feat: virtual-patch intent (#245)

* feat: virtual-patch initial commit Signed-off-by: VedRatan <vedratan8@gmail.com> * feat: added kyverno, karmor, netpol policy creation, deletion, and updation logic Signed-off-by: VedRatan <vedratan8@gmail.com> * feat: added support for network policy Signed-off-by: VedRatan <vedratan8@gmail.com> * feat: added scheduled fetching of latest CVE data Signed-off-by: VedRatan <vedratan8@gmail.com> * chore: resolved all the review comments Signed-off-by: VedRatan <vedratan8@gmail.com> * (docs): added intent description (#265) * fix: Fix CRDs version in PROJECT file Signed-off-by: Anurag Rajawat <anurag@accuknox.com> * doc: Add Intent and CRDs spec docs Signed-off-by: Anurag Rajawat <anurag@accuknox.com> * feat: added intent description Signed-off-by: VedRatan <vedratan8@gmail.com> * docs: added pkg-mgr-execution intent desc Signed-off-by: VedRatan <vedratan8@gmail.com> * docs: added coco-workload intent details Signed-off-by: VedRatan <vedratan8@gmail.com> * docs: update exploit-pfa Signed-off-by: VedRatan <vedratan8@gmail.com> * update command Signed-off-by: VedRatan <vedratan8@gmail.com> * doc: Update docs Signed-off-by: Anurag Rajawat <anurag@accuknox.com> * refactored the docs Signed-off-by: VedRatan <vedratan8@gmail.com> * updated quick-tutorials Signed-off-by: VedRatan <vedratan8@gmail.com> --------- Signed-off-by: Anurag Rajawat <anurag@accuknox.com> Signed-off-by: VedRatan <vedratan8@gmail.com> Co-authored-by: Anurag Rajawat <anurag@accuknox.com> * chore: handled error gracefully, update slice search command Signed-off-by: VedRatan <vedratan8@gmail.com> * fix: tests Signed-off-by: VedRatan <vedratan8@gmail.com> * fix: error handling and review comments Signed-off-by: VedRatan <vedratan8@gmail.com> --------- Signed-off-by: VedRatan <vedratan8@gmail.com> Signed-off-by: Anurag Rajawat <anurag@accuknox.com> Signed-off-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com> Co-authored-by: Anurag Rajawat <anurag@accuknox.com>
5GSEC · Nov 8, 2024 · 67712a9 · 67712a9
1 parent f651a04
commit 67712a9
Show file tree

Hide file tree

Showing 15 changed files with 708 additions and 70 deletions.
diff --git a/docs/intents/escape-to-host.md b/docs/intents/escape-to-host.md
@@ -30,7 +30,7 @@ The escapeToHost intent results in `KyvernoPolicy` and a couple of `KubearmorPol
 
    ```
     params:
-      psa_level: ["restricted"]
+      psaLevel: ["restricted"]
    ```
 
 - The `escapeToHost` intent and corresponding policy work together to establish a strong security posture for the application. By enforcing pod security standards, the policy reduces the risk of container escape, which is critical for maintaining the integrity of the host system.

diff --git a/examples/clusterscoped/escape-to-host-si-csib-with-params.yaml b/examples/clusterscoped/escape-to-host-si-csib-with-params.yaml
@@ -11,7 +11,7 @@ spec:
     description: "A attacker can breach container boundaries and can gain access to the host machine"
     action: Block
     params:
-      psa_level: ["restricted"]
+      psaLevel: ["restricted"]
 ---
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: ClusterSecurityIntentBinding

diff --git a/examples/namespaced/escape-to-host-with-params.yaml b/examples/namespaced/escape-to-host-with-params.yaml
@@ -11,7 +11,7 @@ spec:
     description: "A attacker can breach container boundaries and can gain access to the host machine"
     action: Block
     params:
-      psa_level: ["restricted"]
+      psaLevel: ["restricted"]
 ---
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding

diff --git a/examples/namespaced/virtual-patch-si-sib.yaml b/examples/namespaced/virtual-patch-si-sib.yaml
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntent
+metadata:
+  name: virtual-patch
+spec: 
+  intent:
+    id: virtualPatch
+    description: >
+      There might exist CVE's associated with certain images, adversaries might exploit these CVE and can cause potential threat,
+      to any production server. Check and apply virtual patch for a given set of CVEs as per a schedule
+    action: Block
+    params: 
+      cveList:
+        - "CVE-2024-4439"
+        - "CVE-2024-27268"
+      schedule: ["0 23 * * SUN"]
+
+---
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntentBinding
+metadata:
+  name: virtual-patch-binding
+spec:
+  intents:
+    - name: virtual-patch
+  selector:
+    workloadSelector:
+      matchLabels:
+        app: prod
diff --git a/pkg/adapter/idpool/idpool.go b/pkg/adapter/idpool/idpool.go
@@ -19,6 +19,7 @@ const (
 	CocoWorkload              = "cocoWorkload"
 	AssessTLS                 = "assessTLS"
 	DenyENAccess              = "denyExternalNetworkAccess"
+	VirtualPatch              = "virtualPatch"
 )
 
