nimbus
feat: Feature to select namespaces (match or exclude), resources within a namespace, and nodes in ClusterIntentBinding
Description
This pull request implements the design described in https://docs.google.com/document/d/1-zxAMBpX-ZdpmDTjS0qzmFk5pueOCtLaGa970KJLTNc/edit#heading=h.yr2q844nprgt
Fixes # https://github.com/5GSEC/nimbus/issues/105
BREAKING CHANGE:
- The Nimbus API has changed since the CRD is modified. The API version is set to v1alpha1
Checklist
- [x] PR title follows the <type>: <description> convention
- [x] I use conventional commits in my commit messages
- [ ] I have updated the documentation accordingly
- [x] I Keep It Small and Simple: The smaller the PR is, the easier it is to review and have it merged
- [x] I have performed a self-review of my code
- [x] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
Additional information for reviewer
Mention if this PR is part of any design or a continuation of previous PRs
Please resolve conflicts.
Done.
The nimbus-kyverno adapter build is failing, because of which the e2e tests (escape-to-host) do not run. But the dns-manipulation checks run successfully.
chainsaw test --test-dir=tests/e2e/dns-manipulation --config tests/chainsaw-config.yaml
PASS Tests Summary...
- Passed tests 3
- Failed tests 0
- Skipped tests 0
chainsaw test --test-dir=tests/controllers --config tests/chainsaw-config.yaml
PASS Tests Summary...
- Passed tests 12
- Failed tests 0
- Skipped tests 0
Done.
After applying csib-1-all-ns-selector.yaml, I observed the following issues
- NimbusPolicy status was not updated.
$ kubectl get si,sib,np,csib,cwnp,ksp,netpol,pol,cpol -A
NAME STATUS AGE
securityintent.intent.security.nimbus.com/escape-to-host Created 17m
NAMESPACE NAME STATUS AGE POLICIES
chainsaw-hardy-boar nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
default nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
istio-system nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
k0s-autopilot nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
kube-node-lease nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
kube-public nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
kubearmor nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
kyverno nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
nimbus nimbuspolicy.intent.security.nimbus.com/nimbus-ctlr-gen-escape-to-host-binding 17m
NAMESPACE NAME STATUS AGE INTENTS CLUSTERNIMBUSPOLICY
clustersecurityintentbinding.intent.security.nimbus.com/escape-to-host-binding Created 17m 1 escape-to-host-binding
NAMESPACE NAME STATUS AGE POLICIES
clusternimbuspolicy.intent.security.nimbus.com/escape-to-host-binding Created 17m 0
- KubeArmor adapter did not create any policies for any NimbusPolicy even though it supports the escape-to-host SecurityIntent:
https://github.com/5GSEC/nimbus/blob/5a4217460ea4adb01a0a1afab9e4634b7b924e1a/pkg/adapter/idpool/idpool.go#L27
{"level":"info","ts":"2024-06-04T14:51:59+05:30","msg":"KubeArmor adapter started"}
{"level":"info","ts":"2024-06-04T14:51:59+05:30","msg":"KubeArmorPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:51:59+05:30","msg":"ClusterNimbusPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:51:59+05:30","msg":"NimbusPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"ClusterNimbusPolicy found","ClusterNimbusPolicy.Name":"escape-to-host-binding"}
No-op for ClusterNimbusPolicy
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"istio-system"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"kyverno"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"nimbus"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"kubearmor"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"chainsaw-hardy-boar"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"default"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"k0s-autopilot"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"kube-node-lease"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"nimbus-ctlr-gen-escape-to-host-binding","NimbusPolicy.Namespace":"kube-public"}
- Kyverno adapter failed to create its KyvernoClusterPolicy. Additionally, it did not create any policies, including KyvernoPolicies (namespace-scoped) or KyvernoClusterPolicies (global-scoped). Again, it also supports the escape-to-host SecurityIntent:
https://github.com/5GSEC/nimbus/blob/5a4217460ea4adb01a0a1afab9e4634b7b924e1a/pkg/adapter/idpool/idpool.go#L44-L47
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"Kyverno adapter started"}
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"KyvernoClusterPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"KyvernoPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"ClusterNimbusPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:09+05:30","msg":"NimbusPolicy watcher started"}
{"level":"info","ts":"2024-06-04T14:52:55+05:30","msg":"ClusterNimbusPolicy found","ClusterNimbusPolicy.Name":"escape-to-host-binding"}
{"level":"error","ts":"2024-06-04T14:52:56+05:30","msg":"failed to create KyvernoClusterPolicy","KyvernoClusterPolicy.Name":"escape-to-host-binding-escapetohost","error":"admission webhook \"validate-policy.kyverno.svc\" denied the request: spec.rules[0].match.any[0].selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string(nil), MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: The requirements are not specified in selector","stacktrace":"github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/manager.createOrUpdateKcp\n\t/Users/anurag/Projects/work/nimbus/pkg/adapter/nimbus-kyverno/manager/manager.go:220\ngithub.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/manager.Run\n\t/Users/anurag/Projects/work/nimbus/pkg/adapter/nimbus-kyverno/manager/manager.go:75\nmain.main\n\t/Users/anurag/Projects/work/nimbus/pkg/adapter/nimbus-kyverno/main.go:34\nruntime.main\n\t/opt/homebrew/opt/go/libexec/src/runtime/proc.go:271"}
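The review above applied an all-namespaces selector and got a NimbusPolicy in every namespace, including the operator and kube-* namespaces. The resolver below is an added illustration, not nimbus code, of the match/exclude namespace semantics this PR introduces: the field names (MatchNames, ExcludeNames), the glob syntax and the "exclude wins" rule are assumptions, since the real schema is in the linked design doc; the namespace list is constructed from the kubectl output above.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// NamespaceSelector is a hypothetical stand-in for the match/exclude namespace
// block added to ClusterSecurityIntentBinding; real field names may differ.
type NamespaceSelector struct {
	MatchNames   []string // glob patterns; "*" selects every namespace
	ExcludeNames []string // glob patterns; an exclusion always wins over a match
}

// matchesAny reports whether name matches at least one glob pattern.
func matchesAny(patterns []string, name string) bool {
	for _, p := range patterns {
		if ok, err := path.Match(p, name); err == nil && ok {
			return true
		}
	}
	return false
}

// ResolveNamespaces returns the sorted namespaces a binding selects: a namespace
// is selected only if it matches MatchNames and does not match ExcludeNames.
// An empty MatchNames selects nothing, so a binding never fans out by accident.
func ResolveNamespaces(sel NamespaceSelector, clusterNamespaces []string) []string {
	var out []string
	for _, ns := range clusterNamespaces {
		if matchesAny(sel.MatchNames, ns) && !matchesAny(sel.ExcludeNames, ns) {
			out = append(out, ns)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample: the namespaces listed in the kubectl output above.
var sampleNamespaces = []string{
	"chainsaw-hardy-boar", "default", "istio-system", "k0s-autopilot",
	"kube-node-lease", "kube-public", "kubearmor", "kyverno", "nimbus",
}

func main() {
	all := NamespaceSelector{MatchNames: []string{"*"}}
	fmt.Println("all namespaces:", ResolveNamespaces(all, sampleNamespaces))
	// Same "*" match, but system and operator namespaces are carved out.
	scoped := NamespaceSelector{MatchNames: []string{"*"}, ExcludeNames: []string{"kube-*", "nimbus", "kubearmor", "kyverno"}}
	fmt.Println("workload namespaces:", ResolveNamespaces(scoped, sampleNamespaces))
}
```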
@VedRatan the e2e-tests are passing, but I'm a little surprised given the recent changes. Is there something I might be missing?