Signed-off-by: Anurag Rajawat <[email protected]>
Anurag Rajawat
committed
Aug 16, 2024
1 parent
9476d9e
commit 95513ac
Showing
11 changed files
with
1,063 additions
and
0 deletions.
@@ -0,0 +1,26 @@ | ||
# SPDX-License-Identifier: Apache-2.0 | ||
# Copyright 2023 Authors of Nimbus | ||
|
||
apiVersion: intent.security.nimbus.com/v1alpha1 | ||
kind: SecurityIntent | ||
metadata: | ||
name: network-segmentation | ||
spec: | ||
intent: | ||
id: netSegment | ||
action: Block # Audit action has no effect here | ||
severity: Medium | ||
tags: | ||
- 5G | ||
--- | ||
apiVersion: intent.security.nimbus.com/v1alpha1 | ||
kind: SecurityIntentBinding | ||
metadata: | ||
name: network-segmentation-for-ns | ||
spec: | ||
intents: | ||
- name: network-segmentation | ||
selector: | ||
workloadSelector: | ||
matchLabels: | ||
app: httpd |
@@ -0,0 +1 @@ | ||
bin/ |
@@ -0,0 +1,40 @@ | ||
# SPDX-License-Identifier: Apache-2.0 | ||
# Copyright 2023 Authors of Nimbus | ||
|
||
FROM golang:1.22 as builder | ||
ARG TARGETOS | ||
ARG TARGETARCH | ||
|
||
WORKDIR /nimbus | ||
|
||
# relative deps requried by the adapter | ||
ADD api/ api/ | ||
ADD pkg/ pkg/ | ||
ADD go.mod go.mod | ||
ADD go.sum go.sum | ||
|
||
ARG ADAPTER_DIR=pkg/adapter/nimbus-de | ||
WORKDIR /nimbus/$ADAPTER_DIR | ||
|
||
COPY $ADAPTER_DIR/go.mod go.mod | ||
# cache deps before building and copying source so that we don't need to re-download as much | ||
# and so that source changes don't invalidate our downloaded layer | ||
RUN go mod download | ||
|
||
COPY $ADAPTER_DIR/manager manager | ||
COPY $ADAPTER_DIR/watcher watcher | ||
COPY $ADAPTER_DIR/main.go main.go | ||
|
||
# Build | ||
# the GOARCH has not a default value to allow the binary be built according to the host where the command | ||
# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO | ||
# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, | ||
# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. | ||
RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-s" -o bin/nimbus-de main.go | ||
|
||
FROM gcr.io/distroless/static:nonroot | ||
WORKDIR / | ||
COPY --from=builder /nimbus/pkg/adapter/nimbus-de/bin/nimbus-de . | ||
USER 65532:65532 | ||
|
||
ENTRYPOINT ["/nimbus-de"] |
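Review bot: The adapter's dependency download runs with only the module file present — the line `COPY $ADAPTER_DIR/go.mod go.mod` is not paired with a `go.sum` copy — so `go mod download` and the later `go build` cannot verify module checksums against the committed sum file; add `COPY $ADAPTER_DIR/go.sum go.sum` next to it (the root `go.sum` ADDed to `/nimbus` belongs to a different module directory and does not cover this one). The `ADD api/ api/`, `ADD pkg/ pkg/`, `ADD go.mod go.mod` and `ADD go.sum go.sum` lines copy plain local paths, for which `COPY` is the conventional instruction; `ADD` additionally fetches URLs and auto-extracts archives, which is not wanted here. Both base images (`golang:1.22` and `gcr.io/distroless/static:nonroot`) are referenced by mutable tags; pinning them with `@sha256:<digest placeholder>` makes the image build reproducible. The Makefile in this commit passes `--build-arg VERSION=${TAG}`, but no `ARG VERSION` is declared in this Dockerfile, so that value is silently dropped — either declare it or drop the flag.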
@@ -0,0 +1,53 @@ | ||
# SPDX-License-Identifier: Apache-2.0 | ||
# Copyright 2023 Authors of Nimbus | ||
|
||
# Image URL to use all building/pushing image targets | ||
IMG ?= 5gsec/nimbus-de | ||
# Image Tag to use all building/pushing image targets | ||
TAG ?= latest | ||
|
||
CONTAINER_TOOL ?= docker | ||
BINARY ?= bin/nimbus-de | ||
CONTROLLER_TOOLS_VERSION ?= v0.14.0 | ||
LOCALBIN ?= $(shell pwd)/bin | ||
$(LOCALBIN): | ||
mkdir -p $(LOCALBIN) | ||
CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen | ||
|
||
.PHONY: help | ||
help: ## Display this help. | ||
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) | ||
|
||
build: ## Build nimbus-de executable. | ||
@go build -ldflags="-s" -o ${BINARY} main.go | ||
|
||
run: build ## Run nimbus-de. | ||
@./${BINARY} | ||
|
||
.PHONY: docker-build | ||
docker-build: ## Build nimbus-de container image. | ||
$(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ | ||
|
||
.PHONY: docker-push | ||
docker-push: ## Push nimbus-de container image. | ||
$(CONTAINER_TOOL) push ${IMG}:${TAG} | ||
|
||
PLATFORMS ?= linux/arm64,linux/amd64 | ||
.PHONY: docker-buildx | ||
docker-buildx: ## Build and push container image for cross-platform support | ||
sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross | ||
- $(CONTAINER_TOOL) buildx create --name project-v3-builder | ||
$(CONTAINER_TOOL) buildx use project-v3-builder | ||
- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --build-arg VERSION=${TAG} --tag ${IMG}:${TAG} -f Dockerfile.cross ../../../ || { $(CONTAINER_TOOL) buildx rm project-v3-builder; rm Dockerfile.cross; exit 1; } | ||
- $(CONTAINER_TOOL) buildx rm project-v3-builder | ||
rm Dockerfile.cross | ||
|
||
.PHONY: manifests | ||
manifests: controller-gen ## Generate ClusterRole. | ||
$(CONTROLLER_GEN) rbac:roleName=nimbus-de-clusterrole paths="./..." output:dir=../../../deployments/nimbus-de/templates/ | ||
|
||
.PHONY: controller-gen | ||
controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten. | ||
$(CONTROLLER_GEN): $(LOCALBIN) | ||
test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \ | ||
GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) |
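Review bot: `build` and `run` are the only targets in this file not declared phony (the lines `build: ## Build nimbus-de executable.` and `run: build ## Run nimbus-de.`), so a file or directory named `build` or `run` in the adapter directory would make them appear up to date and silently skip the compile; add `.PHONY: build run` alongside the other declarations. `LOCALBIN ?= $(shell pwd)/bin` uses the recursive `?=` flavour, so the `pwd` shell is forked on every expansion of `LOCALBIN`; `LOCALBIN ?= $(CURDIR)/bin` is equivalent and costs nothing. The rule `$(CONTROLLER_GEN): $(LOCALBIN)` lists the directory as a normal prerequisite, so its recipe re-runs whenever anything in `bin/` changes; making it order-only, `$(CONTROLLER_GEN): | $(LOCALBIN)`, is the usual idiom. The rendered page does not show whether recipe lines begin with a tab, so I have not checked that.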
@@ -0,0 +1,122 @@ | ||
module github.com/5GSEC/nimbus/pkg/adapter/nimbus-de | ||
|
||
go 1.22.3 | ||
|
||
require ( | ||
github.com/5GSEC/nimbus v1.0.1 | ||
github.com/accuknox/dev2/dsp/pkg/DiscoveredPolicy v1.28.0 | ||
github.com/cilium/cilium v1.15.7 | ||
github.com/go-logr/logr v1.4.2 | ||
github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240109175053-214237906794 | ||
k8s.io/api v0.30.1 | ||
k8s.io/apimachinery v0.30.1 | ||
k8s.io/client-go v0.30.1 | ||
sigs.k8s.io/controller-runtime v0.18.4 | ||
) | ||
|
||
require ( | ||
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect | ||
github.com/beorn7/perks v1.0.1 // indirect | ||
github.com/blang/semver/v4 v4.0.0 // indirect | ||
github.com/cespare/xxhash/v2 v2.3.0 // indirect | ||
github.com/cilium/ebpf v0.12.3 // indirect | ||
github.com/cilium/proxy v0.0.0-20231202123106-38b645b854f3 // indirect | ||
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect | ||
github.com/emicklei/go-restful/v3 v3.12.0 // indirect | ||
github.com/evanphx/json-patch/v5 v5.9.0 // indirect | ||
github.com/fsnotify/fsnotify v1.7.0 // indirect | ||
github.com/go-logr/stdr v1.2.2 // indirect | ||
github.com/go-logr/zapr v1.3.0 // indirect | ||
github.com/go-ole/go-ole v1.2.6 // indirect | ||
github.com/go-openapi/analysis v0.21.4 // indirect | ||
github.com/go-openapi/errors v0.20.4 // indirect | ||
github.com/go-openapi/jsonpointer v0.21.0 // indirect | ||
github.com/go-openapi/jsonreference v0.21.0 // indirect | ||
github.com/go-openapi/loads v0.21.2 // indirect | ||
github.com/go-openapi/runtime v0.26.2 // indirect | ||
github.com/go-openapi/spec v0.20.11 // indirect | ||
github.com/go-openapi/strfmt v0.21.9 // indirect | ||
github.com/go-openapi/swag v0.23.0 // indirect | ||
github.com/go-openapi/validate v0.22.3 // indirect | ||
github.com/gogo/protobuf v1.3.2 // indirect | ||
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect | ||
github.com/golang/protobuf v1.5.4 // indirect | ||
github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect | ||
github.com/google/go-cmp v0.6.0 // indirect | ||
github.com/google/gofuzz v1.2.0 // indirect | ||
github.com/google/gopacket v1.1.19 // indirect | ||
github.com/google/uuid v1.6.0 // indirect | ||
github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect | ||
github.com/hashicorp/hcl v1.0.0 // indirect | ||
github.com/imdario/mergo v0.3.16 // indirect | ||
github.com/inconshreveable/mousetrap v1.1.0 // indirect | ||
github.com/josharian/intern v1.0.0 // indirect | ||
github.com/json-iterator/go v1.1.12 // indirect | ||
github.com/kr/pretty v0.3.1 // indirect | ||
github.com/kr/text v0.2.0 // indirect | ||
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect | ||
github.com/magiconair/properties v1.8.7 // indirect | ||
github.com/mailru/easyjson v0.7.7 // indirect | ||
github.com/mitchellh/mapstructure v1.5.0 // indirect | ||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect | ||
github.com/modern-go/reflect2 v1.0.2 // indirect | ||
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | ||
github.com/oklog/ulid v1.3.1 // indirect | ||
github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect | ||
github.com/pelletier/go-toml/v2 v2.1.0 // indirect | ||
github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect | ||
github.com/pkg/errors v0.9.1 // indirect | ||
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect | ||
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect | ||
github.com/prometheus/client_golang v1.19.1 // indirect | ||
github.com/prometheus/client_model v0.6.1 // indirect | ||
github.com/prometheus/common v0.53.0 // indirect | ||
github.com/prometheus/procfs v0.15.0 // indirect | ||
github.com/rogpeppe/go-internal v1.11.0 // indirect | ||
github.com/sagikazarmark/locafero v0.4.0 // indirect | ||
github.com/sagikazarmark/slog-shim v0.1.0 // indirect | ||
github.com/sasha-s/go-deadlock v0.3.1 // indirect | ||
github.com/shirou/gopsutil/v3 v3.23.5 // indirect | ||
github.com/sirupsen/logrus v1.9.3 // indirect | ||
github.com/sourcegraph/conc v0.3.0 // indirect | ||
github.com/spf13/afero v1.11.0 // indirect | ||
github.com/spf13/cast v1.6.0 // indirect | ||
github.com/spf13/cobra v1.8.0 // indirect | ||
github.com/spf13/pflag v1.0.5 // indirect | ||
github.com/spf13/viper v1.18.1 // indirect | ||
github.com/subosito/gotenv v1.6.0 // indirect | ||
github.com/tklauser/go-sysconf v0.3.11 // indirect | ||
github.com/tklauser/numcpus v0.6.0 // indirect | ||
github.com/vishvananda/netlink v1.2.1-beta.2.0.20240524165444-4d4ba1473f21 // indirect | ||
github.com/vishvananda/netns v0.0.4 // indirect | ||
github.com/yusufpapurcu/wmi v1.2.3 // indirect | ||
go.mongodb.org/mongo-driver v1.13.1 // indirect | ||
go.opentelemetry.io/otel v1.21.0 // indirect | ||
go.opentelemetry.io/otel/metric v1.21.0 // indirect | ||
go.opentelemetry.io/otel/trace v1.21.0 // indirect | ||
go.uber.org/dig v1.17.1 // indirect | ||
go.uber.org/multierr v1.11.0 // indirect | ||
go.uber.org/zap v1.27.0 // indirect | ||
go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect | ||
golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect | ||
golang.org/x/net v0.25.0 // indirect | ||
golang.org/x/oauth2 v0.20.0 // indirect | ||
golang.org/x/sync v0.7.0 // indirect | ||
golang.org/x/sys v0.20.0 // indirect | ||
golang.org/x/term v0.20.0 // indirect | ||
golang.org/x/text v0.15.0 // indirect | ||
golang.org/x/time v0.5.0 // indirect | ||
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect | ||
google.golang.org/protobuf v1.34.1 // indirect | ||
gopkg.in/inf.v0 v0.9.1 // indirect | ||
gopkg.in/ini.v1 v1.67.0 // indirect | ||
gopkg.in/yaml.v2 v2.4.0 // indirect | ||
gopkg.in/yaml.v3 v3.0.1 // indirect | ||
k8s.io/apiextensions-apiserver v0.30.1 // indirect | ||
k8s.io/klog/v2 v2.120.1 // indirect | ||
k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect | ||
k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect | ||
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect | ||
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect | ||
sigs.k8s.io/yaml v1.4.0 // indirect | ||
) |
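Review bot: The first require block pins `github.com/5GSEC/nimbus v1.0.1` and the module declares no `replace` directive, so the adapter compiles against the published module version rather than the `api/` and `pkg/` trees the Dockerfile in this commit copies into the builder stage, and changes to the in-tree API will not be picked up by this build. If the adapter is meant to track the in-tree code, a `replace github.com/5GSEC/nimbus => ../../../` directive (or a `go.work` at the repository root) is needed; if it is meant to build against the released module, the copied trees in the Dockerfile are unused and can be dropped. I cannot see whether a `go.work` exists outside this commit, so this is inferred from the files shown here.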