diff --git a/examples/clusterscoped/ensuretls-default.yaml b/examples/clusterscoped/assesstls-default.yaml
similarity index 86%
rename from examples/clusterscoped/ensuretls-default.yaml
rename to examples/clusterscoped/assesstls-default.yaml
index 7727185a..aabedbfb 100644
--- a/examples/clusterscoped/ensuretls-default.yaml
+++ b/examples/clusterscoped/assesstls-default.yaml
@@ -4,10 +4,10 @@
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
- name: ensure-tls-default
+ name: assess-tls-default
 spec:
 intent:
- id: ensureTLS
+ id: assessTLS
 action: Audit
 description: |
 Assess the TLS configuration to ensure compliance with the security standards. This includes verifying TLS protocol version,
@@ -17,10 +17,10 @@ spec:
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: ClusterSecurityIntentBinding
 metadata:
- name: ensure-tls-default
+ name: assess-tls-default
 spec:
 intents:
- - name: ensure-tls-default
+ - name: assess-tls-default
 selector:
 nsSelector:
 matchNames:
diff --git a/examples/clusterscoped/ensuretls-with-external-addresses.yaml b/examples/clusterscoped/assesstls-with-external-addresses.yaml
similarity index 86%
rename from examples/clusterscoped/ensuretls-with-external-addresses.yaml
rename to examples/clusterscoped/assesstls-with-external-addresses.yaml
index ddade528..4d556373 100644
--- a/examples/clusterscoped/ensuretls-with-external-addresses.yaml
+++ b/examples/clusterscoped/assesstls-with-external-addresses.yaml
@@ -4,10 +4,10 @@
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
- name: ensure-tls-external-addresses
+ name: assess-tls-external-addresses
 spec:
 intent:
- id: ensureTLS
+ id: assessTLS
 action: Audit
 severity: "medium"
 description: |
@@ -21,10 +21,10 @@ spec:
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: ClusterSecurityIntentBinding
 metadata:
- name: ensure-tls-external-addresses
+ name: assess-tls-external-addresses
 spec:
 intents:
- - name: ensure-tls-external-addresses
+ - name: assess-tls-external-addresses
 selector:
 nsSelector:
 matchNames:
diff --git a/examples/clusterscoped/ensuretls-with-schedule.yaml b/examples/clusterscoped/assesstls-with-schedule.yaml
similarity index 87%
rename from examples/clusterscoped/ensuretls-with-schedule.yaml
rename to examples/clusterscoped/assesstls-with-schedule.yaml
index 33a9fcdc..c56704db 100644
--- a/examples/clusterscoped/ensuretls-with-schedule.yaml
+++ b/examples/clusterscoped/assesstls-with-schedule.yaml
@@ -4,10 +4,10 @@
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
- name: ensure-tls-scheduled
+ name: assess-tls-scheduled
 spec:
 intent:
- id: ensureTLS
+ id: assessTLS
 action: Audit
 severity: "medium"
 description: |
@@ -20,10 +20,10 @@ spec:
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: ClusterSecurityIntentBinding
 metadata:
- name: ensure-tls-scheduled
+ name: assess-tls-scheduled
 spec:
 intents:
- - name: ensure-tls-scheduled
+ - name: assess-tls-scheduled
 selector:
 nsSelector:
 matchNames:
diff --git a/pkg/adapter/idpool/idpool.go b/pkg/adapter/idpool/idpool.go
index 73468089..c5d4f939 100644
--- a/pkg/adapter/idpool/idpool.go
+++ b/pkg/adapter/idpool/idpool.go
@@ -17,7 +17,7 @@ const (
 DisallowCapabilities = "disallowCapabilities"
 ExploitPFA = "preventExecutionFromTempOrLogsFolders"
 CocoWorkload = "cocoWorkload"
- EnsureTLS = "ensureTLS"
+ AssessTLS = "assessTLS"
 DenyENAccess = "denyExternalNetworkAccess"
 )
@@ -49,7 +49,7 @@ var KyvIds = []string{
 // k8tlsIds are IDs supported by k8tls.
 var k8tlsIds = []string{
- EnsureTLS,
+ AssessTLS,
 }
 // IsIdSupportedBy determines whether a given ID is supported by a security engine.
diff --git a/pkg/adapter/nimbus-k8tls/Dockerfile b/pkg/adapter/nimbus-k8tls/Dockerfile
index 53569ab1..1b079f67 100644
--- a/pkg/adapter/nimbus-k8tls/Dockerfile
+++ b/pkg/adapter/nimbus-k8tls/Dockerfile
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
diff --git a/pkg/adapter/nimbus-k8tls/builder/builder.go b/pkg/adapter/nimbus-k8tls/builder/builder.go
index f1fb1c3f..cda292e4 100644
--- a/pkg/adapter/nimbus-k8tls/builder/builder.go
+++ b/pkg/adapter/nimbus-k8tls/builder/builder.go
@@ -10,19 +10,20 @@ import (
 "strconv"
 "strings"
- "github.com/5GSEC/nimbus/api/v1alpha1"
- "github.com/5GSEC/nimbus/pkg/adapter/common"
- "github.com/5GSEC/nimbus/pkg/adapter/idpool"
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/log"
+
+ "github.com/5GSEC/nimbus/api/v1alpha1"
+ "github.com/5GSEC/nimbus/pkg/adapter/common"
+ "github.com/5GSEC/nimbus/pkg/adapter/idpool"
 )
 var (
 DefaultSchedule = "@weekly"
- backOffLimit = int32(5)
+ backOffLimit = int32(5)
 )
 func BuildCronJob(ctx context.Context, cwnp v1alpha1.ClusterNimbusPolicy) (*batchv1.CronJob, *corev1.ConfigMap) {
@@ -45,29 +46,29 @@ func BuildCronJob(ctx context.Context, cwnp v1alpha1.ClusterNimbusPolicy) (*batc
 func cronJobFor(ctx context.Context, id string, rule v1alpha1.NimbusRules) (*batchv1.CronJob, *corev1.ConfigMap) {
 switch id {
- case idpool.EnsureTLS:
- return ensureTlsCronJob(ctx, rule)
+ case idpool.AssessTLS:
+ return assessTlsCronJob(ctx, rule)
 default:
 return nil, nil
 }
 }
-func ensureTlsCronJob(ctx context.Context, rule v1alpha1.NimbusRules) (*batchv1.CronJob, *corev1.ConfigMap) {
+func assessTlsCronJob(ctx context.Context, rule v1alpha1.NimbusRules) (*batchv1.CronJob, *corev1.ConfigMap) {
 schedule, scheduleKeyExists := rule.Rule.Params["schedule"]
 externalAddresses, addrKeyExists := rule.Rule.Params["external_addresses"]
 if scheduleKeyExists && addrKeyExists {
- return cronJobForEnsureTls(ctx, schedule[0], externalAddresses...)
+ return cronJobForAssessTls(ctx, schedule[0], externalAddresses...)
 }
 if scheduleKeyExists {
- return cronJobForEnsureTls(ctx, schedule[0])
+ return cronJobForAssessTls(ctx, schedule[0])
 }
 if addrKeyExists {
- return cronJobForEnsureTls(ctx, DefaultSchedule, externalAddresses...)
+ return cronJobForAssessTls(ctx, DefaultSchedule, externalAddresses...)
 }
- return cronJobForEnsureTls(ctx, DefaultSchedule)
+ return cronJobForAssessTls(ctx, DefaultSchedule)
 }
-func cronJobForEnsureTls(ctx context.Context, schedule string, externalAddresses ...string) (*batchv1.CronJob, *corev1.ConfigMap) {
+func cronJobForAssessTls(ctx context.Context, schedule string, externalAddresses ...string) (*batchv1.CronJob, *corev1.ConfigMap) {
 logger := log.FromContext(ctx)
 cj := &batchv1.CronJob{
 Spec: batchv1.CronJobSpec{
@@ -183,7 +184,7 @@ func cronJobForEnsureTls(ctx context.Context, schedule string, externalAddresses
 if len(externalAddresses) > 0 {
 cm := buildConfigMap(externalAddresses)
- cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].VolumeMounts = append(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+ cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].VolumeMounts = append(cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].VolumeMounts, corev1.VolumeMount{
 Name: cm.Name,
 ReadOnly: true,
 MountPath: "/var/k8tls/",
@@ -199,10 +200,11 @@ func cronJobForEnsureTls(ctx context.Context, schedule string, externalAddresses
 },
 })
- cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command[0] = "./tlsscan"
- cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command = append(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command,
+ cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].Command[0] = "./tlsscan"
+ cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].Command = append(cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].Command,
 "--infile",
- cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].VolumeMounts[2].MountPath+"addresses",
+ cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].VolumeMounts[2].MountPath+"addresses",
+ "--compact-json",
 )
 return cj, cm
 }
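Review bot: The added line indexes `InitContainers[0]` with no length check, so it panics if the pod template built earlier in cronJobForAssessTls (outside this hunk) ever stops declaring the tlsscan init container first; the same unguarded `InitContainers[0]` (and `Command[0]`) appears in the next hunk. Since the template is assembled in this same function, the invariant is local and worth stating and centralising: take one alias `ic := &cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0]` above the append, with a comment such as `// invariant: the pod template above declares the tlsscan init container at index 0`, and write `ic.VolumeMounts = append(ic.VolumeMounts, corev1.VolumeMount{`. That also removes the repeated nine-segment selector chain from every line that follows. cronJobForAssessTls starts and ends outside the hunk.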
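Review bot: `VolumeMounts[2].MountPath` in the added `--infile` argument hard-codes the slice position of the mount appended in the previous hunk, which only holds while exactly two mounts precede it; the mount path is already a literal in this function (`MountPath: "/var/k8tls/"`), so the file path should come from that value rather than from a positional index, e.g. `const addressesMountPath = "/var/k8tls/"` used both in the VolumeMount and as `addressesMountPath + "addresses"`. Separately, `--compact-json` is appended only on the external-addresses path; if the default invocation (outside the hunk) is expected to emit the same output format, it needs the flag as well — worth confirming against the tlsscan CLI. cronJobForAssessTls starts outside the hunk.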