Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement defaultArmor option #595

Closed
7 tasks
daemon1024 opened this issue Feb 7, 2022 · 4 comments · Fixed by #630
Closed
7 tasks

Implement defaultArmor option #595

daemon1024 opened this issue Feb 7, 2022 · 4 comments · Fixed by #630
Labels
bug Something isn't working enhancement New feature or request important

Comments

@daemon1024
Copy link
Member

daemon1024 commented Feb 7, 2022
edited
Loading

Feature Request

Implement defaultPosture option in CLI and CRD

Is your feature request related to a problem? Please describe the use case.

Bug:
KubeArmor doesn't have a default posture in global context in case we only have from Source based policies.
Feature:
Add an option to audit events instead of blocking in case of whitelisting policies.

Describe the solution you'd like

Add options in KubeArmor to have a configurable default posture.

Initial Goals

  • -defaultArmor CLI option
    • Allow ( Current Behaviour )
    • Block
    • Audit
  • defaultFileArmor - default position for both files/processes
  • defaultNetworkArmor
  • Discuss on how to handle in CRD

cc @nyrahul @nam-jaehyun
@daemon1024 daemon1024 added bug Something isn't working enhancement New feature or request important labels Feb 7, 2022
@nyrahul
Copy link
Contributor

nyrahul commented Feb 7, 2022

SGTM, handling in CRD can be kept in different issue altogether and can be done later.

@nam-jaehyun
Copy link
Collaborator

@nyrahul as Rahul said we can handle the CRD part later.
let's use defaultFileAction and defaultNetworkAction rather than xxxArmor.
what is the purpose of "-defaultArmor"?

@daemon1024
Copy link
Member Author

daemon1024 commented Feb 7, 2022
edited
Loading

Just noted the CRD Part so as keep it as a later action item.

what is the purpose of "-defaultArmor"?

@nam-jaehyun A global option, if someone doesn't want to individually configure file/network/future more options like caps maybe.

@nyrahul
Copy link
Contributor

nyrahul commented Feb 7, 2022

Just noted the CRD Part so as keep it as a later action item.

what is the purpose of "-defaultArmor"?

@nam-jaehyun A global option, if someone doesn't want to individually configure file/network/future more options like caps maybe.

@daemon1024, do we need a global option if we have specific options for file, network? If we have multiple option then we need to add conditions around it. We can simply keep file, network options. Maybe I miscommunicated this during our design call.

@daemon1024 daemon1024 mentioned this issue Feb 8, 2022
Merged
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Feb 12, 2022
@daemon1024
introduce configurable default armor mode
75e2df2 
KubeArmor didn't have a configurable default mode of operations. This commit introduces a configurable default armor mode as well changes in enforcement system to act accordingly.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Feb 12, 2022
@daemon1024
redirect logs to alerts based on defaultArmor mode
92abd1b 
When KubeArmor is equipped with default armor block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the default armor mode.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Feb 14, 2022
@daemon1024
introduce configurable default posture
bb0b735 
KubeArmor didn't have a configurable default mode of operations. This commit introduces a configurable default posture as well changes in enforcement system to act accordingly.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Feb 14, 2022
@daemon1024
redirect logs to alerts based on default posture
f064183 
When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Feb 14, 2022
@daemon1024
redirect logs to alerts based on default posture
ca80078 
When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Feb 14, 2022
@daemon1024
redirect logs to alerts based on default posture
0794a75 
When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Feb 14, 2022
@daemon1024
introduce configurable default posture
9646332 
KubeArmor didn't have a configurable default mode of operations. This commit introduces a configurable default posture as well changes in enforcement system to act accordingly.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Feb 14, 2022
@daemon1024
redirect logs to alerts based on default posture
b609ff0 
When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Feb 14, 2022
@daemon1024
introduce configurable default posture
f6115a4 
KubeArmor didn't have a configurable default mode of operations. This commit introduces a configurable default posture as well changes in enforcement system to act accordingly.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Feb 14, 2022
@daemon1024
redirect logs to alerts based on default posture
61280ab 
When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Feb 21, 2022
@daemon1024
introduce configurable default posture
e652f87 
KubeArmor didn't have a configurable default mode of operations. This commit introduces a configurable default posture as well changes in enforcement system to act accordingly.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Feb 21, 2022
@daemon1024
redirect logs to alerts based on default posture
54e7262 
When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
@daemon1024 daemon1024 mentioned this issue Feb 26, 2022
Merged
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Mar 1, 2022
@daemon1024
introduce configurable default posture
0b6708b 
KubeArmor didn't have a configurable default mode of operations. This commit introduces a configurable default posture as well changes in enforcement system to act accordingly.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Mar 1, 2022
@daemon1024
redirect logs to alerts based on default posture
e77bf2e 
When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Mar 1, 2022
@daemon1024
introduce configurable default posture
c21b552 
KubeArmor didn't have a configurable default mode of operations. This commit introduces a configurable default posture as well changes in enforcement system to act accordingly.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Mar 1, 2022
@daemon1024
redirect logs to alerts based on default posture
8b66898 
When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Mar 2, 2022
@daemon1024
introduce configurable default posture
61b9bdc 
KubeArmor didn't have a configurable default mode of operations. This commit introduces a configurable default posture as well changes in enforcement system to act accordingly.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Mar 2, 2022
@daemon1024
redirect logs to alerts based on default posture
624d55f 
When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Mar 7, 2022
@daemon1024
introduce configurable default posture
57abac4 
KubeArmor didn't have a configurable default mode of operations. This commit introduces a configurable default posture as well changes in enforcement system to act accordingly.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Mar 7, 2022
@daemon1024
redirect logs to alerts based on default posture
84323cc 
When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working enhancement New feature or request important
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Handle per namespace default posture implementation daemon1024/KubeArmor
3 participants
@nyrahul @daemon1024 @nam-jaehyun