From cd488cd038a2659b030fa82713c24488af1e11a8 Mon Sep 17 00:00:00 2001 From: rksharma95 Date: Tue, 12 Nov 2024 17:06:53 +0530 Subject: [PATCH 1/2] handle sctp and add option all to handle all network ops Signed-off-by: rksharma95 --- KubeArmor/BPF/enforcer.bpf.c | 78 +++++++--- KubeArmor/BPF/shared.h | 4 + KubeArmor/enforcer/appArmorProfile.go | 17 ++- KubeArmor/enforcer/bpflsm/enforcer.go | 10 +- KubeArmor/enforcer/bpflsm/rulesHandling.go | 12 +- KubeArmor/enforcer/bpflsm/rulesHelper.go | 90 +++++++++++ KubeArmor/feeder/policyMatcher.go | 50 ++++++- KubeArmor/monitor/syscallParser.go | 140 +++++++++++++++++- deployments/CRD/KubeArmorClusterPolicy.yaml | 29 ++-- deployments/CRD/KubeArmorHostPolicy.yaml | 29 ++-- deployments/CRD/KubeArmorPolicy.yaml | 29 ++-- .../helm/KubeArmor/templates/crds/csp.yaml | 29 ++-- .../helm/KubeArmor/templates/crds/hsp.yaml | 29 ++-- .../helm/KubeArmor/templates/crds/ksp.yaml | 29 ++-- pkg/KubeArmorController/Makefile | 2 +- .../api/security.kubearmor.com/v1/common.go | 2 +- ...ubearmor.com_kubearmorclusterpolicies.yaml | 29 ++-- ...y.kubearmor.com_kubearmorhostpolicies.yaml | 29 ++-- ...urity.kubearmor.com_kubearmorpolicies.yaml | 29 ++-- pkg/KubeArmorController/config/rbac/role.yaml | 2 - .../config/webhook/manifests.yaml | 2 - .../crd/KubeArmorClusterPolicy.yaml | 29 ++-- .../crd/KubeArmorHostPolicy.yaml | 29 ++-- .../crd/KubeArmorPolicy.yaml | 29 ++-- pkg/KubeArmorController/go.mod | 3 - pkg/KubeArmorController/go.sum | 6 - 26 files changed, 522 insertions(+), 244 deletions(-) create mode 100644 KubeArmor/enforcer/bpflsm/rulesHelper.go diff --git a/KubeArmor/BPF/enforcer.bpf.c b/KubeArmor/BPF/enforcer.bpf.c index 8b8344b8fe..632c050e0b 100644 --- a/KubeArmor/BPF/enforcer.bpf.c +++ b/KubeArmor/BPF/enforcer.bpf.c 
@@ -310,8 +310,8 @@ static inline int match_net_rules(int type, int protocol, u32 eventID) {
 return 0;
 bpf_map_update_elem(&bufk, &one, z, BPF_ANY);
- int p0;
- int p1;
+ int p0_t, p1_t;
+ int p0_p, p1_p;
 struct data_t *val = bpf_map_lookup_elem(inner, p);
 bool fromSourceCheck = true;
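Review bot: `p0_t` and `p1_t` are declared here without an initializer, and the next hunk (`@@ -329,30 +329,56 @@`) assigns them only inside `if (type == SOCK_STREAM || ... || type == SOCK_PACKET)`, so for any other `type` value the later `p->path[0] = p0_t; p->path[1] = p1_t;` stores read an indeterminate value — the verifier may reject the program, or the lookup is keyed on garbage. The type-level key is always the pair `(sock_type, type)`, so initialize at the declaration and drop the guard: `int p0_t = sock_type, p1_t = type;`. `match_net_rules` starts before this hunk and continues past it.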
@@ -329,30 +329,56 @@ static inline int match_net_rules(int type, int protocol, u32 eventID) {
 if (src_offset == NULL) fromSourceCheck = false;
- void *ptr = &src_buf->buf[*src_offset];
+ // socket type check
+ if (type == SOCK_STREAM || type == SOCK_DGRAM || type == SOCK_RAW || type == SOCK_RDM || type == SOCK_SEQPACKET || type == SOCK_DCCP || type == SOCK_PACKET) {
+ p0_t = sock_type;
+ p1_t = type;
+ }
+
+ // protocol check
 if (type == SOCK_STREAM && (protocol == IPPROTO_TCP || protocol == 0)) {
- p0 = sock_proto;
- p1 = IPPROTO_TCP;
+ p0_p = sock_proto;
+ p1_p = IPPROTO_TCP;
 } else if (type == SOCK_DGRAM && (protocol == IPPROTO_UDP || protocol == 0)) {
- p0 = sock_proto;
- p1 = IPPROTO_UDP;
+ p0_p = sock_proto;
+ p1_p = IPPROTO_UDP;
 } else if (protocol == IPPROTO_ICMP && (type == SOCK_DGRAM || type == SOCK_RAW)) {
- p0 = sock_proto;
- p1 = IPPROTO_ICMP;
- } else if (type == SOCK_RAW && protocol == 0) {
- p0 = sock_type;
- p1 = SOCK_RAW;
+ p0_p = sock_proto;
+ p1_p = IPPROTO_ICMP;
+ } else if (protocol == IPPROTO_ICMPV6 &&
+ (type == SOCK_DGRAM || type == SOCK_RAW)) {
+ p0_p = sock_proto;
+ p1_p = IPPROTO_ICMPV6;
+ } else if ((type == SOCK_STREAM || type == SOCK_SEQPACKET) && (protocol == IPPROTO_SCTP || protocol == 0)) {
+ p0_p = sock_proto;
+ p1_p = IPPROTO_SCTP;
 } else {
- p0 = sock_proto;
- p1 = protocol;
+ p0_p = sock_proto;
+ p1_p = protocol;
 }
+ // socket type fromsource check
 if (fromSourceCheck) {
+ void *ptr = &src_buf->buf[*src_offset];
 bpf_probe_read_str(p->source, MAX_STRING_SIZE, ptr);
- p->path[0] = p0;
- p->path[1] = p1;
+ p->path[0] = p0_t;
+ p->path[1] = p1_t;
+ bpf_probe_read_str(store->source, MAX_STRING_SIZE, p->source);
+ val = bpf_map_lookup_elem(inner, p);
+ if (val) {
+ match = true;
+ goto decision;
+ }
+ }
+
+ // protocol fromsource check
+ if (fromSourceCheck) {
+ void *ptr = &src_buf->buf[*src_offset];
+ bpf_probe_read_str(p->source, MAX_STRING_SIZE, ptr);
+ p->path[0] = p0_p;
+ p->path[1] = p1_p;
 bpf_probe_read_str(store->source,
 MAX_STRING_SIZE, p->source);
 val = bpf_map_lookup_elem(inner, p);
 if (val) {
@@ -360,10 +386,23 @@ static inline int match_net_rules(int type, int protocol, u32 eventID) {
 goto decision;
 }
 }
- // check for rules without fromSource
+
+ // check for type rules without fromSource
 bpf_map_update_elem(&bufk, &one, z, BPF_ANY);
- p->path[0] = p0;
- p->path[1] = p1;
+ p->path[0] = p0_t;
+ p->path[1] = p1_t;
+
+ val = bpf_map_lookup_elem(inner, p);
+
+ if (val) {
+ match = true;
+ goto decision;
+ }
+
+ // check for protocol rules without fromSource
+ bpf_map_update_elem(&bufk, &one, z, BPF_ANY);
+ p->path[0] = p0_p;
+ p->path[1] = p1_p;
 val = bpf_map_lookup_elem(inner, p);
@@ -425,6 +464,7 @@ static inline int match_net_rules(int type, int protocol, u32 eventID) {
 SEC("lsm/socket_create")
 int BPF_PROG(enforce_net_create, int family, int type, int protocol) {
+ bpf_printk("type: %d protocol: %d", type, protocol);
 return match_net_rules(type, protocol, _SOCKET_CREATE);
 }
diff --git a/KubeArmor/BPF/shared.h b/KubeArmor/BPF/shared.h
index 2dbd0d4b8b..7c1d1f862a 100644
--- a/KubeArmor/BPF/shared.h
+++ b/KubeArmor/BPF/shared.h
@@ -25,6 +25,10 @@ char LICENSE[] SEC("license") = "Dual BSD/GPL";
 #define BLOCK_POSTURE 141
 #define CAPABLE_KEY 200
+enum {
+ IPPROTO_ICMPV6 = 58
+};
+
 enum file_hook_type { dpath = 0, dfileread, dfilewrite };
 enum deny_by_default {
diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go
index a1e2accc5b..c5b6800253 100644
--- a/KubeArmor/enforcer/appArmorProfile.go
+++ b/KubeArmor/enforcer/appArmorProfile.go
@@ -231,6 +231,11 @@ func (ae *AppArmorEnforcer) SetNetworkMatchProtocols(proto tp.NetworkProtocolTyp
 //forcing the protocol to lowercase
 proto.Protocol = strings.ToLower(proto.Protocol)
+ // handle icmpv6 protocol same as icmp
+ if proto.Protocol == "icmpv6" {
+ proto.Protocol = "icmp"
+ }
+
 if !deny {
 prof.Network = head
 }
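Review bot: The type-keyed lookup (`p0_t`/`p1_t`) now runs before the protocol-keyed one and `goto decision` fires on the first hit, so an Allow rule for `stream` settles a TCP or SCTP socket before any `tcp`/`sctp` Block rule is consulted; if `decision` (outside the hunk) simply applies the action of the `val` it was given, a broad type Allow silently shadows a narrower protocol Block. State the precedence in a comment above `// socket type fromsource check`, e.g. `// Type rules (sock_type, type) are matched before protocol rules (sock_proto, proto); the first hit decides.`, or look up both keys and let a Block win before jumping. The two `if (fromSourceCheck)` blocks repeat the `ptr` computation and both `bpf_probe_read_str` calls and differ only in the pair written to `p->path`, so one block that retries the lookup with the second pair would keep the source read in one place. `match_net_rules` begins before and continues after this hunk.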
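Review bot: `bpf_printk("type: %d protocol: %d", type, protocol);` in `enforce_net_create` reads as leftover debugging: it fires on every `socket()` call on the node, writes to the shared tracefs `trace_pipe`, and exposes per-process socket parameters to anyone able to read it. Drop the line before merging, or wrap it in a compile-time debug macro so release builds of the LSM program do not emit it.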
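Review bot: Rewriting `icmpv6` to `icmp` before the rule is added means a policy that names only `icmpv6` produces an AppArmor rule that also covers ICMPv4, for Allow and Block alike; `// handle icmpv6 protocol same as icmp` should spell out that consequence, e.g. `// icmpv6 is folded into icmp in the AppArmor profile, so an icmpv6 rule also applies to ICMPv4.` `SetNetworkMatchProtocols` starts before this hunk.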
@@ -238,7 +243,9 @@ func (ae *AppArmorEnforcer) SetNetworkMatchProtocols(proto tp.NetworkProtocolTyp
 rule.Deny = deny
 rule.Allow = !deny
 if len(proto.FromSource) == 0 {
- addRuletoMap(rule, proto.Protocol, prof.NetworkRules)
+ if proto.Protocol != "all" {
+ addRuletoMap(rule, proto.Protocol, prof.NetworkRules)
+ }
 return
 }
@@ -260,7 +267,9 @@ func (ae *AppArmorEnforcer) SetNetworkMatchProtocols(proto tp.NetworkProtocolTyp
 prof.FromSource[source] = val
 }
 }
- addRuletoMap(rule, proto.Protocol, prof.FromSource[source].NetworkRules)
+ if proto.Protocol != "all" {
+ addRuletoMap(rule, proto.Protocol, prof.FromSource[source].NetworkRules)
+ }
 }
 }
@@ -382,9 +391,9 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 if len(secPolicy.Spec.Network.MatchProtocols) > 0 {
 for _, proto := range secPolicy.Spec.Network.MatchProtocols {
 if proto.Action == "Allow" {
- ae.SetNetworkMatchProtocols(proto, &profile, false, defaultPosture.NetworkAction != "block")
+ ae.SetNetworkMatchProtocols(proto, &profile, false, defaultPosture.NetworkAction != "block" || proto.Protocol == "all")
 } else if proto.Action == "Block" {
- ae.SetNetworkMatchProtocols(proto, &profile, true, true)
+ ae.SetNetworkMatchProtocols(proto, &profile, true, true && proto.Protocol != "all")
 }
 }
 }
diff --git a/KubeArmor/enforcer/bpflsm/enforcer.go b/KubeArmor/enforcer/bpflsm/enforcer.go
index 963eb0f3e6..57857ea971 100644
--- a/KubeArmor/enforcer/bpflsm/enforcer.go
+++ b/KubeArmor/enforcer/bpflsm/enforcer.go
@@ -117,6 +117,12 @@ func NewBPFEnforcer(node tp.Node, pinpath string, logger *fd.Feeder, monitor *mo
 PinPath: pinpath,
 },
 }); err != nil {
+ var ve *ebpf.VerifierError
+ if errors.As(err, &ve) {
+ // Using %+v will print the whole verifier error, not just the last
+ // few lines.
+ be.Logger.Errf("Verifier error: %+v", ve)
+ }
 be.Logger.Errf("error loading BPF LSM objects: %v", err)
 return be, err
 }
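Review bot: The `proto.Protocol == "all"` / `!= "all"` checks in `GenerateProfileBody` compare the raw policy value, yet the CRD pattern in this same patch admits `ALL` and the lowercase normalisation only happens later inside `SetNetworkMatchProtocols`, so an `ALL` rule is passed in with `head`/`deny` computed as for an ordinary protocol and is only dropped at the `addRuletoMap` guards. Compare case-insensitively once, `isAll := strings.EqualFold(proto.Protocol, "all")`, and use it in both calls; `true && proto.Protocol != "all"` then reads simply `!isAll`. `GenerateProfileBody` starts before this hunk.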
@@ -351,9 +357,7 @@ func (be *BPFEnforcer) TraceEvents() {
 sockProtocol = int32(event.Data.Path[1])
 log.Operation = "Network"
 if event.Data.Path[0] == 2 {
- if event.Data.Path[1] == 3 {
- log.Resource = fd.GetProtocolFromName("raw")
- }
+ log.Resource = fd.GetProtocolFromType(int32(event.Data.Path[1]))
 } else if event.Data.Path[0] == 3 {
 log.Resource = fd.GetProtocolFromName(mon.GetProtocol(sockProtocol))
 }
diff --git a/KubeArmor/enforcer/bpflsm/rulesHandling.go b/KubeArmor/enforcer/bpflsm/rulesHandling.go
index dfe92924c2..029174bc9f 100644
--- a/KubeArmor/enforcer/bpflsm/rulesHandling.go
+++ b/KubeArmor/enforcer/bpflsm/rulesHandling.go
@@ -53,11 +53,18 @@ var protocols = map[string]uint8{
 "TCP": 6,
 "UDP": 17,
 "ICMPv6": 58,
+ "SCTP": 132,
 }
 // Socket Type Identifiers for Network Rules
 var netType = map[string]uint8{
- "RAW": 3,
+ "STREAM": 1,
+ "DGRAM": 2,
+ "RAW": 3,
+ "RDM": 4,
+ "SEQPACKET": 5,
+ "DCCP": 6,
+ "PACKET": 10,
 }
 // Array Keys for Network Rule Keys
@@ -251,6 +258,9 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec
 }
 }
+ // handle protocol: all|ALL rules
+ handleAllNetworkRule(&secPolicy.Spec.Network.MatchProtocols)
+
 for _, net := range secPolicy.Spec.Network.MatchProtocols {
 var val [2]uint8
 var key = InnerKey{Path: [256]byte{}, Source: [256]byte{}}
diff --git a/KubeArmor/enforcer/bpflsm/rulesHelper.go b/KubeArmor/enforcer/bpflsm/rulesHelper.go
new file mode 100644
index 0000000000..230f8b345c
--- /dev/null
+++ b/KubeArmor/enforcer/bpflsm/rulesHelper.go
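Review bot: `sockProtocol` already holds `int32(event.Data.Path[1])` two lines above, so the new branch repeats the conversion; `log.Resource = fd.GetProtocolFromType(sockProtocol)` says the same thing and keeps the two branches symmetric. `TraceEvents` continues outside the hunk.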
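Review bot: `handleAllNetworkRule(&secPolicy.Spec.Network.MatchProtocols)` appends the expanded per-type rules into the policy's own `MatchProtocols` slice; if `securityPolicies` carries the policies the caller keeps (the `range` header is outside the hunk, so whether `secPolicy` is a copy is not visible), every call of `UpdateContainerRules` for the same policy grows the slice by another full expansion, and the original `all` entry still reaches the loop below. Have the helper return the expanded slice and range over that, leaving the spec untouched: `for _, net := range handleAllNetworkRule(secPolicy.Spec.Network.MatchProtocols) {`, with the helper's signature changed to take and return `[]tp.NetworkProtocolType`. `UpdateContainerRules` starts before and continues after this hunk.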
@@ -0,0 +1,90 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2022 Authors of KubeArmor
+
+package bpflsm
+
+import (
+ "strings"
+
+ tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
+)
+
+func handleAllNetworkRule(protocols *[]tp.NetworkProtocolType) {
+ allProtocols := []tp.NetworkProtocolType{}
+
+ allWithNoFromSourceAllow := false
+ allWithNoFromSourceBlock := false
+
+ sourcesBlock := map[string]string{}
+ sourcesAllow := map[string]string{}
+
+ for _, net := range *protocols {
+ if strings.ToUpper(net.Protocol) == "ALL" {
+ if len(net.FromSource) == 0 {
+ if net.Action == "Allow" && !allWithNoFromSourceAllow {
+ for r := range netType {
+ allProtocols = append(allProtocols, tp.NetworkProtocolType{
+ Protocol: r,
+ Action: net.Action,
+ })
+ }
+ allWithNoFromSourceAllow = true
+ } else if net.Action == "Block" && !allWithNoFromSourceBlock {
+ for r := range netType {
+ allProtocols = append(allProtocols, tp.NetworkProtocolType{
+ Protocol: r,
+ Action: net.Action,
+ })
+ }
+ allWithNoFromSourceBlock = true
+ }
+ } else {
+ for _, src := range net.FromSource {
+ if _, ok := sourcesAllow[src.Path]; !ok && net.Action == "Allow" {
+ sourcesAllow[src.Path] = net.Action
+ }
+ if _, ok := sourcesBlock[src.Path]; !ok && net.Action == "Block" {
+ sourcesBlock[src.Path] = net.Action
+ }
+ }
+ }
+ }
+ }
+
+ // add all with fromsource rules
+
+ if len(sourcesAllow) > 0 {
+ sources := []tp.MatchSourceType{}
+ for src := range sourcesAllow {
+ sources = append(sources, tp.MatchSourceType{
+ Path: src,
+ })
+ }
+ for r := range netType {
+ allProtocols = append(allProtocols, tp.NetworkProtocolType{
+ Protocol: r,
+ Action: "Allow",
+ FromSource: sources,
+ })
+ }
+ }
+
+ if len(sourcesBlock) > 0 {
+ sources := []tp.MatchSourceType{}
+ for src := range sourcesBlock {
+ sources = append(sources, tp.MatchSourceType{
+ Path: src,
+ })
+ }
+ for r := range netType {
+ allProtocols = append(allProtocols, tp.NetworkProtocolType{
+ Protocol: r,
+ Action: "Block",
+
FromSource: sources,
+ })
+ }
+ }
+
+ *protocols = append(*protocols, allProtocols...)
+
+}
diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
index 9970c228b6..f779a22e46 100644
--- a/KubeArmor/feeder/policyMatcher.go
+++ b/KubeArmor/feeder/policyMatcher.go
@@ -28,10 +28,33 @@ func GetProtocolFromName(proto string) string {
 return "protocol=UDP,type=SOCK_DGRAM"
 case "icmp":
 return "protocol=ICMP,type=SOCK_RAW"
- case "raw":
+ case "icmpv6":
+ return "protocol=ICMPv6,type=SOCK_RAW"
+ case "sctp":
+ return "protocol=SCTP,type=SOCK_STREAM|SOCK_SEQPACKET"
+ default:
+ return proto
+ }
+}
+
+func GetProtocolFromType(proto int32) string {
+ switch proto {
+ case 1:
+ return "type=SOCK_STREAM"
+ case 2:
+ return "type=SOCK_DGRAM"
+ case 3:
 return "type=SOCK_RAW"
+ case 4:
+ return "type=SOCK_RDM"
+ case 5:
+ return "type=SOCK_SEQPACKET"
+ case 6:
+ return "type=SOCK_DCCP"
+ case 10:
+ return "type=SOCK_PACKET"
 default:
- return "unknown"
+ return string(proto)
 }
 }
@@ -44,9 +67,24 @@ func fetchProtocol(resource string) string {
 return "icmp"
 } else if strings.Contains(resource, "SOCK_RAW") {
 return "raw"
+ } else if strings.Contains(resource, "protocol=ICMPv6") {
+ return "icmpv6"
+ } else if strings.Contains(resource, "protocol=SCTP") {
+ return "sctp"
+ } else if strings.Contains(resource, "SOCK_STREAM") {
+ return "stream"
+ } else if strings.Contains(resource, "SOCK_DGRAM") {
+ return "dgram"
+ } else if strings.Contains(resource, "SOCK_RDM") {
+ return "rdm"
+ } else if strings.Contains(resource, "SOCK_SEQPACKET") {
+ return "seqpacket"
+ } else if strings.Contains(resource, "SOCK_DCCP") {
+ return "dccp"
+ } else if strings.Contains(resource, "SOCK_PACKET") {
+ return "packet"
 }
-
- return "unknown"
+ return resource
 }
 func getFileProcessUID(path string) string {
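Review bot: `handleAllNetworkRule` has no doc comment and its contract is not obvious from the body: the `all` entries stay in the slice, only the first no-source Allow and the first no-source Block are expanded (one rule per `netType` key), and the sources of every `all`-with-fromSource rule are merged into a single Allow and a single Block rule, so an Allow and a Block naming the same source are both emitted and whichever is written to the map last wins downstream. Add a comment above the function stating exactly that, and use `map[string]struct{}` for `sourcesAllow`/`sourcesBlock`, whose values are never read. Ranging over `netType` and the two source maps yields a random order, so the appended rules come out differently on every call; if insertion order ever decides between the expanded rules, sort the keys first. `tp.MatchSourceType{Path: src}` keeps only `Path`, dropping any other fields the source type may carry — verify that is intended.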
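Review bot: `return string(proto)` in the default branch of `GetProtocolFromType` converts the int32 to the single rune with that code point (65 becomes `"A"`), not to decimal text, and `go vet` flags the conversion. Return it in the same shape as the other cases, `return "type=" + strconv.Itoa(int(proto))` (adding `strconv` to the imports), so the log resource stays readable and `fetchProtocol` has something to match.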
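Review bot: The new `protocol=ICMPv6` branch in `fetchProtocol` is unreachable: the `SOCK_RAW` test above it already returns `raw` for `protocol=ICMPv6,type=SOCK_RAW`, and if the branch before that tests `protocol=ICMP` as its siblings do, that prefix matches first and returns `icmp`, so ICMPv6 events are attributed to an `icmp` policy (or to none) in `UpdateMatchedPolicy`. Move the `protocol=ICMPv6` and `protocol=SCTP` checks to the top of the chain — the more specific string before the one it contains — and keep the bare `SOCK_*` type checks last. `fetchProtocol` starts before the hunk.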
@@ -204,7 +242,7 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 match.Message = npt.Message
 match.Operation = "Network"
- match.Resource = npt.Protocol
+ match.Resource = strings.ToLower(npt.Protocol)
 match.ResourceType = "Protocol"
 // TODO: Handle cases where AppArmor network enforcement is not present
@@ -1303,7 +1341,7 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 matchedFlags := false
 protocol := fetchProtocol(log.Resource)
- if protocol == secPolicy.Resource {
+ if protocol == secPolicy.Resource || secPolicy.Resource == "all" {
 matchedFlags = true
 }
diff --git a/KubeArmor/monitor/syscallParser.go b/KubeArmor/monitor/syscallParser.go
index 5064f7d0f2..7aaaca74da 100644
--- a/KubeArmor/monitor/syscallParser.go
+++ b/KubeArmor/monitor/syscallParser.go
@@ -548,10 +548,142 @@ func GetSocketType(st uint32) string {
 }
 var protocols = map[int32]string{
- 1: "ICMP",
- 6: "TCP",
- 17: "UDP",
- 58: "ICMPv6",
+ 0: "HOPOPT",
+ 1: "ICMP",
+ 2: "IGMP",
+ 3: "GGP",
+ 4: "IPv4",
+ 5: "ST",
+ 6: "TCP",
+ 7: "CBT",
+ 8: "EGP",
+ 9: "IGP",
+ 10: "BBN-RCC-MON",
+ 11: "NVP-II",
+ 12: "PUP",
+ 14: "EMCON",
+ 15: "XNET",
+ 16: "CHAOS",
+ 17: "UDP",
+ 18: "MUX",
+ 19: "DCN-MEAS",
+ 20: "HMP",
+ 21: "PRM",
+ 22: "XNS-IDP",
+ 23: "TRUNK-1",
+ 24: "TRUNK-2",
+ 25: "LEAF-1",
+ 26: "LEAF-2",
+ 27: "RDP",
+ 28: "IRTP",
+ 29: "ISO-TP4",
+ 30: "NETBLT",
+ 31: "MFE-NSP",
+ 32: "MERIT-INP",
+ 33: "DCCP",
+ 34: "3PC",
+ 35: "IDPR",
+ 36: "XTP",
+ 37: "DDP",
+ 38: "IDPR-CMTP",
+ 39: "TP++",
+ 40: "IL",
+ 41: "IPv6",
+ 42: "SDRP",
+ 43: "IPv6-Route",
+ 44: "IPv6-Frag",
+ 45: "IDRP",
+ 46: "RSVP",
+ 47: "GRE",
+ 48: "DSR",
+ 49: "BNA",
+ 50: "ESP",
+ 51: "AH",
+ 52: "I-NLSP",
+ 54: "NARP",
+ 55: "Min-IPv4",
+ 56: "TLSP",
+ 57: "SKIP",
+ 58: "IPv6-ICMP",
+ 59: "IPv6-NoNxt",
+ 60: "IPv6-Opts",
+ 62: "CFTP",
+ 64: "SAT-EXPAK",
+ 65: "KRYPTOLAN",
+ 66: "RVD",
+ 67: "IPPC",
+ 69: "SAT-MON",
+ 70: "VISA",
+ 71: "IPCV",
+ 72: "CPNX",
+ 73: "CPHB",
+ 74: "WSN",
+ 75: "PVP",
+ 76: "BR-SAT-MON",
+ 77: "SUN-ND",
+ 78: "WB-MON",
+ 79: "WB-EXPAK",
+ 80: "ISO-IP",
+ 81: "VMTP",
+ 82: "SECURE-VMTP",
+ 83: "VINES",
+ 84: "IPTM",
+ 85: "NSFNET-IGP",
+ 86: "DGP",
+ 87: "TCF",
+ 88: "EIGRP",
+ 89: "OSPF",
+ 90: "Sprite-RPC",
+ 91: "LARP",
+ 92: "MTP",
+ 93: "AX.25",
+ 94: "IPIP",
+ 96: "SCC-SP",
+ 97: "ETHERIP",
+ 98: "ENCAP",
+ 100: "GMTP",
+ 101: "IFMP",
+ 102: "PNNI",
+ 103: "PIM",
+ 104: "ARIS",
+ 105: "SCPS",
+ 106: "QNX",
+ 107: "A/N",
+ 108: "IPComp",
+ 109: "SNP",
+ 110: "Compaq-Peer",
+ 111: "IPX-in-IP",
+ 112: "VRRP",
+ 113: "PGM",
+ 115: "L2TP",
+ 116: "DDX",
+ 117: "IATP",
+ 118: "STP",
+ 119: "SRP",
+ 120: "UTI",
+ 121: "SMP",
+ 123: "PTP",
+ 125: "FIRE",
+ 126: "CRTP",
+ 127: "CRUDP",
+ 128: "SSCOPMCE",
+ 129: "IPLT",
+ 130: "SPS",
+ 131: "PIPE",
+
132: "SCTP",
+ 133: "FC",
+ 134: "RSVP-E2E-IGNORE",
+ 136: "UDPLite",
+ 137: "MPLS-in-IP",
+ 138: "manet",
+ 139: "HIP",
+ 140: "Shim6",
+ 141: "WESP",
+ 142: "ROHC",
+ 143: "Ethernet",
+ 144: "AGGFRAG",
+ 145: "NSH",
+ 255: "Reserved",
 }
 // getProtocol Function
diff --git a/deployments/CRD/KubeArmorClusterPolicy.yaml b/deployments/CRD/KubeArmorClusterPolicy.yaml
index 75bfcced26..e29ad014cc 100644
--- a/deployments/CRD/KubeArmorClusterPolicy.yaml
+++ b/deployments/CRD/KubeArmorClusterPolicy.yaml
@@ -1,11 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.4.1
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: kubearmorclusterpolicies.security.kubearmor.com
 spec:
 group: security.kubearmor.com
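Review bot: Entry `58` is renamed from `"ICMPv6"` to `"IPv6-ICMP"` while this same patch adds `case "icmpv6"` to `GetProtocolFromName` and keeps `"ICMPv6": 58` in `rulesHandling.go`; `enforcer.go` feeds `mon.GetProtocol(sockProtocol)` straight into `GetProtocolFromName`, so unless that function normalises `IPv6-ICMP` to `icmpv6` (its head is outside the diff), ICMPv6 sockets now fall through to the default branch and their log resource no longer matches an `icmpv6` rule. Keep `58: "ICMPv6"` so the three tables agree — the IANA keyword is informational here, the enforcer only needs a name it can map back — or add the normalisation in `GetProtocolFromName`. The variable `protocols` is a package-level table, so the change is visible to every caller of `GetProtocol`.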
@@ -37,14 +35,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -268,7 +271,7 @@ spec: message: type: string protocol: - pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ + pattern: (tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$ type: string severity: maximum: 10 @@ -1188,9 +1191,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/deployments/CRD/KubeArmorHostPolicy.yaml b/deployments/CRD/KubeArmorHostPolicy.yaml index 497c216ff7..faca51f4da 100644 
--- a/deployments/CRD/KubeArmorHostPolicy.yaml +++ b/deployments/CRD/KubeArmorHostPolicy.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorhostpolicies.security.kubearmor.com spec: group: security.kubearmor.com @@ -37,14 +35,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -269,7 +272,7 @@ spec: message: type: string protocol: - pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ + pattern: (tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$ type: string severity: maximum: 10 @@ -1177,9 +1180,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/deployments/CRD/KubeArmorPolicy.yaml b/deployments/CRD/KubeArmorPolicy.yaml index ce3ef593fa..a7cee7520e 100644 --- a/deployments/CRD/KubeArmorPolicy.yaml +++ b/deployments/CRD/KubeArmorPolicy.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorpolicies.security.kubearmor.com spec: group: security.kubearmor.com 
@@ -36,14 +34,19 @@ spec: description: KubeArmorPolicy is the Schema for the kubearmorpolicies API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -267,7 +270,7 @@ spec: message: type: string protocol: - pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ + pattern: (tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$ type: string severity: maximum: 10 @@ -1172,9 +1175,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] 
diff --git a/deployments/helm/KubeArmor/templates/crds/csp.yaml b/deployments/helm/KubeArmor/templates/crds/csp.yaml index 75bfcced26..e29ad014cc 100644 --- a/deployments/helm/KubeArmor/templates/crds/csp.yaml +++ b/deployments/helm/KubeArmor/templates/crds/csp.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorclusterpolicies.security.kubearmor.com spec: group: security.kubearmor.com @@ -37,14 +35,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -268,7 +271,7 @@ spec: message: type: string protocol: - pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ + pattern: (tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$ type: string severity: maximum: 10 @@ -1188,9 +1191,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/deployments/helm/KubeArmor/templates/crds/hsp.yaml b/deployments/helm/KubeArmor/templates/crds/hsp.yaml index 497c216ff7..faca51f4da 100644 --- a/deployments/helm/KubeArmor/templates/crds/hsp.yaml +++ b/deployments/helm/KubeArmor/templates/crds/hsp.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorhostpolicies.security.kubearmor.com spec: group: security.kubearmor.com 
@@ -37,14 +35,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -269,7 +272,7 @@ spec: message: type: string protocol: - pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ + pattern: (tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$ type: string severity: maximum: 10 @@ -1177,9 +1180,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/deployments/helm/KubeArmor/templates/crds/ksp.yaml b/deployments/helm/KubeArmor/templates/crds/ksp.yaml index ce3ef593fa..a7cee7520e 100644 
--- a/deployments/helm/KubeArmor/templates/crds/ksp.yaml +++ b/deployments/helm/KubeArmor/templates/crds/ksp.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorpolicies.security.kubearmor.com spec: group: security.kubearmor.com @@ -36,14 +34,19 @@ spec: description: KubeArmorPolicy is the Schema for the kubearmorpolicies API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -267,7 +270,7 @@ spec: message: type: string protocol: - pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ + pattern: (tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$ type: string severity: maximum: 10 @@ -1172,9 +1175,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/pkg/KubeArmorController/Makefile b/pkg/KubeArmorController/Makefile index e7c5638589..0974f1703b 100644 --- a/pkg/KubeArmorController/Makefile +++ b/pkg/KubeArmorController/Makefile @@ -49,7 +49,7 @@ help: ## Display this help. .PHONY: manifests manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - go mod tidy; $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases + go mod tidy; $(CONTROLLER_GEN) crd rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases cp config/crd/bases/security.kubearmor.com_kubearmorpolicies.yaml ../../deployments/CRD/KubeArmorPolicy.yaml cp config/crd/bases/security.kubearmor.com_kubearmorpolicies.yaml crd/KubeArmorPolicy.yaml cp config/crd/bases/security.kubearmor.com_kubearmorpolicies.yaml ../../deployments/helm/KubeArmor/templates/crds/ksp.yaml diff --git a/pkg/KubeArmorController/api/security.kubearmor.com/v1/common.go b/pkg/KubeArmorController/api/security.kubearmor.com/v1/common.go index 4d9611c612..372cf0eaee 100644 --- a/pkg/KubeArmorController/api/security.kubearmor.com/v1/common.go +++ b/pkg/KubeArmorController/api/security.kubearmor.com/v1/common.go 
@@ -179,7 +179,7 @@ type FileType struct {
 Action ActionType `json:"action,omitempty"`
 }
-// +kubebuilder:validation:Pattern=(icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
+// +kubebuilder:validation:Pattern=(tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$
 type MatchNetworkProtocolStringType string
 type MatchNetworkProtocolType struct {
diff --git a/pkg/KubeArmorController/config/crd/bases/security.kubearmor.com_kubearmorclusterpolicies.yaml b/pkg/KubeArmorController/config/crd/bases/security.kubearmor.com_kubearmorclusterpolicies.yaml
index 75bfcced26..e29ad014cc 100644
--- a/pkg/KubeArmorController/config/crd/bases/security.kubearmor.com_kubearmorclusterpolicies.yaml
+++ b/pkg/KubeArmorController/config/crd/bases/security.kubearmor.com_kubearmorclusterpolicies.yaml
@@ -1,11 +1,9 @@
- --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorclusterpolicies.security.kubearmor.com spec: group: security.kubearmor.com
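Review bot: The new `+kubebuilder:validation:Pattern` marker anchors only the end of the value, so the API server accepts any protocol string that merely ends in one of the listed words (`notcp`, `xall`) and passes it to the enforcer unchanged; since this marker is the source every regenerated CRD in this patch copies, anchoring both ends here fixes all of them at once: `// +kubebuilder:validation:Pattern=^(tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$`. The old pattern had the same gap, but `all` now lets one rule cover every socket operation, so a value that slips through CRD validation and is then interpreted loosely by the matcher has a wider effect than before. How the Go-side matcher treats a string it does not recognise is not visible in this hunk; if it falls through to a no-op the policy would silently enforce nothing, which is worth a unit test against the type. A doc comment on `MatchNetworkProtocolStringType` listing the accepted spellings and stating that matching is exact and case-sensitive (mixed case such as `Tcp` is rejected) would also help policy authors.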
@@ -37,14 +35,19 @@ spec:
 API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object
@@ -268,7 +271,7 @@ spec:
 message: type: string protocol: - pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ + pattern: (tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$ type: string severity: maximum: 10
@@ -1188,9 +1191,3 @@ spec:
 storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: []
diff --git a/pkg/KubeArmorController/config/crd/bases/security.kubearmor.com_kubearmorhostpolicies.yaml b/pkg/KubeArmorController/config/crd/bases/security.kubearmor.com_kubearmorhostpolicies.yaml
index 497c216ff7..faca51f4da 100644
--- a/pkg/KubeArmorController/config/crd/bases/security.kubearmor.com_kubearmorhostpolicies.yaml
+++ b/pkg/KubeArmorController/config/crd/bases/security.kubearmor.com_kubearmorhostpolicies.yaml
@@ -1,11 +1,9 @@
- --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorhostpolicies.security.kubearmor.com spec: group: security.kubearmor.com
@@ -37,14 +35,19 @@ spec:
 API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object
@@ -269,7 +272,7 @@ spec:
 message: type: string protocol: - pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ + pattern: (tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$ type: string severity: maximum: 10
@@ -1177,9 +1180,3 @@ spec:
 storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: []
diff --git a/pkg/KubeArmorController/config/crd/bases/security.kubearmor.com_kubearmorpolicies.yaml b/pkg/KubeArmorController/config/crd/bases/security.kubearmor.com_kubearmorpolicies.yaml
index ce3ef593fa..a7cee7520e 100644
--- a/pkg/KubeArmorController/config/crd/bases/security.kubearmor.com_kubearmorpolicies.yaml
+++ b/pkg/KubeArmorController/config/crd/bases/security.kubearmor.com_kubearmorpolicies.yaml
@@ -1,11 +1,9 @@
- --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorpolicies.security.kubearmor.com spec: group: security.kubearmor.com
@@ -36,14 +34,19 @@ spec:
 description: KubeArmorPolicy is the Schema for the kubearmorpolicies API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object
@@ -267,7 +270,7 @@ spec:
 message: type: string protocol: - pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ + pattern: (tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$ type: string severity: maximum: 10
@@ -1172,9 +1175,3 @@ spec:
 storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: []
diff --git a/pkg/KubeArmorController/config/rbac/role.yaml b/pkg/KubeArmorController/config/rbac/role.yaml
index 2dfb1f17c6..d67deff627 100644
--- a/pkg/KubeArmorController/config/rbac/role.yaml
+++ b/pkg/KubeArmorController/config/rbac/role.yaml
@@ -1,9 +1,7 @@
- --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: manager-role rules: - apiGroups:
diff --git a/pkg/KubeArmorController/config/webhook/manifests.yaml b/pkg/KubeArmorController/config/webhook/manifests.yaml
index d152733068..537d93cd04 100644
--- a/pkg/KubeArmorController/config/webhook/manifests.yaml
+++ b/pkg/KubeArmorController/config/webhook/manifests.yaml
@@ -1,9 +1,7 @@
- --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - creationTimestamp: null name: mutating-webhook-configuration webhooks: - admissionReviewVersions:
diff --git a/pkg/KubeArmorController/crd/KubeArmorClusterPolicy.yaml b/pkg/KubeArmorController/crd/KubeArmorClusterPolicy.yaml
index 75bfcced26..e29ad014cc 100644
--- a/pkg/KubeArmorController/crd/KubeArmorClusterPolicy.yaml
+++ b/pkg/KubeArmorController/crd/KubeArmorClusterPolicy.yaml
@@ -1,11 +1,9 @@
- --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorclusterpolicies.security.kubearmor.com spec: group: security.kubearmor.com
@@ -37,14 +35,19 @@ spec:
 API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object
@@ -268,7 +271,7 @@ spec:
 message: type: string protocol: - pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ + pattern: (tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$ type: string severity: maximum: 10
@@ -1188,9 +1191,3 @@ spec:
 storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: []
diff --git a/pkg/KubeArmorController/crd/KubeArmorHostPolicy.yaml b/pkg/KubeArmorController/crd/KubeArmorHostPolicy.yaml
index 497c216ff7..faca51f4da 100644
--- a/pkg/KubeArmorController/crd/KubeArmorHostPolicy.yaml
+++ b/pkg/KubeArmorController/crd/KubeArmorHostPolicy.yaml
@@ -1,11 +1,9 @@
- --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorhostpolicies.security.kubearmor.com spec: group: security.kubearmor.com
@@ -37,14 +35,19 @@ spec:
 API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object
@@ -269,7 +272,7 @@ spec:
 message: type: string protocol: - pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ + pattern: (tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$ type: string severity: maximum: 10
@@ -1177,9 +1180,3 @@ spec:
 storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: []
diff --git a/pkg/KubeArmorController/crd/KubeArmorPolicy.yaml b/pkg/KubeArmorController/crd/KubeArmorPolicy.yaml
index ce3ef593fa..a7cee7520e 100644
--- a/pkg/KubeArmorController/crd/KubeArmorPolicy.yaml
+++ b/pkg/KubeArmorController/crd/KubeArmorPolicy.yaml
@@ -1,11 +1,9 @@
- --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorpolicies.security.kubearmor.com spec: group: security.kubearmor.com
@@ -36,14 +34,19 @@ spec:
 description: KubeArmorPolicy is the Schema for the kubearmorpolicies API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object
@@ -267,7 +270,7 @@ spec:
 message: type: string protocol: - pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ + pattern: (tcp|TCP|udp|UDP|raw|RAW|icmp|ICMP|icmpv6|ICMPV6|sctp|SCTP|stream|STREAM|dgram|DGRAM|rdm|RDM|seqpacket|SEQPACKET|dccp|DCCP|packet|PACKET|all|ALL)$ type: string severity: maximum: 10
@@ -1172,9 +1175,3 @@ spec:
 storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: []
diff --git a/pkg/KubeArmorController/go.mod b/pkg/KubeArmorController/go.mod
index 20c689a22e..79d5511de2 100644
--- a/pkg/KubeArmorController/go.mod
+++ b/pkg/KubeArmorController/go.mod
@@ -12,7 +12,6 @@ require (
 k8s.io/apiextensions-apiserver v0.29.0
 k8s.io/apimachinery v0.29.0
 k8s.io/client-go v0.29.0
- k8s.io/cri-api v0.29.7
 sigs.k8s.io/controller-runtime v0.15.3
 sigs.k8s.io/yaml v1.4.0
 )
@@ -64,8 +63,6 @@ require (
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 google.golang.org/appengine v1.6.8 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
- google.golang.org/grpc v1.58.3 // indirect
 google.golang.org/protobuf v1.34.2 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/pkg/KubeArmorController/go.sum b/pkg/KubeArmorController/go.sum
index 2ea6eee87b..c4cc8e5e52 100644
--- a/pkg/KubeArmorController/go.sum
+++ b/pkg/KubeArmorController/go.sum
@@ -165,10 +165,6 @@ gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
 google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
-google.golang.org/grpc v1.58.3 h1:BjnpXut1btbtgN/6sp+brB2Kbm2LjNXnidYujAVbSoQ=
-google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
@@ -194,8 +190,6 @@ k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8=
 k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38=
 k8s.io/component-base v0.29.0 h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s=
 k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M=
-k8s.io/cri-api v0.29.7 h1:5X1Fid6oxYsP9/W1NtX0RYUefM2UNwaqfew8z7Pbf/M=
-k8s.io/cri-api v0.29.7/go.mod h1:A6pdbjzML2xi9B0Clqn5qt1HJ3Ik12x2j+jv/TkqjRE=
 k8s.io/klog/v2 v2.120.0 h1:z+q5mfovBj1fKFxiRzsa2DsJLPIVMk/KFL81LMOfK+8=
 k8s.io/klog/v2 v2.120.0/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910 h1:1Rp/XEKP5uxPs6QrsngEHAxBjaAR78iJRiJq5Fi7LSU=
From 83218946968de9233dd0ca6e52492488b5c5f7fb Mon Sep 17 00:00:00 2001
From: rksharma95
Date: Tue, 12 Nov 2024 17:08:21 +0530
Subject: [PATCH 2/2] add a test case for protocol:all handling
Signed-off-by: rksharma95
---
 tests/k8s_env/ksp/ksp_test.go | 26 +++++++++++++++++++
 .../ksp-ubuntu-1-block-net-all.yaml | 15 +++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-block-net-all.yaml
diff --git a/tests/k8s_env/ksp/ksp_test.go b/tests/k8s_env/ksp/ksp_test.go
index 37d48b5218..21fe2aa200 100644
--- a/tests/k8s_env/ksp/ksp_test.go
+++ b/tests/k8s_env/ksp/ksp_test.go
@@ -266,6 +266,32 @@ var _ = Describe("Ksp", func() {
 })
+ It("it can block all network traffic", func() {
+
+ // Apply Policy
+ err := K8sApplyFile("multiubuntu/ksp-ubuntu-1-block-net-all.yaml")
+ Expect(err).To(BeNil())
+
+ // Start KubeArmor Logs
+ err = KarmorLogStart("policy", "multiubuntu", "Network", ub1)
+ Expect(err).To(BeNil())
+ AssertCommand(ub1, "multiubuntu", []string{"bash", "-c", "arping -c 1 127.0.0.1"},
+ MatchRegexp("arping.*Permission denied"), true,
+ )
+
+ expect := protobuf.Alert{
+ PolicyName: "ksp-ubuntu-1-block-net-all",
+ Severity: "8",
+ Action: "Block",
+ Result: "Permission denied",
+ }
+
+ res, err := KarmorGetTargetAlert(5*time.Second, &expect)
+ Expect(err).To(BeNil())
+ Expect(res.Found).To(BeTrue())
+
+ })
+ })
 Describe("Apply Capabilities Policy", func() {
diff --git a/tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-block-net-all.yaml b/tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-block-net-all.yaml
new file mode 100644
index 0000000000..8f64a1e628
--- /dev/null
+++ b/tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-block-net-all.yaml
@@ -0,0 +1,15 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-ubuntu-1-block-net-all
+ namespace: multiubuntu
+spec:
+ severity: 8
+ selector:
+ matchLabels:
+ container: ubuntu-1
+ network:
+ matchProtocols:
+ - protocol: all
+ action:
+ Block
\ No newline at end of file
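Review bot: The new `It` block's only assertion runs `arping`, which needs a raw/packet socket, so the test shows that `protocol: all` blocks one socket type but not the TCP or UDP traffic its name promises; a second `AssertCommand` on `ub1` that opens a stream socket to localhost, with its own `MatchRegexp` for the denial, would back the claim and also catch a regression where `all` is mapped to a single protocol. The enclosing `Describe("Ksp", ...)` starts outside the hunk, so I cannot see whether an `AfterEach` deletes the applied policy and stops the log stream; if no such hook exists, `ksp-ubuntu-1-block-net-all` stays active and every later network test in the same container inherits the block. A one-line comment above `AssertCommand`, `// arping opens a packet socket; "all" must deny it like any other protocol`, would record why this particular command was chosen. The fixture file added in the second hunk ends with `\ No newline at end of file`; adding the trailing newline keeps YAML linters quiet.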