diff --git a/.dockerignore b/.dockerignore index a3aab7af..08ca0a4d 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,3 +1,2 @@ -# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file -# Ignore build and test binaries. bin/ +go.work* diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml index 333f0685..8f89b3ed 100644 --- a/.github/workflows/pr-checks.yaml +++ b/.github/workflows/pr-checks.yaml @@ -34,9 +34,9 @@ jobs: - 'cmd/**' - 'internal/**' - 'pkg/processor/**' - - 'tests/controllers/**' - 'Dockerfile' - 'Makefile' + - 'go.mod' adapters: - 'pkg/adapter/**' tests: @@ -112,6 +112,13 @@ jobs: - name: Build image run: make docker-build + - name: Scan image + uses: anchore/scan-action@v4 + with: + image: '5gsec/nimbus:latest' + severity-cutoff: critical + output-format: sarif + build-adapters-image: needs: files-changed if: ${{ needs.files-changed.outputs.adapters == 'true' }} @@ -129,6 +136,13 @@ jobs: working-directory: ./pkg/adapter/${{ matrix.adapters }} run: make docker-build + - name: Scan image + uses: anchore/scan-action@v4 + with: + image: '5gsec/${{ matrix.adapters }}:latest' + severity-cutoff: critical + output-format: sarif + integration-tests: needs: files-changed if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.tests == 'true' }} @@ -158,6 +172,7 @@ jobs: working-directory: ./deployments/nimbus run: | helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace \ + --set image.tag=latest \ --set image.pullPolicy=Never \ --set autoDeploy.kubearmor=false \ --set autoDeploy.kyverno=false \ @@ -218,6 +233,7 @@ jobs: working-directory: ./deployments/nimbus run: | helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace \ + --set image.tag=latest \ --set image.pullPolicy=Never \ --set autoDeploy.kubearmor=false \ --set autoDeploy.kyverno=false \ 
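Review bot: The new `Scan image` steps in pr-checks.yaml request `output-format: sarif` but nothing consumes the report — there is no `github/codeql-action/upload-sarif` step reading the action's `sarif` output, so the findings only surface as a pass/fail of the step. Either upload the SARIF or switch to `output-format: table` so the findings are readable in the job log; this applies to both the nimbus and the adapter scan steps. The image name `5gsec/nimbus:latest` also assumes the preceding `make docker-build` tagged exactly that, which I cannot confirm from the hunk. The action is referenced by a mutable tag (`anchore/scan-action@v4`); pinning to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for workflows that run on pull requests. `go.mod` was added to the nimbus path filter but `go.sum` was not, so a sum-only change would skip the build.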
@@ -231,7 +247,7 @@ jobs: - name: Install nimbus-netpol working-directory: deployments/nimbus-netpol/ run: | - helm upgrade --install nimbus-netpol . -n nimbus --set image.pullPolicy=Never + helm upgrade --install nimbus-netpol . -n nimbus --set image.pullPolicy=Never --set image.tag=latest - name: Wait for nimbus-netpol to start run: | @@ -241,7 +257,7 @@ jobs: - name: Install nimbus-kubearmor working-directory: deployments/nimbus-kubearmor/ run: | - helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus --set image.pullPolicy=Never + helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus --set image.pullPolicy=Never --set image.tag=latest - name: Wait for nimbus-kubearmor to start run: | @@ -251,7 +267,7 @@ jobs: - name: Install nimbus-kyverno working-directory: deployments/nimbus-kyverno/ run: | - helm upgrade --dependency-update --install nimbus-kyverno . -n nimbus --set image.pullPolicy=Never + helm upgrade --dependency-update --install nimbus-kyverno . -n nimbus --set image.pullPolicy=Never --set image.tag=latest - name: Wait for nimbus-kyverno to start run: | diff --git a/.github/workflows/release-helm-charts.yaml b/.github/workflows/release-helm-charts.yaml new file mode 100644 index 00000000..131aa76d --- /dev/null +++ b/.github/workflows/release-helm-charts.yaml 
@@ -0,0 +1,44 @@ +name: Release Helm charts + +on: + workflow_dispatch: + inputs: + tag: + description: "Release tag which has to be updated" + type: "string" + required: true + +jobs: + release_helm_charts: + if: github.repository == '5GSEC/nimbus' + permissions: + contents: write + runs-on: ubuntu-latest + steps: + - name: Checkout source code + uses: actions/checkout@v4 + + - name: Install Helm + uses: azure/setup-helm@v4 + + - name: Generate a token + id: generate-token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.ACTIONS_APP_ID }} + private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }} + repositories: charts + + - name: Publish Helm chart + uses: stefanprodan/helm-gh-pages@master + with: + # Access token which can push to a different repo in the same org + token: ${{ steps.generate-token.outputs.token }} + charts_dir: deployments/ + # repo where charts would be published + owner: 5GSEC + repository: charts + branch: gh-pages + charts_url: https://5gsec.github.io/charts/ + commit_username: "github-actions[bot]" + commit_email: "github-actions[bot]@users.noreply.github.com" diff --git a/.github/workflows/release-image.yaml b/.github/workflows/release-image.yaml index d0be0771..9fbcbbc8 100644 --- a/.github/workflows/release-image.yaml +++ b/.github/workflows/release-image.yaml @@ -50,7 +50,7 @@ jobs: working-directory: ${{ inputs.WORKING_DIRECTORY }} - name: Scan image - uses: anchore/scan-action@v3 + uses: anchore/scan-action@v4 with: image: '5gsec/${{ inputs.NAME }}:${{ steps.tag.outputs.tag }}' severity-cutoff: critical diff --git a/.github/workflows/stable-release.yaml b/.github/workflows/stable-release.yaml index bea1b27d..90c79763 100644 --- a/.github/workflows/stable-release.yaml +++ b/.github/workflows/stable-release.yaml @@ -3,7 +3,10 @@ name: Stable release -on: workflow_dispatch +on: + create: + tags: + - "v*" permissions: read-all 
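Review bot: `stefanprodan/helm-gh-pages@master` in the new release-helm-charts.yaml tracks a moving branch, so whatever that repository's branch contains at run time executes with a GitHub App token that can push to the `charts` repository. Pin it to a release tag or, better, a full commit SHA (constructed example: `uses: stefanprodan/helm-gh-pages@<commit-sha> # <release-tag>`) and keep the app token's `repositories: charts` scope as narrow as it is. The job's `permissions: contents: write` on the nimbus checkout does not look needed by any visible step, since publishing goes through the app token rather than `GITHUB_TOKEN`; `contents: read` would do unless something I cannot see writes to this repository.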
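Review bot: `on: create: tags: - "v*"` in stable-release.yaml will not act as a tag filter — as far as I know the `create` event accepts no `branches`/`tags` filters (only `push`, `pull_request`, `pull_request_target` and `workflow_run` do), so this either fails workflow validation or fires on every branch and tag creation. The intended form is `on: push: tags: - "v*"`. This matters downstream too: the `Get tag` step in this file derives the image tag from `GITHUB_REF`, and with the current trigger it would also see branch refs.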
@@ -25,7 +28,7 @@ jobs: if: github.repository == '5GSEC/nimbus' strategy: matrix: - adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno" ] + adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno", "nimbus-k8tls" ] name: Build and push ${{ matrix.adapters }} adapter's image uses: ./.github/workflows/release-image.yaml with: 
@@ -33,36 +36,38 @@ jobs: NAME: ${{ matrix.adapters }} secrets: inherit - release_helm_charts: + update-image-tags-in-helm-charts: if: github.repository == '5GSEC/nimbus' + needs: [ release-nimbus-image, release-adapters-image ] permissions: + pull-requests: write contents: write runs-on: ubuntu-latest steps: - name: Checkout source code uses: actions/checkout@v4 - - name: Install Helm - uses: azure/setup-helm@v4 + - name: Get tag + id: tag + run: | + if [ ${{ github.ref }} == "refs/heads/main" ]; then + echo "tag=latest" >> $GITHUB_OUTPUT + else + echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT + fi - - name: Generate a token - id: generate-token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ vars.ACTIONS_APP_ID }} - private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }} - repositories: charts + - name: Update images tag + run: | + ./scripts/update-image-tag.sh ${{ steps.tag.outputs.tag }} - - name: Publish Helm chart - uses: stefanprodan/helm-gh-pages@master + - name: Create PR to update images tag in Helm charts + uses: peter-evans/create-pull-request@v7 with: - # Access token which can push to a different repo in the same org - token: ${{ steps.generate-token.outputs.token }} - charts_dir: deployments/ - # repo where charts would be published - owner: 5GSEC - repository: charts - branch: gh-pages - charts_url: https://5gsec.github.io/charts/ - commit_username: "github-actions[bot]" - commit_email: "github-actions[bot]@users.noreply.github.com" + branch: update-helm-${{ steps.tag.outputs.tag }} + commit-message: "[skip ci] Update Helm Chart To ${{ steps.update.outputs.STABLE_VERSION }}" + committer: "github-actions[bot] " + author: "github-actions[bot] " + title: "[skip ci] Update Helm Chart To ${{ steps.update.outputs.STABLE_VERSION }}" + base: main + signoff: true + delete-branch: true diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 00000000..e25c272a --- /dev/null +++ b/CONTRIBUTING.md 
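Review bot: `${{ steps.update.outputs.STABLE_VERSION }}` in the `commit-message` and `title` of the create-pull-request step refers to a step id `update` that does not exist in this job — the `Update images tag` step has no `id` and only runs the script — so both strings will render with an empty version. `${{ steps.tag.outputs.tag }}` is the value the job already computed and is what `branch:` uses. The `Get tag` step interpolates `${{ github.ref }}` unquoted straight into shell; `if [ "$GITHUB_REF" = "refs/heads/main" ]` avoids the injection-shaped pattern and is POSIX sh. The `committer`/`author` values read `"github-actions[bot] "` without a `<email>` part, which may be an extraction artifact but is worth confirming in the file. `scripts/update-image-tag.sh` is not part of this diff, so what it rewrites cannot be reviewed here.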
@@ -0,0 +1,130 @@ +# Want to contribute? + +Great! We welcome contributions of all kinds, big or small! This includes bug reports, code fixes, documentation +improvements, and code examples. + +Before you dive in, please take a moment to read through this guide. + +# Reporting issue + +We use [GitHub](https://github.com/5GSEC/nimbus) to manage the issues. Please open +a [new issue](https://github.com/5GSEC/nimbus/issues/new) directly there. + +# Getting Started + +## Setting Up Your Environment + +- Head over to [GitHub](https://github.com/5GSEC/nimbus) and fork the 5GSec Nimbus repository. +- Clone your forked repository onto your local machine. + ```shell + git clone git@github.com:/nimbus.git + ``` + +## Install development tools + +You'll need these tools for a smooth development experience: + +- [Make](https://www.gnu.org/software/make/#download) +- [Go](https://go.dev/doc/install) SDK, version 1.21 or later +- Go IDE ([Goland](https://www.jetbrains.com/go/) / [VS Code](https://code.visualstudio.com/download)) +- Container tools ([Docker](https://www.docker.com/) / [Podman](https://podman.io/)) +- [Kubernetes cluster](https://kubernetes.io/docs/setup/) running version 1.26 or later. +- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) version 1.26 or later. + +# Project Setup + +## Building Locally + +- Install development tools (mentioned above). + +- Build Nimbus using: + ```shell + make build + ``` + +## Testing Local Build + +### Against the Cluster (without installing as workload): + +#### Nimbus operator + +- Generate code and manifests: + ```shell + make manifests generate + ``` + +- Install CRDs: + ```shell + make install + ``` + +- Run the operator: + ```shell + make run + ``` + +#### Adapters + +- Navigate to adapter's directory: + ```shell + cd pkg/adapter/ + ``` +- Run it: + ```shell + make run + ``` + +### In the Cluster (installing as workload): + +Follow [this](deployments/nimbus/Readme.md) guide to install Nimbus or the complete suite. 
+ +Alternatively, follow [this](docs/adapters.md) guide to install individual adapters. + +# Contributing Code + +### Understanding the Project + +Before contributing to any Open Source project, it's important to have basic understanding of what the project is about. +It is advised to try out the project as an end user. + +### Pull Requests and Code Reviews + +We use GitHub [pull requests](https://github.com/5GSEC/nimbus/pulls) for code contributions. All submissions, including +those from project members, require review before merging. +We typically aim for two approvals per pull request, with reviews happening within a week or two. +Feel free to ping reviewers if you haven't received feedback within that timeframe. + +#### Commit Messages + +We follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification for clear and +consistent commit messages. + +Please make sure you have added the **Signed-off-by:** footer in your git commit. In order to do it automatically, use +the **--signoff** flag: + +```shell +git commit --signoff +``` + +With this command, git would automatically add a footer by reading your name and email from git config. + +# Testing and Documentation + +Tests and documentation are not optional, make sure your pull requests include: + +- Tests that verify your changes and don't break existing functionality. +- Updated [documentation](docs) reflecting your code changes. +- Reference information and any other relevant details. + +## Commands to run tests + +- Integration tests: + ```shell + make integration-test + ``` + +- End-to-end tests: + **Requires installing the complete suite, follow [this](deployments/nimbus/Readme.md)** + ```shell + make e2e-test + ``` diff --git a/Dockerfile b/Dockerfile index 318f9881..67e3b01a 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,37 +1,29 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -# Build the manager binary -FROM golang:1.22 as builder +FROM golang:1.22 AS builder ARG TARGETOS ARG TARGETARCH +# Required to embed build info into binary. +COPY .git /.git + WORKDIR /workspace -# Copy the Go Modules manifests -COPY go.mod go.mod -COPY go.sum go.sum -# cache deps before building and copying source so that we don't need to re-download as much -# and so that source changes don't invalidate our downloaded layer -RUN go mod download -# Copy the go source -COPY cmd/main.go cmd/main.go -COPY api/ api/ -COPY internal/ internal/ -COPY pkg/processor/ pkg/processor/ +COPY . . # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. -RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go +RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details FROM gcr.io/distroless/static:nonroot WORKDIR / -COPY --from=builder /workspace/manager . +COPY --from=builder /workspace/bin/nimbus . USER 65532:65532 -ENTRYPOINT ["/manager"] +ENTRYPOINT ["/nimbus"] diff --git a/Makefile b/Makefile index fb96f231..2bed4867 100644 --- a/Makefile +++ b/Makefile @@ -8,6 +8,8 @@ TAG ?= latest TEST_DIR ?= tests/controllers +BINARY_NAME ?= nimbus + # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) GOBIN=$(shell go env GOPATH)/bin 
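Review bot: `COPY .git /.git` to the image root looks redundant with the later `COPY . .`, which places the same `.git` under `/workspace` where `go build` reads VCS metadata for the module it compiles; if the build-info helper genuinely needs `/.git`, say so in the comment above it, otherwise drop the extra copy. Because `.dockerignore` now excludes only `bin/` and `go.work*`, the whole repository including history enters the builder stage; the final distroless stage copies only `/workspace/bin/nimbus`, so nothing leaks into the shipped image, but removing the `go mod download` layer means every source change re-downloads modules. Keeping `COPY go.mod go.sum ./` and `RUN go mod download` ahead of `COPY . .` would retain that cache without changing the result.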
@@ -46,6 +48,8 @@ all: build help: ## Display this help. @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) +.DEFAULT_GOAL := help + ##@ Development .PHONY: manifests @@ -96,12 +100,12 @@ lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes ##@ Build .PHONY: build -build: manifests generate fmt vet ## Build manager binary. - go build -o bin/manager cmd/main.go +build: fmt vet ## Build manager binary. + @go build -ldflags="-s" -o bin/"${BINARY_NAME}" ./cmd .PHONY: run -run: manifests generate fmt vet ## Run a controller from your host. - go run cmd/main.go +run: manifests generate fmt vet build ## Run a controller from your host. + @./bin/"${BINARY_NAME}" # If you wish to build the manager image targeting other platforms you can use the --platform flag. # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it. diff --git a/README.md b/README.md index c45e502f..84a66501 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ best implementation method available given the deployment. * [Getting Started](docs/getting-started.md) * [Quick Tutorials](docs/quick-tutorials.md) +* [Contribution guide](CONTRIBUTING.md) # Credits diff --git a/cmd/main.go b/cmd/main.go index 66899b5e..3ad4f88d 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -5,11 +5,11 @@ package main import ( "flag" - "os" - - "k8s.io/apimachinery/pkg/runtime" + "github.com/5GSEC/nimbus/pkg/util" + k8sruntime "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" + "os" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/config" "sigs.k8s.io/controller-runtime/pkg/healthz" 
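Review bot: `-ldflags="-s"` in the `build` target strips only the symbol table; if the goal is a smaller, less introspectable binary, `-ldflags="-s -w"` also omits DWARF, and `-trimpath` keeps build-host paths out of panic traces and the embedded build info. `build` no longer depends on `manifests generate`, so `make build` (which the Dockerfile now calls) silently uses whatever generated code is committed; that is reasonable for reproducible image builds but deserves a comment on the target since `run` still regenerates. The `@` prefix hides the exact `go build` invocation from CI logs, which makes build-flag regressions harder to spot.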
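Review bot: In cmd/main.go the relocated `"os"` import now sits between the `k8s.io` and `sigs.k8s.io` packages; the file's existing layout and goimports both keep the standard library in its own leading group, so `"flag"` and `"os"` belong together above a blank line, followed by the third-party block. The `k8sruntime` alias is fine; a short comment on that line saying which other `runtime` it avoids colliding with would make the rename self-explanatory.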
@@ -24,7 +24,7 @@ import ( // Global variables for scheme registration and setup logging. var ( - scheme = runtime.NewScheme() // Scheme for registering API types for client and server. + scheme = k8sruntime.NewScheme() // Scheme for registering API types for client and server. setupLog = ctrl.Log.WithName("setup") // Logger for setup process. ) @@ -51,6 +51,7 @@ func main() { // Setting the logger with the provided options. ctrl.SetLogger(zap.New()) + util.LogBuildInfo(ctrl.Log) // Creating a new manager which will manage all the controllers. mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ diff --git a/deployments/nimbus-k8tls/Chart.yaml b/deployments/nimbus-k8tls/Chart.yaml index 199be992..cab9a9f2 100644 --- a/deployments/nimbus-k8tls/Chart.yaml +++ b/deployments/nimbus-k8tls/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 type: application name: nimbus-k8tls -version: 0.1.0 -appVersion: "0.1.0" +version: 0.1.1 +appVersion: "0.1.1" description: Nimbus adapter for k8tls sources: - https://github.com/5GSEC/nimbus diff --git a/deployments/nimbus-k8tls/Readme.md b/deployments/nimbus-k8tls/Readme.md index 28fa3438..0f043666 100644 --- a/deployments/nimbus-k8tls/Readme.md +++ b/deployments/nimbus-k8tls/Readme.md 
@@ -23,6 +23,20 @@ helm upgrade --install nimbus-k8tls . -n nimbus | image.pullPolicy | string | Always | `nimbus-k8tls` adapter image pull policy | | image.tag | string | latest | `nimbus-k8tls` adapter image tag | +Set the following values accordingly to send the k8tls report to elasticsearch (By default we send report to STDOUT) + +## + +| Key | Type | Default | Description | +|------------------------------|--------|--------------------|-----------------------------------------------------------------| +| output.elasticsearch.enabled | bool | false | Elasticsearch enabled or not | +| elasticsearch.host | string | localhost | Elasticsearch host | +| elasticsearch.user | string | elastic | Elastic user | +| elasticsearch.port | string | 9200 | Elasticsearch port | +| elasticsearch.index | string | findings | Elasticsearch index | +| output.elasticsearch.password| string | | The password in base64 encoded format | + + ## Verify if all the resources are up and running Once done, the following resources will exist in your cluster: diff --git a/deployments/nimbus-k8tls/templates/NOTES.txt b/deployments/nimbus-k8tls/templates/NOTES.txt new file mode 100644 index 00000000..0935bdca --- /dev/null +++ b/deployments/nimbus-k8tls/templates/NOTES.txt @@ -0,0 +1,3 @@ +Thank you for installing nimbus-k8tls. + +Your release is named '{{ include "nimbus-k8tls.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace. diff --git a/deployments/nimbus-k8tls/templates/configmap.yaml b/deployments/nimbus-k8tls/templates/configmap.yaml new file mode 100644 index 00000000..4b72738d --- /dev/null +++ b/deployments/nimbus-k8tls/templates/configmap.yaml 
@@ -0,0 +1,142 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: fluent-bit-config + namespace: {{ include "nimbus-k8tls.fullname" . }}-env + labels: + {{- include "nimbus-k8tls.labels" . | nindent 4 }} +data: + fluent-bit.conf: | + [SERVICE] + Flush 1 + Log_Level info + Parsers_File parsers.conf + + [INPUT] + Name tail + Path /tmp/compact_report.json + Parser json + Tag json.data + DB /tmp/compact_report.db + Read_from_Head true + Exit_On_Eof true + + {{- if .Values.output.elasticsearch.enabled }} + [OUTPUT] + Name es + Match * + Host {{ .Values.output.elasticsearch.host }} + Port {{ .Values.output.elasticsearch.port }} + Index {{ .Values.output.elasticsearch.index }} + HTTP_User {{ .Values.output.elasticsearch.user }} + HTTP_Passwd ${ES_PASSWORD} + tls On + tls.verify Off + Suppress_Type_Name On + Replace_Dots On + {{- end }} + + [OUTPUT] + Name stdout + Match * +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: fips-config + namespace: {{ include "nimbus-k8tls.fullname" . }}-env + labels: + {{- include "nimbus-k8tls.labels" . 
| nindent 4 }} +data: + fips-140-3.json: |2- + { + "TLS_versions": [ + { + "TLS_version": "TLSv1.0_1.1", + "cipher_suites": [ + { + "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" + }, + { + "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" + }, + { + "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" + }, + { + "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" + } + ] + }, + { + "TLS_version": "TLSv1.2", + "cipher_suites": [ + { + "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" + }, + { + "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" + }, + { + "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" + }, + { + "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" + }, + { + "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" + }, + { + "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + }, + { + "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + }, + { + "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + }, + { + "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" + }, + { + "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" + }, + { + "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" + }, + { + "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" + }, + { + "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" + }, + { + "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" + }, + { + "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" + }, + { + "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" + } + ] + }, + { + "TLS_version": "TLSv1.3", + "cipher_suites": [ + { + "cipher_suite": "TLS_AES_256_GCM_SHA384" + }, + { + "cipher_suite": "TLS_AES_128_GCM_SHA256" + }, + { + "cipher_suite": "TLS_AES_128_CCM_SHA256" + }, + { + "cipher_suite": "TLS_AES_128_CCM_8_SHA256" + } + ] + } + ] + } 
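Review bot: `tls.verify Off` in the Elasticsearch `[OUTPUT]` block of fluent-bit.conf disables server certificate verification, so `HTTP_User`/`HTTP_Passwd` and the k8tls report go to whatever answers on `Host`:`Port`, not necessarily the intended Elasticsearch. Make it a chart value, e.g. `tls.verify {{ .Values.output.elasticsearch.tlsVerify }}` with `tlsVerify: "On"` as the values.yaml default, and expose `tls.ca_file` for clusters with a private CA. The `fips-config` map lists a `TLSv1.0_1.1` group and CBC suites under a file named `fips-140-3.json`; I cannot tell from this hunk whether k8tls treats these entries as permitted or as flagged, so a one-line comment above the `data:` key stating the semantics would prevent the wrong reading.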
diff --git a/deployments/nimbus-k8tls/templates/daemonset.yaml b/deployments/nimbus-k8tls/templates/deployment.yaml similarity index 71% rename from deployments/nimbus-k8tls/templates/daemonset.yaml rename to deployments/nimbus-k8tls/templates/deployment.yaml index 82000859..f084f305 100644 --- a/deployments/nimbus-k8tls/templates/daemonset.yaml +++ b/deployments/nimbus-k8tls/templates/deployment.yaml @@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: DaemonSet +kind: Deployment metadata: name: {{ include "nimbus-k8tls.fullname" . }} labels: @@ -21,4 +21,10 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - terminationGracePeriodSeconds: 10 \ No newline at end of file + {{- if .Values.output.elasticsearch.enabled }} + env: + - name: TTLSECONDSAFTERFINISHED + value: "{{ .Values.output.elasticsearch.ttlsecondsafterfinished }}" + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} diff --git a/deployments/nimbus-k8tls/templates/k8tls-role.yaml b/deployments/nimbus-k8tls/templates/k8tls-role.yaml new file mode 100644 index 00000000..fd8edf17 --- /dev/null +++ b/deployments/nimbus-k8tls/templates/k8tls-role.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: k8tls + labels: + {{- include "nimbus-k8tls.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list diff --git a/deployments/nimbus-k8tls/templates/namespace.yaml b/deployments/nimbus-k8tls/templates/namespace.yaml new file mode 100644 index 00000000..2caea99f --- /dev/null +++ b/deployments/nimbus-k8tls/templates/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "nimbus-k8tls.fullname" . }}-env + labels: + {{- include "nimbus-k8tls.labels" . | nindent 4 }} 
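Review bot: In deployment.yaml the `TTLSECONDSAFTERFINISHED` env var is rendered only when `.Values.output.elasticsearch.enabled` is true, yet values.yaml describes `ttlsecondsafterfinished` as the time to keep the pod after the job completes, which is not Elasticsearch-specific; if the adapter reads the variable regardless of output, the guard hides the setting in the default configuration. Either lift the `env:` block out of the `{{- if }}` or add a comment explaining why the TTL applies only to the Elasticsearch path. The DaemonSet-to-Deployment change also drops `terminationGracePeriodSeconds: 10`; falling back to the default is probably fine, but note it if intentional.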
diff --git a/deployments/nimbus-k8tls/templates/role.yaml b/deployments/nimbus-k8tls/templates/role.yaml index eaa63fd1..873edb4b 100644 --- a/deployments/nimbus-k8tls/templates/role.yaml +++ b/deployments/nimbus-k8tls/templates/role.yaml @@ -2,60 +2,56 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: nimbus-k8tls-clusterrole + name: nimbus-k8tls + labels: + {{- include "nimbus-k8tls.labels" . | nindent 4 }} rules: -- apiGroups: - - "" - resources: - - configmaps - - namespaces - - serviceaccounts - verbs: - - create - - delete - - get - - update -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list -- apiGroups: - - batch - resources: - - cronjobs - verbs: - - create - - delete - - get - - list - - update - - watch -- apiGroups: - - intent.security.nimbus.com - resources: - - clusternimbuspolicies - verbs: - - get - - list - - watch -- apiGroups: - - intent.security.nimbus.com - resources: - - clusternimbuspolicies/status - verbs: - - get - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - verbs: - - create - - delete - - get - - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - update + - apiGroups: + - "" + resources: + - namespaces + - serviceaccounts + verbs: + - get + - apiGroups: + - batch + resources: + - cronjobs + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - intent.security.nimbus.com + resources: + - clusternimbuspolicies + verbs: + - get + - list + - watch + - apiGroups: + - intent.security.nimbus.com + resources: + - clusternimbuspolicies/status + verbs: + - get + - patch + - update +{{- if .Values.output.elasticsearch.enabled }} + - apiGroups: [ "" ] + resources: [ "secrets" ] + resourceNames: [ "elasticsearch-password" ] + verbs: [ "get" ] +{{- end }} 
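Review bot: The ClusterRole is named with a literal `nimbus-k8tls` while `rolebinding.yaml` in this same commit references `{{ include "nimbus-k8tls.fullname" . }}`; the two only agree because values.yaml sets `fullnameOverride: "nimbus-k8tls"`, and any override leaves the binding pointing at a ClusterRole that does not exist. Use `name: {{ include "nimbus-k8tls.fullname" . }}` here as well. Dropping the `rbac.authorization.k8s.io` create/delete rules and narrowing `namespaces`/`serviceaccounts` to `get` is a welcome reduction, and the `secrets` rule with `resourceNames: [ "elasticsearch-password" ]` is correctly limited to `get`, since `list`/`watch` cannot be restricted by resource name. `configmaps` create/delete/update remains cluster-wide; if the adapter only writes into the `-env` namespace, a namespaced Role would tighten that further.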
diff --git a/deployments/nimbus-k8tls/templates/rolebinding.yaml b/deployments/nimbus-k8tls/templates/rolebinding.yaml index 5b21eac6..f2d322f5 100644 --- a/deployments/nimbus-k8tls/templates/rolebinding.yaml +++ b/deployments/nimbus-k8tls/templates/rolebinding.yaml @@ -1,12 +1,29 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "nimbus-k8tls.fullname" . }}-clusterrole-binding + name: {{ include "nimbus-k8tls.fullname" . }} + labels: + {{- include "nimbus-k8tls.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: nimbus-k8tls-clusterrole + name: {{ include "nimbus-k8tls.fullname" . }} subjects: - kind: ServiceAccount name: {{ include "nimbus-k8tls.serviceAccountName" . }} namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: k8tls + labels: + {{- include "nimbus-k8tls.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: k8tls +subjects: + - kind: ServiceAccount + name: k8tls + namespace: {{ include "nimbus-k8tls.fullname" . }}-env diff --git a/deployments/nimbus-k8tls/templates/secret.yaml b/deployments/nimbus-k8tls/templates/secret.yaml new file mode 100644 index 00000000..b73d0a0a --- /dev/null +++ b/deployments/nimbus-k8tls/templates/secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.output.elasticsearch.enabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: elasticsearch-password + namespace: {{ include "nimbus-k8tls.fullname" . }}-env + labels: + {{- include "nimbus-k8tls.labels" . | nindent 4 }} +type: Opaque +data: + es_password: {{ .Values.output.elasticsearch.password }} +{{- end }} \ No newline at end of file diff --git a/deployments/nimbus-k8tls/templates/serviceaccount.yaml b/deployments/nimbus-k8tls/templates/serviceaccount.yaml index 471ec9a6..0219d415 100644 --- a/deployments/nimbus-k8tls/templates/serviceaccount.yaml 
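Review bot: `es_password: {{ .Values.output.elasticsearch.password }}` under `data:` pushes base64 encoding onto whoever writes values.yaml and renders `es_password:` with no value when the password is unset, so an unencoded or empty value yields a Secret that exists but is unusable; `stringData:` (or `{{ .Values.output.elasticsearch.password | b64enc | quote }}`) lets the chart accept plaintext and removes that failure mode. Because the password is a chart value it also lands in the Helm release secret and in any committed values file; an `existingSecret` option referencing a pre-created Secret in the `-env` namespace is the usual mitigation. The second ClusterRoleBinding in rolebinding.yaml grants the `k8tls` ServiceAccount only the `services` get/list ClusterRole, which is appropriately minimal.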
+++ b/deployments/nimbus-k8tls/templates/serviceaccount.yaml @@ -8,3 +8,11 @@ metadata: {{- include "nimbus-k8tls.labels" . | nindent 4 }} automountServiceAccountToken: {{ .Values.serviceAccount.automount }} {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8tls + namespace: {{ include "nimbus-k8tls.fullname" . }}-env + labels: + {{- include "nimbus-k8tls.labels" . | nindent 4 }} diff --git a/deployments/nimbus-k8tls/values.yaml b/deployments/nimbus-k8tls/values.yaml index 758164ad..7f56f8f7 100644 --- a/deployments/nimbus-k8tls/values.yaml +++ b/deployments/nimbus-k8tls/values.yaml @@ -1,18 +1,35 @@ -# Default values for nimbus-k8tls. - image: repository: 5gsec/nimbus-k8tls pullPolicy: Always - tag: "latest" - + tag: "v0.4" nameOverride: "" fullnameOverride: "nimbus-k8tls" - serviceAccount: create: true automount: true name: "nimbus-k8tls" - +podSecurityContext: + fsGroup: 2000 securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 65533 + runAsUser: 1000 +resources: + limits: + cpu: 50m + memory: 64Mi + requests: + cpu: 50m + memory: 64Mi +output: + elasticsearch: + enabled: false + host: "localhost" + user: elastic + port: 9200 + index: "findings" + password: "" # Password in base64 encoded format + ttlsecondsafterfinished: "10" # Amount of time to keep the pod around after job has been completed diff --git a/deployments/nimbus-kubearmor/Chart.yaml b/deployments/nimbus-kubearmor/Chart.yaml index 62920311..73681c7e 100644 --- a/deployments/nimbus-kubearmor/Chart.yaml +++ b/deployments/nimbus-kubearmor/Chart.yaml 
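Review bot: `tag: "v0.4"` in values.yaml pins the adapter image separately from the `appVersion: "0.1.1"` bumped in Chart.yaml in this same commit, so the `image.tag | default .Chart.AppVersion` fallback in deployment.yaml is never taken and the two versions will drift; the k8tls Readme still documents `latest` as the `image.tag` default. The same `tag: "v0.4"` pin appears in `deployments/nimbus-kubearmor/values.yaml` and `deployments/nimbus-kyverno/values.yaml` later in this diff, and the nimbus-kubearmor Readme likewise still says `latest`. The k8tls Readme's new Elasticsearch table uses keys such as `elasticsearch.host` while this file nests them under `output.elasticsearch`, which will mislead anyone copying `--set` flags from the docs. The hardened `securityContext` (drop `ALL`, `readOnlyRootFilesystem: true`, non-root UID) is a good addition; pinning the image by digest rather than tag would complete it.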
@@ -6,7 +6,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.3 +version: 0.1.4 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -16,7 +16,7 @@ appVersion: "0.1.2" dependencies: - name: kubearmor-operator - version: ">= 1.3.4" + version: ">= 1.4.3" repository: https://kubearmor.github.io/charts condition: autoDeploy diff --git a/deployments/nimbus-kubearmor/Readme.md b/deployments/nimbus-kubearmor/Readme.md index 2c05339d..2b4a720d 100644 --- a/deployments/nimbus-kubearmor/Readme.md +++ b/deployments/nimbus-kubearmor/Readme.md @@ -22,7 +22,7 @@ helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus | image.repository | string | 5gsec/nimbus-kubearmor | Image repository from which to pull the `nimbus-kubearmor` adapter's image | | image.pullPolicy | string | Always | `nimbus-kubearmor` adapter image pull policy | | image.tag | string | latest | `nimbus-kubearmor` adapter image tag | -| autoDeploy | bool | true | Auto deploy [KubeArmor]() with default configurations | +| autoDeploy | bool | true | Auto deploy [KubeArmor](https://kubearmor.io/) with default configurations | ## Uninstall the KubeArmor adapter diff --git a/deployments/nimbus-kubearmor/templates/NOTES.txt b/deployments/nimbus-kubearmor/templates/NOTES.txt new file mode 100644 index 00000000..563b9af6 --- /dev/null +++ b/deployments/nimbus-kubearmor/templates/NOTES.txt @@ -0,0 +1,3 @@ +Thank you for installing nimbus-kubearmor. + +Your release is named '{{ include "nimbus-kubearmor.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace. 
diff --git a/deployments/nimbus-kubearmor/templates/daemonset.yaml b/deployments/nimbus-kubearmor/templates/deployment.yaml similarity index 89% rename from deployments/nimbus-kubearmor/templates/daemonset.yaml rename to deployments/nimbus-kubearmor/templates/deployment.yaml index ff273ce2..138ac436 100644 --- a/deployments/nimbus-kubearmor/templates/daemonset.yaml +++ b/deployments/nimbus-kubearmor/templates/deployment.yaml @@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: DaemonSet +kind: Deployment metadata: name: {{ include "nimbus-kubearmor.fullname" . }} labels: @@ -21,4 +21,5 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - terminationGracePeriodSeconds: 10 \ No newline at end of file + resources: + {{- toYaml .Values.resources | nindent 12 }} diff --git a/deployments/nimbus-kubearmor/values.yaml b/deployments/nimbus-kubearmor/values.yaml index beab29f7..781c346e 100644 --- a/deployments/nimbus-kubearmor/values.yaml +++ b/deployments/nimbus-kubearmor/values.yaml @@ -1,16 +1,10 @@ -# Default values for nimbus-kubearmor. - -autoDeploy: true - image: repository: 5gsec/nimbus-kubearmor pullPolicy: Always # Overrides the image tag whose default is the chart appVersion. - tag: "latest" - + tag: "v0.4" nameOverride: "" fullnameOverride: "nimbus-kubearmor" - serviceAccount: # Specifies whether a service account should be created create: true 
@@ -19,10 +13,23 @@ serviceAccount: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "nimbus-kubearmor" - +podSecurityContext: + fsGroup: 2000 securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 65533 - + runAsUser: 1000 +resources: + limits: + cpu: 50m + memory: 64Mi + requests: + cpu: 50m + memory: 64Mi +# Deploy engine +autoDeploy: true kubearmor-operator: autoDeploy: true diff --git a/deployments/nimbus-kyverno/Chart.yaml b/deployments/nimbus-kyverno/Chart.yaml index d9920712..70fc548a 100644 --- a/deployments/nimbus-kyverno/Chart.yaml +++ b/deployments/nimbus-kyverno/Chart.yaml @@ -7,7 +7,7 @@ kubeVersion: ">= 1.25" # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 +version: 0.1.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -17,6 +17,6 @@ appVersion: "0.1.0" dependencies: - name: kyverno - version: ">= 3.2.0" + version: ">= 3.2.6" repository: https://kyverno.github.io/kyverno/ condition: autoDeploy diff --git a/deployments/nimbus-kyverno/templates/NOTES.txt b/deployments/nimbus-kyverno/templates/NOTES.txt new file mode 100644 index 00000000..b9ce5753 --- /dev/null +++ b/deployments/nimbus-kyverno/templates/NOTES.txt @@ -0,0 +1,3 @@ +Thank you for installing nimbus-kyverno. + +Your release is named '{{ include "nimbus-kyverno.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace. 
diff --git a/deployments/nimbus-kyverno/templates/daemonset.yaml b/deployments/nimbus-kyverno/templates/deployment.yaml similarity index 89% rename from deployments/nimbus-kyverno/templates/daemonset.yaml rename to deployments/nimbus-kyverno/templates/deployment.yaml index 551c76a7..08a25872 100644 --- a/deployments/nimbus-kyverno/templates/daemonset.yaml +++ b/deployments/nimbus-kyverno/templates/deployment.yaml @@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: DaemonSet +kind: Deployment metadata: name: {{ include "nimbus-kyverno.fullname" . }} labels: @@ -21,4 +21,5 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - terminationGracePeriodSeconds: 10 \ No newline at end of file + resources: + {{- toYaml .Values.resources | nindent 12 }} diff --git a/deployments/nimbus-kyverno/values.yaml b/deployments/nimbus-kyverno/values.yaml index dbf2c9d1..a40535c3 100644 --- a/deployments/nimbus-kyverno/values.yaml +++ b/deployments/nimbus-kyverno/values.yaml @@ -1,16 +1,10 @@ -# Default values for nimbus-kyverno. - -autoDeploy: true - image: repository: 5gsec/nimbus-kyverno pullPolicy: Always # Overrides the image tag whose default is the chart appVersion. - tag: "latest" - + tag: "v0.4" nameOverride: "" fullnameOverride: "nimbus-kyverno" - serviceAccount: # Specifies whether a service account should be created create: true @@ -19,7 +13,21 @@ serviceAccount: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "nimbus-kyverno" - +podSecurityContext: + fsGroup: 2000 securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 65535 + runAsUser: 1000 +resources: + limits: + cpu: 50m + memory: 64Mi + requests: + cpu: 50m + memory: 64Mi +# Deploy engine +autoDeploy: true 
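Review bot: `tag: "v0.4"` with `pullPolicy: Always` replaces the floating `latest` default, which is good, but a tag is still mutable — anyone who can push to `5gsec/nimbus-kyverno` can re-point `v0.4`, and `Always` guarantees every restart picks the new content up. Give consumers a way to pin what they verified: add an optional `image.digest` value and render the reference as `{{ .Values.image.repository }}@{{ .Values.image.digest }}` when it is set, falling back to the tag form otherwise. A values comment, `# digest takes precedence over tag when set`, keeps the precedence discoverable. The same applies to the other three charts in this PR.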
diff --git a/deployments/nimbus-netpol/Chart.yaml b/deployments/nimbus-netpol/Chart.yaml index abcde436..3b8e701c 100644 --- a/deployments/nimbus-netpol/Chart.yaml +++ b/deployments/nimbus-netpol/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.2 +version: 0.1.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/deployments/nimbus-netpol/templates/NOTES.txt b/deployments/nimbus-netpol/templates/NOTES.txt new file mode 100644 index 00000000..14075be9 --- /dev/null +++ b/deployments/nimbus-netpol/templates/NOTES.txt @@ -0,0 +1,3 @@ +Thank you for installing nimbus-netpol. + +Your release is named '{{ include "nimbus-netpol.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace. diff --git a/deployments/nimbus-netpol/templates/daemonset.yaml b/deployments/nimbus-netpol/templates/deployment.yaml similarity index 89% rename from deployments/nimbus-netpol/templates/daemonset.yaml rename to deployments/nimbus-netpol/templates/deployment.yaml index 9c53ca92..4e49e46d 100644 --- a/deployments/nimbus-netpol/templates/daemonset.yaml +++ b/deployments/nimbus-netpol/templates/deployment.yaml @@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: DaemonSet +kind: Deployment metadata: name: {{ include "nimbus-netpol.fullname" . }} labels: @@ -21,4 +21,5 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - terminationGracePeriodSeconds: 10 + resources: + {{- toYaml .Values.resources | nindent 12 }} 
diff --git a/deployments/nimbus-netpol/values.yaml b/deployments/nimbus-netpol/values.yaml index 02310caf..4e20dd7f 100644 --- a/deployments/nimbus-netpol/values.yaml +++ b/deployments/nimbus-netpol/values.yaml @@ -4,11 +4,9 @@ image: repository: 5gsec/nimbus-netpol pullPolicy: Always # Overrides the image tag whose default is the chart appVersion. - tag: "latest" - + tag: "v0.4" nameOverride: "" fullnameOverride: "nimbus-netpol" - serviceAccount: # Specifies whether a service account should be created create: true @@ -17,7 +15,19 @@ serviceAccount: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "nimbus-netpol" - +podSecurityContext: + fsGroup: 2000 securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 65532 + runAsUser: 1000 +resources: + limits: + cpu: 50m + memory: 64Mi + requests: + cpu: 50m + memory: 64Mi diff --git a/deployments/nimbus/templates/NOTES.txt b/deployments/nimbus/templates/NOTES.txt new file mode 100644 index 00000000..bd9047a9 --- /dev/null +++ b/deployments/nimbus/templates/NOTES.txt @@ -0,0 +1,23 @@ +Thank you for installing Nimbus suite. + +Your release is named '{{ include "nimbus.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace. +{{printf "" }} + +{{- if .Values.autoDeploy.kubearmor }} +Deployed nimbus-kubearmor adapter along with KubeArmor security engine in '{{ .Release.Namespace }}' namespace. +{{ printf "" }} +{{- end}} + +{{- if .Values.autoDeploy.kyverno }} +Deployed nimbus-kyverno adapter along with Kyverno security engine in '{{ .Release.Namespace }}' namespace. +{{ printf "" }} +{{- end}} + +{{- if .Values.autoDeploy.k8tls }} +Deployed nimbus-k8tls adapter in '{{ .Release.Namespace }}' namespace. +{{ printf "" }} +{{- end}} + +{{- if .Values.autoDeploy.netpol }} +Deployed nimbus-netpol adapter in '{{ .Release.Namespace }}' namespace. +{{- end}} 
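Review bot: `runAsUser` changes from 65532 to 1000 with no explanation in the hunk. 65532 is the uid that `gcr.io/distroless/static:nonroot` declares as its USER — the base the k8tls adapter Dockerfile in this PR builds on — so the old value matched the image; 1000 still satisfies `runAsNonRoot` and runs a static binary fine, but if the netpol image (its Dockerfile is not visible here) ships any file readable only by its USER, the new uid cannot read it. Either keep `runAsUser: 65532` or add `# must stay in sync with the USER of image.repository` above the field so the next change is deliberate.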
diff --git a/deployments/nimbus/templates/deployment.yaml b/deployments/nimbus/templates/deployment.yaml index 9487b874..cc9e4862 100644 --- a/deployments/nimbus/templates/deployment.yaml +++ b/deployments/nimbus/templates/deployment.yaml @@ -26,4 +26,5 @@ spec: {{- toYaml .Values.livenessProbe | nindent 12 }} readinessProbe: {{- toYaml .Values.readinessProbe | nindent 12 }} - terminationGracePeriodSeconds: 10 \ No newline at end of file + resources: + {{- toYaml .Values.resources | nindent 12 }} diff --git a/deployments/nimbus/values.yaml b/deployments/nimbus/values.yaml index 4c65d5ce..795b83e1 100644 --- a/deployments/nimbus/values.yaml +++ b/deployments/nimbus/values.yaml @@ -1,22 +1,17 @@ -# Default values for nimbus. - +# Deploy adapters autoDeploy: kubearmor: true netpol: true kyverno: true k8tls: true - replicaCount: 1 - image: repository: 5gsec/nimbus pullPolicy: Always # Overrides the image tag whose default is the chart appVersion. - tag: "latest" - + tag: "v0.4" nameOverride: "" fullnameOverride: "nimbus-operator" - serviceAccount: # Specifies whether a service account should be created create: true @@ -25,11 +20,22 @@ serviceAccount: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "nimbus-operator" - +podSecurityContext: + fsGroup: 2000 securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 65534 - + runAsUser: 1000 +resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi livenessProbe: httpGet: path: /healthz diff --git a/docs/adapters.md b/docs/adapters.md new file mode 100644 index 00000000..5d177b72 --- /dev/null +++ b/docs/adapters.md 
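Review bot: `limits.memory: 128Mi` equal to the request gives the operator Guaranteed QoS, but at the limit a controller-runtime manager is OOMKilled rather than throttled, and its informer caches presumably grow with the number of intents, bindings and generated policies in the cluster, so a crash-loop on a large cluster is the failure mode to expect. Consider a limit above the request, e.g. `limits: {memory: 256Mi}` with `requests: {memory: 128Mi}`, or at minimum a values comment, `# the operator is OOMKilled, not throttled, at this limit; raise it for large clusters`. I cannot see the manager's cache scope from this hunk, so treat the numbers as a starting point rather than a measured value.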
@@ -0,0 +1,101 @@ +# Adapters + +Clone your forked repository onto your local machine. + +```shell +git clone git@github.com:/nimbus.git +``` + +## nimbus-kubearmor + +### From source + +**Requires installing corresponding security engine**: +Follow [this](https://docs.kubearmor.io/kubearmor/quick-links/deployment_guide) to install +KubeArmor. + +Navigate to `nimbus-kubearmor` directory: + +```shell +cd nimbus/pkg/adapter/nimbus-kubearmor +``` + +Run adapter: + +```shell +make run +``` + +### From Helm chart + +Follow [this](../deployments/nimbus-kubearmor/Readme.md) to install using a helm chart. + +## nimbus-netpol + +> [!Note] +> The `nimbus-netpol` adapter leverages +> the [network plugin](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). +> To use network policies, you must be using a networking solution which supports NetworkPolicy. Creating a +> NetworkPolicy resource without a controller that implements it will have no effect. + +### From source + +Navigate to `nimbus-netpol` directory: + +```shell +cd nimbus/pkg/adapter/nimbus-netpol +``` + +Run adapter: + +```shell +make run +``` + +### From Helm chart + +Follow [this](../deployments/nimbus-netpol/Readme.md) to install using a helm chart. + +## nimbus-kyverno + +**Requires installing corresponding security engine**: +Follow [this](https://kyverno.io/docs/installation/) to install +Kyverno. + +### From source + +Navigate to `nimbus-kyverno` directory: + +```shell +cd nimbus/pkg/adapter/nimbus-kyverno +``` + +Run adapter: + +```shell +make run +``` + +### From Helm chart + +Follow [this](../deployments/nimbus-kyverno/Readme.md) to install using a helm chart. + +## nimbus-k8tls + +### From source + +Navigate to `nimbus-k8tls` directory: + +```shell +cd nimbus/pkg/adapter/nimbus-kyverno +``` + +Run adapter: + +```shell +make run +``` + +### From Helm chart + +Follow [this](../deployments/nimbus-k8tls/Readme.md) to install using a helm chart. 
diff --git a/docs/getting-started.md b/docs/getting-started.md index 3ad4a8be..5cf928e3 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -25,32 +25,6 @@ gcloud compute instances create $VM_NAME --zone=$VM_ZONE --machine-type=$VM_MACH # Nimbus - -There are various ways of installing Nimbus. - -## From source - -Install [go](https://go.dev/doc/install) version 1.20 or later. - -Clone the repository: - -```shell -git clone https://github.com/5GSEC/nimbus.git -cd nimbus -``` - -Install CRDs: - -```shell -make install -``` - -Run the operator: - -```shell -make run -``` - ## From Helm Chart Follow [this](../deployments/nimbus/Readme.md) guide to install `nimbus` operator. By default the install of the `nimbus` operator installs the adapters also, and all the security engines - except confidential containers - too. 
@@ -109,90 +83,3 @@ kata-qemu-sev kata-qemu-sev 10d kata-qemu-snp kata-qemu-snp 10d kata-qemu-tdx kata-qemu-tdx 10d ``` - -# Adapters - -Just like Nimbus, there are various ways of installing Security engine adapters. - -- ## nimbus-kubearmor - ### From source - - Clone the repository: - - ```shell - git clone https://github.com/5GSEC/nimbus.git - ``` - - Go to nimbus-kubearmor directory: - - ```shell - cd nimbus/pkg/adapter/nimbus-kubearmor - ``` - - Run `nimbus-kubearmor` adapter: - - ```shell - make run - ``` - - ### From Helm Chart - - Follow [this](../deployments/nimbus-kubearmor/Readme.md) guide to install `nimbus-kubearmor` adapter. - -- ## nimbus-netpol - - > [!Note] - > The `nimbus-netpol` adapter leverages - > the [network plugin](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). - > To use network policies, you must be using a networking solution which supports NetworkPolicy. Creating a - > NetworkPolicy resource without a controller that implements it will have no effect. - - ### From source - - Clone the repository: - - ```shell - git clone https://github.com/5GSEC/nimbus.git - ``` - - Go to nimbus-netpol directory: - - ```shell - cd nimbus/pkg/adapter/nimbus-netpol - ``` - - Run `nimbus-netpol` adapter: - - ```shell - make run - ``` - - ### From Helm Chart - - Follow [this](../deployments/nimbus-netpol/Readme.md) guide to install `nimbus-netpol` adapter. - -- ## nimbus-kyverno - - ### From source - - Clone the repository: - - ```shell - git clone https://github.com/5GSEC/nimbus.git - ``` - - Go to nimbus-kyverno directory: - - ```shell - cd nimbus/pkg/adapter/nimbus-kyverno - ``` - - Run `nimbus-kyverno` adapter: - - ```shell - make run - ``` - - ### From Helm Chart - - Follow [this](../deployments/nimbus-kyverno/Readme.md) guide to install `nimbus-kyverno` adapter. diff --git a/docs/quick-tutorials.md b/docs/quick-tutorials.md index 5ce53700..ac5a6fe5 100644 --- a/docs/quick-tutorials.md 
+++ b/docs/quick-tutorials.md @@ -2,12 +2,12 @@ ## Prerequisites -- **Nimbus suite**: Follow [this](../deployments/nimbus/Readme.md) guide to install `nimbus` operator and its adapters. +- **Nimbus suite**: Follow [this](../deployments/nimbus/Readme.md) guide to install complete suite. ## Create a sample deployment ```shell -kubectl apply -f ./examples/env/nginx-deploy.yaml +kubectl create deploy nginx --image=nginx ``` ## Create SecurityIntent and SecurityIntentBinding @@ -17,9 +17,30 @@ kubectl apply -f ./examples/env/nginx-deploy.yaml Create SecurityIntent and SecurityIntentBinding to prevent DNS Manipulation. ```shell -$ kubectl apply -f ./examples/namespaced/dns-manipulation-si-sib.yaml -securityintent.intent.security.nimbus.com/dns-manipulation created -securityintentbinding.intent.security.nimbus.com/dns-manipulation-binding created +cat << EOF | kubectl apply -f - +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: SecurityIntent +metadata: + name: dns-manipulation +spec: + intent: + id: dnsManipulation + description: "An adversary can manipulate DNS requests to redirect network traffic and potentially reveal end user activity." + action: Block + severity: medium +--- +apiVersion: intent.security.nimbus.com/v1alpha1 +kind: SecurityIntentBinding +metadata: + name: dns-manipulation-binding +spec: + intents: + - name: dns-manipulation + selector: + workloadSelector: + matchLabels: + app: nginx +EOF ``` ## Verify Resources 
@@ -64,20 +85,20 @@ Name: dns-manipulation-binding Namespace: default Labels: Annotations: -API Version: intent.security.nimbus.com/v1 +API Version: intent.security.nimbus.com/v1alpha1 Kind: NimbusPolicy Metadata: - Creation Timestamp: 2024-02-20T06:04:32Z + Creation Timestamp: 2024-07-09T08:03:40Z Generation: 1 Owner References: - API Version: intent.security.nimbus.com/v1 + API Version: intent.security.nimbus.com/v1alpha1 Block Owner Deletion: true Controller: true Kind: SecurityIntentBinding Name: dns-manipulation-binding - UID: c3b7046f-26c7-4edb-ad82-de243e9ee378 - Resource Version: 56960 - UID: 109a7b54-8643-487e-9454-6a79c5f4cacc + UID: 58ca4f82-c930-42ad-b3d3-7486805abeb9 + Resource Version: 4307 + UID: e942a5dc-397b-4ea5-ae59-54521ca520de Spec: Rules: Description: An adversary can manipulate DNS requests to redirect network traffic and potentially reveal end user activity. @@ -91,7 +112,7 @@ Status: Adapter Policies: KubeArmorPolicy/dns-manipulation-binding-dnsmanipulation NetworkPolicy/dns-manipulation-binding-dnsmanipulation - Last Updated: 2024-02-20T06:04:32Z + Last Updated: 2024-07-09T08:03:40Z Number Of Adapter Policies: 2 Status: Created Events: @@ -122,19 +143,19 @@ kind: KubeArmorPolicy metadata: annotations: app.kubernetes.io/managed-by: nimbus-kubearmor - creationTimestamp: "2024-02-20T06:04:32Z" + creationTimestamp: "2024-07-09T08:03:40Z" generation: 1 name: dns-manipulation-binding-dnsmanipulation namespace: default ownerReferences: - - apiVersion: intent.security.nimbus.com/v1 + - apiVersion: intent.security.nimbus.com/v1alpha1 blockOwnerDeletion: true controller: true kind: NimbusPolicy name: dns-manipulation-binding - uid: 109a7b54-8643-487e-9454-6a79c5f4cacc - resourceVersion: "56955" - uid: 03afa2ec-ea86-4248-9f63-243493aa1db9 + uid: e942a5dc-397b-4ea5-ae59-54521ca520de + resourceVersion: "4303" + uid: 7644a152-ca15-45be-8659-3bd7a28fa40d spec: action: Block capabilities: { } 
@@ -155,7 +176,7 @@ spec: ### NetworkPolicy ```shell -$ kubectl get networkpolicy +$ kubectl get networkpolicy NAME POD-SELECTOR AGE dns-manipulation-binding-dnsmanipulation app=nginx 6m43s ``` @@ -172,19 +193,19 @@ kind: NetworkPolicy metadata: annotations: app.kubernetes.io/managed-by: nimbus-netpol - creationTimestamp: "2024-02-20T06:04:32Z" + creationTimestamp: "2024-07-09T08:03:40Z" generation: 1 name: dns-manipulation-binding-dnsmanipulation namespace: default ownerReferences: - - apiVersion: intent.security.nimbus.com/v1 + - apiVersion: intent.security.nimbus.com/v1alpha1 blockOwnerDeletion: true controller: true kind: NimbusPolicy name: dns-manipulation-binding - uid: 109a7b54-8643-487e-9454-6a79c5f4cacc - resourceVersion: "56956" - uid: 473c293e-3006-4843-9eb3-2a21f142d6e3 + uid: e942a5dc-397b-4ea5-ae59-54521ca520de + resourceVersion: "4304" + uid: 61a3f401-6725-4791-84cc-3ec701e90a62 spec: egress: - ports: @@ -216,12 +237,14 @@ From the `DNSManipulation` SecurityIntent two security policies were generated: `kube-dns` pods within the `kube-system` namespace. This restricts access to the DNS server, enhancing security while enabling pods to resolve DNS names. +**Enforcement is handled by the relevant security engines. Here, KubeArmor and a NetworkPolicy-enforcing CNI solution.** + ## Cleanup * The SecurityIntent and SecurityIntentBinding created earlier are no longer needed and can be deleted: ```shell -$ kubectl delete -f ./examples/namespaced/dns-manipulation-si-sib.yaml +$ kubectl delete securityintent,securityintentbinding --all securityintent.intent.security.nimbus.com "dns-manipulation" deleted securityintentbinding.intent.security.nimbus.com "dns-manipulation-binding" deleted ``` 
@@ -229,18 +252,18 @@ securityintentbinding.intent.security.nimbus.com "dns-manipulation-binding" dele * Delete deployment ```shell -$ kubectl delete -f ./examples/env/nginx-deploy.yaml +$ kubectl delete deploy nginx deployment.apps "nginx" deleted ``` * Confirm all resources have been deleted (Optional) ```shell -$ kubectl get securityintent,securityintentbinding,nimbuspolicy,kubearmorpolicy,netpol -A +$ kubectl get securityintent,securityintentbinding,nimbuspolicy,kubearmorpolicy,netpol No resources found ``` ## Next steps -- Try out other sample [SecurityIntents](../examples/namespaced) and review the policy generation. +- Try out other [SecurityIntents](../examples/namespaced) and review the policy generation. - Checkout [Security Intents](https://github.com/5GSEC/security-intents). diff --git a/examples/clusterscoped/ensuretls-default.yaml b/examples/clusterscoped/assesstls-default.yaml similarity index 86% rename from examples/clusterscoped/ensuretls-default.yaml rename to examples/clusterscoped/assesstls-default.yaml index 7727185a..aabedbfb 100644 --- a/examples/clusterscoped/ensuretls-default.yaml +++ b/examples/clusterscoped/assesstls-default.yaml @@ -4,10 +4,10 @@ apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntent metadata: - name: ensure-tls-default + name: assess-tls-default spec: intent: - id: ensureTLS + id: assessTLS action: Audit description: | Assess the TLS configuration to ensure compliance with the security standards. This includes verifying TLS protocol version, @@ -17,10 +17,10 @@ spec: apiVersion: intent.security.nimbus.com/v1alpha1 kind: ClusterSecurityIntentBinding metadata: - name: ensure-tls-default + name: assess-tls-default spec: intents: - - name: ensure-tls-default + - name: assess-tls-default selector: nsSelector: matchNames: 
diff --git a/examples/clusterscoped/ensuretls-with-external-addresses.yaml b/examples/clusterscoped/assesstls-with-external-addresses.yaml similarity index 86% rename from examples/clusterscoped/ensuretls-with-external-addresses.yaml rename to examples/clusterscoped/assesstls-with-external-addresses.yaml index ddade528..4d556373 100644 --- a/examples/clusterscoped/ensuretls-with-external-addresses.yaml +++ b/examples/clusterscoped/assesstls-with-external-addresses.yaml @@ -4,10 +4,10 @@ apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntent metadata: - name: ensure-tls-external-addresses + name: assess-tls-external-addresses spec: intent: - id: ensureTLS + id: assessTLS action: Audit severity: "medium" description: | @@ -21,10 +21,10 @@ spec: apiVersion: intent.security.nimbus.com/v1alpha1 kind: ClusterSecurityIntentBinding metadata: - name: ensure-tls-external-addresses + name: assess-tls-external-addresses spec: intents: - - name: ensure-tls-external-addresses + - name: assess-tls-external-addresses selector: nsSelector: matchNames: diff --git a/examples/clusterscoped/ensuretls-with-schedule.yaml b/examples/clusterscoped/assesstls-with-schedule.yaml similarity index 87% rename from examples/clusterscoped/ensuretls-with-schedule.yaml rename to examples/clusterscoped/assesstls-with-schedule.yaml index 33a9fcdc..c56704db 100644 --- a/examples/clusterscoped/ensuretls-with-schedule.yaml +++ b/examples/clusterscoped/assesstls-with-schedule.yaml @@ -4,10 +4,10 @@ apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntent metadata: - name: ensure-tls-scheduled + name: assess-tls-scheduled spec: intent: - id: ensureTLS + id: assessTLS action: Audit severity: "medium" description: | 
@@ -20,10 +20,10 @@ spec: apiVersion: intent.security.nimbus.com/v1alpha1 kind: ClusterSecurityIntentBinding metadata: - name: ensure-tls-scheduled + name: assess-tls-scheduled spec: intents: - - name: ensure-tls-scheduled + - name: assess-tls-scheduled selector: nsSelector: matchNames: diff --git a/examples/namespaced/coco-workload-si-sib.yaml b/examples/namespaced/coco-workload-si-sib.yaml index 748cec6e..716c4a7e 100644 --- a/examples/namespaced/coco-workload-si-sib.yaml +++ b/examples/namespaced/coco-workload-si-sib.yaml @@ -7,6 +7,8 @@ spec: id: cocoWorkload description: "Ensure workload is encryted by running the specified workload in a Confidential VM" action: Block + params: + runtimeClass: ["kata-qemu"] --- apiVersion: intent.security.nimbus.com/v1alpha1 kind: SecurityIntentBinding diff --git a/go.mod b/go.mod index 23f5c718..1397f2ec 100644 --- a/go.mod +++ b/go.mod @@ -5,10 +5,10 @@ go 1.22.0 toolchain go1.22.1 require ( - github.com/go-logr/logr v1.4.1 - k8s.io/apimachinery v0.30.0 - k8s.io/client-go v0.30.0 - sigs.k8s.io/controller-runtime v0.18.2 + github.com/go-logr/logr v1.4.2 + k8s.io/apimachinery v0.30.3 + k8s.io/client-go v0.30.3 + sigs.k8s.io/controller-runtime v0.18.3 ) require ( @@ -34,7 +34,7 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect - github.com/google/cel-go v0.20.1 + github.com/google/cel-go v0.21.0 github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect 
@@ -66,10 +66,10 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.30.0 - k8s.io/apiextensions-apiserver v0.30.0 // indirect + k8s.io/api v0.30.3 + k8s.io/apiextensions-apiserver v0.30.1 // indirect k8s.io/klog/v2 v2.120.1 // indirect - k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect + k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect diff --git a/go.sum b/go.sum index 2439b57f..a1abb189 100644 --- a/go.sum +++ b/go.sum @@ -16,8 +16,8 @@ github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= -github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= -github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= 
@@ -35,8 +35,8 @@ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84= -github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg= +github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI= +github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -170,22 +170,22 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= -k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= -k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= -k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y= -k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= -k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= -k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= +k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= +k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= +k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws= +k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4= +k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= +k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= +k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM= -k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod 
h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro= +k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= +k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q= -sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw= +sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lwtlSR4= +sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/pkg/adapter/common/common.go b/pkg/adapter/common/common.go index 6b5de7b5..ce62a2db 100644 --- a/pkg/adapter/common/common.go +++ b/pkg/adapter/common/common.go @@ -7,3 +7,10 @@ type Request struct { Name string Namespace string } + +type ContextKey string + +const ( + K8sClientKey ContextKey = "k8sClient" + NamespaceNameKey ContextKey = "K8tlsNamespace" +) diff --git a/pkg/adapter/idpool/idpool.go b/pkg/adapter/idpool/idpool.go index 73468089..c5d4f939 100644 --- a/pkg/adapter/idpool/idpool.go +++ b/pkg/adapter/idpool/idpool.go @@ -17,7 +17,7 @@ const ( DisallowCapabilities = "disallowCapabilities" ExploitPFA = "preventExecutionFromTempOrLogsFolders" CocoWorkload = "cocoWorkload" - EnsureTLS = "ensureTLS" + AssessTLS = "assessTLS" DenyENAccess = "denyExternalNetworkAccess" ) 
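Review bot: `ContextKey` and both constants are exported without doc comments, and the key strings are inconsistent — `K8sClientKey` is lowerCamel `"k8sClient"` while `NamespaceNameKey` is `"K8tlsNamespace"`, an adapter-specific name inside a package shared by all adapters. Suggest `NamespaceNameKey ContextKey = "namespaceName"` (or rename the constant `K8tlsNamespaceKey` if it really is k8tls-only) and a doc line such as `// ContextKey is the type of the keys adapters use to store values in a context.Context; a named type keeps them from colliding with plain string keys.` plus a one-line comment per constant. Because the type is exported, other packages can still mint `common.ContextKey("k8sClient")` and collide; if that matters, make the type unexported (`type contextKey string`) and keep only the constants exported, which is the pattern the `context` package documentation shows.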
@@ -49,7 +49,7 @@ var KyvIds = []string{ // k8tlsIds are IDs supported by k8tls. var k8tlsIds = []string{ - EnsureTLS, + AssessTLS, } // IsIdSupportedBy determines whether a given ID is supported by a security engine. diff --git a/pkg/adapter/nimbus-k8tls/Dockerfile b/pkg/adapter/nimbus-k8tls/Dockerfile index 53569ab1..fddb2773 100644 --- a/pkg/adapter/nimbus-k8tls/Dockerfile +++ b/pkg/adapter/nimbus-k8tls/Dockerfile @@ -1,10 +1,13 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -FROM golang:1.22 as builder +FROM golang:1.22 AS builder ARG TARGETOS ARG TARGETARCH +# Required to embed build info into binary. +COPY .git /.git + WORKDIR /nimbus # relative deps requried by the adapter @@ -25,13 +28,14 @@ COPY $ADAPTER_DIR/manager manager COPY $ADAPTER_DIR/builder builder COPY $ADAPTER_DIR/watcher watcher COPY $ADAPTER_DIR/main.go main.go +COPY $ADAPTER_DIR/Makefile Makefile # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. -RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-s" -o bin/nimbus-k8tls main.go +RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build FROM gcr.io/distroless/static:nonroot WORKDIR / diff --git a/pkg/adapter/nimbus-k8tls/Makefile b/pkg/adapter/nimbus-k8tls/Makefile index 22025afd..6149b5ad 100644 --- a/pkg/adapter/nimbus-k8tls/Makefile +++ b/pkg/adapter/nimbus-k8tls/Makefile 
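Review bot: `COPY .git /.git` puts the whole repository metadata into a build layer, and `.git/config` frequently holds credentials: `actions/checkout` persists the job's `GITHUB_TOKEN` there by default (as `http.https://github.com/.extraheader`) unless `persist-credentials: false` is set, and developer clones may carry token-bearing remote URLs. The builder stage does not reach the final distroless image, but its layers live in the local build cache and in anything exported with `--cache-to`, and the complete history now has to travel in the build context for the COPY to work at all. Prefer passing the revision explicitly — `ARG VCS_REF` and `-ldflags "-X main.version=${VCS_REF}"` — or, if Go's own VCS stamping is wanted, mount the directory for the build step only, `RUN --mount=type=bind,source=.git,target=/.git,ro ... make build`, so it never becomes a layer (requires BuildKit, which current Docker uses by default).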
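Review bot: The switch to `make build` relies on `go build .` stamping VCS metadata, and with the default `-buildvcs=auto` that is best-effort: if the builder image has no `git` binary (e.g. a later move to `golang:1.22-alpine`), the build succeeds with an unstamped binary and nobody notices that the `.git` copy above is doing nothing. Set `GOFLAGS=-buildvcs=true` on the RUN line so a missing tool fails the build: `RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} GOFLAGS=-buildvcs=true make build`. `golang:1.22` does ship git today, so this is a guard against a future regression, not a current breakage.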
@@ -18,9 +18,13 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 help: ## Display this help.
 @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+.DEFAULT_GOAL := help
+
+.PHONY: build
 build: ## Build nimbus-k8tls executable.
- @go build -ldflags="-s" -o ${BINARY} main.go
+ @go build -ldflags="-s" -o ${BINARY} .
+.PHONY: run
 run: build ## Run nimbus-k8tls.
 @./${BINARY}
diff --git a/pkg/adapter/nimbus-k8tls/builder/builder.go b/pkg/adapter/nimbus-k8tls/builder/builder.go
index c7d4ac50..cda292e4 100644
--- a/pkg/adapter/nimbus-k8tls/builder/builder.go
+++ b/pkg/adapter/nimbus-k8tls/builder/builder.go
@@ -6,21 +6,24 @@ package builder
 import (
 "context"
 "fmt"
+ "os"
+ "strconv"
 "strings"
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/log"
 "github.com/5GSEC/nimbus/api/v1alpha1"
+ "github.com/5GSEC/nimbus/pkg/adapter/common"
 "github.com/5GSEC/nimbus/pkg/adapter/idpool"
 )
 var (
- DefaultSchedule = "@weekly"
- backOffLimit = int32(5)
- hostPathDirectoryOrCreate = corev1.HostPathDirectoryOrCreate
+ DefaultSchedule = "@weekly"
+ backOffLimit = int32(5)
 )
 func BuildCronJob(ctx context.Context, cwnp v1alpha1.ClusterNimbusPolicy) (*batchv1.CronJob, *corev1.ConfigMap) {
@@ -28,7 +31,7 @@ func BuildCronJob(ctx context.Context, cwnp v1alpha1.ClusterNimbusPolicy) (*batc
 for _, nimbusRule := range cwnp.Spec.NimbusRules {
 id := nimbusRule.ID
 if idpool.IsIdSupportedBy(id, "k8tls") {
- cronJob, configMap := cronJobFor(id, nimbusRule)
+ cronJob, configMap := cronJobFor(ctx, id, nimbusRule)
 cronJob.SetName(cwnp.Name + "-" + strings.ToLower(id))
 cronJob.SetAnnotations(map[string]string{
 "app.kubernetes.io/managed-by": "nimbus-k8tls",
@@ -41,31 +44,32 @@ func BuildCronJob(ctx context.Context, cwnp v1alpha1.ClusterNimbusPolicy) (*batc
 return nil, nil
 }
-func cronJobFor(id string, rule v1alpha1.NimbusRules) (*batchv1.CronJob, *corev1.ConfigMap) {
+func cronJobFor(ctx context.Context, id string, rule v1alpha1.NimbusRules) (*batchv1.CronJob, *corev1.ConfigMap) {
 switch id {
- case idpool.EnsureTLS:
- return ensureTlsCronJob(rule)
+ case idpool.AssessTLS:
+ return assessTlsCronJob(ctx, rule)
 default:
 return nil, nil
 }
 }
-func ensureTlsCronJob(rule v1alpha1.NimbusRules) (*batchv1.CronJob, *corev1.ConfigMap) {
+func assessTlsCronJob(ctx context.Context, rule v1alpha1.NimbusRules) (*batchv1.CronJob, *corev1.ConfigMap) {
 schedule, scheduleKeyExists := rule.Rule.Params["schedule"]
 externalAddresses, addrKeyExists := rule.Rule.Params["external_addresses"]
 if scheduleKeyExists && addrKeyExists {
- return cronJobForEnsureTls(schedule[0], externalAddresses...)
+ return cronJobForAssessTls(ctx, schedule[0], externalAddresses...)
 }
 if scheduleKeyExists {
- return cronJobForEnsureTls(schedule[0])
+ return cronJobForAssessTls(ctx, schedule[0])
 }
 if addrKeyExists {
- return cronJobForEnsureTls(DefaultSchedule, externalAddresses...)
+ return cronJobForAssessTls(ctx, DefaultSchedule, externalAddresses...)
 }
- return cronJobForEnsureTls(DefaultSchedule)
+ return cronJobForAssessTls(ctx, DefaultSchedule)
 }
-func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1.CronJob, *corev1.ConfigMap) {
+func cronJobForAssessTls(ctx context.Context, schedule string, externalAddresses ...string) (*batchv1.CronJob, *corev1.ConfigMap) {
+ logger := log.FromContext(ctx)
 cj := &batchv1.CronJob{
 Spec: batchv1.CronJobSpec{
 Schedule: schedule,
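Review bot: `schedule[0]` on the changed return lines in `assessTlsCronJob` indexes the `schedule` parameter list without checking that it is non-empty, so a ClusterNimbusPolicy whose rule carries `schedule: []` panics the adapter; `rule.Rule.Params` is user-authored CR content and should be validated rather than trusted. The four-way branch also collapses into one guarded computation: `cron := DefaultSchedule; if scheduleKeyExists && len(schedule) > 0 { cron = schedule[0] }` followed by `return cronJobForAssessTls(ctx, cron, externalAddresses...)`, since a nil `externalAddresses` when the key is absent behaves the same as passing none. A one-line doc comment stating that a missing or empty `schedule` falls back to `DefaultSchedule` would make the contract visible to whoever writes the CR examples.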
@@ -75,7 +79,7 @@ func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1
 Template: corev1.PodTemplateSpec{
 Spec: corev1.PodSpec{
 RestartPolicy: corev1.RestartPolicyNever,
- Containers: []corev1.Container{
+ InitContainers: []corev1.Container{
 {
 Name: "k8tls",
 Image: "kubearmor/k8tls:latest",
@@ -94,6 +98,25 @@ func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1
 },
 },
 },
+ Containers: []corev1.Container{
+ {
+ Name: "fluent-bit",
+ Image: "fluent/fluent-bit:latest",
+ ImagePullPolicy: corev1.PullAlways,
+ VolumeMounts: []corev1.VolumeMount{
+ {
+ Name: "fluent-bit-config",
+ MountPath: "/fluent-bit/etc/fluent-bit.conf",
+ SubPath: "fluent-bit.conf",
+ ReadOnly: true,
+ },
+ {
+ Name: "k8tls-report",
+ MountPath: "/tmp/",
+ },
+ },
+ },
+ },
 Volumes: []corev1.Volume{
 {
 Name: "fips-config",
@@ -106,14 +129,21 @@ func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1
 },
 },
 {
- Name: "k8tls-report",
+ Name: "fluent-bit-config",
 VolumeSource: corev1.VolumeSource{
- HostPath: &corev1.HostPathVolumeSource{
- Path: "/tmp/",
- Type: &hostPathDirectoryOrCreate,
+ ConfigMap: &corev1.ConfigMapVolumeSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: "fluent-bit-config",
+ },
 },
 },
 },
+ {
+ Name: "k8tls-report",
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: &corev1.EmptyDirVolumeSource{},
+ },
+ },
 },
 },
 },
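Review bot: Both images in the pod template are mutable tags — `kubearmor/k8tls:latest` on the init container and the new `fluent/fluent-bit:latest` with `ImagePullPolicy: corev1.PullAlways` — so every scheduled run re-resolves whatever the registry currently serves, and the fluent-bit container is the one that is handed `ES_PASSWORD` and ships the report out of the cluster. Pin both to a version or digest (`fluent/fluent-bit:<version>@sha256:<digest>`, placeholders) or make the references configurable so operators can point at a mirrored image. Replacing the `HostPath` report volume with an `EmptyDir` is a good change. The `fluent-bit-config` ConfigMap and its `fluent-bit.conf` key are referenced here but created nowhere in this diff; if the Helm chart is expected to ship them, a comment beside the volume saying so, e.g. `// fluent-bit-config is provisioned by the nimbus-k8tls chart, not by this adapter.`, saves the next reader a search, because without it the pod never starts.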
@@ -122,10 +152,39 @@ func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1
 },
 }
+ // Fetch the elasticsearch password secret. If the secret is present, set TTLSecondsAfterFinished and reference the secret in the cronjob templateZ
+ var elasticsearchPasswordSecret corev1.Secret
+ err := ctx.Value(common.K8sClientKey).(client.Client).Get(ctx, client.ObjectKey{Namespace: ctx.Value(common.NamespaceNameKey).(string), Name: "elasticsearch-password"}, &elasticsearchPasswordSecret)
+ if err == nil {
+ // Convert string to int
+ i, err := strconv.ParseInt(os.Getenv("TTLSECONDSAFTERFINISHED"), 10, 32)
+ if err != nil {
+ logger.Error(err, "Error converting string to int", "TTLSECONDSAFTERFINISHED: ", os.Getenv("TTLSECONDSAFTERFINISHED"))
+ return nil, nil
+ }
+ // Convert int to int32
+ ttlSecondsAfterFinished := int32(i)
+ // If we are sending the report to elasticsearch, then we delete the pod spawned by job after 1 hour. Else we keep the pod
+ cj.Spec.JobTemplate.Spec.TTLSecondsAfterFinished = &ttlSecondsAfterFinished
+ cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env = []corev1.EnvVar{
+ {
+ Name: "ES_PASSWORD",
+ ValueFrom: &corev1.EnvVarSource{
+ SecretKeyRef: &corev1.SecretKeySelector{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: "elasticsearch-password",
+ },
+ Key: "es_password",
+ },
+ },
+ },
+ }
+ }
+
 if len(externalAddresses) > 0 {
 cm := buildConfigMap(externalAddresses)
- cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].VolumeMounts = append(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+ cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].VolumeMounts = append(cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].VolumeMounts, corev1.VolumeMount{
 Name: cm.Name,
 ReadOnly: true,
 MountPath: "/var/k8tls/",
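Review bot: The two `ctx.Value(...)` reads on the new `err :=` line are unchecked type assertions, so any caller that reaches `BuildCronJob` with a context lacking `common.K8sClientKey` or `common.NamespaceNameKey` panics the whole adapter, and `if err == nil` treats every lookup failure (Forbidden, timeout) exactly like NotFound, silently dropping the Elasticsearch wiring with no log line. The `return nil, nil` on a missing or malformed `TTLSECONDSAFTERFINISHED` is not a graceful skip either: as far as the earlier hunk shows, `BuildCronJob` calls `cronJob.SetName(...)` on the result without a nil check, so an unset environment variable plus a present secret ends in a nil-pointer dereference rather than an unscheduled assessment. The inner `i, err :=` shadows the outer `err`, and the header comment ends in a stray `templateZ`. The sketch below distinguishes NotFound from other errors, logs a bad TTL and continues without one, and needs `apierrors "k8s.io/apimachinery/pkg/api/errors"` in the import block; `cronJobForAssessTls` starts in an earlier hunk.
```go
	// … unchanged: CronJob literal construction …

	// The client and namespace are injected by the manager; treat their absence as a
	// programming error that disables the optional Elasticsearch wiring, not as a panic.
	k8sClient, clientOK := ctx.Value(common.K8sClientKey).(client.Client)
	namespace, nsOK := ctx.Value(common.NamespaceNameKey).(string)
	if !clientOK || !nsOK {
		logger.Error(nil, "k8s client or k8tls namespace missing from context; skipping elasticsearch lookup")
	} else {
		var esSecret corev1.Secret
		err := k8sClient.Get(ctx, client.ObjectKey{Namespace: namespace, Name: "elasticsearch-password"}, &esSecret)
		switch {
		case apierrors.IsNotFound(err):
			// No Elasticsearch credentials: the report stays in the pod and no TTL is set.
		case err != nil:
			logger.Error(err, "failed to look up elasticsearch-password secret", "Namespace", namespace)
		default:
			rawTTL := os.Getenv("TTLSECONDSAFTERFINISHED")
			if ttl, perr := strconv.ParseInt(rawTTL, 10, 32); perr != nil {
				logger.Error(perr, "invalid TTLSECONDSAFTERFINISHED, not setting TTLSecondsAfterFinished", "value", rawTTL)
			} else {
				ttl32 := int32(ttl)
				cj.Spec.JobTemplate.Spec.TTLSecondsAfterFinished = &ttl32
			}
			cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env = []corev1.EnvVar{
				// … unchanged: ES_PASSWORD secretKeyRef …
			}
		}
	}

	// … unchanged: external_addresses ConfigMap wiring …
```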
@@ -141,10 +200,11 @@ func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1
 },
 })
- cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command[0] = "./tlsscan"
- cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command = append(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command,
+ cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].Command[0] = "./tlsscan"
+ cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].Command = append(cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].Command,
 "--infile",
- cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].VolumeMounts[2].MountPath+"addresses",
+ cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].VolumeMounts[2].MountPath+"addresses",
+ "--compact-json",
 )
 return cj, cm
 }
diff --git a/pkg/adapter/nimbus-k8tls/go.mod b/pkg/adapter/nimbus-k8tls/go.mod
index 65116816..1a0f3837 100644
--- a/pkg/adapter/nimbus-k8tls/go.mod
+++ b/pkg/adapter/nimbus-k8tls/go.mod
@@ -9,10 +9,10 @@ replace github.com/5GSEC/nimbus => ../../../../nimbus
 require (
 github.com/5GSEC/nimbus v0.0.0-20240313065715-b91563b0ccd3
 github.com/go-logr/logr v1.4.2
- k8s.io/api v0.30.1
- k8s.io/apimachinery v0.30.1
- k8s.io/client-go v0.30.1
- sigs.k8s.io/controller-runtime v0.18.2
+ k8s.io/api v0.30.3
+ k8s.io/apimachinery v0.30.3
+ k8s.io/client-go v0.30.3
+ sigs.k8s.io/controller-runtime v0.18.3
 )
 require (
diff --git a/pkg/adapter/nimbus-k8tls/go.sum b/pkg/adapter/nimbus-k8tls/go.sum
index 1dd0a0b1..8db39b94 100644
--- a/pkg/adapter/nimbus-k8tls/go.sum
+++ b/pkg/adapter/nimbus-k8tls/go.sum
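Review bot: `VolumeMounts[2]` on the changed `--infile` line hard-codes the position of the mount appended a few lines earlier, so any mount added to the init container ahead of it silently points `tlsscan` at the wrong file; this very hunk moved the fields from `Containers` to `InitContainers`, which is the kind of reshuffle that breaks such an index unnoticed. Share the `/var/k8tls/` path between the append and the command through a named constant instead of reading it back out of the slice, and alias the five repeated `cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0]` selectors through a pointer. The enclosing `if len(externalAddresses) > 0` block begins in the previous hunk.
```go
	if len(externalAddresses) > 0 {
		cm := buildConfigMap(externalAddresses)
		// Mount path for the addresses file, shared with the --infile argument below.
		const addressesMountPath = "/var/k8tls/"
		k8tlsInit := &cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0]
		k8tlsInit.VolumeMounts = append(k8tlsInit.VolumeMounts, corev1.VolumeMount{
			Name:      cm.Name,
			ReadOnly:  true,
			MountPath: addressesMountPath,
		})
		// … unchanged: ConfigMap volume appended to the pod spec …
		k8tlsInit.Command[0] = "./tlsscan"
		k8tlsInit.Command = append(k8tlsInit.Command,
			"--infile",
			addressesMountPath+"addresses",
			"--compact-json",
		)
		return cj, cm
	}
```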
@@ -154,22 +154,22 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY= -k8s.io/api v0.30.1/go.mod h1:ddbN2C0+0DIiPntan/bye3SW3PdwLa11/0yqwvuRrJM= +k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= +k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws= k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4= -k8s.io/apimachinery v0.30.1 h1:ZQStsEfo4n65yAdlGTfP/uSHMQSoYzU/oeEbkmF7P2U= -k8s.io/apimachinery v0.30.1/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q= -k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc= +k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= +k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= +k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= 
-sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q=
-sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw=
+sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lwtlSR4=
+sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
diff --git a/pkg/adapter/nimbus-k8tls/main.go b/pkg/adapter/nimbus-k8tls/main.go
index ba7d46c7..83b431a4 100644
--- a/pkg/adapter/nimbus-k8tls/main.go
+++ b/pkg/adapter/nimbus-k8tls/main.go
@@ -5,6 +5,7 @@ package main
 import (
 "context"
+ "github.com/5GSEC/nimbus/pkg/util"
 "os"
 "os/signal"
 "syscall"
@@ -18,6 +19,7 @@ import (
 func main() {
 ctrl.SetLogger(zap.New())
 logger := ctrl.Log
+ util.LogBuildInfo(logger)
 ctx, cancelFunc := context.WithCancel(context.Background())
 ctrl.LoggerInto(ctx, logger)
diff --git a/pkg/adapter/nimbus-k8tls/manager/cronjob.go b/pkg/adapter/nimbus-k8tls/manager/cronjob.go
index 4b8ccc13..763f2675 100644
--- a/pkg/adapter/nimbus-k8tls/manager/cronjob.go
+++ b/pkg/adapter/nimbus-k8tls/manager/cronjob.go
@@ -22,8 +22,8 @@ import (
 )
 func createOrUpdateCj(ctx context.Context, logger logr.Logger, cwnp v1alpha1.ClusterNimbusPolicy, cronJob *batchv1.CronJob) {
- cronJob.Namespace = NamespaceName
- cronJob.Spec.JobTemplate.Spec.Template.Spec.ServiceAccountName = NamespaceName
+ cronJob.Namespace = K8tlsNamespace
+ cronJob.Spec.JobTemplate.Spec.Template.Spec.ServiceAccountName = k8tls
 if err := ctrl.SetControllerReference(&cwnp, cronJob, scheme); err != nil {
 logger.Error(err, "failed to set OwnerReference on Kubernetes CronJob", "CronJob.Name", cronJob.Name)
 return
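Review bot: The new `"github.com/5GSEC/nimbus/pkg/util"` import is dropped into the standard-library group between `"context"` and `"os"`; `goimports` convention keeps module imports in a separate group after the stdlib block, and the rest of this file's import list presumably already follows that split. Move the line to the group holding the `ctrl` and `zap` imports, which lies outside this hunk. The identical placement appears in the `pkg/adapter/nimbus-kubearmor/main.go` hunk further down.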
@@ -76,7 +76,7 @@ func deleteCronJobs(ctx context.Context, logger logr.Logger, cwnpName string, cr
 func createCm(ctx context.Context, cwnp v1alpha1.ClusterNimbusPolicy, scheme *runtime.Scheme, k8sClient client.Client, configMap *corev1.ConfigMap) error {
 logger := log.FromContext(ctx)
- configMap.SetNamespace(NamespaceName)
+ configMap.SetNamespace(K8tlsNamespace)
 if err := ctrl.SetControllerReference(&cwnp, configMap, scheme); err != nil {
 return err
 }
diff --git a/pkg/adapter/nimbus-k8tls/manager/k8tls.go b/pkg/adapter/nimbus-k8tls/manager/k8tls.go
index ee51746c..8f826d6f 100644
--- a/pkg/adapter/nimbus-k8tls/manager/k8tls.go
+++ b/pkg/adapter/nimbus-k8tls/manager/k8tls.go
@@ -5,252 +5,28 @@ package manager
 import (
 "context"
- "fmt"
- "strings"
 corev1 "k8s.io/api/core/v1"
- rbacv1 "k8s.io/api/rbac/v1"
- "k8s.io/apimachinery/pkg/api/errors"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/log"
-
- "github.com/5GSEC/nimbus/api/v1alpha1"
 )
-//+kubebuilder:rbac:groups="",resources=namespaces;serviceaccounts;configmaps,verbs=get;create;delete;update
-//+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterroles;clusterrolebindings,verbs=get;create;delete;update
-//+kubebuilder:rbac:groups="",resources=services,verbs=get;list
-
-func setupK8tlsEnv(ctx context.Context, cwnp v1alpha1.ClusterNimbusPolicy, scheme *runtime.Scheme, k8sClient client.Client) error {
+func k8tlsEnvExist(ctx context.Context, k8sClient client.Client) bool {
 logger := log.FromContext(ctx)
- ns := &corev1.Namespace{
- TypeMeta: metav1.TypeMeta{
- APIVersion: corev1.SchemeGroupVersion.String(),
- Kind: "Namespace",
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: NamespaceName,
- Labels: cwnp.Labels,
- Annotations: map[string]string{
- "app.kubernetes.io/managed-by": "nimbus-k8tls",
- },
- },
+ ns := &corev1.Namespace{}
+ if err := k8sClient.Get(ctx, client.ObjectKey{Name: K8tlsNamespace}, ns); err != nil {
+ logger.Error(err, "'k8tls' namespace not found")
+ return false
 }
- cm := &corev1.ConfigMap{
- TypeMeta: metav1.TypeMeta{
- APIVersion: "v1",
- Kind: "ConfigMap",
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: "fips-config",
- Namespace: NamespaceName,
- Labels: ns.Labels,
- Annotations: ns.Annotations,
- },
- Data: map[string]string{
- "fips-140-3.json": `
-{
- "TLS_versions": [
- {
- "TLS_version": "TLSv1.0_1.1",
- "cipher_suites": [
- {
- "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
- },
- {
- "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
- },
- {
- "cipher_suite": 
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - }, - { - "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" - } - ] - }, - { - "TLS_version": "TLSv1.2", - "cipher_suites": [ - { - "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" - }, - { - "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" - }, - { - "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - }, - { - "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" - }, - { - "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - }, - { - "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" - }, - { - "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" - }, - { - "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" - }, - { - "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" - }, - { - "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" - }, - { - "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" - }, - { - "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" - }, - { - "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" - }, - { - "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" - }, - { - "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" - }, - { - "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" - } - ] - }, - { - "TLS_version": "TLSv1.3", - "cipher_suites": [ - { - "cipher_suite": "TLS_AES_256_GCM_SHA384" - }, - { - "cipher_suite": "TLS_AES_128_GCM_SHA256" - }, - { - "cipher_suite": "TLS_AES_128_CCM_SHA256" - }, - { - "cipher_suite": "TLS_AES_128_CCM_8_SHA256" - } - ] - } - ] -}`, - }, - } - - objectMeta := metav1.ObjectMeta{ - Name: ns.Name, - Namespace: ns.Name, - Labels: ns.Labels, - Annotations: ns.Annotations, - } - - sa := &corev1.ServiceAccount{ - TypeMeta: metav1.TypeMeta{ - APIVersion: corev1.SchemeGroupVersion.String(), - Kind: "ServiceAccount", - }, - ObjectMeta: objectMeta, - } - - clusterRole := &rbacv1.ClusterRole{ - TypeMeta: metav1.TypeMeta{ - APIVersion: rbacv1.SchemeGroupVersion.String(), - Kind: "ClusterRole", - }, - ObjectMeta: 
objectMeta, - Rules: []rbacv1.PolicyRule{ - { - Verbs: []string{"get", "list"}, - APIGroups: []string{""}, - Resources: []string{"services"}, - }, - }, - } - - clusterRoleBinding := &rbacv1.ClusterRoleBinding{ - TypeMeta: metav1.TypeMeta{ - APIVersion: rbacv1.SchemeGroupVersion.String(), - Kind: "ClusterRoleBinding", - }, - ObjectMeta: objectMeta, - Subjects: []rbacv1.Subject{ - { - Kind: "ServiceAccount", - APIGroup: "", - Name: sa.Name, - Namespace: sa.Namespace, - }, - }, - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "ClusterRole", - Name: clusterRole.Name, - }, - } - - objs := []client.Object{ns, cm, sa, clusterRole, clusterRoleBinding} - for idx := range objs { - objToCreate := objs[idx] - - // Don't set owner ref on namespace. In environments with configured Pod Security - // Standards labelling namespaces becomes a requirement. However, on deletion of - // CWNP a namespace with ownerReferences set also gets deleted. Since we need to - // keep the nimbus-k8tls-env namespace labeled, removing the ownerReferences - // prevents this deletion. - if idx != 0 { - if err := ctrl.SetControllerReference(&cwnp, objToCreate, scheme); err != nil { - return err - } - } - - var existingObj client.Object - - // Set the type of object, otherwise existingObj will always remain nil. 
- switch objToCreate.(type) {
- case *corev1.Namespace:
- existingObj = &corev1.Namespace{}
- case *corev1.ConfigMap:
- existingObj = &corev1.ConfigMap{}
- case *corev1.ServiceAccount:
- existingObj = &corev1.ServiceAccount{}
- case *rbacv1.ClusterRole:
- existingObj = &rbacv1.ClusterRole{}
- case *rbacv1.ClusterRoleBinding:
- existingObj = &rbacv1.ClusterRoleBinding{}
- }
-
- err := k8sClient.Get(ctx, client.ObjectKeyFromObject(objToCreate), existingObj)
- if err != nil && !errors.IsNotFound(err) {
- return err
- }
-
- objKind := strings.ToLower(objToCreate.GetObjectKind().GroupVersionKind().Kind)
- if err != nil {
- if errors.IsNotFound(err) {
- if err := k8sClient.Create(ctx, objToCreate); err != nil {
- return err
- }
- logger.Info(fmt.Sprintf("created %s/%s", objKind, objToCreate.GetName()))
- }
- } else {
- objToCreate.SetResourceVersion(existingObj.GetResourceVersion())
- if err := k8sClient.Update(ctx, objToCreate); err != nil {
- return err
- }
- logger.Info(fmt.Sprintf("configured %s/%s", objKind, objToCreate.GetName()))
- }
+ sa := &corev1.ServiceAccount{}
+ if err := k8sClient.Get(ctx, client.ObjectKey{Name: k8tls, Namespace: K8tlsNamespace}, sa); err != nil {
+ logger.Error(err, "'k8tls' serviceaccount not found")
+ return false
 }
- return nil
+ // If the required ClusterRole and ClusterRoleBinding resources don't exist, the
+ // job itself will describe/log that error.
+ return true
 }
diff --git a/pkg/adapter/nimbus-k8tls/manager/manager.go b/pkg/adapter/nimbus-k8tls/manager/manager.go
index c01dfb73..31598f73 100644
--- a/pkg/adapter/nimbus-k8tls/manager/manager.go
+++ b/pkg/adapter/nimbus-k8tls/manager/manager.go
@@ -29,9 +29,10 @@ import (
 )
 var (
- scheme = runtime.NewScheme()
- k8sClient client.Client
- NamespaceName = "nimbus-k8tls-env"
+ scheme = runtime.NewScheme()
+ k8sClient client.Client
+ K8tlsNamespace = "nimbus-k8tls-env"
+ k8tls = "k8tls"
 )
 func init() {
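Review bot: `k8tlsEnvExist` logs `"'k8tls' namespace not found"` and `"'k8tls' serviceaccount not found"` for every `Get` error, but a Forbidden or a transient API failure is not a missing object, and those messages will send whoever debugs a stalled policy down the wrong path. Distinguish the cases with `k8s.io/apimachinery/pkg/api/errors`: `if apierrors.IsNotFound(err) { logger.Info("k8tls namespace not found; provision it before applying assessTLS policies", "Namespace", K8tlsNamespace) } else { logger.Error(err, "failed to get k8tls namespace", "Namespace", K8tlsNamespace) }`, and the same for the ServiceAccount. The hunk also drops the in-adapter creation of the namespace, `fips-config` ConfigMap, ServiceAccount and RBAC objects, which is a behaviour change the function should state in a doc comment, e.g. `// k8tlsEnvExist reports whether the pre-provisioned k8tls namespace and ServiceAccount are present; the adapter no longer creates them.` Go naming would make it `k8tlsEnvExists`.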
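Review bot: `K8tlsNamespace` and `k8tls` in the `var` block are fixed object names that nothing in this diff reassigns, so a `const` block — `const ( K8tlsNamespace = "nimbus-k8tls-env"; k8tls = "k8tls" )` — would remove mutable package-level state that any importer of the package could overwrite at runtime. If the namespace is meant to become configurable later, the exported `K8tlsNamespace` should carry a doc comment saying so; it currently has none. `k8tls` is also used as the ServiceAccount name in cronjob.go, which the bare identifier does not convey — `k8tlsServiceAccount` would read better at those call sites.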
@@ -45,6 +46,8 @@ func init() {
 //+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=clusternimbuspolicies,verbs=get;list;watch
 //+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=clusternimbuspolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;create;delete;list;watch;update
+//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;create;delete;update
+//+kubebuilder:rbac:groups="",resources=namespaces;serviceaccounts,verbs=get
 func Run(ctx context.Context) {
 cwnpCh := make(chan string)
@@ -55,6 +58,7 @@ func Run(ctx context.Context) {
 deletedCronJobCh := make(chan common.Request)
 go watcher.WatchCronJobs(ctx, updateCronJobCh, deletedCronJobCh)
+ // Get the namespace name within which the k8tls environment needs to be set
 for {
 select {
 case <-ctx.Done():
@@ -106,13 +110,15 @@ func createOrUpdateCronJob(ctx context.Context, cwnpName string) {
 }
 deleteDanglingCj(ctx, logger, cwnp)
- cronJob, configMap := builder.BuildCronJob(ctx, cwnp)
+ newCtx := context.WithValue(ctx, common.K8sClientKey, k8sClient)
+ newCtx = context.WithValue(newCtx, common.NamespaceNameKey, K8tlsNamespace)
+ cronJob, configMap := builder.BuildCronJob(newCtx, cwnp)
 if cronJob != nil {
- if err := setupK8tlsEnv(ctx, cwnp, scheme, k8sClient); err != nil {
- logger.Error(err, "failed to setup k8tls env")
+ if !k8tlsEnvExist(ctx, k8sClient) {
 return
 }
+
 if configMap != nil {
 if err := createCm(ctx, cwnp, scheme, k8sClient, configMap); err != nil {
 logger.Error(err, "failed to create ConfigMap", "ConfigMap.Name", configMap.Name)
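Review bot: The markers added here grant `get` on namespaces and serviceaccounts and create/update/delete on configmaps, but the new code path in `builder.cronJobForAssessTls` performs a `Get` on the `elasticsearch-password` Secret, and no `resources=secrets` marker appears anywhere in this diff. Unless that permission is granted elsewhere the lookup fails with Forbidden, and because the builder treats any error as "secret absent", the Elasticsearch wiring is silently never configured. If the generated role is the source of truth, add `//+kubebuilder:rbac:groups="",resources=secrets,verbs=get,resourceNames=elasticsearch-password` — the `resourceNames` restriction keeps the adapter from being able to read arbitrary secrets in the namespace. Dropping the former create/update grants on clusterroles and clusterrolebindings is a welcome least-privilege reduction.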
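Review bot: The added comment `// Get the namespace name within which the k8tls environment needs to be set` sits directly above the `for { select {` event loop in `Run`, which resolves no namespace at all; it reads like a leftover from an earlier revision. Drop it, or move it to wherever `K8tlsNamespace` is actually determined. In the `createOrUpdateCronJob` hunk below, injecting `k8sClient` and `K8tlsNamespace` via `context.WithValue` only to read them back in the builder is an indirect way to pass two dependencies — an explicit parameter on `builder.BuildCronJob` would remove the type assertions on the receiving side — and `BuildCronJob` (which now talks to the API server) runs before the `k8tlsEnvExist` precondition check rather than after it. `Run` continues outside this hunk.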
@@ -127,7 +133,7 @@ func logCronJobsToDelete(ctx context.Context, deletedCwnp *unstructured.Unstruct
 logger := log.FromContext(ctx)
 var existingCronJobs batchv1.CronJobList
- if err := k8sClient.List(ctx, &existingCronJobs, &client.ListOptions{Namespace: NamespaceName}); err != nil {
+ if err := k8sClient.List(ctx, &existingCronJobs, &client.ListOptions{Namespace: K8tlsNamespace}); err != nil {
 logger.Error(err, "failed to list Kubernetes CronJob")
 return
 }
@@ -148,7 +154,7 @@ func logCronJobsToDelete(ctx context.Context, deletedCwnp *unstructured.Unstruct
 func deleteDanglingCj(ctx context.Context, logger logr.Logger, cwnp v1alpha1.ClusterNimbusPolicy) {
 var existingCronJobs batchv1.CronJobList
- if err := k8sClient.List(ctx, &existingCronJobs, &client.ListOptions{Namespace: NamespaceName}); err != nil {
+ if err := k8sClient.List(ctx, &existingCronJobs, &client.ListOptions{Namespace: K8tlsNamespace}); err != nil {
 logger.Error(err, "failed to list Kubernetes CronJob for cleanup")
 return
 }
diff --git a/pkg/adapter/nimbus-kubearmor/Dockerfile b/pkg/adapter/nimbus-kubearmor/Dockerfile
index 31493915..8803b926 100644
--- a/pkg/adapter/nimbus-kubearmor/Dockerfile
+++ b/pkg/adapter/nimbus-kubearmor/Dockerfile
@@ -2,15 +2,16 @@
 # Copyright 2023 Authors of Nimbus
 # Build the nimbus-kubearmor binary
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
-WORKDIR /nimbus
+# Required to embed build info into binary.
+COPY .git /.git
+WORKDIR /nimbus
 # relative deps requried by the adapter
-
 ADD api/ api/
 ADD pkg/ pkg/
 ADD go.mod go.mod
@@ -32,18 +33,18 @@ COPY $ADAPTER_DIR/manager manager COPY $ADAPTER_DIR/processor processor COPY $ADAPTER_DIR/watcher watcher COPY $ADAPTER_DIR/main.go main.go - +COPY $ADAPTER_DIR/Makefile Makefile # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. -RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-w" -a -o nimbus-kubearmor main.go +RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build FROM gcr.io/distroless/static:nonroot WORKDIR / -COPY --from=builder /nimbus/pkg/adapter/nimbus-kubearmor . +COPY --from=builder /nimbus/pkg/adapter/nimbus-kubearmor/bin/nimbus-kubearmor . USER 65532:65532 ENTRYPOINT ["/nimbus-kubearmor"] diff --git a/pkg/adapter/nimbus-kubearmor/Makefile b/pkg/adapter/nimbus-kubearmor/Makefile index cf656017..3c1c4b4f 100644 --- a/pkg/adapter/nimbus-kubearmor/Makefile +++ b/pkg/adapter/nimbus-kubearmor/Makefile 
@@ -9,23 +9,31 @@ TAG ?= latest CONTAINER_TOOL ?= docker BINARY ?= bin/nimbus-kubearmor -build: - @go build -ldflags="-w" -o ${BINARY} main.go +.PHONY: help +help: ## Display this help. + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) -run: build +.DEFAULT_GOAL := help + +.PHONY: build +build: ## Build nimbus-kubearmor executable. + @go build -ldflags="-w" -o ${BINARY} . + +.PHONY: run +run: build ## Run nimbus-kubearmor locally. @./${BINARY} .PHONY: docker-build -docker-build: +docker-build: ## Build nimbus-kubearmor container image. $(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ .PHONY: docker-push -docker-push: +docker-push: ## Push nimbus-kubearmor container image. $(CONTAINER_TOOL) push ${IMG}:${TAG} PLATFORMS ?= linux/arm64,linux/amd64 .PHONY: docker-buildx -docker-buildx: +docker-buildx: ## Build and push container image for cross-platform support # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross - $(CONTAINER_TOOL) buildx create --name project-v3-builder diff --git a/pkg/adapter/nimbus-kubearmor/go.mod b/pkg/adapter/nimbus-kubearmor/go.mod index b10905b9..7d861ea7 100644 --- a/pkg/adapter/nimbus-kubearmor/go.mod +++ b/pkg/adapter/nimbus-kubearmor/go.mod 
@@ -8,11 +8,11 @@ replace github.com/5GSEC/nimbus => ../../../../nimbus require ( github.com/5GSEC/nimbus v0.0.0-20240503063208-5bd27400462f - github.com/go-logr/logr v1.4.1 + github.com/go-logr/logr v1.4.2 github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240509053911-a5f584c38ee7 - k8s.io/apimachinery v0.30.0 - k8s.io/client-go v0.30.0 - sigs.k8s.io/controller-runtime v0.18.2 + k8s.io/apimachinery v0.30.3 + k8s.io/client-go v0.30.3 + sigs.k8s.io/controller-runtime v0.18.3 ) require ( @@ -60,10 +60,10 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.30.0 // indirect - k8s.io/apiextensions-apiserver v0.30.0 // indirect + k8s.io/api v0.30.3 // indirect + k8s.io/apiextensions-apiserver v0.30.1 // indirect k8s.io/klog/v2 v2.120.1 // indirect - k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect + k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect diff --git a/pkg/adapter/nimbus-kubearmor/go.sum b/pkg/adapter/nimbus-kubearmor/go.sum index cb9c9d88..f0ebcaf7 100644 --- a/pkg/adapter/nimbus-kubearmor/go.sum +++ b/pkg/adapter/nimbus-kubearmor/go.sum 
@@ -14,8 +14,8 @@ github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= -github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= -github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= 
@@ -156,22 +156,22 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= -k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= -k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= -k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y= -k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= -k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= -k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= +k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= +k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= +k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws= +k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4= +k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= +k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= +k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM= -k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro= +k8s.io/kube-openapi 
v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= +k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q= -sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw= +sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lwtlSR4= +sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/pkg/adapter/nimbus-kubearmor/main.go b/pkg/adapter/nimbus-kubearmor/main.go index 3f544d12..22ec6662 100644 --- a/pkg/adapter/nimbus-kubearmor/main.go +++ b/pkg/adapter/nimbus-kubearmor/main.go @@ -5,6 +5,7 @@ package main import ( "context" + "github.com/5GSEC/nimbus/pkg/util" "os" "os/signal" "syscall" @@ -18,6 +19,7 @@ import ( func main() { ctrl.SetLogger(zap.New()) logger := ctrl.Log + util.LogBuildInfo(logger) ctx, cancelFunc := context.WithCancel(context.Background()) ctrl.LoggerInto(ctx, logger) diff --git a/pkg/adapter/nimbus-kyverno/Dockerfile b/pkg/adapter/nimbus-kyverno/Dockerfile index 5f2f8d5e..c1ba74ee 100644 --- a/pkg/adapter/nimbus-kyverno/Dockerfile +++ b/pkg/adapter/nimbus-kyverno/Dockerfile 
@@ -2,10 +2,13 @@
 # Copyright 2023 Authors of Nimbus
 
 # Build the nimbus-kubearmor binary
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
+# Required to embed build info into binary.
+COPY .git /.git
+
 WORKDIR /nimbus
 
 # relative deps requried by the adapter
@@ -31,17 +34,18 @@ COPY $ADAPTER_DIR/processor processor
 COPY $ADAPTER_DIR/watcher watcher
 COPY $ADAPTER_DIR/utils utils
 COPY $ADAPTER_DIR/main.go main.go
+COPY $ADAPTER_DIR/Makefile Makefile
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-w" -a -o nimbus-kyverno main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
-COPY --from=builder /nimbus/pkg/adapter/nimbus-kyverno .
+COPY --from=builder /nimbus/pkg/adapter/nimbus-kyverno/bin/nimbus-kyverno .
 USER 65532:65532
 
 ENTRYPOINT ["/nimbus-kyverno"]
diff --git a/pkg/adapter/nimbus-kyverno/Makefile b/pkg/adapter/nimbus-kyverno/Makefile
index 9861a417..c39a6a4b 100644
--- a/pkg/adapter/nimbus-kyverno/Makefile
+++ b/pkg/adapter/nimbus-kyverno/Makefile
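Review bot: `COPY .git /.git` bakes the whole repository metadata into a cached builder-stage layer, and `.git/config` can carry a credential-bearing remote URL (a clone done via `https://user:token@…`) or credential-helper settings that anyone able to read the build cache or build with `--target builder` then obtains; it also precedes `WORKDIR`, so every new commit invalidates the dependency and source layers below it. The distroless runtime stage only copies the binary, so the shipped image is clean, but the builder layer is not. Presumably this feeds Go's default `-buildvcs` stamping that `util.LogBuildInfo` reports; mount the directory only for the build step instead, which persists nothing: add `# syntax=docker/dockerfile:1` as the first line of the file, replace the build step in the second hunk with `RUN --mount=type=bind,source=.git,target=/.git CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build`, and drop the `COPY`. Alternatively pass the commit as a `--build-arg` and stamp it with `-ldflags "-X …"`, which needs no git metadata inside the build at all.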
@@ -9,23 +9,31 @@ TAG ?= latest CONTAINER_TOOL ?= docker BINARY ?= bin/nimbus-kyverno -build: - @go build -ldflags="-w" -o ${BINARY} main.go +.PHONY: help +help: ## Display this help. + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) -run: build +.DEFAULT_GOAL := help + +.PHONY: build +build: ## Build nimbus-kyverno executable. + @go build -ldflags="-w" -o ${BINARY} . + +.PHONY: run +run: build ## Run nimbus-kyverno locally. @./${BINARY} .PHONY: docker-build -docker-build: +docker-build: ## Build nimbus-kyverno container image. $(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ .PHONY: docker-push -docker-push: +docker-push: ## Push nimbus-kyverno container image. $(CONTAINER_TOOL) push ${IMG}:${TAG} PLATFORMS ?= linux/arm64,linux/amd64 .PHONY: docker-buildx -docker-buildx: +docker-buildx: ## Build and push container image for cross-platform support # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross - $(CONTAINER_TOOL) buildx create --name project-v3-builder diff --git a/pkg/adapter/nimbus-kyverno/clusterrole.yaml b/pkg/adapter/nimbus-kyverno/clusterrole.yaml index 00869131..d036a35e 100644 --- a/pkg/adapter/nimbus-kyverno/clusterrole.yaml +++ b/pkg/adapter/nimbus-kyverno/clusterrole.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/pkg/adapter/nimbus-kyverno/go.mod b/pkg/adapter/nimbus-kyverno/go.mod index 2bb608a3..8627bb36 100644 --- a/pkg/adapter/nimbus-kyverno/go.mod 
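Review bot: `build` omits `-trimpath`, so now that VCS info is stamped into the binary it also embeds the builder's absolute paths (`/nimbus/pkg/adapter/nimbus-kyverno/…`) in the pclntab and panic traces, and the same commit built from two checkouts yields different bytes; `@go build -trimpath -ldflags="-w" -o ${BINARY} .` keeps the build reproducible at no cost. `.DEFAULT_GOAL := help` also changes what a bare `make` does — it used to build, now it prints the help text — which is fine for the Dockerfile, which calls `make build` explicitly, but deserves a line in the PR description for anyone scripting plain `make`.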
+++ b/pkg/adapter/nimbus-kyverno/go.mod
@@ -6,16 +6,23 @@ toolchain go1.22.1
 
 require github.com/kyverno/kyverno v1.11.4
 
+require (
+	cloud.google.com/go/kms v1.15.7 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 // indirect
+)
+
 replace github.com/5GSEC/nimbus => ../../../../nimbus
 
 require (
 	github.com/5GSEC/nimbus v0.0.0-20240220040009-4cc97b1338ad
-	github.com/go-logr/logr v1.4.1
-	github.com/google/flatbuffers v2.0.8+incompatible // indirect
+	github.com/go-logr/logr v1.4.2
+	github.com/google/flatbuffers v23.5.26+incompatible // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	k8s.io/apimachinery v0.30.0
-	k8s.io/client-go v0.30.0
-	sigs.k8s.io/controller-runtime v0.18.2
+	k8s.io/apimachinery v0.30.3
+	k8s.io/client-go v0.30.3
+	sigs.k8s.io/controller-runtime v0.18.3
 )
 
 require (
@@ -94,7 +101,7 @@ require (
 	github.com/djherbis/times v1.5.0 // indirect
 	github.com/docker/cli v24.0.7+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v24.0.7+incompatible // indirect
+	github.com/docker/docker v27.1.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/ebitengine/purego v0.6.0-alpha // indirect
@@ -235,13 +242,13 @@ require (
 	github.com/zeebo/errs v1.3.0 // indirect
 	go.mongodb.org/mongo-driver v1.12.1 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/otel v1.20.0 // indirect
-	go.opentelemetry.io/otel/metric v1.20.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.20.0 // indirect
-	go.opentelemetry.io/otel/trace v1.20.0 // indirect
+	go.opentelemetry.io/otel v1.22.0 // indirect
+	go.opentelemetry.io/otel/metric v1.22.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.21.0 // indirect
+	go.opentelemetry.io/otel/trace v1.22.0 // indirect
 	go.step.sm/crypto v0.36.1 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/multierr v1.11.0
 	go.uber.org/zap v1.27.0 // indirect
 	go4.org/intern v0.0.0-20230525184215-6c62f75575cb // indirect
 	go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2 // indirect
@@ -257,9 +264,9 @@ require (
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.21.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
-	google.golang.org/api v0.149.0 // indirect
+	google.golang.org/api v0.162.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 // indirect
-	google.golang.org/grpc v1.59.0 // indirect
+	google.golang.org/grpc v1.63.2 // indirect
 	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/DataDog/dd-trace-go.v1 v1.56.1 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
@@ -269,11 +276,11 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a // indirect
-	k8s.io/api v0.30.0 // indirect
-	k8s.io/apiextensions-apiserver v0.30.0 // indirect
-	k8s.io/component-base v0.30.0 // indirect
+	k8s.io/api v0.30.3
+	k8s.io/apiextensions-apiserver v0.30.1
+	k8s.io/component-base v0.30.1 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect
+	k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect
 	k8s.io/kubectl v0.28.4 // indirect
 	k8s.io/pod-security-admission v0.30.0
 	k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect
diff --git a/pkg/adapter/nimbus-kyverno/go.sum b/pkg/adapter/nimbus-kyverno/go.sum
index f6930d77..10acb72c 100644
--- a/pkg/adapter/nimbus-kyverno/go.sum
+++ b/pkg/adapter/nimbus-kyverno/go.sum
@@ -32,10 +32,10 @@ cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1h cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= -cloud.google.com/go/iam v1.1.4 h1:K6n/GZHFTtEoKT5aUG3l9diPi0VduZNQ1PfdnpkkIFk= -cloud.google.com/go/iam v1.1.4/go.mod h1:l/rg8l1AaA+VFMho/HYx2Vv6xinPSLMF8qfhRPIZ0L8= -cloud.google.com/go/kms v1.15.4 h1:gEZzC54ZBI+aeW8/jg9tgz9KR4Aa+WEDPbdGIV3iJ7A= -cloud.google.com/go/kms v1.15.4/go.mod h1:L3Sdj6QTHK8dfwK5D1JLsAyELsNMnd3tAIwGS4ltKpc= +cloud.google.com/go/iam v1.1.6 h1:bEa06k05IO4f4uJonbB5iAgKTPpABy1ayxaIZV/GHVc= +cloud.google.com/go/iam v1.1.6/go.mod h1:O0zxdPeGBoFdWW3HWmBxJsk0pfvNM/p/qa82rWOGTwI= +cloud.google.com/go/kms v1.15.7 h1:7caV9K3yIxvlQPAcaFffhlT7d1qpxjB1wHBtjWa13SM= +cloud.google.com/go/kms v1.15.7/go.mod h1:ub54lbsa6tDkUwnu4W7Yt1aAIFLnspgh0kPGToDukeI= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= 
@@ -387,8 +387,8 @@ github.com/docker/cli v24.0.7+incompatible h1:wa/nIwYFW7BVTGa7SWPVyyXU9lgORqUb1x github.com/docker/cli v24.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM= -github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.1.2+incompatible h1:AhGzR1xaQIy53qCkxARaFluI00WPGtXn0AJuoQsVYTY= +github.com/docker/docker v27.1.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8= github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40= github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= 
@@ -433,8 +433,8 @@ github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGE github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= -github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= -github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= @@ -480,8 +480,8 @@ github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTg github.com/go-logr/logr v0.3.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= -github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v0.2.0/go.mod h1:qhKdvif7YF5GI9NWEpyxTSSBdGmzkNguibrdCNVPunU= 
@@ -615,8 +615,8 @@ github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo= -github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= +github.com/golang/glog v1.2.0 h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68= +github.com/golang/glog v1.2.0/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -672,8 +672,8 @@ github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB github.com/google/certificate-transparency-go v1.1.1/go.mod h1:FDKqPvSXawb2ecErVRrD+nfy23RCzyl7eqVCEmlT1Zs= github.com/google/certificate-transparency-go v1.1.7 h1:IASD+NtgSTJLPdzkthwvAG1ZVbF2WtFg4IvoA68XGSw= github.com/google/certificate-transparency-go v1.1.7/go.mod h1:FSSBo8fyMVgqptbfF6j5p/XNdgQftAhSmXcIxV9iphE= -github.com/google/flatbuffers v2.0.8+incompatible h1:ivUb1cGomAB101ZM1T0nOiWz9pSrTMoa9+EiY7igmkM= -github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/flatbuffers v23.5.26+incompatible h1:M9dgRyhJemaM4Sw8+66GHBu8ioaQmyPLg1b8VwK5WJg= +github.com/google/flatbuffers v23.5.26+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 
@@ -1351,8 +1351,8 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/objx v0.5.1 h1:4VhoImhV/Bm0ToFkXFi8hXNXwpDRZ/ynw3amt82mzq0= -github.com/stretchr/objx v0.5.1/go.mod h1:/iHQpkQwBD6DLUmQ4pE+s1TXdob1mORJ4/UFdrifcy0= +github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.1.4/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 
@@ -1484,20 +1484,22 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 h1:x8Z78aZx8cOF0+Kkazoc7lwUNMGy0LrzEMxTm4BbTxg= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0/go.mod h1:62CPTSry9QZtOaSsE3tOzhx6LzDhHnXJ6xHeMNNiM6Q= -go.opentelemetry.io/otel v1.20.0 h1:vsb/ggIY+hUjD/zCAQHpzTmndPqv/ml2ArbsbfBYTAc= -go.opentelemetry.io/otel v1.20.0/go.mod h1:oUIGj3D77RwJdM6PPZImDpSZGDvkD9fhesHny69JFrs= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 h1:UNQQKPfTDe1J81ViolILjTKPr9WetKW6uei2hFgJmFs= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0/go.mod h1:r9vWsPS/3AQItv3OSlEJ/E4mbrhUbbw18meOjArPtKQ= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 h1:sv9kVfal0MK0wBMCOGr+HeJm9v803BkJxGrk2au7j08= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0/go.mod h1:SK2UL73Zy1quvRPonmOmRDiWk1KBV3LyIeeIxcEApWw= +go.opentelemetry.io/otel v1.22.0 h1:xS7Ku+7yTFvDfDraDIJVpw7XPyuHlB9MCiqqX5mcJ6Y= +go.opentelemetry.io/otel v1.22.0/go.mod h1:eoV4iAi3Ea8LkAEI9+GFT44O6T/D0GWAVFyZVCC6pMI= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.20.0 h1:DeFD0VgTZ+Cj6hxravYYZE2W4GlneVH81iAOPjZkzk8= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.20.0/go.mod h1:GijYcYmNpX1KazD5JmWGsi4P7dDTTTnfv1UbGn84MnU= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.20.0 h1:gvmNvqrPYovvyRmCSygkUDyL8lC5Tl845MLEwqpxhEU= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.20.0/go.mod h1:vNUq47TGFioo+ffTSnKNdob241vePmtNZnAODKapKd0= -go.opentelemetry.io/otel/metric v1.20.0 h1:ZlrO8Hu9+GAhnepmRGhSU7/VkpjrNowxRN9GyKR4wzA= 
-go.opentelemetry.io/otel/metric v1.20.0/go.mod h1:90DRw3nfK4D7Sm/75yQ00gTJxtkBxX+wu6YaNymbpVM= -go.opentelemetry.io/otel/sdk v1.20.0 h1:5Jf6imeFZlZtKv9Qbo6qt2ZkmWtdWx/wzcCbNUlAWGM= -go.opentelemetry.io/otel/sdk v1.20.0/go.mod h1:rmkSx1cZCm/tn16iWDn1GQbLtsW/LvsdEEFzCSRM6V0= -go.opentelemetry.io/otel/trace v1.20.0 h1:+yxVAPZPbQhbC3OfAkeIVTky6iTFpcr4SiY9om7mXSQ= -go.opentelemetry.io/otel/trace v1.20.0/go.mod h1:HJSK7F/hA5RlzpZ0zKDCHCDHm556LCDtKaAo6JmBFUU= +go.opentelemetry.io/otel/metric v1.22.0 h1:lypMQnGyJYeuYPhOM/bgjbFM6WE44W1/T45er4d8Hhg= +go.opentelemetry.io/otel/metric v1.22.0/go.mod h1:evJGjVpZv0mQ5QBRJoBF64yMuOf4xCWdXjK8pzFvliY= +go.opentelemetry.io/otel/sdk v1.21.0 h1:FTt8qirL1EysG6sTQRZ5TokkU8d0ugCj8htOgThZXQ8= +go.opentelemetry.io/otel/sdk v1.21.0/go.mod h1:Nna6Yv7PWTdgJHVRD9hIYywQBRx7pbox6nwBnZIxl/E= +go.opentelemetry.io/otel/trace v1.22.0 h1:Hg6pPujv0XG9QaVbGOBVHunyuLcCC3jN7WEhPx83XD0= +go.opentelemetry.io/otel/trace v1.22.0/go.mod h1:RbbHXVqKES9QhzZq/fE5UnOSILqRt40a21sPw2He1xo= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.step.sm/crypto v0.36.1 h1:hrHIc0qVcOowJB/r1SgPGu10d59onUw3czYeMLJluBc= 
@@ -1978,8 +1980,8 @@ google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz513 google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/api v0.149.0 h1:b2CqT6kG+zqJIVKRQ3ELJVLN1PwHZ6DJ3dW8yl82rgY= -google.golang.org/api v0.149.0/go.mod h1:Mwn1B7JTXrzXtnvmzQE2BD6bYZQ8DShKZDZbeN9I7qI= +google.golang.org/api v0.162.0 h1:Vhs54HkaEpkMBdgGdOT2P6F0csGG/vxDS0hWHJzmmps= +google.golang.org/api v0.162.0/go.mod h1:6SulDkfoBIg4NFmCuZ39XeeAgSHCPecfSUuDyYlAHs0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2034,8 +2036,8 @@ google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5qmsh7Y+XXwCbvadxxZ0YY6mTdrVA= -google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8 h1:W5Xj/70xIA4x60O/IFyXivR5MGqblAb8R3w26pnD6No= google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8/go.mod h1:vPrPUTsDCYxXWjP7clS81mZ6/803D8K4iM9Ma27VKas= google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 h1:mxSlqyb8ZAHsYDCfiXN1EDdNTdvjUJSLY+OnAUtYNYA= 
@@ -2064,8 +2066,8 @@ google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= -google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= +google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM= +google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -2147,28 +2149,28 @@ inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a h1:1XCVEdxrvL6c0TGOhecLuB7U9z inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a/go.mod h1:e83i32mAQOW1LAqEIweALsuK2Uw4mhQadA5r7b0Wobo= k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8= -k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= -k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= +k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= +k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= k8s.io/apiextensions-apiserver v0.20.1/go.mod h1:ntnrZV+6a3dB504qwC5PN/Yg9PBiDNt1EVqbW2kORVk= k8s.io/apiextensions-apiserver v0.20.2/go.mod h1:F6TXp389Xntt+LUq3vw6HFOLttPa0V8821ogLGwb6Zs= -k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= -k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y= +k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws= +k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4= k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= -k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= -k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= +k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.2/go.mod h1:2nKd93WyMhZx4Hp3RfgH2K5PhwyTrprrkWYnI7id7jA= k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= k8s.io/client-go v0.20.2/go.mod 
h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE= -k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= -k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= +k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= +k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= k8s.io/code-generator v0.20.1/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg= k8s.io/code-generator v0.20.2/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg= k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= k8s.io/component-base v0.20.2/go.mod h1:pzFtCiwe/ASD0iV7ySMu8SYVJjCapNM9bjvk7ptpKh0= -k8s.io/component-base v0.30.0 h1:cj6bp38g0ainlfYtaOQuRELh5KSYjhKxM+io7AUIk4o= -k8s.io/component-base v0.30.0/go.mod h1:V9x/0ePFNaKeKYA3bOvIbrNoluTSG+fSJKjLdjOoeXQ= +k8s.io/component-base v0.30.1 h1:bvAtlPh1UrdaZL20D9+sWxsJljMi0QZ3Lmw+kmZAaxQ= +k8s.io/component-base v0.30.1/go.mod h1:e/X9kDiOebwlI41AvBHuWdqFriSRrX50CdwA9TFaHLI= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= 
@@ -2179,8 +2181,8 @@ k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE= -k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM= -k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro= +k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= +k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= k8s.io/kubectl v0.28.4 h1:gWpUXW/T7aFne+rchYeHkyB8eVDl5UZce8G4X//kjUQ= k8s.io/kubectl v0.28.4/go.mod h1:CKOccVx3l+3MmDbkXtIUtibq93nN2hkDR99XDCn7c/c= k8s.io/pod-security-admission v0.30.0 h1:C8J/zbrA3hVR7jatN+mN/ymUWxwU6KceS5HsEEt6rTY= 
@@ -2199,8 +2201,8 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
 sigs.k8s.io/controller-runtime v0.8.2/go.mod h1:U/l+DUopBc1ecfRZ5aviA9JDmGFQKvLf5YkZNx2e0sU=
 sigs.k8s.io/controller-runtime v0.8.3/go.mod h1:U/l+DUopBc1ecfRZ5aviA9JDmGFQKvLf5YkZNx2e0sU=
-sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q=
-sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw=
+sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lwtlSR4=
+sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/release-utils v0.7.7 h1:JKDOvhCk6zW8ipEOkpTGDH/mW3TI+XqtPp16aaQ79FU=
diff --git a/pkg/adapter/nimbus-kyverno/main.go b/pkg/adapter/nimbus-kyverno/main.go
index e7736f23..33708465 100644
--- a/pkg/adapter/nimbus-kyverno/main.go
+++ b/pkg/adapter/nimbus-kyverno/main.go
@@ -5,6 +5,7 @@ package main
 
 import (
 	"context"
+	"github.com/5GSEC/nimbus/pkg/util"
 	"os"
 	"os/signal"
 	"syscall"
@@ -17,6 +18,7 @@ import (
 func main() {
 	ctrl.SetLogger(zap.New())
 	logger := ctrl.Log
+	util.LogBuildInfo(logger)
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	ctrl.LoggerInto(ctx, logger)
 
diff --git a/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go b/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go
index d92ae2ec..8a559ad3 100644
--- a/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go
+++ b/pkg/adapter/nimbus-kyverno/processor/kpbuilder.go
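Review bot: The new `github.com/5GSEC/nimbus/pkg/util` import lands inside the standard-library group, between `"context"` and `"os"`, which `goimports`/`gci` will undo on the next save and cause needless churn. Move it to the non-stdlib group that holds the `ctrl` and `zap` imports (below this hunk, not visible here), separated from the stdlib block by a blank line. The `util.LogBuildInfo(logger)` call in `main` needs no change.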
@@ -34,7 +34,6 @@ func BuildKpsFrom(logger logr.Logger, np *v1alpha1.NimbusPolicy) []kyvernov1.Pol
 	var allkps []kyvernov1.Policy
 	admission := true
 	background := true
-	skipBackgroundAdmissionReq := true
 	for _, nimbusRule := range np.Spec.NimbusRules {
 		id := nimbusRule.ID
 		if idpool.IsIdSupportedBy(id, "kyverno") {
@@ -51,8 +50,7 @@ func BuildKpsFrom(logger logr.Logger, np *v1alpha1.NimbusPolicy) []kyvernov1.Pol
 			kp.Annotations["policies.kyverno.io/description"] = nimbusRule.Description
 			kp.Spec.Admission = &admission
 			kp.Spec.Background = &background
-			kp.Spec.Rules[0].SkipBackgroundRequests = skipBackgroundAdmissionReq
-
+
 			if nimbusRule.Rule.RuleAction == "Block" {
 				kp.Spec.ValidationFailureAction = kyvernov1.ValidationFailureAction("Enforce")
 			} else {
@@ -92,11 +90,16 @@ func cocoRuntimeAddition(np *v1alpha1.NimbusPolicy) ([]kyvernov1.Policy, error)
 	var mutateTargetResourceSpecs []kyvernov1.TargetResourceSpec
 	var matchResourceFilters []kyvernov1.ResourceFilter
 	labels := np.Spec.Selector.MatchLabels
+	runtimeClass := "kata-clh"
+	params := np.Spec.NimbusRules[0].Rule.Params["runtimeClass"]
+	if params != nil {
+		runtimeClass = params[0]
+	}
 	patchStrategicMerge := map[string]interface{}{
 		"spec": map[string]interface{}{
 			"template": map[string]interface{}{
 				"spec": map[string]interface{}{
-					"runtimeClassName": "kata-clh",
+					"runtimeClassName": runtimeClass,
 				},
 			},
 		},
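Review bot: In the third hunk `params[0]` is guarded only by `params != nil`, so a NimbusPolicy whose `runtimeClass` param is present but empty (`[]`) panics the adapter with an index out of range, and an explicit `[""]` patches `runtimeClassName` to the empty string, i.e. the node's default (non-confidential) runtime; `np.Spec.NimbusRules[0]` likewise assumes a non-empty rule list, which nothing visible checks (`cocoRuntimeAddition` starts above the hunk, so a caller-side guarantee may exist — worth confirming). Use the comma-ok form with a length and non-empty check: `if p, ok := np.Spec.NimbusRules[0].Rule.Params["runtimeClass"]; ok && len(p) > 0 && p[0] != "" { runtimeClass = p[0] }`. Separately, the value flows unvalidated from the policy CR into the mutate patch, so whoever can write a NimbusPolicy can steer workloads onto any RuntimeClass installed in the cluster rather than the confidential one the `kata-clh` default implies; if policy authors are not cluster admins, validate it against an allowlist of confidential runtime classes (or at minimum log the chosen value) before building the policy.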
@@ -114,17 +117,17 @@ func cocoRuntimeAddition(np *v1alpha1.NimbusPolicy) ([]kyvernov1.Policy, error)
 	if err != nil {
 		errs = append(errs, err)
 	}
-	var markLabels = make(map[string]string)
+	var markLabels = make(map[string][]string)
 	for _, d := range deployments.Items {
 		for k, v := range d.GetLabels() {
 			key := k + ":" + v
-			markLabels[key] = d.GetName()
+			markLabels[key] = append(markLabels[key], d.GetName())
 		}
 	}
 	for k, v := range labels {
 		key := k + ":" + v
-		if markLabels[key] != "" {
-			deployNames = append(deployNames, markLabels[key])
+		if len(markLabels[key]) != 0 {
+			deployNames = append(deployNames, markLabels[key]...)
 		}
 	}
 
diff --git a/pkg/adapter/nimbus-netpol/Dockerfile b/pkg/adapter/nimbus-netpol/Dockerfile
index a163b5cc..9d524b68 100644
--- a/pkg/adapter/nimbus-netpol/Dockerfile
+++ b/pkg/adapter/nimbus-netpol/Dockerfile
@@ -2,10 +2,13 @@
 # Copyright 2023 Authors of Nimbus
 
 # Build the nimbus-netpol binary
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
+# Required to embed build info into binary.
+COPY .git /.git
+
 WORKDIR /nimbus
 
 # relative deps requried by the adapter
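Review bot: The new `markLabels` loop still treats the selector as OR and now also admits duplicates: a deployment is appended to `deployNames` once per selector label it carries, and a deployment matching only one of several `matchLabels` is included even though Kubernetes `matchLabels` (and presumably the `matchResourceFilters` built from the same `labels` above the hunk) require all of them. Unless OR is intended, walk the deployments once, require every selector label to match, and dedupe by name; `cocoRuntimeAddition` begins and ends outside this hunk, so the consumer of `deployNames` is not visible and I have not changed its type. If the list call just above the hunk goes through a controller-runtime client, passing `client.MatchingLabels(labels)` to it would make this loop unnecessary altogether.
```go
	// … unchanged: deployments list call and its error handling …
	seen := make(map[string]struct{}, len(deployments.Items))
	for _, d := range deployments.Items {
		dl := d.GetLabels()
		matchesAll := len(labels) > 0
		for k, v := range labels {
			if dl[k] != v {
				matchesAll = false
				break
			}
		}
		if _, dup := seen[d.GetName()]; matchesAll && !dup {
			seen[d.GetName()] = struct{}{}
			deployNames = append(deployNames, d.GetName())
		}
	}
```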
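Review bot: `COPY .git /.git` in the nimbus-netpol Dockerfile commits the repository metadata — including `.git/config`, which can hold a credential-bearing remote URL from a token-based clone, and any credential-helper settings — into a cached builder-stage layer that is readable by anyone with the build cache or a `--target builder` build, and because it precedes `WORKDIR` every commit invalidates the dependency and source layers below it. The runtime stage copies only the binary, so the shipped image is unaffected either way. Presumably the copy exists for Go's default `-buildvcs` stamping; make it a bind mount on the build step so nothing is persisted: `# syntax=docker/dockerfile:1` as the file's first line, `RUN --mount=type=bind,source=.git,target=/.git CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build` in place of the existing build step, and the `COPY` removed.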
@@ -30,17 +33,18 @@ COPY $ADAPTER_DIR/manager manager
 COPY $ADAPTER_DIR/processor processor
 COPY $ADAPTER_DIR/watcher watcher
 COPY $ADAPTER_DIR/main.go main.go
+COPY $ADAPTER_DIR/Makefile Makefile
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-w" -a -o nimbus-netpol main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
-COPY --from=builder /nimbus/pkg/adapter/nimbus-netpol .
+COPY --from=builder /nimbus/pkg/adapter/nimbus-netpol/bin/nimbus-netpol .
 USER 65532:65532
 
 ENTRYPOINT ["/nimbus-netpol"]
diff --git a/pkg/adapter/nimbus-netpol/Makefile b/pkg/adapter/nimbus-netpol/Makefile
index 4c169ffa..0d6b2802 100644
--- a/pkg/adapter/nimbus-netpol/Makefile
+++ b/pkg/adapter/nimbus-netpol/Makefile
@@ -9,23 +9,31 @@ TAG ?= latest CONTAINER_TOOL ?= docker BINARY ?= bin/nimbus-netpol -build: - @go build -ldflags="-w" -o ${BINARY} main.go +.PHONY: help +help: ## Display this help. + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) -run: build +.DEFAULT_GOAL := help + +.PHONY: build +build: ## Build nimbus-netpol executable. + @go build -ldflags="-w" -o ${BINARY} . + +.PHONY: run +run: build ## Run nimbus-netpol locally. @./${BINARY} .PHONY: docker-build -docker-build: +docker-build: ## Build nimbus-netpol container image. $(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ .PHONY: docker-push -docker-push: +docker-push: ## Push nimbus-netpol container image. $(CONTAINER_TOOL) push ${IMG}:${TAG} PLATFORMS ?= linux/arm64,linux/amd64 .PHONY: docker-buildx -docker-buildx: +docker-buildx: ## Build and push container image for cross-platform support # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross - $(CONTAINER_TOOL) buildx create --name project-v3-builder diff --git a/pkg/adapter/nimbus-netpol/go.mod b/pkg/adapter/nimbus-netpol/go.mod index 033ee9ec..d059e510 100644 --- a/pkg/adapter/nimbus-netpol/go.mod +++ b/pkg/adapter/nimbus-netpol/go.mod 
@@ -8,11 +8,11 @@ replace github.com/5GSEC/nimbus => ../../../../nimbus require ( github.com/5GSEC/nimbus v0.0.0-20240503063208-5bd27400462f - github.com/go-logr/logr v1.4.1 - k8s.io/api v0.30.0 - k8s.io/apimachinery v0.30.0 - k8s.io/client-go v0.30.0 - sigs.k8s.io/controller-runtime v0.18.2 + github.com/go-logr/logr v1.4.2 + k8s.io/api v0.30.3 + k8s.io/apimachinery v0.30.3 + k8s.io/client-go v0.30.3 + sigs.k8s.io/controller-runtime v0.18.3 ) require ( @@ -60,9 +60,9 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.30.0 // indirect + k8s.io/apiextensions-apiserver v0.30.1 // indirect k8s.io/klog/v2 v2.120.1 // indirect - k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect + k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect diff --git a/pkg/adapter/nimbus-netpol/go.sum b/pkg/adapter/nimbus-netpol/go.sum index 66301cf8..8db39b94 100644 --- a/pkg/adapter/nimbus-netpol/go.sum +++ b/pkg/adapter/nimbus-netpol/go.sum 
@@ -14,8 +14,8 @@ github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
@@ -154,22 +154,22 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= -k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= -k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= -k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y= -k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= -k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= -k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= +k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= +k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= +k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws= +k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4= +k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= +k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= +k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM= -k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro= +k8s.io/kube-openapi 
v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= +k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q= -sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw= +sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lwtlSR4= +sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/pkg/adapter/nimbus-netpol/main.go b/pkg/adapter/nimbus-netpol/main.go index 931ec12a..24410260 100644 --- a/pkg/adapter/nimbus-netpol/main.go +++ b/pkg/adapter/nimbus-netpol/main.go @@ -5,6 +5,7 @@ package main import ( "context" + "github.com/5GSEC/nimbus/pkg/util" "os" "os/signal" "syscall" @@ -18,6 +19,7 @@ import ( func main() { ctrl.SetLogger(zap.New()) logger := ctrl.Log + util.LogBuildInfo(logger) ctx, cancelFunc := context.WithCancel(context.Background()) ctrl.LoggerInto(ctx, logger) diff --git a/pkg/adapter/nimbus-netpol/manager/netpols_manager.go b/pkg/adapter/nimbus-netpol/manager/netpols_manager.go index 78d52864..2a66d307 100644 --- a/pkg/adapter/nimbus-netpol/manager/netpols_manager.go +++ b/pkg/adapter/nimbus-netpol/manager/netpols_manager.go 
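Review bot: The new `"github.com/5GSEC/nimbus/pkg/util"` import is dropped into the standard-library group between `context` and `os`; goimports convention is a separate, blank-line-separated group after the stdlib block, and `gofmt`/`goimports` will keep reordering it otherwise. `util.LogBuildInfo(logger)` right after the logger is set up is the right place for it. `main` continues outside the hunk.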
@@ -9,6 +9,7 @@ import ( "github.com/go-logr/logr" netv1 "k8s.io/api/networking/v1" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" @@ -36,6 +37,7 @@ var ( func init() { utilruntime.Must(v1alpha1.AddToScheme(scheme)) utilruntime.Must(netv1.AddToScheme(scheme)) + utilruntime.Must(corev1.AddToScheme(scheme)) k8sClient = k8s.NewOrDie(scheme) } @@ -104,7 +106,7 @@ func createOrUpdateNetworkPolicy(ctx context.Context, npName, npNamespace string } deleteDanglingNetpols(ctx, np, logger) - netPols := processor.BuildNetPolsFrom(logger, np) + netPols := processor.BuildNetPolsFrom(logger, np, k8sClient) // Iterate using a separate index variable to avoid aliasing for idx := range netPols { netpol := netPols[idx] diff --git a/pkg/adapter/nimbus-netpol/processor/netpol_builder.go b/pkg/adapter/nimbus-netpol/processor/netpol_builder.go index aabdcebc..dc237ae4 100644 --- a/pkg/adapter/nimbus-netpol/processor/netpol_builder.go +++ b/pkg/adapter/nimbus-netpol/processor/netpol_builder.go 
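Review bot: Passing `k8sClient` into `processor.BuildNetPolsFrom` means every reconcile now lists Nodes, a cluster-scoped resource, so the adapter's ClusterRole needs `list` on `nodes`; nothing in this diff touches the nimbus-netpol chart's RBAC, and without that grant the List fails with Forbidden, which the builder only logs before creating a policy without the pod CIDRs. The `corev1 "k8s.io/api/core/v1"` import is added after `netv1`; goimports sorts it before `netv1 "k8s.io/api/networking/v1"`. `createOrUpdateNetworkPolicy` begins outside the hunk.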
@@ -4,26 +4,27 @@ package processor import ( + "context" "strings" + v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1" + "github.com/5GSEC/nimbus/pkg/adapter/idpool" "github.com/go-logr/logr" corev1 "k8s.io/api/core/v1" netv1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" - - v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1" - "github.com/5GSEC/nimbus/pkg/adapter/idpool" + "sigs.k8s.io/controller-runtime/pkg/client" ) -func BuildNetPolsFrom(logger logr.Logger, np v1alpha1.NimbusPolicy) []netv1.NetworkPolicy { +func BuildNetPolsFrom(logger logr.Logger, np v1alpha1.NimbusPolicy, k8sClient client.Client) []netv1.NetworkPolicy { // Build netpols based on given IDs var netpols []netv1.NetworkPolicy for _, nimbusRule := range np.Spec.NimbusRules { id := nimbusRule.ID logger.Info(id) if idpool.IsIdSupportedBy(id, "netpol") { - netpol := buildNetPolFor(id) + netpol := buildNetPolFor(id, k8sClient, logger) netpol.Name = np.Name + "-" + strings.ToLower(id) netpol.Namespace = np.Namespace netpol.Spec.PodSelector.MatchLabels = np.Spec.Selector.MatchLabels 
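Review bot: `buildNetPolFor(id, k8sClient, logger)` runs inside the per-rule loop, and both supported IDs call `getPODCIDRs`, so a NimbusPolicy carrying DNSManipulation and DenyENAccess lists every Node twice per reconcile. List once in `BuildNetPolsFrom` before the loop and hand the peer slice to `buildNetPolFor` instead of the client; that also gives this function a place to surface the List error to its caller rather than having the builders swallow it. The import reshuffle folds the project packages into the third-party group, which differs from the separate local group the old code kept and is worth keeping consistent across the adapter. `BuildNetPolsFrom` ends in the next hunk.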
@@ -37,80 +38,76 @@ func BuildNetPolsFrom(logger logr.Logger, np v1alpha1.NimbusPolicy) []netv1.Netw return netpols } -func buildNetPolFor(id string) netv1.NetworkPolicy { +func buildNetPolFor(id string, k8sClient client.Client, logger logr.Logger) netv1.NetworkPolicy { switch id { case idpool.DNSManipulation: - return dnsManipulationNetpol() + return dnsManipulationNetpol(k8sClient, logger) case idpool.DenyENAccess: - return denyExternalNetworkAcessNetpol() + return denyExternalNetworkAcessNetpol(k8sClient, logger) default: return netv1.NetworkPolicy{} } } -func denyExternalNetworkAcessNetpol() netv1.NetworkPolicy { +func denyExternalNetworkAcessNetpol(k8sClient client.Client, logger logr.Logger) netv1.NetworkPolicy { udpProtocol := corev1.ProtocolUDP tcpProtocol := corev1.ProtocolTCP dnsPort := &intstr.IntOrString{ Type: 0, IntVal: 53, } + froNetpolPeers, err := getPODCIDRs(k8sClient) + if err != nil { + logger.Error(err, "Failed to get pod CIDRs") + } + staticCIDRs := []netv1.NetworkPolicyPeer{ + { + IPBlock: &netv1.IPBlock{ + CIDR: "10.0.0.0/8", + }, + }, + { + IPBlock: &netv1.IPBlock{ + CIDR: "172.16.0.0/12", + }, + }, + { + IPBlock: &netv1.IPBlock{ + CIDR: "192.168.0.0/16", + }, + }, + } + + froNetpolPeers = append(froNetpolPeers, staticCIDRs...) + + toNetPolPeers := []netv1.NetworkPolicyPeer{} + + selector := netv1.NetworkPolicyPeer{ + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "k8s-app": "kube-dns", + }, + }, + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "kubernetes.io/metadata.name": "kube-system", + }, + }, + } + + toNetPolPeers = append(toNetPolPeers, selector) + toNetPolPeers = append(toNetPolPeers, froNetpolPeers...) return netv1.NetworkPolicy{ Spec: netv1.NetworkPolicySpec{ Ingress: []netv1.NetworkPolicyIngressRule{ { - 
From: []netv1.NetworkPolicyPeer{ - { - IPBlock: &netv1.IPBlock{ - CIDR: "10.0.0.0/8", - }, - }, - { - IPBlock: &netv1.IPBlock{ - CIDR: "172.16.0.0/12", - }, - }, - { - IPBlock: &netv1.IPBlock{ - CIDR: "192.168.0.0/16", - }, - }, - }, + From: froNetpolPeers, }, }, Egress: []netv1.NetworkPolicyEgressRule{ { - To: []netv1.NetworkPolicyPeer{ - { - PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "k8s-app": "kube-dns", - }, - }, - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "kubernetes.io/metadata.name": "kube-system", - }, - }, - }, - - { - IPBlock: &netv1.IPBlock{ - CIDR: "10.0.0.0/8", - }, - }, - { - IPBlock: &netv1.IPBlock{ - CIDR: "172.16.0.0/12", - }, - }, - { - IPBlock: &netv1.IPBlock{ - CIDR: "192.168.0.0/16", - }, - }, - }, + To: toNetPolPeers, Ports: []netv1.NetworkPolicyPort{ { Protocol: &udpProtocol, @@ -131,7 +128,7 @@ func denyExternalNetworkAcessNetpol() netv1.NetworkPolicy { } } -func dnsManipulationNetpol() netv1.NetworkPolicy { +func dnsManipulationNetpol(k8sClient client.Client, logger logr.Logger) netv1.NetworkPolicy { udpProtocol := corev1.ProtocolUDP tcpProtocol := corev1.ProtocolTCP dnsPort := &intstr.IntOrString{ 
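Review bot: When `getPODCIDRs` fails the error is only logged and `froNetpolPeers` is left nil, so the policy is still created with just the three RFC1918 blocks and kube-dns, and the caller never learns it is incomplete; on a cluster whose pod range lies outside RFC1918 that silently blocks pod-to-pod traffic. Return the error (or fall back explicitly and say so in the log message) instead of continuing as if the list succeeded. Since the static blocks already cover any RFC1918 pod CIDR, the node CIDRs only add value for non-RFC1918 ranges, which deserves a comment where `staticCIDRs` is appended. Naming: `froNetpolPeers` reads as a typo for `fromNetPolPeers`. `denyExternalNetworkAcessNetpol` continues outside the hunk.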
@@ -139,24 +136,31 @@ func dnsManipulationNetpol() netv1.NetworkPolicy { IntVal: 53, } + netpolPeers, err := getPODCIDRs(k8sClient) + if err != nil { + logger.Error(err, "Failed to get pod CIDRs") + } + + selector := netv1.NetworkPolicyPeer{ + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "k8s-app": "kube-dns", + }, + }, + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "kubernetes.io/metadata.name": "kube-system", + }, + }, + } + + netpolPeers = append(netpolPeers, selector) + return netv1.NetworkPolicy{ Spec: netv1.NetworkPolicySpec{ Egress: []netv1.NetworkPolicyEgressRule{ { - To: []netv1.NetworkPolicyPeer{ - { - PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "k8s-app": "kube-dns", - }, - }, - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "kubernetes.io/metadata.name": "kube-system", - }, - }, - }, - }, + To: netpolPeers, Ports: []netv1.NetworkPolicyPort{ { Protocol: &udpProtocol, @@ -180,3 +184,24 @@ func addManagedByAnnotation(netpol *netv1.NetworkPolicy) { netpol.Annotations = make(map[string]string) netpol.Annotations["app.kubernetes.io/managed-by"] = "nimbus-netpol" } + +func getPODCIDRs(k8sClient client.Client) ([]netv1.NetworkPolicyPeer, error) { + podCIDRs := []netv1.NetworkPolicyPeer{} + ctx := context.Background() + nodes := &corev1.NodeList{} + if err := k8sClient.List(ctx, nodes); err != nil { + return nil, err + } + for _, node := range nodes.Items { + netPolPeer := netv1.NetworkPolicyPeer{ + IPBlock: &netv1.IPBlock{ + CIDR: node.Spec.PodCIDR, + }, + } + + podCIDRs = append(podCIDRs, netPolPeer) + + } + + return podCIDRs, nil +} diff --git a/pkg/util/util.go b/pkg/util/util.go new file mode 100644 index 00000000..f8cc5a6c --- /dev/null +++ b/pkg/util/util.go 
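Review bot: `netpolPeers = append(netpolPeers, selector)` makes the DNSManipulation policy allow egress on 53/udp and 53/tcp to every node's pod CIDR, where the old rule allowed only the kube-dns pods; any pod in the cluster that listens on 53 becomes a reachable resolver, which loosens the very control this rule exists for. Unless pod-CIDR DNS egress was deliberate, keep `To: []netv1.NetworkPolicyPeer{selector}` and drop the `getPODCIDRs` call here; if the goal is a node-local DNS cache or a specific resolver, select it explicitly by label or a narrow IPBlock. Either way, a comment stating why the CIDRs are (or are not) part of the allow list belongs here. The function continues outside the hunk.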
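Review bot: `node.Spec.PodCIDR` is empty on nodes where the cluster does not allocate per-node pod CIDRs (presumably the case with CNIs that run their own IPAM), and an `IPBlock` with an empty `CIDR` is rejected by API validation, so on such clusters the whole NetworkPolicy create/update fails and nothing is enforced. Skip empty values and prefer `node.Spec.PodCIDRs`, which also carries the second family on dual-stack nodes. The helper also uses `context.Background()` rather than the reconcile context, and the result is a one-shot snapshot — nodes added after the policy is built are not reflected unless something else re-triggers reconciliation, which is worth stating in a doc comment on the function.
```go
func getPODCIDRs(k8sClient client.Client) ([]netv1.NetworkPolicyPeer, error) {
	nodes := &corev1.NodeList{}
	if err := k8sClient.List(context.Background(), nodes); err != nil {
		return nil, err
	}
	var podCIDRs []netv1.NetworkPolicyPeer
	for _, node := range nodes.Items {
		// PodCIDRs holds every family on dual-stack nodes; fall back to the
		// singular field and skip nodes that have neither.
		cidrs := node.Spec.PodCIDRs
		if len(cidrs) == 0 && node.Spec.PodCIDR != "" {
			cidrs = []string{node.Spec.PodCIDR}
		}
		for _, cidr := range cidrs {
			podCIDRs = append(podCIDRs, netv1.NetworkPolicyPeer{
				IPBlock: &netv1.IPBlock{CIDR: cidr},
			})
		}
	}
	return podCIDRs, nil
}
```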
@@ -0,0 +1,29 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + +package util + +import ( + "github.com/go-logr/logr" + "runtime" + "runtime/debug" +) + +func LogBuildInfo(logger logr.Logger) { + info, _ := debug.ReadBuildInfo() + vcsRev := "" + vcsTime := "" + for _, s := range info.Settings { + if s.Key == "vcs.revision" { + vcsRev = s.Value + } else if s.Key == "vcs.time" { + vcsTime = s.Value + } + } + logger.Info("Build info", "git.revision", vcsRev, + "build.time", vcsTime, + "build.version", runtime.Version(), + "GOOS", runtime.GOOS, + "GOARCH", runtime.GOARCH, + ) +} diff --git a/scripts/update-image-tag.sh b/scripts/update-image-tag.sh new file mode 100755 index 00000000..f8fdf1d0 --- /dev/null +++ b/scripts/update-image-tag.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +if ! command -v yq >/dev/null; then + echo "Installing yq..." + go install github.com/mikefarah/yq/v4@latest +fi + +TAG=$1 +DEPLOYMENT_ROOT_DIR="deployments" +DIRECTORIES=("${DEPLOYMENT_ROOT_DIR}/nimbus" "${DEPLOYMENT_ROOT_DIR}/nimbus-k8tls" \ + "${DEPLOYMENT_ROOT_DIR}/nimbus-kubearmor" "${DEPLOYMENT_ROOT_DIR}/nimbus-kyverno" "${DEPLOYMENT_ROOT_DIR}/nimbus-netpol") + +echo "Updating tag to $TAG" +for directory in "${DIRECTORIES[@]}"; do + yq -i ".image.tag = \"$TAG\"" "${directory}/values.yaml" +done diff --git a/tests/controllers/sis-and-sibs/update/updated-sib.yaml b/tests/controllers/sis-and-sibs/update/updated-sib.yaml index 2f1f6cd4..018a3e8e 100644 --- a/tests/controllers/sis-and-sibs/update/updated-sib.yaml +++ b/tests/controllers/sis-and-sibs/update/updated-sib.yaml @@ -10,5 +10,6 @@ spec: - name: unauthorized-sa-token-access-multiple - name: dns-manipulation-multiple selector: - matchLabels: - app: nginx + workloadSelector: + matchLabels: + app: nginx
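Review bot: `info, _ := debug.ReadBuildInfo()` discards the ok flag; when it is false the pointer is nil and `info.Settings` panics at startup (binaries built outside module mode, or whenever the runtime cannot locate the info). Guard it: `info, ok := debug.ReadBuildInfo()` / `if !ok { logger.Info("Build info unavailable"); return }`. `vcs.revision` and `vcs.time` are only stamped when the source tree contains `.git` at build time, so expect them empty in the container build unless the Dockerfile copies it; logging `vcs.modified` alongside makes a dirty build visible. The `logr` import sits inside the stdlib group; goimports would place it in its own group.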
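Review bot: `TAG=$1` is never validated and is spliced straight into the yq expression, so running the script with no argument rewrites every chart to `tag: ""` and a value containing a double quote breaks the expression; fail early on a missing argument and pass the value through the environment with `strenv`. Installing `yq` with `@latest` from inside a release-time script pulls an unpinned build tool onto whichever machine edits the charts; pin a version (`@v4.x.y`) or require yq to already be present. With `set -euo pipefail` enabled, a missing `values.yaml` also stops the loop instead of being skipped silently.
```shell
set -euo pipefail
[ "$#" -eq 1 ] && [ -n "$1" ] || { echo "usage: $0 <tag>" >&2; exit 1; }
export TAG="$1"
# … unchanged: yq install check, DEPLOYMENT_ROOT_DIR, DIRECTORIES …
for directory in "${DIRECTORIES[@]}"; do
  yq -i '.image.tag = strenv(TAG)' "${directory}/values.yaml"
done
```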