Virtual Patch: Exploit Public Facing Applications

Open shivaccuknox opened this issue 1 year ago • 10 comments

M1051 is "Update Software Regularly". Virtual Patch is an intermediate step before the actual update.

There is a set of annotations (CVEs) on the pods.

Nimbus can look at the CVEs, and then attempt a live patch on these pods to mitigate the CVE.

As part of the live patch, Nimbus can also create a NetPol in case of workloads exposed to the public Internet.

Design Doc for the intent: https://docs.google.com/document/d/1CoooyoEG8NKXOpfrsnV8PHCqYk7OUbZYbPtQRD7lr5k/edit#heading=h.18eqtrsy88hg

Apr 23 '24 09:04 shivaccuknox

Design/Architecture Discussion needed.

May 28 '24 03:05 nandhued

Moving to backlog till demo on June 20.

Jun 13 '24 03:06 nandhued

Document under review. @VedRatan Can you link the design doc please?

Aug 01 '24 03:08 nandhued

The design doc is in the description of the issue itself @nandhued

Aug 01 '24 04:08 VedRatan

WIP on generate policy approach.

Aug 14 '24 03:08 nandhued

List the assumptions on the design doc with sample JSON and confirm w KA team.

Aug 16 '24 03:08 nandhued

WIP

Aug 19 '24 03:08 nandhued

Done w KA generator policies. Kyverno and netpol WIP.

Aug 21 '24 03:08 nandhued

Adding scheduling for CVEs.

Sep 02 '24 03:09 nandhued

PR to be raised today.

Sep 04 '24 03:09 nandhued