feat: virtual-patch intent (#245)

* feat: virtual-patch initial commit Signed-off-by: VedRatan <[email protected]> * feat: added kyverno, karmor, netpol policy creation, deletion, and updation logic Signed-off-by: VedRatan <[email protected]> * feat: added support for network policy Signed-off-by: VedRatan <[email protected]> * feat: added scheduled fetching of latest CVE data Signed-off-by: VedRatan <[email protected]> * chore: resolved all the review comments Signed-off-by: VedRatan <[email protected]> * (docs): added intent description (#265) * fix: Fix CRDs version in PROJECT file Signed-off-by: Anurag Rajawat <[email protected]> * doc: Add Intent and CRDs spec docs Signed-off-by: Anurag Rajawat <[email protected]> * feat: added intent description Signed-off-by: VedRatan <[email protected]> * docs: added pkg-mgr-execution intent desc Signed-off-by: VedRatan <[email protected]> * docs: added coco-workload intent details Signed-off-by: VedRatan <[email protected]> * docs: update exploit-pfa Signed-off-by: VedRatan <[email protected]> * update command Signed-off-by: VedRatan <[email protected]> * doc: Update docs Signed-off-by: Anurag Rajawat <[email protected]> * refactored the docs Signed-off-by: VedRatan <[email protected]> * updated quick-tutorials Signed-off-by: VedRatan <[email protected]> --------- Signed-off-by: Anurag Rajawat <[email protected]> Signed-off-by: VedRatan <[email protected]> Co-authored-by: Anurag Rajawat <[email protected]> * chore: handled error gracefully, update slice search command Signed-off-by: VedRatan <[email protected]> * fix: tests Signed-off-by: VedRatan <[email protected]> * fix: error handling and review comments Signed-off-by: VedRatan <[email protected]> --------- Signed-off-by: VedRatan <[email protected]> Signed-off-by: Anurag Rajawat <[email protected]> Signed-off-by: Ved Ratan <[email protected]> Co-authored-by: Anurag Rajawat <[email protected]>
5GSEC · Nov 8, 2024 · 67712a9 · 67712a9
1 parent f651a04
commit 67712a9
Show file tree

Hide file tree

Showing 15 changed files with 708 additions and 70 deletions.
diff --git a/docs/intents/escape-to-host.md b/docs/intents/escape-to-host.md
@@ -30,7 +30,7 @@ The escapeToHost intent results in `KyvernoPolicy` and a couple of `KubearmorPol
 
    ```
     params:
-      psa_level: ["restricted"]
+      psaLevel: ["restricted"]
    ```
 
 - The `escapeToHost` intent and corresponding policy work together to establish a strong security posture for the application. By enforcing pod security standards, the policy reduces the risk of container escape, which is critical for maintaining the integrity of the host system.

diff --git a/examples/clusterscoped/escape-to-host-si-csib-with-params.yaml b/examples/clusterscoped/escape-to-host-si-csib-with-params.yaml
@@ -11,7 +11,7 @@ spec:
     description: "A attacker can breach container boundaries and can gain access to the host machine"
     action: Block
     params:
-      psa_level: ["restricted"]
+      psaLevel: ["restricted"]
 ---
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: ClusterSecurityIntentBinding

diff --git a/examples/namespaced/escape-to-host-with-params.yaml b/examples/namespaced/escape-to-host-with-params.yaml
@@ -11,7 +11,7 @@ spec:
     description: "A attacker can breach container boundaries and can gain access to the host machine"
     action: Block
     params:
-      psa_level: ["restricted"]
+      psaLevel: ["restricted"]
 ---
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding

diff --git a/examples/namespaced/virtual-patch-si-sib.yaml b/examples/namespaced/virtual-patch-si-sib.yaml
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntent
+metadata:
+  name: virtual-patch
+spec: 
+  intent:
+    id: virtualPatch
+    description: >
+      There might exist CVE's associated with certain images, adversaries might exploit these CVE and can cause potential threat,
+      to any production server. Check and apply virtual patch for a given set of CVEs as per a schedule
+    action: Block
+    params: 
+      cveList:
+        - "CVE-2024-4439"
+        - "CVE-2024-27268"
+      schedule: ["0 23 * * SUN"]
+
+---
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntentBinding
+metadata:
+  name: virtual-patch-binding
+spec:
+  intents:
+    - name: virtual-patch
+  selector:
+    workloadSelector:
+      matchLabels:
+        app: prod
diff --git a/pkg/adapter/idpool/idpool.go b/pkg/adapter/idpool/idpool.go
@@ -19,6 +19,7 @@ const (
 	CocoWorkload              = "cocoWorkload"
 	AssessTLS                 = "assessTLS"
 	DenyENAccess              = "denyExternalNetworkAccess"
+	VirtualPatch              = "virtualPatch"
 )
 
