feat: add cobra cli #1

Merged
merged 4 commits into from
Sep 15, 2023
74 changes: 74 additions & 0 deletions README.md
@@ -0,0 +1,74 @@
# ARX: Advisor for Kubernetes

ARX is a powerful kubectl plugin designed to enhance the security of your Kubernetes clusters. The Advisor component allows users to automatically generate crucial security resources like Network Policies, Seccomp Profiles, and more for Kubernetes pods or services.

## Table of Contents
- [ARX: Advisor for Kubernetes](#arx-advisor-for-kubernetes)
- [Table of Contents](#table-of-contents)
- [🌟 Features](#-features)
- [🛠️ Prequisites](#️-prequisites)
- [📦 Installation](#-installation)
- [🔨 Usage](#-usage)
- [🔒 Generate Network Policies](#-generate-network-policies)
- [🛡️ Generate Seccomp Profiles](#️-generate-seccomp-profiles)
- [🤝 Contributing](#-contributing)
- [📄 License](#-license)
- [🙏 Acknowledgments](#-acknowledgments)

## 🌟 Features

WIP

## 🛠️ Prequisites

- Kubernetes cluster v1.18+
- kubectl v1.18+

## 📦 Installation

You can install ARX via Krew, the plugin manager for kubectl:

```bash
kubectl krew install arx
```

Or manually download the release and place it in your PATH:

```bash
# Download the release and set it as executable
wget https://github.com/arx-inc/advisor/releases/download/v1.0.0/arx
chmod +x arx
mv arx /usr/local/bin/
```

## 🔨 Usage

### 🔒 Generate Network Policies

```bash
kubectl arx gen networkpolicy [pod-name] --namespace [namespace-name]
```

### 🛡️ Generate Seccomp Profiles

```bash
kubectl arx gen seccomp [pod-name] --namespace [namespace-name]
```

For more details on the commands:

```bash
kubectl arx --help
```

## 🤝 Contributing

Contributions are welcome! Please read the contributing guide to get started.

## 📄 License

This project is licensed under the [PLACEHOLDER] License - see the [LICENSE.md](LICENSE.md) file for details.

## 🙏 Acknowledgments

Thanks to the Kubernetes community for the excellent tools and libraries.
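Review bot: the manual install block (`wget .../releases/download/v1.0.0/arx`, `chmod +x arx`, `mv arx /usr/local/bin/`) tells users to run a downloaded binary with no integrity check; publish a checksum file (and ideally a signature) alongside each release and add a verification step such as `sha256sum -c` between the download and `chmod +x`, and note that the `mv` into `/usr/local/bin/` normally needs `sudo`. Smaller points in the same hunk: "Prequisites" is misspelled both as a heading and in its table-of-contents anchor ("Prerequisites"), the License section still reads "[PLACEHOLDER]", and the Usage section advertises `kubectl arx gen seccomp` even though the `seccompCmd` in this PR only prints a message, so that section should be marked WIP like Features until a profile is actually generated.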
52 changes: 34 additions & 18 deletions advisor/README.md
@@ -1,24 +1,6 @@
Sudo Filter Logic
=================

type PodTraffic struct {
UUID string
SrcPodName string
SrcIP string
SrcNamespace string
DstPodName string
DstIP string
DstNamespace string
TimeStamp string
}

type PodSpec struct {
UUID string
Name string
Namespace string
Spec map[string]interface{}
}

For Pod get all the traffic relating to it
Get the PodSpec for the Pod
Iterate all Ingress for each Source Pod
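Review bot: the heading "Sudo Filter Logic" left as context should read "Pseudo Filter Logic" (this file is pseudocode for the filter and has nothing to do with sudo); since the hunk already rewrites the top of the file, fix it here. With the `PodTraffic`/`PodSpec` definitions deleted in this hunk, the remaining step "Get the PodSpec for the Pod" refers to a `PodSpec` type that no longer exists in the file; point it at the `PodDetail` type introduced further down instead.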
@@ -39,3 +21,37 @@ Day 2?
- Potentially split ingress and egress into separate policies?
- Support CIDR ranges and external to cluster traffic
- All protocol types








NetPol

type PodTraffic struct {
UUID string `yaml:"uuid" json:"uuid"`
SrcPodName string `yaml:"pod_name" json:"pod_name"`
SrcIP string `yaml:"pod_ip" json:"pod_ip"`
SrcNamespace string `yaml:"pod_namespace" json:"pod_namespace"`
SrcPodPort string `yaml:"pod_port" json:"pod_port"`
TrafficType string `yaml:"traffic_type" json:"traffic_type"`
DstIP string `yaml:"traffic_in_out_ip" json:"traffic_in_out_ip"`
DstPort string `yaml:"traffic_in_out_port" json:"traffic_in_out_port"`
Protocol v1.Protocol `yaml:"ip_protocol" json:"ip_protocol"`
}

type PodDetail struct {
UUID string `yaml:"uuid" json:"uuid"`
PodIP string `yaml:"pod_ip" json:"pod_ip"`
Name string `yaml:"pod_name" json:"pod_name"`
Namespace string `yaml:"pod_namespace" json:"pod_namespace"`
Pod v1.Pod `yaml:"pod_obj" json:"pod_obj"`
}


When [POD] receives INGRESS the network policy for INGRESS should use DstIP to get the PodDetails for that PodIP. The SrcPodPort is the port the INGRESS traffic came through.

When [POD] receives EGRESS the network policy for EGRESS should use DstIP to get the PodDetails for that PodIP. The DstPort is the port the EGRESS traffic left through.
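Review bot: the `PodTraffic` field names do not match their meaning: `SrcPodName`/`SrcIP`/`SrcNamespace`/`SrcPodPort` describe the observed pod whether the record is INGRESS or EGRESS, and `DstIP`/`DstPort` (tags `traffic_in_out_ip`/`traffic_in_out_port`) describe the remote peer in both directions, which is why both closing paragraphs say to look up `DstIP`; rename them to something direction-neutral (`PodIP`/`PeerIP`, `PodPort`/`PeerPort`) or document this convention next to the struct, and make `TrafficType` a typed constant set (INGRESS/EGRESS) rather than a free `string` so the direction check in the generator cannot silently fall through on a misspelled value. Also spell out which `v1` package `v1.Protocol` and `v1.Pod` come from (presumably k8s.io/api/core/v1), and drop the eight consecutive blank lines before "NetPol". One design point worth a sentence in this doc: a policy generated from observed `PodTraffic` only allows what was seen during the capture window, so any peer missing from the capture will be denied once the policy is applied and the generated NetworkPolicy should be reviewed before apply.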
60 changes: 60 additions & 0 deletions advisor/cmd/gen.go
@@ -0,0 +1,60 @@
package cmd

import (
"fmt"
"log"
"os"

"github.com/arx-inc/advisor/pkg/k8s"
"github.com/spf13/cobra"
)

var genCmd = &cobra.Command{
Use: "gen",
Short: "Generate resources",
}

var networkPolicyCmd = &cobra.Command{
Use: "networkpolicy [pod-name]",
Aliases: []string{"netpol"},
Short: "Generate network policy",
Args: cobra.ExactArgs(1),
Run: func(cmd *cobra.Command, args []string) {

kubeconfig, _ := cmd.Flags().GetString("kubeconfig")
namespace, _ := cmd.Flags().GetString("namespace")

config, err := k8s.NewConfig(kubeconfig, namespace)
if err != nil {
fmt.Println("Error initializing Kubernetes client:", err)
os.Exit(1)
}

fmt.Printf("Using kubeconfig file: %s\n", config.Kubeconfig)
fmt.Printf("Using namespace: %s\n", config.Namespace)

podName := args[0]

stopChan, errChan, done := k8s.PortForward(config)
<-done // Block until we receive a notification from the goroutine that port-forwarding has been set up
go func() {
for err := range errChan {
log.Fatalf("Failed to start port-forwarding: %v", err)
}
}()
fmt.Println("Port forwarding set up successfully.")
k8s.GenerateNetworkPolicy(podName, config)
close(stopChan)
},
}

var seccompCmd = &cobra.Command{
Use: "seccomp [pod-name]",
Aliases: []string{"sc"},
Short: "Generate seccomp profile",
Args: cobra.ExactArgs(1),
Run: func(cmd *cobra.Command, args []string) {
podName := args[0]
fmt.Printf("Generating seccomp profile for pod: %s\n", podName)
},
}
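Review bot: the error handling around `k8s.PortForward` in `networkPolicyCmd` has an ordering problem: `Run` blocks on `<-done` before the goroutine that drains `errChan` is started, so if `PortForward` sends a setup error on `errChan` before (or instead of) signalling `done`, the command either deadlocks or never sees the error; wait with a `select { case <-done: case err := <-errChan: ... }` and start the drain goroutine before blocking. Related: `log.Fatalf` inside that goroutine exits the process without ever reaching `close(stopChan)`, and errors are written to stdout via `fmt.Println` followed by `os.Exit(1)`; switch both commands to `RunE` and return the error so cobra reports it on stderr and a deferred `close(stopChan)` still runs. The two `_` discards on `GetString` are harmless only because both flags are registered as persistent flags on `genCmd` in root.go; `seccompCmd` currently just prints a message, so hide it or mark it not implemented until it generates a profile.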
134 changes: 0 additions & 134 deletions advisor/cmd/main.go

This file was deleted.

33 changes: 33 additions & 0 deletions advisor/cmd/root.go
@@ -0,0 +1,33 @@
package cmd

import (
"fmt"
"os"

"github.com/spf13/cobra"
)

func init() {
genCmd.AddCommand(networkPolicyCmd, seccompCmd)
genCmd.PersistentFlags().String("kubeconfig", "", "Path to the kubeconfig file to use for CLI requests.")
genCmd.PersistentFlags().String("namespace", "", "If present, the namespace scope for this CLI request")

rootCmd.AddCommand(genCmd)
}

var rootCmd = &cobra.Command{
Use: "arx",
Short: "Arx is a security tool for enhancing Kubernetes application profiles",
Long: `Arx is designed to improve the security profile of applications running in
Kubernetes clusters. It provides various functionalities like generating network
policies, seccomp profiles, and more to ensure that your applications meet
best security practices.
Complete documentation is available at [Your Documentation URL]`,
}

func Execute() {
if err := rootCmd.Execute(); err != nil {
fmt.Println(err)
os.Exit(1)
}
}
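Review bot: `Execute()` is exported here but no `main` package calling `cmd.Execute()` is visible in this diff, while `advisor/cmd/main.go` is deleted in the same PR; make sure a `main.go` (for example at `advisor/main.go`) that invokes `cmd.Execute()` is part of the change, otherwise the binary has no entrypoint. Smaller points: the `Long` text ships "[Your Documentation URL]" in user-visible `--help` output, so fill it in or drop the sentence; `--kubeconfig` and `--namespace` default to empty strings, so `k8s.NewConfig` must fall back to `$KUBECONFIG`/`~/.kube/config` and the current context's namespace the way kubectl does, which a kubectl plugin is expected to honour (consider wiring `genericclioptions.ConfigFlags` from k8s.io/cli-runtime instead of hand-rolled flags); and `fmt.Println(err)` in `Execute` duplicates cobra's own error output and goes to stdout rather than stderr, so either set `rootCmd.SilenceErrors = true` and print to `os.Stderr`, or just exit.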