docs: Update quick-tutorials and example

Signed-off-by: Anurag Rajawat <[email protected]>
anurag-rajawat · Feb 20, 2024 · 2f21798 · 2f21798
1 parent 8eac18e
commit 2f21798
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 42 deletions.
diff --git a/docs/quick-tutorials.md b/docs/quick-tutorials.md
@@ -1,18 +1,12 @@
 # Quick Tutorials
 
-## Install Nimbus Operator
+## Prerequisites
 
-Follow [this](../deployments/nimbus/Readme.md) guide to install `nimbus` operator.
-
-## Install Adapters
-
-### KubeArmor
-
-Follow [this](../deployments/nimbus-kubearmor/Readme.md) guide to install `nimbus-kubearmor` adapter.
-
-### Network Policy
-
-Follow [this](../deployments/nimbus-netpol/Readme.md) guide to install `nimbus-netpol` adapter.
+- **Nimbus operator**: Follow [this](../deployments/nimbus/Readme.md) guide to install `nimbus` operator.
+- Nimbus adapters: To generate multiple security engines policies
+    - `nimbus-kubearmor`: Follow [this](../deployments/nimbus-kubearmor/Readme.md) guide to install `nimbus-kubearmor`
+      adapter.
+    - `nimbus-netpol`: Follow [this](../deployments/nimbus-netpol/Readme.md) guide to install `nimbus-netpol` adapter.
 
 ## Create a sample deployment
 
@@ -32,35 +26,90 @@ securityintent.intent.security.nimbus.com/dns-manipulation created
 securityintentbinding.intent.security.nimbus.com/dns-manipulation-binding created
 ```
 
-## Verify SecurityIntent and SecurityIntentBinding
+## Verify Resources
 
-* Verify SecurityIntent
+* SecurityIntent
 
 ```shell
 $ kubectl get securityintent
-NAME               STATUS
-dns-manipulation   Created
+NAME               STATUS    AGE
+dns-manipulation   Created   9s
 ```
 
-* Verify SecurityIntentBinding
+Output in `-o wide` for detailed info:
+```shell
+$ kubectl get securityintent dns-manipulation -o wide
+NAME               STATUS    AGE   ID                ACTION
+dns-manipulation   Created   17s   dnsManipulation   Block
+```
+
+* SecurityIntentBinding
 
 ```shell
 $ kubectl get securityintentbinding
-NAME                       STATUS
-dns-manipulation-binding   Created
+NAME                       STATUS    AGE   INTENTS   NIMBUSPOLICY
+dns-manipulation-binding   Created   69s   1         dns-manipulation-binding
 ```
 
-## Verify the Security Engines policies
+* NimbusPolicy
 
-### KubeArmorPolicy
+```shell
+$ kubectl get nimbuspolicy
+NAME                       STATUS    AGE    POLICIES
+dns-manipulation-binding   Created   2m9s   2
+```
+
+Describe the nimbuspolicy to check which policies are created:
+
+```shell
+$ kubectl describe nimbuspolicy dns-manipulation-binding
+Name:         dns-manipulation-binding
+Namespace:    default
+Labels:       <none>
+Annotations:  <none>
+API Version:  intent.security.nimbus.com/v1
+Kind:         NimbusPolicy
+Metadata:
+  Creation Timestamp:  2024-02-20T06:04:32Z
+  Generation:          1
+  Owner References:
+    API Version:           intent.security.nimbus.com/v1
+    Block Owner Deletion:  true
+    Controller:            true
+    Kind:                  SecurityIntentBinding
+    Name:                  dns-manipulation-binding
+    UID:                   c3b7046f-26c7-4edb-ad82-de243e9ee378
+  Resource Version:        56960
+  UID:                     109a7b54-8643-487e-9454-6a79c5f4cacc
+Spec:
+  Rules:
+    Description:  An adversary can manipulate DNS requests to redirect network traffic and potentially reveal end user activity.
+    Id:           dnsManipulation
+    Rule:
+      Action:  Block
+  Selector:
+    Match Labels:
+      App:  nginx
+Status:
+  Adapter Policies:
+    KubeArmorPolicy/dns-manipulation-binding-dnsmanipulation
+    NetworkPolicy/dns-manipulation-binding-dnsmanipulation
+  Last Updated:                2024-02-20T06:04:32Z
+  Number Of Adapter Policies:  2
+  Status:                      Created
+Events:                        <none>
+```
 
-Review the policies that were successfully generated as part of `DNSManipulation` SecurityIntent and
+## Verify the Security Engines policies
+Review the policies that are successfully generated as part of `DNSManipulation` SecurityIntent and
 SecurityIntentBinding:
 
+### KubeArmorPolicy
+
 ```shell
 $ kubectl get kubearmorpolicy
 NAME                                       AGE
-dns-manipulation-binding-dnsmanipulation   2m44s
+dns-manipulation-binding-dnsmanipulation   5m45s
 ```
 
 Inspect the policy for detailed info:
@@ -75,7 +124,7 @@ kind: KubeArmorPolicy
 metadata:
   annotations:
     app.kubernetes.io/managed-by: nimbus-kubearmor
-  creationTimestamp: "2024-02-02T08:27:03Z"
+  creationTimestamp: "2024-02-20T06:04:32Z"
   generation: 1
   name: dns-manipulation-binding-dnsmanipulation
   namespace: default
@@ -85,16 +134,18 @@ metadata:
       controller: true
       kind: NimbusPolicy
       name: dns-manipulation-binding
-      uid: c2571f5b-8299-4e0f-9594-b6804a5a4d8f
-  resourceVersion: "610470"
-  uid: 7f23a7f3-3012-449d-92ee-1ea2a741b7ec
+      uid: 109a7b54-8643-487e-9454-6a79c5f4cacc
+  resourceVersion: "56955"
+  uid: 03afa2ec-ea86-4248-9f63-243493aa1db9
 spec:
   action: Block
   capabilities: { }
   file:
     matchPaths:
       - path: /etc/resolv.conf
         readOnly: true
+  message: An adversary can manipulate DNS requests to redirect network traffic and
+    potentially reveal end user activity.
   network: { }
   process: { }
   selector:
@@ -105,19 +156,16 @@ spec:
 
 ### NetworkPolicy
 
-Review the network policies that were successfully generated as part of `DNSManipulation` SecurityIntent and
-SecurityIntentBinding:
-
 ```shell
-$ kubectl get networkpolicy
+$  kubectl get networkpolicy
 NAME                                       POD-SELECTOR   AGE
-dns-manipulation-binding-dnsmanipulation   app=nginx      5m54s
+dns-manipulation-binding-dnsmanipulation   app=nginx      6m43s
 ```
 
 Inspect policy for detailed info:
 
