
Commit 26e02ec

author
Anurag Rajawat
committed
feat: Add DiscoveredPolicy adapter
Signed-off-by: Anurag Rajawat <anurag@accuknox.com>
1 parent 89835e7 commit 26e02ec


11 files changed

+1063
-0
lines changed

Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
# SPDX-License-Identifier: Apache-2.0
2+
# Copyright 2023 Authors of Nimbus
3+
4+
apiVersion: intent.security.nimbus.com/v1alpha1
5+
kind: SecurityIntent
6+
metadata:
7+
name: network-segmentation
8+
spec:
9+
intent:
10+
id: netSegment
11+
action: Block # Audit action has no effect here
12+
severity: Medium
13+
tags:
14+
- 5G
15+
---
16+
apiVersion: intent.security.nimbus.com/v1alpha1
17+
kind: SecurityIntentBinding
18+
metadata:
19+
name: network-segmentation-for-ns
20+
spec:
21+
intents:
22+
- name: network-segmentation
23+
selector:
24+
workloadSelector:
25+
matchLabels:
26+
app: httpd

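--- a/pkg/adapter/idpool/idpool.go
+++ b/pkg/adapter/idpool/idpool.go
@@ -19,6 +19,7 @@ const (
 CocoWorkload = "cocoWorkload"
 EnsureTLS = "ensureTLS"
 DenyENAccess = "denyExternalNetworkAccess"
+NetworkSegmentation = "netSegment"
 )
 
 // KaIds are IDs supported by KubeArmor.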
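Review bot: `NetworkSegmentation = "netSegment"` is added to the constant block, but nothing in this hunk registers the new ID in any adapter's supported-ID list, and the `KaIds` comment on the last context line suggests such per-adapter lists follow below the hunk. If the DiscoveredPolicy adapter dispatches on these IDs, confirm the constant is appended to its list as well, otherwise the `id: netSegment` intent in the sample YAML of this commit would be silently ignored. The `const (` block starts above the hunk, so the surrounding declarations are not visible here.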
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
bin/

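--- a/pkg/adapter/nimbus-de/Dockerfile
+++ b/pkg/adapter/nimbus-de/Dockerfile
@@ -0,0 +1,40 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+FROM golang:1.22 as builder
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /nimbus
+
+# relative deps requried by the adapter
+ADD api/ api/
+ADD pkg/ pkg/
+ADD go.mod go.mod
+ADD go.sum go.sum
+
+ARG ADAPTER_DIR=pkg/adapter/nimbus-de
+WORKDIR /nimbus/$ADAPTER_DIR
+
+COPY $ADAPTER_DIR/go.mod go.mod
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+COPY $ADAPTER_DIR/manager manager
+COPY $ADAPTER_DIR/watcher watcher
+COPY $ADAPTER_DIR/main.go main.go
+
+# Build
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-s" -o bin/nimbus-de main.go
+
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /nimbus/pkg/adapter/nimbus-de/bin/nimbus-de .
+USER 65532:65532
+
+ENTRYPOINT ["/nimbus-de"]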
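Review bot: `COPY $ADAPTER_DIR/go.mod go.mod` copies the adapter's go.mod but not its go.sum, so `go mod download` runs without the checked-in checksums and the build does not fail closed on a module whose content differs from what was committed; if a go.sum exists next to that go.mod (it is not visible in this chunk), add `COPY $ADAPTER_DIR/go.sum go.sum` beside it. The `ADD api/ api/` through `ADD go.sum go.sum` lines should be `COPY`: ADD additionally extracts archives and fetches URLs, neither of which is wanted for plain source trees, and the comment above them misspells "required". The Makefile in this commit passes `--build-arg VERSION=${TAG}`, but no `ARG VERSION` is declared here, so the value is silently ignored; either declare it and feed it into `-ldflags`, or drop the flag. Both `FROM` lines reference mutable tags; pinning them by digest (`FROM golang:1.22@sha256:<digest>`) makes the image build reproducible.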

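--- a/pkg/adapter/nimbus-de/Makefile
+++ b/pkg/adapter/nimbus-de/Makefile
@@ -0,0 +1,53 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+# Image URL to use all building/pushing image targets
+IMG ?= 5gsec/nimbus-de
+# Image Tag to use all building/pushing image targets
+TAG ?= latest
+
+CONTAINER_TOOL ?= docker
+BINARY ?= bin/nimbus-de
+CONTROLLER_TOOLS_VERSION ?= v0.14.0
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+mkdir -p $(LOCALBIN)
+CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
+
+.PHONY: help
+help: ## Display this help.
+@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+build: ## Build nimbus-de executable.
+@go build -ldflags="-s" -o ${BINARY} main.go
+
+run: build ## Run nimbus-de.
+@./${BINARY}
+
+.PHONY: docker-build
+docker-build: ## Build nimbus-de container image.
+$(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../
+
+.PHONY: docker-push
+docker-push: ## Push nimbus-de container image.
+$(CONTAINER_TOOL) push ${IMG}:${TAG}
+
+PLATFORMS ?= linux/arm64,linux/amd64
+.PHONY: docker-buildx
+docker-buildx: ## Build and push container image for cross-platform support
+sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
+- $(CONTAINER_TOOL) buildx create --name project-v3-builder
+$(CONTAINER_TOOL) buildx use project-v3-builder
+- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --build-arg VERSION=${TAG} --tag ${IMG}:${TAG} -f Dockerfile.cross ../../../ || { $(CONTAINER_TOOL) buildx rm project-v3-builder; rm Dockerfile.cross; exit 1; }
+- $(CONTAINER_TOOL) buildx rm project-v3-builder
+rm Dockerfile.cross
+
+.PHONY: manifests
+manifests: controller-gen ## Generate ClusterRole.
+$(CONTROLLER_GEN) rbac:roleName=nimbus-de-clusterrole paths="./..." output:dir=../../../deployments/nimbus-de/templates/
+
+.PHONY: controller-gen
+controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten.
+$(CONTROLLER_GEN): $(LOCALBIN)
+test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \
+GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION)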
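Review bot: `build` and `run` are the only command targets in this file not declared `.PHONY`, so a file or directory named `build` in the adapter directory would make `make build` report nothing to be done and `run` would start a stale binary; add `.PHONY: build run` above the `build:` rule. `LOCALBIN ?= $(shell pwd)/bin` is a recursive assignment, so `pwd` is forked on every expansion of `LOCALBIN`; `LOCALBIN ?= $(CURDIR)/bin` is equivalent and needs no subprocess. The `$(CONTROLLER_GEN)` recipe's version check silently accepts any binary whose `--version` output merely contains the version string; `grep -qx` or an exact comparison would be stricter, though this is the upstream kubebuilder idiom and may be intentional.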

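--- a/pkg/adapter/nimbus-de/go.mod
+++ b/pkg/adapter/nimbus-de/go.mod
@@ -0,0 +1,122 @@
+module github.com/5GSEC/nimbus/pkg/adapter/nimbus-de
+
+go 1.22.3
+
+require (
+github.com/5GSEC/nimbus v1.0.1
+github.com/accuknox/dev2/dsp/pkg/DiscoveredPolicy v1.28.0
+github.com/cilium/cilium v1.15.7
+github.com/go-logr/logr v1.4.2
+github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240109175053-214237906794
+k8s.io/api v0.30.1
+k8s.io/apimachinery v0.30.1
+k8s.io/client-go v0.30.1
+sigs.k8s.io/controller-runtime v0.18.4
+)
+
+require (
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+github.com/beorn7/perks v1.0.1 // indirect
+github.com/blang/semver/v4 v4.0.0 // indirect
+github.com/cespare/xxhash/v2 v2.3.0 // indirect
+github.com/cilium/ebpf v0.12.3 // indirect
+github.com/cilium/proxy v0.0.0-20231202123106-38b645b854f3 // indirect
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+github.com/emicklei/go-restful/v3 v3.12.0 // indirect
+github.com/evanphx/json-patch/v5 v5.9.0 // indirect
+github.com/fsnotify/fsnotify v1.7.0 // indirect
+github.com/go-logr/stdr v1.2.2 // indirect
+github.com/go-logr/zapr v1.3.0 // indirect
+github.com/go-ole/go-ole v1.2.6 // indirect
+github.com/go-openapi/analysis v0.21.4 // indirect
+github.com/go-openapi/errors v0.20.4 // indirect
+github.com/go-openapi/jsonpointer v0.21.0 // indirect
+github.com/go-openapi/jsonreference v0.21.0 // indirect
+github.com/go-openapi/loads v0.21.2 // indirect
+github.com/go-openapi/runtime v0.26.2 // indirect
+github.com/go-openapi/spec v0.20.11 // indirect
+github.com/go-openapi/strfmt v0.21.9 // indirect
+github.com/go-openapi/swag v0.23.0 // indirect
+github.com/go-openapi/validate v0.22.3 // indirect
+github.com/gogo/protobuf v1.3.2 // indirect
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+github.com/golang/protobuf v1.5.4 // indirect
+github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
+github.com/google/go-cmp v0.6.0 // indirect
+github.com/google/gofuzz v1.2.0 // indirect
+github.com/google/gopacket v1.1.19 // indirect
+github.com/google/uuid v1.6.0 // indirect
+github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+github.com/hashicorp/hcl v1.0.0 // indirect
+github.com/imdario/mergo v0.3.16 // indirect
+github.com/inconshreveable/mousetrap v1.1.0 // indirect
+github.com/josharian/intern v1.0.0 // indirect
+github.com/json-iterator/go v1.1.12 // indirect
+github.com/kr/pretty v0.3.1 // indirect
+github.com/kr/text v0.2.0 // indirect
+github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+github.com/magiconair/properties v1.8.7 // indirect
+github.com/mailru/easyjson v0.7.7 // indirect
+github.com/mitchellh/mapstructure v1.5.0 // indirect
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+github.com/modern-go/reflect2 v1.0.2 // indirect
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+github.com/oklog/ulid v1.3.1 // indirect
+github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
+github.com/pkg/errors v0.9.1 // indirect
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
+github.com/prometheus/client_golang v1.19.1 // indirect
+github.com/prometheus/client_model v0.6.1 // indirect
+github.com/prometheus/common v0.53.0 // indirect
+github.com/prometheus/procfs v0.15.0 // indirect
+github.com/rogpeppe/go-internal v1.11.0 // indirect
+github.com/sagikazarmark/locafero v0.4.0 // indirect
+github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+github.com/sasha-s/go-deadlock v0.3.1 // indirect
+github.com/shirou/gopsutil/v3 v3.23.5 // indirect
+github.com/sirupsen/logrus v1.9.3 // indirect
+github.com/sourcegraph/conc v0.3.0 // indirect
+github.com/spf13/afero v1.11.0 // indirect
+github.com/spf13/cast v1.6.0 // indirect
+github.com/spf13/cobra v1.8.0 // indirect
+github.com/spf13/pflag v1.0.5 // indirect
+github.com/spf13/viper v1.18.1 // indirect
+github.com/subosito/gotenv v1.6.0 // indirect
+github.com/tklauser/go-sysconf v0.3.11 // indirect
+github.com/tklauser/numcpus v0.6.0 // indirect
+github.com/vishvananda/netlink v1.2.1-beta.2.0.20240524165444-4d4ba1473f21 // indirect
+github.com/vishvananda/netns v0.0.4 // indirect
+github.com/yusufpapurcu/wmi v1.2.3 // indirect
+go.mongodb.org/mongo-driver v1.13.1 // indirect
+go.opentelemetry.io/otel v1.21.0 // indirect
+go.opentelemetry.io/otel/metric v1.21.0 // indirect
+go.opentelemetry.io/otel/trace v1.21.0 // indirect
+go.uber.org/dig v1.17.1 // indirect
+go.uber.org/multierr v1.11.0 // indirect
+go.uber.org/zap v1.27.0 // indirect
+go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
+golang.org/x/net v0.25.0 // indirect
+golang.org/x/oauth2 v0.20.0 // indirect
+golang.org/x/sync v0.7.0 // indirect
+golang.org/x/sys v0.20.0 // indirect
+golang.org/x/term v0.20.0 // indirect
+golang.org/x/text v0.15.0 // indirect
+golang.org/x/time v0.5.0 // indirect
+gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+google.golang.org/protobuf v1.34.1 // indirect
+gopkg.in/inf.v0 v0.9.1 // indirect
+gopkg.in/ini.v1 v1.67.0 // indirect
+gopkg.in/yaml.v2 v2.4.0 // indirect
+gopkg.in/yaml.v3 v3.0.1 // indirect
+k8s.io/apiextensions-apiserver v0.30.1 // indirect
+k8s.io/klog/v2 v2.120.1 // indirect
+k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect
+k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+sigs.k8s.io/yaml v1.4.0 // indirect
+)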
