introduce configurable default posture
KubeArmor didn't have a configurable default mode of operation. This commit introduces a configurable default posture as well as changes in the enforcement system to act accordingly.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 committed Feb 14, 2022
1 parent 567631a commit bb0b735
Showing 2 changed files with 29 additions and 3 deletions.
25 changes: 25 additions & 0 deletions KubeArmor/config/config.go
Expand Up @@ -29,6 +29,10 @@ type KubearmorConfig struct {
KVMAgent bool // Enable/Disable KVM Agent
K8sEnv bool // Is k8s env ?

DefaultFilePosture string // Default Enforcement Action in Global File Context
DefaultNetworkPosture string // Default Enforcement Action in Global Network Context
DefaultCapabilitiesPosture string // Default Enforcement Action in Global Capabilities Context

CoverageTest bool // Enable/Disable Coverage Test
}

Expand Down Expand Up @@ -65,6 +69,15 @@ const ConfigKubearmorHostPolicy string = "enableKubeArmorHostPolicy"
// ConfigKubearmorVM Kubearmor VM key
const ConfigKubearmorVM string = "enableKubeArmorVm"

// ConfigDefaultFilePosture KubeArmor Default Global File Posture key
const ConfigDefaultFilePosture string = "defaultFilePosture"

// ConfigDefaultNetworkPosture KubeArmor Default Global Network Posture key
const ConfigDefaultNetworkPosture string = "defaultNetworkPosture"

// ConfigDefaultCapabilitiesPosture KubeArmor Default Global Capabilities Posture key
const ConfigDefaultCapabilitiesPosture string = "defaultCapabilitiesPosture"

// ConfigCoverageTest Coverage Test key
const ConfigCoverageTest string = "coverageTest"

Expand All @@ -88,6 +101,10 @@ func readCmdLineParams() {
kvmAgentB := flag.Bool(ConfigKubearmorVM, false, "enabling KubeArmorVM")
k8sEnvB := flag.Bool(ConfigK8sEnv, true, "is k8s env?")

defaultFilePosture := flag.String(ConfigDefaultFilePosture, "allow", "configuring default enforcement action in global file context [audit,block]")
defaultNetworkPosture := flag.String(ConfigDefaultNetworkPosture, "allow", "configuring default enforcement action in global network context [audit,block]")
defaultCapabilitiesPosture := flag.String(ConfigDefaultCapabilitiesPosture, "allow", "configuring default enforcement action in global capability context [audit,block]")

coverageTestB := flag.Bool(ConfigCoverageTest, false, "enabling CoverageTest")

flag.Parse()
Expand All @@ -107,6 +124,10 @@ func readCmdLineParams() {
viper.Set(ConfigKubearmorVM, *kvmAgentB)
viper.Set(ConfigK8sEnv, *k8sEnvB)

viper.Set(ConfigDefaultFilePosture, *defaultFilePosture)
viper.Set(ConfigDefaultNetworkPosture, *defaultNetworkPosture)
viper.Set(ConfigDefaultCapabilitiesPosture, *defaultCapabilitiesPosture)

viper.Set(ConfigCoverageTest, *coverageTestB)
}

Expand Down Expand Up @@ -152,6 +173,10 @@ func LoadConfig() error {
}
GlobalCfg.K8sEnv = viper.GetBool(ConfigK8sEnv)

GlobalCfg.DefaultFilePosture = viper.GetString(ConfigDefaultFilePosture)
GlobalCfg.DefaultNetworkPosture = viper.GetString(ConfigDefaultNetworkPosture)
GlobalCfg.DefaultCapabilitiesPosture = viper.GetString(ConfigDefaultCapabilitiesPosture)

if GlobalCfg.HostVisibility == "" {
if GlobalCfg.KVMAgent || GlobalCfg.HostPolicy {
GlobalCfg.HostVisibility = "process,file,network,capabilities"
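Review bot: The three posture values read in the last hunk (`GlobalCfg.DefaultFilePosture = viper.GetString(ConfigDefaultFilePosture)` and the two lines after it) are stored without validation, so a typo or different casing such as `Block` is accepted silently and, because the enforcer only tests for the exact string `"block"`, such a misconfiguration fails open to the permissive profile. Since an explicit `block` default is the security-relevant setting, LoadConfig should reject anything outside `allow`/`audit`/`block` and return an error rather than start with a weaker posture than the operator configured. The flag help strings in the third hunk list only `[audit,block]` while the default is `allow`; listing all three accepted values keeps the help consistent with the validation. LoadConfig begins outside the hunk; the check below goes directly after the three assignments and needs `fmt` imported in config.go if it is not already.
```go
// … unchanged: earlier LoadConfig assignments …
GlobalCfg.DefaultFilePosture = viper.GetString(ConfigDefaultFilePosture)
GlobalCfg.DefaultNetworkPosture = viper.GetString(ConfigDefaultNetworkPosture)
GlobalCfg.DefaultCapabilitiesPosture = viper.GetString(ConfigDefaultCapabilitiesPosture)

// Reject unknown postures so a misspelling cannot silently weaken enforcement.
for key, posture := range map[string]string{
	ConfigDefaultFilePosture:         GlobalCfg.DefaultFilePosture,
	ConfigDefaultNetworkPosture:      GlobalCfg.DefaultNetworkPosture,
	ConfigDefaultCapabilitiesPosture: GlobalCfg.DefaultCapabilitiesPosture,
} {
	switch posture {
	case "allow", "audit", "block":
	default:
		return fmt.Errorf("%s: unsupported posture %q (expected allow, audit or block)", key, posture)
	}
}
// … unchanged: HostVisibility defaulting …
```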
7 changes: 4 additions & 3 deletions KubeArmor/enforcer/appArmorProfile.go
Expand Up @@ -12,6 +12,7 @@ import (
"strings"

kl "github.com/kubearmor/KubeArmor/KubeArmor/common"
cfg "github.com/kubearmor/KubeArmor/KubeArmor/config"
tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
)

Expand Down Expand Up @@ -1133,15 +1134,15 @@ func (ae *AppArmorEnforcer) GenerateProfileHead(processWhiteList, fileWhiteList,
profileHead := " #include <abstractions/base>\n"
profileHead = profileHead + " umount,\n"

if len(processWhiteList) == 0 && len(fileWhiteList) == 0 {
if len(processWhiteList) == 0 && len(fileWhiteList) == 0 && cfg.GlobalCfg.DefaultFilePosture != "block" {
profileHead = profileHead + " file,\n"
}

if len(networkWhiteList) == 0 {
if len(networkWhiteList) == 0 && cfg.GlobalCfg.DefaultNetworkPosture != "block" {
profileHead = profileHead + " network,\n"
}

if len(capabilityWhiteList) == 0 {
if len(capabilityWhiteList) == 0 && cfg.GlobalCfg.DefaultCapabilitiesPosture != "block" {
profileHead = profileHead + " capability,\n"
}

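Review bot: The new conditions in the second hunk (`cfg.GlobalCfg.DefaultFilePosture != "block"` and the matching network and capabilities checks) treat `audit` exactly like `allow`: anything other than the literal string `block` still emits the unrestricted `file,`/`network,`/`capability,` rule, so an operator who configured an audit posture gets neither logging nor any indication that the setting was ignored. If `audit` is meant to be a distinct mode, the rule can carry AppArmor's `audit` qualifier (e.g. `audit file,`) so that accesses permitted by the default are logged; if it is not, the comparisons should at least be commented as "anything but block allows" and the flag help adjusted to match. The comparison is also case-sensitive and the value is not validated here, so `Block` falls through to the permissive branch unless the config loader normalizes or rejects it. GenerateProfileHead starts and ends outside the hunk.
```go
// … unchanged: base include and umount rule …
if len(processWhiteList) == 0 && len(fileWhiteList) == 0 {
	switch cfg.GlobalCfg.DefaultFilePosture {
	case "block":
		// no default file rule: access outside the allow-list is denied
	case "audit":
		profileHead = profileHead + " audit file,\n"
	default:
		profileHead = profileHead + " file,\n"
	}
}

if len(networkWhiteList) == 0 {
	switch cfg.GlobalCfg.DefaultNetworkPosture {
	case "block":
	case "audit":
		profileHead = profileHead + " audit network,\n"
	default:
		profileHead = profileHead + " network,\n"
	}
}

if len(capabilityWhiteList) == 0 {
	switch cfg.GlobalCfg.DefaultCapabilitiesPosture {
	case "block":
	case "audit":
		profileHead = profileHead + " audit capability,\n"
	default:
		profileHead = profileHead + " capability,\n"
	}
}
// … unchanged: rest of profile head …
```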