 // KaIds are IDs supported by KubeArmor.
@@ -45,6 +46,7 @@ var NetPolIDs = []string{
 var KyvIds = []string{
 	EscapeToHost,
 	CocoWorkload,
+	VirtualPatch,
 }
 
 // k8tlsIds are IDs supported by k8tls.

diff --git a/pkg/adapter/nimbus-kyverno/go.mod b/pkg/adapter/nimbus-kyverno/go.mod
@@ -202,6 +202,7 @@ require (
 	github.com/puzpuzpuz/xsync/v2 v2.5.1 // indirect
 	github.com/r3labs/diff v1.1.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/sagikazarmark/locafero v0.3.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect

diff --git a/pkg/adapter/nimbus-kyverno/go.sum b/pkg/adapter/nimbus-kyverno/go.sum
@@ -1225,6 +1225,9 @@ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5X
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052 h1:Qp27Idfgi6ACvFQat5+VJvlYToylpM/hcyLBI3WaKPA=
 github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052/go.mod h1:uvX/8buq8uVeiZiFht+0lqSLBHF+uGV8BrTv8W/SIwk=
+github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=

diff --git a/pkg/adapter/nimbus-kyverno/manager/manager.go b/pkg/adapter/nimbus-kyverno/manager/manager.go
@@ -59,6 +59,7 @@ func Run(ctx context.Context) {
 	deletedKpCh := make(chan common.Request)
 	go watcher.WatchKps(ctx, updatedKpCh, deletedKpCh)
 
+
 	for {
 		select {
 		case <-ctx.Done():
@@ -431,6 +432,9 @@ func createTriggerForKp(ctx context.Context, nameNamespace common.Request) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      nameNamespace.Name + "-trigger-configmap",
 			Namespace: nameNamespace.Namespace,
+			Labels: map[string]string {
+				"trigger" : "configmap",
+			},
 		},
 		Data: map[string]string{
 			"data": "dummy",

diff --git a/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go b/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go
@@ -121,7 +121,7 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 			}
 			matchFilters = append(matchFilters, resourceFilter)
 		}
-	} else if namespaces[0] == "*" && len(labels) == 0  {
+	} else if namespaces[0] == "*" && len(labels) == 0 {
 		if len(excludeNamespaces) > 0 {
 			resourceFilter = kyvernov1.ResourceFilter{
 				ResourceDescription: kyvernov1.ResourceDescription{
@@ -167,7 +167,7 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 					},
 					Mutation: kyvernov1.Mutation{
 						Targets: []kyvernov1.TargetResourceSpec{
-							kyvernov1.TargetResourceSpec{
+							{
 								ResourceSpec: kyvernov1.ResourceSpec{
 									APIVersion: "apps/v1",
 									Kind:       "Deployment",
@@ -185,16 +185,16 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 }
 
 func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule) kyvernov1.ClusterPolicy {
-	var psa_level api.Level = api.LevelBaseline
+	var psaLevel api.Level = api.LevelBaseline
 
-	if rule.Params["psa_level"] != nil {
+	if rule.Params["psaLevel"] != nil {
 
-		switch rule.Params["psa_level"][0] {
+		switch rule.Params["psaLevel"][0] {
 		case "restricted":
-			psa_level = api.LevelRestricted
+			psaLevel = api.LevelRestricted
 
 		default:
-			psa_level = api.LevelBaseline
+			psaLevel = api.LevelBaseline
 		}
 
 	}
@@ -241,7 +241,7 @@ func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule)
 	} else if namespaces[0] == "*" && len(labels) > 0 {
 		if len(excludeNamespaces) > 0 {
 			resourceFilter = kyvernov1.ResourceFilter{
-				ResourceDescription: kyvernov1.ResourceDescription {
+				ResourceDescription: kyvernov1.ResourceDescription{
 					Namespaces: excludeNamespaces,
 				},
 			}
@@ -296,7 +296,7 @@ func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule)
 					},
 					Validation: kyvernov1.Validation{
 						PodSecurity: &kyvernov1.PodSecurity{
-							Level:   psa_level,
+							Level:   psaLevel,
 							Version: "latest",
 						},
 					},
-Original file line number
+Diff line change
@@ Expand Up @@
        ```
         params:
-          psa_level: ["restricted"]
+          psaLevel: ["restricted"]
        ```
     - The `escapeToHost` intent and corresponding policy work together to establish a strong security posture for the application. By enforcing pod security standards, the policy reduces the risk of container escape, which is critical for maintaining the integrity of the host system.
@@ Expand Down @@