feat: virtual-patch intent (#245)

* feat: virtual-patch initial commit

Signed-off-by: VedRatan <vedratan8@gmail.com>

* feat: added kyverno, karmor, netpol policy creation, deletion, and updation logic

Signed-off-by: VedRatan <vedratan8@gmail.com>

* feat: added support for network policy

Signed-off-by: VedRatan <vedratan8@gmail.com>

* feat: added scheduled fetching of latest CVE data

Signed-off-by: VedRatan <vedratan8@gmail.com>

* chore: resolved all the review comments

Signed-off-by: VedRatan <vedratan8@gmail.com>

* (docs): added intent description (#265)

* fix: Fix CRDs version in PROJECT file

Signed-off-by: Anurag Rajawat <anurag@accuknox.com>

* doc: Add Intent and CRDs spec docs

Signed-off-by: Anurag Rajawat <anurag@accuknox.com>

* feat: added intent description

Signed-off-by: VedRatan <vedratan8@gmail.com>

* docs: added pkg-mgr-execution intent desc

Signed-off-by: VedRatan <vedratan8@gmail.com>

* docs: added coco-workload intent details

Signed-off-by: VedRatan <vedratan8@gmail.com>

* docs: update exploit-pfa

Signed-off-by: VedRatan <vedratan8@gmail.com>

* update command

Signed-off-by: VedRatan <vedratan8@gmail.com>

* doc: Update docs

Signed-off-by: Anurag Rajawat <anurag@accuknox.com>

* refactored the docs

Signed-off-by: VedRatan <vedratan8@gmail.com>

* updated quick-tutorials

Signed-off-by: VedRatan <vedratan8@gmail.com>

---------

Signed-off-by: Anurag Rajawat <anurag@accuknox.com>
Signed-off-by: VedRatan <vedratan8@gmail.com>
Co-authored-by: Anurag Rajawat <anurag@accuknox.com>

* chore: handled error gracefully, update slice search command

Signed-off-by: VedRatan <vedratan8@gmail.com>

* fix: tests

Signed-off-by: VedRatan <vedratan8@gmail.com>

* fix: error handling and review comments

Signed-off-by: VedRatan <vedratan8@gmail.com>

---------

Signed-off-by: VedRatan <vedratan8@gmail.com>
Signed-off-by: Anurag Rajawat <anurag@accuknox.com>
Signed-off-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com>
Co-authored-by: Anurag Rajawat <anurag@accuknox.com>

Author: VedRatan

docs/intents/escape-to-host.md

@@ -30,7 +30,7 @@ The escapeToHost intent results in `KyvernoPolicy` and a couple of `KubearmorPol
 
    ```
     params:
-      psa_level: ["restricted"]
+      psaLevel: ["restricted"]
    ```
 
 - The `escapeToHost` intent and corresponding policy work together to establish a strong security posture for the application. By enforcing pod security standards, the policy reduces the risk of container escape, which is critical for maintaining the integrity of the host system.

examples/clusterscoped/escape-to-host-si-csib-with-params.yaml

@@ -11,7 +11,7 @@ spec:
     description: "A attacker can breach container boundaries and can gain access to the host machine"
     action: Block
     params:
-      psa_level: ["restricted"]
+      psaLevel: ["restricted"]
 ---
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: ClusterSecurityIntentBinding

examples/namespaced/escape-to-host-with-params.yaml

@@ -11,7 +11,7 @@ spec:
     description: "A attacker can breach container boundaries and can gain access to the host machine"
     action: Block
     params:
-      psa_level: ["restricted"]
+      psaLevel: ["restricted"]
 ---
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntentBinding

examples/namespaced/virtual-patch-si-sib.yaml

@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntent
+metadata:
+  name: virtual-patch
+spec: 
+  intent:
+    id: virtualPatch
+    description: >
+      There might exist CVE's associated with certain images, adversaries might exploit these CVE and can cause potential threat,
+      to any production server. Check and apply virtual patch for a given set of CVEs as per a schedule
+    action: Block
+    params: 
+      cveList:
+        - "CVE-2024-4439"
+        - "CVE-2024-27268"
+      schedule: ["0 23 * * SUN"]
+
+---
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntentBinding
+metadata:
+  name: virtual-patch-binding
+spec:
+  intents:
+    - name: virtual-patch
+  selector:
+    workloadSelector:
+      matchLabels:
+        app: prod

pkg/adapter/idpool/idpool.go

@@ -19,6 +19,7 @@ const (
 	CocoWorkload              = "cocoWorkload"
 	AssessTLS                 = "assessTLS"
 	DenyENAccess              = "denyExternalNetworkAccess"
+	VirtualPatch              = "virtualPatch"
 )
 
