5GSEC · anurag-rajawat · Nov 8, 2024 · Aug 19, 2024 · Aug 24, 2024 · Sep 3, 2024
diff --git a/docs/intents/escape-to-host.md b/docs/intents/escape-to-host.md
@@ -30,7 +30,7 @@ The escapeToHost intent results in `KyvernoPolicy` and a couple of `KubearmorPol
 
    ```
     params:
-      psa_level: ["restricted"]
+      psaLevel: ["restricted"]
    ```
 
 - The `escapeToHost` intent and corresponding policy work together to establish a strong security posture for the application. By enforcing pod security standards, the policy reduces the risk of container escape, which is critical for maintaining the integrity of the host system.

diff --git a/examples/clusterscoped/escape-to-host-si-csib-with-params.yaml b/examples/clusterscoped/escape-to-host-si-csib-with-params.yaml
@@ -11,7 +11,7 @@ spec:
     description: "A attacker can breach container boundaries and can gain access to the host machine"
     action: Block
     params:
-      psa_level: ["restricted"]
+      psaLevel: ["restricted"]
 ---
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: ClusterSecurityIntentBinding

diff --git a/examples/namespaced/escape-to-host-with-params.yaml b/examples/namespaced/escape-to-host-with-params.yaml
@@ -11,7 +11,7 @@ spec:
     description: "A attacker can breach container boundaries and can gain access to the host machine"
     action: Block
     params:
-      psa_level: ["restricted"]
+      psaLevel: ["restricted"]
 ---
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding

diff --git a/examples/namespaced/virtual-patch-si-sib.yaml b/examples/namespaced/virtual-patch-si-sib.yaml
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntent
+metadata:
+  name: virtual-patch
+spec: 
+  intent:
+    id: virtualPatch
+    description: >
+      There might exist CVE's associated with certain images, adversaries might exploit these CVE and can cause potential threat,
+      to any production server. Check and apply virtual patch for a given set of CVEs as per a schedule
+    action: Block
+    params: 
+      cveList:
+        - "CVE-2024-4439"
+        - "CVE-2024-27268"
+      schedule: ["0 23 * * SUN"]
+
+---
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntentBinding
+metadata:
+  name: virtual-patch-binding
+spec:
+  intents:
+    - name: virtual-patch
+  selector:
+    workloadSelector:
+      matchLabels:
+        app: prod
diff --git a/pkg/adapter/idpool/idpool.go b/pkg/adapter/idpool/idpool.go
@@ -19,6 +19,7 @@ const (
 	CocoWorkload              = "cocoWorkload"
 	AssessTLS                 = "assessTLS"
 	DenyENAccess              = "denyExternalNetworkAccess"
+	VirtualPatch              = "virtualPatch"
 )
 
 // KaIds are IDs supported by KubeArmor.
@@ -45,6 +46,7 @@ var NetPolIDs = []string{
 var KyvIds = []string{
 	EscapeToHost,
 	CocoWorkload,
+	VirtualPatch,
 }
 
 // k8tlsIds are IDs supported by k8tls.

diff --git a/pkg/adapter/nimbus-kyverno/go.mod b/pkg/adapter/nimbus-kyverno/go.mod
@@ -202,6 +202,7 @@ require (
 	github.com/puzpuzpuz/xsync/v2 v2.5.1 // indirect
 	github.com/r3labs/diff v1.1.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/sagikazarmark/locafero v0.3.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect

diff --git a/pkg/adapter/nimbus-kyverno/go.sum b/pkg/adapter/nimbus-kyverno/go.sum
@@ -1225,6 +1225,9 @@ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5X
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052 h1:Qp27Idfgi6ACvFQat5+VJvlYToylpM/hcyLBI3WaKPA=
 github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052/go.mod h1:uvX/8buq8uVeiZiFht+0lqSLBHF+uGV8BrTv8W/SIwk=
+github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=

diff --git a/pkg/adapter/nimbus-kyverno/manager/manager.go b/pkg/adapter/nimbus-kyverno/manager/manager.go
@@ -59,6 +59,7 @@ func Run(ctx context.Context) {
 	deletedKpCh := make(chan common.Request)
 	go watcher.WatchKps(ctx, updatedKpCh, deletedKpCh)
 
+
 	for {
 		select {
 		case <-ctx.Done():
@@ -431,6 +432,9 @@ func createTriggerForKp(ctx context.Context, nameNamespace common.Request) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      nameNamespace.Name + "-trigger-configmap",
 			Namespace: nameNamespace.Namespace,
+			Labels: map[string]string {
+				"trigger" : "configmap",
+			},
 		},
 		Data: map[string]string{
 			"data": "dummy",

diff --git a/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go b/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go
@@ -121,7 +121,7 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 			}
 			matchFilters = append(matchFilters, resourceFilter)
 		}
-	} else if namespaces[0] == "*" && len(labels) == 0  {
+	} else if namespaces[0] == "*" && len(labels) == 0 {
 		if len(excludeNamespaces) > 0 {
 			resourceFilter = kyvernov1.ResourceFilter{
 				ResourceDescription: kyvernov1.ResourceDescription{
@@ -167,7 +167,7 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 					},
 					Mutation: kyvernov1.Mutation{
 						Targets: []kyvernov1.TargetResourceSpec{
-							kyvernov1.TargetResourceSpec{
+							{
 								ResourceSpec: kyvernov1.ResourceSpec{
 									APIVersion: "apps/v1",
 									Kind:       "Deployment",
@@ -185,16 +185,16 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 }
 
 func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule) kyvernov1.ClusterPolicy {
-	var psa_level api.Level = api.LevelBaseline
+	var psaLevel api.Level = api.LevelBaseline
 
-	if rule.Params["psa_level"] != nil {
+	if rule.Params["psaLevel"] != nil {
 
-		switch rule.Params["psa_level"][0] {
+		switch rule.Params["psaLevel"][0] {
 		case "restricted":
-			psa_level = api.LevelRestricted
+			psaLevel = api.LevelRestricted
 
 		default:
-			psa_level = api.LevelBaseline
+			psaLevel = api.LevelBaseline
 		}
 
 	}
@@ -241,7 +241,7 @@ func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule)
 	} else if namespaces[0] == "*" && len(labels) > 0 {
 		if len(excludeNamespaces) > 0 {
 			resourceFilter = kyvernov1.ResourceFilter{
-				ResourceDescription: kyvernov1.ResourceDescription {
+				ResourceDescription: kyvernov1.ResourceDescription{
 					Namespaces: excludeNamespaces,
 				},
 			}
@@ -296,7 +296,7 @@ func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule)
 					},
 					Validation: kyvernov1.Validation{
 						PodSecurity: &kyvernov1.PodSecurity{
-							Level:   psa_level,
+							Level:   psaLevel,
 							Version: "latest",
 						},
 					},
-Original file line number
+Diff line change
@@ Expand Up @@
        ```
         params:
-          psa_level: ["restricted"]
+          psaLevel: ["restricted"]
        ```
     - The `escapeToHost` intent and corresponding policy work together to establish a strong security posture for the application. By enforcing pod security standards, the policy reduces the risk of container escape, which is critical for maintaining the integrity of the host system.
@@ Expand Down @@