Merge branch 'main' into mutate_logic_update

Signed-off-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com>
5GSEC · Jun 26, 2024 · 3ed0b2e · 3ed0b2e
2 parents 794b380 + 7f047bd
commit 3ed0b2e
Show file tree

Hide file tree

Showing 9 changed files with 60 additions and 32 deletions.
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
@@ -153,13 +153,18 @@ jobs:
             kind load docker-image 5gsec/nimbus:latest --name=testing
 
         - name: Install Nimbus
+          working-directory: ./deployments/nimbus
           run: |
-            helm upgrade --install nimbus-operator deployments/nimbus -n nimbus --create-namespace --set image.pullPolicy=Never
+            helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace \
+            --set image.pullPolicy=Never \
+            --set autoDeploy.kubearmor=false \
+            --set autoDeploy.kyverno=false \
+            --set autoDeploy.netpol=false
 
         - name: Wait for Nimbus to start
           run: |
             kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus
-            kubectl get pods -A
+            kubectl get pods -n nimbus
 
         - name: Run Tests
           run: make integration-test
@@ -183,7 +188,7 @@ jobs:
           uses: helm/kind-action@v1
           with:
             cluster_name: testing
-        
+
         - name: Build nimbus image and load in the kind cluster
           run: |
             make docker-build
@@ -200,30 +205,26 @@ jobs:
           run: |
             make docker-build
             kind load docker-image 5gsec/nimbus-kubearmor:latest --name=testing 
-            
+
         - name: Build nimbus-kyverno image and load in the kind cluster
           working-directory: ./pkg/adapter/nimbus-kyverno
           run: |
             make docker-build
             kind load docker-image 5gsec/nimbus-kyverno:latest --name=testing 
-          
-        - name: Install Kubearmor CRDs
-          run: |
-            kubectl create -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/deployments/CRD/KubeArmorPolicy.yaml
-
-        - name: Install Kyverno CRDs
-          run: |
-            kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/crds/kyverno/kyverno.io_clusterpolicies.yaml 
-            kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/crds/kyverno/kyverno.io_policies.yaml
 
         - name: Install Nimbus
+          working-directory: ./deployments/nimbus
           run: |
-            helm upgrade --install nimbus-operator deployments/nimbus -n nimbus --create-namespace --set image.pullPolicy=Never
+            helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace \
+            --set image.pullPolicy=Never \
+            --set autoDeploy.kubearmor=false \
+            --set autoDeploy.kyverno=false \
+            --set autoDeploy.netpol=false
 
         - name: Wait for Nimbus to start
           run: |
             kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus
-            kubectl get pods -A
+            kubectl get pods -n nimbus
 
         - name: Install nimbus-netpol
           working-directory: deployments/nimbus-netpol/
@@ -233,27 +234,27 @@ jobs:
         - name: Wait for nimbus-netpol to start
           run: |
             kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus-netpol
-            kubectl get pods -A
+            kubectl get pods -n nimbus
 
         - name: Install nimbus-kubearmor
           working-directory: deployments/nimbus-kubearmor/
           run: |
-            helm upgrade --install nimbus-kubearmor . -n nimbus --set image.pullPolicy=Never
+            helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus --set image.pullPolicy=Never
 
         - name: Wait for nimbus-kubearmor to start
           run: |
             kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus-kubearmor
-            kubectl get pods -A
+            kubectl get pods -n nimbus
 
         - name: Install nimbus-kyverno
           working-directory: deployments/nimbus-kyverno/
           run: |
-            helm upgrade --install nimbus-kyverno . -n nimbus --set image.pullPolicy=Never
-  
+            helm upgrade --dependency-update --install nimbus-kyverno . -n nimbus --set image.pullPolicy=Never
+
         - name: Wait for nimbus-kyverno to start
           run: |
             kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus-kyverno
-            kubectl get pods -A
-            
+            kubectl get pods -n nimbus
+
         - name: Run Tests
           run: make e2e-test
diff --git a/deployments/nimbus-kyverno/templates/clusterrole.yaml b/deployments/nimbus-kyverno/templates/clusterrole.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: background-controller
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/part-of: kyverno
+  name: kyverno:update-resources
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - update
+  - patch
diff --git a/pkg/adapter/nimbus-k8tls/main.go b/pkg/adapter/nimbus-k8tls/main.go
@@ -16,7 +16,7 @@ import (
 )
 
 func main() {
-	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
+	ctrl.SetLogger(zap.New())
 	logger := ctrl.Log
 
 	ctx, cancelFunc := context.WithCancel(context.Background())

diff --git a/pkg/adapter/nimbus-k8tls/manager/cronjob.go b/pkg/adapter/nimbus-k8tls/manager/cronjob.go
@@ -54,7 +54,7 @@ func createOrUpdateCj(ctx context.Context, logger logr.Logger, cwnp v1alpha1.Clu
 		logger.Info("configured Kubernetes CronJob", "CronJob.Name", cronJob.Name, "CronJob.Namespace", cronJob.Namespace)
 	}
 