 ```shell
-$ kubectl get networkpolicy multiple-sis-nsscoped-binding-dnsmanipulation -o yaml
+$ kubectl get networkpolicy dns-manipulation-binding-dnsmanipulation -o yaml
 ```
 
 ```yaml
@@ -126,7 +174,7 @@ kind: NetworkPolicy
 metadata:
   annotations:
     app.kubernetes.io/managed-by: nimbus-netpol
-  creationTimestamp: "2024-02-02T08:27:03Z"
+  creationTimestamp: "2024-02-20T06:04:32Z"
   generation: 1
   name: dns-manipulation-binding-dnsmanipulation
   namespace: default
@@ -136,9 +184,9 @@ metadata:
       controller: true
       kind: NimbusPolicy
       name: dns-manipulation-binding
-      uid: c2571f5b-8299-4e0f-9594-b6804a5a4d8f
-  resourceVersion: "610469"
-  uid: 7cbf50e3-8c47-443e-8851-01b0ca167bd3
+      uid: 109a7b54-8643-487e-9454-6a79c5f4cacc
+  resourceVersion: "56956"
+  uid: 473c293e-3006-4843-9eb3-2a21f142d6e3
 spec:
   egress:
     - ports:
@@ -190,7 +238,7 @@ deployment.apps "nginx" deleted
 * Confirm all resources have been deleted (Optional)
 
 ```shell
-$ kubectl get securityintent,securityintentbinding,kubearmorpolicy,netpol -A
+$ kubectl get securityintent,securityintentbinding,nimbuspolicy,kubearmorpolicy,netpol -A
 No resources found
 ```
 

diff --git a/examples/namespaced/cel-multi-si-sib-namespaced.yaml b/examples/namespaced/cel-multi-si-sib-namespaced.yaml
@@ -9,7 +9,6 @@ spec:
   intent:
     id: swDeploymentTools
     action: Block
-    mode: strict
 ---
 apiVersion: intent.security.nimbus.com/v1
 kind: SecurityIntent
@@ -19,7 +18,6 @@ spec:
   intent:
     id: unAuthorizedSaTokenAccess
     action: Block
-    mode: strict
 ---
 apiVersion: intent.security.nimbus.com/v1
 kind: SecurityIntent
@@ -29,8 +27,6 @@ spec:
   intent:
     id: dnsManipulation
     action: Block
-    mode: best-effort
-    #mode: strict
 ---
 apiVersion: intent.security.nimbus.com/v1
 kind: SecurityIntentBinding