

(feat): denyExternalNetworkAccess Intent (5GSEC#190)
* denyExternalNetworkAccess Intent

---------

Signed-off-by: Ved Ratan <[email protected]>
VedRatan authored Jun 20, 2024
1 parent 2e642c2 commit 3624ce6
Showing 4 changed files with 115 additions and 1 deletion.
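--- a/examples/clusterscoped/deny-external-network-access.yaml
+++ b/examples/clusterscoped/deny-external-network-access.yaml
@@ -0,0 +1,26 @@
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntent
+metadata:
+name: deny-ext-nw-access
+spec:
+intent:
+id: denyExternalNetworkAccess
+description: "Deny external network access to prevent data exfiltration"
+action: Block
+
+---
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: ClusterSecurityIntentBinding
+metadata:
+name: deny-ext-nw-access-foo-binding
+spec:
+intents:
+- name: deny-ext-nw-access
+selector:
+nsSelector:
+matchNames:
+- prod
+workloadSelector:
+matchLabels:
+app: foo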
2 changes: 2 additions & 0 deletions pkg/adapter/idpool/idpool.go
Expand Up @@ -17,6 +17,7 @@ const (
DisallowCapabilities = "disallowCapabilities"
ExploitPFA = "preventExecutionFromTempOrLogsFolders"
EnsureTLS = "ensureTLS"
DenyENAccess = "denyExternalNetworkAccess"
)

// KaIds are IDs supported by KubeArmor.
Expand All @@ -36,6 +37,7 @@ var KaIDPolicies = map[string][]string{
// NetPolIDs are IDs supported by Network Policy adapter.
var NetPolIDs = []string{
DNSManipulation,
DenyENAccess,
}

// KyvIds are IDs supported by Kyverno.
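Review bot: `DenyENAccess` abbreviates where the neighbouring constants spell the intent out (`DisallowCapabilities`, `EnsureTLS`), so a reader has to resolve "EN" before matching it to `"denyExternalNetworkAccess"`; `DenyExternalNetworkAccess = "denyExternalNetworkAccess"` would keep the list self-describing. This is a naming point only; the registration in `NetPolIDs` in the second hunk is fine as written.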
2 changes: 1 addition & 1 deletion pkg/adapter/nimbus-netpol/manager/netpols_manager.go
Expand Up @@ -98,7 +98,7 @@ func createOrUpdateNetworkPolicy(ctx context.Context, npName, npNamespace string
return
}

if adapterutil.IsOrphan(np.GetOwnerReferences(), "SecurityIntentBinding") {
if adapterutil.IsOrphan(np.GetOwnerReferences(), "SecurityIntentBinding", "ClusterSecurityIntentBinding") {
logger.V(4).Info("Ignoring orphan NimbusPolicy", "NimbusPolicy.Name", npName, "NimbusPolicy.Namespace", npNamespace)
return
}
86 changes: 86 additions & 0 deletions pkg/adapter/nimbus-netpol/processor/netpol_builder.go
Expand Up @@ -21,6 +21,7 @@ func BuildNetPolsFrom(logger logr.Logger, np v1alpha1.NimbusPolicy) []netv1.Netw
var netpols []netv1.NetworkPolicy
for _, nimbusRule := range np.Spec.NimbusRules {
id := nimbusRule.ID
logger.Info(id)
if idpool.IsIdSupportedBy(id, "netpol") {
netpol := buildNetPolFor(id)
netpol.Name = np.Name + "-" + strings.ToLower(id)
Expand All @@ -40,11 +41,96 @@ func buildNetPolFor(id string) netv1.NetworkPolicy {
switch id {
case idpool.DNSManipulation:
return dnsManipulationNetpol()
case idpool.DenyENAccess:
return denyExternalNetworkAcessNetpol()
default:
return netv1.NetworkPolicy{}
}
}

func denyExternalNetworkAcessNetpol() netv1.NetworkPolicy {
udpProtocol := corev1.ProtocolUDP
tcpProtocol := corev1.ProtocolTCP
dnsPort := &intstr.IntOrString{
Type: 0,
IntVal: 53,
}

return netv1.NetworkPolicy{
Spec: netv1.NetworkPolicySpec{
Ingress: []netv1.NetworkPolicyIngressRule{
{
From: []netv1.NetworkPolicyPeer{
{
IPBlock: &netv1.IPBlock{
CIDR: "10.0.0.0/8",
},
},
{
IPBlock: &netv1.IPBlock{
CIDR: "172.16.0.0/12",
},
},
{
IPBlock: &netv1.IPBlock{
CIDR: "192.168.0.0/16",
},
},
},
},
},
Egress: []netv1.NetworkPolicyEgressRule{
{
To: []netv1.NetworkPolicyPeer{
{
PodSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"k8s-app": "kube-dns",
},
},
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"kubernetes.io/metadata.name": "kube-system",
},
},
},

{
IPBlock: &netv1.IPBlock{
CIDR: "10.0.0.0/8",
},
},
{
IPBlock: &netv1.IPBlock{
CIDR: "172.16.0.0/12",
},
},
{
IPBlock: &netv1.IPBlock{
CIDR: "192.168.0.0/16",
},
},
},
Ports: []netv1.NetworkPolicyPort{
{
Protocol: &udpProtocol,
Port: dnsPort,
},
{
Protocol: &tcpProtocol,
Port: dnsPort,
},
},
},
},
PolicyTypes: []netv1.PolicyType{
netv1.PolicyTypeEgress,
netv1.PolicyTypeIngress,
},
},
}
}

func dnsManipulationNetpol() netv1.NetworkPolicy {
udpProtocol := corev1.ProtocolUDP
tcpProtocol := corev1.ProtocolTCP
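Review bot: In `denyExternalNetworkAcessNetpol` the three private-range `IPBlock` peers and the DNS `Ports` sit in the same `NetworkPolicyEgressRule`, and a NetworkPolicy rule only allows traffic that matches both its `to` and its `ports`, so egress to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 is permitted only on port 53 and every other in-cluster connection is denied, which looks stricter than the intent's "deny external network access" description. Splitting the egress into a DNS rule (the kube-dns peer plus the two port entries) and a port-less private-range rule fixes that, as in the fence below; the `Type: 0, IntVal: 53` literal can also become `intstr.FromInt(53)`. The function name carries a typo (`Acess`) at both its definition and the call in `buildNetPolFor`. The `logger.Info(id)` added in the first hunk logs a bare value with no message, so it should either be dropped or follow the structured style used elsewhere in the adapter, e.g. `logger.V(4).Info("processing nimbus rule", "id", id)`. Whether the RFC 1918 ranges actually cover this cluster's pod and service CIDRs (and whether the `k8s-app: kube-dns` label matches its DNS pods) cannot be confirmed from the hunk; `buildNetPolFor` starts and `dnsManipulationNetpol` ends outside it.
```go
func denyExternalNetworkAcessNetpol() netv1.NetworkPolicy {
	udpProtocol := corev1.ProtocolUDP
	tcpProtocol := corev1.ProtocolTCP
	dnsPort := intstr.FromInt(53)

	return netv1.NetworkPolicy{
		Spec: netv1.NetworkPolicySpec{
			Ingress: []netv1.NetworkPolicyIngressRule{
				{From: privateRangePeers()},
			},
			Egress: []netv1.NetworkPolicyEgressRule{
				// DNS only: To and Ports in one rule are ANDed, so this rule
				// admits kube-dns on 53/udp and 53/tcp and nothing else.
				{
					To: []netv1.NetworkPolicyPeer{
						{
							PodSelector: &metav1.LabelSelector{
								MatchLabels: map[string]string{"k8s-app": "kube-dns"},
							},
							NamespaceSelector: &metav1.LabelSelector{
								MatchLabels: map[string]string{"kubernetes.io/metadata.name": "kube-system"},
							},
						},
					},
					Ports: []netv1.NetworkPolicyPort{
						{Protocol: &udpProtocol, Port: &dnsPort},
						{Protocol: &tcpProtocol, Port: &dnsPort},
					},
				},
				// Private ranges on every port: a rule without Ports allows all ports.
				{To: privateRangePeers()},
			},
			// … unchanged: PolicyTypes …
		},
	}
}

// privateRangePeers returns fresh peers for the RFC 1918 ranges so the
// ingress and egress rules do not share IPBlock pointers.
func privateRangePeers() []netv1.NetworkPolicyPeer {
	return []netv1.NetworkPolicyPeer{
		{IPBlock: &netv1.IPBlock{CIDR: "10.0.0.0/8"}},
		{IPBlock: &netv1.IPBlock{CIDR: "172.16.0.0/12"}},
		{IPBlock: &netv1.IPBlock{CIDR: "192.168.0.0/16"}},
	}
}
```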

