feat: Feature to select namespaces (match or exclude), resources within a namespace, and nodes in ClusterIntentBinding #108
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SecurityIntentBinding only
- Errors when run together
- Also, one nimbus policy per ns is being created - There is a reconciler error for update. - Potential fix is to backoff for some time
- Equality function added but not used - Equality function can be used to add eliminate unnecessary updates
- A given CSIB cannot contain both match and exclude parameters
…us into shiv/namespace_exclude
- If csib is invalid, status ValidationFail is set - slices.Contain() is used to reduce code - A blacklist is introduced, to avoid creation of Nimbus Policies in those ns
VedRatan
reviewed
May 31, 2024
There was a problem hiding this comment.
@shivaccuknox you need to run make test-doc to reflect your changes in e2e-tests and integration tests
anurag-rajawat
requested changes
Jun 2, 2024
Signed-off-by: shivaccuknox <150668714+shivaccuknox@users.noreply.github.com>
|
After applying
$ kubectl get si,sib,np,csib,cwnp,ksp,netpol,pol,cpol -A
NAME STATUS AGE
securityintent.intent.security.nimbus.com/escape-to-host Created 17m
NAMESPACE NAME STATUS AGE POLICIES
chainsaw-hardy-boar nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
default nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
istio-system nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
k0s-autopilot nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
kube-node-lease nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
kube-public nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
kubearmor nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
kyverno nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
nimbus nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
NAMESPACE NAME STATUS AGE INTENTS CLUSTERNIMBUSPOLICY
clustersecurityintentbinding.intent.security.nimbus.com/escape-to-host-binding Created 17m 1 escape-to-host-binding
NAMESPACE NAME STATUS AGE POLICIES
clusternimbuspolicy.intent.security.nimbus.com/escape-to-host-binding Created 17m 0
nimbus/pkg/adapter/idpool/idpool.go Line 27 in 5a42174 {"level":"info","ts":"2024-06-04T14:51:59+05:30","msg":"KubeArmor adapter started"}
{"level":"info","ts":"2024-06-04T14:51:59+05:30","msg":"KubeArmorPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:51:59+05:30","msg":"ClusterNimbusPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:51:59+05:30","msg":"NimbusPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"ClusterNimbusPolicy found","ClusterNimbusPolicy.Name":"escape-to-host-binding"}
No-op for ClusterNimbusPolicy
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"istio-system"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"kyverno"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"nimbus"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"kubearmor"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"chainsaw-hardy-boar"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"k0s-autopilot"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"kube-node-lease"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"kube-public"}
nimbus/pkg/adapter/idpool/idpool.go Lines 44 to 47 in 5a42174 {"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"Kyverno adapter started"}
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"KyvernoClusterPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"KyvernoPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"ClusterNimbusPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"NimbusPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"ClusterNimbusPolicy found","ClusterNimbusPolicy.Name":"escape-to-host-binding"}
{"level":"error","ts":"2024-06-04T14:52:56+05:30","msg":"failed to create KyvernoClusterPolicy","KyvernoClusterPolicy.Name":"escape-to-host-binding-escapetohost","error":"admission webhook \"validate-policy.kyverno.svc\" denied the request: spec.rules[0].match.any[0].selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string(nil), MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: The requirements are not specified in selector","stacktrace":"github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/manager.createOrUpdateKcp\n\t/Users/anurag/Projects/work/nimbus/pkg/adapter/nimbus-kyverno/manager/manager.go:220\ngithub.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/manager.Run\n\t/Users/anurag/Projects/work/nimbus/pkg/adapter/nimbus-kyverno/manager/manager.go:75\nmain.main\n\t/Users/anurag/Projects/work/nimbus/pkg/adapter/nimbus-kyverno/main.go:34\nruntime.main\n\t/opt/homebrew/opt/go/libexec/src/runtime/proc.go:271"} |
|
@VedRatan the e2e-tests are passing, but I'm little surprised given the recent changes. Is there something I might be missing? |
This was referenced Jun 4, 2024
anurag-rajawat
approved these changes
Jun 4, 2024
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This pull request implements the design described in https://docs.google.com/document/d/1-zxAMBpX-ZdpmDTjS0qzmFk5pueOCtLaGa970KJLTNc/edit#heading=h.yr2q844nprgt
Fixes # #105
BREAKING CHANGE:
Checklist
<type>: <description>conventionAdditional information for reviewer
Mention if this PR is part of any design or a continuation of previous PRs