From 1d7776ecf021c20992d9c6bdd2cb1b64afbd3359 Mon Sep 17 00:00:00 2001 From: Jaehyun Nam Date: Tue, 8 Mar 2022 13:00:29 +0000 Subject: [PATCH 1/5] update deployment yamls (#641) Signed-off-by: Jaehyun Nam --- deployments/EKS/kubearmor.yaml | 44 ++++++++++++++--------------- deployments/GKE/kubearmor.yaml | 44 ++++++++++++++--------------- deployments/docker/kubearmor.yaml | 44 ++++++++++++++--------------- deployments/generic/kubearmor.yaml | 44 ++++++++++++++--------------- deployments/k3s/kubearmor.yaml | 44 ++++++++++++++--------------- deployments/microk8s/kubearmor.yaml | 44 ++++++++++++++--------------- deployments/minikube/kubearmor.yaml | 44 ++++++++++++++--------------- 7 files changed, 154 insertions(+), 154 deletions(-) diff --git a/deployments/EKS/kubearmor.yaml b/deployments/EKS/kubearmor.yaml index 12e10177e3..be689564d0 100644 --- a/deployments/EKS/kubearmor.yaml +++ b/deployments/EKS/kubearmor.yaml @@ -386,7 +386,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -435,13 +435,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -478,7 +478,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -487,7 +487,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -566,7 +566,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
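Review bot: The new `path` pattern `^\/+.*[^\/]$` (hunk `-386`, repeated at `-435`, `-478`, `-487` and `-566`) no longer constrains anything between the slashes, so a policy can now carry `/..` segments, embedded whitespace, repeated leading slashes (`//bin/sh`) and arbitrary punctuation through admission. This string is presumably written into AppArmor/SELinux/BPF rules by the controller (not shown here); characters such as `{`, `}`, `,`, `#` or whitespace can change how such a generated rule is parsed, so if the generator does not already quote or reject them, this schema pattern was the only line of defence and should not be reduced to `.*`. A tighter pattern that still drops the old `[A-z]` range (which accidentally admitted `[`, `\`, `]`, `^`, `_` and a backtick) is `^(\/[^\/\s]+)+$`; `..` segments cannot be excluded by an RE2 `pattern` and need an explicit check in the controller or webhook. The identical edit is duplicated byte-for-byte in the other six deployment yamls in this patch, so whatever pattern is settled on should be regenerated from one source rather than hand-edited in seven places.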
@@ -618,13 +618,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -659,7 +659,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -668,7 +668,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 @@ -745,12 +745,12 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string message: type: string path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -870,7 +870,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -920,13 +920,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -963,7 +963,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -972,7 +972,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -1051,7 +1051,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
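Review bot: The new `dir` pattern `^\/$|^\/.*\/$` (hunks `-618`, `-745`, `-920` and `-1111`) explicitly admits the bare root `/`, which the old pattern rejected because it required at least one segment; a rule with `dir: /` now passes admission and, for a `Block` action (presumably with the recursive option), would cover the entire filesystem of every matched pod or node. If root-wide rules are an intended feature, that should be a documented, deliberate choice with a guarded example rather than a side effect of relaxing validation; if not, drop the `^\/$` alternative. The `.*` half also accepts `//`, whitespace and `..` exactly like the `path` pattern; `^\/$|^(\/[^\/\s]+)+\/$` keeps a single leading slash and non-empty segments while still allowing glob characters. Only the `pattern` line is changed here, so the enclosing schema object starts and ends outside the hunk.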
@@ -1111,13 +1111,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1152,7 +1152,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1161,7 +1161,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 diff --git a/deployments/GKE/kubearmor.yaml b/deployments/GKE/kubearmor.yaml index 12e10177e3..be689564d0 100644 --- a/deployments/GKE/kubearmor.yaml +++ b/deployments/GKE/kubearmor.yaml @@ -386,7 +386,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -435,13 +435,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -478,7 +478,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -487,7 +487,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -566,7 +566,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
@@ -618,13 +618,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -659,7 +659,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -668,7 +668,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 @@ -745,12 +745,12 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string message: type: string path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -870,7 +870,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -920,13 +920,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -963,7 +963,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -972,7 +972,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -1051,7 +1051,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
@@ -1111,13 +1111,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1152,7 +1152,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1161,7 +1161,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 diff --git a/deployments/docker/kubearmor.yaml b/deployments/docker/kubearmor.yaml index a530818a1a..4303fb7e30 100644 --- a/deployments/docker/kubearmor.yaml +++ b/deployments/docker/kubearmor.yaml @@ -379,7 +379,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -428,13 +428,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -471,7 +471,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -480,7 +480,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -559,7 +559,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
@@ -611,13 +611,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -652,7 +652,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -661,7 +661,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 @@ -738,12 +738,12 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string message: type: string path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -863,7 +863,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -913,13 +913,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -956,7 +956,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -965,7 +965,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -1044,7 +1044,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
@@ -1104,13 +1104,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1145,7 +1145,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1154,7 +1154,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 diff --git a/deployments/generic/kubearmor.yaml b/deployments/generic/kubearmor.yaml index 12e10177e3..be689564d0 100644 --- a/deployments/generic/kubearmor.yaml +++ b/deployments/generic/kubearmor.yaml @@ -386,7 +386,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -435,13 +435,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -478,7 +478,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -487,7 +487,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -566,7 +566,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
@@ -618,13 +618,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -659,7 +659,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -668,7 +668,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 @@ -745,12 +745,12 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string message: type: string path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -870,7 +870,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -920,13 +920,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -963,7 +963,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -972,7 +972,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -1051,7 +1051,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
@@ -1111,13 +1111,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1152,7 +1152,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1161,7 +1161,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 diff --git a/deployments/k3s/kubearmor.yaml b/deployments/k3s/kubearmor.yaml index 1df1b3c9ca..a97af52cbd 100644 --- a/deployments/k3s/kubearmor.yaml +++ b/deployments/k3s/kubearmor.yaml @@ -379,7 +379,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -428,13 +428,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -471,7 +471,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -480,7 +480,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -559,7 +559,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
@@ -611,13 +611,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -652,7 +652,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -661,7 +661,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 @@ -738,12 +738,12 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string message: type: string path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -863,7 +863,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -913,13 +913,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -956,7 +956,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -965,7 +965,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -1044,7 +1044,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
@@ -1104,13 +1104,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1145,7 +1145,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1154,7 +1154,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 diff --git a/deployments/microk8s/kubearmor.yaml b/deployments/microk8s/kubearmor.yaml index e1cd2ff49c..7a5bce27be 100644 --- a/deployments/microk8s/kubearmor.yaml +++ b/deployments/microk8s/kubearmor.yaml @@ -379,7 +379,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -428,13 +428,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -471,7 +471,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -480,7 +480,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -559,7 +559,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
@@ -611,13 +611,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -652,7 +652,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -661,7 +661,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 @@ -738,12 +738,12 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string message: type: string path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -863,7 +863,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -913,13 +913,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -956,7 +956,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -965,7 +965,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -1044,7 +1044,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
@@ -1104,13 +1104,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1145,7 +1145,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1154,7 +1154,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 diff --git a/deployments/minikube/kubearmor.yaml b/deployments/minikube/kubearmor.yaml index 5594a96a75..55036d8efd 100644 --- a/deployments/minikube/kubearmor.yaml +++ b/deployments/minikube/kubearmor.yaml @@ -378,7 +378,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -427,13 +427,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -470,7 +470,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -479,7 +479,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -558,7 +558,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
@@ -610,13 +610,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -651,7 +651,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -660,7 +660,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 @@ -737,12 +737,12 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string message: type: string path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -862,7 +862,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -912,13 +912,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -955,7 +955,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -964,7 +964,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean @@ -1043,7 +1043,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array 
@@ -1103,13 +1103,13 @@ spec: - Block type: string dir: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)+\/$ + pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1144,7 +1144,7 @@ spec: items: properties: path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string type: object type: array @@ -1153,7 +1153,7 @@ spec: ownerOnly: type: boolean path: - pattern: ^\/([A-z0-9-_.]+\/)*([A-z0-9-_.]+)$ + pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 From ffcb95780fdf9c591bd6e3737cb9558cbcd638d5 Mon Sep 17 00:00:00 2001 From: Jaehyun Nam Date: Tue, 8 Mar 2022 13:31:07 +0000 Subject: [PATCH 2/5] update documents Signed-off-by: Jaehyun Nam --- .github/workflows/ci-test.yml | 1 - .github/workflows/release.yml | 4 +++ CONTRIBUTING.md | 19 ++++++++--- README.md | 28 +++++++-------- SECURITY.md | 17 +++++----- SUMMARY.md | 6 ++-- contribution/contribution_guide.md | 8 ++--- contribution/development_guide.md | 10 ++---- contribution/k3s/README.md | 2 +- contribution/microk8s/README.md | 2 +- contribution/minikube/README.md | 2 +- .../self-managed-k8s-selinux/README.md | 2 +- contribution/testing_guide.md | 10 +++--- getting-started/deployment_guide.md | 34 ++++++++++--------- .../host_security_policy_examples.md | 2 +- .../host_security_policy_specification.md | 2 +- getting-started/kubearmor_vm.md | 32 ++++++++++------- getting-started/security_policy_examples.md | 2 +- .../security_policy_specification.md | 2 +- 19 files changed, 100 insertions(+), 85 deletions(-) diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml index f34cc368c2..4d8e6562a6 100644 --- a/.github/workflows/ci-test.yml +++ b/.github/workflows/ci-test.yml 
@@ -44,7 +44,6 @@ jobs: sudo apt-get update sudo apt-get -y install build-essential cmake bison flex git python3 python3-pip clang-9 libllvm9 llvm-9-dev libclang-9-dev zlib1g-dev libelf-dev libedit-dev libfl-dev pushd /tmp - # fetch latest bcc release git clone --branch v0.24.0 --depth 1 https://github.com/iovisor/bcc.git mkdir -p bcc/build; cd bcc/build sudo ln -s /usr/lib/llvm-9 /usr/local/llvm diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0fec8225b0..2c73f6afe3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,6 +16,7 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 + - name: Build bcc run: | set -x @@ -29,13 +30,16 @@ jobs: make -j$(nproc) sudo make install popd + - name: Set up Go uses: actions/setup-go@v2 with: go-version: 1. + - name: Installing Karmor run: curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b . working-directory: KubeArmor + - name: Run GoReleaser uses: goreleaser/goreleaser-action@v2 with: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f8d0ef91ea..c5c99710dd 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,15 +1,24 @@ # How to Contribute to KubeArmor? -1. Pick [issue](https://github.com/issues?q=is%3Aopen+is%3Aissue+user%3Akubearmor+sort%3Aupdated-desc) to work on. For first-time contributors, best would be to pick issue [tagged good-first-issue](https://github.com/issues?q=is%3Aopen+is%3Aissue+user%3Akubearmor+label%3A%22good+first+issue%22+sort%3Aupdated-desc). +1. Pick an [issue](https://github.com/issues?q=is%3Aopen+is%3Aissue+user%3Akubearmor+sort%3Aupdated-desc) to work on. For first-time contributors, the best would be to pick an issue [tagged good-first-issue](https://github.com/issues?q=is%3Aopen+is%3Aissue+user%3Akubearmor+label%3A%22good+first+issue%22+sort%3Aupdated-desc). + 2. If you feel adventurous and would like to take a challenging issue, we would love to have you contribute on issues [tagged help-wanted](https://github.com/issues?q=is%3Aopen+is%3Aissue+user%3Akubearmor+label%3A%22help+wanted%22+sort%3Aupdated-desc). + 3. There is a [Contribution Guide](contribution/contribution_guide.md) that explains how to create a fork and raise PR on GitHub. + 4. If the issue involves code changes you need to install development env using this [Development Guide](contribution/development_guide.md). -Last but not the least, contributions are not necessarily in the form of code changes. Kubearmor community can benefit for contributions such as: -1. [Policy-Templates](https://github.com/kubearmor/policy-templates): Users are welcome to contribute policy-templates for their workloads. The workloads have to be generic enough such that it benefits the wider community. For e.g., if someone brings up a system policy restricting access of nginx process that would be useful in multiple scenarios and for wider community then coming up with a policy-template that is specific to your proprietary application. +# Scope of contribution + +Contributions are not necessarily in the form of code changes. Kubearmor community can benefit from contributions such as: + +1. 
[Policy-Templates](https://github.com/kubearmor/policy-templates): Users are welcome to contribute policy-templates for their workloads. The workloads have to be generic enough such that it benefits the wider community. E.g., if someone brings up a system policy restricting access to nginx process that would be useful in multiple scenarios and for the wider community then come up with a policy-template that is specific to your proprietary application. + 2. Blogs - a. explaining feature use (KVMService, Event Auditor, Visibility etc) + a. explaining feature use (KVMService, Event Auditor, Visibility, etc) b. How to use Kubearmor to protect your workload? Specific use-cases you may have. Please do not shy away from getting as technical as you can. c. ... put your topic of interest here ... + 3. Feedback to the community. Just helping advance any discussion on KubeArmor Slack, Community meetings, office hours will make a big difference. -4. Talking about Kubearmor in meetups. We would certainly encourage users or devs of kubearmor to talk about it in open/closed forums. Community can help with logistics such as compiling/feedback on slide-decks, technical diagrams etc. + +4. Talking about Kubearmor in meetups. We would certainly encourage users or devs of kubearmor to talk about it in open/closed forums. The community can help with logistics such as compiling/feedback on slide-decks, technical diagrams, etc. diff --git a/README.md b/README.md index a91c8acadf..20a2507bae 100644 --- a/README.md +++ b/README.md 
@@ -8,11 +8,11 @@ [![Slack](https://kubearmor.herokuapp.com/badge.svg)](https://kubearmor.herokuapp.com) [![Discussions](https://img.shields.io/badge/Got%20Questions%3F-Chat-Violet)](https://github.com/kubearmor/KubeArmor/discussions) -KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior \(such as process execution, file access, and networking operation\) of containers and nodes at the system level. +KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior \(such as process execution, file access, and networking operation\) of containers and nodes (VMs) at the system level. KubeArmor operates with [Linux security modules \(LSMs\)](https://en.wikipedia.org/wiki/Linux_Security_Modules), meaning that it can work on top of any Linux platforms \(such as Alpine, Ubuntu, and Container-optimized OS from Google\) if Linux security modules \(e.g., [AppArmor](https://en.wikipedia.org/wiki/AppArmor), [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), or [BPF-LSM](https://lwn.net/Articles/808048/)\) are enabled in the Linux Kernel. KubeArmor will use the appropriate LSMs to enforce the required policies. -KubeArmor allows operators to define security policies and apply them to Kubernetes. Then, KubeArmor will automatically detect the changes in security policies from Kubernetes and enforce them to the corresponding containers and nodes. +KubeArmor allows operators to define security policies and apply them to Kubernetes. Then, KubeArmor will automatically detect the changes in security policies from Kubernetes and enforce them to the corresponding containers and nodes. Also, KubeArmor provides [KVMService](https://github.com/kubearmor/kvm-service) that allows orchestrating security policies to VMs for non-k8s environments. If there are any violations against security policies, KubeArmor immediately generates alerts with container identities. 
If operators have any logging systems, it automatically sends the alerts to their systems as well. 
@@ -20,29 +20,29 @@ If there are any violations against security policies, KubeArmor immediately gen ## Functionality Overview -* Restrict the behavior of containers and nodes at the system level +* Restrict the behavior of containers and nodes (VMs) at the system level -Traditional container security solutions \(e.g., Cilium\) protect containers by determining their inter-container relations \(i.e., service flows\) at the network level. In contrast, KubeArmor prevents malicious or unknown behaviors in containers by specifying their desired actions \(e.g., a specific process should only be allowed to access a sensitive file\). KubeArmor also allows operators to restrict the behaviors of nodes based on node identities. + Traditional container security solutions \(e.g., Cilium\) protect containers by determining their inter-container relations \(i.e., service flows\) at the network level. In contrast, KubeArmor prevents malicious or unknown behaviors in containers by specifying their desired actions \(e.g., a specific process should only be allowed to access a sensitive file\). KubeArmor also allows operators to restrict the behaviors of nodes (VMs) based on node identities. -* Enforce security policies to containers in runtime +* Enforce security policies to containers and nodes (VMs) in runtime -In general, security policies \(e.g., Seccomp and AppArmor profiles\) are statically defined within pod definitions for Kubernetes, and they are applied to containers at creation time. Then, the security policies are not allowed to be updated in runtime. + In general, security policies \(e.g., Seccomp and AppArmor profiles\) are statically defined within pod definitions for Kubernetes, and they are applied to containers at creation time. Then, the security policies are not allowed to be updated in runtime. In addition, there is no way to define security policies for nodes in Kubernetes. 
-To avoid this problem, KubeArmor maintains security policies separately, which means that security policies are no longer tightly coupled with containers. Then, KubeArmor directly applies the security policies into Linux security modules \(LSMs\) for each container according to the labels of given containers and security policies. + To address those problems, KubeArmor maintains security policies separately; security policies are no longer tightly coupled with containers. Then, KubeArmor directly applies the security policies into Linux security modules \(LSMs\) for each container according to the labels of given containers and security policies. Similiarly, KubeArmor directly enforces security policies to nodes (VMs) as well. * Produce container-aware alerts and system logs -LSMs do not have any container-related information; thus, they generate alerts and system logs only based on system metadata \(e.g., User ID, Group ID, and process ID\). Therefore, it is hard to figure out what containers cause policy violations. + LSMs do not have any container-related information; thus, they generate alerts and system logs only based on system metadata \(e.g., User ID, Group ID, and process ID\). Therefore, it is hard to figure out what containers cause policy violations. -To address this problem, KubeArmor uses an eBPF-based system monitor, which keeps track of process life cycles in containers, and converts system metadata to container identities when LSMs generate alerts and system logs for any policy violations from containers. + For this reason, KubeArmor uses an eBPF-based system monitor, which keeps track of process life cycles in containers and even nodes, and converts system metadata to container/node identities when LSMs generate alerts and system logs for any policy violations from containers and nodes (VMs). 
* Provide easy-to-use semantics for policy definitions -KubeArmor provides the ability to monitor the life cycles of containers' processes and take policy decisions based on them. In general, it is much easier to deny a specific action but it is more difficult to allow only specific actions while denying all. KubeArmor manages internal complexities associated with handling such policy decisions and provides easy semantics towards policy language. + KubeArmor provides the ability to monitor the life cycles of containers' processes and take policy decisions based on them. In general, it is much easier to deny a specific action, but it is more difficult to allow only specific actions while denying all. KubeArmor manages internal complexities associated with handling such policy decisions and provides easy semantics towards policy language. * Support network security enforcement among containers -KubeArmor aims to protect containers themselves rather than interactions among containers. However, using KubeArmor a user can add policies that could apply policy settings at the level of network system calls \(e.g., bind\(\), listen\(\), accept\(\), and connect\(\)\), thus somewhat controlling interactions among containers. + KubeArmor aims to protect containers and nodes (VMs) themselves rather than inter-container/inter-node communications. However, using KubeArmor a user can add policies that could apply policy settings at the level of network system calls \(e.g., bind\(\), listen\(\), accept\(\), and connect\(\)\), thus somewhat controlling interactions among containers and nodes (VMs). ## Getting Started 
@@ -51,14 +51,14 @@ Please take a look at the following documents. 1. [Getting Started](getting-started/deployment_guide.md) 2. [Security Policy Specification for Containers](getting-started/security_policy_specification.md) 3. [Security Policy Examples for Containers](getting-started/security_policy_examples.md) -4. [Security Policy Specification for Nodes](getting-started/host_security_policy_specification.md) -5. [Security Policy Examples for Nodes](getting-started/host_security_policy_examples.md) +4. [Security Policy Specification for Nodes (VMs)](getting-started/host_security_policy_specification.md) +5. [Security Policy Examples for Nodes (VMs)](getting-started/host_security_policy_examples.md) If you want to make a contribution, please refer to the following documents too. 1. [Contribution Guide](contribution/contribution_guide.md) 2. [Development Guide](contribution/development_guide.md) -3. [Technical Roadmap](contribution/technical_roadmap.md) +3. [Testing Guide](contribution/testing_guide.md) ## Community diff --git a/SECURITY.md b/SECURITY.md index bb4f3950d7..fb4cace630 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,6 +1,6 @@ # Security Policy The Maintainers and contributors to KubeArmor take the security of our software seriously. -The KubeArmor community has adopted the below security disclosures and response policy to promptly respond to critical issues +The KubeArmor community has adopted the below security disclosures and response policy to promptly respond to critical issues. Please do not report security vulnerabilities through public GitHub issues. 
@@ -11,7 +11,7 @@ For information regarding the security of this project please join our [slack ch ### When you should? - You think you discovered a potential security vulnerability in KubeArmor. - You are unsure how a vulnerability affects KubeArmor. -- You think you discovered a vulnerability in dependency of KubeArmor. For those projects, please leverage their reporting policy. +- You think you discovered a vulnerability in the dependency of KubeArmor. For those projects, please leverage their reporting policy. ### When you should not? - You need assistance in configuring KubeArmor for security - please discuss this is in the [slack channel](https://kubearmor.herokuapp.com/). 
@@ -21,18 +21,19 @@ For information regarding the security of this project please join our [slack ch ### Please use the below process to report a vulnerability to the project: 1. Email the **KubeArmor security group at support@accuknox.com** - * Emails should contain: - * Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: + * Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) - * Full paths of source file(s) related to the manifestation of the issue - * The location of the affected source code (tag/branch/commit or direct URL) + * Full paths of the source file(s) related to the manifestation of the issue + * Location of the affected source code (tag/branch/commit or direct URL) * Any special configuration required to reproduce the issue * Step-by-step instructions to reproduce the issue * Proof-of-concept or exploit code (if possible) * Impact of the issue, including how an attacker might exploit the issue -This information will help us triage your report more quickly. + * These information will help us triage your report more quickly. + 2. The project security team will send an initial response to the disclosure in 3-5 days. Once the vulnerability and fix are confirmed, the team will plan to release the fix in 7 to 28 days based on the severity and complexity. + 3. You may be contacted by a project maintainer to further discuss the reported item. Please bear with us as we seek to understand the breadth and scope of the reported problem, recreate it, and confirm if there is a vulnerability present. ## Supported Versions 
@@ -41,4 +42,4 @@ KubeArmor versions follow [Semantic Versioning](https://semver.org/) terminology - y is the minor version - and z is the patch version -Security fixes, may be backported to a number of recent minor releases, depending on severity and feasibility. Patch releases are cut from those branches periodically, plus additional urgent releases, when required. +Security fixes may be backported to some recent minor releases, depending on severity and feasibility. Patch releases are cut from those branches periodically, plus additional urgent releases, when required. diff --git a/SUMMARY.md b/SUMMARY.md index 30da95e671..41c6ea8f50 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -7,16 +7,14 @@ * [Deployment Guide](getting-started/deployment_guide.md) * [Security Policy Specification for Containers](getting-started/security_policy_specification.md) * [Security Policy Examples for Containers](getting-started/security_policy_examples.md) -* [Security Policy Specification for Hosts](getting-started/host_security_policy_specification.md) -* [Security Policy Examples for Hosts](getting-started/host_security_policy_examples.md) -* [Consideration in Policy Action](getting-started/consideration_in_policy_action.md) +* [Security Policy Specification for Nodes/VMs](getting-started/host_security_policy_specification.md) +* [Security Policy Examples for Nodes/VMs](getting-started/host_security_policy_examples.md) ## Contribution * [Contribution Guide](contribution/contribution_guide.md) * [Development Guide](contribution/development_guide.md) * [Testing Guide](contribution/testing_guide.md) -* [Technical Roadmap](contribution/technical_roadmap.md) ## Reference diff --git a/contribution/contribution_guide.md b/contribution/contribution_guide.md index b00995c350..dd59013eaf 100644 --- a/contribution/contribution_guide.md +++ b/contribution/contribution_guide.md 
@@ -1,6 +1,6 @@ # Contribution Guide -KubeArmor maintainers welcome individuals and organizations from across the Cloud security landscape (creators and implementers alike) to make contributions to the project. We equally value the addition of technical contributions and enhancements of documentation that helps us grow the community and strengthen the value of KubeArmor. We invite members of the community to contribute to the project! +KubeArmor maintainers welcome individuals and organizations from across the cloud security landscape (creators and implementers alike) to make contributions to the project. We equally value the addition of technical contributions and enhancements of documentation that helps us grow the community and strengthen the value of KubeArmor. We invite members of the community to contribute to the project! To make a contribution, please follow the steps below. @@ -59,7 +59,7 @@ To make a contribution, please follow the steps below. Then, commit the changes using the "git commit" command. ```text - ~/KubeArmor$ git commit -m "Add a new feature by [your name]" + ~/KubeArmor$ git commit -s -m "Add a new feature by [your name]" ``` Please make sure that your changes are properly tested on your machine. @@ -86,7 +86,7 @@ To make a contribution, please follow the steps below. ![open pull request](../.gitbook/assets/open_pull_request.png) - A pull request should contain the details of all commits as specific as possible. Also, please make sure that you have "Fixes: \#\(issue number\)". + A pull request should contain the details of all commits as specific as possible, including "Fixes: \#\(issue number\)". Finally, click the "Create pull request" button. @@ -102,6 +102,6 @@ To make a contribution, please follow the steps below. 
Signed-off-by: FirstName LastName ``` - This can easily be done with the `--signoff` option to `git commit`. + This can easily be done with the `-s` or `--signoff` option to `git commit`. By doing this you state that you can certify the following (from https://developercertificate.org/): diff --git a/contribution/development_guide.md b/contribution/development_guide.md index 4551c2b0ff..afcb7b1725 100644 --- a/contribution/development_guide.md +++ b/contribution/development_guide.md @@ -158,7 +158,7 @@ * Please Note: - You could skip vagrant step completely if you're directly compiling Kubearmor on any Linux distro, or using Virtualbox. + You could skip the steps for the vagrant setup completely if you're directly compiling Kubearmor on any Linux distro, or using Virtualbox. Please ensure that the steps to setup K8s are followed so as to resolve any open dependencies. @@ -179,7 +179,7 @@ * Alternative Setup - Minikube - MiniKube does not support LSMs by default; thus, you cannot test KubeArmor on Minikube. However, we provide the custom ISO image for testing KubeArmor on Minikube. + MiniKube does not support LSMs by default; thus, we provide the custom ISO image for testing KubeArmor on Minikube. Please follow the instructions in [Minikube installation guide](minikube/README.md). * Alternative Setup - K3s @@ -263,12 +263,6 @@ Here, we briefly give you an overview of KubeArmor's directories. pkg/KubeArmorHostPolicy/ - KubeArmorHostPolicy CRD generated by Kube-Builder ``` -* Scripts for GKE - - ```text - GKE/ - scripts to set up the enforcer in a container-optimized OS (COS) - ``` - * Files for testing ```text diff --git a/contribution/k3s/README.md b/contribution/k3s/README.md index 6601796898..86c54c288e 100644 --- a/contribution/k3s/README.md +++ b/contribution/k3s/README.md 
@@ -1,6 +1,6 @@ # K3s Installation -Instead of self-managed Kubernetes, you can set up K3s by running the following command. +If you want to use K3s to set up Kubernetes, please run the following command. ```text $ cd KubeArmor/contribution/k3s diff --git a/contribution/microk8s/README.md b/contribution/microk8s/README.md index 921c7c6f2b..8aebf8ed49 100644 --- a/contribution/microk8s/README.md +++ b/contribution/microk8s/README.md @@ -1,6 +1,6 @@ # MicroK8s Installation -Instead of self-managed Kubernetes, you can set up MicroK8s by running the following command. +If you want to use MicroK8s to set up Kubernetes, please run the following command. ```text $ cd KubeArmor/contribution/microk8s diff --git a/contribution/minikube/README.md b/contribution/minikube/README.md index f3c54d4910..aca745c906 100644 --- a/contribution/minikube/README.md +++ b/contribution/minikube/README.md @@ -1,6 +1,6 @@ # Minikube Installation -KubeArmor basically requires LSMs. However, if you want to use Minikube instead of self-managed Kubernetes or MicroK8s, please run the following commands. +If virtualbox and vagrant are not installed on your machine, please the following commands in advance. ```text $ cd KubeArmor/contribution/minikube diff --git a/contribution/self-managed-k8s-selinux/README.md b/contribution/self-managed-k8s-selinux/README.md index ad111780ab..9d38ea05e1 100644 --- a/contribution/self-managed-k8s-selinux/README.md +++ b/contribution/self-managed-k8s-selinux/README.md @@ -2,7 +2,7 @@ * Requirements - CentOS 8 or above. + You can install Docker and Kubernetes on CentOS 8 or above. * Prerequisites diff --git a/contribution/testing_guide.md b/contribution/testing_guide.md index a62dfc51e2..bb3ca72933 100644 --- a/contribution/testing_guide.md +++ b/contribution/testing_guide.md 
@@ -1,6 +1,6 @@ # Testing Guide -In order to check the functionalities of KubeArmor, there are two options: testing kubeArmor in manual and running the auto-testing framework. +There are two ways to check the functionalities of KubeArmor: 1) testing kubeArmor in manual and 2) using the testing framework. # 1. Test KubeArmor in manual @@ -56,7 +56,7 @@ $ kubectl -n [namespace name] exec -it [pod name] -- bash -c [command] ## 1.6. Check generated alerts -- Log using [kArmor](https://github.com/kubearmor/kubearmor-client) cli tool +- Watch alerts using [kArmor](https://github.com/kubearmor/kubearmor-client) cli tool ```text $ karmor log [flags] @@ -73,7 +73,7 @@ $ kubectl -n [namespace name] exec -it [pod name] -- bash -c [command] --msgPath string Output location for messages, {path|stdout|none} (default "none") ``` - Note: Messages, alerts, and logs will be generated right after the karmor runs logs, to avoid any kind of interference, run the above command in other terminal to see logs live and in an interactive way. + Note that you will see alerts and logs generated right after `karmor` runs logs; thus, we recommend to run the above command in other terminal to see logs live and in an interactive way to avoid any kind of interference. # 2. Test KubeArmor using the auto-testing framework @@ -150,7 +150,7 @@ The auto-testing framework operates based on two things: microservices and testc ## 2.2. Test KubeArmor -- KubeArmor running in a host +- The case that KubeArmor is directly running in a host Compile KubeArmor @@ -172,7 +172,7 @@ The auto-testing framework operates based on two things: microservices and testc ~/KubeArmor/tests$ cat /tmp/kubearmor.test ``` -- KubeArmor running as a daemonset +- The case that KubeArmor is running as a daemonset in Kubernetes Run the auto-testing framework diff --git a/getting-started/deployment_guide.md b/getting-started/deployment_guide.md index 7481414be9..7a364d07cb 100644 --- a/getting-started/deployment_guide.md 
+++ b/getting-started/deployment_guide.md @@ -1,8 +1,8 @@ # Getting Started Guide -If you do not already have a k8s cluster, check the [pre-requisites](#prerequisites) to setup one. +If you do not have a k8s cluster, check the [pre-requisites](#prerequisites) to setup one. -If you want to try KubeArmor directly on the host without k8s, [use kubearmor in systemd mode](kubearmor_vm.md). +If you want to try KubeArmor directly on the host without k8s, [run KubeArmor in systemd mode](kubearmor_vm.md). ## Deployment Steps @@ -70,13 +70,13 @@ karmor log ``` ## Manual YAML based [KubeArmor deployment](https://github.com/kubearmor/KubeArmor/tree/main/deployments) -1. [EKS](https://github.com/kubearmor/KubeArmor/tree/main/deployments/EKS) -2. [GKE](https://github.com/kubearmor/KubeArmor/tree/main/deployments/GKE) -3. [docker](https://github.com/kubearmor/KubeArmor/tree/main/deployments/docker) -4. [generic](https://github.com/kubearmor/KubeArmor/tree/main/deployments/generic) -5. [k3s](https://github.com/kubearmor/KubeArmor/tree/main/deployments/k3s) -6. [microk8s](https://github.com/kubearmor/KubeArmor/tree/main/deployments/microk8s) -7. [minikube](https://github.com/kubearmor/KubeArmor/tree/main/deployments/minikube) +1. [generic](https://github.com/kubearmor/KubeArmor/tree/main/deployments/generic) +2. [docker](https://github.com/kubearmor/KubeArmor/tree/main/deployments/docker) +3. [k3s](https://github.com/kubearmor/KubeArmor/tree/main/deployments/k3s) +4. [microk8s](https://github.com/kubearmor/KubeArmor/tree/main/deployments/microk8s) +5. [minikube](https://github.com/kubearmor/KubeArmor/tree/main/deployments/minikube) +6. [GKE](https://github.com/kubearmor/KubeArmor/tree/main/deployments/GKE) +7. [EKS](https://github.com/kubearmor/KubeArmor/tree/main/deployments/EKS) --- **NOTE** 
@@ -85,13 +85,15 @@ karmor log --- ## K8s platforms tested -1. Google Kubernetes Engine (GKE) with Container Optimized OS (COS) -2. GKE with Ubuntu image -3. [Amazon Elastic Kubernetes Service (EKS)](../deployments/EKS) -4. Self-managed (on-prem) k8s -5. Local k8s engines (k3s, microk8s, and minikube) +1. Self-managed (on-prem) k8s +2. Local k8s engines (k3s, microk8s, and minikube) +3. Google Kubernetes Engine (GKE) with Container Optimized OS (COS) +4. GKE with Ubuntu image +5. [Amazon Elastic Kubernetes Service (EKS)](../deployments/EKS) ## Prerequisites -1. [k3s](../deployments/k3s) -2. [Amazon Elastic Kubernetes Service (EKS)](../deployments/EKS#prerequisite-for-the-deployment) +1. [K3s](../deployments/k3s) +2. [MicroK8s](../contribution/microk8s) 3. [Minikube](../contribution/minikube#minikube-installation) +4. [Self-managed K8s](../contribution/self-managed-k8s) +5. [Amazon Elastic Kubernetes Service (EKS)](../deployments/EKS#prerequisite-for-the-deployment) diff --git a/getting-started/host_security_policy_examples.md b/getting-started/host_security_policy_examples.md index fd2032e51e..384c810faf 100644 --- a/getting-started/host_security_policy_examples.md +++ b/getting-started/host_security_policy_examples.md @@ -1,4 +1,4 @@ -# Security Policy Examples +# Examples of Host Security Policy Here, we demonstrate how to define host security policies. diff --git a/getting-started/host_security_policy_specification.md b/getting-started/host_security_policy_specification.md index 2e0b1d9b26..c3fc0864f3 100644 --- a/getting-started/host_security_policy_specification.md +++ b/getting-started/host_security_policy_specification.md @@ -1,4 +1,4 @@ -# Security Policy Specification for Hosts +# Specification of Host Security Policy for Nodes/VMs ## Policy Specification diff --git a/getting-started/kubearmor_vm.md b/getting-started/kubearmor_vm.md index 0986e39920..f7ee2f7319 100644 --- a/getting-started/kubearmor_vm.md +++ b/getting-started/kubearmor_vm.md 
@@ -1,28 +1,34 @@ # KubeArmor on VM/Bare-Metal -This recipe explains how to use KubeArmor directly on VM/Bare-Metal host and was tested on Ubuntu hosts. The recipe installs `kubearmor` as systemd process and `karmor` cli tool to manage policies and show alerts/telemetry. +This recipe explains how to use KubeArmor directly on a VM/Bare-Metal machine, and we tested the following steps on Ubuntu hosts. + +The recipe installs `kubearmor` as systemd process and `karmor` cli tool to manage policies and show alerts/telemetry. ## Download and Install KubeArmor -1. Download the [latest release of KubeArmor](https://github.com/kubearmor/KubeArmor/releases) -2. Install KubeArmor `sudo apt install ./kubearmor_${VER}_linux-amd64.deb` ... where VER is the kubearmor release version. This will automatically install the required dependencies. +1. Download the [latest release](https://github.com/kubearmor/KubeArmor/releases) or KubeArmor. +2. Install KubeArmor (VER is the kubearmor release version) + ``` + sudo apt install ./kubearmor_${VER}_linux-amd64.deb + ``` -> Note: We automatically install `bpfcc-tools` with our package, your distribution might have an older version of BCC so consider installing BCC from [source](https://github.com/iovisor/bcc/blob/master/INSTALL.md#source) in case of errors. + > Note that the above automatically installs `bpfcc-tools` with our package, but your distribution might have an older version of BCC. In case of errors, consider installing `bcc` from [source](https://github.com/iovisor/bcc/blob/master/INSTALL.md#source).
For distributions other than Ubuntu/Debian

1. Refer [Installing BCC](https://github.com/iovisor/bcc/blob/master/INSTALL.md#installing-bcc) to install pre-requisites. + 2. Download release tarball from KubeArmor releases for the version you want + ``` + wget https://github.com/daemon1024/KubeArmor/releases/download/v${VER}/kubearmor_${VER}_linux-amd64.tar.gz + ``` -``` -wget https://github.com/daemon1024/KubeArmor/releases/download/v${VER}/kubearmor_${VER}_linux-amd64.tar.gz -``` 3. Unpack the tarball to the root directory: -``` -sudo tar --no-overwrite-dir -C / -xzf kubearmor_${VER}_linux-amd64.tar.gz -sudo systemctl daemon-reload -``` + ``` + sudo tar --no-overwrite-dir -C / -xzf kubearmor_${VER}_linux-amd64.tar.gz + sudo systemctl daemon-reload + ```

@@ -32,7 +38,7 @@ sudo systemctl daemon-reload sudo systemctl start kubearmor ``` -Check kubearmor status using `sudo systemctl status kubearmor` or use `sudo journalctl -u kubearmor -f` to continuously monitor kubearmor logs. +Check the status of KubeArmor using `sudo systemctl status kubearmor` or use `sudo journalctl -u kubearmor -f` to continuously monitor kubearmor logs. ## Apply sample policy @@ -58,6 +64,8 @@ karmor vm policy add hostpolicy.yaml **Now if you run `sleep` command, the process would be denied execution.** +> Note that `sleep` may not blocked if you run it in the same terminal where you apply the above policy. In that case, please open a new terminal and run `sleep` again to see if the command is blocked. + ## Get Alerts for policies and telemetry ``` diff --git a/getting-started/security_policy_examples.md b/getting-started/security_policy_examples.md index 6628561001..fb67fa045c 100644 --- a/getting-started/security_policy_examples.md +++ b/getting-started/security_policy_examples.md @@ -1,4 +1,4 @@ -# Security Policy Examples +# Examples of Security Policy Here, we demonstrate how to define security policies using our example microservice \(multiubuntu\). diff --git a/getting-started/security_policy_specification.md b/getting-started/security_policy_specification.md index bf901b69e1..5cb2ed1145 100644 --- a/getting-started/security_policy_specification.md +++ b/getting-started/security_policy_specification.md @@ -1,4 +1,4 @@ -# Security Policy Specification for Containers +# Specification of Security Policy for Containers ## Policy Specification From e8f4352a010cc360aefd657151b3f6f799e491a4 Mon Sep 17 00:00:00 2001 From: Jaehyun Nam Date: Tue, 8 Mar 2022 14:12:02 +0000 Subject: [PATCH 3/5] update setup scripts 
Signed-off-by: Jaehyun Nam --- .github/workflows/latest-release.yml | 4 ++-- KubeArmor/build/push_kubearmor.sh | 13 ++++++------ .../self-managed-k8s-selinux/setup.sh | 20 ++++++++++++++++++- contribution/vagrant/Vagrantfile | 5 ++++- 4 files changed, 32 insertions(+), 10 deletions(-) diff --git a/.github/workflows/latest-release.yml b/.github/workflows/latest-release.yml index 5c2baaf19b..ed2bb719ee 100644 --- a/.github/workflows/latest-release.yml +++ b/.github/workflows/latest-release.yml @@ -10,7 +10,7 @@ on: - 'tests/**' - 'protobuf/**' - create: + create: branches: - 'v*' @@ -30,7 +30,7 @@ jobs: run: | if [ ${{ github.ref }} == "refs/heads/main" ]; then echo ::set-output name=tag::latest - else + else echo ::set-output name=tag::${GITHUB_REF#refs/*/} fi diff --git a/KubeArmor/build/push_kubearmor.sh b/KubeArmor/build/push_kubearmor.sh index f3926c242e..2dc11bbd88 100755 --- a/KubeArmor/build/push_kubearmor.sh +++ b/KubeArmor/build/push_kubearmor.sh @@ -3,17 +3,18 @@ # Copyright 2021 Authors of KubeArmor [[ "$REPO" == "" ]] && REPO="kubearmor/kubearmor" -unset VERSION + +VERSION=latest # check version if [ ! -z $1 ]; then - VERSION=":$1" + VERSION="$1" fi # push $REPO -echo "[INFO] Pushing $REPO$VERSION" -docker push $REPO$VERSION +echo "[INFO] Pushing $REPO:$VERSION" +docker push $REPO:$VERSION -[[ $? -ne 0 ]] && echo "[FAILED] Failed to push $REPO$VERSION" && exit 1 -echo "[PASSED] Pushed $REPO$VERSION" +[[ $? -ne 0 ]] && echo "[FAILED] Failed to push $REPO:$VERSION" && exit 1 +echo "[PASSED] Pushed $REPO:$VERSION" exit 0 diff --git a/contribution/self-managed-k8s-selinux/setup.sh b/contribution/self-managed-k8s-selinux/setup.sh index 5b49901819..3f4094c1c2 100755 --- a/contribution/self-managed-k8s-selinux/setup.sh +++ b/contribution/self-managed-k8s-selinux/setup.sh 
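Review bot: `if [ ! -z $1 ]; then` leaves `$1` unquoted, so an argument containing whitespace or a glob character is word-split before `test` sees it, and the same value is expanded unquoted again in `docker push $REPO:$VERSION`; write `if [ -n "$1" ]; then` and `docker push "$REPO:$VERSION"` (same quoting in the two echo lines). Because `VERSION=latest` is now the default, an invocation with no argument moves the floating `latest` tag of the image repository, which is easy to do by accident from a CI job; the script header should state this, e.g. `# usage: push_kubearmor.sh [tag]   # tag defaults to "latest"`, so callers pass an explicit tag. The `$?` check after the push is otherwise fine.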
@@ -2,6 +2,10 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2021 Authors of KubeArmor +# update repo +sudo sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Linux-* +sudo sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-Linux-* + # make a directory to build bcc mkdir -p /tmp/build; cd /tmp/build @@ -25,6 +29,20 @@ fi # install dependencies for selinux sudo dnf -y install policycoreutils-devel setools-console +if [[ $(hostname) = kubearmor-dev* ]]; then + echo >> /home/vagrant/.bashrc + echo "alias lz='ls -lZ'" >> /home/vagrant/.bashrc + echo >> /home/vagrant/.bashrc + mkdir -p /home/vagrant/go; chown -R vagrant:vagrant /home/vagrant/go +elif [ -z "$GOPATH" ]; then + echo >> ~/.bashrc + echo "alias lz='ls -lZ'" >> ~/.bashrc + echo >> ~/.bashrc +fi + +# enable audit mode +sudo semanage dontaudit off + # install golang echo "Installing golang binaries..." goBinary=$(curl -s https://go.dev/dl/ | grep linux | head -n 1 | cut -d'"' -f4 | cut -d"/" -f3) @@ -48,7 +66,7 @@ fi # download protoc mkdir -p /tmp/build/protoc; cd /tmp/build/protoc -wget https://github.com/protocolbuffers/protobuf/releases/download/v3.14.0/protoc-3.14.0-linux-x86_64.zip -O /tmp/build/protoc/protoc-3.14.0-linux-x86_64.zip +wget --quiet https://github.com/protocolbuffers/protobuf/releases/download/v3.14.0/protoc-3.14.0-linux-x86_64.zip -O /tmp/build/protoc/protoc-3.14.0-linux-x86_64.zip # install protoc unzip protoc-3.14.0-linux-x86_64.zip diff --git a/contribution/vagrant/Vagrantfile b/contribution/vagrant/Vagrantfile index 47098fc1ff..d3dacf8388 100644 --- a/contribution/vagrant/Vagrantfile +++ b/contribution/vagrant/Vagrantfile @@ -1,7 +1,7 @@ Vagrant.require_version ">= 2.0.0" if ENV['OS'] == "centos" then - VM_IMG = "generic/centos8" + VM_IMG = "bento/centos-8" VM_NAME = "kubearmor-dev" else # ubuntu if ENV['NETNEXT'] == "1" then 
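Review bot: The added `sed` rewrites the repo `baseurl` to `http://vault.centos.org`, so dnf metadata and RPMs travel over plain HTTP and integrity rests entirely on the `gpgcheck` settings already in those repo files, which the hunk does not touch or verify. The vault is served over TLS, so `baseurl=https://vault.centos.org` keeps transport protection at no cost. A comment stating why the mirrorlist is disabled (presumably because the CentOS Linux 8 mirrors were retired to the vault after EOL) would also help: `# CentOS Linux 8 mirrors are retired; point dnf at the vault archive`.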
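Review bot: The comment `# enable audit mode` above `sudo semanage dontaudit off` understates the effect: it disables the policy's dontaudit rules, so denials that are normally suppressed start appearing in the audit log, which is useful for developing SELinux policy but noisy anywhere but a dev VM; suggest `# log denials normally hidden by dontaudit rules (dev VM only; revert with 'semanage dontaudit on')`. The `.bashrc` appends in both branches are not idempotent, so rerunning the script adds another `lz` alias each time; guard them with `grep -q "alias lz=" ~/.bashrc ||` before the echo. The `mkdir -p /home/vagrant/go; chown -R vagrant:vagrant /home/vagrant/go` line runs without `sudo` unlike the surrounding package commands, so it presumably relies on the script running as root under Vagrant provisioning — worth a comment if that is the assumption.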
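Review bot: `wget --quiet` silences wget's error output but nothing in the hunk checks its exit status, so a failed download surfaces only when the following `unzip protoc-3.14.0-linux-x86_64.zip` fails on a missing or partial file with a less informative error. The archive is also unpacked without any integrity check, so a truncated or tampered download goes unnoticed until something breaks later. Suggest `wget --quiet ... || { echo "[FAILED] protoc download"; exit 1; }` and a digest comparison before `unzip`, e.g. `echo "<PINNED_SHA256>  protoc-3.14.0-linux-x86_64.zip" | sha256sum -c -` (placeholder digest, to be taken from the protobuf release page).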
@@ -74,6 +74,9 @@ Vagrant.configure("2") do |config| # initialize Kubernetes config.vm.provision :shell, path: kubearmor_home + "/contribution/self-managed-k8s-selinux/k8s/initialize_kubernetes.sh" + + # enable SELinux + config.vm.provision :shell, path: kubearmor_home + "/contribution/self-managed-k8s-selinux/enable_selinux.sh" else # ubuntu if ENV['NETNEXT'] == "1" then # install the latest kernel From 36e2f75f902e9842763863172bf51c8fe0339eca Mon Sep 17 00:00:00 2001 From: Jaehyun Nam Date: Tue, 8 Mar 2022 14:12:53 +0000 Subject: [PATCH 4/5] add hostppid field Signed-off-by: Jaehyun Nam --- KubeArmor/feeder/feeder.go | 4 + KubeArmor/monitor/hostLogUpdate.go | 128 ++++++++++++++----------- KubeArmor/monitor/logUpdate.go | 128 ++++++++++++++----------- protobuf/kubearmor.pb.go | 147 ++++++++++++++++------------- protobuf/kubearmor.proto | 4 + 5 files changed, 235 insertions(+), 176 deletions(-) diff --git a/KubeArmor/feeder/feeder.go b/KubeArmor/feeder/feeder.go index dfc0419248..dea039131b 100644 --- a/KubeArmor/feeder/feeder.go +++ b/KubeArmor/feeder/feeder.go @@ -551,7 +551,9 @@ func (fd *Feeder) PushLog(log tp.Log) { pbAlert.ContainerName = log.ContainerName pbAlert.ContainerImage = log.ContainerImage + pbAlert.HostPPID = log.HostPPID pbAlert.HostPID = log.HostPID + pbAlert.PPID = log.PPID pbAlert.PID = log.PID pbAlert.UID = log.UID @@ -611,7 +613,9 @@ func (fd *Feeder) PushLog(log tp.Log) { pbLog.ContainerName = log.ContainerName pbLog.ContainerImage = log.ContainerImage + pbLog.HostPPID = log.HostPPID pbLog.HostPID = log.HostPID + pbLog.PPID = log.PPID pbLog.PID = log.PID pbLog.UID = log.UID diff --git a/KubeArmor/monitor/hostLogUpdate.go b/KubeArmor/monitor/hostLogUpdate.go index fdc4bb22fb..984747576c 100644 --- a/KubeArmor/monitor/hostLogUpdate.go +++ b/KubeArmor/monitor/hostLogUpdate.go 
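Review bot: The same field mapping (`HostPPID`, `HostPID`, `PPID`, `PID`) is now written twice in `PushLog`, once into `pbAlert` and once into `pbLog`, and this commit had to touch both copies; the next field added to `tp.Log` is easy to forget in one of them, which would silently emit alerts and logs that disagree on process identity. At minimum add `// keep in sync with the pbLog assignments below` at the `pbAlert` block, or factor each copy into a small per-message helper. `PushLog` starts and ends outside these hunks.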
@@ -29,16 +29,18 @@ func (mon *SystemMonitor) UpdateHostLogs() { switch msg.ContextSys.EventID { case SysOpen: + if len(msg.ContextArgs) != 2 { + continue + } + var fileName string var fileOpenFlags string - if len(msg.ContextArgs) == 2 { - if val, ok := msg.ContextArgs[0].(string); ok { - fileName = val - } - if val, ok := msg.ContextArgs[1].(string); ok { - fileOpenFlags = val - } + if val, ok := msg.ContextArgs[0].(string); ok { + fileName = val + } + if val, ok := msg.ContextArgs[1].(string); ok { + fileOpenFlags = val } log.Operation = "File" @@ -46,20 +48,22 @@ func (mon *SystemMonitor) UpdateHostLogs() { log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID)) + " flags=" + fileOpenFlags case SysOpenAt: + if len(msg.ContextArgs) != 3 { + continue + } + var fd string var fileName string var fileOpenFlags string - if len(msg.ContextArgs) == 3 { - if val, ok := msg.ContextArgs[0].(int32); ok { - fd = strconv.Itoa(int(val)) - } - if val, ok := msg.ContextArgs[1].(string); ok { - fileName = val - } - if val, ok := msg.ContextArgs[2].(string); ok { - fileOpenFlags = val - } + if val, ok := msg.ContextArgs[0].(int32); ok { + fd = strconv.Itoa(int(val)) + } + if val, ok := msg.ContextArgs[1].(string); ok { + fileName = val + } + if val, ok := msg.ContextArgs[2].(string); ok { + fileOpenFlags = val } log.Operation = "File" @@ -67,12 +71,14 @@ func (mon *SystemMonitor) UpdateHostLogs() { log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID)) + " fd=" + fd + " flags=" + fileOpenFlags case SysClose: + if len(msg.ContextArgs) != 1 { + continue + } + var fd string - if len(msg.ContextArgs) == 1 { - if val, ok := msg.ContextArgs[0].(int32); ok { - fd = strconv.Itoa(int(val)) - } + if val, ok := msg.ContextArgs[0].(int32); ok { + fd = strconv.Itoa(int(val)) } log.Operation = "File" 
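Review bot: The new `if len(msg.ContextArgs) != 2 { continue }` guard at the top of `case SysOpen` (and the equivalent guards in the `SysOpenAt`, `SysClose`, `SysSocket`, `SysConnect`, `SysAccept` and `SysBind` cases of this file and of `logUpdate.go`) drops an event whose argument count does not match without leaving any trace, whereas the old code still emitted a log with empty fields. For a security monitor a silently discarded event is the harder failure to notice: a BPF/userspace argument-layout mismatch would look as if the syscall never happened. A comment above the guard, `// unexpected argument count: skip the event rather than emit a log with empty fields`, plus a debug-level message or counter inside the `if`, would make the drop observable. `UpdateHostLogs` starts and ends outside the hunk, so whether a logger or metric is reachable there is not visible from here.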
@@ -80,20 +86,22 @@ func (mon *SystemMonitor) UpdateHostLogs() { log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID)) + " fd=" + fd case SysSocket: // domain, type, proto + if len(msg.ContextArgs) != 3 { + continue + } + var sockDomain string var sockType string var sockProtocol string - if len(msg.ContextArgs) == 3 { - if val, ok := msg.ContextArgs[0].(string); ok { - sockDomain = val - } - if val, ok := msg.ContextArgs[1].(string); ok { - sockType = val - } - if val, ok := msg.ContextArgs[2].(int32); ok { - sockProtocol = strconv.Itoa(int(val)) - } + if val, ok := msg.ContextArgs[0].(string); ok { + sockDomain = val + } + if val, ok := msg.ContextArgs[1].(string); ok { + sockType = val + } + if val, ok := msg.ContextArgs[2].(int32); ok { + sockProtocol = strconv.Itoa(int(val)) } log.Operation = "Network" @@ -101,16 +109,18 @@ func (mon *SystemMonitor) UpdateHostLogs() { log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID)) case SysConnect: // fd, sockaddr + if len(msg.ContextArgs) != 2 { + continue + } + var fd string var sockAddr map[string]string - if len(msg.ContextArgs) == 2 { - if val, ok := msg.ContextArgs[0].(int32); ok { - fd = strconv.Itoa(int(val)) - } - if val, ok := msg.ContextArgs[1].(map[string]string); ok { - sockAddr = val - } + if val, ok := msg.ContextArgs[0].(int32); ok { + fd = strconv.Itoa(int(val)) + } + if val, ok := msg.ContextArgs[1].(map[string]string); ok { + sockAddr = val } log.Operation = "Network" 
@@ -127,16 +137,18 @@ func (mon *SystemMonitor) UpdateHostLogs() { log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID)) + " fd=" + fd case SysAccept: // fd, sockaddr + if len(msg.ContextArgs) != 2 { + continue + } + var fd string var sockAddr map[string]string - if len(msg.ContextArgs) == 2 { - if val, ok := msg.ContextArgs[0].(int32); ok { - fd = strconv.Itoa(int(val)) - } - if val, ok := msg.ContextArgs[1].(map[string]string); ok { - sockAddr = val - } + if val, ok := msg.ContextArgs[0].(int32); ok { + fd = strconv.Itoa(int(val)) + } + if val, ok := msg.ContextArgs[1].(map[string]string); ok { + sockAddr = val } log.Operation = "Network" @@ -152,16 +164,18 @@ func (mon *SystemMonitor) UpdateHostLogs() { } case SysBind: // fd, sockaddr + if len(msg.ContextArgs) != 2 { + continue + } + var fd string var sockAddr map[string]string - if len(msg.ContextArgs) == 2 { - if val, ok := msg.ContextArgs[0].(int32); ok { - fd = strconv.Itoa(int(val)) - } - if val, ok := msg.ContextArgs[1].(map[string]string); ok { - sockAddr = val - } + if val, ok := msg.ContextArgs[0].(int32); ok { + fd = strconv.Itoa(int(val)) + } + if val, ok := msg.ContextArgs[1].(map[string]string); ok { + sockAddr = val } log.Operation = "Network" @@ -178,12 +192,14 @@ func (mon *SystemMonitor) UpdateHostLogs() { log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID)) + " fd=" + fd case SysListen: // fd + if len(msg.ContextArgs) == 2 { + continue + } + var fd string - if len(msg.ContextArgs) == 2 { - if val, ok := msg.ContextArgs[0].(int32); ok { - fd = strconv.Itoa(int(val)) - } + if val, ok := msg.ContextArgs[0].(int32); ok { + fd = strconv.Itoa(int(val)) } log.Operation = "Network" diff --git a/KubeArmor/monitor/logUpdate.go b/KubeArmor/monitor/logUpdate.go index d0117ff15e..f288646468 100644 --- a/KubeArmor/monitor/logUpdate.go +++ b/KubeArmor/monitor/logUpdate.go 
@@ -114,16 +114,18 @@ func (mon *SystemMonitor) UpdateLogs() { switch msg.ContextSys.EventID { case SysOpen: + if len(msg.ContextArgs) != 2 { + continue + } + var fileName string var fileOpenFlags string - if len(msg.ContextArgs) == 2 { - if val, ok := msg.ContextArgs[0].(string); ok { - fileName = val - } - if val, ok := msg.ContextArgs[1].(string); ok { - fileOpenFlags = val - } + if val, ok := msg.ContextArgs[0].(string); ok { + fileName = val + } + if val, ok := msg.ContextArgs[1].(string); ok { + fileOpenFlags = val } log.Operation = "File" @@ -131,20 +133,22 @@ func (mon *SystemMonitor) UpdateLogs() { log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID)) + " flags=" + fileOpenFlags case SysOpenAt: + if len(msg.ContextArgs) != 3 { + continue + } + var fd string var fileName string var fileOpenFlags string - if len(msg.ContextArgs) == 3 { - if val, ok := msg.ContextArgs[0].(int32); ok { - fd = strconv.Itoa(int(val)) - } - if val, ok := msg.ContextArgs[1].(string); ok { - fileName = val - } - if val, ok := msg.ContextArgs[2].(string); ok { - fileOpenFlags = val - } + if val, ok := msg.ContextArgs[0].(int32); ok { + fd = strconv.Itoa(int(val)) + } + if val, ok := msg.ContextArgs[1].(string); ok { + fileName = val + } + if val, ok := msg.ContextArgs[2].(string); ok { + fileOpenFlags = val } log.Operation = "File" @@ -152,12 +156,14 @@ func (mon *SystemMonitor) UpdateLogs() { log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID)) + " fd=" + fd + " flags=" + fileOpenFlags case SysClose: + if len(msg.ContextArgs) != 1 { + continue + } + var fd string - if len(msg.ContextArgs) == 1 { - if val, ok := msg.ContextArgs[0].(int32); ok { - fd = strconv.Itoa(int(val)) - } + if val, ok := msg.ContextArgs[0].(int32); ok { + fd = strconv.Itoa(int(val)) } log.Operation = "File" 
@@ -165,20 +171,22 @@ func (mon *SystemMonitor) UpdateLogs() { log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID)) + " fd=" + fd case SysSocket: // domain, type, proto + if len(msg.ContextArgs) != 3 { + continue + } + var sockDomain string var sockType string var sockProtocol string - if len(msg.ContextArgs) == 3 { - if val, ok := msg.ContextArgs[0].(string); ok { - sockDomain = val - } - if val, ok := msg.ContextArgs[1].(string); ok { - sockType = val - } - if val, ok := msg.ContextArgs[2].(int32); ok { - sockProtocol = strconv.Itoa(int(val)) - } + if val, ok := msg.ContextArgs[0].(string); ok { + sockDomain = val + } + if val, ok := msg.ContextArgs[1].(string); ok { + sockType = val + } + if val, ok := msg.ContextArgs[2].(int32); ok { + sockProtocol = strconv.Itoa(int(val)) } log.Operation = "Network" @@ -186,16 +194,18 @@ func (mon *SystemMonitor) UpdateLogs() { log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID)) case SysConnect: // fd, sockaddr + if len(msg.ContextArgs) != 2 { + continue + } + var fd string var sockAddr map[string]string - if len(msg.ContextArgs) == 2 { - if val, ok := msg.ContextArgs[0].(int32); ok { - fd = strconv.Itoa(int(val)) - } - if val, ok := msg.ContextArgs[1].(map[string]string); ok { - sockAddr = val - } + if val, ok := msg.ContextArgs[0].(int32); ok { + fd = strconv.Itoa(int(val)) + } + if val, ok := msg.ContextArgs[1].(map[string]string); ok { + sockAddr = val } log.Operation = "Network" 
@@ -212,16 +222,18 @@ func (mon *SystemMonitor) UpdateLogs() { log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID)) + " fd=" + fd case SysAccept: // fd, sockaddr + if len(msg.ContextArgs) != 2 { + continue + } + var fd string var sockAddr map[string]string - if len(msg.ContextArgs) == 2 { - if val, ok := msg.ContextArgs[0].(int32); ok { - fd = strconv.Itoa(int(val)) - } - if val, ok := msg.ContextArgs[1].(map[string]string); ok { - sockAddr = val - } + if val, ok := msg.ContextArgs[0].(int32); ok { + fd = strconv.Itoa(int(val)) + } + if val, ok := msg.ContextArgs[1].(map[string]string); ok { + sockAddr = val } log.Operation = "Network" @@ -237,16 +249,18 @@ func (mon *SystemMonitor) UpdateLogs() { } case SysBind: // fd, sockaddr + if len(msg.ContextArgs) != 2 { + continue + } + var fd string var sockAddr map[string]string - if len(msg.ContextArgs) == 2 { - if val, ok := msg.ContextArgs[0].(int32); ok { - fd = strconv.Itoa(int(val)) - } - if val, ok := msg.ContextArgs[1].(map[string]string); ok { - sockAddr = val - } + if val, ok := msg.ContextArgs[0].(int32); ok { + fd = strconv.Itoa(int(val)) + } + if val, ok := msg.ContextArgs[1].(map[string]string); ok { + sockAddr = val } log.Operation = "Network" @@ -263,12 +277,14 @@ func (mon *SystemMonitor) UpdateLogs() { log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID)) + " fd=" + fd case SysListen: // fd + if len(msg.ContextArgs) != 2 { + continue + } + var fd string - if len(msg.ContextArgs) == 2 { - if val, ok := msg.ContextArgs[0].(int32); ok { - fd = strconv.Itoa(int(val)) - } + if val, ok := msg.ContextArgs[0].(int32); ok { + fd = strconv.Itoa(int(val)) } log.Operation = "Network" diff --git a/protobuf/kubearmor.pb.go b/protobuf/kubearmor.pb.go index 337f265e01..e5414dbea0 100644 --- a/protobuf/kubearmor.pb.go +++ b/protobuf/kubearmor.pb.go 
@@ -208,6 +208,7 @@ type Alert struct { ContainerImage string `protobuf:"bytes,24,opt,name=ContainerImage,proto3" json:"ContainerImage,omitempty"` ParentProcessName string `protobuf:"bytes,25,opt,name=ParentProcessName,proto3" json:"ParentProcessName,omitempty"` ProcessName string `protobuf:"bytes,26,opt,name=ProcessName,proto3" json:"ProcessName,omitempty"` + HostPPID int32 `protobuf:"varint,27,opt,name=HostPPID,proto3" json:"HostPPID,omitempty"` } func (x *Alert) Reset() { @@ -424,6 +425,13 @@ func (x *Alert) GetProcessName() string { return "" } +func (x *Alert) GetHostPPID() int32 { + if x != nil { + return x.HostPPID + } + return 0 +} + // log struct type Log struct { state protoimpl.MessageState @@ -451,6 +459,7 @@ type Log struct { ContainerImage string `protobuf:"bytes,19,opt,name=ContainerImage,proto3" json:"ContainerImage,omitempty"` ParentProcessName string `protobuf:"bytes,20,opt,name=ParentProcessName,proto3" json:"ParentProcessName,omitempty"` ProcessName string `protobuf:"bytes,21,opt,name=ProcessName,proto3" json:"ProcessName,omitempty"` + HostPPID int32 `protobuf:"varint,22,opt,name=HostPPID,proto3" json:"HostPPID,omitempty"` } func (x *Log) Reset() { @@ -632,6 +641,13 @@ func (x *Log) GetProcessName() string { return "" } +func (x *Log) GetHostPPID() int32 { + if x != nil { + return x.HostPPID + } + return 0 +} + // request message type RequestMessage struct { state protoimpl.MessageState 
@@ -749,7 +765,7 @@ var file_kubearmor_proto_rawDesc = []byte{ 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x18, 0x0a, 0x07, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x4d, 0x65, - 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0xeb, 0x05, 0x0a, 0x05, 0x41, 0x6c, 0x65, 0x72, 0x74, 0x12, + 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x87, 0x06, 0x0a, 0x05, 0x41, 0x6c, 0x65, 0x72, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x20, 0x0a, 0x0b, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 
@@ -796,69 +812,72 @@ var file_kubearmor_proto_rawDesc = []byte{ 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x1a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4e, - 0x61, 0x6d, 0x65, 0x22, 0xe7, 0x04, 0x0a, 0x03, 0x4c, 0x6f, 0x67, 0x12, 0x1c, 0x0a, 0x09, 0x54, - 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, - 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x20, 0x0a, 0x0b, 0x55, 0x70, 0x64, - 0x61, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, - 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x43, - 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x0b, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, - 0x08, 0x48, 0x6f, 0x73, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x08, 0x48, 0x6f, 0x73, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x24, 0x0a, 0x0d, 0x4e, 0x61, 0x6d, - 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x0d, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, - 0x18, 0x0a, 0x07, 0x50, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x07, 0x50, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x43, 0x6f, 0x6e, - 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x49, 0x44, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, - 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x49, 0x44, 0x12, 0x24, 0x0a, 0x0d, 0x43, - 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0d, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 
0x72, 0x4e, 0x61, 0x6d, - 0x65, 0x12, 0x18, 0x0a, 0x07, 0x48, 0x6f, 0x73, 0x74, 0x50, 0x49, 0x44, 0x18, 0x09, 0x20, 0x01, - 0x28, 0x05, 0x52, 0x07, 0x48, 0x6f, 0x73, 0x74, 0x50, 0x49, 0x44, 0x12, 0x12, 0x0a, 0x04, 0x50, - 0x50, 0x49, 0x44, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x05, 0x52, 0x04, 0x50, 0x50, 0x49, 0x44, 0x12, - 0x10, 0x0a, 0x03, 0x50, 0x49, 0x44, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x05, 0x52, 0x03, 0x50, 0x49, - 0x44, 0x12, 0x10, 0x0a, 0x03, 0x55, 0x49, 0x44, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x05, 0x52, 0x03, - 0x55, 0x49, 0x44, 0x12, 0x12, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x18, 0x0d, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x53, 0x6f, 0x75, 0x72, 0x63, - 0x65, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, - 0x1c, 0x0a, 0x09, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0f, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x09, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1a, 0x0a, - 0x08, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x10, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x08, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x44, 0x61, 0x74, - 0x61, 0x18, 0x11, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x44, 0x61, 0x74, 0x61, 0x12, 0x16, 0x0a, - 0x06, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x18, 0x12, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x52, - 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x26, 0x0a, 0x0e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, - 0x65, 0x72, 0x49, 0x6d, 0x61, 0x67, 0x65, 0x18, 0x13, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x43, - 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x49, 0x6d, 0x61, 0x67, 0x65, 0x12, 0x2c, 0x0a, - 0x11, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4e, 0x61, - 0x6d, 0x65, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, - 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x50, - 0x72, 0x6f, 
0x63, 0x65, 0x73, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x15, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x0b, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x28, 0x0a, - 0x0e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, - 0x16, 0x0a, 0x06, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x06, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x22, 0x26, 0x0a, 0x0c, 0x52, 0x65, 0x70, 0x6c, 0x79, - 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x52, 0x65, 0x74, 0x76, 0x61, - 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x06, 0x52, 0x65, 0x74, 0x76, 0x61, 0x6c, 0x32, - 0xef, 0x01, 0x0a, 0x0a, 0x4c, 0x6f, 0x67, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x39, - 0x0a, 0x0b, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x12, 0x14, 0x2e, - 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4e, 0x6f, 0x6e, 0x63, 0x65, 0x4d, 0x65, 0x73, 0x73, - 0x61, 0x67, 0x65, 0x1a, 0x14, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, - 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x3a, 0x0a, 0x0d, 0x57, 0x61, 0x74, - 0x63, 0x68, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x73, 0x12, 0x16, 0x2e, 0x66, 0x65, 0x65, - 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, - 0x67, 0x65, 0x1a, 0x0f, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4d, 0x65, 0x73, 0x73, - 0x61, 0x67, 0x65, 0x30, 0x01, 0x12, 0x36, 0x0a, 0x0b, 0x57, 0x61, 0x74, 0x63, 0x68, 0x41, 0x6c, - 0x65, 0x72, 0x74, 0x73, 0x12, 0x16, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x0d, 0x2e, 0x66, - 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x41, 0x6c, 0x65, 0x72, 0x74, 0x30, 0x01, 0x12, 0x32, 0x0a, - 0x09, 0x57, 0x61, 0x74, 0x63, 0x68, 0x4c, 0x6f, 0x67, 0x73, 0x12, 0x16, 0x2e, 0x66, 0x65, 0x65, - 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x71, 0x75, 
0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, - 0x67, 0x65, 0x1a, 0x0b, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, 0x67, 0x30, - 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, 0x72, - 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x48, 0x6f, 0x73, 0x74, 0x50, 0x50, 0x49, 0x44, 0x18, + 0x1b, 0x20, 0x01, 0x28, 0x05, 0x52, 0x08, 0x48, 0x6f, 0x73, 0x74, 0x50, 0x50, 0x49, 0x44, 0x22, + 0x83, 0x05, 0x0a, 0x03, 0x4c, 0x6f, 0x67, 0x12, 0x1c, 0x0a, 0x09, 0x54, 0x69, 0x6d, 0x65, 0x73, + 0x74, 0x61, 0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x54, 0x69, 0x6d, 0x65, + 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x20, 0x0a, 0x0b, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, + 0x54, 0x69, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x55, 0x70, 0x64, 0x61, + 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x43, 0x6c, 0x75, 0x73, 0x74, + 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x43, 0x6c, + 0x75, 0x73, 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x48, 0x6f, 0x73, + 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x48, 0x6f, 0x73, + 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x24, 0x0a, 0x0d, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, + 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x4e, 0x61, + 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x50, + 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x50, 0x6f, + 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, + 0x65, 0x72, 0x49, 0x44, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 
0x52, 0x0b, 0x43, 0x6f, 0x6e, 0x74, + 0x61, 0x69, 0x6e, 0x65, 0x72, 0x49, 0x44, 0x12, 0x24, 0x0a, 0x0d, 0x43, 0x6f, 0x6e, 0x74, 0x61, + 0x69, 0x6e, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, + 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, + 0x07, 0x48, 0x6f, 0x73, 0x74, 0x50, 0x49, 0x44, 0x18, 0x09, 0x20, 0x01, 0x28, 0x05, 0x52, 0x07, + 0x48, 0x6f, 0x73, 0x74, 0x50, 0x49, 0x44, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x50, 0x49, 0x44, 0x18, + 0x0a, 0x20, 0x01, 0x28, 0x05, 0x52, 0x04, 0x50, 0x50, 0x49, 0x44, 0x12, 0x10, 0x0a, 0x03, 0x50, + 0x49, 0x44, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x05, 0x52, 0x03, 0x50, 0x49, 0x44, 0x12, 0x10, 0x0a, + 0x03, 0x55, 0x49, 0x44, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x05, 0x52, 0x03, 0x55, 0x49, 0x44, 0x12, + 0x12, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x54, + 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x0e, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x06, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x4f, + 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, + 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x52, 0x65, 0x73, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x10, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x52, 0x65, 0x73, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x44, 0x61, 0x74, 0x61, 0x18, 0x11, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x04, 0x44, 0x61, 0x74, 0x61, 0x12, 0x16, 0x0a, 0x06, 0x52, 0x65, 0x73, + 0x75, 0x6c, 0x74, 0x18, 0x12, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x52, 0x65, 0x73, 0x75, 0x6c, + 0x74, 0x12, 0x26, 0x0a, 0x0e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x49, 0x6d, + 0x61, 0x67, 0x65, 0x18, 0x13, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x43, 0x6f, 0x6e, 0x74, 0x61, + 0x69, 0x6e, 0x65, 0x72, 0x49, 0x6d, 0x61, 0x67, 0x65, 0x12, 0x2c, 0x0a, 0x11, 0x50, 0x61, 0x72, + 
0x65, 0x6e, 0x74, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x14, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x50, 0x72, 0x6f, 0x63, + 0x65, 0x73, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x50, 0x72, 0x6f, 0x63, 0x65, + 0x73, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x15, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x50, 0x72, + 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x48, 0x6f, 0x73, + 0x74, 0x50, 0x50, 0x49, 0x44, 0x18, 0x16, 0x20, 0x01, 0x28, 0x05, 0x52, 0x08, 0x48, 0x6f, 0x73, + 0x74, 0x50, 0x50, 0x49, 0x44, 0x22, 0x28, 0x0a, 0x0e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x46, 0x69, 0x6c, 0x74, 0x65, + 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x22, + 0x26, 0x0a, 0x0c, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, + 0x16, 0x0a, 0x06, 0x52, 0x65, 0x74, 0x76, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, + 0x06, 0x52, 0x65, 0x74, 0x76, 0x61, 0x6c, 0x32, 0xef, 0x01, 0x0a, 0x0a, 0x4c, 0x6f, 0x67, 0x53, + 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x39, 0x0a, 0x0b, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, + 0x43, 0x68, 0x65, 0x63, 0x6b, 0x12, 0x14, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x4e, + 0x6f, 0x6e, 0x63, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x14, 0x2e, 0x66, 0x65, + 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, + 0x65, 0x12, 0x3a, 0x0a, 0x0d, 0x57, 0x61, 0x74, 0x63, 0x68, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, + 0x65, 0x73, 0x12, 0x16, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x0f, 0x2e, 0x66, 0x65, 0x65, + 0x64, 0x65, 0x72, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x30, 0x01, 0x12, 0x36, 0x0a, + 0x0b, 0x57, 0x61, 0x74, 0x63, 0x68, 
0x41, 0x6c, 0x65, 0x72, 0x74, 0x73, 0x12, 0x16, 0x2e, 0x66, + 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, + 0x73, 0x61, 0x67, 0x65, 0x1a, 0x0d, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x41, 0x6c, + 0x65, 0x72, 0x74, 0x30, 0x01, 0x12, 0x32, 0x0a, 0x09, 0x57, 0x61, 0x74, 0x63, 0x68, 0x4c, 0x6f, + 0x67, 0x73, 0x12, 0x16, 0x2e, 0x66, 0x65, 0x65, 0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x0b, 0x2e, 0x66, 0x65, 0x65, + 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, 0x67, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x61, 0x72, 0x6d, 0x6f, + 0x72, 0x2f, 0x4b, 0x75, 0x62, 0x65, 0x41, 0x72, 0x6d, 0x6f, 0x72, 0x2f, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/protobuf/kubearmor.proto b/protobuf/kubearmor.proto index 9eea9332ec..c8593a2ba7 100644 --- a/protobuf/kubearmor.proto +++ b/protobuf/kubearmor.proto @@ -62,6 +62,8 @@ message Alert { string ParentProcessName = 25; string ProcessName = 26; + + int32 HostPPID = 27; } // log struct @@ -95,6 +97,8 @@ message Log { string ParentProcessName = 20; string ProcessName = 21; + + int32 HostPPID = 22; } // request message From a97df0d0436cda2e80985052202a29c8f92e26a8 Mon Sep 17 00:00:00 2001 From: Jaehyun Nam Date: Fri, 11 Mar 2022 08:17:49 +0000 Subject: [PATCH 5/5] update documents Signed-off-by: Jaehyun Nam --- contribution/testing_guide.md | 8 ++++---- getting-started/kubearmor_vm.md | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/contribution/testing_guide.md b/contribution/testing_guide.md index bb3ca72933..702b472fd9 100644 --- a/contribution/testing_guide.md +++ b/contribution/testing_guide.md 
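Review bot: The new `int32 HostPPID = 27;` in `Alert` and `int32 HostPPID = 22;` in `Log` carry no comment and sit apart from the PID fields they complement, so a consumer of the .proto has to infer from the name alone that this is the parent PID as seen in the host PID namespace. A comment on both fields, `// parent PID in the host PID namespace (see HostPID)`, would fix that; the assumption should be confirmed against where the monitor populates `log.HostPPID`, which is not in this patch. Appending fresh field numbers rather than renumbering is the right choice for wire compatibility with older clients.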
@@ -1,8 +1,8 @@ # Testing Guide -There are two ways to check the functionalities of KubeArmor: 1) testing kubeArmor in manual and 2) using the testing framework. +There are two ways to check the functionalities of KubeArmor: 1) testing kubeArmor manually and 2) using the testing framework. -# 1. Test KubeArmor in manual +# 1. Test KubeArmor manually ## 1.1. Run 'kubectl proxy' in background @@ -73,7 +73,7 @@ $ kubectl -n [namespace name] exec -it [pod name] -- bash -c [command] --msgPath string Output location for messages, {path|stdout|none} (default "none") ``` - Note that you will see alerts and logs generated right after `karmor` runs logs; thus, we recommend to run the above command in other terminal to see logs live and in an interactive way to avoid any kind of interference. + Note that you will see alerts and logs generated right after `karmor` runs logs; thus, we recommend to run the above command in other terminal to see logs live. # 2. Test KubeArmor using the auto-testing framework @@ -174,7 +174,7 @@ The auto-testing framework operates based on two things: microservices and testc - The case that KubeArmor is running as a daemonset in Kubernetes - Run the auto-testing framework + Run the testing framework ```text $ cd KubeArmor/tests diff --git a/getting-started/kubearmor_vm.md b/getting-started/kubearmor_vm.md index f7ee2f7319..c16970e6d3 100644 --- a/getting-started/kubearmor_vm.md +++ b/getting-started/kubearmor_vm.md @@ -21,7 +21,7 @@ The recipe installs `kubearmor` as systemd process and `karmor` cli tool to mana 2. Download release tarball from KubeArmor releases for the version you want ``` - wget https://github.com/daemon1024/KubeArmor/releases/download/v${VER}/kubearmor_${VER}_linux-amd64.tar.gz + wget https://github.com/KubeArmor/KubeArmor/releases/download/v${VER}/kubearmor_${VER}_linux-amd64.tar.gz ``` 3. Unpack the tarball to the root directory: