPolicyList plural: clusternimbuspolicies shortNames: - - cwnp + - cwnp singular: clusternimbuspolicy scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.numberOfAdapterPolicies - name: Policies - type: integer - name: v1 - schema: - openAPIV3Schema: - description: ClusterNimbusPolicy is the Schema for the clusternimbuspolicies - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterNimbusPolicySpec defines the desired state of ClusterNimbusPolicy - properties: - rules: - items: - description: NimbusRules represents a single policy rule with an - ID, type, description, and detailed rule configurations. 
- properties: - description: - type: string - id: - type: string - rule: - properties: - action: - type: string - params: - additionalProperties: - items: - type: string - type: array - type: object - required: - - action - type: object - type: - type: string - required: - - id - - rule + - additionalPrinterColumns: + - jsonPath: .status.status + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.numberOfAdapterPolicies + name: Policies + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterNimbusPolicy is the Schema for the clusternimbuspolicies + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ClusterNimbusPolicySpec defines the desired state of ClusterNimbusPolicy + properties: + nodeSelector: + properties: + matchLabels: + additionalProperties: + type: string type: object - type: array - selector: + type: object + nsSelector: + properties: + excludeNames: + items: + type: string + type: array + matchNames: + items: + type: string + type: array + type: object + rules: + items: + description: NimbusRules represents a single policy rule with an + ID, type, description, and detailed rule configurations. 
properties: - cel: - items: - type: string - type: array - resources: - items: - properties: - kind: - type: string - matchLabels: - additionalProperties: + description: + type: string + id: + type: string + rule: + properties: + action: + type: string + params: + additionalProperties: + items: type: string - type: object - name: - type: string - namespace: - type: string - required: - - kind - - name - type: object - type: array + type: array + type: object + required: + - action + type: object + type: + type: string + required: + - id + - rule type: object - required: - - rules - - selector - type: object - status: - description: ClusterNimbusPolicyStatus defines the observed state of ClusterNimbusPolicy - properties: - adapterPolicies: - items: - type: string - type: array - lastUpdated: - format: date-time - type: string - numberOfAdapterPolicies: - format: int32 - type: integer - status: + type: array + workloadSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + required: + - rules + type: object + status: + description: ClusterNimbusPolicyStatus defines the observed state of ClusterNimbusPolicy + properties: + adapterPolicies: + items: type: string - required: - - numberOfAdapterPolicies - - status - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: array + lastUpdated: + format: date-time + type: string + numberOfAdapterPolicies: + format: int32 + type: integer + status: + type: string + required: + - numberOfAdapterPolicies + - status + type: object + type: object + served: true + storage: true + subresources: + status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecurityintentbindings.intent.security.nimbus.com spec: group: intent.security.nimbus.com 
@@ -142,119 +147,130 @@ spec: listKind: ClusterSecurityIntentBindingList plural: clustersecurityintentbindings shortNames: - - csib + - csib singular: clustersecurityintentbinding scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.numberOfBoundIntents - name: Intents - type: integer - - jsonPath: .status.clusterNimbusPolicy - name: ClusterNimbusPolicy - type: string - name: v1 - schema: - openAPIV3Schema: - description: ClusterSecurityIntentBinding is the Schema for the clustersecurityintentbindings - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterSecurityIntentBindingSpec defines the desired state - of ClusterSecurityIntentBinding - properties: - intents: - items: - description: MatchIntent struct defines the request for a specific - SecurityIntent + - additionalPrinterColumns: + - jsonPath: .status.status + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.numberOfBoundIntents + name: Intents + type: integer + - jsonPath: .status.clusterNimbusPolicy + name: ClusterNimbusPolicy + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSecurityIntentBinding is the Schema for the clustersecurityintentbindings + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ClusterSecurityIntentBindingSpec defines the desired state + of ClusterSecurityIntentBinding + properties: + cel: + items: + type: string + type: array + intents: + items: + description: MatchIntent struct defines the request for a specific + SecurityIntent + properties: + name: + type: string + required: + - name + type: object + type: array + selector: + properties: + nodeSelector: properties: - name: - type: string - required: - - name + matchLabels: + additionalProperties: + type: string + type: object type: object - type: array - selector: - properties: - cel: - items: - type: string - type: array - resources: - items: - properties: - kind: - type: string - matchLabels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - required: - - kind - - name + nsSelector: + properties: + excludeNames: + items: + type: string + type: array + matchNames: + items: + type: string + type: array + type: object + workloadSelector: + properties: + matchLabels: + additionalProperties: + type: string type: object - type: array - type: object - required: - - intents - - selector - type: object - status: - description: ClusterSecurityIntentBindingStatus defines the observed state - of ClusterSecurityIntentBinding - properties: - boundIntents: - items: - type: string - type: array - clusterNimbusPolicy: - type: string - lastUpdated: - format: date-time - type: string - numberOfBoundIntents: - format: int32 - type: integer - status: + type: object + type: object + required: + - intents + type: object + status: + description: ClusterSecurityIntentBindingStatus defines the observed state + of ClusterSecurityIntentBinding + properties: + boundIntents: + items: type: string - required: - - clusterNimbusPolicy - - numberOfBoundIntents - - status - type: object - 
type: object - served: true - storage: true - subresources: - status: {} + type: array + clusterNimbusPolicy: + type: string + lastUpdated: + format: date-time + type: string + numberOfBoundIntents: + format: int32 + type: integer + status: + type: string + required: + - clusterNimbusPolicy + - numberOfBoundIntents + - status + type: object + type: object + served: true + storage: true + subresources: + status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: nimbuspolicies.intent.security.nimbus.com spec: group: intent.security.nimbus.com 
@@ -263,118 +279,119 @@ spec: listKind: NimbusPolicyList plural: nimbuspolicies shortNames: - - np + - np singular: nimbuspolicy scope: Namespaced versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.numberOfAdapterPolicies - name: Policies - type: integer - name: v1 - schema: - openAPIV3Schema: - description: NimbusPolicy is the Schema for the nimbuspolicies API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: NimbusPolicySpec defines the desired state of NimbusPolicy - properties: - rules: - description: PolicyType specifies the type of policy, e.g., "Network", - "System", "Cluster" - items: - description: NimbusRules represents a single policy rule with an - ID, type, description, and detailed rule configurations. 
- properties: - description: - type: string - id: - type: string - rule: - properties: - action: - type: string - params: - additionalProperties: - items: - type: string - type: array - type: object - required: - - action - type: object - type: - type: string - required: - - id - - rule - type: object - type: array - selector: - description: Selector specifies the target resources to which the - policy applies + - additionalPrinterColumns: + - jsonPath: .status.status + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.numberOfAdapterPolicies + name: Policies + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: NimbusPolicy is the Schema for the nimbuspolicies API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: NimbusPolicySpec defines the desired state of NimbusPolicy + properties: + rules: + description: PolicyType specifies the type of policy, e.g., "Network", + "System", "Cluster" + items: + description: NimbusRules represents a single policy rule with an + ID, type, description, and detailed rule configurations. properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map that holds key-value pairs to - match against labels of resources. 
+ description: + type: string + id: + type: string + rule: + properties: + action: + type: string + params: + additionalProperties: + items: + type: string + type: array + type: object + required: + - action type: object + type: + type: string required: - - matchLabels + - id + - rule type: object - required: - - rules - - selector - type: object - status: - description: NimbusPolicyStatus defines the observed state of NimbusPolicy - properties: - adapterPolicies: - items: - type: string - type: array - lastUpdated: - format: date-time - type: string - numberOfAdapterPolicies: - format: int32 - type: integer - status: + type: array + selector: + description: Selector specifies the target resources to which the + policy applies + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + required: + - rules + - selector + type: object + status: + description: NimbusPolicyStatus defines the observed state of NimbusPolicy + properties: + adapterPolicies: + items: type: string - required: - - numberOfAdapterPolicies - - status - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: array + lastUpdated: + format: date-time + type: string + numberOfAdapterPolicies: + format: int32 + type: integer + status: + type: string + required: + - numberOfAdapterPolicies + - status + type: object + type: object + served: true + storage: true + subresources: + status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: securityintentbindings.intent.security.nimbus.com spec: group: intent.security.nimbus.com 
@@ -383,139 +400,113 @@ spec: listKind: SecurityIntentBindingList plural: securityintentbindings shortNames: - - sib + - sib singular: securityintentbinding scope: Namespaced versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.numberOfBoundIntents - name: Intents - type: integer - - jsonPath: .status.nimbusPolicy - name: NimbusPolicy - type: string - name: v1 - schema: - openAPIV3Schema: - description: SecurityIntentBinding is the Schema for the securityintentbindings - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecurityIntentBindingSpec defines the desired state of SecurityIntentBinding - properties: - intents: - items: - description: MatchIntent struct defines the request for a specific - SecurityIntent - properties: - name: - type: string - required: - - name - type: object - type: array - selector: - description: Selector defines the selection criteria for resources + - additionalPrinterColumns: + - jsonPath: .status.status + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.numberOfBoundIntents + name: Intents + type: integer + - jsonPath: .status.nimbusPolicy + name: NimbusPolicy + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: SecurityIntentBinding is the Schema for the securityintentbindings + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SecurityIntentBindingSpec defines the desired state of SecurityIntentBinding + properties: + cel: + items: + type: string + type: array + intents: + items: + description: MatchIntent struct defines the request for a specific + SecurityIntent properties: - all: - items: - description: ResourceFilter is used for filtering resources - properties: - resources: - description: Resources defines the properties for selecting - Kubernetes resources - properties: - kind: - type: string - matchLabels: - additionalProperties: - type: string - type: object - namespace: - type: string - type: object - type: object - type: array - any: - items: - description: ResourceFilter is used for filtering resources - properties: - resources: - description: Resources defines the properties for selecting - Kubernetes resources - properties: - kind: - type: string - matchLabels: - additionalProperties: - type: string - type: object - namespace: - type: string - type: object - type: object - type: array - cel: - items: - type: string - type: array + name: + type: string + required: + - name type: object - required: - - intents - - selector - type: object - status: - description: SecurityIntentBindingStatus defines the observed state of - SecurityIntentBinding - properties: - boundIntents: - items: - type: string - type: array - lastUpdated: - format: date-time - type: string - nimbusPolicy: - type: string - numberOfBoundIntents: - format: int32 - type: integer - status: + type: array + selector: + description: Selector defines the selection criteria for resources + properties: + workloadSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + required: + - intents + - selector + type: object + status: + description: SecurityIntentBindingStatus defines the 
observed state of + SecurityIntentBinding + properties: + boundIntents: + items: type: string - required: - - nimbusPolicy - - numberOfBoundIntents - - status - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: array + lastUpdated: + format: date-time + type: string + nimbusPolicy: + type: string + numberOfBoundIntents: + format: int32 + type: integer + status: + type: string + required: + - nimbusPolicy + - numberOfBoundIntents + - status + type: object + type: object + served: true + storage: true + subresources: + status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: securityintents.intent.security.nimbus.com spec: group: intent.security.nimbus.com 
@@ -524,103 +515,110 @@ spec: listKind: SecurityIntentList plural: securityintents shortNames: - - si + - si singular: securityintent scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.intent.id - name: ID - priority: 1 - type: string - - jsonPath: .spec.intent.action - name: Action - priority: 1 - type: string - name: v1 - schema: - openAPIV3Schema: - description: SecurityIntent is the Schema for the securityintents API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecurityIntentSpec defines the desired state of SecurityIntent - properties: - intent: - description: Intent defines the security policy details - properties: - action: - description: Action defines how the security policy will be enforced. - type: string - description: - description: Description is human-readable explanation of the - intent's purpose. - type: string - id: - description: ID is predefined in adapter ID pool. Used by security - engines to generate corresponding security policies. 
- pattern: ^[a-zA-Z0-9]*$ - type: string - params: - additionalProperties: - items: - type: string - type: array - description: Params are key-value pairs that allows fine-tuning - of intents to specific requirements. - type: object - severity: - default: Low - description: Severity defines the potential impact of a security - violation related to the intent. Defaults to Low. - type: string - tags: - description: Tags are additional metadata for categorization and - grouping of intents. Facilitates searching, filtering, and management - of security policies. + - additionalPrinterColumns: + - jsonPath: .status.status + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.intent.id + name: ID + priority: 1 + type: string + - jsonPath: .spec.intent.action + name: Action + priority: 1 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: SecurityIntent is the Schema for the securityintents API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SecurityIntentSpec defines the desired state of SecurityIntent + properties: + intent: + description: Intent defines the security policy details + properties: + action: + description: Action defines how the security policy will be enforced. 
+ type: string + description: + description: Description is human-readable explanation of the + intent's purpose. + type: string + id: + description: |- + ID is predefined in adapter ID pool. + Used by security engines to generate corresponding security policies. + pattern: ^[a-zA-Z0-9]*$ + type: string + params: + additionalProperties: items: type: string type: array - required: - - action - - id - type: object - required: - - intent - type: object - status: - description: SecurityIntentStatus defines the observed state of SecurityIntent - properties: - action: - type: string - id: - type: string - status: - type: string - required: + description: Params are key-value pairs that allows fine-tuning + of intents to specific requirements. + type: object + severity: + default: Low + description: |- + Severity defines the potential impact of a security violation related to the intent. + Defaults to Low. + type: string + tags: + description: |- + Tags are additional metadata for categorization and grouping of intents. + Facilitates searching, filtering, and management of security policies. + items: + type: string + type: array + required: - action - id - - status - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: object + required: + - intent + type: object + status: + description: SecurityIntentStatus defines the observed state of SecurityIntent + properties: + action: + type: string + id: + type: string + status: + type: string + required: + - action + - id + - status + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deployments/nimbus/templates/roles.yaml b/deployments/nimbus/templates/roles.yaml index 49355902..676e8951 100644 --- a/deployments/nimbus/templates/roles.yaml +++ b/deployments/nimbus/templates/roles.yaml 
@@ -41,6 +41,14 @@ kind: ClusterRole
 metadata:
 name: {{ include "nimbus.fullname" . }}
 rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - intent.security.nimbus.com
 resources:
diff --git a/examples/clusterscoped/csib-1-all-ns-selector.yaml b/examples/clusterscoped/csib-1-all-ns-selector.yaml
new file mode 100644
index 00000000..2b536c05
--- /dev/null
+++ b/examples/clusterscoped/csib-1-all-ns-selector.yaml
@@ -0,0 +1,21 @@
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntent
+metadata:
+ name: escape-to-host
+spec:
+ intent:
+ id: escapeToHost
+ description: "A attacker can breach container boundaries and can gain access to the host machine"
+ action: Block
+---
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: ClusterSecurityIntentBinding
+metadata:
+ name: escape-to-host-binding
+spec:
+ intents:
+ - name: escape-to-host
+ selector:
+ nsSelector:
+ matchNames:
+ - "*"
diff --git a/examples/clusterscoped/csib-2-match-names.yaml b/examples/clusterscoped/csib-2-match-names.yaml
new file mode 100644
index 00000000..1fb0f667
--- /dev/null
+++ b/examples/clusterscoped/csib-2-match-names.yaml
@@ -0,0 +1,22 @@
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntent
+metadata:
+ name: escape-to-host
+spec:
+ intent:
+ id: escapeToHost
+ description: "A attacker can breach container boundaries and can gain access to the host machine"
+ action: Block
+---
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: ClusterSecurityIntentBinding
+metadata:
+ name: escape-to-host-binding
+spec:
+ intents:
+ - name: escape-to-host
+ selector:
+ nsSelector:
+ matchNames:
+ - ns-1
+ - ns-2
diff --git a/examples/clusterscoped/csib-3-exclude-names.yaml b/examples/clusterscoped/csib-3-exclude-names.yaml
new file mode 100644
index 00000000..9f7deac1
--- /dev/null
+++ b/examples/clusterscoped/csib-3-exclude-names.yaml
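Review bot: The added rule grants the controller cluster-wide `get`/`list`/`watch` on core `namespaces` with no comment saying what needs it; a one-line note keeps the least-privilege review traceable, e.g. `# read-only namespace access: presumably needed to resolve a ClusterSecurityIntentBinding's nsSelector (matchNames/excludeNames)`. The verbs are read-only, which is the minimum a selector-driven watch needs, so no write permission is introduced by this hunk. The rules list continues outside the hunk.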
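Review bot: `matchNames: - "*"` in csib-1-all-ns-selector.yaml is left unexplained: the example does not say whether `*` is a literal all-namespaces marker or a glob, nor that it reaches system namespaces, and binding a Block intent to every namespace is a blast-radius decision a reader should see stated, e.g. `# "*" selects every namespace (including system ones); prefer explicit names or excludeNames outside demos` (the matching semantics are not visible in this diff, so confirm before wording it). The `description` string, repeated in csib-2-match-names.yaml and csib-3-exclude-names.yaml, reads `A attacker` where `An attacker` is correct. The commit message states that a CSIB cannot carry both matchNames and excludeNames; csib-3-exclude-names.yaml is the natural place for a comment saying so.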
@@ -0,0 +1,22 @@
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntent
+metadata:
+ name: escape-to-host
+spec:
+ intent:
+ id: escapeToHost
+ description: "A attacker can breach container boundaries and can gain access to the host machine"
+ action: Block
+---
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: ClusterSecurityIntentBinding
+metadata:
+ name: escape-to-host-binding
+spec:
+ intents:
+ - name: escape-to-host
+ selector:
+ nsSelector:
+ excludeNames:
+ - ns-2
+ - ns-3
diff --git a/examples/clusterscoped/escape-to-host-si-sib-with-params.yaml b/examples/clusterscoped/escape-to-host-si-csib-with-params.yaml
similarity index 53%
rename from examples/clusterscoped/escape-to-host-si-sib-with-params.yaml
rename to examples/clusterscoped/escape-to-host-si-csib-with-params.yaml
index 5b9de939..8a664df7 100644
--- a/examples/clusterscoped/escape-to-host-si-sib-with-params.yaml
+++ b/examples/clusterscoped/escape-to-host-si-csib-with-params.yaml
@@ -1,4 +1,4 @@
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
 name: escape-to-host
@@ -10,7 +10,7 @@ spec:
 params:
 psa_level: ["restricted"]
 ---
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: ClusterSecurityIntentBinding
 metadata:
 name: escape-to-host-binding
@@ -18,17 +18,10 @@ spec:
 intents:
 - name: escape-to-host
 selector:
- resources:
- - kind: Pod
- name: pod1
- namespace: ns1
- matchLabels:
- app: db
- env: dev
-
- - kind: Pod
- name: pod1
- namespace: ns2
- matchLabels:
- app: mongo
- env: prod
\ No newline at end of file
+ nsSelector:
+ matchNames:
+ - prod
+ workloadSelector:
+ matchLabels:
+ app: db
+ env: dev
\ No newline at end of file
diff --git a/examples/clusterscoped/escape-to-host-si-sib.yaml b/examples/clusterscoped/escape-to-host-si-sib.yaml
deleted file mode 100644
index 1ba49c23..00000000
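Review bot: The rewritten selector on the new side of the `@@ -18,17 +18,10 @@` hunk still ends with `\ No newline at end of file`; terminating the last line (`env: dev`) with a newline removes the marker and keeps the file clean for YAML tooling and future diffs. The hunk now pairs `nsSelector.matchNames: [prod]` with `workloadSelector.matchLabels`; a comment such as `# intersection: workloads labelled app=db,env=dev, in namespace prod only` would record the intended semantics, which are presumably AND but are not shown in this diff.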
--- a/examples/clusterscoped/escape-to-host-si-sib.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: intent.security.nimbus.com/v1
-kind: SecurityIntent
-metadata:
- name: escape-to-host
-spec:
- intent:
- id: escapeToHost
- description: "A attacker can breach container boundaries and can gain access to the host machine"
- action: Block
-
----
-apiVersion: intent.security.nimbus.com/v1
-kind: ClusterSecurityIntentBinding
-metadata:
- name: escape-to-host-binding
-spec:
- intents:
- - name: escape-to-host
- selector:
- resources:
- - kind: Pod
- name: pod1
- namespace: ns1
- matchLabels:
- app: db
- env: dev
-
- - kind: Pod
- name: pod1
- namespace: ns2
- matchLabels:
- app: mongo
- env: prod
-
- - kind: Namespace
- name: default
\ No newline at end of file
diff --git a/examples/namespaced/cel-multi-si-sib-namespaced.yaml b/examples/namespaced/cel-multi-si-sib-namespaced.yaml
index 2dd5da3c..8583bc20 100644
--- a/examples/namespaced/cel-multi-si-sib-namespaced.yaml
+++ b/examples/namespaced/cel-multi-si-sib-namespaced.yaml
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
 name: pkg-mgr-exec-multiple-nsscoped
@@ -10,7 +10,7 @@ spec:
 id: swDeploymentTools
 action: Block
 ---
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
 name: unauthorized-sa-token-access-multiple-nsscoped
@@ -19,7 +19,7 @@ spec:
 id: unAuthorizedSaTokenAccess
 action: Block
 ---
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
 name: dns-manipulation-multiple-nsscoped
@@ -28,7 +28,7 @@ spec:
 id: dnsManipulation
 action: Block
 ---
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding
 metadata:
 name: multiple-sis-nsscoped-binding
@@ -38,27 +38,28 @@ spec: - name: unauthorized-sa-token-access-multiple-nsscoped - name: dns-manipulation-multiple-nsscoped selector: - cel: - - labels["app"] == "nginx" + workloadSelector: + cel: + - labels["app"] == "nginx" - #- labels["app"] == "nginx" - #- "'labels[\"app\"] == \"nginx\"'" - #- labels["app"] in ["nginx", "nginx-2"] - #- labels["app"].contains("nginx") - #- labels["app"].startsWith("nginx") - #- labels["app"].endsWith("nginx") - #- labels["app"].matches(".*nginx.*") + #- labels["app"] == "nginx" + #- "'labels[\"app\"] == \"nginx\"'" + #- labels["app"] in ["nginx", "nginx-2"] + #- labels["app"].contains("nginx") + #- labels["app"].startsWith("nginx") + #- labels["app"].endsWith("nginx") + #- labels["app"].matches(".*nginx.*") - # Because certain characters or phrases are used as reserved words or have special meaning in YAML, - # you can't use the negation operator '!' of the Common Expression Language (CEL) directly - # Represent negation statements as strings + # Because certain characters or phrases are used as reserved words or have special meaning in YAML, + # you can't use the negation operator '!' of the Common Expression Language (CEL) directly + # Represent negation statements as strings - #- "'labels[\"app\"] != \"nginx\"'" - #- "'!(labels[\"app\"] in [\"nginx\", \"httpd\"])'" - #- "'!(labels[\"app\"] in [\"nginx\", \"nginx-2\"])'" - #- "'!labels[\"app\"].contains(\"nginx\")'" - #- "'!labels[\"app\"].startsWith(\"nginx\")'" - #- "'!labels[\"app\"].endsWith(\"nginx\")'" - #- "'!labels["app"].matches(".*nginx.*")'" + #- "'labels[\"app\"] != \"nginx\"'" + #- "'!(labels[\"app\"] in [\"nginx\", \"httpd\"])'" + #- "'!(labels[\"app\"] in [\"nginx\", \"nginx-2\"])'" + #- "'!labels[\"app\"].contains(\"nginx\")'" + #- "'!labels[\"app\"].startsWith(\"nginx\")'" + #- "'!labels[\"app\"].endsWith(\"nginx\")'" + #- "'!labels["app"].matches(".*nginx.*")'" 
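Review bot: `cel` is nested under `selector.workloadSelector` here, but the generated SecurityIntentBinding schema earlier in this diff keeps `cel` at `spec.cel` and lists only `matchLabels` under `workloadSelector`; unless the CRD preserves unknown fields (not visible here), the API server would prune `selector.workloadSelector.cel` on admission and the stored binding would carry no CEL filter, silently changing which workloads the three Block intents reach. Either move the expression to `spec.cel` to match the schema or extend the schema to accept `cel` under `workloadSelector`, and verify by applying the example and reading the object back. The commented-out alternatives were re-indented together with it and would need the same move. The selector block continues beyond the hunk.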
diff --git a/examples/namespaced/dns-manipulation-si-sib.yaml b/examples/namespaced/dns-manipulation-si-sib.yaml
index 39e69934..0ab32b81 100644
--- a/examples/namespaced/dns-manipulation-si-sib.yaml
+++ b/examples/namespaced/dns-manipulation-si-sib.yaml
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
 name: dns-manipulation
@@ -11,7 +11,7 @@ spec:
 description: "An adversary can manipulate DNS requests to redirect network traffic and potentially reveal end user activity."
 action: Block
 ---
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding
 metadata:
 name: dns-manipulation-binding
@@ -19,9 +19,6 @@ spec:
 intents:
 - name: dns-manipulation
 selector:
- any:
- - resources:
- kind: Pod
- namespace: default
- matchLabels:
- app: nginx
+ workloadSelector:
+ matchLabels:
+ app: nginx
diff --git a/examples/namespaced/escape-to-host-si-sib.yaml b/examples/namespaced/escape-to-host-si-sib.yaml
index 2e70cd6b..d64a165b 100644
--- a/examples/namespaced/escape-to-host-si-sib.yaml
+++ b/examples/namespaced/escape-to-host-si-sib.yaml
@@ -1,4 +1,4 @@
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
 name: escape-to-host
@@ -10,7 +10,7 @@ spec:
 ---
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding
 metadata:
 name: escape-to-host-binding
@@ -18,9 +18,6 @@ spec:
 intents:
 - name: escape-to-host
 selector:
- any:
- - resources:
- kind: Pod
- namespace: default
- matchLabels:
- app: nginx
+ workloadSelector:
+ matchLabels:
+ app: nginx
diff --git a/examples/namespaced/escape-to-host-with-params.yaml b/examples/namespaced/escape-to-host-with-params.yaml
index 6eb3f391..5ddaa16d 100644
--- a/examples/namespaced/escape-to-host-with-params.yaml
+++ b/examples/namespaced/escape-to-host-with-params.yaml
@@ -1,4 +1,4 @@
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
 name: escape-to-host
@@ -12,7 +12,7 @@ spec:
 ---
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding
 metadata:
 name: escape-to-host-binding
@@ -20,9 +20,6 @@ spec:
 intents:
 - name: escape-to-host
 selector:
- any:
- - resources:
- kind: Pod
- namespace: default
- matchLabels:
- app: nginx
+ workloadSelector:
+ matchLabels:
+ app: nginx
diff --git a/examples/namespaced/multiple-si-sib-namespaced.yaml b/examples/namespaced/multiple-si-sib-namespaced.yaml
index f46e772d..3817e4a5 100644
--- a/examples/namespaced/multiple-si-sib-namespaced.yaml
+++ b/examples/namespaced/multiple-si-sib-namespaced.yaml
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
 name: pkg-mgr-exec-multiple-nsscoped
@@ -10,7 +10,7 @@ spec:
 id: swDeploymentTools
 action: Block
 ---
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
 name: unauthorized-sa-token-access-multiple-nsscoped
@@ -19,7 +19,7 @@ spec:
 id: unAuthorizedSaTokenAccess
 action: Block
 ---
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
 name: dns-manipulation-multiple-nsscoped
@@ -28,7 +28,7 @@ spec:
 id: dnsManipulation
 action: Block
 ---
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding
 metadata:
 name: multiple-sis-nsscoped-binding
@@ -38,9 +38,6 @@ spec:
 - name: unauthorized-sa-token-access-multiple-nsscoped
 - name: dns-manipulation-multiple-nsscoped
 selector:
- any:
- - resources:
- kind: Pod
- namespace: default
- matchLabels:
- app: nginx
+ workloadSelector:
+ matchLabels:
+ app: nginx
diff --git a/go.mod b/go.mod
index 29346087..23f5c718 100644
--- a/go.mod
+++ b/go.mod
@@ -1,38 +1,39 @@ module github.com/5GSEC/nimbus -go 1.22 +go 1.22.0 + +toolchain go1.22.1 require ( github.com/go-logr/logr v1.4.1 - k8s.io/apimachinery v0.29.1 - k8s.io/client-go v0.29.1 - sigs.k8s.io/controller-runtime v0.17.0 + k8s.io/apimachinery v0.30.0 + k8s.io/client-go v0.30.0 + sigs.k8s.io/controller-runtime v0.18.2 ) require ( github.com/antlr4-go/antlr/v4 v4.13.0 // indirect github.com/evanphx/json-patch v5.7.0+incompatible // indirect - github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/stoewer/go-strcase v1.3.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 // indirect ) require ( github.com/beorn7/perks v1.0.1 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect - github.com/emicklei/go-restful/v3 v3.11.2 // indirect + github.com/emicklei/go-restful/v3 v3.12.0 // indirect github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-logr/zapr v1.3.0 // indirect - github.com/go-openapi/jsonpointer v0.20.2 // indirect - github.com/go-openapi/jsonreference v0.20.4 // indirect - github.com/go-openapi/swag v0.22.9 // indirect + github.com/go-openapi/jsonpointer v0.21.0 // indirect + github.com/go-openapi/jsonreference v0.21.0 // indirect + github.com/go-openapi/swag v0.23.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.3 // indirect + 
github.com/golang/protobuf v1.5.4 // indirect github.com/google/cel-go v0.20.1 github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect github.com/google/go-cmp v0.6.0 // indirect 
@@ -46,32 +47,30 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pkg/errors v0.9.1 - github.com/prometheus/client_golang v1.18.0 // indirect - github.com/prometheus/client_model v0.5.0 // indirect - github.com/prometheus/common v0.46.0 // indirect - github.com/prometheus/procfs v0.12.0 // indirect + github.com/prometheus/client_golang v1.19.1 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.53.0 // indirect + github.com/prometheus/procfs v0.15.0 // indirect github.com/spf13/pflag v1.0.5 // indirect go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.26.0 // indirect - golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect - golang.org/x/net v0.20.0 // indirect - golang.org/x/oauth2 v0.16.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/term v0.16.0 // indirect - golang.org/x/text v0.14.0 // indirect + go.uber.org/zap v1.27.0 // indirect + golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect + golang.org/x/net v0.25.0 // indirect + golang.org/x/oauth2 v0.20.0 // indirect + golang.org/x/sys v0.20.0 // indirect + golang.org/x/term v0.20.0 // indirect + golang.org/x/text v0.15.0 // indirect golang.org/x/time v0.5.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/appengine v1.6.8 // indirect - google.golang.org/protobuf v1.32.0 // indirect + google.golang.org/protobuf v1.34.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.29.1 - k8s.io/apiextensions-apiserver v0.29.1 // indirect - k8s.io/component-base v0.29.1 // indirect + k8s.io/api v0.30.0 + k8s.io/apiextensions-apiserver v0.30.0 // indirect k8s.io/klog/v2 v2.120.1 // indirect - k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec // indirect - k8s.io/utils v0.0.0-20240102154912-e7106e64919e // 
indirect + k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect + k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect diff --git a/go.sum b/go.sum index 9c27f0f3..2439b57f 100644 --- a/go.sum +++ b/go.sum 
@@ -2,14 +2,14 @@ github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU= -github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= +github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= 
@@ -20,35 +20,33 @@ github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= -github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= -github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= -github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= -github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= -github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE= -github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf 
v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84= github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b h1:RMpPgZTSApbPf7xaVel+QkoGPRLFLrwFO89uDUHEGf0= -github.com/google/pprof 
v0.0.0-20231023181126-ff6d637d2a7b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= 
@@ -72,23 +70,23 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= -github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= -github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= -github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= +github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= -github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= -github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= -github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= 
-github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y= -github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ= -github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= +github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE= +github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U= +github.com/prometheus/procfs v0.15.0 h1:A82kmvXJq2jTu5YUhSGNlYoxh85zLnKgPz4bMZgI5Ek= +github.com/prometheus/procfs v0.15.0/go.mod h1:Y0RJ/Y5g5wJpkTisOtqwDSo4HwhGmLB4VQSw2sQJLHk= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 
@@ -102,84 +100,65 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= -go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto 
v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA= -golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= -golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= -golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= +golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= +golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo= +golang.org/x/oauth2 
v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= -golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.20.0 
h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc= -golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= +golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= +golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors 
v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= -google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= -google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b h1:CIC2YMXmIhYw6evmhPxBKJ4fmLbOFtXQN/GV3XOZR8k= -google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b h1:ZlWIi1wSK56/8hn4QcBp/j9M7Gt3U/3hZw3mC7vDICo= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8 h1:W5Xj/70xIA4x60O/IFyXivR5MGqblAb8R3w26pnD6No= +google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8/go.mod h1:vPrPUTsDCYxXWjP7clS81mZ6/803D8K4iM9Ma27VKas= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 h1:mxSlqyb8ZAHsYDCfiXN1EDdNTdvjUJSLY+OnAUtYNYA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8/go.mod h1:I7Y+G38R2bu5j1aLzfFmQfTcU/WnFuqDwLZAbvKTKpM= +google.golang.org/protobuf v1.34.1 
h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= +google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 
@@ -191,24 +170,22 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw= -k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ= -k8s.io/apiextensions-apiserver v0.29.1 h1:S9xOtyk9M3Sk1tIpQMu9wXHm5O2MX6Y1kIpPMimZBZw= -k8s.io/apiextensions-apiserver v0.29.1/go.mod h1:zZECpujY5yTW58co8V2EQR4BD6A9pktVgHhvc0uLfeU= -k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc= -k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= -k8s.io/client-go v0.29.1 h1:19B/+2NGEwnFLzt0uB5kNJnfTsbV8w6TgQRz9l7ti7A= -k8s.io/client-go v0.29.1/go.mod h1:TDG/psL9hdet0TI9mGyHJSgRkW3H9JZk2dNEUS7bRks= -k8s.io/component-base v0.29.1 h1:MUimqJPCRnnHsskTTjKD+IC1EHBbRCVyi37IoFBrkYw= -k8s.io/component-base v0.29.1/go.mod h1:fP9GFjxYrLERq1GcWWZAE3bqbNcDKDytn2srWuHTtKc= +k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= +k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= +k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= +k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y= +k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= +k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= +k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi 
v0.0.0-20240126223410-2919ad4fcfec h1:iGTel2aR8vCZdxJDgmbeY0zrlXy9Qcvyw4R2sB4HLrA= -k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec/go.mod h1:Pa1PvrP7ACSkuX6I7KYomY6cmMA0Tx86waBhDUgoKPw= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s= -sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= +k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM= +k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro= +k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= +k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q= +sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/internal/controller/clustersecurityintentbinding_controller.go b/internal/controller/clustersecurityintentbinding_controller.go index 46e872df..2a274570 100644 --- a/internal/controller/clustersecurityintentbinding_controller.go +++ b/internal/controller/clustersecurityintentbinding_controller.go 
@@ -6,14 +6,17 @@ package controller import ( "context" "errors" + "slices" "github.com/go-logr/logr" + corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/util/retry" ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/builder" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/event" "sigs.k8s.io/controller-runtime/pkg/handler" @@ -21,7 +24,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/predicate" "sigs.k8s.io/controller-runtime/pkg/reconcile" - v1 "github.com/5GSEC/nimbus/api/v1" + v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1" processorerrors "github.com/5GSEC/nimbus/pkg/processor/errors" "github.com/5GSEC/nimbus/pkg/processor/policybuilder" ) @@ -36,13 +39,14 @@ type ClusterSecurityIntentBindingReconciler struct { //+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=clustersecurityintentbindings/status,verbs=get;update;patch //+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=clusternimbuspolicies,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=clusternimbuspolicies/status,verbs=get;update;patch +// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. func (r *ClusterSecurityIntentBindingReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { logger := log.FromContext(ctx) - csib := &v1.ClusterSecurityIntentBinding{} + csib := &v1alpha1.ClusterSecurityIntentBinding{} err := r.Get(ctx, req.NamespacedName, csib) if err != nil { if apierrors.IsNotFound(err) { 
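Review bot: The new RBAC marker is spelled `// +kubebuilder:rbac:...` while the three markers directly above it use `//+kubebuilder:rbac:...`; controller-gen accepts both forms, but one marker block should use one form, so `//+kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch` would match its neighbours. The read-only verb set for namespaces is the right minimum for a watch. Reconcile's body continues outside the hunk.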
@@ -59,7 +63,20 @@ func (r *ClusterSecurityIntentBindingReconciler) Reconcile(ctx context.Context, logger.Info("ClusterSecurityIntentBinding configured", "ClusterSecurityIntentBinding.Name", req.Name) } - if err = r.updateCsibStatus(ctx, logger, req); err != nil { + // Check if the object was previouly marked as invalid + if csib.Status.Status == StatusValidationFail { + logger.Info("ClusterSecurityIntentBinding found, not valid", "ClusterSecurityIntentBinding.Name", req.Name) + return doNotRequeue() + } + + if csib.Status.Status == "" && !r.isValidCsib(ctx, logger, req) { + if err = r.updateCsibStatus(ctx, logger, req, StatusValidationFail); err != nil { + return requeueWithError(err) + } + return doNotRequeue() + } + + if err = r.updateCsibStatus(ctx, logger, req, StatusCreated); err != nil { return requeueWithError(err) } @@ -71,14 +88,21 @@ func (r *ClusterSecurityIntentBindingReconciler) Reconcile(ctx context.Context, return requeueWithError(err) } + // Create the namespaced Nimbus policies + if err = r.createOrUpdateNp(ctx, logger, req); err != nil { + return requeueWithError(err) + } + return doNotRequeue() } // SetupWithManager sets up the controller with the Manager. +// WithEventFilter sets up the global predicates for a watch func (r *ClusterSecurityIntentBindingReconciler) SetupWithManager(mgr ctrl.Manager) error { return ctrl.NewControllerManagedBy(mgr). - For(&v1.ClusterSecurityIntentBinding{}). - Owns(&v1.ClusterNimbusPolicy{}). + For(&v1alpha1.ClusterSecurityIntentBinding{}). + Owns(&v1alpha1.ClusterNimbusPolicy{}). + Owns(&v1alpha1.NimbusPolicy{}). WithEventFilter( predicate.Funcs{ CreateFunc: r.createFn, 
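Review bot: The validation in the first hunk only runs while `csib.Status.Status == ""`, and a binding once marked `StatusValidationFail` hits `doNotRequeue()` unconditionally, so a spec edit that turns a valid binding invalid is never re-checked, and a fix to an invalid binding is never picked up because nothing resets the stored status. Validating on every reconcile and letting the result overwrite the status (drop the `csib.Status.Status == ""` guard, and do not short-circuit on a stored `StatusValidationFail`) would make the status follow the spec rather than the other way round. The comment on the check also has a typo: `// Check if the object was previously marked as invalid`. Reconcile's body continues outside the hunk.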
@@ -86,14 +110,26 @@ func (r *ClusterSecurityIntentBindingReconciler) SetupWithManager(mgr ctrl.Manag DeleteFunc: r.deleteFn, }, ). - Watches(&v1.SecurityIntent{}, + Watches(&v1alpha1.SecurityIntent{}, handler.EnqueueRequestsFromMapFunc(r.findCsibsForSi), ). + Watches(&corev1.Namespace{}, + handler.EnqueueRequestsFromMapFunc(r.findCsibsForNamespace), + builder.WithPredicates(predicate.Funcs{ + UpdateFunc: func(e event.UpdateEvent) bool { + if e.ObjectNew.GetDeletionTimestamp() != nil { + return true + } else { + return false + } + }, + }), + ). Complete(r) } func (r *ClusterSecurityIntentBindingReconciler) createFn(createEvent event.CreateEvent) bool { - if _, ok := createEvent.Object.(*v1.ClusterNimbusPolicy); ok { + if _, ok := createEvent.Object.(*v1alpha1.ClusterNimbusPolicy); ok { return false } return true @@ -107,10 +143,13 @@ func (r *ClusterSecurityIntentBindingReconciler) updateFn(updateEvent event.Upda func (r *ClusterSecurityIntentBindingReconciler) deleteFn(deleteEvent event.DeleteEvent) bool { obj := deleteEvent.Object - if _, ok := obj.(*v1.ClusterSecurityIntentBinding); ok { + if _, ok := obj.(*v1alpha1.ClusterSecurityIntentBinding); ok { return true } - if _, ok := obj.(*v1.SecurityIntent); ok { + if _, ok := obj.(*v1alpha1.SecurityIntent); ok { + return true + } + if _, ok := obj.(*corev1.Namespace); ok { return true } return ownerExists(r.Client, obj) 
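Review bot: The `UpdateFunc` predicate on the namespace watch spells a boolean out as an if/else; `return e.ObjectNew.GetDeletionTimestamp() != nil` says the same thing in one line. Since `predicate.Funcs` treats a nil `CreateFunc`/`DeleteFunc` as "pass", namespace create and delete events still reach the mapper, which appears to be the intent. Note that the controller-wide `WithEventFilter` (`r.updateFn`, defined outside this hunk) is applied to this watch as well, so namespace update events only reach `findCsibsForNamespace` if `updateFn` also admits `*corev1.Namespace` — worth confirming, as the second hunk only extends `deleteFn`.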
@@ -119,13 +158,13 @@ func (r *ClusterSecurityIntentBindingReconciler) deleteFn(deleteEvent event.Dele func (r *ClusterSecurityIntentBindingReconciler) createOrUpdateCwnp(ctx context.Context, logger logr.Logger, req ctrl.Request) error { // Always fetch the latest CRs so that we have the latest state of the CRs on the // cluster. - var csib v1.ClusterSecurityIntentBinding + var csib v1alpha1.ClusterSecurityIntentBinding if err := r.Get(ctx, req.NamespacedName, &csib); err != nil { logger.Error(err, "failed to fetch ClusterSecurityIntentBinding", "ClusterSecurityIntentBinding.Name", req.Name) return err } - var cwnp v1.ClusterNimbusPolicy + var cwnp v1alpha1.ClusterNimbusPolicy err := r.Get(ctx, req.NamespacedName, &cwnp) if err != nil { if apierrors.IsNotFound(err) { @@ -137,7 +176,7 @@ func (r *ClusterSecurityIntentBindingReconciler) createOrUpdateCwnp(ctx context. return r.updateCwnp(ctx, logger, csib) } -func (r *ClusterSecurityIntentBindingReconciler) createCwnp(ctx context.Context, logger logr.Logger, csib v1.ClusterSecurityIntentBinding) error { +func (r *ClusterSecurityIntentBindingReconciler) createCwnp(ctx context.Context, logger logr.Logger, csib v1alpha1.ClusterSecurityIntentBinding) error { clusterNp, err := policybuilder.BuildClusterNimbusPolicy(ctx, logger, r.Client, r.Scheme, csib) if err != nil { if errors.Is(err, processorerrors.ErrSecurityIntentsNotFound) { 
@@ -165,8 +204,8 @@ func (r *ClusterSecurityIntentBindingReconciler) createCwnp(ctx context.Context, ) } -func (r *ClusterSecurityIntentBindingReconciler) updateCwnp(ctx context.Context, logger logr.Logger, csib v1.ClusterSecurityIntentBinding) error { - var existingCwnp v1.ClusterNimbusPolicy +func (r *ClusterSecurityIntentBindingReconciler) updateCwnp(ctx context.Context, logger logr.Logger, csib v1alpha1.ClusterSecurityIntentBinding) error { + var existingCwnp v1alpha1.ClusterNimbusPolicy if err := r.Get(ctx, types.NamespacedName{Name: csib.Name}, &existingCwnp); err != nil { logger.Error(err, "failed to fetch ClusterNimbusPolicy", "ClusterNimbusPolicy.Name", csib.Name) return err @@ -203,7 +242,7 @@ func (r *ClusterSecurityIntentBindingReconciler) updateCwnp(ctx context.Context, func (r *ClusterSecurityIntentBindingReconciler) findCsibsForSi(ctx context.Context, si client.Object) []reconcile.Request { logger := log.FromContext(ctx) - csibs := &v1.ClusterSecurityIntentBindingList{} + csibs := &v1alpha1.ClusterSecurityIntentBindingList{} if err := r.List(ctx, csibs); err != nil { logger.Error(err, "failed to list ClusterSecurityIntentBindings") return []reconcile.Request{} 
@@ -228,15 +267,316 @@ func (r *ClusterSecurityIntentBindingReconciler) findCsibsForSi(ctx context.Cont return requests } -func (r *ClusterSecurityIntentBindingReconciler) updateCsibStatus(ctx context.Context, logger logr.Logger, req ctrl.Request) error { +type npTrackingObj struct { + create bool + update bool + np *v1alpha1.NimbusPolicy +} + +// we should not create object in these ns +var nsBlackList = []string{"kube-system"} + +const wildcard = "*" + +func (r *ClusterSecurityIntentBindingReconciler) isValidCsib(ctx context.Context, logger logr.Logger, req ctrl.Request) bool { + + // get the csib + var csib v1alpha1.ClusterSecurityIntentBinding + if err := r.Get(ctx, req.NamespacedName, &csib); err != nil { + logger.Error(err, "failed to fetch ClusterSecurityIntentBinding", "ClusterSecurityIntentBinding.Name", req.Name) + return false + } + + // validate the CSIB. + excludeLen := len(csib.Spec.Selector.NsSelector.ExcludeNames) + matchLen := len(csib.Spec.Selector.NsSelector.MatchNames) + if matchLen > 0 && excludeLen > 0 { + err := errors.New("invalid clustersecurityintentbinding") + logger.Error(err, "Both MatchNames and ExcludeNames should not be set", "ClusterSecurityIntentBinding.Name", req.Name) + return false + } + if matchLen == 0 && excludeLen == 0 { + err := errors.New("invalid clustersecurityintentbinding") + logger.Error(err, "Atleast one of MatchNames or ExcludeNames should be set", "ClusterSecurityIntentBinding.Name", req.Name) + return false + } + // In MatchNames, if a "*" is present, it should be the only entry + for i, ns := range csib.Spec.Selector.NsSelector.MatchNames { + if ns == wildcard && i > 0 { + err := errors.New("invalid clustersecurityintentbinding") + logger.Error(err, "If * is present, it should be only entry", "ClusterSecurityIntentBinding.Name", req.Name) + return false + } + } + + return true +} + +func (r *ClusterSecurityIntentBindingReconciler) createOrUpdateNp(ctx context.Context, logger logr.Logger, req ctrl.Request) error { 
+ + // Reconcile the Nimbus Policies with Security Intents, CSIB, NimbusPolicyList, Namespaces + + // get the csib + var csib v1alpha1.ClusterSecurityIntentBinding + if err := r.Get(ctx, req.NamespacedName, &csib); err != nil { + logger.Error(err, "failed to fetch ClusterSecurityIntentBinding", "ClusterSecurityIntentBinding.Name", req.Name) + return err + } + + // get the nimbus policies + // TODO: we might want to index the nimbus policies based on the owner since we are anyways filtering + // based on the owner later + var npList v1alpha1.NimbusPolicyList + err := r.List(ctx, &npList) + if err != nil && !apierrors.IsNotFound(err) { + logger.Error(err, "failed to fetch list of NimbusPolicy", "ClusterNimbusPolicy.Name", req.Name) + return err + } + + // Populate the NP tracking list. Filter out nimbus policies which are owned by other CSIB/SIB + var npFilteredTrackingList []npTrackingObj + for _, np := range npList.Items { + for _, ref := range np.ObjectMeta.OwnerReferences { + if csib.ObjectMeta.UID == ref.UID { + npFilteredTrackingList = append(npFilteredTrackingList, npTrackingObj{np: &np}) + break + } + } + } + + var nsList corev1.NamespaceList + err = r.List(ctx, &nsList) + if err != nil && !apierrors.IsNotFound(err) { + logger.Error(err, "failed to fetch list of Namespaces", "ClusterNimbusPolicy.Name", req.Name) + return err + } + + // Populate a map with all namespaces + nsMap := make(map[string]corev1.Namespace) + for _, nso := range nsList.Items { + nsMap[nso.Name] = nso + } + + // filter out the blacklist, deleted namespaces + for ns, nsObj := range nsMap { + if slices.Contains(nsBlackList, ns) { + delete(nsMap, ns) + continue + } + + if nsObj.GetDeletionTimestamp() != nil { + delete(nsMap, ns) + continue + } + + if len(csib.Spec.Selector.NsSelector.ExcludeNames) > 0 { + if slices.Contains(csib.Spec.Selector.NsSelector.ExcludeNames, ns) { + delete(nsMap, ns) + continue + } + } else if ml := len(csib.Spec.Selector.NsSelector.MatchNames); ml > 0 { + if ml 
== 1 && csib.Spec.Selector.NsSelector.MatchNames[0] == wildcard { + continue + } + if !slices.Contains(csib.Spec.Selector.NsSelector.MatchNames, ns) { + delete(nsMap, ns) + continue + } + } + } + + // The nsMap is the spec. We need to ensure that there are NP + // for the specified namespaces. 3 cases here + // - If a namespace is in spec, and in the NP list, then mark NP for update. + // - If the namespace is in spec, and not there in the NP list, then + // build an NP for this namespace, and mark it for create. + // - If there are NPs in namespaces which are not in the spec list, delete + // those NPs + for _, nsSpec := range nsMap { + var seen bool = false + for index, np_actual := range npFilteredTrackingList { + if nsSpec.Name == np_actual.np.Namespace { + npFilteredTrackingList[index].update = true + seen = true + break + } + } + if !seen { + // construct the nimbus policy object as it is not present in cluster + nimbusPolicy, err := policybuilder.BuildNimbusPolicyFromClusterBinding(ctx, logger, r.Client, r.Scheme, csib, nsSpec.Name) + if err == nil { + npFilteredTrackingList = append(npFilteredTrackingList, npTrackingObj{create: true, np: nimbusPolicy}) + } + } + } + + // run through the tracking list, and create/update/delete the nimbus policies + for _, nobj := range npFilteredTrackingList { + if nobj.create { + if err := r.Create(ctx, nobj.np); err != nil { + logger.Error(err, "failed to create NimbusPolicy", "NimbusPolicy.Name", nobj.np.Name) + return err + } + npReq := ctrl.Request{ + NamespacedName: types.NamespacedName{ + Namespace: nobj.np.GetNamespace(), + Name: nobj.np.GetName(), + }} + if err = r.updateNpStatus(ctx, logger, npReq, StatusCreated); err != nil { + return err + } + logger.Info("NimbusPolicy created", "NimbusPolicy.Name", nobj.np.Name) + + } else if nobj.update { + // update intents, parameters. 
Build a new Nimbus Policy + // TODO: Might be more efficient to simply update the intents, params + newNimbusPolicy, err := policybuilder.BuildNimbusPolicyFromClusterBinding(ctx, logger, r.Client, r.Scheme, csib, nobj.np.Namespace) + if err != nil { + if errors.Is(err, processorerrors.ErrSecurityIntentsNotFound) { + // Since the SecurityIntent(s) referenced in ClusterSecurityIntentBinding spec do not + // exist, so delete ClusterNimbusPolicy if it exists. + if err := r.deleteCwnp(ctx, csib.GetName()); err != nil { + return err + } + return nil + } + logger.Error(err, "failed to build ClusterNimbusPolicy") + return err + } + + // Check equality + // Another option is to check which CSIB was used to generate this nimbus policy + if reason, equal := nobj.np.Equal(*newNimbusPolicy); equal { + logger.Info("NimbusPolicy not updated as objects are same", "NimbusPolicy.name", nobj.np.Name, "Namespace", nobj.np.Namespace) + continue + } else { + logger.Info("NimbusPolicy updated as objects are not same", "NimbusPolicy.name", nobj.np.Name, "Namespace", nobj.np.Namespace, "Reason", reason) + } + + newNimbusPolicy.ObjectMeta.ResourceVersion = nobj.np.ObjectMeta.ResourceVersion + if err := r.Update(ctx, newNimbusPolicy); err != nil { + logger.Error(err, "failed to update NimbusPolicy", "NimbusPolicy.Name", newNimbusPolicy.Name) + return err + } + npReq := ctrl.Request{ + NamespacedName: types.NamespacedName{ + Namespace: newNimbusPolicy.GetNamespace(), + Name: newNimbusPolicy.GetName(), + }} + if err = r.updateNpStatus(ctx, logger, npReq, StatusCreated); err != nil { + return err + } + logger.Info("NimbusPolicy updated", "NimbusPolicy.Name", newNimbusPolicy.Name) + + return nil + + } else { + // delete the object + logger.Info("Deleting NimbusPolicy since no namespaces found", "NimbusPolicyName", nobj.np.Name) + if err = r.Delete(ctx, nobj.np); err != nil { + logger.Error(err, "failed to delete NimbusPolicy", "NimbusPolicyName", nobj.np.Name) + return err + } + 
logger.Info("NimbusPolicy deleted", "NimbusPolicyName", nobj.np.Name) + } + } + + return nil +} + +func (r *ClusterSecurityIntentBindingReconciler) updateNpStatus(ctx context.Context, logger logr.Logger, req ctrl.Request, status string) error { + np := &v1alpha1.NimbusPolicy{} + if retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error { + if err := r.Get(ctx, req.NamespacedName, np); err != nil { + return err + } + + np.Status.Status = status + np.Status.LastUpdated = metav1.Now() + if err := r.Status().Update(ctx, np); err != nil { + return err + } + return nil + }); retryErr != nil { + logger.Error(retryErr, "failed to update NimbusPolicy status", "NimbusPolicy.Name", req.Name, "NimbusPolicy.Namespace", req.Namespace) + return retryErr + } + return nil +} + +func (r *ClusterSecurityIntentBindingReconciler) findCsibsForNamespace(ctx context.Context, nsObj client.Object) []reconcile.Request { + logger := log.FromContext(ctx) + + csibs := &v1alpha1.ClusterSecurityIntentBindingList{} + if err := r.List(ctx, csibs); err != nil { + logger.Error(err, "failed to list ClusterSecurityIntentBindings") + return []reconcile.Request{} + } + + requests := make([]reconcile.Request, len(csibs.Items)) + + for _, csib := range csibs.Items { + + var toBeReconciled = false + + if csib.Status.Status == StatusValidationFail { + continue + } + + /* + * If the csib has a wildcard, then it is of interest since + * we have to modify the number of fanout of the csib. + * In case of add, the fanout will increase, and in case of + * delete the fanout will reduce. 
+ */ + if len(csib.Spec.Selector.NsSelector.MatchNames) == 1 && + csib.Spec.Selector.NsSelector.MatchNames[0] == wildcard { + toBeReconciled = true + } else if len(csib.Spec.Selector.NsSelector.MatchNames) > 0 { + /* + * If the ns being added/deleted appears in the csib matchNames, then + * the csib is of interest + */ + if slices.Contains(csib.Spec.Selector.NsSelector.MatchNames, nsObj.GetName()) { + toBeReconciled = true + } + } + + /* + * We need to reconcile if the namespace object does not appear + * in the CSIB exclude list + * For example, there was a excludeName consisting of ns_1, ns_2. + * and now ns_3 is added in the cluster. So, as part of + * reconciliation we now have to create NimbusPolicy for ns_3. + */ + if len(csib.Spec.Selector.NsSelector.ExcludeNames) > 0 { + if !slices.Contains(csib.Spec.Selector.NsSelector.ExcludeNames, nsObj.GetName()) { + toBeReconciled = true + } + } + if toBeReconciled { + + requests = append(requests, ctrl.Request{ + NamespacedName: types.NamespacedName{ + Namespace: csib.GetNamespace(), + Name: csib.GetName(), + }, + }) + } + } + + return requests +} + +func (r *ClusterSecurityIntentBindingReconciler) updateCsibStatus(ctx context.Context, logger logr.Logger, req ctrl.Request, status string) error { if retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error { - latestCsib := &v1.ClusterSecurityIntentBinding{} + latestCsib := &v1alpha1.ClusterSecurityIntentBinding{} if err := r.Get(ctx, req.NamespacedName, latestCsib); err != nil && !apierrors.IsNotFound(err) { logger.Error(err, "failed to fetch ClusterSecurityIntentBinding", "clusterSecurityIntentBindingName", req.Name) return err } - latestCsib.Status.Status = StatusCreated + latestCsib.Status.Status = status latestCsib.Status.LastUpdated = metav1.Now() if err := r.Status().Update(ctx, latestCsib); err != nil { return err 
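Review bot: `isValidCsib` lets a `MatchNames` list such as `["*", "ns-a"]` through, because the wildcard check only rejects `*` at index > 0 while the comment says the wildcard must be the only entry; the test should be `if ns == wildcard && matchLen > 1`, and since `*` later fans the binding out to every non-blacklisted namespace, this is the scope check worth getting right. In `findCsibsForNamespace`, `requests := make([]reconcile.Request, len(csibs.Items))` followed by `append` leaves `len(csibs.Items)` zero-valued requests (empty name) at the front of the returned slice, each of which enqueues a reconcile for an object that does not exist; `make([]reconcile.Request, 0, len(csibs.Items))` is what was meant. In `createOrUpdateNp`, `npTrackingObj{np: &np}` stores the address of the range variable, which aliases every tracked entry to the last policy unless the module's `go` directive is 1.22 or newer (not visible here); `&npList.Items[i]` with an index loop removes the dependency either way. The update branch ends with `return nil`, so only the first policy needing an update is processed in a given reconcile and the remaining creates, updates and deletes wait for the next pass; `continue` looks like the intended statement.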
@@ -252,7 +592,7 @@ func (r *ClusterSecurityIntentBindingReconciler) updateCsibStatus(ctx context.Co
 }
 func (r *ClusterSecurityIntentBindingReconciler) updateCwnpStatus(ctx context.Context, logger logr.Logger, req ctrl.Request) error {
- cwnp := &v1.ClusterNimbusPolicy{}
+ cwnp := &v1alpha1.ClusterNimbusPolicy{}
 // To handle potential latency or outdated cache issues with the Kubernetes API
 // server, we implement an exponential backoff strategy when fetching the
@@ -296,7 +636,7 @@ func (r *ClusterSecurityIntentBindingReconciler) updateCwnpStatus(ctx context.Co
 func (r *ClusterSecurityIntentBindingReconciler) deleteCwnp(ctx context.Context, name string) error {
 logger := log.FromContext(ctx)
- var cwnp v1.ClusterNimbusPolicy
+ var cwnp v1alpha1.ClusterNimbusPolicy
 err := r.Get(ctx, types.NamespacedName{Name: name}, &cwnp)
 if err != nil {
 if apierrors.IsNotFound(err) {
@@ -316,13 +656,13 @@ func (r *ClusterSecurityIntentBindingReconciler) deleteCwnp(ctx context.Context,
 }
 func (r *ClusterSecurityIntentBindingReconciler) updateCSibStatusWithBoundSisAndCwnpInfo(ctx context.Context, logger logr.Logger, req ctrl.Request) error {
- latestCsib := &v1.ClusterSecurityIntentBinding{}
+ latestCsib := &v1alpha1.ClusterSecurityIntentBinding{}
 if err := r.Get(ctx, req.NamespacedName, latestCsib); err != nil && !apierrors.IsNotFound(err) {
 logger.Error(err, "failed to fetch ClusterSecurityIntentBinding", "ClusterSecurityIntentBinding.Name", req.Name)
 return err
 }
- latestCwnp := &v1.ClusterNimbusPolicy{}
+ latestCwnp := &v1alpha1.ClusterNimbusPolicy{}
 if retryErr := retry.OnError(retry.DefaultRetry, apierrors.IsNotFound, func() error {
 if err := r.Get(ctx, req.NamespacedName, latestCwnp); err != nil {
 return err
diff --git a/internal/controller/securityintent_controller.go b/internal/controller/securityintent_controller.go
index 15a5f543..f64fa9a4 100644
--- a/internal/controller/securityintent_controller.go
+++ b/internal/controller/securityintent_controller.go
@@ -14,7 +14,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/log"
 "sigs.k8s.io/controller-runtime/pkg/predicate"
- v1 "github.com/5GSEC/nimbus/api/v1"
+ v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
 )
 type SecurityIntentReconciler struct {
@@ -30,7 +30,7 @@ type SecurityIntentReconciler struct {
 func (r *SecurityIntentReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 logger := log.FromContext(ctx)
- si := &v1.SecurityIntent{}
+ si := &v1alpha1.SecurityIntent{}
 err := r.Get(ctx, types.NamespacedName{Name: req.Name}, si)
 if err != nil {
 if apierrors.IsNotFound(err) {
@@ -58,7 +58,7 @@ func (r *SecurityIntentReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 // SetupWithManager sets up the reconciler with the provided manager.
 func (r *SecurityIntentReconciler) SetupWithManager(mgr ctrl.Manager) error {
 return ctrl.NewControllerManagedBy(mgr).
- For(&v1.SecurityIntent{}).
+ For(&v1alpha1.SecurityIntent{}).
 WithEventFilter(
 predicate.GenerationChangedPredicate{},
 ).
@@ -66,11 +66,11 @@ func (r *SecurityIntentReconciler) SetupWithManager(mgr ctrl.Manager) error {
 }
 func (r *SecurityIntentReconciler) updateStatus(ctx context.Context, name string) error {
- latestSi := &v1.SecurityIntent{}
+ latestSi := &v1alpha1.SecurityIntent{}
 if getErr := r.Get(ctx, types.NamespacedName{Name: name}, latestSi); getErr != nil {
 return getErr
 }
- latestSi.Status = v1.SecurityIntentStatus{
+ latestSi.Status = v1alpha1.SecurityIntentStatus{
 ID: latestSi.Spec.Intent.ID,
 Action: latestSi.Spec.Intent.Action,
 Status: StatusCreated,
diff --git a/internal/controller/securityintentbinding_controller.go b/internal/controller/securityintentbinding_controller.go
index 64c4a119..ffe6a595 100644
--- a/internal/controller/securityintentbinding_controller.go
+++ b/internal/controller/securityintentbinding_controller.go
@@ -22,7 +22,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/predicate"
 "sigs.k8s.io/controller-runtime/pkg/reconcile"
- v1 "github.com/5GSEC/nimbus/api/v1"
+ v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
 processorerrors "github.com/5GSEC/nimbus/pkg/processor/errors"
 "github.com/5GSEC/nimbus/pkg/processor/policybuilder"
 )
@@ -43,7 +43,7 @@ type SecurityIntentBindingReconciler struct {
 func (r *SecurityIntentBindingReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 logger := log.FromContext(ctx)
- sib := &v1.SecurityIntentBinding{}
+ sib := &v1alpha1.SecurityIntentBinding{}
 err := r.Get(ctx, req.NamespacedName, sib)
 if err != nil {
 if apierrors.IsNotFound(err) {
@@ -78,8 +78,8 @@ func (r *SecurityIntentBindingReconciler) Reconcile(ctx context.Context, req ctr
 // SetupWithManager sets up the controller with the Manager.
 func (r *SecurityIntentBindingReconciler) SetupWithManager(mgr ctrl.Manager) error {
 return ctrl.NewControllerManagedBy(mgr).
- For(&v1.SecurityIntentBinding{}).
- Owns(&v1.NimbusPolicy{}).
+ For(&v1alpha1.SecurityIntentBinding{}).
+ Owns(&v1alpha1.NimbusPolicy{}).
 WithEventFilter(
 predicate.Funcs{
 CreateFunc: r.createFn,
@@ -87,14 +87,14 @@ func (r *SecurityIntentBindingReconciler) SetupWithManager(mgr ctrl.Manager) err
 DeleteFunc: r.deleteFn,
 },
 ).
- Watches(&v1.SecurityIntent{},
+ Watches(&v1alpha1.SecurityIntent{},
 handler.EnqueueRequestsFromMapFunc(r.findSibsForSi),
 ).
 Complete(r)
 }
 func (r *SecurityIntentBindingReconciler) createFn(createEvent event.CreateEvent) bool {
- if _, ok := createEvent.Object.(*v1.NimbusPolicy); ok {
+ if _, ok := createEvent.Object.(*v1alpha1.NimbusPolicy); ok {
 return false
 }
 return true
@@ -108,10 +108,10 @@ func (r *SecurityIntentBindingReconciler) updateFn(updateEvent event.UpdateEvent
 func (r *SecurityIntentBindingReconciler) deleteFn(deleteEvent event.DeleteEvent) bool {
 obj := deleteEvent.Object
- if _, ok := obj.(*v1.SecurityIntentBinding); ok {
+ if _, ok := obj.(*v1alpha1.SecurityIntentBinding); ok {
 return true
 }
- if _, ok := obj.(*v1.SecurityIntent); ok {
+ if _, ok := obj.(*v1alpha1.SecurityIntent); ok {
 return true
 }
 return ownerExists(r.Client, obj)
@@ -121,13 +121,13 @@ func (r *SecurityIntentBindingReconciler) createOrUpdateNp(ctx context.Context,
 // Always fetch the CRs so that we have the latest state of the CRs on the
 // cluster.
- var sib v1.SecurityIntentBinding
+ var sib v1alpha1.SecurityIntentBinding
 if err := r.Get(ctx, req.NamespacedName, &sib); err != nil {
 logger.Error(err, "failed to fetch SecurityIntentBinding", "SecurityIntentBinding.Name", req.Name, "SecurityIntentBinding.Namespace", req.Namespace)
 return err
 }
- var np v1.NimbusPolicy
+ var np v1alpha1.NimbusPolicy
 err := r.Get(ctx, req.NamespacedName, &np)
 if err != nil {
 if apierrors.IsNotFound(err) {
@@ -139,7 +139,7 @@ func (r *SecurityIntentBindingReconciler) createOrUpdateNp(ctx context.Context,
 return r.updateNp(ctx, logger, sib)
 }
-func (r *SecurityIntentBindingReconciler) createNp(ctx context.Context, logger logr.Logger, sib v1.SecurityIntentBinding) error {
+func (r *SecurityIntentBindingReconciler) createNp(ctx context.Context, logger logr.Logger, sib v1alpha1.SecurityIntentBinding) error {
 nimbusPolicy, err := policybuilder.BuildNimbusPolicy(ctx, logger, r.Client, r.Scheme, sib)
 // TODO: Improve error handling for CEL
 if err != nil {
@@ -178,8 +178,8 @@ func (r *SecurityIntentBindingReconciler) createNp(ctx context.Context, logger l
 )
 }
-func (r *SecurityIntentBindingReconciler) updateNp(ctx context.Context, logger logr.Logger, sib v1.SecurityIntentBinding) error {
- var existingNp v1.NimbusPolicy
+func (r *SecurityIntentBindingReconciler) updateNp(ctx context.Context, logger logr.Logger, sib v1alpha1.SecurityIntentBinding) error {
+ var existingNp v1alpha1.NimbusPolicy
 if err := r.Get(ctx, types.NamespacedName{Name: sib.Name, Namespace: sib.Namespace}, &existingNp); err != nil {
 logger.Error(err, "failed to fetch NimbusPolicy", "NimbusPolicy.Name", sib.Name, "NimbusPolicy.Namespace", sib.Namespace)
 return err
@@ -227,7 +227,7 @@ func (r *SecurityIntentBindingReconciler) updateNp(ctx context.Context, logger l
 func (r *SecurityIntentBindingReconciler) findSibsForSi(ctx context.Context, si client.Object) []reconcile.Request {
 logger := log.FromContext(ctx)
- sibs := &v1.SecurityIntentBindingList{}
+ sibs := &v1alpha1.SecurityIntentBindingList{}
 if err := r.List(ctx, sibs); err != nil {
 logger.Error(err, "failed to list SecurityIntentBindings")
 return []reconcile.Request{}
@@ -255,7 +255,7 @@ func (r *SecurityIntentBindingReconciler) findSibsForSi(ctx context.Context, si
 func (r *SecurityIntentBindingReconciler) deleteNp(ctx context.Context, name, namespace string) error {
 logger := log.FromContext(ctx)
- var np v1.NimbusPolicy
+ var np v1alpha1.NimbusPolicy
 err := r.Get(ctx, types.NamespacedName{Name: name, Namespace: namespace}, &np)
 if err != nil {
 if apierrors.IsNotFound(err) {
@@ -275,7 +275,7 @@ func (r *SecurityIntentBindingReconciler) deleteNp(ctx context.Context, name, na
 }
 func (r *SecurityIntentBindingReconciler) updateNpStatus(ctx context.Context, logger logr.Logger, req ctrl.Request) error {
- np := &v1.NimbusPolicy{}
+ np := &v1alpha1.NimbusPolicy{}
 // To handle potential latency or outdated cache issues with the Kubernetes API
 // server, we implement an exponential backoff strategy when fetching the
@@ -318,7 +318,7 @@ func (r *SecurityIntentBindingReconciler) updateNpStatus(ctx context.Context, lo
 func (r *SecurityIntentBindingReconciler) updateSibStatus(ctx context.Context, logger logr.Logger, req ctrl.Request) error {
 if retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error {
- latestSib := &v1.SecurityIntentBinding{}
+ latestSib := &v1alpha1.SecurityIntentBinding{}
 if err := r.Get(ctx, req.NamespacedName, latestSib); err != nil {
 logger.Error(err, "failed to fetch SecurityIntentBinding", "securityIntentBindingName", req.Name, "securityIntentBindingNamespace", req.Namespace)
 return err
@@ -340,13 +340,13 @@ func (r *SecurityIntentBindingReconciler) updateSibStatus(ctx context.Context, l
 }
 func (r *SecurityIntentBindingReconciler) updateSibStatusWithBoundSisAndNpInfo(ctx context.Context, logger logr.Logger, req ctrl.Request) error {
- latestSib := &v1.SecurityIntentBinding{}
+ latestSib := &v1alpha1.SecurityIntentBinding{}
 if err := r.Get(ctx, req.NamespacedName, latestSib); err != nil {
 logger.Error(err, "failed to fetch SecurityIntentBinding", "SecurityIntentBinding.Name", req.Name, "SecurityIntentBinding.Namespace", req.Namespace)
 return err
 }
- latestNp := &v1.NimbusPolicy{}
+ latestNp := &v1alpha1.NimbusPolicy{}
 if retryErr := retry.OnError(retry.DefaultRetry, apierrors.IsNotFound, func() error {
 if err := r.Get(ctx, req.NamespacedName, latestNp); err != nil {
 return err
diff --git a/internal/controller/util.go b/internal/controller/util.go
index 8ff00ea7..68f603de 100644
--- a/internal/controller/util.go
+++ b/internal/controller/util.go
@@ -12,14 +12,15 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/log"
- v1 "github.com/5GSEC/nimbus/api/v1"
+ v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
 )
 // TODO: Add constants for recommend labels and update objects accordingly.
 // https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
 const (
- StatusCreated = "Created"
+ StatusCreated = "Created"
+ StatusValidationFail = "ValidationFail"
 )
 func doNotRequeue() (ctrl.Result, error) {
@@ -35,14 +36,14 @@ func extractBoundIntentsNameFromSib(ctx context.Context, c client.Client, name,
 var boundIntentsName []string
- var sib v1.SecurityIntentBinding
+ var sib v1alpha1.SecurityIntentBinding
 if err := c.Get(ctx, types.NamespacedName{Name: name, Namespace: namespace}, &sib); err != nil {
 logger.Error(err, "failed to fetch SecurityIntentBinding", "securityIntentBindingName", name, "securityIntentBindingNamespace", namespace)
 return boundIntentsName
 }
 for _, intent := range sib.Spec.Intents {
- var si v1.SecurityIntent
+ var si v1alpha1.SecurityIntent
 if err := c.Get(ctx, types.NamespacedName{Name: intent.Name}, &si); err == nil {
 boundIntentsName = append(boundIntentsName, intent.Name)
 }
@@ -55,14 +56,14 @@ func extractBoundIntentsNameFromCSib(ctx context.Context, c client.Client, name
 var boundIntentsName []string
- var csib v1.ClusterSecurityIntentBinding
+ var csib v1alpha1.ClusterSecurityIntentBinding
 if err := c.Get(ctx, types.NamespacedName{Name: name}, &csib); err != nil {
 logger.Error(err, "failed to fetch ClusterSecurityIntentBinding", "ClusterSecurityIntentBinding", name)
 return boundIntentsName
 }
 for _, intent := range csib.Spec.Intents {
- var si v1.SecurityIntent
+ var si v1alpha1.SecurityIntent
 if err := c.Get(ctx, types.NamespacedName{Name: intent.Name}, &si); err == nil {
 boundIntentsName = append(boundIntentsName, intent.Name)
 }
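Review bot: The new `StatusValidationFail` constant in the `const` block of the first util.go hunk carries no comment saying which controller sets it or what it means for the binding, and neither it nor the neighbouring `StatusCreated` documents the status vocabulary that the controllers and adapters compare against. Elsewhere in this patch a ClusterSecurityIntentBinding in this status is skipped by the namespace-driven fan-out, so a binding left in it produces no NimbusPolicy — presumably until its spec is corrected — which is exactly the kind of silent no-enforcement state an operator wants called out at the definition. Consider `// StatusValidationFail marks a binding whose spec failed validation; such bindings are skipped by reconciliation fan-out and yield no NimbusPolicy.` above the constant, and a parallel one-liner for `StatusCreated`.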
@@ -83,10 +84,10 @@ func ownerExists(c client.Client, controllee client.Object) bool {
 var objToGet client.Object
 switch controllee.(type) {
- case *v1.NimbusPolicy:
- objToGet = &v1.SecurityIntentBinding{}
- case *v1.ClusterNimbusPolicy:
- objToGet = &v1.ClusterSecurityIntentBinding{}
+ case *v1alpha1.NimbusPolicy:
+ objToGet = &v1alpha1.SecurityIntentBinding{}
+ case *v1alpha1.ClusterNimbusPolicy:
+ objToGet = &v1alpha1.ClusterSecurityIntentBinding{}
 }
 if err := c.Get(context.Background(), types.NamespacedName{Name: ownerName, Namespace: controllee.GetNamespace()}, objToGet); err != nil {
diff --git a/pkg/adapter/nimbus-kubearmor/go.mod b/pkg/adapter/nimbus-kubearmor/go.mod
index 689d2ebc..b10905b9 100644
--- a/pkg/adapter/nimbus-kubearmor/go.mod
+++ b/pkg/adapter/nimbus-kubearmor/go.mod
@@ -1,36 +1,37 @@ module github.com/5GSEC/nimbus/pkg/adapter/nimbus-kubearmor -go 1.22 +go 1.22.0 +toolchain go1.22.1 replace github.com/5GSEC/nimbus => ../../../../nimbus + require ( - github.com/5GSEC/nimbus v0.0.0-20240313065715-b91563b0ccd3 + github.com/5GSEC/nimbus v0.0.0-20240503063208-5bd27400462f github.com/go-logr/logr v1.4.1 - github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240125171707-8e6641511fe3 - k8s.io/apimachinery v0.29.1 - k8s.io/client-go v0.29.1 - sigs.k8s.io/controller-runtime v0.17.0 + github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240509053911-a5f584c38ee7 + k8s.io/apimachinery v0.30.0 + k8s.io/client-go v0.30.0 + sigs.k8s.io/controller-runtime v0.18.2 ) require ( github.com/beorn7/perks v1.0.1 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect - github.com/emicklei/go-restful/v3 v3.11.2 // indirect + github.com/emicklei/go-restful/v3 v3.12.0 // indirect github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-logr/zapr v1.3.0 // indirect - github.com/go-openapi/jsonpointer v0.20.2 // indirect - github.com/go-openapi/jsonreference v0.20.4 // indirect - github.com/go-openapi/swag v0.22.9 // indirect + github.com/go-openapi/jsonpointer v0.21.0 // indirect + github.com/go-openapi/jsonreference v0.21.0 // indirect + github.com/go-openapi/swag v0.23.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.3 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b // indirect 
github.com/google/uuid v1.6.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/josharian/intern v1.0.0 // indirect 
@@ -40,33 +41,30 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/prometheus/client_golang v1.18.0 // indirect - github.com/prometheus/client_model v0.5.0 // indirect - github.com/prometheus/common v0.46.0 // indirect - github.com/prometheus/procfs v0.12.0 // indirect + github.com/prometheus/client_golang v1.19.1 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.53.0 // indirect + github.com/prometheus/procfs v0.15.0 // indirect github.com/spf13/pflag v1.0.5 // indirect go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.26.0 // indirect - golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect - golang.org/x/net v0.20.0 // indirect - golang.org/x/oauth2 v0.16.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/term v0.16.0 // indirect - golang.org/x/text v0.14.0 // indirect + go.uber.org/zap v1.27.0 // indirect + golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect + golang.org/x/net v0.25.0 // indirect + golang.org/x/oauth2 v0.20.0 // indirect + golang.org/x/sys v0.20.0 // indirect + golang.org/x/term v0.20.0 // indirect + golang.org/x/text v0.15.0 // indirect golang.org/x/time v0.5.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/appengine v1.6.8 // indirect - google.golang.org/protobuf v1.32.0 // indirect + google.golang.org/protobuf v1.34.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.29.1 // indirect - k8s.io/apiextensions-apiserver v0.29.1 // indirect - k8s.io/component-base v0.29.1 // indirect + k8s.io/api v0.30.0 // indirect + k8s.io/apiextensions-apiserver v0.30.0 // indirect k8s.io/klog/v2 v2.120.1 // indirect - 
k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec // indirect - k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect + k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect + k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect diff --git a/pkg/adapter/nimbus-kubearmor/go.sum b/pkg/adapter/nimbus-kubearmor/go.sum index 4d78de60..cb9c9d88 100644 --- a/pkg/adapter/nimbus-kubearmor/go.sum +++ b/pkg/adapter/nimbus-kubearmor/go.sum 
@@ -1,13 +1,13 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU= -github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= +github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= 
@@ -18,33 +18,31 @@ github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= -github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= -github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= -github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= -github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= -github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE= -github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf 
v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b h1:RMpPgZTSApbPf7xaVel+QkoGPRLFLrwFO89uDUHEGf0= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= 
+github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= @@ -59,8 +57,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240125171707-8e6641511fe3 h1:xDg2EAk7rV3psrUkwC7JqY6pzOutWwh4VuUEybypcrA= -github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240125171707-8e6641511fe3/go.mod h1:Z7ZPkMwtVcjSaDigSekvooXRxapWsLAVVmX3ltL673k= +github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240509053911-a5f584c38ee7 h1:baKO1tl2AMd5OgZOMHB+zB9Xgfdqwtowak4KF2NgLp4= +github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240509053911-a5f584c38ee7/go.mod h1:qLa1gghYadWYgU2WopYx3FE1EyzFbZ/IK/J6aTbVdFI= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -70,103 +68,84 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= -github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= -github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= -github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= +github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= -github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= -github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= -github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= 
-github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y= -github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ= -github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= +github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE= +github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U= +github.com/prometheus/procfs v0.15.0 h1:A82kmvXJq2jTu5YUhSGNlYoxh85zLnKgPz4bMZgI5Ek= +github.com/prometheus/procfs v0.15.0/go.mod h1:Y0RJ/Y5g5wJpkTisOtqwDSo4HwhGmLB4VQSw2sQJLHk= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/yuin/goldmark 
v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= -go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA= -golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= -golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= -golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= +golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= +golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo= +golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= -golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.5.0 
h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc= -golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= +golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= +golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= -google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.32.0 
h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= +google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 
@@ -177,24 +156,22 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw= -k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ= -k8s.io/apiextensions-apiserver v0.29.1 h1:S9xOtyk9M3Sk1tIpQMu9wXHm5O2MX6Y1kIpPMimZBZw= -k8s.io/apiextensions-apiserver v0.29.1/go.mod h1:zZECpujY5yTW58co8V2EQR4BD6A9pktVgHhvc0uLfeU= -k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc= -k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= -k8s.io/client-go v0.29.1 h1:19B/+2NGEwnFLzt0uB5kNJnfTsbV8w6TgQRz9l7ti7A= -k8s.io/client-go v0.29.1/go.mod h1:TDG/psL9hdet0TI9mGyHJSgRkW3H9JZk2dNEUS7bRks= -k8s.io/component-base v0.29.1 h1:MUimqJPCRnnHsskTTjKD+IC1EHBbRCVyi37IoFBrkYw= -k8s.io/component-base v0.29.1/go.mod h1:fP9GFjxYrLERq1GcWWZAE3bqbNcDKDytn2srWuHTtKc= +k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= +k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= +k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= +k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y= +k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= +k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= +k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec 
h1:iGTel2aR8vCZdxJDgmbeY0zrlXy9Qcvyw4R2sB4HLrA= -k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec/go.mod h1:Pa1PvrP7ACSkuX6I7KYomY6cmMA0Tx86waBhDUgoKPw= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s= -sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= +k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM= +k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro= +k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= +k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q= +sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/pkg/adapter/nimbus-kubearmor/manager/manager.go b/pkg/adapter/nimbus-kubearmor/manager/manager.go index 8d79322a..04cc4f08 100644 --- a/pkg/adapter/nimbus-kubearmor/manager/manager.go +++ b/pkg/adapter/nimbus-kubearmor/manager/manager.go 
@@ -18,7 +18,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/log"
 
- intentv1 "github.com/5GSEC/nimbus/api/v1"
+ v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
 "github.com/5GSEC/nimbus/pkg/adapter/common"
 "github.com/5GSEC/nimbus/pkg/adapter/k8s"
 adapterutil "github.com/5GSEC/nimbus/pkg/adapter/util"
@@ -34,7 +34,7 @@ var (
 )
 
 func init() {
- utilruntime.Must(intentv1.AddToScheme(scheme))
+ utilruntime.Must(v1alpha1.AddToScheme(scheme))
 utilruntime.Must(kubearmorv1.AddToScheme(scheme))
 k8sClient = k8s.NewOrDie(scheme)
 }
@@ -42,7 +42,7 @@ func init() {
 func Run(ctx context.Context) {
 npCh := make(chan common.Request)
 deletedNpCh := make(chan common.Request)
- go globalwatcher.WatchNimbusPolicies(ctx, npCh, deletedNpCh)
+ go globalwatcher.WatchNimbusPolicies(ctx, npCh, deletedNpCh, "SecurityIntentBinding", "ClusterSecurityIntentBinding")
 
 clusterNpChan := make(chan string)
 deletedClusterNpChan := make(chan string)
@@ -70,9 +70,11 @@ func Run(ctx context.Context) {
 reconcileKsp(ctx, updatedKsp.Name, updatedKsp.Namespace, false)
 case deletedKsp := <-deletedKspCh:
 reconcileKsp(ctx, deletedKsp.Name, deletedKsp.Namespace, true)
- case _ = <-clusterNpChan: // Fixme: CreateKSP based on ClusterNP
+ case <-clusterNpChan: // Fixme: CreateKSP based on ClusterNP
+ // From ClusterNP, KubeArmor can create HostSecurityPolicies
+ // The NodeSelector in ClusterNP should be set for such cases
 fmt.Println("No-op for ClusterNimbusPolicy")
- case _ = <-deletedClusterNpChan: // Fixme: DeleteKSP based on ClusterNP
+ case <-deletedClusterNpChan: // Fixme: DeleteKSP based on ClusterNP
 fmt.Println("No-op for ClusterNimbusPolicy")
 }
 }
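Review bot: The owner kinds that decide which NimbusPolicies this adapter reconciles are passed as bare string literals on the WatchNimbusPolicies line, `"SecurityIntentBinding", "ClusterSecurityIntentBinding"`. The commit description says the Kyverno adapter passes only the first of these, so the same strings are now duplicated across adapters and presumably matched against owner references inside the watcher; a typo in any copy would silently exclude policies from reconciliation rather than fail loudly. Exported constants defined once next to WatchNimbusPolicies and referenced by every adapter would keep the filter set reviewable in one place. Run's body continues outside the hunk.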
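Review bot: Both ClusterNimbusPolicy cases are still no-ops that write `fmt.Println("No-op for ClusterNimbusPolicy")` to stdout, so a cluster-scoped policy received on clusterNpChan produces no KubeArmorPolicy and leaves no structured log entry; an operator who applied a ClusterSecurityIntentBinding gets no signal that this adapter does not enforce it. The new comments describe the intended HostSecurityPolicy mapping but not this gap. Until it is implemented, the message should go through the context logger with the received value, e.g. `case clusterNp := <-clusterNpChan:` followed by `log.FromContext(ctx).Info("ClusterNimbusPolicy is not yet handled by the KubeArmor adapter", "ClusterNimbusPolicy", clusterNp)`, and likewise for the delete case. The select and the rest of Run start outside the hunk.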
@@ -81,7 +83,7 @@ func Run(ctx context.Context) {
 func reconcileKsp(ctx context.Context, kspName, namespace string, deleted bool) {
 logger := log.FromContext(ctx)
 npName := adapterutil.ExtractNpName(kspName)
- var np intentv1.NimbusPolicy
+ var np v1alpha1.NimbusPolicy
 err := k8sClient.Get(ctx, types.NamespacedName{Name: npName, Namespace: namespace}, &np)
 if err != nil {
 if !errors.IsNotFound(err) {
@@ -99,7 +101,7 @@ func reconcileKsp(ctx context.Context, kspName, namespace string, deleted bool)
 
 func createOrUpdateKsp(ctx context.Context, npName, npNamespace string) {
 logger := log.FromContext(ctx)
- var np intentv1.NimbusPolicy
+ var np v1alpha1.NimbusPolicy
 if err := k8sClient.Get(ctx, types.NamespacedName{Name: npName, Namespace: npNamespace}, &np); err != nil {
 logger.Error(err, "failed to get NimbusPolicy", "NimbusPolicy.Name", npName, "NimbusPolicy.Namespace", npNamespace)
 return
@@ -173,7 +175,7 @@ func deleteKsp(ctx context.Context, npName, npNamespace string) {
 }
 }
 
-func deleteDanglingKsps(ctx context.Context, np intentv1.NimbusPolicy, logger logr.Logger) {
+func deleteDanglingKsps(ctx context.Context, np v1alpha1.NimbusPolicy, logger logr.Logger) {
 var existingKsps kubearmorv1.KubeArmorPolicyList
 if err := k8sClient.List(ctx, &existingKsps, client.InNamespace(np.Namespace)); err != nil {
 logger.Error(err, "failed to list KubeArmorPolicies for cleanup")
diff --git a/pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go b/pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go
index 8aba7689..c7a3938c 100644
--- a/pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go
+++ b/pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go
@@ -9,11 +9,11 @@ import ( "github.com/go-logr/logr" kubearmorv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" - v1 "github.com/5GSEC/nimbus/api/v1" + v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1" "github.com/5GSEC/nimbus/pkg/adapter/idpool" ) -func BuildKspsFrom(logger logr.Logger, np *v1.NimbusPolicy) []kubearmorv1.KubeArmorPolicy { +func BuildKspsFrom(logger logr.Logger, np *v1alpha1.NimbusPolicy) []kubearmorv1.KubeArmorPolicy { // Build KSPs based on given IDs var ksps []kubearmorv1.KubeArmorPolicy var ksp kubearmorv1.KubeArmorPolicy @@ -28,7 +28,6 @@ func BuildKspsFrom(logger logr.Logger, np *v1.NimbusPolicy) []kubearmorv1.KubeAr ksp.Spec.Message = nimbusRule.Description ksp.Spec.Selector.MatchLabels = np.Spec.Selector.MatchLabels ksp.Spec.Action = kubearmorv1.ActionType(nimbusRule.Rule.RuleAction) - processRuleParams(&ksp, nimbusRule.Rule) addManagedByAnnotation(&ksp) ksps = append(ksps, ksp) } @@ -39,10 +38,9 @@ func BuildKspsFrom(logger logr.Logger, np *v1.NimbusPolicy) []kubearmorv1.KubeAr ksp.Spec.Message = nimbusRule.Description ksp.Spec.Selector.MatchLabels = np.Spec.Selector.MatchLabels ksp.Spec.Action = kubearmorv1.ActionType(nimbusRule.Rule.RuleAction) - processRuleParams(&ksp, nimbusRule.Rule) addManagedByAnnotation(&ksp) ksps = append(ksps, ksp) - } + } } else { logger.Info("KubeArmor does not support this ID", "ID", id, "NimbusPolicy", np.Name, "NimbusPolicy.Namespace", np.Namespace) diff --git a/pkg/adapter/nimbus-kubearmor/processor/kspprocessor.go b/pkg/adapter/nimbus-kubearmor/processor/kspprocessor.go deleted file mode 100644 index 27093df4..00000000 --- a/pkg/adapter/nimbus-kubearmor/processor/kspprocessor.go +++ /dev/null 
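Review bot: BuildKspsFrom is exported but carries no doc comment, and after this change nothing in either loop reads nimbusRule.Rule, so any rule parameters a NimbusPolicy carries are ignored when the KSP is built. That is not a regression — the removed processRuleParams body was entirely commented out (see the deleted kspprocessor.go) — but the omission is now invisible to a caller, so the doc comment should state it, e.g. `// BuildKspsFrom builds KubeArmorPolicies for the intent IDs in np that KubeArmor supports; rule parameters in nimbusRule.Rule are not yet translated.` Separately, `ksp` is declared once before the loop and each iteration only assigns a subset of its fields, so confirm it is reset between IDs (that part of the body is outside the hunks); otherwise values set for one ID would carry into the next policy. The loop head and the remainder of the function are outside the hunks.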
@@ -1,48 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of Nimbus - -package processor - -import ( - kubearmorv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" - - v1 "github.com/5GSEC/nimbus/api/v1" -) - -// processRuleParams processes the given nimbus policy rules, generating corresponding KubeArmorPolicy rules. -func processRuleParams(ksp *kubearmorv1.KubeArmorPolicy, rule v1.Rule) { - // Process - // Why only process rules? Nimbus Policy has only process rules that's why we're processing only those rules. - //for _, matchPath := range rule.MatchPaths { - // ksp.Spec.Process.MatchPaths = append(ksp.Spec.Process.MatchPaths, kubearmorv1.ProcessPathType{ - // Path: kubearmorv1.MatchPathType(matchPath.Path), - // }) - //} - // - //for idx, matchDir := range rule.MatchDirectories { - // ksp.Spec.Process.MatchDirectories = append(ksp.Spec.Process.MatchDirectories, kubearmorv1.ProcessDirectoryType{ - // Directory: kubearmorv1.MatchDirectoryType(matchDir.Directory), - // }) - // var fromSources []kubearmorv1.MatchSourceType - // for _, fromSource := range matchDir.FromSource { - // fromSources = append(fromSources, kubearmorv1.MatchSourceType{ - // Path: kubearmorv1.MatchPathType(fromSource.Path), - // }) - // } - // ksp.Spec.Process.MatchDirectories[idx].FromSource = fromSources - //} - // - //for _, matchPattern := range rule.MatchPatterns { - // ksp.Spec.Process.MatchPatterns = append(ksp.Spec.Process.MatchPatterns, kubearmorv1.ProcessPatternType{ - // Pattern: matchPattern.Pattern, - // }) - //} - // - //// Network - //for _, matchProtocol := range rule.MatchProtocols { - // ksp.Spec.Network.MatchProtocols = append(ksp.Spec.Network.MatchProtocols, kubearmorv1.MatchNetworkProtocolType{ - // Protocol: kubearmorv1.MatchNetworkProtocolStringType(matchProtocol.Protocol), - // }) - //} - // Ignoring SysCalls and Capabilities -} 
diff --git a/pkg/adapter/nimbus-kyverno/go.mod b/pkg/adapter/nimbus-kyverno/go.mod index 5b3850a1..2bb608a3 100644 --- a/pkg/adapter/nimbus-kyverno/go.mod +++ b/pkg/adapter/nimbus-kyverno/go.mod @@ -1,6 +1,8 @@ module github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno -go 1.22 +go 1.22.0 + +toolchain go1.22.1 require github.com/kyverno/kyverno v1.11.4 @@ -11,14 +13,13 @@ require ( github.com/go-logr/logr v1.4.1 github.com/google/flatbuffers v2.0.8+incompatible // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - k8s.io/apimachinery v0.29.1 - k8s.io/client-go v0.29.1 - sigs.k8s.io/controller-runtime v0.17.0 + k8s.io/apimachinery v0.30.0 + k8s.io/client-go v0.30.0 + sigs.k8s.io/controller-runtime v0.18.2 ) require ( - cloud.google.com/go/compute v1.23.2 // indirect - cloud.google.com/go/compute/metadata v0.2.3 // indirect + cloud.google.com/go/compute/metadata v0.3.0 // indirect cuelang.org/go v0.6.0 // indirect filippo.io/edwards25519 v1.0.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect @@ -76,7 +77,7 @@ require ( github.com/blang/semver v3.5.1+incompatible // indirect github.com/buildkite/agent/v3 v3.58.0 // indirect github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect github.com/clbanning/mxj/v2 v2.7.0 // indirect github.com/cloudflare/circl v1.3.7 // indirect 
@@ -97,7 +98,7 @@ require ( github.com/docker/docker-credential-helpers v0.8.0 // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/ebitengine/purego v0.6.0-alpha // indirect - github.com/emicklei/go-restful/v3 v3.11.2 // indirect + github.com/emicklei/go-restful/v3 v3.12.0 // indirect github.com/emicklei/proto v1.12.1 // indirect github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect @@ -110,13 +111,13 @@ require ( github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/analysis v0.21.4 // indirect github.com/go-openapi/errors v0.20.4 // indirect - github.com/go-openapi/jsonpointer v0.20.2 // indirect - github.com/go-openapi/jsonreference v0.20.4 // indirect + github.com/go-openapi/jsonpointer v0.21.0 // indirect + github.com/go-openapi/jsonreference v0.21.0 // indirect github.com/go-openapi/loads v0.21.2 // indirect github.com/go-openapi/runtime v0.26.0 // indirect github.com/go-openapi/spec v0.20.9 // indirect github.com/go-openapi/strfmt v0.21.7 // indirect - github.com/go-openapi/swag v0.22.9 // indirect + github.com/go-openapi/swag v0.23.0 // indirect github.com/go-openapi/validate v0.22.1 // indirect github.com/go-piv/piv-go v1.11.0 // indirect github.com/go-playground/locales v0.14.1 // indirect @@ -127,7 +128,7 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.3 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/golang/snappy v0.0.4 // indirect github.com/google/certificate-transparency-go v1.1.7 // indirect github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect 
@@ -186,10 +187,10 @@ require ( github.com/pelletier/go-toml/v2 v2.1.0 // indirect github.com/philhofer/fwd v1.1.2 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/client_golang v1.18.0 // indirect - github.com/prometheus/client_model v0.5.0 // indirect - github.com/prometheus/common v0.46.0 // indirect - github.com/prometheus/procfs v0.12.0 // indirect + github.com/prometheus/client_golang v1.19.1 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.53.0 // indirect + github.com/prometheus/procfs v0.15.0 // indirect github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf // indirect github.com/puzpuzpuz/xsync/v2 v2.5.1 // indirect github.com/r3labs/diff v1.1.0 // indirect 
@@ -241,26 +242,25 @@ require ( go.step.sm/crypto v0.36.1 // indirect go.uber.org/atomic v1.11.0 // indirect go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.26.0 // indirect + go.uber.org/zap v1.27.0 // indirect go4.org/intern v0.0.0-20230525184215-6c62f75575cb // indirect go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2 // indirect - golang.org/x/crypto v0.18.0 // indirect - golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect - golang.org/x/mod v0.14.0 // indirect - golang.org/x/net v0.20.0 // indirect - golang.org/x/oauth2 v0.16.0 // indirect - golang.org/x/sync v0.6.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/term v0.16.0 // indirect - golang.org/x/text v0.14.0 + golang.org/x/crypto v0.23.0 // indirect + golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect + golang.org/x/mod v0.17.0 // indirect + golang.org/x/net v0.25.0 // indirect + golang.org/x/oauth2 v0.20.0 // indirect + golang.org/x/sync v0.7.0 // indirect + golang.org/x/sys v0.20.0 // indirect + golang.org/x/term v0.20.0 // indirect + golang.org/x/text v0.15.0 golang.org/x/time v0.5.0 // indirect - golang.org/x/tools v0.17.0 // indirect + golang.org/x/tools v0.21.0 // indirect golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect google.golang.org/api v0.149.0 // indirect - google.golang.org/appengine v1.6.8 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 // indirect google.golang.org/grpc v1.59.0 // indirect - google.golang.org/protobuf v1.32.0 // indirect + google.golang.org/protobuf v1.34.1 // indirect gopkg.in/DataDog/dd-trace-go.v1 v1.56.1 // indirect gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect 
@@ -269,14 +269,14 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a // indirect - k8s.io/api v0.29.1 // indirect - k8s.io/apiextensions-apiserver v0.29.1 // indirect - k8s.io/component-base v0.29.1 // indirect + k8s.io/api v0.30.0 // indirect + k8s.io/apiextensions-apiserver v0.30.0 // indirect + k8s.io/component-base v0.30.0 // indirect k8s.io/klog/v2 v2.120.1 // indirect - k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec // indirect + k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect k8s.io/kubectl v0.28.4 // indirect - k8s.io/pod-security-admission v0.29.0 - k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect + k8s.io/pod-security-admission v0.30.0 + k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/release-utils v0.7.7 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect diff --git a/pkg/adapter/nimbus-kyverno/go.sum b/pkg/adapter/nimbus-kyverno/go.sum index 3b4f8325..f6930d77 100644 --- a/pkg/adapter/nimbus-kyverno/go.sum +++ b/pkg/adapter/nimbus-kyverno/go.sum 
@@ -27,10 +27,8 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/compute v1.23.2 h1:nWEMDhgbBkBJjfpVySqU4jgWdc22PLR0o4vEexZHers= -cloud.google.com/go/compute v1.23.2/go.mod h1:JJ0atRC0J/oWYiiVBmsSsrRnh92DhZPG4hFDcR04Rns= -cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= -cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= +cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc= +cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= 
@@ -299,8 +297,8 @@ github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/charithe/durationcheck v0.0.6/go.mod h1:SSbRIBVfMjCi/kEB6K65XEA83D6prSM8ap1UCpNKtgg= github.com/chavacava/garif v0.0.0-20210405163807-87a70f3d418b/go.mod h1:Qjyv4H3//PWVzTeCezG2b9IRn6myJxJSr4TD/xo6ojU= github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 h1:krfRl01rzPzxSxyLyrChD+U+MzsBXbm0OwYYB67uF+4= 
@@ -409,8 +407,8 @@ github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaB github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU= -github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= +github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emicklei/proto v1.12.1 h1:6n/Z2pZAnBwuhU66Gs8160B8rrrYKo7h2F2sCOnNceE= github.com/emicklei/proto v1.12.1/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g= 
@@ -501,15 +499,15 @@ github.com/go-openapi/errors v0.20.4/go.mod h1:Z3FlZ4I8jEGxjUK+bugx3on2mIAk4txuA github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= -github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= github.com/go-openapi/jsonreference v0.19.6/go.mod h1:diGHMEHg2IqXZGKxqyvWdfWU/aim5Dprw5bqpKkTvns= github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= -github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= -github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= github.com/go-openapi/loads v0.21.1/go.mod h1:/DtAMXXneXFjbQMGEtbamCZb+4x7eGwkvZCvBmwUG+g= github.com/go-openapi/loads v0.21.2 h1:r2a/xFIYeZ4Qd2TnGpWDIQNcP80dIaZgf704za8enro= github.com/go-openapi/loads v0.21.2/go.mod h1:Jq58Os6SSGz0rzh62ptiu8Z31I+OTHqmULx5e/gJbNw= 
@@ -532,8 +530,8 @@ github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE= -github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/go-openapi/validate v0.22.1 h1:G+c2ub6q47kfX1sOBLwIQwzBVt8qmOAARyo/9Fqs9NU= github.com/go-openapi/validate v0.22.1/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg= github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg= @@ -556,7 +554,8 @@ github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4= 
@@ -651,8 +650,8 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= 
@@ -718,8 +717,8 @@ github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b h1:RMpPgZTSApbPf7xaVel+QkoGPRLFLrwFO89uDUHEGf0= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= 
@@ -1083,8 +1082,8 @@ github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vv github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= -github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= -github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= +github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= +github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= 
@@ -1094,8 +1093,8 @@ github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y github.com/onsi/gomega v1.10.5/go.mod h1:gza4q3jKQJijlu05nKWRCW/GavJumGt8aNRxWg7mt48= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= -github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= -github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/open-policy-agent/cert-controller v0.2.0/go.mod h1:SWS7Ame8oKHF11cDsQCFlULrrOMV5Z59FIGEAF/M6YI= github.com/open-policy-agent/frameworks/constraint v0.0.0-20210701194838-1dbe2618668d/go.mod h1:y8wOVfZ6+bEmbhBMnLnFlQrJB9eQpVk+dIDa7YrtocI= 
@@ -1164,16 +1163,16 @@ github.com/prometheus/client_golang v1.6.0/go.mod h1:ZLOG9ck3JLRdB5MgO8f+lLTe83A github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.9.0/go.mod h1:FqZLKOZnGdFAhOK4nqGHa7D66IdsO+O441Eve7ptJDU= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= -github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= -github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= +github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= +github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= -github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= github.com/prometheus/common v0.0.0-20181020173914-7e9e6cabbd39/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= 
github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= @@ -1187,8 +1186,8 @@ github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y= -github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ= +github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE= +github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 
@@ -1199,8 +1198,8 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.7.1/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/procfs v0.15.0 h1:A82kmvXJq2jTu5YUhSGNlYoxh85zLnKgPz4bMZgI5Ek= +github.com/prometheus/procfs v0.15.0/go.mod h1:Y0RJ/Y5g5wJpkTisOtqwDSo4HwhGmLB4VQSw2sQJLHk= github.com/prometheus/statsd_exporter v0.20.0/go.mod h1:YL3FWCG8JBBtaUSxAg4Gz2ZYu22bS84XM89ZQXXTWmQ= github.com/prometheus/statsd_exporter v0.21.0/go.mod h1:rbT83sZq2V+p73lHhPZfMc3MLCHmSHelCh9hSGYNLTQ= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= 
@@ -1367,8 +1366,9 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1F github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= @@ -1524,8 +1524,8 @@ go.uber.org/zap v1.8.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= go.uber.org/zap v1.15.0/go.mod h1:Mb2vm2krFEG5DV0W9qcHBYFtp/Wku1cvYaqPsS/WYfc= -go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= -go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= go4.org/intern v0.0.0-20211027215823-ae77deb06f29/go.mod h1:cS2ma+47FKrLPdXFpr7CuxiTW3eyJbWew4qx0qtQWDA= go4.org/intern v0.0.0-20230525184215-6c62f75575cb h1:ae7kzL5Cfdmcecbh22ll7lYP3iuUdnfnhiPcSaDgH/8= go4.org/intern v0.0.0-20230525184215-6c62f75575cb/go.mod h1:Ycrt6raEcnF5FTsLiLKkhBTO6DPX3RCUCUVnks3gFJU= 
@@ -1562,8 +1562,8 @@ golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -1575,8 +1575,8 @@ golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw= -golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA= -golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181023182221-1baf3a9d7d67/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -1606,8 +1606,8 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1674,8 +1674,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= -golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= -golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= +golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1686,8 +1686,8 @@ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= -golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= +golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo= +golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1702,8 +1702,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= -golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1793,8 +1793,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -1805,8 +1805,8 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= -golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= -golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1824,8 +1824,8 @@ golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1945,8 +1945,8 @@ golang.org/x/tools v0.1.2-0.20210512205948-8287d5da45e4/go.mod h1:o0xws9oXOQQZyj golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc= -golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= +golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= +golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1989,8 +1989,6 @@ google.golang.org/appengine v1.6.2/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= -google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20180831171423-11092d34479b/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 
@@ -2038,10 +2036,10 @@ google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5qmsh7Y+XXwCbvadxxZ0YY6mTdrVA= google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI= -google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b h1:CIC2YMXmIhYw6evmhPxBKJ4fmLbOFtXQN/GV3XOZR8k= -google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b h1:ZlWIi1wSK56/8hn4QcBp/j9M7Gt3U/3hZw3mC7vDICo= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc= +google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8 h1:W5Xj/70xIA4x60O/IFyXivR5MGqblAb8R3w26pnD6No= +google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8/go.mod h1:vPrPUTsDCYxXWjP7clS81mZ6/803D8K4iM9Ma27VKas= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 h1:mxSlqyb8ZAHsYDCfiXN1EDdNTdvjUJSLY+OnAUtYNYA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8/go.mod h1:I7Y+G38R2bu5j1aLzfFmQfTcU/WnFuqDwLZAbvKTKpM= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 
@@ -2082,8 +2080,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= +google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/DataDog/dd-trace-go.v1 v1.56.1 h1:AUe/ZF7xm6vYnigPe+TY54DmfWYJxhMRaw/TfvrbzvE= gopkg.in/DataDog/dd-trace-go.v1 v1.56.1/go.mod h1:KDLJ3CWVOSuVVwu+0ZR5KZo2rP6c7YyBV3v387dIpUU= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= 
@@ -2149,28 +2147,28 @@ inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a h1:1XCVEdxrvL6c0TGOhecLuB7U9z inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a/go.mod h1:e83i32mAQOW1LAqEIweALsuK2Uw4mhQadA5r7b0Wobo= k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8= -k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw= -k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ= +k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= +k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= k8s.io/apiextensions-apiserver v0.20.1/go.mod h1:ntnrZV+6a3dB504qwC5PN/Yg9PBiDNt1EVqbW2kORVk= k8s.io/apiextensions-apiserver v0.20.2/go.mod h1:F6TXp389Xntt+LUq3vw6HFOLttPa0V8821ogLGwb6Zs= -k8s.io/apiextensions-apiserver v0.29.1 h1:S9xOtyk9M3Sk1tIpQMu9wXHm5O2MX6Y1kIpPMimZBZw= -k8s.io/apiextensions-apiserver v0.29.1/go.mod h1:zZECpujY5yTW58co8V2EQR4BD6A9pktVgHhvc0uLfeU= +k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= +k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y= k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= -k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc= -k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= +k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= +k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.2/go.mod h1:2nKd93WyMhZx4Hp3RfgH2K5PhwyTrprrkWYnI7id7jA= k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= k8s.io/client-go v0.20.2/go.mod 
h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE= -k8s.io/client-go v0.29.1 h1:19B/+2NGEwnFLzt0uB5kNJnfTsbV8w6TgQRz9l7ti7A= -k8s.io/client-go v0.29.1/go.mod h1:TDG/psL9hdet0TI9mGyHJSgRkW3H9JZk2dNEUS7bRks= +k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= +k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= k8s.io/code-generator v0.20.1/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg= k8s.io/code-generator v0.20.2/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg= k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= k8s.io/component-base v0.20.2/go.mod h1:pzFtCiwe/ASD0iV7ySMu8SYVJjCapNM9bjvk7ptpKh0= -k8s.io/component-base v0.29.1 h1:MUimqJPCRnnHsskTTjKD+IC1EHBbRCVyi37IoFBrkYw= -k8s.io/component-base v0.29.1/go.mod h1:fP9GFjxYrLERq1GcWWZAE3bqbNcDKDytn2srWuHTtKc= +k8s.io/component-base v0.30.0 h1:cj6bp38g0ainlfYtaOQuRELh5KSYjhKxM+io7AUIk4o= +k8s.io/component-base v0.30.0/go.mod h1:V9x/0ePFNaKeKYA3bOvIbrNoluTSG+fSJKjLdjOoeXQ= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= 
@@ -2181,16 +2179,16 @@ k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE= -k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec h1:iGTel2aR8vCZdxJDgmbeY0zrlXy9Qcvyw4R2sB4HLrA= -k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec/go.mod h1:Pa1PvrP7ACSkuX6I7KYomY6cmMA0Tx86waBhDUgoKPw= +k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM= +k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro= k8s.io/kubectl v0.28.4 h1:gWpUXW/T7aFne+rchYeHkyB8eVDl5UZce8G4X//kjUQ= k8s.io/kubectl v0.28.4/go.mod h1:CKOccVx3l+3MmDbkXtIUtibq93nN2hkDR99XDCn7c/c= -k8s.io/pod-security-admission v0.29.0 h1:tY/ldtkbBCulMYVSWg6ZDLlgDYDWy6rLj8e/AgmwSj4= -k8s.io/pod-security-admission v0.29.0/go.mod h1:bGIeKCzU0Q0Nl185NHmqcMCiOjTcqTrBfAQaeupwq0E= +k8s.io/pod-security-admission v0.30.0 h1:C8J/zbrA3hVR7jatN+mN/ymUWxwU6KceS5HsEEt6rTY= +k8s.io/pod-security-admission v0.30.0/go.mod h1:eyzZB+gtMwnNduqr9tVO2vjf2DdepZsUA11SzyfXhfM= k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210111153108-fddb29f9d009/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= +k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= mvdan.cc/gofumpt v0.1.1/go.mod 
h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=
@@ -2201,8 +2199,8 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
sigs.k8s.io/controller-runtime v0.8.2/go.mod h1:U/l+DUopBc1ecfRZ5aviA9JDmGFQKvLf5YkZNx2e0sU=
sigs.k8s.io/controller-runtime v0.8.3/go.mod h1:U/l+DUopBc1ecfRZ5aviA9JDmGFQKvLf5YkZNx2e0sU=
-sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s=
-sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s=
+sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q=
+sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/release-utils v0.7.7 h1:JKDOvhCk6zW8ipEOkpTGDH/mW3TI+XqtPp16aaQ79FU=
diff --git a/pkg/adapter/nimbus-kyverno/manager/manager.go b/pkg/adapter/nimbus-kyverno/manager/manager.go
index efd8f80e..75af5b32 100644
--- a/pkg/adapter/nimbus-kyverno/manager/manager.go
+++ b/pkg/adapter/nimbus-kyverno/manager/manager.go
@@ -17,7 +17,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/log"
- intentv1 "github.com/5GSEC/nimbus/api/v1"
+ v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
"github.com/5GSEC/nimbus/pkg/adapter/common"
"github.com/5GSEC/nimbus/pkg/adapter/k8s"
"github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/processor"
@@ -32,7 +32,7 @@ var (
)
func init() {
- utilruntime.Must(intentv1.AddToScheme(scheme))
+ utilruntime.Must(v1alpha1.AddToScheme(scheme))
utilruntime.Must(kyvernov1.AddToScheme(scheme))
k8sClient = k8s.NewOrDie(scheme)
}
@@ -41,7 +41,7 @@ func Run(ctx context.Context) {
npCh := make(chan common.Request)
deletedNpCh := make(chan common.Request)
- go globalwatcher.WatchNimbusPolicies(ctx, npCh, deletedNpCh)
+ go globalwatcher.WatchNimbusPolicies(ctx, npCh, deletedNpCh, "SecurityIntentBinding")
clusterNpChan := make(chan string)
deletedClusterNpChan := make(chan string)
@@ -93,7 +93,7 @@ func Run(ctx context.Context) {
func reconcileKp(ctx context.Context, kpName, namespace string, deleted bool) {
logger := log.FromContext(ctx)
npName := adapterutil.ExtractNpName(kpName)
- var np intentv1.NimbusPolicy
+ var np v1alpha1.NimbusPolicy
err := k8sClient.Get(ctx, types.NamespacedName{Name: npName, Namespace: namespace}, &np)
if err != nil {
if !errors.IsNotFound(err) {
@@ -112,7 +112,7 @@ func reconcileKp(ctx context.Context, kpName, namespace string, deleted bool) {
func reconcileKcp(ctx context.Context, kcpName string, deleted bool) {
logger := log.FromContext(ctx)
cnpName := adapterutil.ExtractClusterNpName(kcpName)
- var cnp intentv1.ClusterNimbusPolicy
+ var cnp v1alpha1.ClusterNimbusPolicy
err := k8sClient.Get(ctx, types.NamespacedName{Name: cnpName}, &cnp)
if err != nil {
if !errors.IsNotFound(err) {
@@ -130,7 +130,7 @@ func reconcileKcp(ctx context.Context, kcpName string, deleted bool) {
func createOrUpdateKp(ctx context.Context, npName, npNamespace string) {
logger := log.FromContext(ctx)
- var np intentv1.NimbusPolicy
+ var np v1alpha1.NimbusPolicy
if err := k8sClient.Get(ctx, types.NamespacedName{Name: npName, Namespace: npNamespace}, &np); err != nil {
logger.Error(err, "failed to get NimbusPolicy", "NimbusPolicy.Name", npName, "NimbusPolicy.Namespace", npNamespace)
return
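Review bot: The new fourth argument to `globalwatcher.WatchNimbusPolicies` in the `Run` hunk is the bare literal `"SecurityIntentBinding"`, which presumably selects NimbusPolicies by their owning kind, so a typo here or in the watcher's comparison would silently stop this adapter from reconciling any policy instead of failing loudly. Prefer a named constant defined next to `WatchNimbusPolicies` (outside this diff) and referenced from both sides, so the kind string exists exactly once. A short comment on the call would also help a reader: `// Only NimbusPolicies owned by a SecurityIntentBinding are reconciled on npCh.` The `Run` function continues outside the hunk.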
@@ -185,7 +185,7 @@ func createOrUpdateKp(ctx context.Context, npName, npNamespace string) {
func createOrUpdateKcp(ctx context.Context, cnpName string) {
logger := log.FromContext(ctx)
- var cnp intentv1.ClusterNimbusPolicy
+ var cnp v1alpha1.ClusterNimbusPolicy
if err := k8sClient.Get(ctx, types.NamespacedName{Name: cnpName}, &cnp); err != nil {
logger.Error(err, "failed to get ClusterNimbusPolicy", "ClusterNimbusPolicy.Name", cnpName)
return
@@ -258,7 +258,7 @@ func deleteKp(ctx context.Context, npName, npNamespace string) {
}
}
-func deleteDanglingkps(ctx context.Context, np intentv1.NimbusPolicy, logger logr.Logger) {
+func deleteDanglingkps(ctx context.Context, np v1alpha1.NimbusPolicy, logger logr.Logger) {
var existingkps kyvernov1.PolicyList
if err := k8sClient.List(ctx, &existingkps, client.InNamespace(np.Namespace)); err != nil {
logger.Error(err, "failed to list KyvernoPolicies for cleanup")
@@ -326,7 +326,7 @@ func deleteKcp(ctx context.Context, cnpName string) {
}
}
-func deleteDanglingkcps(ctx context.Context, cnp intentv1.ClusterNimbusPolicy, logger logr.Logger) {
+func deleteDanglingkcps(ctx context.Context, cnp v1alpha1.ClusterNimbusPolicy, logger logr.Logger) {
var existingkcps kyvernov1.ClusterPolicyList
if err := k8sClient.List(ctx, &existingkcps); err != nil {
logger.Error(err, "failed to list KyvernoClusterPolicies for cleanup")
diff --git a/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go b/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go
index d1934a79..ee03f514 100644
--- a/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go
+++ b/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go
@@ -6,16 +6,15 @@ package processor
import (
"strings"
- v1 "github.com/5GSEC/nimbus/api/v1"
+ v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
"github.com/5GSEC/nimbus/pkg/adapter/idpool"
- "github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/utils"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/pod-security-admission/api"
)
-func BuildKcpsFrom(logger logr.Logger, cnp *v1.ClusterNimbusPolicy) []kyvernov1.ClusterPolicy {
+func BuildKcpsFrom(logger logr.Logger, cnp *v1alpha1.ClusterNimbusPolicy) []kyvernov1.ClusterPolicy {
// Build KCPs based on given IDs
var kcps []kyvernov1.ClusterPolicy
for _, nimbusRule := range cnp.Spec.NimbusRules {
@@ -41,7 +40,7 @@ func BuildKcpsFrom(logger logr.Logger, cnp *v1.ClusterNimbusPolicy) []kyvernov1.
}
// buildKpFor builds a KyvernoPolicy based on intent ID supported by Kyverno Policy Engine.
-func buildKcpFor(id string, cnp *v1.ClusterNimbusPolicy) kyvernov1.ClusterPolicy {
+func buildKcpFor(id string, cnp *v1alpha1.ClusterNimbusPolicy) kyvernov1.ClusterPolicy {
switch id {
case idpool.EscapeToHost:
return clusterEscapeToHost(cnp, cnp.Spec.NimbusRules[0].Rule)
@@ -50,7 +49,7 @@ func buildKcpFor(id string, cnp *v1.ClusterNimbusPolicy) kyvernov1.ClusterPolicy
}
}
-func clusterEscapeToHost(cnp *v1.ClusterNimbusPolicy, rule v1.Rule) kyvernov1.ClusterPolicy {
+func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule) kyvernov1.ClusterPolicy {
var psa_level api.Level = api.LevelBaseline
if rule.Params["psa_level"] != nil {
@@ -58,85 +57,59 @@ func clusterEscapeToHost(cnp *v1.ClusterNimbusPolicy, rule v1.Rule) kyvernov1.Cl switch rule.Params["psa_level"][0] { case "restricted": psa_level = api.LevelRestricted - + case "privileged": psa_level = api.LevelPrivileged - + default: psa_level = api.LevelBaseline } - - } - - var resourceFilters []kyvernov1.ResourceFilter - - for _,resource := range cnp.Spec.Selector.Resources { - kind := resource.Kind - name := resource.Name - switch kind { - case "Namespace": - resourceFilterForNamespace := kyvernov1.ResourceFilter{ - ResourceDescription: kyvernov1.ResourceDescription{ - Kinds: []string{ - utils.GetGVK("pod"), - }, - Namespaces: []string{ - name, - }, - }, - } - resourceFilters = append(resourceFilters, resourceFilterForNamespace) - - default: - namespace := resource.Namespace - labels := resource.MatchLabels - var resourceFilter kyvernov1.ResourceFilter - if len(labels) != 0 { - resourceFilter = kyvernov1.ResourceFilter{ - ResourceDescription: kyvernov1.ResourceDescription{ - Kinds: []string{ - "v1/Pod", - }, - Namespaces: []string{ - namespace, - }, - Selector: &metav1.LabelSelector{ - MatchLabels: labels, - }, - }, - } - } else { - resourceFilter = kyvernov1.ResourceFilter{ - ResourceDescription: kyvernov1.ResourceDescription{ - Kinds: []string{ - "v1/Pod", - }, - Namespaces: []string{ - namespace, - }, - }, - } - } + } + var matchFilters, excludeFilters []kyvernov1.ResourceFilter + var resourceFilter kyvernov1.ResourceFilter - resourceFilters = append(resourceFilters, resourceFilter) + if len(cnp.Spec.NsSelector.MatchNames) > 0 { + resourceFilter = kyvernov1.ResourceFilter{ + ResourceDescription: kyvernov1.ResourceDescription{ + Kinds: []string{ + "v1/Pod", + }, + Namespaces: cnp.Spec.NsSelector.MatchNames, + Selector: &metav1.LabelSelector{ + MatchLabels: cnp.Spec.WorkloadSelector.MatchLabels, + }, + }, + } + matchFilters = append(matchFilters, resourceFilter) + } + if len(cnp.Spec.NsSelector.ExcludeNames) > 0 { + resourceFilter = 
kyvernov1.ResourceFilter{ + ResourceDescription: kyvernov1.ResourceDescription{ + Namespaces: cnp.Spec.NsSelector.ExcludeNames, + }, } - } + excludeFilters = append(excludeFilters, resourceFilter) + } + background := true return kyvernov1.ClusterPolicy{ Spec: kyvernov1.Spec{ - Background: &background , + Background: &background, Rules: []kyvernov1.Rule{ { Name: "restricted", MatchResources: kyvernov1.MatchResources{ - Any: resourceFilters, + Any: matchFilters, + }, + ExcludeResources: kyvernov1.MatchResources{ + Any: excludeFilters, }, Validation: kyvernov1.Validation{ - PodSecurity : &kyvernov1.PodSecurity{ - Level: psa_level, + PodSecurity: &kyvernov1.PodSecurity{ + Level: psa_level, Version: "latest", }, }, @@ -149,4 +122,3 @@ func clusterEscapeToHost(cnp *v1.ClusterNimbusPolicy, rule v1.Rule) kyvernov1.Cl func addManagedByAnnotationForClusterScopedPolicy(kcp *kyvernov1.ClusterPolicy) { kcp.Annotations["app.kubernetes.io/managed-by"] = "nimbus-kyverno" } - diff --git a/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go b/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go index 719184d7..8cdf153d 100644 --- a/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go +++ b/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go @@ -6,7 +6,7 @@ package processor import ( "strings" - v1 "github.com/5GSEC/nimbus/api/v1" + v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1" "github.com/5GSEC/nimbus/pkg/adapter/idpool" "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" @@ -14,7 +14,7 @@ import ( "k8s.io/pod-security-admission/api" ) -func BuildKpsFrom(logger logr.Logger, np *v1.NimbusPolicy) []kyvernov1.Policy { +func BuildKpsFrom(logger logr.Logger, np *v1alpha1.NimbusPolicy) []kyvernov1.Policy { // Build KPs based on given IDs var kps []kyvernov1.Policy for _, nimbusRule := range np.Spec.NimbusRules { 
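Review bot: A ClusterIntentBinding that sets only `excludeNames` produces a rule with an empty `match` block, because the `v1/Pod` match filter is only built inside `if len(cnp.Spec.NsSelector.MatchNames) > 0`; as far as I can tell Kyverno rejects a rule with no match resources, and even if it accepted it the rule would match nothing, so in both cases the PSA intent is silently not enforced for the exclude-only case. The match filter should always be emitted, with `Namespaces` left nil for the cluster-wide case, and the exclude filter should name `Kinds: []string{"v1/Pod"}` so it mirrors what is matched. Separately, `Selector` is populated even when `cnp.Spec.WorkloadSelector.MatchLabels` is empty; an empty label selector is presumably treated as match-all, but setting it only when labels exist avoids depending on that. clusterEscapeToHost's signature is in the previous hunk and the ClusterPolicy literal continues past this one.
```go
	// … unchanged: psa_level switch …
	var matchFilters, excludeFilters []kyvernov1.ResourceFilter

	// Always emit a match filter: an exclude-only namespace selector means
	// "all Pods except those namespaces", not "no Pods".
	matchFilter := kyvernov1.ResourceFilter{
		ResourceDescription: kyvernov1.ResourceDescription{
			Kinds:      []string{"v1/Pod"},
			Namespaces: cnp.Spec.NsSelector.MatchNames, // nil/empty => all namespaces
		},
	}
	if len(cnp.Spec.WorkloadSelector.MatchLabels) > 0 {
		matchFilter.ResourceDescription.Selector = &metav1.LabelSelector{
			MatchLabels: cnp.Spec.WorkloadSelector.MatchLabels,
		}
	}
	matchFilters = append(matchFilters, matchFilter)

	if len(cnp.Spec.NsSelector.ExcludeNames) > 0 {
		excludeFilters = append(excludeFilters, kyvernov1.ResourceFilter{
			ResourceDescription: kyvernov1.ResourceDescription{
				Kinds:      []string{"v1/Pod"},
				Namespaces: cnp.Spec.NsSelector.ExcludeNames,
			},
		})
	}
	// … unchanged: ClusterPolicy construction …
```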
@@ -41,7 +41,7 @@ func BuildKpsFrom(logger logr.Logger, np *v1.NimbusPolicy) []kyvernov1.Policy { } // buildKpFor builds a KyvernoPolicy based on intent ID supported by Kyverno Policy Engine. -func buildKpFor(id string, np *v1.NimbusPolicy) kyvernov1.Policy { +func buildKpFor(id string, np *v1alpha1.NimbusPolicy) kyvernov1.Policy { switch id { case idpool.EscapeToHost: return escapeToHost(np, np.Spec.NimbusRules[0].Rule) @@ -50,8 +50,8 @@ func buildKpFor(id string, np *v1.NimbusPolicy) kyvernov1.Policy { } } -func escapeToHost(np *v1.NimbusPolicy, rule v1.Rule) kyvernov1.Policy { - background := true +func escapeToHost(np *v1alpha1.NimbusPolicy, rule v1alpha1.Rule) kyvernov1.Policy { + var psa_level api.Level = api.LevelBaseline if rule.Params["psa_level"] != nil { @@ -59,28 +59,18 @@ func escapeToHost(np *v1.NimbusPolicy, rule v1.Rule) kyvernov1.Policy { switch rule.Params["psa_level"][0] { case "restricted": psa_level = api.LevelRestricted - + case "privileged": psa_level = api.LevelPrivileged - + default: psa_level = api.LevelBaseline } - } labels := np.Spec.Selector.MatchLabels - lis := rule.Params["exclude_resources"] - exclusionLables := make(map[string]string) - for _, item := range lis { - parts := strings.Split(item, ":") - if len(parts) == 2 { - key := parts[0] - value := parts[1] - exclusionLables[key] = value - } - } + background := true kp := kyvernov1.Policy{ Spec: kyvernov1.Spec{ Background: &background, diff --git a/pkg/adapter/nimbus-kyverno/watcher/kcpwatcher.go b/pkg/adapter/nimbus-kyverno/watcher/kcpwatcher.go index db1f72f6..0bd7a6b5 100644 --- a/pkg/adapter/nimbus-kyverno/watcher/kcpwatcher.go +++ b/pkg/adapter/nimbus-kyverno/watcher/kcpwatcher.go 
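Review bot: Deleting the `rule.Params["exclude_resources"]` parsing in escapeToHost means a NimbusPolicy that still carries that parameter is accepted and its exclusions are dropped without any signal, which for a PSA-enforcing policy is a quiet change in what gets enforced rather than a no-op. Unless the parameter was removed from the intent schema in the same change (not visible here), the caller that has a logger, BuildKpsFrom, should warn when it is present, e.g. `logger.Info("ignoring unsupported rule parameter", "param", "exclude_resources")`. The old `exclusionLables` map was presumably consumed further down in the Policy literal, so the rest of escapeToHost must have changed as well; that part is outside this hunk. `"strings"` stays imported in the hunk above while its only visible use, `strings.Split`, is removed, so worth confirming another use remains in the file.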
@@ -31,8 +31,7 @@ func kcpInformer() cache.SharedIndexInformer {
 	return informer
 }
 
-
-// WatchKsps watches update and delete event for KyvernoClusterPolicies owned by
+// WatchKcps watches update and delete event for KyvernoClusterPolicies owned by
 // NimbusPolicy or ClusterNimbusPolicy and put their info on respective channels.
 func WatchKcps(ctx context.Context, updatedKcpCh, deletedKcpCh chan string) {
 	logger := log.FromContext(ctx)
@@ -42,7 +41,7 @@ func WatchKcps(ctx context.Context, updatedKcpCh, deletedKcpCh chan string) {
 			oldU := oldObj.(*unstructured.Unstructured)
 			newU := newObj.(*unstructured.Unstructured)
 
-			if adapterutil.IsOrphan(newU.GetOwnerReferences(), "NimbusPolicy") {
+			if adapterutil.IsOrphan(newU.GetOwnerReferences(), "ClusterNimbusPolicy") {
 				logger.V(4).Info("Ignoring orphan KyvernoClusterPolicy", "KyvernoClusterPolicy.Name", oldU.GetName(), "Operation", "Update")
 				return
 			}
@@ -56,7 +55,7 @@ func WatchKcps(ctx context.Context, updatedKcpCh, deletedKcpCh chan string) {
 		},
 		DeleteFunc: func(obj interface{}) {
 			u := obj.(*unstructured.Unstructured)
-			if adapterutil.IsOrphan(u.GetOwnerReferences(), "NimbusPolicy") {
+			if adapterutil.IsOrphan(u.GetOwnerReferences(), "ClusterNimbusPolicy") {
 				logger.V(4).Info("Ignoring orphan KyvernoClusterPolicy", "KyvernoClusterPolicy.Name", u.GetName(), "Operation", "Delete")
 				return
 			}
diff --git a/pkg/adapter/nimbus-kyverno/watcher/kpwatcher.go b/pkg/adapter/nimbus-kyverno/watcher/kpwatcher.go
index 529ae849..119ad763 100644
--- a/pkg/adapter/nimbus-kyverno/watcher/kpwatcher.go
+++ b/pkg/adapter/nimbus-kyverno/watcher/kpwatcher.go
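Review bot: The doc comment on WatchKcps still says the watcher handles KyvernoClusterPolicies "owned by NimbusPolicy or ClusterNimbusPolicy", but both the update and delete handlers now drop any object whose owner is not a ClusterNimbusPolicy, so the renamed comment describes the old filter. Suggest `// WatchKcps watches update and delete events for KyvernoClusterPolicies owned by a ClusterNimbusPolicy and puts their names on the respective channels.` The kpwatcher.go hunk below gets the same rename without correcting the wording; its orphan check is outside that hunk, so I can't tell whether the "or ClusterNimbusPolicy" part is still accurate there.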
@@ -36,8 +36,7 @@ func kpInformer() cache.SharedIndexInformer {
 	return informer
 }
 
-
-// WatchKsps watches update and delete event for KyvernoPolicies owned by
+// WatchKps watches update and delete event for KyvernoPolicies owned by
 // NimbusPolicy or ClusterNimbusPolicy and put their info on respective channels.
 func WatchKps(ctx context.Context, updatedKpCh, deletedKpCh chan common.Request) {
 	logger := log.FromContext(ctx)
diff --git a/pkg/adapter/nimbus-netpol/go.mod b/pkg/adapter/nimbus-netpol/go.mod
index 29984cb9..033ee9ec 100644
--- a/pkg/adapter/nimbus-netpol/go.mod
+++ b/pkg/adapter/nimbus-netpol/go.mod
@@ -1,35 +1,37 @@
 module github.com/5GSEC/nimbus/pkg/adapter/nimbus-netpol
 
-go 1.22
+go 1.22.0
+
+toolchain go1.22.1
+
 replace github.com/5GSEC/nimbus => ../../../../nimbus
 
 require (
-	github.com/5GSEC/nimbus v0.0.0-20240305043055-359d519c1d9f
+	github.com/5GSEC/nimbus v0.0.0-20240503063208-5bd27400462f
 	github.com/go-logr/logr v1.4.1
-	k8s.io/api v0.29.1
-	k8s.io/apimachinery v0.29.1
-	k8s.io/client-go v0.29.1
-	sigs.k8s.io/controller-runtime v0.17.0
+	k8s.io/api v0.30.0
+	k8s.io/apimachinery v0.30.0
+	k8s.io/client-go v0.30.0
+	sigs.k8s.io/controller-runtime v0.18.2
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/emicklei/go-restful/v3 v3.11.2 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.2 // indirect
-	github.com/go-openapi/jsonreference v0.20.4 // indirect
-	github.com/go-openapi/swag v0.22.9 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -39,32 +41,29 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.18.0 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.46.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/prometheus/client_golang v1.19.1 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.53.0 // indirect
+	github.com/prometheus/procfs v0.15.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.26.0 // indirect
-	golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect
-	golang.org/x/net v0.20.0 // indirect
-	golang.org/x/oauth2 v0.16.0 // indirect
-	golang.org/x/sys v0.16.0 // indirect
-	golang.org/x/term v0.16.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/oauth2 v0.20.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/term v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/protobuf v1.32.0 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.29.1 // indirect
-	k8s.io/component-base v0.29.1 // indirect
+	k8s.io/apiextensions-apiserver v0.30.0 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec // indirect
-	k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect
+	k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect
+	k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
diff --git a/pkg/adapter/nimbus-netpol/go.sum b/pkg/adapter/nimbus-netpol/go.sum
index 1a89950d..66301cf8 100644
--- a/pkg/adapter/nimbus-netpol/go.sum
+++ b/pkg/adapter/nimbus-netpol/go.sum
@@ -1,15 +1,13 @@ -github.com/5GSEC/nimbus v0.0.0-20240305043055-359d519c1d9f h1:FOwBcqhGFm8RXXjgJTdBhjhb3k5UbaDOJ6TpK+5Zmvk= -github.com/5GSEC/nimbus v0.0.0-20240305043055-359d519c1d9f/go.mod h1:FflBHoOu8LpzZJucobgLdGG4j+22A97JX8cXlNY1fXc= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU= -github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= +github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= 
@@ -20,33 +18,31 @@ github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= -github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= -github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= -github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= -github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= -github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE= -github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf 
v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b h1:RMpPgZTSApbPf7xaVel+QkoGPRLFLrwFO89uDUHEGf0= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= 
+github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= 
@@ -70,103 +66,84 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= -github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= -github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= -github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= +github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= -github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= -github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= -github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= 
-github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y= -github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ= -github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= +github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE= +github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U= +github.com/prometheus/procfs v0.15.0 h1:A82kmvXJq2jTu5YUhSGNlYoxh85zLnKgPz4bMZgI5Ek= +github.com/prometheus/procfs v0.15.0/go.mod h1:Y0RJ/Y5g5wJpkTisOtqwDSo4HwhGmLB4VQSw2sQJLHk= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/yuin/goldmark 
v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= -go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA= -golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= -golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= -golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= +golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= +golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo= +golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= -golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.5.0 
h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc= -golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= +golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= +golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= -google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.32.0 
h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= +google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 
@@ -177,24 +154,22 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw=
-k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ=
-k8s.io/apiextensions-apiserver v0.29.1 h1:S9xOtyk9M3Sk1tIpQMu9wXHm5O2MX6Y1kIpPMimZBZw=
-k8s.io/apiextensions-apiserver v0.29.1/go.mod h1:zZECpujY5yTW58co8V2EQR4BD6A9pktVgHhvc0uLfeU=
-k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc=
-k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
-k8s.io/client-go v0.29.1 h1:19B/+2NGEwnFLzt0uB5kNJnfTsbV8w6TgQRz9l7ti7A=
-k8s.io/client-go v0.29.1/go.mod h1:TDG/psL9hdet0TI9mGyHJSgRkW3H9JZk2dNEUS7bRks=
-k8s.io/component-base v0.29.1 h1:MUimqJPCRnnHsskTTjKD+IC1EHBbRCVyi37IoFBrkYw=
-k8s.io/component-base v0.29.1/go.mod h1:fP9GFjxYrLERq1GcWWZAE3bqbNcDKDytn2srWuHTtKc=
+k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=
+k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE=
+k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs=
+k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y=
+k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA=
+k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ=
+k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec
h1:iGTel2aR8vCZdxJDgmbeY0zrlXy9Qcvyw4R2sB4HLrA=
-k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec/go.mod h1:Pa1PvrP7ACSkuX6I7KYomY6cmMA0Tx86waBhDUgoKPw=
-k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
-k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s=
-sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s=
+k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM=
+k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro=
+k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak=
+k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q=
+sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
diff --git a/pkg/adapter/nimbus-netpol/manager/netpols_manager.go b/pkg/adapter/nimbus-netpol/manager/netpols_manager.go
index 9aee3b74..00b64f1c 100644
--- a/pkg/adapter/nimbus-netpol/manager/netpols_manager.go
+++ b/pkg/adapter/nimbus-netpol/manager/netpols_manager.go
@@ -5,7 +5,6 @@ package manager
 import (
 "context"
- "fmt"
 "strings"
 "github.com/go-logr/logr"
@@ -18,7 +17,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/log"
- intentv1 "github.com/5GSEC/nimbus/api/v1"
+ v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
 "github.com/5GSEC/nimbus/pkg/adapter/common"
 "github.com/5GSEC/nimbus/pkg/adapter/k8s"
 adapterutil "github.com/5GSEC/nimbus/pkg/adapter/util"
@@ -34,19 +33,18 @@ var (
 )
 func init() {
- utilruntime.Must(intentv1.AddToScheme(scheme))
+ utilruntime.Must(v1alpha1.AddToScheme(scheme))
 utilruntime.Must(netv1.AddToScheme(scheme))
 k8sClient = k8s.NewOrDie(scheme)
 }
 func Run(ctx context.Context) {
+
+ // Watch NimbusPolicies only, and not ClusterNimbusPolicies as NetworkPolicy is
+ // namespaced scoped
 npCh := make(chan common.Request)
 deletedNpCh := make(chan common.Request)
- go globalwatcher.WatchNimbusPolicies(ctx, npCh, deletedNpCh)
-
- clusterNpChan := make(chan string)
- deletedClusterNpChan := make(chan string)
- go globalwatcher.WatchClusterNimbusPolicies(ctx, clusterNpChan, deletedClusterNpChan)
+ go globalwatcher.WatchNimbusPolicies(ctx, npCh, deletedNpCh, "SecurityIntentBinding", "ClusterSecurityIntentBinding")
 updatedNetpolCh := make(chan common.Request)
 deletedNetpolCh := make(chan common.Request)
@@ -54,11 +52,9 @@ func Run(ctx context.Context) {
 for {
 select {
- case _ = <-ctx.Done():
+ case <-ctx.Done():
 close(npCh)
 close(deletedNpCh)
- close(clusterNpChan)
- close(deletedClusterNpChan)
 close(updatedNetpolCh)
 close(deletedNetpolCh)
 return
@@ -70,10 +66,6 @@ func Run(ctx context.Context) {
 reconcileNetPol(ctx, updatedNetpol.Name, updatedNetpol.Namespace, false)
 case deletedNetpol := <-deletedNetpolCh:
 reconcileNetPol(ctx, deletedNetpol.Name, deletedNetpol.Namespace, true)
- case _ = <-clusterNpChan: // Fixme: Create netpol based on ClusterNP
- fmt.Println("No-op for ClusterNimbusPolicy")
- case _ = <-deletedClusterNpChan: // Fixme: Delete netpol based on ClusterNP
- fmt.Println("No-op for ClusterNimbusPolicy")
 }
 }
 }
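Review bot: Run still closes npCh and deletedNpCh from the receiving side in the `case <-ctx.Done():` branch, while the WatchNimbusPolicies goroutine started a few lines above is presumably the sender; a send that lands after the close panics, and nothing here waits for the watcher to stop first. Since the watcher already receives ctx, letting it stop on ctx.Done() and leaving the channels open (or having the sender close them) removes the race; the same applies to updatedNetpolCh and deletedNetpolCh, whose sender is outside these hunks. Separately, the blank line inserted directly after the `func Run(ctx context.Context) {` brace is not gofmt style; the new comment can sit right under the signature. The body of Run continues past this hunk.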
@@ -81,7 +73,7 @@ func Run(ctx context.Context) {
 func reconcileNetPol(ctx context.Context, netpolName, namespace string, deleted bool) {
 logger := log.FromContext(ctx)
 npName := adapterutil.ExtractNpName(netpolName)
- var np intentv1.NimbusPolicy
+ var np v1alpha1.NimbusPolicy
 err := k8sClient.Get(ctx, types.NamespacedName{Name: npName, Namespace: namespace}, &np)
 if err != nil {
 if !errors.IsNotFound(err) {
@@ -99,7 +91,7 @@ func reconcileNetPol(ctx context.Context, netpolName, namespace string, deleted
 func createOrUpdateNetworkPolicy(ctx context.Context, npName, npNamespace string) {
 logger := log.FromContext(ctx)
- var np intentv1.NimbusPolicy
+ var np v1alpha1.NimbusPolicy
 if err := k8sClient.Get(ctx, types.NamespacedName{Name: npName, Namespace: npNamespace}, &np); err != nil {
 logger.Error(err, "failed to get NimbusPolicy", "NimbusPolicy.Name", npName[0], "NimbusPolicy.Namespace", npName[1])
 return
@@ -172,7 +164,7 @@ func deleteNetworkPolicy(ctx context.Context, npName, npNamespace string) {
 }
 }
-func deleteDanglingNetpols(ctx context.Context, np intentv1.NimbusPolicy, logger logr.Logger) {
+func deleteDanglingNetpols(ctx context.Context, np v1alpha1.NimbusPolicy, logger logr.Logger) {
 var existingNetpols netv1.NetworkPolicyList
 if err := k8sClient.List(ctx, &existingNetpols, client.InNamespace(np.Namespace)); err != nil {
 logger.Error(err, "failed to list NetworkPolicies for cleanup")
diff --git a/pkg/adapter/nimbus-netpol/processor/netpol_builder.go b/pkg/adapter/nimbus-netpol/processor/netpol_builder.go
index df7de1b8..5132841c 100644
--- a/pkg/adapter/nimbus-netpol/processor/netpol_builder.go
+++ b/pkg/adapter/nimbus-netpol/processor/netpol_builder.go
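Review bot: In createOrUpdateNetworkPolicy the error log `"NimbusPolicy.Name", npName[0], "NimbusPolicy.Namespace", npName[1]` indexes single bytes of npName (declared `string` in the signature on the line above), so the record carries two uint8 values instead of the name and namespace; it should read `"NimbusPolicy.Name", npName, "NimbusPolicy.Namespace", npNamespace`. This is context rather than changed code, but it is the only place a failed Get is reported, so an operator investigating a NetworkPolicy that was never created gets an unusable log line. createOrUpdateNetworkPolicy continues past the hunk.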
@@ -12,11 +12,11 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
- v1 "github.com/5GSEC/nimbus/api/v1"
+ v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
 "github.com/5GSEC/nimbus/pkg/adapter/idpool"
 )
-func BuildNetPolsFrom(logger logr.Logger, np v1.NimbusPolicy) []netv1.NetworkPolicy {
+func BuildNetPolsFrom(logger logr.Logger, np v1alpha1.NimbusPolicy) []netv1.NetworkPolicy {
 // Build netpols based on given IDs
 var netpols []netv1.NetworkPolicy
 for _, nimbusRule := range np.Spec.NimbusRules {
diff --git a/pkg/adapter/util/clusternimbuspolicy_util.go b/pkg/adapter/util/clusternimbuspolicy_util.go
index f042348a..fbe5aac1 100644
--- a/pkg/adapter/util/clusternimbuspolicy_util.go
+++ b/pkg/adapter/util/clusternimbuspolicy_util.go
@@ -11,7 +11,7 @@ import (
 "k8s.io/client-go/util/retry"
 "sigs.k8s.io/controller-runtime/pkg/client"
- intentv1 "github.com/5GSEC/nimbus/api/v1"
+ v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
 )
 // ExtractNpName extracts the actual NimbusPolicy name from a formatted policy
@@ -34,7 +34,7 @@ func UpdateCnpStatus(ctx context.Context, k8sClient client.Client, currPolicyFul
 // exponential backoff strategy. This provides resilience against potential
 // issues while preventing indefinite retries in case of persistent conflicts.
 if retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error {
- latestCnp := &intentv1.ClusterNimbusPolicy{}
+ latestCnp := &v1alpha1.ClusterNimbusPolicy{}
 if err := k8sClient.Get(ctx, types.NamespacedName{Name: cnpName}, latestCnp); err != nil {
 return nil
 }
@@ -51,7 +51,7 @@ func UpdateCnpStatus(ctx context.Context, k8sClient client.Client, currPolicyFul
 return nil
 }
-func updateCountAndClusterPoliciesName(latestCnp *intentv1.ClusterNimbusPolicy, currPolicyFullName string, decrement bool) {
+func updateCountAndClusterPoliciesName(latestCnp *v1alpha1.ClusterNimbusPolicy, currPolicyFullName string, decrement bool) {
 if !contains(latestCnp.Status.Policies, currPolicyFullName) {
 latestCnp.Status.NumberOfAdapterPolicies++
 latestCnp.Status.Policies = append(latestCnp.Status.Policies, currPolicyFullName)
diff --git a/pkg/adapter/util/nimbuspolicy_util.go b/pkg/adapter/util/nimbuspolicy_util.go
index 5987e46e..b120bdba 100644
--- a/pkg/adapter/util/nimbuspolicy_util.go
+++ b/pkg/adapter/util/nimbuspolicy_util.go
@@ -11,7 +11,7 @@ import (
 "k8s.io/client-go/util/retry"
 "sigs.k8s.io/controller-runtime/pkg/client"
- intentv1 "github.com/5GSEC/nimbus/api/v1"
+ v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
 )
 // ExtractNpName extracts the actual NimbusPolicy name from a formatted policy
@@ -34,7 +34,7 @@ func UpdateNpStatus(ctx context.Context, k8sClient client.Client, currPolicyFull
 // exponential backoff strategy. This provides resilience against potential
 // issues while preventing indefinite retries in case of persistent conflicts.
 if retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error {
- latestNp := &intentv1.NimbusPolicy{}
+ latestNp := &v1alpha1.NimbusPolicy{}
 if err := k8sClient.Get(ctx, types.NamespacedName{Name: npName, Namespace: namespace}, latestNp); err != nil {
 return nil
 }
@@ -51,7 +51,7 @@ func UpdateNpStatus(ctx context.Context, k8sClient client.Client, currPolicyFull
 return nil
 }
-func updateCountAndPoliciesName(latestNp *intentv1.NimbusPolicy, currPolicyFullName string, decrement bool) {
+func updateCountAndPoliciesName(latestNp *v1alpha1.NimbusPolicy, currPolicyFullName string, decrement bool) {
 if !contains(latestNp.Status.Policies, currPolicyFullName) {
 latestNp.Status.NumberOfAdapterPolicies++
 latestNp.Status.Policies = append(latestNp.Status.Policies, currPolicyFullName)
diff --git a/pkg/adapter/util/watcher_util.go b/pkg/adapter/util/watcher_util.go
index 936fba90..fd0b3288 100644
--- a/pkg/adapter/util/watcher_util.go
+++ b/pkg/adapter/util/watcher_util.go
@@ -7,6 +7,14 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
-func IsOrphan(ownerRefs []metav1.OwnerReference, ownerKind string) bool {
- return len(ownerRefs) == 0 || ownerRefs[0].Kind != ownerKind
+func IsOrphan(ownerRefs []metav1.OwnerReference, ownerKind ...string) bool {
+ if len(ownerRefs) == 0 {
+ return true
+ }
+ for _, oKind := range ownerKind {
+ if ownerRefs[0].Kind == oKind {
+ return false
+ }
+ }
+ return true
 }
diff --git a/pkg/adapter/watcher/clusternimbuspolicy_watcher.go b/pkg/adapter/watcher/clusternimbuspolicy_watcher.go
index b1a72627..949fc28a 100644
--- a/pkg/adapter/watcher/clusternimbuspolicy_watcher.go
+++ b/pkg/adapter/watcher/clusternimbuspolicy_watcher.go
@@ -19,7 +19,7 @@ import (
 func setupClusterNpInformer() cache.SharedIndexInformer {
 clusterNpGvr := schema.GroupVersionResource{
 Group: "intent.security.nimbus.com",
- Version: "v1",
+ Version: "v1alpha1",
 Resource: "clusternimbuspolicies",
 }
 clusterNpInformer := factory.ForResource(clusterNpGvr).Informer()
diff --git a/pkg/adapter/watcher/nimbuspolicy_watcher.go b/pkg/adapter/watcher/nimbuspolicy_watcher.go
index fe4980d2..0104985d 100644
--- a/pkg/adapter/watcher/nimbuspolicy_watcher.go
+++ b/pkg/adapter/watcher/nimbuspolicy_watcher.go
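Review bot: IsOrphan still inspects only `ownerRefs[0]`, so an object with more than one owner is classified by whichever reference happens to be listed first, and with an empty ownerKind list (easy to pass by mistake now that the parameter is variadic) every owned object is reported as an orphan. Because this predicate decides whether an adapter acts on a NimbusPolicy at all, it should scan every reference; matching on Kind alone also accepts an owner from an unrelated API group that happens to share the Kind name, so if all owner references are set through ctrl.SetControllerReference (as the new builder in this commit does), additionally requiring `ref.Controller != nil && *ref.Controller` would tighten the check. The exported function also lacks a doc comment; the rewrite below adds one and keeps the signature.

```go
// IsOrphan reports whether none of ownerRefs names an owner whose Kind is one
// of ownerKind. With no ownerKind given, every object is treated as an orphan.
func IsOrphan(ownerRefs []metav1.OwnerReference, ownerKind ...string) bool {
	for _, ref := range ownerRefs {
		for _, kind := range ownerKind {
			if ref.Kind == kind {
				return false
			}
		}
	}
	return true
}
```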
@@ -30,7 +30,7 @@ func init() {
 func npInformer() cache.SharedIndexInformer {
 nimbusPolicyGvr := schema.GroupVersionResource{
 Group: "intent.security.nimbus.com",
- Version: "v1",
+ Version: "v1alpha1",
 Resource: "nimbuspolicies",
 }
 nimbusPolicyInformer := factory.ForResource(nimbusPolicyGvr).Informer()
@@ -40,14 +40,15 @@ func npInformer() cache.SharedIndexInformer {
 // WatchNimbusPolicies watches for create, update and delete events for
 // NimbusPolicies owned by SecurityIntentBinding and put their info on respective
 // channels.
-func WatchNimbusPolicies(ctx context.Context, npCh, deleteNpCh chan common.Request) {
+// ownerKind indicates which owners of the NimbusPolicy are fine
+func WatchNimbusPolicies(ctx context.Context, npCh, deleteNpCh chan common.Request, ownerKind ...string) {
 nimbusPolicyInformer := npInformer()
 logger := log.FromContext(ctx)
 handlers := cache.ResourceEventHandlerFuncs{
 AddFunc: func(obj interface{}) {
 u := obj.(*unstructured.Unstructured)
- if adapterutil.IsOrphan(u.GetOwnerReferences(), "SecurityIntentBinding") {
+ if adapterutil.IsOrphan(u.GetOwnerReferences(), ownerKind...) {
 logger.V(4).Info("Ignoring orphan NimbusPolicy", "NimbusPolicy.Name", u.GetName(), "NimbusPolicy.Namespace", u.GetNamespace(), "Operation", "Create")
 return
 }
@@ -62,7 +63,7 @@ func WatchNimbusPolicies(ctx context.Context, npCh, deleteNpCh chan common.Reque
 oldU := oldObj.(*unstructured.Unstructured)
 newU := newObj.(*unstructured.Unstructured)
- if adapterutil.IsOrphan(newU.GetOwnerReferences(), "SecurityIntentBinding") {
+ if adapterutil.IsOrphan(newU.GetOwnerReferences(), ownerKind...) {
 logger.V(4).Info("Ignoring orphan NimbusPolicy", "NimbusPolicy.Name", oldU.GetName(), "NimbusPolicy.Namespace", oldU.GetNamespace(), "Operation", "Update")
 return
 }
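Review bot: The doc comment on WatchNimbusPolicies still says the policies are "owned by SecurityIntentBinding", and the added line `// ownerKind indicates which owners of the NimbusPolicy are fine` neither says that the values are owner Kinds nor that passing none causes every event to be dropped as an orphan, which is what the `IsOrphan(..., ownerKind...)` calls in the Add, Update and Delete handlers do. Suggest changing the second sentence to `// NimbusPolicies owned by one of the given Kinds and put their info on respective` and replacing the added line with `// ownerKind lists the owner Kinds whose NimbusPolicies are forwarded; events for` / `// policies with no owner, or with an owner of another Kind, are ignored.` The same ownerKind... substitution appears in the Update hunk on this line and the Delete hunk that follows; WatchNimbusPolicies continues beyond these hunks.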
@@ -86,7 +87,7 @@ func WatchNimbusPolicies(ctx context.Context, npCh, deleteNpCh chan common.Reque
 },
 DeleteFunc: func(obj interface{}) {
 u := obj.(*unstructured.Unstructured)
- if adapterutil.IsOrphan(u.GetOwnerReferences(), "SecurityIntentBinding") {
+ if adapterutil.IsOrphan(u.GetOwnerReferences(), ownerKind...) {
 logger.V(4).Info("Ignoring orphan NimbusPolicy", "NimbusPolicy.Name", u.GetName(), "NimbusPolicy.Namespace", u.GetNamespace(), "Operation", "Delete")
 return
 }
diff --git a/pkg/processor/intentbinder/intent_binder.go b/pkg/processor/intentbinder/intent_binder.go
index ed55feaf..6d6d573c 100644
--- a/pkg/processor/intentbinder/intent_binder.go
+++ b/pkg/processor/intentbinder/intent_binder.go
@@ -11,25 +11,25 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/log"
- v1 "github.com/5GSEC/nimbus/api/v1"
+ v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
 )
 // ExtractIntents extract the SecurityIntent from the given SecurityIntentBinding
 // or ClusterSecurityIntentBinding objects.
-func ExtractIntents(ctx context.Context, c client.Client, object client.Object) []v1.SecurityIntent {
+func ExtractIntents(ctx context.Context, c client.Client, object client.Object) []v1alpha1.SecurityIntent {
 logger := log.FromContext(ctx)
- var intents []v1.SecurityIntent
- var givenIntents []v1.MatchIntent
+ var intents []v1alpha1.SecurityIntent
+ var givenIntents []v1alpha1.MatchIntent
 switch obj := object.(type) {
- case *v1.SecurityIntentBinding:
+ case *v1alpha1.SecurityIntentBinding:
 givenIntents = obj.Spec.Intents
- case *v1.ClusterSecurityIntentBinding:
+ case *v1alpha1.ClusterSecurityIntentBinding:
 givenIntents = obj.Spec.Intents
 }
 for _, intent := range givenIntents {
- var si v1alpha1.SecurityIntent
+ var si v1alpha1.SecurityIntent
 if err := c.Get(ctx, types.NamespacedName{Name: intent.Name}, &si); err != nil && apierrors.IsNotFound(err) {
 logger.V(2).Info("failed to fetch SecurityIntent", "SecurityIntent.Name", intent.Name)
 continue
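Review bot: The Get in ExtractIntents only skips the intent when the error is NotFound; for any other failure (timeout, RBAC denial, API server unavailable) the condition `err != nil && apierrors.IsNotFound(err)` is false and the loop body proceeds with a zero-valued `si`, so if the lines after this hunk append si to intents, a transient error produces a policy that silently carries an empty SecurityIntent. Changing the test to `if err != nil {`, then logging at error level and `continue`-ing for non-NotFound causes inside it, keeps a transient failure from weakening the generated policy. This is pre-existing context rather than changed code, but the rename touched every line around it. The loop body continues past the hunk.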
diff --git a/pkg/processor/policybuilder/clusternimbuspolicy_builder.go b/pkg/processor/policybuilder/clusternimbuspolicy_builder.go
index b7968c09..cfeba7c5 100644
--- a/pkg/processor/policybuilder/clusternimbuspolicy_builder.go
+++ b/pkg/processor/policybuilder/clusternimbuspolicy_builder.go
@@ -13,14 +13,14 @@ import (
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
- v1 "github.com/5GSEC/nimbus/api/v1"
+ v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
 processorerrors "github.com/5GSEC/nimbus/pkg/processor/errors"
 "github.com/5GSEC/nimbus/pkg/processor/intentbinder"
 )
 // BuildClusterNimbusPolicy generates a ClusterNimbusPolicy based on given
 // SecurityIntents and ClusterSecurityIntentBinding.
-func BuildClusterNimbusPolicy(ctx context.Context, logger logr.Logger, k8sClient client.Client, scheme *runtime.Scheme, csib v1.ClusterSecurityIntentBinding) (*v1.ClusterNimbusPolicy, error) {
+func BuildClusterNimbusPolicy(ctx context.Context, logger logr.Logger, k8sClient client.Client, scheme *runtime.Scheme, csib v1alpha1.ClusterSecurityIntentBinding) (*v1alpha1.ClusterNimbusPolicy, error) {
 logger.Info("Building ClusterNimbusPolicy")
 intents := intentbinder.ExtractIntents(ctx, k8sClient, &csib)
 if len(intents) == 0 {
@@ -28,27 +28,28 @@ func BuildClusterNimbusPolicy(ctx context.Context, logger logr.Logger, k8sClient
 return nil, processorerrors.ErrSecurityIntentsNotFound
 }
- var nimbusRules []v1.NimbusRules
+ var nimbusRules []v1alpha1.NimbusRules
 for _, intent := range intents {
- nimbusRules = append(nimbusRules, v1.NimbusRules{
+ nimbusRules = append(nimbusRules, v1alpha1.NimbusRules{
 ID: intent.Spec.Intent.ID,
 Description: intent.Spec.Intent.Description,
- Rule: v1.Rule{
+ Rule: v1alpha1.Rule{
 RuleAction: intent.Spec.Intent.Action,
 Params: intent.Spec.Intent.Params,
 },
 })
 }
- clusterBindingSelector := extractClusterBindingSelector(csib.Spec.Selector)
- clusterNp := &v1.ClusterNimbusPolicy{
+ clusterNp := &v1alpha1.ClusterNimbusPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: csib.Name,
 Labels: csib.Labels,
 },
- Spec: v1.ClusterNimbusPolicySpec{
- Selector: clusterBindingSelector,
- NimbusRules: nimbusRules,
+ Spec: v1alpha1.ClusterNimbusPolicySpec{
+ NodeSelector: csib.Spec.Selector.NodeSelector,
+ NsSelector: csib.Spec.Selector.NsSelector,
+ WorkloadSelector: csib.Spec.Selector.WorkloadSelector,
+ NimbusRules: nimbusRules,
 },
 }
@@ -59,17 +60,3 @@ func BuildClusterNimbusPolicy(ctx context.Context, logger logr.Logger, k8sClient
 logger.Info("ClusterNimbusPolicy built successfully", "ClusterNimbusPolicy.Name", clusterNp.Name)
 return clusterNp, nil
 }
-
-func extractClusterBindingSelector(cwSelector v1.CwSelector) v1.CwSelector {
- // Todo: Handle CEL expression
- var clusterBindingSelector v1.CwSelector
- for _, resource := range cwSelector.Resources {
- var cwresource v1.CwResource
- cwresource.Kind = resource.Kind
- cwresource.Name = resource.Name
- cwresource.Namespace = resource.Namespace
- cwresource.MatchLabels = resource.MatchLabels
- clusterBindingSelector.Resources = append(clusterBindingSelector.Resources, cwresource)
- }
- return clusterBindingSelector
-}
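Review bot: Deleting extractClusterBindingSelector also deletes the only `// Todo: Handle CEL expression` reminder, while the namespaced builder in this same commit now receives `sib.Spec.CEL`; if ClusterSecurityIntentBinding carries an equivalent CEL field (its type is not visible here), BuildClusterNimbusPolicy now ignores it without any trace, so either that handling should be ported or a one-line comment above the Spec literal should state that CEL is not evaluated for cluster bindings. The nimbusRules loop in this hunk is also repeated verbatim in BuildNimbusPolicyFromClusterBinding in nimbuspolicy_builder.go; a package-level helper such as `func nimbusRulesFrom(intents []v1alpha1.SecurityIntent) []v1alpha1.NimbusRules` would keep the two from drifting. The function's body between the two hunks is outside this view.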
diff --git a/pkg/processor/policybuilder/common.go b/pkg/processor/policybuilder/common.go
index e386cd92..61ce01d4 100644
--- a/pkg/processor/policybuilder/common.go
+++ b/pkg/processor/policybuilder/common.go
@@ -14,8 +14,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/log"
-
- v1 "github.com/5GSEC/nimbus/api/v1"
 )
 // ProcessCEL processes CEL expressions to generate matchLabels.
@@ -299,24 +297,3 @@ func excludeLabels(podList corev1.PodList, excludeMap map[string]string) map[str
 return remainingLabels
 }
-
-// ProcessMatchLabels processes any/all fields to generate matchLabels.
-func ProcessMatchLabels(any, all []v1.ResourceFilter) (map[string]string, error) {
- matchLabels := make(map[string]string)
-
- // Process logic for Any field.
- for _, filter := range any {
- for key, value := range filter.Resources.MatchLabels {
- matchLabels[key] = value
- }
- }
-
- // Process logic for All field.
- for _, filter := range all {
- for key, value := range filter.Resources.MatchLabels {
- matchLabels[key] = value
- }
- }
-
- return matchLabels, nil
-}
diff --git a/pkg/processor/policybuilder/nimbuspolicy_builder.go b/pkg/processor/policybuilder/nimbuspolicy_builder.go
index f57a037a..be3a2c76 100644
--- a/pkg/processor/policybuilder/nimbuspolicy_builder.go
+++ b/pkg/processor/policybuilder/nimbuspolicy_builder.go
@@ -14,7 +14,7 @@ import (
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
- v1 "github.com/5GSEC/nimbus/api/v1"
+ v1 "github.com/5GSEC/nimbus/api/v1alpha1"
 processorerrors "github.com/5GSEC/nimbus/pkg/processor/errors"
 "github.com/5GSEC/nimbus/pkg/processor/intentbinder"
 )
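Review bot: The new import line in nimbuspolicy_builder.go aliases `github.com/5GSEC/nimbus/api/v1alpha1` as `v1`, whereas every other file in this commit aliases it `v1alpha1`; a reader of `v1.NimbusPolicySpec` in this file will assume the old API version is still in use. Renaming the alias to `v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"` and updating the references below keeps the identifier consistent with the version it imports.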
@@ -42,7 +42,7 @@ func BuildNimbusPolicy(ctx context.Context, logger logr.Logger, k8sClient client
 })
 }
- matchLabels, err := extractSelector(ctx, k8sClient, sib.Namespace, sib.Spec.Selector)
+ matchLabels, err := extractSelector(ctx, k8sClient, sib.Namespace, sib.Spec.Selector.WorkloadSelector, sib.Spec.CEL)
 if err != nil {
 return nil, err
 }
@@ -57,7 +57,7 @@ func BuildNimbusPolicy(ctx context.Context, logger logr.Logger, k8sClient client
 Labels: sib.Labels,
 },
 Spec: v1.NimbusPolicySpec{
- Selector: v1.NimbusSelector{
+ Selector: v1.LabelSelector{
 MatchLabels: matchLabels,
 },
 NimbusRules: nimbusRules,
@@ -73,12 +73,12 @@ func BuildNimbusPolicy(ctx context.Context, logger logr.Logger, k8sClient client
 }
 // extractSelector extracts match labels from a Selector.
-func extractSelector(ctx context.Context, k8sClient client.Client, namespace string, selector v1.Selector) (map[string]string, error) {
+func extractSelector(ctx context.Context, k8sClient client.Client, namespace string, selector v1.LabelSelector, cel []string) (map[string]string, error) {
 matchLabels := make(map[string]string) // Initialize map for match labels.
 // Process CEL expressions.
- if len(selector.CEL) > 0 {
- celExpressions := selector.CEL
+ if len(cel) > 0 {
+ celExpressions := cel
 celMatchLabels, err := ProcessCEL(ctx, k8sClient, namespace, celExpressions)
 if err != nil {
 return nil, fmt.Errorf("error processing CEL: %v", err)
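Review bot: The doc comment `// extractSelector extracts match labels from a Selector.` no longer describes the function, which now takes a LabelSelector plus a separate cel slice; suggest `// extractSelector merges the labels produced by the CEL expressions with the` / `// workload selector's matchLabels; the selector's labels are applied last.` The wrapped error on the last line of the hunk, `fmt.Errorf("error processing CEL: %v", err)`, uses %v, so callers cannot inspect the cause with errors.Is/As; `%w` is the idiomatic form and costs nothing here. extractSelector continues past this hunk.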
@@ -88,16 +88,58 @@ func extractSelector(ctx context.Context, k8sClient client.Client, namespace str
 }
 }
- // Process Any/All fields.
- if len(selector.Any) > 0 || len(selector.All) > 0 {
- matchLabelsFromAnyAll, err := ProcessMatchLabels(selector.Any, selector.All)
- if err != nil {
- return nil, fmt.Errorf("error processing Any/All match labels: %v", err)
- }
- for key, value := range matchLabelsFromAnyAll {
+ // Process the workload selector
+ if len(selector.MatchLabels) > 0 {
+ for key, value := range selector.MatchLabels {
 matchLabels[key] = value
 }
 }
 return matchLabels, nil
 }
+
+// BuildNimbusPolicyFromClusterBinding generates a NimbusPolicy based on given ClusterSecurityIntentBinding.
+func BuildNimbusPolicyFromClusterBinding(ctx context.Context, logger logr.Logger, k8sClient client.Client, scheme *runtime.Scheme, csib v1.ClusterSecurityIntentBinding, ns string) (*v1.NimbusPolicy, error) {
+ logger.Info("Building NimbusPolicy")
+
+ intents := intentbinder.ExtractIntents(ctx, k8sClient, &csib)
+ if len(intents) == 0 {
+ logger.Info("NimbusPolicy creation aborted since no SecurityIntents found")
+ return nil, processorerrors.ErrSecurityIntentsNotFound
+ }
+
+ var nimbusRules []v1.NimbusRules
+ for _, intent := range intents {
+ nimbusRules = append(nimbusRules, v1.NimbusRules{
+ ID: intent.Spec.Intent.ID,
+ Description: intent.Spec.Intent.Description,
+ Rule: v1.Rule{
+ RuleAction: intent.Spec.Intent.Action,
+ Params: intent.Spec.Intent.Params,
+ },
+ })
+ }
+
+ // set the namespace to the parameter passed
+ // A prefix is added to the name of the policy
+ nimbusPolicy := &v1.NimbusPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "nimbus-ctlr-gen-" + csib.Name,
+ Namespace: ns,
+ Labels: csib.Labels,
+ },
+ Spec: v1.NimbusPolicySpec{
+ Selector: v1.LabelSelector{
+ MatchLabels: csib.Spec.Selector.WorkloadSelector.MatchLabels,
+ },
+ NimbusRules: nimbusRules,
+ },
+ }
+
+ if err := ctrl.SetControllerReference(&csib, nimbusPolicy, scheme); err != nil {
+ return
nil, errors.Wrap(err, "failed to set NimbusPolicy OwnerReference")
+ }
+
+ logger.Info("NimbusPolicy built successfully", "NimbusPolicy.Name", nimbusPolicy.Name, "NimbusPolicy.Namespace", nimbusPolicy.Namespace)
+ return nimbusPolicy, nil
+}
diff --git a/tests/controllers/clustersecurityintentbinding/excludename/README.md b/tests/controllers/clustersecurityintentbinding/excludename/README.md
new file mode 100644
index 00000000..4d67fad5
--- /dev/null
+++ b/tests/controllers/clustersecurityintentbinding/excludename/README.md
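Review bot: The generated name is `"nimbus-ctlr-gen-" + csib.Name`, but the chainsaw test added in this commit looks up `nimbus-ctrl-gen-escape-to-host` (ctlr vs ctrl), so every "absence" step in that test passes whether or not a NimbusPolicy exists, since `kubectl get` on a name that is never produced always errors; the positive prod check uses an assert file not shown here, so it may or may not catch this. The prefix should live in one exported constant that the builder, the adapters and the test fixtures all reference, e.g. `const ClusterGeneratedNpPrefix = "nimbus-ctrl-gen-"`, with the two comments above the literal folded into the constant's doc comment. The prefix is also the only thing separating cluster-generated policies from those a namespaced SecurityIntentBinding produces in the same namespace, which is one more reason to document it in a single place. The nimbusRules loop duplicated from BuildClusterNimbusPolicy is noted on that hunk.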
@@ -0,0 +1,200 @@
+# Test: `exclude-names-add-csib`
+
+1. Add dev, staging, prod ns 2. Adds a csib for excludeNames with dev, staging 3. Update csib for excludeNames with dev, prod, regional 4. Add a ns with name management - this ns is not part of the excludeNames
+ Add a ns with name regional - this is part of the excludeNames
+
+
+## Steps
+
+| # | Name | Bindings | Try | Catch | Finally |
+|:-:|---|:-:|:-:|:-:|:-:|
+| 1 | [1. Create prod, dev, staging Namespaces](#step-1. Create prod, dev, staging Namespaces) | 0 | 1 | 0 | 0 |
+| 2 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 |
+| 3 | [2. Create a ClusterSecurityIntentBinding](#step-2. Create a ClusterSecurityIntentBinding) | 0 | 1 | 0 | 0 |
+| 4 | [Verify ClusterNimbusPolicy creation](#step-Verify ClusterNimbusPolicy creation) | 0 | 1 | 0 | 0 |
+| 5 | [Verify NimbusPolicy absence in dev namespace](#step-Verify NimbusPolicy absence in dev namespace) | 0 | 1 | 0 | 0 |
+| 6 | [Verify NimbusPolicy absence in staging namespace](#step-Verify NimbusPolicy absence in staging namespace) | 0 | 1 | 0 | 0 |
+| 7 | [Verify NimbusPolicy creation in prod](#step-Verify NimbusPolicy creation in prod) | 0 | 1 | 0 | 0 |
+| 8 | [3. Update the ClusterSecurityIntentBinding to have dev, prod, regional in excludeNames](#step-3. Update the ClusterSecurityIntentBinding to have dev, prod, regional in excludeNames) | 0 | 1 | 0 | 0 |
+| 9 | [Verify ClusterNimbusPolicy presence](#step-Verify ClusterNimbusPolicy presence) | 0 | 1 | 0 | 0 |
+| 10 | [Verify NimbusPolicy absence in dev namespace](#step-Verify NimbusPolicy absence in dev namespace) | 0 | 1 | 0 | 0 |
+| 11 | [Verify NimbusPolicy absence in prod namespace](#step-Verify NimbusPolicy absence in prod namespace) | 0 | 1 | 0 | 0 |
+| 12 | [4. Create the management, regional namespaces](#step-4.
Create the management, regional namespaces) | 0 | 1 | 0 | 0 |
+| 13 | [Verify ClusterNimbusPolicy presence](#step-Verify ClusterNimbusPolicy presence) | 0 | 1 | 0 | 0 |
+| 14 | [Verify NimbusPolicy absence in dev namespace](#step-Verify NimbusPolicy absence in dev namespace) | 0 | 1 | 0 | 0 |
+| 15 | [Verify NimbusPolicy absence in dev namespace](#step-Verify NimbusPolicy absence in dev namespace) | 0 | 1 | 0 | 0 |
+| 16 | [Verify NimbusPolicy absence in prod namespace](#step-Verify NimbusPolicy absence in prod namespace) | 0 | 1 | 0 | 0 |
+| 17 | [Verify NimbusPolicy absence in regional namespace](#step-Verify NimbusPolicy absence in regional namespace) | 0 | 1 | 0 | 0 |
+
+### Step: `1. Create prod, dev, staging Namespaces`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Create a SecurityIntent`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `2.
Create a ClusterSecurityIntentBinding`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify ClusterNimbusPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy absence in dev namespace`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy absence in staging namespace`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy creation in prod`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `3. Update the ClusterSecurityIntentBinding to have dev, prod, regional in excludeNames`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify ClusterNimbusPolicy presence`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify N
imbusPolicy absence in dev namespace`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy absence in prod namespace`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `4.
Create the management, regional namespaces`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify ClusterNimbusPolicy presence`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy absence in dev namespace`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy absence in dev namespace`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy absence in prod namespace`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy absence in regional namespace`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+---
+
diff --git a/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml b/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml
new file mode 100644
index 00000000..d53368b4
--- /dev/null
+++ b/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml
@@ -0,0 +1,115 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: exclude-names-add-csib +spec: + description: > + 1. Add dev, staging, prod ns + 2. Adds a csib for excludeNames with dev, staging + 3. Update csib for excludeNames with dev, prod, regional + 4. Add a ns with name management - this ns is not part of the excludeNames + Add a ns with name regional - this is part of the excludeNames + steps: + - name: "1. Create prod, dev, staging Namespaces" + try: + - apply: + file: ns.yaml + + - name: "Create a SecurityIntent" + try: + - apply: + file: ../../resources/namespaced/escape-to-host-si.yaml + + - name: "2. Create a ClusterSecurityIntentBinding" + try: + - apply: + file: escape-to-host-csib.yaml + + - name: "Verify ClusterNimbusPolicy creation" + try: + - assert: + file: cluster-nimbus-policy-assert.yaml + + - name: "Verify NimbusPolicy absence in dev namespace" + try: + - script: + content: kubectl -n dev get np nimbus-ctrl-gen-escape-to-host + check: + ($error != null): true + + - name: "Verify NimbusPolicy absence in staging namespace" + try: + - script: + content: kubectl -n staging get np nimbus-ctrl-gen-escape-to-host + check: + ($error != null): true + + - name: "Verify NimbusPolicy creation in prod" + try: + - assert: + file: nimbus-policy-assert-prod.yaml + + - name: "3. 
Update the ClusterSecurityIntentBinding to have dev, prod, regional in excludeNames" + try: + - apply: + file: escape-to-host-dev-prod-regional-csib.yaml + + - name: "Verify ClusterNimbusPolicy presence" + try: + - assert: + file: cluster-nimbus-policy-assert.yaml + + - name: "Verify NimbusPolicy absence in dev namespace" + try: + - script: + content: kubectl -n dev get np nimbus-ctrl-gen-escape-to-host + check: + ($error != null): true + + - name: "Verify NimbusPolicy absence in prod namespace" + try: + - script: + content: kubectl -n prod get np nimbus-ctrl-gen-escape-to-host + check: + ($error != null): true + + - name: "4. Create the management, regional namespaces" + try: + - apply: + file: ns-regional-mgmt.yaml + + - name: "Verify ClusterNimbusPolicy presence" + try: + - assert: + file: cluster-nimbus-policy-assert.yaml + + - name: "Verify NimbusPolicy absence in dev namespace" + try: + - script: + content: kubectl -n dev get np nimbus-ctrl-gen-escape-to-host + check: + ($error != null): true + + - name: "Verify NimbusPolicy absence in prod namespace" + try: + - script: + content: kubectl -n prod get np nimbus-ctrl-gen-escape-to-host + check: + ($error != null): true + + - name: "Verify NimbusPolicy absence in prod namespace" + try: + - script: + content: kubectl -n prod get np nimbus-ctrl-gen-escape-to-host + check: + ($error != null): true + + - name: "Verify NimbusPolicy absence in regional namespace" + try: + - script: + content: kubectl -n regional get np nimbus-ctrl-gen-escape-to-host + check: + ($error != null): true diff --git a/tests/controllers/clustersecurityintentbinding/excludename/cluster-nimbus-policy-assert.yaml b/tests/controllers/clustersecurityintentbinding/excludename/cluster-nimbus-policy-assert.yaml new file mode 100644 index 00000000..4b842ca9 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/excludename/cluster-nimbus-policy-assert.yaml 
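Review bot: Every `script` absence check in this test queries `nimbus-ctrl-gen-escape-to-host`, while the assert fixtures in this directory (for example `nimbus-policy-assert-prod.yaml`) expect the controller to name the policy `nimbus-ctlr-gen-escape-to-host`; with the misspelt name `kubectl get` fails in every namespace, so `($error != null): true` is satisfied whether or not a NimbusPolicy exists and the exclusion is never actually verified. The same `ctrl`/`ctlr` mismatch is in matchall/chainsaw-test.yaml ("Verify the NimbusPolicy deletion") and matchname/chainsaw-test.yaml ("Verify NimbusPolicy absence in prod"). Use the generated name in each of those steps, e.g. `content: kubectl -n dev get np nimbus-ctlr-gen-escape-to-host`. Step 4 also creates the `management` namespace, which the description says is not excluded, yet never asserts that a policy appears there even though `nimbus-policy-assert-management.yaml` is added in the same commit; an `assert` step with `file: nimbus-policy-assert-management.yaml` would turn the unused fixture into a positive check, and the duplicated "Verify NimbusPolicy absence in prod namespace" step at the end can be dropped.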
@@ -0,0 +1,21 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: ClusterNimbusPolicy +metadata: + name: escape-to-host + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: ClusterSecurityIntentBinding + name: escape-to-host +spec: + rules: + - description: A attacker can breach container boundaries and can gain access to the + host machine + id: escapeToHost + rule: + action: Block + diff --git a/tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-csib.yaml b/tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-csib.yaml new file mode 100644 index 00000000..17011f62 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-csib.yaml @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: ClusterSecurityIntentBinding +metadata: + name: escape-to-host +spec: + intents: + - name: escape-to-host + selector: + nsSelector: + excludeNames: + - dev + - staging diff --git a/tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-dev-prod-regional-csib.yaml b/tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-dev-prod-regional-csib.yaml new file mode 100644 index 00000000..6d009200 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-dev-prod-regional-csib.yaml @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: ClusterSecurityIntentBinding +metadata: + name: escape-to-host +spec: + intents: + - name: escape-to-host + selector: + nsSelector: + matchNames: + - dev + - prod + - regional 
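Review bot: `escape-to-host-dev-prod-regional-csib.yaml` sets `nsSelector.matchNames` for dev, prod and regional, but the step that applies it ("3. Update the ClusterSecurityIntentBinding to have dev, prod, regional in excludeNames") and the test description both describe an `excludeNames` update. Judging by the matchname test, `matchNames` makes the controller create NimbusPolicies in the listed namespaces, which is the opposite of what the absence steps that follow assert for dev and prod; those steps only pass because their scripts query a differently spelled policy name. Change the key to `excludeNames:` so the fixture matches the scenario, and since `staging` then stops being excluded at step 3, add an explicit assert for it (a `nimbus-policy-assert-staging.yaml` already exists in this directory and is otherwise unused).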
diff --git a/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-dev.yaml b/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-dev.yaml new file mode 100644 index 00000000..8dff66ed --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-dev.yaml @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: NimbusPolicy +metadata: + name: nimbus-ctlr-gen-escape-to-host + namespace: dev + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: ClusterSecurityIntentBinding + name: escape-to-host +spec: + rules: + - description: A attacker can breach container boundaries and can gain access to + the host machine + id: escapeToHost + rule: + action: Block diff --git a/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-management.yaml b/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-management.yaml new file mode 100644 index 00000000..dc24d685 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-management.yaml @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: NimbusPolicy +metadata: + name: nimbus-ctlr-gen-escape-to-host + namespace: management + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: ClusterSecurityIntentBinding + name: escape-to-host +spec: + rules: + - description: A attacker can breach container boundaries and can gain access to + the host machine + id: escapeToHost + rule: + action: Block 
diff --git a/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-prod.yaml b/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-prod.yaml new file mode 100644 index 00000000..fdaa7bdb --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-prod.yaml @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: NimbusPolicy +metadata: + name: nimbus-ctlr-gen-escape-to-host + namespace: prod + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: ClusterSecurityIntentBinding + name: escape-to-host +spec: + rules: + - description: A attacker can breach container boundaries and can gain access to + the host machine + id: escapeToHost + rule: + action: Block diff --git a/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-staging.yaml b/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-staging.yaml new file mode 100644 index 00000000..fb3122c0 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-staging.yaml @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: NimbusPolicy +metadata: + name: nimbus-ctlr-gen-escape-to-host + namespace: staging + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: ClusterSecurityIntentBinding + name: escape-to-host +spec: + rules: + - description: A attacker can breach container boundaries and can gain access to + the host machine + id: escapeToHost + rule: + action: Block 
diff --git a/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert.yaml b/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert.yaml new file mode 100644 index 00000000..48307f9b --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert.yaml @@ -0,0 +1,20 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: NimbusPolicy +metadata: + name: nimbus-ctlr-gen-dns-manipulation-binding + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: ClusterSecurityIntentBinding + name: dns-manipulation-binding +spec: + rules: + - description: A attacker can breach container boundaries and can gain access to + the host machine + id: escapeToHost + rule: + action: Block \ No newline at end of file diff --git a/tests/controllers/clustersecurityintentbinding/excludename/ns-regional-mgmt.yaml b/tests/controllers/clustersecurityintentbinding/excludename/ns-regional-mgmt.yaml new file mode 100644 index 00000000..221b47b8 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/excludename/ns-regional-mgmt.yaml @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: v1 +kind: Namespace +metadata: + name: management +--- +apiVersion: v1 +kind: Namespace +metadata: + name: regional \ No newline at end of file diff --git a/tests/controllers/clustersecurityintentbinding/excludename/ns.yaml b/tests/controllers/clustersecurityintentbinding/excludename/ns.yaml new file mode 100644 index 00000000..48c5e248 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/excludename/ns.yaml 
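Review bot: `excludename/nimbus-policy-assert.yaml` is not referenced by any step in `excludename/chainsaw-test.yaml`, and its contents do not belong to this scenario: the policy is named `nimbus-ctlr-gen-dns-manipulation-binding` and owned by `dns-manipulation-binding`, while the rule is `escapeToHost`, so it looks like a copy of the matchall fixture with only the rule swapped. An assert against it could never match an object the controller creates for the `escape-to-host` binding. Either remove the file or change it to `name: nimbus-ctlr-gen-escape-to-host` with owner `name: escape-to-host` and wire it into a step.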
@@ -0,0 +1,17 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: v1 +kind: Namespace +metadata: + name: dev +--- +apiVersion: v1 +kind: Namespace +metadata: + name: staging +--- +apiVersion: v1 +kind: Namespace +metadata: + name: prod \ No newline at end of file diff --git a/tests/controllers/clustersecurityintentbinding/matchall/README.md b/tests/controllers/clustersecurityintentbinding/matchall/README.md new file mode 100644 index 00000000..26f9c2d4 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/matchall/README.md 
@@ -0,0 +1,232 @@ +# Test: `multiple-ns-add-csib` + +1. Create prod, dev, staging ns 2. Add security intent 3. Add csib 4. Delete prod namespace 5. Create prod namespace again + + +## Steps + +| # | Name | Bindings | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:|:-:| +| 1 | [Create prod, dev, staging Namespaces](#step-Create prod, dev, staging Namespaces) | 0 | 1 | 0 | 0 | +| 2 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | +| 3 | [Create a ClusterSecurityIntentBinding](#step-Create a ClusterSecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 4 | [Verify ClusterNimbusPolicy creation](#step-Verify ClusterNimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 5 | [Verify NimbusPolicy creation in default](#step-Verify NimbusPolicy creation in default) | 0 | 1 | 0 | 0 | +| 6 | [Verify NimbusPolicy creation in dev namespace](#step-Verify NimbusPolicy creation in dev namespace) | 0 | 1 | 0 | 0 | +| 7 | [Verify NimbusPolicy creation in staging namespace](#step-Verify NimbusPolicy creation in staging namespace) | 0 | 1 | 0 | 0 | +| 8 | [Verify NimbusPolicy creation in prod namespace](#step-Verify NimbusPolicy creation in prod namespace) | 0 | 1 | 0 | 0 | +| 9 | [Delete prod namespace](#step-Delete prod namespace) | 0 | 1 | 0 | 0 | +| 10 | [Verify the NimbusPolicy deletion](#step-Verify the NimbusPolicy deletion) | 0 | 1 | 0 | 0 | +| 11 | [Verify ClusterNimbusPolicy presence](#step-Verify ClusterNimbusPolicy presence) | 0 | 1 | 0 | 0 | +| 12 | [Verify NimbusPolicy presence in default](#step-Verify NimbusPolicy presence in default) | 0 | 1 | 0 | 0 | +| 13 | [Verify NimbusPolicy presence in dev namespace](#step-Verify NimbusPolicy presence in dev namespace) | 0 | 1 | 0 | 0 | +| 14 | [Verify NimbusPolicy presence in staging namespace](#step-Verify NimbusPolicy presence in staging namespace) | 0 | 1 | 0 | 0 | +| 15 | [Create prod Namespace again](#step-Create prod Namespace again) | 0 | 1 | 0 | 0 | +| 16 | [Verify ClusterNimbusPolicy presence](#step-Verify 
ClusterNimbusPolicy presence) | 0 | 1 | 0 | 0 | +| 17 | [Verify NimbusPolicy presence in default](#step-Verify NimbusPolicy presence in default) | 0 | 1 | 0 | 0 | +| 18 | [Verify NimbusPolicy presence in dev namespace](#step-Verify NimbusPolicy presence in dev namespace) | 0 | 1 | 0 | 0 | +| 19 | [Verify NimbusPolicy presence in staging namespace](#step-Verify NimbusPolicy presence in staging namespace) | 0 | 1 | 0 | 0 | +| 20 | [Verify NimbusPolicy creation in prod namespace](#step-Verify NimbusPolicy creation in prod namespace) | 0 | 1 | 0 | 0 | + +### Step: `Create prod, dev, staging Namespaces` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | + +### Step: `Create a SecurityIntent` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | + +### Step: `Create a ClusterSecurityIntentBinding` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | + +### Step: `Verify ClusterNimbusPolicy creation` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy creation in default` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy creation in dev namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy creation in staging namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | 
*No description* | + +### Step: `Verify NimbusPolicy creation in prod namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Delete prod namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `delete` | 0 | 0 | *No description* | + +### Step: `Verify the NimbusPolicy deletion` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | + +### Step: `Verify ClusterNimbusPolicy presence` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy presence in default` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy presence in dev namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy presence in staging namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Create prod Namespace again` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | + +### Step: `Verify ClusterNimbusPolicy presence` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy presence in default` + +*No description* + +#### Try + +| # | 
Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy presence in dev namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy presence in staging namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy creation in prod namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +--- + diff --git a/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml b/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml new file mode 100644 index 00000000..81656de0 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml 
@@ -0,0 +1,131 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: multiple-ns-add-csib +spec: + description: > + 1. Create prod, dev, staging ns + 2. Add security intent + 3. Add csib + 4. Delete prod namespace + 5. Create prod namespace again + steps: + - name: "Create prod, dev, staging Namespaces" + try: + - apply: + file: ns.yaml + + - name: "Create a SecurityIntent" + try: + - apply: + file: ../../resources/namespaced/dns-manipulation-si.yaml + + - name: "Create a ClusterSecurityIntentBinding" + try: + - apply: + file: dns-manipulation-csib.yaml + + - name: "Verify ClusterNimbusPolicy creation" + try: + - assert: + file: cluster-nimbus-policy-assert.yaml + + - name: "Verify NimbusPolicy creation in default" + try: + - assert: + file: nimbus-policy-assert.yaml + + - name: "Verify NimbusPolicy creation in dev namespace" + try: + - assert: + file: nimbus-policy-assert-dev.yaml + + - name: "Verify NimbusPolicy creation in staging namespace" + try: + - assert: + file: nimbus-policy-assert-staging.yaml + + - name: "Verify NimbusPolicy creation in prod namespace" + try: + - assert: + file: nimbus-policy-assert-prod.yaml + + - name: "Delete prod namespace" + try: + - delete: + ref: + apiVersion: v1 + kind: namespace + name: prod + expect: + - match: + # this check applies only if the match + # statement below evaluates to `true` + apiVersion: v1 + kind: namespace + name: prod + check: + # an error is expected, this will: + # - succeed if the operation failed + # - fail if the operation succeeded + ($error != null): true + + - name: "Verify the NimbusPolicy deletion" + try: + - script: + content: kubectl -n prod get np nimbus-ctrl-gen-dns-manipulation-binding + check: + ($error != null): true + + - name: "Verify ClusterNimbusPolicy presence" + try: + - assert: + file: cluster-nimbus-policy-assert.yaml + + - name: "Verify NimbusPolicy presence in default" + try: + - 
assert: + file: nimbus-policy-assert.yaml + + - name: "Verify NimbusPolicy presence in dev namespace" + try: + - assert: + file: nimbus-policy-assert-dev.yaml + + - name: "Verify NimbusPolicy presence in staging namespace" + try: + - assert: + file: nimbus-policy-assert-staging.yaml + + - name: "Create prod Namespace again" + try: + - apply: + file: ns.yaml + + - name: "Verify ClusterNimbusPolicy presence" + try: + - assert: + file: cluster-nimbus-policy-assert.yaml + + - name: "Verify NimbusPolicy presence in default" + try: + - assert: + file: nimbus-policy-assert.yaml + + - name: "Verify NimbusPolicy presence in dev namespace" + try: + - assert: + file: nimbus-policy-assert-dev.yaml + + - name: "Verify NimbusPolicy presence in staging namespace" + try: + - assert: + file: nimbus-policy-assert-staging.yaml + + - name: "Verify NimbusPolicy creation in prod namespace" + try: + - assert: + file: nimbus-policy-assert-prod.yaml diff --git a/tests/controllers/clustersecurityintentbinding/matchall/cluster-nimbus-policy-assert.yaml b/tests/controllers/clustersecurityintentbinding/matchall/cluster-nimbus-policy-assert.yaml new file mode 100644 index 00000000..6a3c27bb --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/matchall/cluster-nimbus-policy-assert.yaml @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: ClusterNimbusPolicy +metadata: + name: dns-manipulation-binding + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: ClusterSecurityIntentBinding + name: dns-manipulation-binding +spec: + rules: + - description: An adversary can manipulate DNS requests to redirect network traffic + and potentially reveal end user activity. + id: dnsManipulation + rule: + action: Block + 
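Review bot: The "Delete prod namespace" step declares `expect` with `check: ($error != null): true`, which, if I read chainsaw's delete semantics correctly, makes the step pass only when the delete operation itself errors; a clean namespace deletion would then fail the test, and nothing in the scenario explains why deleting `prod` should fail. The matchname test's "Delete staging namespace" step uses the same `expect` block. If the intent is simply to proceed after deletion, drop the `expect` block and let the following "Verify the NimbusPolicy deletion" step do the checking. The `ref` also spells the kind as `kind: namespace`; the API kind is `Namespace`, and if chainsaw's mapper is case-sensitive the reference will not resolve, so `kind: Namespace` is the safer spelling in both tests.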
diff --git a/tests/controllers/clustersecurityintentbinding/matchall/dns-manipulation-csib.yaml b/tests/controllers/clustersecurityintentbinding/matchall/dns-manipulation-csib.yaml new file mode 100644 index 00000000..723ab43e --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/matchall/dns-manipulation-csib.yaml @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: ClusterSecurityIntentBinding +metadata: + name: dns-manipulation-binding +spec: + intents: + - name: dns-manipulation + selector: + nsSelector: + matchNames: + - "*" diff --git a/tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-dev.yaml b/tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-dev.yaml new file mode 100644 index 00000000..58a97d64 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-dev.yaml @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: NimbusPolicy +metadata: + name: nimbus-ctlr-gen-dns-manipulation-binding + namespace: dev + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: ClusterSecurityIntentBinding + name: dns-manipulation-binding +spec: + rules: + - description: An adversary can manipulate DNS requests to redirect network traffic + and potentially reveal end user activity. + id: dnsManipulation + rule: + action: Block \ No newline at end of file diff --git a/tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-prod.yaml b/tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-prod.yaml new file mode 100644 index 00000000..05a6d334 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-prod.yaml 
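Review bot: `dns-manipulation-csib.yaml` is the only fixture that relies on `matchNames: - "*"`, and nothing in the test tree says whether `"*"` is a literal sentinel for every namespace or a glob pattern, nor how it composes with `excludeNames`. Because the bound intent applies a `Block` action wherever it lands, a comment above `matchNames` stating the actual semantics, for example `# "*" selects every namespace in the cluster, not a glob`, would make the sample self-explaining. The test only asserts the policy in namespaces it created itself (plus `default`); asserting one pre-existing namespace would show the wildcard is not limited to the test's own namespaces.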
@@ -0,0 +1,21 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: NimbusPolicy +metadata: + name: nimbus-ctlr-gen-dns-manipulation-binding + namespace: prod + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: ClusterSecurityIntentBinding + name: dns-manipulation-binding +spec: + rules: + - description: An adversary can manipulate DNS requests to redirect network traffic + and potentially reveal end user activity. + id: dnsManipulation + rule: + action: Block \ No newline at end of file diff --git a/tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-staging.yaml b/tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-staging.yaml new file mode 100644 index 00000000..823bc93c --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-staging.yaml @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: NimbusPolicy +metadata: + name: nimbus-ctlr-gen-dns-manipulation-binding + namespace: staging + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: ClusterSecurityIntentBinding + name: dns-manipulation-binding +spec: + rules: + - description: An adversary can manipulate DNS requests to redirect network traffic + and potentially reveal end user activity. + id: dnsManipulation + rule: + action: Block \ No newline at end of file diff --git a/tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert.yaml b/tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert.yaml new file mode 100644 index 00000000..dc2111f3 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert.yaml 
@@ -0,0 +1,20 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: NimbusPolicy +metadata: + name: nimbus-ctlr-gen-dns-manipulation-binding + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: ClusterSecurityIntentBinding + name: dns-manipulation-binding +spec: + rules: + - description: An adversary can manipulate DNS requests to redirect network traffic + and potentially reveal end user activity. + id: dnsManipulation + rule: + action: Block \ No newline at end of file diff --git a/tests/controllers/clustersecurityintentbinding/matchall/ns.yaml b/tests/controllers/clustersecurityintentbinding/matchall/ns.yaml new file mode 100644 index 00000000..48c5e248 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/matchall/ns.yaml @@ -0,0 +1,17 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: v1 +kind: Namespace +metadata: + name: dev +--- +apiVersion: v1 +kind: Namespace +metadata: + name: staging +--- +apiVersion: v1 +kind: Namespace +metadata: + name: prod \ No newline at end of file diff --git a/tests/controllers/clustersecurityintentbinding/matchname/README.md b/tests/controllers/clustersecurityintentbinding/matchname/README.md new file mode 100644 index 00000000..18c4b115 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/matchname/README.md 
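Review bot: `matchall/nimbus-policy-assert.yaml` backs the "Verify NimbusPolicy creation in default" step but carries no `metadata.namespace`; as far as I recall, chainsaw resolves a namespaced assert without a namespace against the per-test namespace it creates, not against `default`, so the step most likely checks the ephemeral test namespace and passes only because the `"*"` selector also covers it. Add `namespace: default` under `metadata`, as the dev/staging/prod fixtures do, so the step verifies what its name says. The same omission is in `excludename/nimbus-policy-assert.yaml`, though that file is not referenced by its test.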
@@ -0,0 +1,188 @@ +# Test: `match-names-add-csib` + +1. Adds a csib for matchNames with dev, staging 2. Delete staging ns 3. Update csib for matchNames with dev, prod + + +## Steps + +| # | Name | Bindings | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:|:-:| +| 1 | [Create prod, dev, staging Namespaces](#step-Create prod, dev, staging Namespaces) | 0 | 1 | 0 | 0 | +| 2 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | +| 3 | [Create a ClusterSecurityIntentBinding](#step-Create a ClusterSecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 4 | [Verify ClusterNimbusPolicy creation](#step-Verify ClusterNimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 5 | [Verify NimbusPolicy creation in dev namespace](#step-Verify NimbusPolicy creation in dev namespace) | 0 | 1 | 0 | 0 | +| 6 | [Verify NimbusPolicy creation in staging namespace](#step-Verify NimbusPolicy creation in staging namespace) | 0 | 1 | 0 | 0 | +| 7 | [Verify NimbusPolicy absence in prod](#step-Verify NimbusPolicy absence in prod) | 0 | 1 | 0 | 0 | +| 8 | [Delete staging namespace](#step-Delete staging namespace) | 0 | 1 | 0 | 0 | +| 9 | [Verify the NimbusPolicy deletion in staging](#step-Verify the NimbusPolicy deletion in staging) | 0 | 1 | 0 | 0 | +| 10 | [Verify ClusterNimbusPolicy presence](#step-Verify ClusterNimbusPolicy presence) | 0 | 1 | 0 | 0 | +| 11 | [Verify NimbusPolicy presence in dev namespace](#step-Verify NimbusPolicy presence in dev namespace) | 0 | 1 | 0 | 0 | +| 12 | [Verify NimbusPolicy absence in prod](#step-Verify NimbusPolicy absence in prod) | 0 | 1 | 0 | 0 | +| 13 | [Update the ClusterSecurityIntentBinding to add prod](#step-Update the ClusterSecurityIntentBinding to add prod) | 0 | 1 | 0 | 0 | +| 14 | [Verify ClusterNimbusPolicy presence](#step-Verify ClusterNimbusPolicy presence) | 0 | 1 | 0 | 0 | +| 15 | [Verify NimbusPolicy presence in dev namespace](#step-Verify NimbusPolicy presence in dev namespace) | 0 | 1 | 0 | 0 | +| 16 | [Verify NimbusPolicy presence in prod 
namespace](#step-Verify NimbusPolicy presence in prod namespace) | 0 | 1 | 0 | 0 | + +### Step: `Create prod, dev, staging Namespaces` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | + +### Step: `Create a SecurityIntent` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | + +### Step: `Create a ClusterSecurityIntentBinding` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | + +### Step: `Verify ClusterNimbusPolicy creation` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy creation in dev namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy creation in staging namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy absence in prod` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | + +### Step: `Delete staging namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `delete` | 0 | 0 | *No description* | + +### Step: `Verify the NimbusPolicy deletion in staging` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | + +### Step: `Verify ClusterNimbusPolicy 
presence` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy presence in dev namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy absence in prod` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | + +### Step: `Update the ClusterSecurityIntentBinding to add prod` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | + +### Step: `Verify ClusterNimbusPolicy presence` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy presence in dev namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy presence in prod namespace` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +--- + diff --git a/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml b/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml new file mode 100644 index 00000000..3c878148 --- /dev/null +++ b/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml 
@@ -0,0 +1,101 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: match-names-add-csib
+spec:
+ description: >
+ 1. Adds a csib for matchNames with dev, staging
+ 2. Delete staging ns
+ 3. Update csib for matchNames with dev, prod
+ steps:
+ - name: "Create prod, dev, staging Namespaces"
+ try:
+ - apply:
+ file: ns.yaml
+
+ - name: "Create a SecurityIntent"
+ try:
+ - apply:
+ file: ../../resources/namespaced/escape-to-host-si.yaml
+
+ - name: "Create a ClusterSecurityIntentBinding"
+ try:
+ - apply:
+ file: escape-to-host-csib.yaml
+
+ - name: "Verify ClusterNimbusPolicy creation"
+ try:
+ - assert:
+ file: cluster-nimbus-policy-assert.yaml
+
+ - name: "Verify NimbusPolicy creation in dev namespace"
+ try:
+ - assert:
+ file: nimbus-policy-assert-dev.yaml
+
+ - name: "Verify NimbusPolicy creation in staging namespace"
+ try:
+ - assert:
+ file: nimbus-policy-assert-staging.yaml
+
+ - name: "Verify NimbusPolicy absence in prod"
+ try:
+ - script:
+ content: kubectl -n prod get np nimbus-ctrl-gen-escape-to-host
+ check:
+ ($error != null): true
+
+ - name: "Delete staging namespace"
+ try:
+ - delete:
+ ref:
+ apiVersion: v1
+ kind: namespace
+ name: staging
+ expect:
+ - match:
+ apiVersion: v1
+ kind: namespace
+ name: staging
+ check:
+ ($error != null): true
+
+ - name: "Verify ClusterNimbusPolicy presence"
+ try:
+ - assert:
+ file: cluster-nimbus-policy-assert.yaml
+
+ - name: "Verify NimbusPolicy presence in dev namespace"
+ try:
+ - assert:
+ file: nimbus-policy-assert-dev.yaml
+
+ - name: "Verify NimbusPolicy absence in prod"
+ try:
+ - script:
+ content: kubectl -n prod get np nimbus-ctrl-gen-escape-to-host
+ check:
+ ($error != null): true
+
+ - name: "Update the ClusterSecurityIntentBinding to add prod"
+ try:
+ - apply:
+ file: escape-to-host-dev-prod-csib.yaml
+
+ - name: "Verify ClusterNimbusPolicy presence"
+ try:
+ - assert:
+ file: cluster-nimbus-policy-assert.yaml
+
+ - name: "Verify NimbusPolicy presence in dev namespace"
+ try:
+ - assert:
+ file: nimbus-policy-assert-dev.yaml
+
+ - name: "Verify NimbusPolicy presence in prod namespace"
+ try:
+ - assert:
+ file: nimbus-policy-assert-prod.yaml
diff --git a/tests/controllers/clustersecurityintentbinding/matchname/cluster-nimbus-policy-assert.yaml b/tests/controllers/clustersecurityintentbinding/matchname/cluster-nimbus-policy-assert.yaml
new file mode 100644
index 00000000..4b842ca9
--- /dev/null
+++ b/tests/controllers/clustersecurityintentbinding/matchname/cluster-nimbus-policy-assert.yaml
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: ClusterNimbusPolicy
+metadata:
+ name: escape-to-host
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1alpha1
+ blockOwnerDeletion: true
+ controller: true
+ kind: ClusterSecurityIntentBinding
+ name: escape-to-host
+spec:
+ rules:
+ - description: A attacker can breach container boundaries and can gain access to the
+ host machine
+ id: escapeToHost
+ rule:
+ action: Block
+
diff --git a/tests/controllers/clustersecurityintentbinding/matchname/escape-to-host-csib.yaml b/tests/controllers/clustersecurityintentbinding/matchname/escape-to-host-csib.yaml
new file mode 100644
index 00000000..ef614d1d
--- /dev/null
+++ b/tests/controllers/clustersecurityintentbinding/matchname/escape-to-host-csib.yaml
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: ClusterSecurityIntentBinding
+metadata:
+ name: escape-to-host
+spec:
+ intents:
+ - name: escape-to-host
+ selector:
+ nsSelector:
+ matchNames:
+ - dev
+ - staging
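Review bot: Both "Verify NimbusPolicy absence in prod" steps query `nimbus-ctrl-gen-escape-to-host`, while the assert fixtures added in this commit (nimbus-policy-assert-dev/staging/prod.yaml) expect the name `nimbus-ctlr-gen-escape-to-host`; with the misspelled name the `get` fails whether or not a policy exists in prod, so `($error != null): true` holds trivially and the negative check proves nothing. Use the name the positive asserts use: `content: kubectl -n prod get np nimbus-ctlr-gen-escape-to-host`. The "Delete staging namespace" step is not followed by any check that the staging NimbusPolicy is gone, although the README added in this commit lists a "Verify the NimbusPolicy deletion in staging" script step, so the two should be brought into agreement. The `delete` ref and its `expect.match` use `kind: namespace` whereas ns.yaml uses `kind: Namespace`; if chainsaw's kind resolution is case-sensitive the step will not resolve, so `kind: Namespace` is the safer spelling.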
diff --git a/tests/controllers/clustersecurityintentbinding/matchname/escape-to-host-dev-prod-csib.yaml b/tests/controllers/clustersecurityintentbinding/matchname/escape-to-host-dev-prod-csib.yaml
new file mode 100644
index 00000000..04dd697b
--- /dev/null
+++ b/tests/controllers/clustersecurityintentbinding/matchname/escape-to-host-dev-prod-csib.yaml
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: ClusterSecurityIntentBinding
+metadata:
+ name: escape-to-host
+spec:
+ intents:
+ - name: escape-to-host
+ selector:
+ nsSelector:
+ matchNames:
+ - dev
+ - prod
diff --git a/tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-dev.yaml b/tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-dev.yaml
new file mode 100644
index 00000000..8dff66ed
--- /dev/null
+++ b/tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-dev.yaml
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+ name: nimbus-ctlr-gen-escape-to-host
+ namespace: dev
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1alpha1
+ blockOwnerDeletion: true
+ controller: true
+ kind: ClusterSecurityIntentBinding
+ name: escape-to-host
+spec:
+ rules:
+ - description: A attacker can breach container boundaries and can gain access to
+ the host machine
+ id: escapeToHost
+ rule:
+ action: Block
diff --git a/tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-prod.yaml b/tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-prod.yaml
new file mode 100644
index 00000000..fdaa7bdb
--- /dev/null
+++ b/tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-prod.yaml
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+ name: nimbus-ctlr-gen-escape-to-host
+ namespace: prod
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1alpha1
+ blockOwnerDeletion: true
+ controller: true
+ kind: ClusterSecurityIntentBinding
+ name: escape-to-host
+spec:
+ rules:
+ - description: A attacker can breach container boundaries and can gain access to
+ the host machine
+ id: escapeToHost
+ rule:
+ action: Block
diff --git a/tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-staging.yaml b/tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-staging.yaml
new file mode 100644
index 00000000..fb3122c0
--- /dev/null
+++ b/tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-staging.yaml
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+ name: nimbus-ctlr-gen-escape-to-host
+ namespace: staging
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1alpha1
+ blockOwnerDeletion: true
+ controller: true
+ kind: ClusterSecurityIntentBinding
+ name: escape-to-host
+spec:
+ rules:
+ - description: A attacker can breach container boundaries and can gain access to
+ the host machine
+ id: escapeToHost
+ rule:
+ action: Block
diff --git a/tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert.yaml b/tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert.yaml
new file mode 100644
index 00000000..48307f9b
--- /dev/null
+++ b/tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert.yaml
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+ name: nimbus-ctlr-gen-dns-manipulation-binding
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1alpha1
+ blockOwnerDeletion: true
+ controller: true
+ kind: ClusterSecurityIntentBinding
+ name: dns-manipulation-binding
+spec:
+ rules:
+ - description: A attacker can breach container boundaries and can gain access to
+ the host machine
+ id: escapeToHost
+ rule:
+ action: Block
\ No newline at end of file
diff --git a/tests/controllers/clustersecurityintentbinding/matchname/ns.yaml b/tests/controllers/clustersecurityintentbinding/matchname/ns.yaml
new file mode 100644
index 00000000..48c5e248
--- /dev/null
+++ b/tests/controllers/clustersecurityintentbinding/matchname/ns.yaml
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: dev
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: prod
\ No newline at end of file
diff --git a/tests/controllers/nimbuspolicy/delete/README.md b/tests/controllers/nimbuspolicy/delete/README.md
index c3fb5eac..2f1c80c3 100644
--- a/tests/controllers/nimbuspolicy/delete/README.md
+++ b/tests/controllers/nimbuspolicy/delete/README.md
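Review bot: The new matchname/nimbus-policy-assert.yaml is not referenced by any step of matchname/chainsaw-test.yaml, which asserts against cluster-nimbus-policy-assert.yaml and the per-namespace nimbus-policy-assert-dev/staging/prod.yaml files, and its contents do not match this test: the policy is named `nimbus-ctlr-gen-dns-manipulation-binding` and owned by `dns-manipulation-binding` while carrying the `escapeToHost` rule, and it has no `namespace`. It reads as a copy-paste leftover; either drop the file or align its name, owner and namespace with the fixtures actually used so it cannot become a stale assertion if someone later wires it in.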
@@ -9,7 +9,7 @@ This test validates that when a NimbusPolicy is directly deleted, nimbus automat |:-:|---|:-:|:-:|:-:|:-:| | 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | | 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | -| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 | | 4 | [Delete existing NimbusPolicy](#step-Delete existing NimbusPolicy) | 0 | 1 | 0 | 0 | | 5 | [Verify NimbusPolicy recreation](#step-Verify NimbusPolicy recreation) | 0 | 1 | 0 | 0 | @@ -33,7 +33,7 @@ This test validates that when a NimbusPolicy is directly deleted, nimbus automat |:-:|---|:-:|:-:|---| | 1 | `apply` | 0 | 0 | *No description* | -### Step: `Verity NimbusPolicy creation` +### Step: `Verify NimbusPolicy creation` *No description* diff --git a/tests/controllers/nimbuspolicy/delete/chainsaw-test.yaml b/tests/controllers/nimbuspolicy/delete/chainsaw-test.yaml index 923029bd..20f48713 100644 --- a/tests/controllers/nimbuspolicy/delete/chainsaw-test.yaml +++ b/tests/controllers/nimbuspolicy/delete/chainsaw-test.yaml @@ -20,7 +20,7 @@ spec: - apply: file: ../../resources/namespaced/dns-manipulation-sib.yaml - - name: "Verity NimbusPolicy creation" + - name: "Verify NimbusPolicy creation" try: - assert: file: ../nimbus-policy-assert.yaml @@ -29,12 +29,12 @@ spec: try: - delete: ref: - apiVersion: intent.security.nimbus.com/v1 + apiVersion: intent.security.nimbus.com/v1alpha1 kind: NimbusPolicy name: dns-manipulation-binding expect: - match: - apiVersion: intent.security.nimbus.com/v1 + apiVersion: intent.security.nimbus.com/v1alpha1 kind: NimbusPolicy name: dns-manipulation-binding check: diff --git a/tests/controllers/nimbuspolicy/nimbus-policy-assert.yaml b/tests/controllers/nimbuspolicy/nimbus-policy-assert.yaml index 8868dfab..c45f1cc2 100644 
--- a/tests/controllers/nimbuspolicy/nimbus-policy-assert.yaml +++ b/tests/controllers/nimbuspolicy/nimbus-policy-assert.yaml @@ -1,17 +1,16 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: NimbusPolicy metadata: name: dns-manipulation-binding ownerReferences: - - apiVersion: intent.security.nimbus.com/v1 + - apiVersion: intent.security.nimbus.com/v1alpha1 blockOwnerDeletion: true controller: true kind: SecurityIntentBinding name: dns-manipulation-binding - # Since UID is not predictable so don't add it. spec: rules: - description: An adversary can manipulate DNS requests to redirect network traffic diff --git a/tests/controllers/nimbuspolicy/update/README.md b/tests/controllers/nimbuspolicy/update/README.md index b4618d41..0521283e 100644 --- a/tests/controllers/nimbuspolicy/update/README.md +++ b/tests/controllers/nimbuspolicy/update/README.md @@ -9,7 +9,7 @@ This test validates that direct updates to a NimbusPolicy resource are ignored, |:-:|---|:-:|:-:|:-:|:-:| | 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | | 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | -| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 | | 4 | [Update existing NimbusPolicy](#step-Update existing NimbusPolicy) | 0 | 1 | 0 | 0 | | 5 | [Verify discarding of changes to NimbusPolicy](#step-Verify discarding of changes to NimbusPolicy) | 0 | 1 | 0 | 0 | @@ -33,7 +33,7 @@ This test validates that direct updates to a NimbusPolicy resource are ignored, |:-:|---|:-:|:-:|---| | 1 | `apply` | 0 | 0 | *No description* | -### Step: `Verity NimbusPolicy creation` +### Step: `Verify NimbusPolicy creation` *No description* 
diff --git a/tests/controllers/nimbuspolicy/update/chainsaw-test.yaml b/tests/controllers/nimbuspolicy/update/chainsaw-test.yaml index 5e872d96..398df425 100644 --- a/tests/controllers/nimbuspolicy/update/chainsaw-test.yaml +++ b/tests/controllers/nimbuspolicy/update/chainsaw-test.yaml @@ -20,7 +20,7 @@ spec: - apply: file: ../../resources/namespaced/dns-manipulation-sib.yaml - - name: "Verity NimbusPolicy creation" + - name: "Verify NimbusPolicy creation" try: - assert: file: ../nimbus-policy-assert.yaml diff --git a/tests/controllers/nimbuspolicy/updated-nimbus-policy.yaml b/tests/controllers/nimbuspolicy/updated-nimbus-policy.yaml index 523ddb7b..efb745ae 100644 --- a/tests/controllers/nimbuspolicy/updated-nimbus-policy.yaml +++ b/tests/controllers/nimbuspolicy/updated-nimbus-policy.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: NimbusPolicy metadata: name: dns-manipulation-binding diff --git a/tests/controllers/resources/namespaced/dns-manipulation-si.yaml b/tests/controllers/resources/namespaced/dns-manipulation-si.yaml index 03c63fe9..bcb90dd5 100644 --- a/tests/controllers/resources/namespaced/dns-manipulation-si.yaml +++ b/tests/controllers/resources/namespaced/dns-manipulation-si.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntent metadata: name: dns-manipulation diff --git a/tests/controllers/resources/namespaced/dns-manipulation-sib.yaml b/tests/controllers/resources/namespaced/dns-manipulation-sib.yaml index cd2f5ac6..745f7b08 100644 --- a/tests/controllers/resources/namespaced/dns-manipulation-sib.yaml +++ b/tests/controllers/resources/namespaced/dns-manipulation-sib.yaml 
@@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntentBinding metadata: name: dns-manipulation-binding @@ -9,9 +9,6 @@ spec: intents: - name: dns-manipulation selector: - any: - - resources: - kind: Pod - namespace: default - matchLabels: - app: nginx + workloadSelector: + matchLabels: + app: nginx diff --git a/tests/controllers/resources/namespaced/escape-to-host-si.yaml b/tests/controllers/resources/namespaced/escape-to-host-si.yaml new file mode 100644 index 00000000..9fc50bf3 --- /dev/null +++ b/tests/controllers/resources/namespaced/escape-to-host-si.yaml @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: SecurityIntent +metadata: + name: escape-to-host +spec: + intent: + id: escapeToHost + description: "A attacker can breach container boundaries and can gain access to the host machine" + action: Block diff --git a/tests/controllers/resources/namespaced/multiple-sis.yaml b/tests/controllers/resources/namespaced/multiple-sis.yaml index e669655a..612dbf1f 100644 --- a/tests/controllers/resources/namespaced/multiple-sis.yaml +++ b/tests/controllers/resources/namespaced/multiple-sis.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntent metadata: name: pkg-mgr-exec-multiple @@ -10,7 +10,7 @@ spec: id: swDeploymentTools action: Block --- -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntent metadata: name: unauthorized-sa-token-access-multiple 
@@ -19,7 +19,7 @@ spec: id: unAuthorizedSaTokenAccess action: Audit --- -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntent metadata: name: dns-manipulation-multiple diff --git a/tests/controllers/resources/namespaced/sib-for-multiple-sis.yaml b/tests/controllers/resources/namespaced/sib-for-multiple-sis.yaml index 3eaf9db9..f2e4bbf9 100644 --- a/tests/controllers/resources/namespaced/sib-for-multiple-sis.yaml +++ b/tests/controllers/resources/namespaced/sib-for-multiple-sis.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntentBinding metadata: name: multiple-sis-binding @@ -11,9 +11,6 @@ spec: - name: unauthorized-sa-token-access-multiple - name: dns-manipulation-multiple selector: - any: - - resources: - kind: Pod - namespace: default - matchLabels: - app: nginx + workloadSelector: + matchLabels: + app: nginx diff --git a/tests/controllers/securityintent/si-status-assert.yaml b/tests/controllers/securityintent/si-status-assert.yaml index 9b74be8b..b92fde98 100644 --- a/tests/controllers/securityintent/si-status-assert.yaml +++ b/tests/controllers/securityintent/si-status-assert.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntent metadata: name: dns-manipulation diff --git a/tests/controllers/securityintentbinding/create/README.md b/tests/controllers/securityintentbinding/create/README.md index 34bcf274..09bb101a 100644 --- a/tests/controllers/securityintentbinding/create/README.md +++ b/tests/controllers/securityintentbinding/create/README.md 
@@ -9,7 +9,7 @@ This test validates the automated creation of a NimbusPolicy resource when a cor |:-:|---|:-:|:-:|:-:|:-:| | 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | | 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | -| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 | | 4 | [Verify status of created SecurityIntentBinding](#step-Verify status of created SecurityIntentBinding) | 0 | 1 | 0 | 0 | | 5 | [Verify status of created NimbusPolicy](#step-Verify status of created NimbusPolicy) | 0 | 1 | 0 | 0 | @@ -33,7 +33,7 @@ This test validates the automated creation of a NimbusPolicy resource when a cor |:-:|---|:-:|:-:|---| | 1 | `apply` | 0 | 0 | *No description* | -### Step: `Verity NimbusPolicy creation` +### Step: `Verify NimbusPolicy creation` *No description* diff --git a/tests/controllers/securityintentbinding/create/chainsaw-test.yaml b/tests/controllers/securityintentbinding/create/chainsaw-test.yaml index 7f034fb3..9b9bdd8a 100644 --- a/tests/controllers/securityintentbinding/create/chainsaw-test.yaml +++ b/tests/controllers/securityintentbinding/create/chainsaw-test.yaml @@ -20,7 +20,7 @@ spec: - apply: file: ../../resources/namespaced/dns-manipulation-sib.yaml - - name: "Verity NimbusPolicy creation" + - name: "Verify NimbusPolicy creation" try: - assert: file: ../nimbus-policy-assert.yaml diff --git a/tests/controllers/securityintentbinding/delete/chainsaw-test.yaml b/tests/controllers/securityintentbinding/delete/chainsaw-test.yaml index 21e7e688..3fc308e0 100644 --- a/tests/controllers/securityintentbinding/delete/chainsaw-test.yaml +++ b/tests/controllers/securityintentbinding/delete/chainsaw-test.yaml 
@@ -26,12 +26,12 @@ spec: try: - delete: ref: - apiVersion: intent.security.nimbus.com/v1 + apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntentBinding name: dns-manipulation-binding expect: - match: - apiVersion: intent.security.nimbus.com/v1 + apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntentBinding name: dns-manipulation-binding check: @@ -40,6 +40,6 @@ spec: - name: "Verify the NimbusPolicy deletion" try: - script: - content: kubectl get np -n $NAMESPACE dns-manipulation-binding + content: kubectl get np dns-manipulation-binding check: ($error != null): true diff --git a/tests/controllers/securityintentbinding/nimbus-policy-assert.yaml b/tests/controllers/securityintentbinding/nimbus-policy-assert.yaml index 4cb5c161..272202e9 100644 --- a/tests/controllers/securityintentbinding/nimbus-policy-assert.yaml +++ b/tests/controllers/securityintentbinding/nimbus-policy-assert.yaml @@ -1,12 +1,12 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: NimbusPolicy metadata: name: dns-manipulation-binding ownerReferences: - - apiVersion: intent.security.nimbus.com/v1 + - apiVersion: intent.security.nimbus.com/v1alpha1 blockOwnerDeletion: true controller: true kind: SecurityIntentBinding diff --git a/tests/controllers/securityintentbinding/np-status-assert.yaml b/tests/controllers/securityintentbinding/np-status-assert.yaml index 8f70f418..92e3e8c9 100644 --- a/tests/controllers/securityintentbinding/np-status-assert.yaml +++ b/tests/controllers/securityintentbinding/np-status-assert.yaml 
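Review bot: Dropping `-n $NAMESPACE` from the "Verify the NimbusPolicy deletion" script makes the check depend on the kubectl context's current namespace rather than the chainsaw test namespace in which the SecurityIntentBinding is created; if the context points elsewhere, `kubectl get np dns-manipulation-binding` fails with "not found" regardless of whether the NimbusPolicy still exists, and `($error != null): true` passes vacuously. Unless chainsaw is configured here to scope kubectl to the test namespace, keep the explicit flag: `content: kubectl get np -n $NAMESPACE dns-manipulation-binding`. The same change appears in tests/controllers/sis-and-sibs/delete/chainsaw-test.yaml.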
@@ -1,12 +1,12 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: NimbusPolicy metadata: name: dns-manipulation-binding ownerReferences: - - apiVersion: intent.security.nimbus.com/v1 + - apiVersion: intent.security.nimbus.com/v1alpha1 blockOwnerDeletion: true controller: true kind: SecurityIntentBinding diff --git a/tests/controllers/securityintentbinding/sib-status-assert.yaml b/tests/controllers/securityintentbinding/sib-status-assert.yaml index 811e0955..eea88deb 100644 --- a/tests/controllers/securityintentbinding/sib-status-assert.yaml +++ b/tests/controllers/securityintentbinding/sib-status-assert.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntentBinding metadata: name: dns-manipulation-binding diff --git a/tests/controllers/securityintentbinding/updated-np.yaml b/tests/controllers/securityintentbinding/updated-np.yaml index ad1a9b80..2fde73d2 100644 --- a/tests/controllers/securityintentbinding/updated-np.yaml +++ b/tests/controllers/securityintentbinding/updated-np.yaml @@ -1,13 +1,13 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: NimbusPolicy metadata: generation: 2 name: dns-manipulation-binding ownerReferences: - - apiVersion: intent.security.nimbus.com/v1 + - apiVersion: intent.security.nimbus.com/v1alpha1 blockOwnerDeletion: true controller: true kind: SecurityIntentBinding diff --git a/tests/controllers/securityintentbinding/updated-sib.yaml b/tests/controllers/securityintentbinding/updated-sib.yaml index c66fd8de..ebaa1439 100644 --- a/tests/controllers/securityintentbinding/updated-sib.yaml 
+++ b/tests/controllers/securityintentbinding/updated-sib.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntentBinding metadata: name: dns-manipulation-binding @@ -9,10 +9,7 @@ spec: intents: - name: dns-manipulation selector: - any: - - resources: - kind: Pod - namespace: default - matchLabels: - app: nginx - env: prod + workloadSelector: + matchLabels: + app: nginx + env: prod diff --git a/tests/controllers/sis-and-sibs/delete/chainsaw-test.yaml b/tests/controllers/sis-and-sibs/delete/chainsaw-test.yaml index 87a2d128..a1701b58 100644 --- a/tests/controllers/sis-and-sibs/delete/chainsaw-test.yaml +++ b/tests/controllers/sis-and-sibs/delete/chainsaw-test.yaml @@ -31,12 +31,12 @@ spec: try: - delete: ref: - apiVersion: intent.security.nimbus.com/v1 + apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntent name: dns-manipulation expect: - match: - apiVersion: intent.security.nimbus.com/v1 + apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntent name: dns-manipulation check: @@ -45,7 +45,7 @@ spec: - name: "Verify the NimbusPolicy deletion" try: - script: - content: kubectl get np -n $NAMESPACE dns-manipulation-binding + content: kubectl get np dns-manipulation-binding check: ($error != null): true diff --git a/tests/controllers/sis-and-sibs/delete/sib-status-after-si-deletion-assert.yaml b/tests/controllers/sis-and-sibs/delete/sib-status-after-si-deletion-assert.yaml index dfe72f22..3ccfbe6d 100644 --- a/tests/controllers/sis-and-sibs/delete/sib-status-after-si-deletion-assert.yaml +++ b/tests/controllers/sis-and-sibs/delete/sib-status-after-si-deletion-assert.yaml 
@@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntentBinding metadata: name: dns-manipulation-binding diff --git a/tests/controllers/sis-and-sibs/nimbus-policy-assert.yaml b/tests/controllers/sis-and-sibs/nimbus-policy-assert.yaml index 4cb5c161..272202e9 100644 --- a/tests/controllers/sis-and-sibs/nimbus-policy-assert.yaml +++ b/tests/controllers/sis-and-sibs/nimbus-policy-assert.yaml @@ -1,12 +1,12 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: NimbusPolicy metadata: name: dns-manipulation-binding ownerReferences: - - apiVersion: intent.security.nimbus.com/v1 + - apiVersion: intent.security.nimbus.com/v1alpha1 blockOwnerDeletion: true controller: true kind: SecurityIntentBinding diff --git a/tests/controllers/sis-and-sibs/np-status-assert.yaml b/tests/controllers/sis-and-sibs/np-status-assert.yaml index 793d1972..00026f7c 100644 --- a/tests/controllers/sis-and-sibs/np-status-assert.yaml +++ b/tests/controllers/sis-and-sibs/np-status-assert.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: NimbusPolicy metadata: name: dns-manipulation-binding diff --git a/tests/controllers/sis-and-sibs/si-status-assert.yaml b/tests/controllers/sis-and-sibs/si-status-assert.yaml index 9b74be8b..b92fde98 100644 --- a/tests/controllers/sis-and-sibs/si-status-assert.yaml +++ b/tests/controllers/sis-and-sibs/si-status-assert.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntent metadata: name: dns-manipulation 
diff --git a/tests/controllers/sis-and-sibs/sib-status-assert.yaml b/tests/controllers/sis-and-sibs/sib-status-assert.yaml index fc6d1f14..3622a094 100644 --- a/tests/controllers/sis-and-sibs/sib-status-assert.yaml +++ b/tests/controllers/sis-and-sibs/sib-status-assert.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntentBinding metadata: name: dns-manipulation-binding diff --git a/tests/controllers/sis-and-sibs/update/README.md b/tests/controllers/sis-and-sibs/update/README.md index 39fd926b..0805dbf6 100644 --- a/tests/controllers/sis-and-sibs/update/README.md +++ b/tests/controllers/sis-and-sibs/update/README.md @@ -9,7 +9,7 @@ This test verifies that modifying a SecurityIntent triggers the desired updates |:-:|---|:-:|:-:|:-:|:-:| | 1 | [Create a SecurityIntentBinding for multiple SecurityIntents](#step-Create a SecurityIntentBinding for multiple SecurityIntents) | 0 | 1 | 0 | 0 | | 2 | [Create multiple SecurityIntents](#step-Create multiple SecurityIntents) | 0 | 1 | 0 | 0 | -| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 | | 4 | [Update one SecurityIntent](#step-Update one SecurityIntent) | 0 | 1 | 0 | 0 | | 5 | [Verify NimbusPolicy update](#step-Verify NimbusPolicy update) | 0 | 1 | 0 | 0 | | 6 | [Update SecurityIntentBinding to remove one SecurityIntent](#step-Update SecurityIntentBinding to remove one SecurityIntent) | 0 | 1 | 0 | 0 | @@ -36,7 +36,7 @@ This test verifies that modifying a SecurityIntent triggers the desired updates |:-:|---|:-:|:-:|---| | 1 | `apply` | 0 | 0 | *No description* | -### Step: `Verity NimbusPolicy creation` +### Step: `Verify NimbusPolicy creation` *No description* 
diff --git a/tests/controllers/sis-and-sibs/update/chainsaw-test.yaml b/tests/controllers/sis-and-sibs/update/chainsaw-test.yaml index 01a731f8..56184058 100644 --- a/tests/controllers/sis-and-sibs/update/chainsaw-test.yaml +++ b/tests/controllers/sis-and-sibs/update/chainsaw-test.yaml @@ -21,7 +21,7 @@ spec: - apply: file: ../../resources/namespaced/multiple-sis.yaml - - name: "Verity NimbusPolicy creation" + - name: "Verify NimbusPolicy creation" try: - assert: file: nimbus-policy-for-multiple-sis.yaml diff --git a/tests/controllers/sis-and-sibs/update/nimbus-policy-after-deleting-one-si.yaml b/tests/controllers/sis-and-sibs/update/nimbus-policy-after-deleting-one-si.yaml index efe68a2f..ad2db196 100644 --- a/tests/controllers/sis-and-sibs/update/nimbus-policy-after-deleting-one-si.yaml +++ b/tests/controllers/sis-and-sibs/update/nimbus-policy-after-deleting-one-si.yaml @@ -1,12 +1,12 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: NimbusPolicy metadata: name: multiple-sis-binding ownerReferences: - - apiVersion: intent.security.nimbus.com/v1 + - apiVersion: intent.security.nimbus.com/v1alpha1 blockOwnerDeletion: true controller: true kind: SecurityIntentBinding diff --git a/tests/controllers/sis-and-sibs/update/nimbus-policy-after-updating-one-si.yaml b/tests/controllers/sis-and-sibs/update/nimbus-policy-after-updating-one-si.yaml index 9b3da3c7..87a9e283 100644 --- a/tests/controllers/sis-and-sibs/update/nimbus-policy-after-updating-one-si.yaml +++ b/tests/controllers/sis-and-sibs/update/nimbus-policy-after-updating-one-si.yaml 
@@ -1,12 +1,12 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: NimbusPolicy
 metadata:
 name: multiple-sis-binding
 ownerReferences:
- - apiVersion: intent.security.nimbus.com/v1
+ - apiVersion: intent.security.nimbus.com/v1alpha1
 blockOwnerDeletion: true
 controller: true
 kind: SecurityIntentBinding
diff --git a/tests/controllers/sis-and-sibs/update/nimbus-policy-for-multiple-sis.yaml b/tests/controllers/sis-and-sibs/update/nimbus-policy-for-multiple-sis.yaml
index 87762d56..27ad6cba 100644
--- a/tests/controllers/sis-and-sibs/update/nimbus-policy-for-multiple-sis.yaml
+++ b/tests/controllers/sis-and-sibs/update/nimbus-policy-for-multiple-sis.yaml
@@ -1,12 +1,12 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: NimbusPolicy
 metadata:
 name: multiple-sis-binding
 ownerReferences:
- - apiVersion: intent.security.nimbus.com/v1
+ - apiVersion: intent.security.nimbus.com/v1alpha1
 blockOwnerDeletion: true
 controller: true
 kind: SecurityIntentBinding
diff --git a/tests/controllers/sis-and-sibs/update/sib-status-after-si-deletion-assert.yaml b/tests/controllers/sis-and-sibs/update/sib-status-after-si-deletion-assert.yaml
index 5cebb0bf..2e29a94c 100644
--- a/tests/controllers/sis-and-sibs/update/sib-status-after-si-deletion-assert.yaml
+++ b/tests/controllers/sis-and-sibs/update/sib-status-after-si-deletion-assert.yaml
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding
 metadata:
 name: multiple-sis-binding
diff --git a/tests/controllers/sis-and-sibs/update/updated-sib.yaml b/tests/controllers/sis-and-sibs/update/updated-sib.yaml
index 20fe3267..2f1f6cd4 100644
--- a/tests/controllers/sis-and-sibs/update/updated-sib.yaml +++ b/tests/controllers/sis-and-sibs/update/updated-sib.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntentBinding metadata: name: multiple-sis-binding @@ -10,9 +10,5 @@ spec: - name: unauthorized-sa-token-access-multiple - name: dns-manipulation-multiple selector: - any: - - resources: - kind: Pod - namespace: default - matchLabels: - app: nginx + matchLabels: + app: nginx diff --git a/tests/controllers/sis-and-sibs/update/updated-unauth-sa-si.yaml b/tests/controllers/sis-and-sibs/update/updated-unauth-sa-si.yaml index e83e913f..6ba2769b 100644 --- a/tests/controllers/sis-and-sibs/update/updated-unauth-sa-si.yaml +++ b/tests/controllers/sis-and-sibs/update/updated-unauth-sa-si.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -apiVersion: intent.security.nimbus.com/v1 +apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntent metadata: name: unauthorized-sa-token-access-multiple diff --git a/tests/e2e/dns-manipulation/ksp.yaml b/tests/e2e/dns-manipulation/ksp.yaml index 0ef95467..39b509be 100644 --- a/tests/e2e/dns-manipulation/ksp.yaml +++ b/tests/e2e/dns-manipulation/ksp.yaml @@ -5,7 +5,7 @@ metadata: app.kubernetes.io/managed-by: nimbus-kubearmor name: dns-manipulation-binding-dnsmanipulation ownerReferences: - - apiVersion: intent.security.nimbus.com/v1 + - apiVersion: intent.security.nimbus.com/v1alpha1 blockOwnerDeletion: true controller: true kind: NimbusPolicy @@ -24,4 +24,4 @@ spec: matchLabels: app: nginx syscalls: {} - \ No newline at end of file + diff --git a/tests/e2e/dns-manipulation/netpol.yaml b/tests/e2e/dns-manipulation/netpol.yaml index bfb20bb2..ea41fa94 100644 --- a/tests/e2e/dns-manipulation/netpol.yaml +++ b/tests/e2e/dns-manipulation/netpol.yaml 
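Review bot: In the updated-sib.yaml hunk (@@ -10,9 +10,5 @@) the new selector places `matchLabels` directly under `selector`, whereas the SecurityIntentBinding fixtures converted in the same commit (dns-manipulation-sib.yaml, escape-to-host-sib.yaml) nest it as `selector.workloadSelector.matchLabels`. If `workloadSelector` is the field the v1alpha1 schema defines, this fixture is either rejected on apply or, under a structural CRD schema that prunes unknown fields, accepted with an empty selector — and in standard label-selector semantics an empty selector matches everything, so the "remove one SecurityIntent" step would stop exercising the `app: nginx` scoping it claims to test. I would insert `workloadSelector:` between `selector:` and `matchLabels:` and indent the two label lines under it, and have the paired assert (nimbus-policy-after-updating-one-si.yaml) pin the generated NimbusPolicy's selector so a regression to an unscoped policy fails rather than passes silently. The old form also carried `kind: Pod` and `namespace: default`; the new one presumably relies on the binding's own namespace for scope, which is worth stating in a comment on the fixture.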
@@ -5,7 +5,7 @@ metadata:
 app.kubernetes.io/managed-by: nimbus-netpol
 name: dns-manipulation-binding-dnsmanipulation
 ownerReferences:
- - apiVersion: intent.security.nimbus.com/v1
+ - apiVersion: intent.security.nimbus.com/v1alpha1
 blockOwnerDeletion: true
 controller: true
 kind: NimbusPolicy
diff --git a/tests/e2e/dns-manipulation/nimbus-policy-assert.yaml b/tests/e2e/dns-manipulation/nimbus-policy-assert.yaml
index 8868dfab..c45f1cc2 100644
--- a/tests/e2e/dns-manipulation/nimbus-policy-assert.yaml
+++ b/tests/e2e/dns-manipulation/nimbus-policy-assert.yaml
@@ -1,17 +1,16 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: NimbusPolicy
 metadata:
 name: dns-manipulation-binding
 ownerReferences:
- - apiVersion: intent.security.nimbus.com/v1
+ - apiVersion: intent.security.nimbus.com/v1alpha1
 blockOwnerDeletion: true
 controller: true
 kind: SecurityIntentBinding
 name: dns-manipulation-binding
- # Since UID is not predictable so don't add it.
 spec:
 rules:
 - description: An adversary can manipulate DNS requests to redirect network traffic
diff --git a/tests/e2e/dns-manipulation/np-status-assert.yaml b/tests/e2e/dns-manipulation/np-status-assert.yaml
index 56a2ad94..1509af72 100644
--- a/tests/e2e/dns-manipulation/np-status-assert.yaml
+++ b/tests/e2e/dns-manipulation/np-status-assert.yaml
@@ -1,12 +1,12 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: NimbusPolicy
 metadata:
 name: dns-manipulation-binding
 ownerReferences:
- - apiVersion: intent.security.nimbus.com/v1
+ - apiVersion: intent.security.nimbus.com/v1alpha1
 blockOwnerDeletion: true
 controller: true
 kind: SecurityIntentBinding
diff --git a/tests/e2e/dns-manipulation/sib-status-assert.yaml b/tests/e2e/dns-manipulation/sib-status-assert.yaml
index fc6d1f14..3622a094 100644
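Review bot: The nimbus-policy-assert.yaml hunk (@@ -1,17 +1,16 @@) deletes the only explanation of why the `ownerReferences` entry in this assert carries no `uid` (`# Since UID is not predictable so don't add it.`) and puts nothing in its place, so the next person who tightens the assertion is likely to add `uid` and get a test that flakes on every fresh run. I would keep the note, reworded under `ownerReferences:` as `# uid is omitted on purpose: it is generated per run and cannot be asserted`. The other NimbusPolicy and adapter-policy asserts touched by this commit do not appear to carry such a comment either, so the same line would help there.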
--- a/tests/e2e/dns-manipulation/sib-status-assert.yaml
+++ b/tests/e2e/dns-manipulation/sib-status-assert.yaml
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding
 metadata:
 name: dns-manipulation-binding
diff --git a/tests/e2e/escape-to-host/kyverno-policy.yaml b/tests/e2e/escape-to-host/kyverno-policy.yaml
index 531981ff..570978d7 100644
--- a/tests/e2e/escape-to-host/kyverno-policy.yaml
+++ b/tests/e2e/escape-to-host/kyverno-policy.yaml
@@ -7,7 +7,7 @@ metadata:
 and can gain access to the host machine
 name: escape-to-host-binding-escapetohost
 ownerReferences:
- - apiVersion: intent.security.nimbus.com/v1
+ - apiVersion: intent.security.nimbus.com/v1alpha1
 blockOwnerDeletion: true
 controller: true
 kind: NimbusPolicy
@@ -37,4 +37,4 @@ spec:
 podSecurity:
 level: baseline
 version: latest
- validationFailureAction: Enforce
\ No newline at end of file
+ validationFailureAction: Enforce
diff --git a/tests/e2e/escape-to-host/nimbus-policy-assert.yaml b/tests/e2e/escape-to-host/nimbus-policy-assert.yaml
index f0708fe7..4106563e 100644
--- a/tests/e2e/escape-to-host/nimbus-policy-assert.yaml
+++ b/tests/e2e/escape-to-host/nimbus-policy-assert.yaml
@@ -1,12 +1,12 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: NimbusPolicy
 metadata:
 name: escape-to-host-binding
 ownerReferences:
- - apiVersion: intent.security.nimbus.com/v1
+ - apiVersion: intent.security.nimbus.com/v1alpha1
 blockOwnerDeletion: true
 controller: true
 kind: SecurityIntentBinding
diff --git a/tests/e2e/escape-to-host/np-status-assert.yaml b/tests/e2e/escape-to-host/np-status-assert.yaml
index 006f190e..90df34c0 100644
--- a/tests/e2e/escape-to-host/np-status-assert.yaml
+++ b/tests/e2e/escape-to-host/np-status-assert.yaml
@@ -1,12 +1,12 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: NimbusPolicy
 metadata:
 name: escape-to-host-binding
 ownerReferences:
- - apiVersion: intent.security.nimbus.com/v1
+ - apiVersion: intent.security.nimbus.com/v1alpha1
 blockOwnerDeletion: true
 controller: true
 kind: SecurityIntentBinding
diff --git a/tests/e2e/escape-to-host/sib-status-assert.yaml b/tests/e2e/escape-to-host/sib-status-assert.yaml
index 592f2c08..4b94d43c 100644
--- a/tests/e2e/escape-to-host/sib-status-assert.yaml
+++ b/tests/e2e/escape-to-host/sib-status-assert.yaml
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding
 metadata:
 name: escape-to-host-binding
@@ -10,4 +10,4 @@ status:
 - escape-to-host
 nimbusPolicy: escape-to-host-binding
 numberOfBoundIntents: 1
- status: Created
\ No newline at end of file
+ status: Created
diff --git a/tests/e2e/resources/namespaced/dns-manipulation-si.yaml b/tests/e2e/resources/namespaced/dns-manipulation-si.yaml
index 03c63fe9..bcb90dd5 100644
--- a/tests/e2e/resources/namespaced/dns-manipulation-si.yaml
+++ b/tests/e2e/resources/namespaced/dns-manipulation-si.yaml
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
 name: dns-manipulation
diff --git a/tests/e2e/resources/namespaced/dns-manipulation-sib.yaml b/tests/e2e/resources/namespaced/dns-manipulation-sib.yaml
index cd2f5ac6..745f7b08 100644
--- a/tests/e2e/resources/namespaced/dns-manipulation-sib.yaml
+++ b/tests/e2e/resources/namespaced/dns-manipulation-sib.yaml
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding
 metadata:
 name: dns-manipulation-binding
@@ -9,9 +9,6 @@ spec:
 intents:
 - name: dns-manipulation
 selector:
- any:
- - resources:
- kind: Pod
- namespace: default
- matchLabels:
- app: nginx
+ workloadSelector:
+ matchLabels:
+ app: nginx
diff --git a/tests/e2e/resources/namespaced/escape-to-host-si.yaml b/tests/e2e/resources/namespaced/escape-to-host-si.yaml
index 206da8e6..9fc50bf3 100644
--- a/tests/e2e/resources/namespaced/escape-to-host-si.yaml
+++ b/tests/e2e/resources/namespaced/escape-to-host-si.yaml
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
 name: escape-to-host
@@ -9,4 +9,4 @@ spec:
 intent:
 id: escapeToHost
 description: "A attacker can breach container boundaries and can gain access to the host machine"
- action: Block
\ No newline at end of file
+ action: Block
diff --git a/tests/e2e/resources/namespaced/escape-to-host-sib.yaml b/tests/e2e/resources/namespaced/escape-to-host-sib.yaml
index 231803c2..41a8e104 100644
--- a/tests/e2e/resources/namespaced/escape-to-host-sib.yaml
+++ b/tests/e2e/resources/namespaced/escape-to-host-sib.yaml
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-apiVersion: intent.security.nimbus.com/v1
+apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding
 metadata:
 name: escape-to-host-binding
@@ -9,9 +9,6 @@ spec:
 intents:
 - name: escape-to-host
 selector:
- any:
- - resources:
- kind: Pod
- namespace: default
- matchLabels:
- app: nginx
+ workloadSelector:
+ matchLabels:
+ app: nginx
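Review bot: The new `selector.workloadSelector.matchLabels` in dns-manipulation-sib.yaml and escape-to-host-sib.yaml (both @@ -9,9 +9,6 @@ hunks) drops the `kind: Pod` and `namespace: default` that the old `any/resources` form carried, so the only scoping these fixtures still state is the `app: nginx` label; their `metadata` sets no namespace, so the binding's reach is presumably whatever namespace the test harness applies them into. The adapter asserts this commit touches (ksp.yaml's @@ -24,4 hunk checks only `matchLabels: app: nginx`) are then the sole guard against a controller that emits a policy without the label selector — and in standard label-selector semantics an empty selector matches every workload in scope — so I would add a sibling negative fixture with an empty `workloadSelector:` and a chainsaw step asserting the API server or controller validation rejects it. At minimum, a comment on `workloadSelector:` such as `# label-only selector; applies within the binding's own namespace — an empty selector must be rejected, never widened` would record the intended contract for the next maintainer.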