 // KaIds are IDs supported by KubeArmor.
@@ -45,6 +46,7 @@ var NetPolIDs = []string{
 var KyvIds = []string{
 	EscapeToHost,
 	CocoWorkload,
+	VirtualPatch,
 }
 
 // k8tlsIds are IDs supported by k8tls.

diff --git a/pkg/adapter/nimbus-kyverno/go.mod b/pkg/adapter/nimbus-kyverno/go.mod
@@ -202,6 +202,7 @@ require (
 	github.com/puzpuzpuz/xsync/v2 v2.5.1 // indirect
 	github.com/r3labs/diff v1.1.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/sagikazarmark/locafero v0.3.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect

diff --git a/pkg/adapter/nimbus-kyverno/go.sum b/pkg/adapter/nimbus-kyverno/go.sum
@@ -1225,6 +1225,9 @@ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5X
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052 h1:Qp27Idfgi6ACvFQat5+VJvlYToylpM/hcyLBI3WaKPA=
 github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052/go.mod h1:uvX/8buq8uVeiZiFht+0lqSLBHF+uGV8BrTv8W/SIwk=
+github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=

diff --git a/pkg/adapter/nimbus-kyverno/manager/manager.go b/pkg/adapter/nimbus-kyverno/manager/manager.go
@@ -59,6 +59,7 @@ func Run(ctx context.Context) {
 	deletedKpCh := make(chan common.Request)
 	go watcher.WatchKps(ctx, updatedKpCh, deletedKpCh)
 
+
 	for {
 		select {
 		case <-ctx.Done():
@@ -431,6 +432,9 @@ func createTriggerForKp(ctx context.Context, nameNamespace common.Request) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      nameNamespace.Name + "-trigger-configmap",
 			Namespace: nameNamespace.Namespace,
+			Labels: map[string]string {
+				"trigger" : "configmap",
+			},
 		},
 		Data: map[string]string{
 			"data": "dummy",

diff --git a/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go b/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go
@@ -121,7 +121,7 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 			}
 			matchFilters = append(matchFilters, resourceFilter)
 		}
-	} else if namespaces[0] == "*" && len(labels) == 0  {
+	} else if namespaces[0] == "*" && len(labels) == 0 {
 		if len(excludeNamespaces) > 0 {
 			resourceFilter = kyvernov1.ResourceFilter{
 				ResourceDescription: kyvernov1.ResourceDescription{
@@ -167,7 +167,7 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 					},
 					Mutation: kyvernov1.Mutation{
 						Targets: []kyvernov1.TargetResourceSpec{
-							kyvernov1.TargetResourceSpec{
+							{
 								ResourceSpec: kyvernov1.ResourceSpec{
 									APIVersion: "apps/v1",
 									Kind:       "Deployment",
@@ -185,16 +185,16 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 }
 
 func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule) kyvernov1.ClusterPolicy {
-	var psa_level api.Level = api.LevelBaseline
+	var psaLevel api.Level = api.LevelBaseline
 
-	if rule.Params["psa_level"] != nil {
+	if rule.Params["psaLevel"] != nil {
 
-		switch rule.Params["psa_level"][0] {
+		switch rule.Params["psaLevel"][0] {
 		case "restricted":
-			psa_level = api.LevelRestricted
+			psaLevel = api.LevelRestricted
 
 		default:
-			psa_level = api.LevelBaseline
+			psaLevel = api.LevelBaseline
 		}
 
 	}
@@ -241,7 +241,7 @@ func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule)
 	} else if namespaces[0] == "*" && len(labels) > 0 {
 		if len(excludeNamespaces) > 0 {
 			resourceFilter = kyvernov1.ResourceFilter{
-				ResourceDescription: kyvernov1.ResourceDescription {
+				ResourceDescription: kyvernov1.ResourceDescription{
 					Namespaces: excludeNamespaces,
 				},
 			}
@@ -296,7 +296,7 @@ func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule)
 					},
 					Validation: kyvernov1.Validation{
 						PodSecurity: &kyvernov1.PodSecurity{
-							Level:   psa_level,
+							Level:   psaLevel,
 							Version: "latest",
 						},
 					},
-Original file line number
+Diff line change
@@ Expand Up @@
        ```
         params:
-          psa_level: ["restricted"]
+          psaLevel: ["restricted"]
        ```
     - The `escapeToHost` intent and corresponding policy work together to establish a strong security posture for the application. By enforcing pod security standards, the policy reduces the risk of container escape, which is critical for maintaining the integrity of the host system.
@@ Expand Down @@