Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Equip KubeArmor with Default Armors #602

Merged
merged 6 commits into from
Mar 21, 2022
Merged

Equip KubeArmor with Default Armors #602

merged 6 commits into from
Mar 21, 2022

Conversation

daemon1024
Copy link
Member

Ref #595

@codecov-commenter
Copy link

codecov-commenter commented Feb 8, 2022
edited
Loading

Codecov Report

Merging #602 (9a5952d) into main (1b4c3a9) will increase coverage by 0.73%.
The diff coverage is 82.43%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #602      +/-   ##
==========================================
+ Coverage   43.55%   44.28%   +0.73%     
==========================================
  Files          24       24              
  Lines        8482     8536      +54     
==========================================
+ Hits         3694     3780      +86     
+ Misses       4336     4299      -37     
- Partials      452      457       +5
Impacted Files Coverage Δ
KubeArmor/feeder/policyMatcher.go 44.31% <75.60%> (+3.66%) ⬆️
KubeArmor/enforcer/appArmorProfile.go 40.55% <85.71%> (+2.20%) ⬆️
KubeArmor/config/config.go 85.85% <100.00%> (+1.95%) ⬆️
KubeArmor/monitor/hostProcessTree.go 69.23% <0.00%> (+7.69%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1b4c3a9...9a5952d. Read the comment docs.

@daemon1024 daemon1024 changed the title [WIP] initial default posture implementation Equip KubeArmor with Default Armors Feb 12, 2022
@daemon1024 daemon1024 marked this pull request as ready for review February 12, 2022 06:10
@daemon1024 daemon1024 requested review from nyrahul and nam-jaehyun and removed request for nyrahul February 12, 2022 06:10
nyrahul
nyrahul requested changes Feb 12, 2022
View reviewed changes
KubeArmor/config/config.go Outdated Show resolved Hide resolved
KubeArmor/enforcer/appArmorEnforcer.go Outdated Show resolved Hide resolved
KubeArmor/feeder/feeder.go Outdated Show resolved Hide resolved
KubeArmor/feeder/policyMatcher.go Outdated Show resolved Hide resolved
KubeArmor/feeder/policyMatcher.go Outdated Show resolved Hide resolved
KubeArmor/feeder/policyMatcher.go Outdated Show resolved Hide resolved
@daemon1024 daemon1024 force-pushed the default-armor-opt branch 5 times, most recently from b609ff0 to 61280ab Compare February 14, 2022 15:16
@daemon1024 daemon1024 requested a review from nyrahul February 15, 2022 16:12
@daemon1024 daemon1024 marked this pull request as draft February 16, 2022 14:51
@daemon1024 daemon1024 force-pushed the default-armor-opt branch 2 times, most recently from ef2ddce to be477f5 Compare February 17, 2022 13:52
@daemon1024 daemon1024 marked this pull request as ready for review February 17, 2022 15:59
@daemon1024 daemon1024 mentioned this pull request Feb 26, 2022
Merged
@daemon1024 daemon1024 force-pushed the default-armor-opt branch 2 times, most recently from f30506c to e945d83 Compare March 1, 2022 16:31
nyrahul
nyrahul approved these changes Mar 2, 2022
View reviewed changes
Copy link
Contributor

@nyrahul nyrahul left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@daemon1024 daemon1024 force-pushed the default-armor-opt branch 2 times, most recently from a3ce1d4 to b61add4 Compare March 2, 2022 14:30
@daemon1024 daemon1024 requested a review from nyrahul March 2, 2022 14:32
nam-jaehyun
nam-jaehyun reviewed Mar 7, 2022
View reviewed changes
Copy link
Collaborator

@nam-jaehyun nam-jaehyun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's update this PR on the latest code and merge it.
By the way, it would be better if we have a document that explains how the default posture works in specific cases.

@daemon1024
introduce configurable default posture
57abac4 
KubeArmor didn't have a configurable default mode of operations. This commit introduces a configurable default posture as well changes in enforcement system to act accordingly.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
@daemon1024
redirect logs to alerts based on default posture
84323cc 
When KubeArmor is equipped with default posture block/audit each of the telemetry events generated needs to be an alert. This commit introduces changes to the policy matcher to update our logs to implicit block/audit alerts based on the configured default posture.

Ref kubearmor#595

Signed-off-by: daemon1024 <[email protected]>
@daemon1024 daemon1024 force-pushed the default-armor-opt branch 2 times, most recently from 3ebb49f to b699495 Compare March 7, 2022 13:09
@daemon1024
Copy link
Member Author

it would be better if we have a document that explains how the default posture works in specific cases.

Let's document it as part of #630 since will also need to document how to exactly to apply default postures... WDYT?

@daemon1024 daemon1024 requested a review from nam-jaehyun March 7, 2022 13:56
nyrahul
nyrahul approved these changes Mar 10, 2022
View reviewed changes
Copy link
Contributor

@nyrahul nyrahul left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nyrahul
Copy link
Contributor

nyrahul commented Mar 12, 2022

@nam-jaehyun , can you please review/approve/merge? Thanks

nam-jaehyun
nam-jaehyun reviewed Mar 20, 2022
View reviewed changes
Copy link
Collaborator

@nam-jaehyun nam-jaehyun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added some comments. Please check them.

@daemon1024
consider default posture if fromsourceallowpolicy exists
f383637 
This commit also fixes the bug where default deny didn't work if we only had fromSource based Allow Policies

Signed-off-by: daemon1024 <[email protected]>
@daemon1024
check policy list to consider posture or not
d2d04cb 
Signed-off-by: daemon1024 <[email protected]>
@daemon1024
consider default posture when atleast one allow policy OR from source…
3db6618 
… allow policy

Signed-off-by: daemon1024 <[email protected]>
@daemon1024
add default posture block test case based fromsourceallow
dbfb5cc 
Modified test script to accomodate DefaultPosture logs

Signed-off-by: daemon1024 <[email protected]>
nam-jaehyun
nam-jaehyun approved these changes Mar 21, 2022
View reviewed changes
Copy link
Collaborator

@nam-jaehyun nam-jaehyun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's merge it.

@nam-jaehyun nam-jaehyun merged commit 0971f72 into kubearmor:main Mar 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nam-jaehyun nam-jaehyun nam-jaehyun approved these changes

@nyrahul nyrahul nyrahul approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@daemon1024 @codecov-commenter @nyrahul @nam-jaehyun