 // KaIds are IDs supported by KubeArmor.
@@ -45,6 +46,7 @@ var NetPolIDs = []string{
 var KyvIds = []string{
 	EscapeToHost,
 	CocoWorkload,
+	VirtualPatch,
 }
 
 // k8tlsIds are IDs supported by k8tls.

pkg/adapter/nimbus-kyverno/go.mod

@@ -202,6 +202,7 @@ require (
 	github.com/puzpuzpuz/xsync/v2 v2.5.1 // indirect
 	github.com/r3labs/diff v1.1.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/sagikazarmark/locafero v0.3.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect

pkg/adapter/nimbus-kyverno/go.sum

@@ -1225,6 +1225,9 @@ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5X
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052 h1:Qp27Idfgi6ACvFQat5+VJvlYToylpM/hcyLBI3WaKPA=
 github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052/go.mod h1:uvX/8buq8uVeiZiFht+0lqSLBHF+uGV8BrTv8W/SIwk=
+github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=

pkg/adapter/nimbus-kyverno/manager/manager.go

@@ -59,6 +59,7 @@ func Run(ctx context.Context) {
 	deletedKpCh := make(chan common.Request)
 	go watcher.WatchKps(ctx, updatedKpCh, deletedKpCh)
 
+
 	for {
 		select {
 		case <-ctx.Done():
@@ -431,6 +432,9 @@ func createTriggerForKp(ctx context.Context, nameNamespace common.Request) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      nameNamespace.Name + "-trigger-configmap",
 			Namespace: nameNamespace.Namespace,
+			Labels: map[string]string {
+				"trigger" : "configmap",
+			},
 		},
 		Data: map[string]string{
 			"data": "dummy",

pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go

@@ -121,7 +121,7 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 			}
 			matchFilters = append(matchFilters, resourceFilter)
 		}
-	} else if namespaces[0] == "*" && len(labels) == 0  {
+	} else if namespaces[0] == "*" && len(labels) == 0 {
 		if len(excludeNamespaces) > 0 {
 			resourceFilter = kyvernov1.ResourceFilter{
 				ResourceDescription: kyvernov1.ResourceDescription{
@@ -167,7 +167,7 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 					},
 					Mutation: kyvernov1.Mutation{
 						Targets: []kyvernov1.TargetResourceSpec{
-							kyvernov1.TargetResourceSpec{
+							{
 								ResourceSpec: kyvernov1.ResourceSpec{
 									APIVersion: "apps/v1",
 									Kind:       "Deployment",
@@ -185,16 +185,16 @@ func clusterCocoRuntimeAddition(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1
 }
 
 func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule) kyvernov1.ClusterPolicy {
-	var psa_level api.Level = api.LevelBaseline
+	var psaLevel api.Level = api.LevelBaseline
 
-	if rule.Params["psa_level"] != nil {
+	if rule.Params["psaLevel"] != nil {
 
-		switch rule.Params["psa_level"][0] {
+		switch rule.Params["psaLevel"][0] {
 		case "restricted":
-			psa_level = api.LevelRestricted
+			psaLevel = api.LevelRestricted
 
 		default:
-			psa_level = api.LevelBaseline
+			psaLevel = api.LevelBaseline
 		}
 
 	}
@@ -241,7 +241,7 @@ func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule)
 	} else if namespaces[0] == "*" && len(labels) > 0 {
 		if len(excludeNamespaces) > 0 {
 			resourceFilter = kyvernov1.ResourceFilter{
-				ResourceDescription: kyvernov1.ResourceDescription {
+				ResourceDescription: kyvernov1.ResourceDescription{
 					Namespaces: excludeNamespaces,
 				},
 			}
@@ -296,7 +296,7 @@ func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule)
 					},
 					Validation: kyvernov1.Validation{
 						PodSecurity: &kyvernov1.PodSecurity{
-							Level:   psa_level,
+							Level:   psaLevel,
 							Version: "latest",
 						},
 					},