-	if err = adapterutil.UpdateCwnpStatus(ctx, k8sClient, "CronJob/"+cronJob.Name, cwnp.Name, false); err != nil {
+	if err = adapterutil.UpdateCwnpStatus(ctx, k8sClient, cronJob.Namespace+"/CronJob/"+cronJob.Name, cwnp.Name, false); err != nil {
 		logger.Error(err, "failed to update ClusterNimbusPolicy status")
 	}
 }
@@ -67,7 +67,7 @@ func deleteCronJobs(ctx context.Context, logger logr.Logger, cwnpName string, cr
 			continue
 		}
 
-		if err := adapterutil.UpdateCwnpStatus(ctx, k8sClient, "CronJob/"+cronJob.Name, cwnpName, true); err != nil {
+		if err := adapterutil.UpdateCwnpStatus(ctx, k8sClient, cronJob.Namespace+"/CronJob/"+cronJob.Name, cwnpName, true); err != nil {
 			logger.Error(err, "failed to update ClusterNimbusPolicy status")
 		}
 		logger.Info("Dangling Kubernetes CronJob deleted", "CronJobJob.Name", cronJob.Name, "CronJob.Namespace", cronJob.Namespace)

diff --git a/pkg/adapter/nimbus-k8tls/manager/k8tls.go b/pkg/adapter/nimbus-k8tls/manager/k8tls.go
@@ -202,8 +202,16 @@ func setupK8tlsEnv(ctx context.Context, cwnp v1alpha1.ClusterNimbusPolicy, schem
 	objs := []client.Object{ns, cm, sa, clusterRole, clusterRoleBinding}
 	for idx := range objs {
 		objToCreate := objs[idx]
-		if err := ctrl.SetControllerReference(&cwnp, objToCreate, scheme); err != nil {
-			return err
+
+		// Don't set owner ref on namespace. In environments with configured Pod Security
+		// Standards labelling namespaces becomes a requirement. However, on deletion of
+		// CWNP a namespace with ownerReferences set also gets deleted. Since we need to
+		// keep the nimbus-k8tls-env namespace labeled, removing the ownerReferences
+		// prevents this deletion.
+		if idx != 0 {
+			if err := ctrl.SetControllerReference(&cwnp, objToCreate, scheme); err != nil {
+				return err
+			}
 		}
 
 		var existingObj client.Object

diff --git a/pkg/adapter/nimbus-kyverno/clusterrole.yaml b/pkg/adapter/nimbus-kyverno/clusterrole.yaml
@@ -5,7 +5,7 @@ metadata:
     app.kubernetes.io/component: background-controller
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/part-of: kyverno
-  name: kyverno:update-pods
+  name: kyverno:update-resources
 rules:
 - apiGroups:
   - '*'

diff --git a/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go b/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go
@@ -72,7 +72,7 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 			resourceFilter = kyvernov1.ResourceFilter{
 				ResourceDescription: kyvernov1.ResourceDescription{
 					Kinds: []string{
-						"v1/Pod",
+						"apps/v1/Deployment",
 					},
 					Namespaces: cnp.Spec.NsSelector.MatchNames,
 					Selector: &metav1.LabelSelector{

diff --git a/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go b/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go
@@ -189,6 +189,12 @@ func cocoRuntimeAddition(np *v1alpha1.NimbusPolicy, rule v1alpha1.Rule) ([]kyver
 									Kinds: []string{
 										"apps/v1/Deployment",
 									},
+						Targets: []kyvernov1.TargetResourceSpec{
+							kyvernov1.TargetResourceSpec{
+								ResourceSpec: kyvernov1.ResourceSpec{
+									APIVersion: "apps/v1",
+									Kind:       "Deployment",
+									Namespace:  np.Namespace,
 								},
 							},
 						},

diff --git a/pkg/processor/policybuilder/nimbuspolicy_builder.go b/pkg/processor/policybuilder/nimbuspolicy_builder.go
@@ -46,9 +46,6 @@ func BuildNimbusPolicy(ctx context.Context, logger logr.Logger, k8sClient client
 	if err != nil {
 		return nil, err
 	}
-	if len(matchLabels) == 0 {
-		return nil, errors.Wrap(err, "No labels matched the CEL expressions, aborting NimbusPolicy creation due to missing keys in labels")
-	}
 
 	nimbusPolicy := &v1.NimbusPolicy{
 		ObjectMeta: metav1.ObjectMeta{