Merge pull request #685 from DelusionalOptimist/DelusionalOptimist/fe…
…at/raw-support

feat: add support for matching `raw` protocol in policy
nam-jaehyun authored May 12, 2022
2 parents e53fac7 + b21fd7f commit 7410c1c
Showing 28 changed files with 112 additions and 30 deletions.
4 changes: 2 additions & 2 deletions KubeArmor/build/kubearmor-test-containerd.yaml
Expand Up @@ -394,7 +394,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
Expand Down Expand Up @@ -829,7 +829,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
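Review bot: The widened `pattern` on the `protocol` field is still anchored only at the end, so values such as `xraw` or `notTCP` pass CRD validation and presumably end up in the feeder's `default`/`unknown` branch instead of being rejected at admission time; Kubernetes applies an OpenAPI `pattern` unanchored. Anchoring both ends, `pattern: ^(icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$`, makes the allow-list exact. The same line recurs in every other manifest in this commit (kubearmor-test-docker.yaml, kubearmor-test-k3s.yaml, both files under deployments/CRD, the EKS/GKE/docker/generic/helm/k3s/microk8s/minikube manifests and the two pkg/*/crd files), and the `+kubebuilder:validation:Pattern` marker on `MatchNetworkProtocolStringType` looks like the source they are generated from, so the anchor belongs there first.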
4 changes: 2 additions & 2 deletions KubeArmor/build/kubearmor-test-docker.yaml
Expand Up @@ -387,7 +387,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
Expand Down Expand Up @@ -822,7 +822,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
4 changes: 2 additions & 2 deletions KubeArmor/build/kubearmor-test-k3s.yaml
Expand Up @@ -387,7 +387,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
Expand Down Expand Up @@ -822,7 +822,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
2 changes: 2 additions & 0 deletions KubeArmor/feeder/policyMatcher.go
Expand Up @@ -29,6 +29,8 @@ func getProtocolFromName(proto string) string {
return "protocol=UDP"
case "icmp":
return "protocol=ICMP"
case "raw":
return "type=SOCK_RAW"
default:
return "unknown"
}
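Review bot: The new `case "raw"` returns a `type=SOCK_RAW` match key while every sibling case returns a `protocol=...` key, so `raw` is matched on the socket type rather than on an IP protocol; that asymmetry deserves a comment, e.g. `// "raw" is matched on the socket type (SOCK_RAW), not on an IP protocol like the cases above`. The case label is lowercase whereas the CRD pattern also admits `RAW`; presumably the caller lowercases the value, as it must already for `ICMP`/`TCP`/`UDP`, but that is outside the hunk. A SOCK_RAW match is also broader than "raw IP": any raw socket, including the one `ping` typically opens for ICMP, falls under it, which the new test scenarios rely on. getProtocolFromName begins before the hunk.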
2 changes: 1 addition & 1 deletion deployments/CRD/KubeArmorHostPolicy.yaml
Expand Up @@ -259,7 +259,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
2 changes: 1 addition & 1 deletion deployments/CRD/KubeArmorPolicy.yaml
Expand Up @@ -257,7 +257,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
4 changes: 2 additions & 2 deletions deployments/EKS/kubearmor.yaml
Expand Up @@ -573,7 +573,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
Expand Down Expand Up @@ -1008,7 +1008,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
4 changes: 2 additions & 2 deletions deployments/GKE/kubearmor.yaml
Expand Up @@ -573,7 +573,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
Expand Down Expand Up @@ -1008,7 +1008,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
4 changes: 2 additions & 2 deletions deployments/docker/kubearmor.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -566,7 +566,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
Expand Down Expand Up @@ -1001,7 +1001,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
4 changes: 2 additions & 2 deletions deployments/generic/kubearmor.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -573,7 +573,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
Expand Down Expand Up @@ -1008,7 +1008,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
4 changes: 2 additions & 2 deletions deployments/helm/templates/crd.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -254,7 +254,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
Expand Down Expand Up @@ -918,4 +918,4 @@ spec:
served: true
storage: true
subresources:
status: {}
status: {}
4 changes: 2 additions & 2 deletions deployments/k3s/kubearmor.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -566,7 +566,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
Expand Down Expand Up @@ -1001,7 +1001,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
4 changes: 2 additions & 2 deletions deployments/microk8s/kubearmor.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -566,7 +566,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
Expand Down Expand Up @@ -1001,7 +1001,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
4 changes: 2 additions & 2 deletions deployments/minikube/kubearmor.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -565,7 +565,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
Expand Down Expand Up @@ -1000,7 +1000,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
@@ -0,0 +1,21 @@
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-ubuntu-1-net-raw-block
namespace: multiubuntu
spec:
severity: 1
selector:
matchLabels:
container: ubuntu-1
network:
matchProtocols:
- protocol: raw
action:
Block

# multiubuntu_test_28

# test
# $ ping -c 1 127.0.0.1
# ping: can't create raw socket: Permission denied
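Review bot: `action:` and its value `Block` are split over two lines, so the file relies on plain-scalar continuation, which only parses as intended while `Block` sits deeper than the key; `action: Block` on one line is unambiguous and is what the rest of the spec keys do. The same layout appears in ksp-ubuntu-1-net-raw-audit.yaml and ksp-ubuntu-1-net-raw-block.yaml under tests/scenarios. The trailing comment is useful; it would read better if it named what the expected failure demonstrates, e.g. `# expected: the raw socket ping needs is denied by the policy`.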
Expand Up @@ -173,7 +173,7 @@ type FileType struct {
Action ActionType `json:"action,omitempty"`
}

// +kubebuilder:validation:Pattern=(icmp|ICMP|tcp|TCP|udp|UDP)$
// +kubebuilder:validation:Pattern=(icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type MatchNetworkProtocolStringType string

type MatchNetworkProtocolType struct {
Expand Up @@ -259,7 +259,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
2 changes: 1 addition & 1 deletion pkg/KubeArmorHostPolicy/crd/KubeArmorHostPolicy.yaml
Expand Up @@ -259,7 +259,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
Expand Up @@ -173,7 +173,7 @@ type FileType struct {
Action ActionType `json:"action,omitempty"`
}

// +kubebuilder:validation:Pattern=(icmp|ICMP|tcp|TCP|udp|UDP)$
// +kubebuilder:validation:Pattern=(icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type MatchNetworkProtocolStringType string

type MatchNetworkProtocolType struct {
Expand Up @@ -257,7 +257,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
2 changes: 1 addition & 1 deletion pkg/KubeArmorPolicy/crd/KubeArmorPolicy.yaml
Expand Up @@ -257,7 +257,7 @@ spec:
message:
type: string
protocol:
pattern: (icmp|ICMP|tcp|TCP|udp|UDP)$
pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$
type: string
severity:
maximum: 10
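--- /dev/null
+++ b/tests/scenarios/github_test_13/cmd1
@@ -0,0 +1,7 @@
+source: ubuntu-1-deployment
+cmd: arping -c 1 127.0.0.1
+result: passed
+---
+operation: Network
+condition: SOCK_RAW
+action: Audit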
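--- /dev/null
+++ b/tests/scenarios/github_test_13/ksp-ubuntu-1-net-raw-audit.yaml
@@ -0,0 +1,15 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-ubuntu-1-net-raw-audit
+  namespace: github
+spec:
+  severity: 8
+  selector:
+    matchLabels:
+      container: ubuntu-1
+  network:
+    matchProtocols:
+    - protocol: raw
+  action:
+    Audit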
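--- /dev/null
+++ b/tests/scenarios/github_test_14/cmd1
@@ -0,0 +1,7 @@
+source: ubuntu-1-deployment
+cmd: ping -c 1 127.0.0.1
+result: failed
+---
+operation: Network
+condition: SOCK_RAW
+action: Block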
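Review bot: `result: failed` for `ping -c 1 127.0.0.1` under a `raw` block holds only for a ping build that opens a SOCK_RAW socket; iputils can fall back to an ICMP datagram socket (SOCK_DGRAM/IPPROTO_ICMP) when the kernel's ping_group_range allows it, in which case nothing matches `SOCK_RAW` and the command succeeds, turning this into a false test failure rather than a policy regression. The expectation is therefore tied to the image's ping implementation and the node's sysctl, which is worth recording in the scenario, e.g. `# expects ping to use a SOCK_RAW socket; an ICMP datagram-socket ping would not be blocked`. The same assumption underlies tests/scenarios/multiubuntu_test_28/cmd1.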
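--- /dev/null
+++ b/tests/scenarios/github_test_14/cmd2
@@ -0,0 +1,7 @@
+source: ubuntu-1-deployment
+cmd: curl www.accuknox.com
+result: passed
+---
+operation: Network
+condition: SOCK_STREAM
+action: Block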
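Review bot: `cmd: curl www.accuknox.com` makes the scenario depend on DNS resolution and outbound internet access from the test cluster, so a sandboxed or egress-restricted CI run fails here for reasons unrelated to the `raw` policy under test. A loopback or in-cluster HTTP target exercised over SOCK_STREAM would keep the negative check (TCP must stay unaffected by a raw-only block) hermetic. The trailing stanza pairs `result: passed` with `action: Block` on `SOCK_STREAM`; if that stanza describes an expected alert rather than the policy being exercised, it looks inconsistent with a policy that matches only `raw`, so it is worth confirming against the harness semantics.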
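--- /dev/null
+++ b/tests/scenarios/github_test_14/ksp-ubuntu-1-net-raw-block.yaml
@@ -0,0 +1,15 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-ubuntu-1-net-raw-block
+  namespace: github
+spec:
+  severity: 8
+  selector:
+    matchLabels:
+      container: ubuntu-1
+  network:
+    matchProtocols:
+    - protocol: raw
+  action:
+    Block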
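--- /dev/null
+++ b/tests/scenarios/multiubuntu_test_28/cmd1
@@ -0,0 +1,7 @@
+source: ubuntu-1-deployment
+cmd: ping -c 1 127.0.0.1
+result: failed
+---
+operation: Network
+condition: SOCK_RAW
+action: Block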
