add support for crown jewel policies #739

Open
wants to merge 2 commits into
base: crown-jewel
72 changes: 65 additions & 7 deletions src/cluster/k8sClientHandler.go
Expand Up @@ -6,8 +6,10 @@ import (
"sort"
"strings"

"github.com/accuknox/auto-policy-discovery/src/config"
"github.com/accuknox/auto-policy-discovery/src/libs"
"github.com/accuknox/auto-policy-discovery/src/types"
"github.com/rs/zerolog/log"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
Expand Down Expand Up @@ -346,6 +348,7 @@ func GetClusterNameFromK8sClient() string {

func GetDeploymentsFromK8sClient() []types.Deployment {
results := []types.Deployment{}
nsNotFilter := config.CurrentCfg.ConfigSysPolicy.NsNotFilter

client := ConnectK8sClient()
if client == nil {
Expand All @@ -361,8 +364,10 @@ func GetDeploymentsFromK8sClient() []types.Deployment {
}

for _, d := range deployments.Items {
if d.Namespace == "kube-system" {
continue
for _, notns := range nsNotFilter {
if strings.Contains(d.Namespace, notns) {
continue
}
}

if d.Spec.Selector.MatchLabels != nil {
Expand All @@ -379,9 +384,9 @@ func GetDeploymentsFromK8sClient() []types.Deployment {
})
}
}

results = append(results, GetReplicaSetsFromK8sClient()...)
results = append(results, GetStatefulSetsFromK8sClient()...)
results = append(results, GetDaemonSetsFromK8sClient()...)

return results
}
Expand All @@ -392,6 +397,7 @@ func GetDeploymentsFromK8sClient() []types.Deployment {

func GetReplicaSetsFromK8sClient() []types.Deployment {
results := []types.Deployment{}
nsNotFilter := config.CurrentCfg.ConfigSysPolicy.NsNotFilter

client := ConnectK8sClient()
if client == nil {
Expand All @@ -408,8 +414,10 @@ func GetReplicaSetsFromK8sClient() []types.Deployment {

for _, rs := range replicasets.Items {
if rs.OwnerReferences == nil {
if rs.Namespace == "kube-system" {
continue
for _, notns := range nsNotFilter {
if strings.Contains(rs.Namespace, notns) {
continue
}
}

if rs.Spec.Selector.MatchLabels != nil {
Expand All @@ -430,12 +438,60 @@ func GetReplicaSetsFromK8sClient() []types.Deployment {
return results
}

// ================= //
// == Daemonset == //
// ================= //

func GetDaemonSetsFromK8sClient() []types.Deployment {
results := []types.Deployment{}
nsNotFilter := config.CurrentCfg.ConfigSysPolicy.NsNotFilter

client := ConnectK8sClient()
if client == nil {
log.Error().Msg("failed to create k8s client")
return results
}

// get namespaces from k8s api client
daemonsets, err := client.AppsV1().DaemonSets("").List(context.Background(), metav1.ListOptions{})
if err != nil {
log.Error().Msg(err.Error())
return results
}

for _, ds := range daemonsets.Items {
if ds.OwnerReferences == nil {
for _, notns := range nsNotFilter {
if strings.Contains(ds.Namespace, notns) {
continue
}
}

if ds.Spec.Selector.MatchLabels != nil {
var labels []string

for k, v := range ds.Spec.Selector.MatchLabels {
labels = append(labels, k+"="+v)
}

results = append(results, types.Deployment{
Name: ds.Name,
Namespace: ds.Namespace,
Labels: strings.Join(labels, ","),
})
}
}
}
return results
}

// ================= //
// == StatefulSet == //
// ================= //

func GetStatefulSetsFromK8sClient() []types.Deployment {
results := []types.Deployment{}
nsNotFilter := config.CurrentCfg.ConfigSysPolicy.NsNotFilter

client := ConnectK8sClient()
if client == nil {
Expand All @@ -452,8 +508,10 @@ func GetStatefulSetsFromK8sClient() []types.Deployment {

for _, sts := range statefulset.Items {
if sts.OwnerReferences == nil {
if sts.Namespace == "kube-system" {
continue
for _, notns := range nsNotFilter {
if strings.Contains(sts.Namespace, notns) {
continue
}
}

if sts.Spec.Selector.MatchLabels != nil {
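Review bot: The `continue` inside `for _, notns := range nsNotFilter` in GetDeploymentsFromK8sClient, GetReplicaSetsFromK8sClient, GetDaemonSetsFromK8sClient and GetStatefulSetsFromK8sClient only advances the inner loop, so no workload is ever skipped; the replaced `if d.Namespace == "kube-system" { continue }` did skip, so after this change kube-system (and anything else listed in `ns-not-filter`) silently gets crown-jewel policies generated for it. `strings.Contains` is also a substring match, so an entry such as `kube` would drop `kube-public` and `kube-node-lease` too; if `ns-not-filter` is meant to be exact, compare with `==` instead. Suggest one helper and `if namespaceFiltered(d.Namespace, nsNotFilter) { continue }` at each of the four sites, as sketched below; the comment `// get namespaces from k8s api client` above the DaemonSets list call should also say daemonsets. GetStatefulSetsFromK8sClient's body continues past the last hunk.
```go
// namespaceFiltered reports whether ns matches an entry of the ns-not-filter list.
// NOTE(review): keeps the hunk's strings.Contains semantics; use == if exact match is intended.
func namespaceFiltered(ns string, nsNotFilter []string) bool {
	for _, notns := range nsNotFilter {
		if strings.Contains(ns, notns) {
			return true
		}
	}
	return false
}

// … in GetDeploymentsFromK8sClient (same pattern in the ReplicaSet, DaemonSet and StatefulSet loops) …
for _, d := range deployments.Items {
	if namespaceFiltered(d.Namespace, nsNotFilter) {
		continue
	}
	// … unchanged: MatchLabels handling and results append …
}
```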
9 changes: 7 additions & 2 deletions src/conf/local-file.yaml
Expand Up @@ -119,8 +119,13 @@ recommend:
operation-mode: 1 # 1: cronjob | 2: one-time-job
cron-job-time-interval: "1h0m00s" # format: XhYmZs
recommend-host-policy: true
template-version: "" # policy template version to be used for recommendation (keep empty to fetches latest)
admission-controller-policy: false
template-version: "v0.2.2" # policy template version to be used for recommendation (keep empty to fetches latest)

# Recommended policies configuration
crownjewel:
operation-mode: 1 # 1: cronjob | 2: one-time-job
cron-job-time-interval: "0h0m20s" # format: XhYmZs

# license
license:
enabled: false
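Review bot: `cron-job-time-interval: "0h0m20s"` under the new `crownjewel` block schedules the crown-jewel scan every 20 seconds, while the sibling `local.yaml` in this PR uses `"1h0m00s"`; each run lists every Deployment, ReplicaSet, StatefulSet and DaemonSet cluster-wide (per the k8sClientHandler.go change), so a 20-second default looks like a debugging value that should not ship in a sample config. The header comment `# Recommended policies configuration` above `crownjewel:` is copied from the `recommend` block; suggest `# Crown jewel policies configuration`. The `template-version` default also changes here from `""` to `"v0.2.2"`, which pins the template version for anyone copying this file — if intentional, it deserves a sentence in the PR description.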
5 changes: 5 additions & 0 deletions src/conf/local.yaml
Expand Up @@ -86,6 +86,11 @@ recommend:
template-version: ""
admission-controller-policy: false

# Recommended policies configuration
crownjewel:
operation-mode: 1 # 1: cronjob | 2: one-time-job
cron-job-time-interval: "1h0m00s" # format: XhYmZs

# license
license:
enabled: false
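Review bot: The header comment `# Recommended policies configuration` above the new `crownjewel:` block is copied from the `recommend` section and describes the wrong feature; suggest `# Crown jewel policies configuration`, and a note on which value of `operation-mode` (1 or 2) is expected when the key is omitted, since the loader in configManager.go reads it with `viper.GetInt` and no default.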
26 changes: 26 additions & 0 deletions src/config/configManager.go
Expand Up @@ -219,6 +219,13 @@ func LoadConfigFromFile() {
RecommendTemplateVersion: viper.GetString("recommend.template-version"),
}

// crown jewel policy configurations
CurrentCfg.ConfigCrownjewelPolicy = types.ConfigCrownjewelPolicy{
CronJobTimeInterval: "@every " + viper.GetString("crownjewel.cron-job-time-interval"),
OneTimeJobTimeSelection: "", // e.g., 2021-01-20 07:00:23|2021-01-20 07:00:25
OperationMode: viper.GetInt("crownjewel.operation-mode"),
}

// load database
CurrentCfg.ConfigDB = LoadConfigDB()

Expand Down Expand Up @@ -533,6 +540,25 @@ func GetCfgRecommendAdmissionControllerPolicy() bool {
return CurrentCfg.ConfigRecommendPolicy.RecommendAdmissionControllerPolicy
}

// ================================== //
// == Get Crown Jewel Config Info == //
// ================================ //

// run the Crown jewel scan once
func GetCfgCrownjewelOneTime() string {
return CurrentCfg.ConfigCrownjewelPolicy.OneTimeJobTimeSelection
}

// run the Crown jewel scan as a cron job
func GetCfgCrownjewelCronJobTime() string {
return CurrentCfg.ConfigCrownjewelPolicy.CronJobTimeInterval
}

// dont' run the Crown jewel scan
func GetCfgCrownjewelOperationMode() int {
return CurrentCfg.ConfigCrownjewelPolicy.OperationMode
}

func GetCfgRecommendTemplateVersion() string {
return CurrentCfg.ConfigRecommendPolicy.RecommendTemplateVersion
}
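Review bot: The comment `// dont' run the Crown jewel scan` on GetCfgCrownjewelOperationMode is wrong and misspelled — the function returns the configured mode, it does not disable anything; suggest `// GetCfgCrownjewelOperationMode returns the crown jewel scan mode (1: cronjob, 2: one-time-job, per the sample configs).` and name-prefixed comments on the other two getters as well. In LoadConfigFromFile, `"@every " + viper.GetString("crownjewel.cron-job-time-interval")` yields the bare string `@every ` when the key is absent from an older config, which the scheduler will presumably reject at registration time rather than at load; a check like `if interval == "" { log.Warn().Msg("crownjewel.cron-job-time-interval not set") }` before the concatenation would surface that at startup. `OperationMode` is likewise taken from `viper.GetInt` unvalidated, so a value other than 1 or 2 presumably runs nothing, silently. The separator under `// == Get Crown Jewel Config Info == //` is also two characters shorter than its top line.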