From 73ffb58123a7a9bb40e3f2de32329037e156b49a Mon Sep 17 00:00:00 2001 From: Anurag Rajawat Date: Fri, 21 Jun 2024 19:13:29 +0530 Subject: [PATCH] feat(deployments): Add option to enable auto deployment of adpaters Signed-off-by: Anurag Rajawat --- deployments/nimbus-kubearmor/Chart.yaml | 21 ++-- deployments/nimbus-kubearmor/Readme.md | 28 +----- deployments/nimbus-kubearmor/values.yaml | 5 + deployments/nimbus-kyverno/Chart.yaml | 20 ++-- deployments/nimbus-kyverno/Readme.md | 38 ++----- deployments/nimbus-kyverno/values.yaml | 4 +- deployments/nimbus/Chart.yaml | 32 +++--- deployments/nimbus/Readme.md | 33 ++---- deployments/nimbus/values.yaml | 5 + docs/getting-started.md | 122 ++++++++++------------- docs/quick-tutorials.md | 9 +- 11 files changed, 129 insertions(+), 188 deletions(-) diff --git a/deployments/nimbus-kubearmor/Chart.yaml b/deployments/nimbus-kubearmor/Chart.yaml index 71b7b5fb..62920311 100644 --- a/deployments/nimbus-kubearmor/Chart.yaml +++ b/deployments/nimbus-kubearmor/Chart.yaml 
@@ -1,24 +1,23 @@ apiVersion: v2 name: nimbus-kubearmor -description: A Helm chart for KubeArmor Security Engine as an adapter for Nimbus. - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. +description: KubeArmor adapter's chart for Nimbus. type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.2 +version: 0.1.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. appVersion: "0.1.2" + +dependencies: + - name: kubearmor-operator + version: ">= 1.3.4" + repository: https://kubearmor.github.io/charts + condition: autoDeploy + +kubeVersion: ">= 1.25" diff --git a/deployments/nimbus-kubearmor/Readme.md b/deployments/nimbus-kubearmor/Readme.md index d077dcdc..2c05339d 100644 --- a/deployments/nimbus-kubearmor/Readme.md +++ b/deployments/nimbus-kubearmor/Readme.md 
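Review bot: The new `dependencies` entry constrains kubearmor-operator only from below, `version: ">= 1.3.4"`, so `helm dependency update` (which the READMEs in this diff now run on every install via `--dependency-update`) resolves to whatever the newest published chart is, including a future major version with breaking changes; a bounded constraint such as `version: ">= 1.3.4, < 2.0.0"` keeps the resolved subchart predictable, and committing the generated Chart.lock (none is added in this diff) would make installs reproducible. The same open-ended ranges appear in deployments/nimbus-kyverno/Chart.yaml (`>= 3.2.0`) and in all three entries of deployments/nimbus/Chart.yaml. A minor style point: `kubeVersion` is placed after `dependencies` here but directly after `type` in the other two charts. Relatedly, the README row describing this flag in deployments/nimbus-kubearmor/Readme.md has an empty link target, `[KubeArmor]()`.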
@@ -1,25 +1,18 @@ # Install KubeArmor adapter -> [!Note] -> The `nimbus-kubearmor` adapter leverages the [KubeArmor](https://kubearmor.io) security engine for its functionality. -> To use this adapter, you'll need KubeArmor installed. Please -> follow [this](https://github.com/kubearmor/KubeArmor/blob/main/getting-started/deployment_guide.md) guide for -> installation. -> Creating a KubeArmorPolicy resource without KubeArmor will have no effect. - Install `nimbus-kubearmor` adapter using the official 5GSEC Helm charts. ```shell helm repo add 5gsec https://5gsec.github.io/charts helm repo update 5gsec -helm upgrade --install nimbus-kubearmor 5gsec/nimbus-kubearmor -n nimbus +helm upgrade --dependency-update --install nimbus-kubearmor 5gsec/nimbus-kubearmor -n nimbus ``` Install `nimbus-kubearmor` adapter using Helm charts locally (for testing) ```bash cd deployments/nimbus-kubearmor/ -helm upgrade --install nimbus-kubearmor . -n nimbus +helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus ``` ## Values @@ -29,22 +22,7 @@ helm upgrade --install nimbus-kubearmor . -n nimbus | image.repository | string | 5gsec/nimbus-kubearmor | Image repository from which to pull the `nimbus-kubearmor` adapter's image | | image.pullPolicy | string | Always | `nimbus-kubearmor` adapter image pull policy | | image.tag | string | latest | `nimbus-kubearmor` adapter image tag | - -## Verify if all the resources are up and running - -Once done, the following resources will exist in your cluster: - -```shell -$ kubectl get all -n nimbus -l app.kubernetes.io/instance=nimbus-kubearmor -NAME READY STATUS RESTARTS AGE -pod/nimbus-kubearmor-7f6854cf8f-gm7c8 1/1 Running 0 3m25s - -NAME READY UP-TO-DATE AVAILABLE AGE -deployment.apps/nimbus-kubearmor 1/1 1 1 3m25s - -NAME DESIRED CURRENT READY AGE -replicaset.apps/nimbus-kubearmor-7f6854cf8f 1 1 1 3m25s -``` +| autoDeploy | bool | true | Auto deploy [KubeArmor]() with default configurations | ## Uninstall the KubeArmor adapter 
diff --git a/deployments/nimbus-kubearmor/values.yaml b/deployments/nimbus-kubearmor/values.yaml index 3acaebfa..beab29f7 100644 --- a/deployments/nimbus-kubearmor/values.yaml +++ b/deployments/nimbus-kubearmor/values.yaml @@ -1,5 +1,7 @@ # Default values for nimbus-kubearmor. +autoDeploy: true + image: repository: 5gsec/nimbus-kubearmor pullPolicy: Always @@ -21,3 +23,6 @@ serviceAccount: securityContext: runAsNonRoot: true runAsUser: 65533 + +kubearmor-operator: + autoDeploy: true diff --git a/deployments/nimbus-kyverno/Chart.yaml b/deployments/nimbus-kyverno/Chart.yaml index c12eb45a..d9920712 100644 --- a/deployments/nimbus-kyverno/Chart.yaml +++ b/deployments/nimbus-kyverno/Chart.yaml 
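Review bot: The two `autoDeploy` keys added here are undocumented and easy to confuse: the top-level one is the Chart.yaml `condition` deciding whether the kubearmor-operator subchart is rendered at all, while `kubearmor-operator.autoDeploy` is forwarded to that subchart and presumably tells the operator to roll out KubeArmor with its default configuration. Because both default to `true`, installing this adapter into a cluster that already runs KubeArmor would, as far as I can tell, bring up a second operator alongside it, so the opt-out deserves a comment above each key, e.g. `# Render the kubearmor-operator subchart (Chart.yaml condition); set to false if KubeArmor is already installed.` and `# Forwarded to the kubearmor-operator subchart: have the operator deploy KubeArmor with its defaults.`. The same undocumented default-on flag is added in deployments/nimbus-kyverno/values.yaml and deployments/nimbus/values.yaml.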
@@ -1,24 +1,22 @@ apiVersion: v2 name: nimbus-kyverno -description: A Helm chart for Kubernetes - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. +description: Kyverno adapter's chart for Nimbus. type: application +kubeVersion: ">= 1.25" # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.1.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. appVersion: "0.1.0" + +dependencies: + - name: kyverno + version: ">= 3.2.0" + repository: https://kyverno.github.io/kyverno/ + condition: autoDeploy diff --git a/deployments/nimbus-kyverno/Readme.md b/deployments/nimbus-kyverno/Readme.md index b380077e..1dae43ec 100644 --- a/deployments/nimbus-kyverno/Readme.md +++ b/deployments/nimbus-kyverno/Readme.md 
@@ -1,50 +1,28 @@ # Install Kyverno adapter -> [!Note] -> The `nimbus-kyverno` adapter leverages the [kyverno](https://kyverno.io/) security engine for its functionality. -> To use this adapter, you'll need kyverno installed. Please -> follow [this](https://kyverno.io/docs/installation/methods/) guide for -> installation. -> Creating a Policy and ClusterPolicy resource without Kyverno will have no effect. - Install `nimbus-kyverno` adapter using the official 5GSEC Helm charts. ```shell helm repo add 5gsec https://5gsec.github.io/charts helm repo update 5gsec -helm upgrade --install nimbus-kyverno 5gsec/nimbus-kyverno -n nimbus +helm upgrade --dependency-update --install nimbus-kyverno 5gsec/nimbus-kyverno -n nimbus ``` Install `nimbus-kyverno` adapter using Helm charts locally (for testing) ```bash cd deployments/nimbus-kyverno/ -helm upgrade --install nimbus-kyverno . -n nimbus +helm upgrade --dependency-update --install nimbus-kyverno . -n nimbus ``` ## Values -| Key | Type | Default | Description | -|------------------|--------|------------------------|----------------------------------------------------------------------------| -| image.repository | string | 5gsec/nimbus-kyverno | Image repository from which to pull the `nimbus-kyverno` adapter's image | -| image.pullPolicy | string | Always | `nimbus-kyverno` adapter image pull policy | -| image.tag | string | latest | `nimbus-kyverno` adapter image tag | - -## Verify if all the resources are up and running - -Once done, the following resources will exist in your cluster: - -```shell -$ kubectl get all -n nimbus -l app.kubernetes.io/instance=nimbus-kyverno -NAME READY STATUS RESTARTS AGE -pod/nimbus-kyverno-7f6854cf8f-gm7c8 1/1 Running 0 3m25s - -NAME READY UP-TO-DATE AVAILABLE AGE -deployment.apps/nimbus-kyverno 1/1 1 1 3m25s - -NAME DESIRED CURRENT READY AGE -replicaset.apps/nimbus-kyverno-7f6854cf8f 1 1 1 3m25s -``` +| Key | Type | Default | Description | 
+|------------------|--------|----------------------|---------------------------------------------------------------------------------------------------------------------------| +| image.repository | string | 5gsec/nimbus-kyverno | Image repository from which to pull the `nimbus-kyverno` adapter's image | +| image.pullPolicy | string | Always | `nimbus-kyverno` adapter image pull policy | +| image.tag | string | latest | `nimbus-kyverno` adapter image tag | +| autoDeploy | bool | true | Auto deploy [Kyverno](https://kyverno.io/) in [Standalone](https://kyverno.io/docs/installation/methods/#standalone) mode | ## Uninstall the Kyverno adapter diff --git a/deployments/nimbus-kyverno/values.yaml b/deployments/nimbus-kyverno/values.yaml index d68a837c..dbf2c9d1 100644 --- a/deployments/nimbus-kyverno/values.yaml +++ b/deployments/nimbus-kyverno/values.yaml @@ -1,5 +1,7 @@ # Default values for nimbus-kyverno. +autoDeploy: true + image: repository: 5gsec/nimbus-kyverno pullPolicy: Always @@ -20,4 +22,4 @@ serviceAccount: securityContext: runAsNonRoot: true - runAsUser: 65535 \ No newline at end of file + runAsUser: 65535 diff --git a/deployments/nimbus/Chart.yaml b/deployments/nimbus/Chart.yaml index d036bad3..e284e4aa 100644 --- a/deployments/nimbus/Chart.yaml +++ b/deployments/nimbus/Chart.yaml 
@@ -1,24 +1,32 @@ apiVersion: v2 name: nimbus -description: A Helm chart for Nimbus - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. +description: A Helm chart for Nimbus operator. type: application - +kubeVersion: ">= 1.25" # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 +version: "0.1.2" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. + appVersion: "0.1.1" + +dependencies: + - name: nimbus-kubearmor + version: ">= 0.1.2" + repository: https://5gsec.github.io/charts + condition: autoDeploy.kubearmor + + - name: nimbus-netpol + version: ">= 0.1.2" + repository: https://5gsec.github.io/charts + condition: autoDeploy.netpol + + - name: nimbus-kyverno + version: ">= 0.1.0" + repository: https://5gsec.github.io/charts + condition: autoDeploy.kyverno diff --git a/deployments/nimbus/Readme.md b/deployments/nimbus/Readme.md index 7dd05fa4..c165158a 100644 --- a/deployments/nimbus/Readme.md +++ b/deployments/nimbus/Readme.md 
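Review bot: The version floors for the adapter subcharts admit releases that predate the feature this commit adds: `nimbus-kubearmor` is constrained to `>= 0.1.2` and `nimbus-kyverno` to `>= 0.1.0`, yet the `autoDeploy` dependency wiring lands in 0.1.3 and 0.1.1 respectively in this same diff, so an install that resolves the older published charts would deploy adapters without their engines. Raising the floors to the versions bumped here, `version: ">= 0.1.3"` and `version: ">= 0.1.1"`, keeps the parent chart honest about what it needs; nimbus-netpol's chart is not touched by this diff, so I cannot tell whether `>= 0.1.2` is right for it. `version: "0.1.2"` is quoted here while the other two Chart.yaml files leave `version` bare, which is harmless but worth making consistent.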
@@ -5,39 +5,26 @@ Install Nimbus operator using the official 5GSEC Helm charts. ```shell helm repo add 5gsec https://5gsec.github.io/charts helm repo update 5gsec -helm upgrade --install nimbus-operator 5gsec/nimbus -n nimbus --create-namespace +helm upgrade --dependency-update --install nimbus-operator 5gsec/nimbus -n nimbus --create-namespace ``` Install Nimbus using Helm charts locally (for testing) ```bash cd deployments/nimbus/ -helm upgrade --install nimbus-operator . -n nimbus --create-namespace +helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace ``` ## Values -| Key | Type | Default | Description | -|------------------|--------|--------------|--------------------------------------------------------| -| image.repository | string | 5gsec/nimbus | Image repository from which to pull the operator image | -| image.pullPolicy | string | Always | Operator image pull policy | -| image.tag | string | latest | Operator image tag | - -## Verify if all the resources are up and running - -Once done, the following resources will exist in your cluster: - -```shell -$ kubectl get all -n nimbus -l app.kubernetes.io/instance=nimbus-operator -NAME READY STATUS RESTARTS AGE -pod/nimbus-operator-57dc75bc4d-9gd5n 1/1 Running 0 20m - -NAME READY UP-TO-DATE AVAILABLE AGE -deployment.apps/nimbus-operator 1/1 1 1 20m - -NAME DESIRED CURRENT READY AGE -replicaset.apps/nimbus-operator-57dc75bc4d 1 1 1 20m -``` +| Key | Type | Default | Description | +|----------------------|--------|--------------|---------------------------------------------------------------------------------------------------------------------------| +| image.repository | string | 5gsec/nimbus | Image repository from which to pull the operator image | +| image.pullPolicy | string | Always | Operator image pull policy | +| image.tag | string | latest | Operator image tag | +| autoDeploy.kubearmor | bool | true | Auto deploy [KubeArmor](https://kubearmor.io/) adapter | +| 
autoDeploy.netpol | bool | true | Auto deploy [Kubernetes NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) adapter | +| autoDeploy.kyverno | bool | true | Auto deploy [Kyverno](https://kyverno.io/) adapter | ## Uninstall the Operator diff --git a/deployments/nimbus/values.yaml b/deployments/nimbus/values.yaml index a0d3a927..afb3a473 100644 --- a/deployments/nimbus/values.yaml +++ b/deployments/nimbus/values.yaml @@ -1,5 +1,10 @@ # Default values for nimbus. +autoDeploy: + kubearmor: true + netpol: true + kyverno: true + replicaCount: 1 image: diff --git a/docs/getting-started.md b/docs/getting-started.md index a643299f..aa784a4c 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md 
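Review bot: The parent chart's new `autoDeploy` block only controls whether each adapter subchart is rendered; the adapters' own default-on flags that pull in KubeArmor and Kyverno (`autoDeploy` in nimbus-kubearmor and nimbus-kyverno) are not surfaced here, so a default `helm install` of this chart now transitively installs both engines cluster-wide, and the only way to keep an adapter while skipping its engine is an undocumented `--set nimbus-kubearmor.autoDeploy=false`. Declaring the forwarded values explicitly in values.yaml documents the chain and gives users a single place to turn it off. `replicaCount` and the keys after it are unchanged by the hunk.
```yaml
# … unchanged: autoDeploy.kubearmor / netpol / kyverno block added above …

# Values forwarded to the adapter subcharts. Each adapter deploys its security
# engine by default; set these to false to install an adapter without its engine.
nimbus-kubearmor:
  autoDeploy: true
nimbus-kyverno:
  autoDeploy: true

# … unchanged: replicaCount, image …
```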
@@ -45,101 +45,85 @@ Follow [this](../deployments/nimbus/Readme.md) guide to install `nimbus` operato Just like Nimbus, there are various ways of installing Security engine adapters. -## nimbus-kubearmor +- ## nimbus-kubearmor + ### From source -> [!Note] -> The `nimbus-kubearmor` adapter leverages the [KubeArmor](https://kubearmor.io) security engine for its functionality. -> To use this adapter, you'll need KubeArmor installed. Please -> follow [this](https://github.com/kubearmor/KubeArmor/blob/main/getting-started/deployment_guide.md) guide for -> installation. -> Creating a KubeArmorPolicy resource without KubeArmor will have no effect. + Clone the repository: -### From source + ```shell + git clone https://github.com/5GSEC/nimbus.git + ``` -Clone the repository: + Go to nimbus-kubearmor directory: -```shell -git clone https://github.com/5GSEC/nimbus.git -``` + ```shell + cd nimbus/pkg/adapter/nimbus-kubearmor + ``` -Go to nimbus-kubearmor directory: + Run `nimbus-kubearmor` adapter: -```shell -cd nimbus/pkg/adapter/nimbus-kubearmor -``` + ```shell + make run + ``` -Run `nimbus-kubearmor` adapter: + ### From Helm Chart -```shell -make run -``` + Follow [this](../deployments/nimbus-kubearmor/Readme.md) guide to install `nimbus-kubearmor` adapter. -### From Helm Chart +- ## nimbus-netpol -Follow [this](../deployments/nimbus-kubearmor/Readme.md) guide to install `nimbus-kubearmor` adapter. + > [!Note] + > The `nimbus-netpol` adapter leverages + > the [network plugin](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). + > To use network policies, you must be using a networking solution which supports NetworkPolicy. Creating a + > NetworkPolicy resource without a controller that implements it will have no effect. -## nimbus-netpol + ### From source -> [!Note] -> The `nimbus-netpol` adapter leverages -> the [network plugin](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). 
-> To use network policies, you must be using a networking solution which supports NetworkPolicy. Creating a -> NetworkPolicy resource without a controller that implements it will have no effect. + Clone the repository: -### From source + ```shell + git clone https://github.com/5GSEC/nimbus.git + ``` -Clone the repository: + Go to nimbus-netpol directory: -```shell -git clone https://github.com/5GSEC/nimbus.git -``` + ```shell + cd nimbus/pkg/adapter/nimbus-netpol + ``` -Go to nimbus-netpol directory: + Run `nimbus-netpol` adapter: -```shell -cd nimbus/pkg/adapter/nimbus-netpol -``` + ```shell + make run + ``` -Run `nimbus-netpol` adapter: + ### From Helm Chart -```shell -make run -``` - -### From Helm Chart - -Follow [this](../deployments/nimbus-netpol/Readme.md) guide to install `nimbus-netpol` adapter. + Follow [this](../deployments/nimbus-netpol/Readme.md) guide to install `nimbus-netpol` adapter. -## nimbus-kyverno +- ## nimbus-kyverno -> [!Note] -> The `nimbus-kyverno` adapter leverages the [Kyverno](https://kyverno.io/) security engine for its functionality. -> To use this adapter, you'll need Kyverno installed. Please -> follow [this](https://kyverno.io/docs/installation/methods/) guide for -> installation. -> Creating a KyvernoPolicy resource without Kyverno will have no effect. + ### From source -### From source + Clone the repository: -Clone the repository: + ```shell + git clone https://github.com/5GSEC/nimbus.git + ``` -```shell -git clone https://github.com/5GSEC/nimbus.git -``` + Go to nimbus-kyverno directory: -Go to nimbus-kyverno directory: + ```shell + cd nimbus/pkg/adapter/nimbus-kyverno + ``` -```shell -cd nimbus/pkg/adapter/nimbus-kyverno -``` - -Run `nimbus-kyverno` adapter: - -```shell -make run -``` + Run `nimbus-kyverno` adapter: -### From Helm Chart + ```shell + make run + ``` -Follow [this](../deployments/nimbus-kyverno/Readme.md) guide to install `nimbus-kyverno` adapter. 
+ ### From Helm Chart + Follow [this](../deployments/nimbus-kyverno/Readme.md) guide to install `nimbus-kyverno` adapter. diff --git a/docs/quick-tutorials.md b/docs/quick-tutorials.md index 37c0ab7a..5ce53700 100644 --- a/docs/quick-tutorials.md +++ b/docs/quick-tutorials.md @@ -2,12 +2,7 @@ ## Prerequisites -- **Nimbus operator**: Follow [this](../deployments/nimbus/Readme.md) guide to install `nimbus` operator. -- Nimbus adapters: To generate multiple security engines policies - - `nimbus-kubearmor`: Follow [this](../deployments/nimbus-kubearmor/Readme.md) guide to install `nimbus-kubearmor` - adapter. - - `nimbus-netpol`: Follow [this](../deployments/nimbus-netpol/Readme.md) guide to install `nimbus-netpol` adapter. - - `nimbus-kyverno`: Follow [this](../deployments/nimbus-kyverno/Readme.md) guide to install `nimbus-kyverno` adapter. +- **Nimbus suite**: Follow [this](../deployments/nimbus/Readme.md) guide to install `nimbus` operator and its adapters. ## Create a sample deployment @@ -38,6 +33,7 @@ dns-manipulation Created 9s ``` Output in `-o wide` for detailed info: + ```shell $ kubectl get securityintent dns-manipulation -o wide NAME STATUS AGE ID ACTION @@ -102,6 +98,7 @@ Events: ``` ## Verify the Security Engines policies + Review the policies that are successfully generated as part of `DNSManipulation` SecurityIntent and SecurityIntentBinding: