├── .dockerignore ├── .github ├── dependabot.yml ├── pull_request_template.md └── workflows │ ├── latest-release.yaml │ ├── pr-checks.yaml │ ├── release-helm-charts.yaml │ ├── release-image.yaml │ └── stable-release.yaml ├── .gitignore ├── .licenserc.yaml ├── CONTRIBUTING.md ├── Dockerfile ├── LICENSE ├── Makefile ├── PROJECT ├── README.md ├── api └── v1alpha1 │ ├── clusternimbuspolicy_types.go │ ├── clustersecurityintentbinding_types.go │ ├── groupversion_info.go │ ├── nimbuspolicy_types.go │ ├── securityintent_types.go │ ├── securityintentbinding_types.go │ └── zz_generated.deepcopy.go ├── cmd └── main.go ├── config ├── crd │ ├── bases │ │ ├── intent.security.nimbus.com_clusternimbuspolicies.yaml │ │ ├── intent.security.nimbus.com_clustersecurityintentbindings.yaml │ │ ├── intent.security.nimbus.com_nimbuspolicies.yaml │ │ ├── intent.security.nimbus.com_securityintentbindings.yaml │ │ └── intent.security.nimbus.com_securityintents.yaml │ ├── kustomization.yaml │ └── kustomizeconfig.yaml ├── default │ └── kustomization.yaml ├── manager │ ├── kustomization.yaml │ └── manager.yaml ├── prometheus │ ├── kustomization.yaml │ └── monitor.yaml ├── rbac │ ├── kustomization.yaml │ ├── leader_election_role.yaml │ ├── leader_election_role_binding.yaml │ ├── role.yaml │ ├── role_binding.yaml │ └── service_account.yaml └── samples │ ├── intent_v1_clusternimbuspolicy.yaml │ ├── intent_v1_clustersecurityintentbinding.yaml │ ├── intent_v1_nimbuspolicy.yaml │ ├── intent_v1_securityintent.yaml │ ├── intent_v1_securityintentbinding.yaml │ └── kustomization.yaml ├── deployments ├── nimbus-k8tls │ ├── .helmignore │ ├── Chart.yaml │ ├── Readme.md │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── k8tls-role.yaml │ │ ├── namespace.yaml │ │ ├── role.yaml │ │ ├── rolebinding.yaml │ │ ├── secret.yaml │ │ └── serviceaccount.yaml │ └── values.yaml ├── nimbus-kubearmor │ ├── .helmignore │ ├── Chart.yaml │ ├── Readme.md │ ├── templates 
│ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── deployment.yaml │ │ ├── role.yaml │ │ ├── rolebinding.yaml │ │ └── serviceaccount.yaml │ └── values.yaml ├── nimbus-kyverno │ ├── .helmignore │ ├── Chart.yaml │ ├── Readme.md │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── clusterrole.yaml │ │ ├── deployment.yaml │ │ ├── role.yaml │ │ ├── rolebinding.yaml │ │ └── serviceaccount.yaml │ └── values.yaml ├── nimbus-netpol │ ├── .helmignore │ ├── Chart.yaml │ ├── Readme.md │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── deployment.yaml │ │ ├── role.yaml │ │ ├── rolebinding.yaml │ │ └── serviceaccount.yaml │ └── values.yaml └── nimbus │ ├── .helmignore │ ├── Chart.yaml │ ├── Readme.md │ ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── crds.yaml │ ├── deployment.yaml │ ├── rolebindings.yaml │ ├── roles.yaml │ └── serviceaccount.yaml │ └── values.yaml ├── docs ├── adapters.md ├── assets │ ├── 1.jpg │ ├── 2.jpg │ ├── 3.jpg │ └── 4.jpg ├── attack-emulation │ ├── README.md │ ├── dns-manipulation │ │ ├── README.md │ │ └── images │ │ │ ├── create-adversary.png │ │ │ ├── create-nginx-pod.png │ │ │ ├── delete-nginx-pod.png │ │ │ ├── edit-dns-info.png │ │ │ ├── emulation.png │ │ │ ├── operation.png │ │ │ └── print-resolv.png │ ├── escape-to-host │ │ ├── README.md │ │ └── images │ │ │ ├── create-adversary.png │ │ │ ├── create-test-pod.png │ │ │ ├── delete-test-pod.png │ │ │ ├── emulation.png │ │ │ ├── get-pod.png │ │ │ ├── make-changes.png │ │ │ └── operation.png │ ├── exploit-pfa │ │ ├── README.md │ │ └── images │ │ │ ├── clone-repo.png │ │ │ ├── create-adversary.png │ │ │ ├── create-test-pod.png │ │ │ ├── delete-test-pod.png │ │ │ ├── emulation.png │ │ │ ├── get-pod.png │ │ │ ├── install-git.png │ │ │ ├── move-git.png │ │ │ └── operation.png │ ├── images │ │ ├── agent-running.png │ │ └── agent.png │ └── pod.yaml ├── crd │ ├── Readme.md │ └── v1alpha1 │ │ ├── clustersecurityintentbinding.md │ │ ├── securityintent.md │ │ └── securityintentbinding.md 
├── getting-started.md ├── intents │ ├── assess-tls.md │ ├── coco-workload.md │ ├── deny-external-network-access.md │ ├── dns-manipulation.md │ ├── escape-to-host.md │ ├── exploit-pfa.md │ ├── pkg-mgr-execution.md │ └── supportedIntents.md ├── nimbus.png └── quick-tutorials.md ├── examples ├── clusterscoped │ ├── assesstls-default.yaml │ ├── assesstls-with-external-addresses.yaml │ ├── assesstls-with-schedule.yaml │ ├── coco-workload-si-sib.yaml │ ├── csib-1-all-ns-selector.yaml │ ├── csib-2-match-names.yaml │ ├── csib-3-exclude-names.yaml │ ├── deny-external-network-access.yaml │ └── escape-to-host-si-csib-with-params.yaml ├── env │ ├── httpd-deploy.yaml │ └── nginx-deploy.yaml └── namespaced │ ├── cel-multi-si-sib-namespaced.yaml │ ├── coco-workload-si-sib.yaml │ ├── dns-manipulation-si-sib.yaml │ ├── escape-to-host-si-sib.yaml │ ├── escape-to-host-with-params.yaml │ ├── exploit-pfa-si-sib.yaml │ ├── multiple-si-sib-namespaced.yaml │ ├── pkg-mgr-exec-si-sib.yaml │ └── virtual-patch-si-sib.yaml ├── go.mod ├── go.sum ├── hack └── boilerplate.go.txt ├── internal └── controller │ ├── clustersecurityintentbinding_controller.go │ ├── securityintent_controller.go │ ├── securityintentbinding_controller.go │ └── util.go ├── pkg ├── adapter │ ├── common │ │ └── common.go │ ├── idpool │ │ └── idpool.go │ ├── k8s │ │ └── client.go │ ├── nimbus-k8tls │ │ ├── .dockerignore │ │ ├── Dockerfile │ │ ├── Makefile │ │ ├── builder │ │ │ └── builder.go │ │ ├── go.mod │ │ ├── go.sum │ │ ├── main.go │ │ ├── manager │ │ │ ├── cronjob.go │ │ │ ├── k8tls.go │ │ │ └── manager.go │ │ └── watcher │ │ │ └── watcher.go │ ├── nimbus-kubearmor │ │ ├── .dockerignore │ │ ├── Dockerfile │ │ ├── Makefile │ │ ├── go.mod │ │ ├── go.sum │ │ ├── main.go │ │ ├── manager │ │ │ └── manager.go │ │ ├── processor │ │ │ └── kspbuilder.go │ │ └── watcher │ │ │ └── kspwatcher.go │ ├── nimbus-kyverno │ │ ├── .dockerignore │ │ ├── Dockerfile │ │ ├── Makefile │ │ ├── clusterrole.yaml │ │ ├── go.mod │ │ ├── go.sum │ 
│ ├── main.go │ │ ├── manager │ │ │ └── manager.go │ │ ├── processor │ │ │ ├── kcpbuilder.go │ │ │ └── kpbuilder.go │ │ ├── utils │ │ │ └── utils.go │ │ └── watcher │ │ │ ├── kcpwatcher.go │ │ │ └── kpwatcher.go │ ├── nimbus-netpol │ │ ├── .dockerignore │ │ ├── Dockerfile │ │ ├── Makefile │ │ ├── go.mod │ │ ├── go.sum │ │ ├── main.go │ │ ├── manager │ │ │ └── netpols_manager.go │ │ ├── processor │ │ │ └── netpol_builder.go │ │ └── watcher │ │ │ └── netpolwatcher.go │ ├── util │ │ ├── clusternimbuspolicy.go │ │ ├── nimbuspolicy.go │ │ └── watcher.go │ └── watcher │ │ ├── clusternimbuspolicy.go │ │ ├── nimbuspolicy.go │ │ └── watcher.go ├── processor │ ├── errors │ │ └── errors.go │ ├── intentbinder │ │ └── intent_binder.go │ └── policybuilder │ │ ├── clusternimbuspolicy_builder.go │ │ ├── common.go │ │ └── nimbuspolicy_builder.go └── util │ └── util.go ├── scripts ├── add-license-header.sh ├── license.header └── update-image-tag.sh ├── tests ├── chainsaw-config.yaml ├── controllers │ ├── clustersecurityintentbinding │ │ ├── excludename │ │ │ ├── README.md │ │ │ ├── chainsaw-test.yaml │ │ │ ├── cluster-nimbus-policy-assert.yaml │ │ │ ├── escape-to-host-csib.yaml │ │ │ ├── escape-to-host-dev-prod-regional-csib.yaml │ │ │ ├── nimbus-policy-assert-dev.yaml │ │ │ ├── nimbus-policy-assert-management.yaml │ │ │ ├── nimbus-policy-assert-prod.yaml │ │ │ ├── nimbus-policy-assert-staging.yaml │ │ │ ├── nimbus-policy-assert.yaml │ │ │ ├── ns-regional-mgmt.yaml │ │ │ └── ns.yaml │ │ ├── matchall │ │ │ ├── README.md │ │ │ ├── chainsaw-test.yaml │ │ │ ├── cluster-nimbus-policy-assert.yaml │ │ │ ├── dns-manipulation-csib.yaml │ │ │ ├── nimbus-policy-assert-dev.yaml │ │ │ ├── nimbus-policy-assert-prod.yaml │ │ │ ├── nimbus-policy-assert-staging.yaml │ │ │ ├── nimbus-policy-assert.yaml │ │ │ └── ns.yaml │ │ └── matchname │ │ │ ├── README.md │ │ │ ├── chainsaw-test.yaml │ │ │ ├── cluster-nimbus-policy-assert.yaml │ │ │ ├── escape-to-host-csib.yaml │ │ │ ├── 
escape-to-host-dev-prod-csib.yaml │ │ │ ├── nimbus-policy-assert-dev.yaml │ │ │ ├── nimbus-policy-assert-prod.yaml │ │ │ ├── nimbus-policy-assert-staging.yaml │ │ │ ├── nimbus-policy-assert.yaml │ │ │ └── ns.yaml │ ├── nimbuspolicy │ │ ├── delete │ │ │ ├── README.md │ │ │ └── chainsaw-test.yaml │ │ ├── nimbus-policy-assert.yaml │ │ ├── update │ │ │ ├── README.md │ │ │ └── chainsaw-test.yaml │ │ └── updated-nimbus-policy.yaml │ ├── resources │ │ └── namespaced │ │ │ ├── dns-manipulation-si.yaml │ │ │ ├── dns-manipulation-sib.yaml │ │ │ ├── escape-to-host-si.yaml │ │ │ ├── multiple-sis.yaml │ │ │ └── sib-for-multiple-sis.yaml │ ├── securityintent │ │ ├── README.md │ │ ├── chainsaw-test.yaml │ │ └── si-status-assert.yaml │ ├── securityintentbinding │ │ ├── create │ │ │ ├── README.md │ │ │ └── chainsaw-test.yaml │ │ ├── delete │ │ │ ├── README.md │ │ │ └── chainsaw-test.yaml │ │ ├── nimbus-policy-assert.yaml │ │ ├── np-status-assert.yaml │ │ ├── sib-status-assert.yaml │ │ ├── update │ │ │ ├── README.md │ │ │ └── chainsaw-test.yaml │ │ ├── updated-np.yaml │ │ └── updated-sib.yaml │ └── sis-and-sibs │ │ ├── create │ │ ├── README.md │ │ └── chainsaw-test.yaml │ │ ├── delete │ │ ├── README.md │ │ ├── chainsaw-test.yaml │ │ └── sib-status-after-si-deletion-assert.yaml │ │ ├── nimbus-policy-assert.yaml │ │ ├── np-status-assert.yaml │ │ ├── si-status-assert.yaml │ │ ├── sib-status-assert.yaml │ │ └── update │ │ ├── README.md │ │ ├── chainsaw-test.yaml │ │ ├── nimbus-policy-after-deleting-one-si.yaml │ │ ├── nimbus-policy-after-updating-one-si.yaml │ │ ├── nimbus-policy-for-multiple-sis.yaml │ │ ├── sib-status-after-si-deletion-assert.yaml │ │ ├── updated-sib.yaml │ │ └── updated-unauth-sa-si.yaml └── e2e │ ├── dns-manipulation │ ├── create │ │ ├── README.md │ │ └── chainsaw-test.yaml │ ├── delete │ │ ├── README.md │ │ └── chainsaw-test.yaml │ ├── ksp.yaml │ ├── netpol.yaml │ ├── nimbus-policy-assert.yaml │ ├── np-status-assert.yaml │ ├── sib-status-assert.yaml │ ├── update │ 
│ ├── README.md │ │ └── chainsaw-test.yaml │ ├── updated-ksp.yaml │ └── updated-netpol.yaml │ ├── escape-to-host-clusterscoped-matchall │ ├── cluster-kyverno-policy.yaml │ ├── create │ │ ├── README.md │ │ └── chainsaw-test.yaml │ ├── csib-assert.yaml │ ├── cwnp-assert.yaml │ ├── nimbus-policy-assert-ns-default.yaml │ ├── nimbus-policy-assert-ns-dev.yaml │ ├── nimbus-policy-assert-ns-staging.yaml │ └── ns.yaml │ ├── escape-to-host │ ├── create │ │ ├── README.md │ │ └── chainsaw-test.yaml │ ├── delete │ │ ├── README.md │ │ └── chainsaw-test.yaml │ ├── kyverno-policy.yaml │ ├── nimbus-policy-assert.yaml │ ├── np-status-assert.yaml │ ├── sib-status-assert.yaml │ ├── update │ │ ├── README.md │ │ └── chainsaw-test.yaml │ └── updated-kyverno-policy.yaml │ └── resources │ ├── clusterscoped │ └── escape-to-host-csib-match-all.yaml │ └── namespaced │ ├── dns-manipulation-si.yaml │ ├── dns-manipulation-sib.yaml │ ├── escape-to-host-si.yaml │ └── escape-to-host-sib.yaml ├── virtual_patch_si.yaml ├── virtual_patch_sib.yaml └── vp.json /.dockerignore: -------------------------------------------------------------------------------- 1 | bin/ 2 | go.work* 3 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # Please see the documentation for all configuration options: 2 | # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates 3 | 4 | version: 2 5 | updates: 6 | - package-ecosystem: "github-actions" 7 | directory: "/" 8 | schedule: 9 | interval: "weekly" 10 | 11 | - package-ecosystem: "gomod" 12 | directory: "/" 13 | schedule: 14 | interval: "weekly" 15 | 16 | - package-ecosystem: "gomod" 17 | directory: "/pkg/adapter/nimbus-kubearmor" 18 | schedule: 19 | interval: "weekly" 20 | 21 | - package-ecosystem: "gomod" 22 | directory: "/pkg/adapter/nimbus-netpol" 23 | schedule: 24 | interval: "weekly" 
25 | 26 | - package-ecosystem: "gomod" 27 | directory: "/pkg/adapter/nimbus-kyverno" 28 | schedule: 29 | interval: "weekly" 30 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | 7 | 8 | Fixes # (issue) 9 | 10 | **Does this PR introduce a breaking change?** 11 | 12 | ## Checklist 13 | 14 | - [ ] PR title follows the `: ` convention 15 | - [ ] I use [conventional commits](https://www.conventionalcommits.org/) in my commit messages 16 | - [ ] I have updated the [documentation](../docs) accordingly 17 | - [ ] I Keep It Small and Simple: The smaller the PR is, the easier it is to review and have it merged 18 | - [ ] I have performed a self-review of my code 19 | - [ ] I have added tests that prove my fix is effective or that my feature works 20 | - [ ] New and existing unit tests pass locally with my changes 21 | 22 | ## Additional information for reviewer 23 | 24 | #### Mention if this PR is part of any design or a continuation of previous PRs 25 | 26 | 40 | 41 | 44 | -------------------------------------------------------------------------------- /.github/workflows/latest-release.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | name: Latest release 5 | on: 6 | push: 7 | branches: 8 | - main 9 | 10 | permissions: read-all 11 | 12 | concurrency: 13 | group: ${{ github.workflow }}-${{ github.ref }} 14 | cancel-in-progress: true 15 | 16 | jobs: 17 | files-changed: 18 | name: Detect what files changed 19 | runs-on: ubuntu-latest 20 | timeout-minutes: 5 21 | outputs: 22 | nimbus: ${{ steps.filter.outputs.nimbus}} 23 | adapters: ${{ steps.filter.outputs.adapters }} 24 | steps: 25 | - uses: actions/checkout@v4 26 | - uses: dorny/paths-filter@v3.0.2 27 | id: filter 28 | with: 29 | 
filters: | 30 | nimbus: 31 | - 'cmd/**' 32 | - 'internal/**' 33 | - 'pkg/processor/**' 34 | - 'Dockerfile' 35 | - 'Makefile' 36 | adapters: 37 | - 'pkg/adapter/**' 38 | 39 | release-nimbus-image: 40 | needs: files-changed 41 | if: ${{ github.repository == '5GSEC/nimbus' && needs.files-changed.outputs.nimbus == 'true' }} 42 | name: Build and push nimbus image 43 | uses: ./.github/workflows/release-image.yaml 44 | with: 45 | WORKING_DIRECTORY: . 46 | NAME: nimbus 47 | secrets: inherit 48 | 49 | release-adapters-image: 50 | needs: files-changed 51 | if: ${{ github.repository == '5GSEC/nimbus' && needs.files-changed.outputs.adapters == 'true' }} 52 | strategy: 53 | matrix: 54 | adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno", "nimbus-k8tls" ] 55 | name: Build and push ${{ matrix.adapters }} adapter's image 56 | uses: ./.github/workflows/release-image.yaml 57 | with: 58 | WORKING_DIRECTORY: ./pkg/adapter/${{ matrix.adapters }} 59 | NAME: ${{ matrix.adapters }} 60 | secrets: inherit 61 | -------------------------------------------------------------------------------- /.github/workflows/release-helm-charts.yaml: -------------------------------------------------------------------------------- 1 | name: Release Helm charts 2 | 3 | on: 4 | workflow_dispatch: 5 | inputs: 6 | tag: 7 | description: "Release tag which has to be updated" 8 | type: "string" 9 | required: true 10 | 11 | jobs: 12 | release_helm_charts: 13 | if: github.repository == '5GSEC/nimbus' 14 | permissions: 15 | contents: write 16 | runs-on: ubuntu-latest 17 | steps: 18 | - name: Checkout source code 19 | uses: actions/checkout@v4 20 | 21 | - name: Install Helm 22 | uses: azure/setup-helm@v4 23 | 24 | - name: Generate a token 25 | id: generate-token 26 | uses: actions/create-github-app-token@v1 27 | with: 28 | app-id: ${{ vars.ACTIONS_APP_ID }} 29 | private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }} 30 | repositories: charts 31 | 32 | - name: Publish Helm chart 33 | uses: 
stefanprodan/helm-gh-pages@master 34 | with: 35 | # Access token which can push to a different repo in the same org 36 | token: ${{ steps.generate-token.outputs.token }} 37 | charts_dir: deployments/ 38 | # repo where charts would be published 39 | owner: 5GSEC 40 | repository: charts 41 | branch: gh-pages 42 | charts_url: https://5gsec.github.io/charts/ 43 | commit_username: "github-actions[bot]" 44 | commit_email: "github-actions[bot]@users.noreply.github.com" 45 | dependencies: nimbus-kubearmor,https://5gsec.github.io/charts/;nimbus-netpol,https://5gsec.github.io/charts/;nimbus-kyverno,https://5gsec.github.io/charts/;nimbus-k8tls,https://5gsec.github.io/charts/ 46 | -------------------------------------------------------------------------------- /.github/workflows/release-image.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | name: release image 5 | permissions: read-all 6 | 7 | on: 8 | workflow_call: 9 | inputs: 10 | WORKING_DIRECTORY: 11 | description: 'current working directory' 12 | required: true 13 | type: string 14 | NAME: 15 | description: 'app name' 16 | required: true 17 | type: string 18 | 19 | jobs: 20 | release-image: 21 | timeout-minutes: 30 22 | runs-on: ubuntu-latest 23 | steps: 24 | - name: Checkout source code 25 | uses: actions/checkout@v4 26 | 27 | - name: Set up QEMU 28 | uses: docker/setup-qemu-action@v3 29 | 30 | - name: Set up Docker Buildx 31 | uses: docker/setup-buildx-action@v3 32 | 33 | - name: Login to Docker Hub 34 | uses: docker/login-action@v3 35 | with: 36 | username: ${{ secrets.DOCKERHUB_USERNAME }} 37 | password: ${{ secrets.DOCKERHUB_TOKEN }} 38 | 39 | - name: Get tag 40 | id: tag 41 | run: | 42 | if [ ${{ github.ref }} == "refs/heads/main" ]; then 43 | echo "tag=latest" >> $GITHUB_OUTPUT 44 | else 45 | echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT 46 | fi 47 | 48 | - name: Build image 49 | run: 
make docker-build TAG=${{ steps.tag.outputs.tag }} 50 | working-directory: ${{ inputs.WORKING_DIRECTORY }} 51 | 52 | - name: Scan image 53 | uses: anchore/scan-action@v4 54 | with: 55 | image: '5gsec/${{ inputs.NAME }}:${{ steps.tag.outputs.tag }}' 56 | severity-cutoff: critical 57 | output-format: sarif 58 | 59 | - name: Build and push image 60 | working-directory: ${{ inputs.WORKING_DIRECTORY }} 61 | run: make docker-buildx TAG=${{ steps.tag.outputs.tag }} 62 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | # Binaries for programs and plugins 3 | *.exe 4 | *.exe~ 5 | *.dll 6 | *.so 7 | *.dylib 8 | bin 9 | Dockerfile.cross 10 | 11 | # Test binary, built with `go test -c` 12 | *.test 13 | 14 | # Output of the go coverage tool, specifically when used with LiteIDE 15 | *.out 16 | 17 | # Go workspace file 18 | go.work 19 | go.work.sum 20 | 21 | # editor and IDE paraphernalia 22 | .idea 23 | .vscode 24 | *.swp 25 | *.swo 26 | *~ 27 | 28 | ### macOS 29 | .DS_Store 30 | -------------------------------------------------------------------------------- /.licenserc.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | header: 5 | license: 6 | spdx-id: Apache-2.0 7 | copyright-owner: Nimbus 8 | content: | 9 | SPDX-License-Identifier: Apache-2.0 10 | 11 | paths: 12 | - "**/*.go" 13 | - "**/*.sh" 14 | - "**/Dockerfile" 15 | - "**/Makefile" 16 | 17 | comment: on-failure 18 | 19 | dependency: 20 | files: 21 | - go.mod 22 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | FROM golang:1.22 AS builder 5 | ARG TARGETOS 
6 | ARG TARGETARCH 7 | 8 | # Required to embed build info into the binary. 9 | COPY .git /.git 10 | 11 | WORKDIR /workspace 12 | 13 | COPY . . 14 | 15 | # Build 16 | # GOARCH has no default value so that the binary is built according to the host where the command 17 | # was called. For example, if we call make docker-build in a local env on an Apple Silicon (M1) machine, 18 | # the docker BUILDPLATFORM arg will be linux/arm64, whereas for Apple x86 it will be linux/amd64. Therefore, 19 | # by leaving it empty we can ensure that the container and the binary shipped in it will have the same platform. 20 | RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build 21 | 22 | # Use distroless as a minimal base image to package the manager binary 23 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 24 | FROM gcr.io/distroless/static:nonroot 25 | WORKDIR / 26 | COPY --from=builder /workspace/bin/nimbus . 27 | USER 65532:65532 28 | 29 | ENTRYPOINT ["/nimbus"] 30 | -------------------------------------------------------------------------------- /PROJECT: -------------------------------------------------------------------------------- 1 | # Code generated by tool. DO NOT EDIT. 2 | # This file is used to track the info used to scaffold your project 3 | # and allow the plugins to work properly.
4 | # More info: https://book.kubebuilder.io/reference/project-config.html 5 | domain: security.nimbus.com 6 | layout: 7 | - go.kubebuilder.io/v4 8 | projectName: nimbus 9 | repo: github.com/5GSEC/nimbus 10 | resources: 11 | - api: 12 | crdVersion: v1 13 | controller: true 14 | domain: security.nimbus.com 15 | group: intent 16 | kind: SecurityIntent 17 | path: github.com/5GSEC/nimbus/api/v1alpha1 18 | version: v1alpha1 19 | - api: 20 | crdVersion: v1 21 | namespaced: true 22 | controller: true 23 | domain: security.nimbus.com 24 | group: intent 25 | kind: SecurityIntentBinding 26 | path: github.com/5GSEC/nimbus/api/v1alpha1 27 | version: v1alpha1 28 | - api: 29 | crdVersion: v1 30 | namespaced: true 31 | domain: security.nimbus.com 32 | group: intent 33 | kind: NimbusPolicy 34 | path: github.com/5GSEC/nimbus/api/v1alpha1 35 | version: v1alpha1 36 | - api: 37 | crdVersion: v1 38 | domain: security.nimbus.com 39 | group: intent 40 | kind: ClusterNimbusPolicy 41 | path: github.com/5GSEC/nimbus/api/v1alpha1 42 | version: v1alpha1 43 | - api: 44 | crdVersion: v1 45 | controller: true 46 | domain: security.nimbus.com 47 | group: intent 48 | kind: ClusterSecurityIntentBinding 49 | path: github.com/5GSEC/nimbus/api/v1alpha1 50 | version: v1alpha1 51 | version: "3" 52 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Nimbus: Intent Driven Security Operator 2 | 3 | > The aim for any organization should be to state its security 4 | > goals/intents, and the underlying tooling/operator should be able to convert 5 | > these goals/intents into actionable elements such as policies/rules. 6 | 7 | Nimbus aims to decouple security intents from their actual implementation, i.e., 8 | the use of policy engines and the corresponding policies and rules.
This pattern exists 9 | commonly in the Kubernetes world, and the best example is a storage operator, 10 | wherein the user specifies persistent volume claims with an appropriate SLA 11 | (disk space, R/W, speed) and the operator figures out the appropriate volume to 12 | bind. Nimbus intends to bring a similar abstraction to security intents, 13 | wherein the user specifies the security intent and the operator figures out the 14 | best implementation method available given the deployment. 15 | 16 | * An intent might get translated into a set of policies rather than necessarily a 17 | single policy, thus providing multi-layer defense. For example, an intent such 18 | as "Do not allow privilege escalation" could get translated into an admission 19 | controller policy and a system policy as handled by runtime security engines 20 | such as [KubeArmor](https://www.kubearmor.io). 21 | * An intent could take runtime behavior into consideration and then handle 22 | intent implementation. For example, an intent could be "Do not allow privilege 23 | flags for pods that are publicly reachable". 24 | * An intent might get fully or partially satisfied, and the bindings clearly 25 | show that status. 26 | * An organization can provide a blueprint of intents given a deployment, and the 27 | operator could then try to satisfy those intents in best-effort or strict mode. 28 | 29 | ![](docs/nimbus.png) 30 | 31 | * [Getting Started](docs/getting-started.md) 32 | * [Quick Tutorials](docs/quick-tutorials.md) 33 | * [Contribution guide](CONTRIBUTING.md) 34 | 35 | # Credits 36 | 37 | This project is funded by NSF grant ...
38 | -------------------------------------------------------------------------------- /api/v1alpha1/groupversion_info.go: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | // Copyright 2023 Authors of Nimbus 3 | 4 | // Package v1alpha1 contains API Schema definitions for the intent v1 API group 5 | // +kubebuilder:object:generate=true 6 | // +groupName=intent.security.nimbus.com 7 | package v1alpha1 8 | 9 | import ( 10 | "k8s.io/apimachinery/pkg/runtime/schema" 11 | "sigs.k8s.io/controller-runtime/pkg/scheme" 12 | ) 13 | 14 | var ( 15 | // GroupVersion is group version used to register these objects 16 | GroupVersion = schema.GroupVersion{Group: "intent.security.nimbus.com", Version: "v1alpha1"} 17 | 18 | // SchemeBuilder is used to add go types to the GroupVersionKind scheme 19 | SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} 20 | 21 | // AddToScheme adds the types in this group-version to the given scheme. 22 | AddToScheme = SchemeBuilder.AddToScheme 23 | ) 24 | -------------------------------------------------------------------------------- /config/crd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # This kustomization.yaml is not intended to be run by itself, 2 | # since it depends on service name and namespace that are out of this kustomize package. 
3 | # It should be run by config/default 4 | resources: 5 | - bases/intent.security.nimbus.com_securityintents.yaml 6 | - bases/intent.security.nimbus.com_securityintentbindings.yaml 7 | - bases/intent.security.nimbus.com_nimbuspolicies.yaml 8 | - bases/intent.security.nimbus.com_clusternimbuspolicies.yaml 9 | - bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml 10 | #+kubebuilder:scaffold:crdkustomizeresource 11 | -------------------------------------------------------------------------------- /config/crd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This file is for teaching kustomize how to substitute name and namespace reference in CRD 2 | nameReference: 3 | - kind: Service 4 | version: v1 5 | fieldSpecs: 6 | - kind: CustomResourceDefinition 7 | version: v1 8 | group: apiextensions.k8s.io 9 | path: spec/conversion/webhook/clientConfig/service/name 10 | 11 | namespace: 12 | - kind: CustomResourceDefinition 13 | version: v1 14 | group: apiextensions.k8s.io 15 | path: spec/conversion/webhook/clientConfig/service/namespace 16 | create: false 17 | 18 | varReference: 19 | - path: metadata/annotations 20 | -------------------------------------------------------------------------------- /config/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | namespace: nimbus 5 | 6 | resources: 7 | - ../crd 8 | - ../rbac 9 | - ../manager 10 | 11 | # Labels to add to all resources and selectors. 
12 | labels: 13 | - includeSelectors: true 14 | pairs: 15 | app.kubernetes.io/name: nimbus-operator 16 | app.kubernetes.io/component: controller 17 | -------------------------------------------------------------------------------- /config/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manager.yaml 3 | 4 | images: 5 | - name: controller 6 | newName: 5gsec/nimbus 7 | apiVersion: kustomize.config.k8s.io/v1beta1 8 | kind: Kustomization 9 | -------------------------------------------------------------------------------- /config/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | app.kubernetes.io/name: nimbus 6 | name: nimbus 7 | --- 8 | apiVersion: apps/v1 9 | kind: Deployment 10 | metadata: 11 | name: nimbus-operator 12 | spec: 13 | selector: 14 | matchLabels: 15 | replicas: 1 16 | template: 17 | metadata: 18 | labels: 19 | spec: 20 | securityContext: 21 | runAsNonRoot: true 22 | seccompProfile: 23 | type: RuntimeDefault 24 | containers: 25 | - name: nimbus-operator 26 | command: 27 | - /manager 28 | args: 29 | - --leader-elect 30 | image: controller:latest 31 | securityContext: 32 | allowPrivilegeEscalation: false 33 | livenessProbe: 34 | httpGet: 35 | path: /healthz 36 | port: 8081 37 | initialDelaySeconds: 15 38 | periodSeconds: 20 39 | readinessProbe: 40 | httpGet: 41 | path: /readyz 42 | port: 8081 43 | initialDelaySeconds: 5 44 | periodSeconds: 10 45 | serviceAccountName: nimbus-operator 46 | terminationGracePeriodSeconds: 10 47 | -------------------------------------------------------------------------------- /config/prometheus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - monitor.yaml 3 | -------------------------------------------------------------------------------- 
/config/prometheus/monitor.yaml: -------------------------------------------------------------------------------- 1 | # Prometheus Monitor Service (Metrics) 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: nimbus-operator-metrics-monitor 7 | app.kubernetes.io/component: metrics 8 | name: nimbus-operator-metrics-monitor 9 | spec: 10 | endpoints: 11 | - path: /metrics 12 | port: https 13 | scheme: https 14 | bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token 15 | tlsConfig: 16 | insecureSkipVerify: true 17 | selector: 18 | matchLabels: 19 | app.kubernetes.io/component: metrics 20 | -------------------------------------------------------------------------------- /config/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - service_account.yaml 3 | - role.yaml 4 | - role_binding.yaml 5 | - leader_election_role.yaml 6 | - leader_election_role_binding.yaml 7 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | name: nimbus-operator-leader-election-role 5 | rules: 6 | - apiGroups: 7 | - "" 8 | resources: 9 | - configmaps 10 | verbs: 11 | - get 12 | - list 13 | - watch 14 | - create 15 | - update 16 | - patch 17 | - delete 18 | - apiGroups: 19 | - coordination.k8s.io 20 | resources: 21 | - leases 22 | verbs: 23 | - get 24 | - list 25 | - watch 26 | - create 27 | - update 28 | - patch 29 | - delete 30 | - apiGroups: 31 | - "" 32 | resources: 33 | - events 34 | verbs: 35 | - create 36 | - patch 37 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role_binding.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: nimbus-operator-leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: nimbus-operator-leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: nimbus-operator 12 | namespace: nimbus 13 | -------------------------------------------------------------------------------- /config/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: nimbus-operator 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: nimbus-operator 9 | subjects: 10 | - kind: ServiceAccount 11 | name: nimbus-operator 12 | -------------------------------------------------------------------------------- /config/rbac/service_account.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: nimbus-operator 5 | -------------------------------------------------------------------------------- /config/samples/intent_v1_clusternimbuspolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: intent.security.nimbus.com/v1 2 | kind: ClusterNimbusPolicy 3 | metadata: 4 | labels: 5 | app.kubernetes.io/name: clusternimbuspolicy 6 | app.kubernetes.io/instance: clusternimbuspolicy-sample 7 | app.kubernetes.io/part-of: nimbus 8 | app.kubernetes.io/managed-by: kustomize 9 | app.kubernetes.io/created-by: nimbus 10 | name: clusternimbuspolicy-sample 11 | spec: 12 | # TODO(user): Add fields here 13 | -------------------------------------------------------------------------------- /config/samples/intent_v1_clustersecurityintentbinding.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: intent.security.nimbus.com/v1 2 | kind: ClusterSecurityIntentBinding 3 | metadata: 4 | labels: 5 | app.kubernetes.io/name: clustersecurityintentbinding 6 | app.kubernetes.io/instance: clustersecurityintentbinding-sample 7 | app.kubernetes.io/part-of: nimbus 8 | app.kubernetes.io/managed-by: kustomize 9 | app.kubernetes.io/created-by: nimbus 10 | name: clustersecurityintentbinding-sample 11 | spec: 12 | # TODO(user): Add fields here 13 | -------------------------------------------------------------------------------- /config/samples/intent_v1_nimbuspolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: intent.security.nimbus.com/v1 2 | kind: NimbusPolicy 3 | metadata: 4 | labels: 5 | app.kubernetes.io/name: nimbuspolicy 6 | app.kubernetes.io/instance: nimbuspolicy-sample 7 | app.kubernetes.io/part-of: nimbus 8 | app.kubernetes.io/managed-by: kustomize 9 | app.kubernetes.io/created-by: nimbus 10 | name: nimbuspolicy-sample 11 | spec: 12 | # TODO(user): Add fields here 13 | -------------------------------------------------------------------------------- /config/samples/intent_v1_securityintent.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: intent.security.nimbus.com/v1 2 | kind: SecurityIntent 3 | metadata: 4 | labels: 5 | app.kubernetes.io/name: securityintent 6 | app.kubernetes.io/instance: securityintent-sample 7 | app.kubernetes.io/part-of: nimbus 8 | app.kubernetes.io/managed-by: kustomize 9 | app.kubernetes.io/created-by: nimbus 10 | name: securityintent-sample 11 | spec: 12 | # TODO(user): Add fields here 13 | -------------------------------------------------------------------------------- /config/samples/intent_v1_securityintentbinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
intent.security.nimbus.com/v1 2 | kind: SecurityIntentBinding 3 | metadata: 4 | labels: 5 | app.kubernetes.io/name: securityintentbinding 6 | app.kubernetes.io/instance: securityintentbinding-sample 7 | app.kubernetes.io/part-of: nimbus 8 | app.kubernetes.io/managed-by: kustomize 9 | app.kubernetes.io/created-by: nimbus 10 | name: securityintentbinding-sample 11 | spec: 12 | # TODO(user): Add fields here 13 | -------------------------------------------------------------------------------- /config/samples/kustomization.yaml: -------------------------------------------------------------------------------- 1 | ## Append samples of your project ## 2 | resources: 3 | - intent_v1_securityintent.yaml 4 | - intent_v1_securityintentbinding.yaml 5 | - intent_v1_nimbuspolicy.yaml 6 | - intent_v1_clusternimbuspolicy.yaml 7 | - intent_v1_clustersecurityintentbinding.yaml 8 | #+kubebuilder:scaffold:manifestskustomizesamples 9 | -------------------------------------------------------------------------------- /deployments/nimbus-k8tls/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /deployments/nimbus-k8tls/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | type: application 3 | name: nimbus-k8tls 4 | version: 0.1.1 5 | appVersion: "0.1.1" 6 | description: Nimbus adapter for k8tls 7 | sources: 8 | - https://github.com/5GSEC/nimbus 9 | kubeVersion: ">=1.25.0-0" 10 | -------------------------------------------------------------------------------- /deployments/nimbus-k8tls/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Thank you for installing nimbus-k8tls. 2 | 3 | Your release is named '{{ include "nimbus-k8tls.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace. 4 | -------------------------------------------------------------------------------- /deployments/nimbus-k8tls/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "nimbus-k8tls.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 
12 | */}} 13 | {{- define "nimbus-k8tls.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "nimbus-k8tls.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "nimbus-k8tls.labels" -}} 37 | helm.sh/chart: {{ include "nimbus-k8tls.chart" . }} 38 | {{ include "nimbus-k8tls.selectorLabels" . }} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "nimbus-k8tls.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "nimbus-k8tls.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "nimbus-k8tls.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "nimbus-k8tls.fullname" .) 
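.Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/deployments/nimbus-k8tls/templates/deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "nimbus-k8tls.fullname" . }}
  labels:
    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
  namespace: {{ .Release.Namespace }}
spec:
  selector:
    matchLabels:
      {{- include "nimbus-k8tls.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "nimbus-k8tls.labels" . | nindent 8 }}
    spec:
      serviceAccountName: {{ include "nimbus-k8tls.serviceAccountName" . }}
      # Pod-level settings (fsGroup, ...) come from values.yaml's
      # podSecurityContext, which was declared there but never rendered.
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        # Name the container after the chart rather than fullnameOverride:
        # an empty override used to render an empty, invalid container name.
        - name: {{ include "nimbus-k8tls.name" . }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          {{- if .Values.output.elasticsearch.enabled }}
          env:
            - name: TTLSECONDSAFTERFINISHED
              value: "{{ .Values.output.elasticsearch.ttlsecondsafterfinished }}"
          {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
--------------------------------------------------------------------------------
/deployments/nimbus-k8tls/templates/k8tls-role.yaml:
--------------------------------------------------------------------------------
# ClusterRole bound (see rolebinding.yaml) to the "k8tls" ServiceAccount in
# the "-env" namespace: read-only access to Services, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k8tls
  labels:
    {{- include "nimbus-k8tls.labels" .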
| nindent 4 }} 7 | rules: 8 | - apiGroups: 9 | - "" 10 | resources: 11 | - services 12 | verbs: 13 | - get 14 | - list 15 | -------------------------------------------------------------------------------- /deployments/nimbus-k8tls/templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: {{ include "nimbus-k8tls.fullname" . }}-env 5 | labels: 6 | {{- include "nimbus-k8tls.labels" . | nindent 4 }} 7 | -------------------------------------------------------------------------------- /deployments/nimbus-k8tls/templates/role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: nimbus-k8tls 6 | labels: 7 | {{- include "nimbus-k8tls.labels" . | nindent 4 }} 8 | rules: 9 | - apiGroups: 10 | - "" 11 | resources: 12 | - configmaps 13 | verbs: 14 | - create 15 | - delete 16 | - get 17 | - update 18 | - apiGroups: 19 | - "" 20 | resources: 21 | - namespaces 22 | - serviceaccounts 23 | verbs: 24 | - get 25 | - apiGroups: 26 | - batch 27 | resources: 28 | - cronjobs 29 | verbs: 30 | - create 31 | - delete 32 | - get 33 | - list 34 | - update 35 | - watch 36 | - apiGroups: 37 | - intent.security.nimbus.com 38 | resources: 39 | - clusternimbuspolicies 40 | verbs: 41 | - get 42 | - list 43 | - watch 44 | - apiGroups: 45 | - intent.security.nimbus.com 46 | resources: 47 | - clusternimbuspolicies/status 48 | verbs: 49 | - get 50 | - patch 51 | - update 52 | {{- if .Values.output.elasticsearch.enabled }} 53 | - apiGroups: [ "" ] 54 | resources: [ "secrets" ] 55 | resourceNames: [ "elasticsearch-password" ] 56 | verbs: [ "get" ] 57 | {{- end }} 58 | -------------------------------------------------------------------------------- /deployments/nimbus-k8tls/templates/rolebinding.yaml: 
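--------------------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "nimbus-k8tls.fullname" . }}
  labels:
    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # NOTE(review): role.yaml names its ClusterRole with the literal
  # "nimbus-k8tls", so this reference only resolves while fullnameOverride
  # keeps its default value; template both names or hard-code both.
  name: {{ include "nimbus-k8tls.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "nimbus-k8tls.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8tls
  labels:
    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k8tls
subjects:
  - kind: ServiceAccount
    name: k8tls
    namespace: {{ include "nimbus-k8tls.fullname" . }}-env
--------------------------------------------------------------------------------
/deployments/nimbus-k8tls/templates/secret.yaml:
--------------------------------------------------------------------------------
{{- if .Values.output.elasticsearch.enabled -}}
# Elasticsearch credential placed in the "-env" namespace. role.yaml grants the
# adapter `get` on exactly this Secret name (cluster-wide, i.e. in any
# namespace; a namespaced Role in the "-env" namespace would be tighter).
# The value in values.yaml is base64-encoded, not encrypted: keep it out of
# committed values files (--set-file, or an external secret manager).
apiVersion: v1
kind: Secret
metadata:
  name: elasticsearch-password
  namespace: {{ include "nimbus-k8tls.fullname" . }}-env
  labels:
    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
type: Opaque
data:
  # Fail the render instead of shipping an empty credential, and quote the
  # value so an unquoted base64 string is never parsed as a non-string.
  es_password: {{ required "output.elasticsearch.password (base64) must be set when output.elasticsearch.enabled is true" .Values.output.elasticsearch.password | quote }}
{{- end }}
--------------------------------------------------------------------------------
/deployments/nimbus-k8tls/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "nimbus-k8tls.serviceAccountName" .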
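}}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}
---
# ServiceAccount living in the dedicated "-env" namespace; rolebinding.yaml
# binds it to the "k8tls" ClusterRole (Services get/list).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8tls
  namespace: {{ include "nimbus-k8tls.fullname" . }}-env
  labels:
    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
--------------------------------------------------------------------------------
/deployments/nimbus-k8tls/values.yaml:
--------------------------------------------------------------------------------
image:
  repository: 5gsec/nimbus-k8tls
  pullPolicy: Always
  # Mutable tag pulled with Always: whatever is behind "v0.4" at pod start is
  # what runs. Pin an immutable tag or a digest (repository@sha256:...) for
  # production deployments.
  tag: "v0.4"
nameOverride: ""
fullnameOverride: "nimbus-k8tls"
serviceAccount:
  create: true
  # The adapter calls the API server (see role.yaml), so the token must be
  # mounted; keep this true.
  automount: true
  name: "nimbus-k8tls"
podSecurityContext:
  fsGroup: 2000
securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  # Required by the "restricted" Pod Security Standard; without them the pod
  # is rejected in restricted namespaces and setuid binaries could regain
  # privileges.
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault
resources:
  limits:
    cpu: 50m
    memory: 64Mi
  requests:
    cpu: 50m
    memory: 64Mi
output:
  elasticsearch:
    enabled: false
    host: "localhost"
    user: elastic
    port: 9200
    index: "findings"
    # base64-encoded password. base64 is an encoding, not encryption: treat
    # this value as the plaintext credential. It is consumed by secret.yaml
    # whenever enabled is true; prefer --set-file or a secret manager over
    # committing it here.
    password: ""
    # Seconds to keep the pod around after the job has completed
    ttlsecondsafterfinished: "10"
--------------------------------------------------------------------------------
/deployments/nimbus-kubearmor/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.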
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /deployments/nimbus-kubearmor/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: nimbus-kubearmor 3 | description: KubeArmor adapter's chart for Nimbus. 4 | type: application 5 | 6 | # This is the chart version. This version number should be incremented each time you make changes 7 | # to the chart and its templates, including the app version. 8 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 9 | version: 0.1.4 10 | 11 | # This is the version number of the application being deployed. This version number should be 12 | # incremented each time you make changes to the application. Versions are not expected to 13 | # follow Semantic Versioning. They should reflect the version the application is using. 14 | # It is recommended to use it with quotes. 15 | appVersion: "0.1.2" 16 | 17 | dependencies: 18 | - name: kubearmor-operator 19 | version: ">= 1.4.3" 20 | repository: https://kubearmor.github.io/charts 21 | condition: autoDeploy 22 | 23 | kubeVersion: ">= 1.25" 24 | -------------------------------------------------------------------------------- /deployments/nimbus-kubearmor/Readme.md: -------------------------------------------------------------------------------- 1 | # Install KubeArmor adapter 2 | 3 | Install `nimbus-kubearmor` adapter using the official 5GSEC Helm charts. 

```shell
helm repo add 5gsec https://5gsec.github.io/charts
helm repo update 5gsec
helm upgrade --dependency-update --install nimbus-kubearmor 5gsec/nimbus-kubearmor -n nimbus
```

Install the `nimbus-kubearmor` adapter from a local checkout of the chart (for testing):

```bash
cd deployments/nimbus-kubearmor/
helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus
```

## Values

| Key              | Type   | Default                | Description                                                                                                                   |
|------------------|--------|------------------------|-------------------------------------------------------------------------------------------------------------------------------|
| image.repository | string | 5gsec/nimbus-kubearmor | Image repository from which to pull the `nimbus-kubearmor` adapter's image                                                    |
| image.pullPolicy | string | Always                 | `nimbus-kubearmor` adapter image pull policy                                                                                  |
| image.tag        | string | v0.4                   | `nimbus-kubearmor` adapter image tag (`values.yaml` pins `v0.4`; pin an immutable tag or image digest for production)        |
| autoDeploy       | bool   | true                   | Auto deploy [KubeArmor](https://kubearmor.io/) with default configurations through the `kubearmor-operator` chart dependency |

## Uninstall the KubeArmor adapter

To uninstall, just run:

```bash
helm uninstall nimbus-kubearmor -n nimbus
```
--------------------------------------------------------------------------------
/deployments/nimbus-kubearmor/templates/NOTES.txt:
--------------------------------------------------------------------------------
Thank you for installing nimbus-kubearmor.

Your release is named '{{ include "nimbus-kubearmor.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace.
--------------------------------------------------------------------------------
/deployments/nimbus-kubearmor/templates/_helpers.tpl:
--------------------------------------------------------------------------------
{{/*
Expand the name of the chart.
3 | */}} 4 | {{- define "nimbus-kubearmor.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "nimbus-kubearmor.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "nimbus-kubearmor.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "nimbus-kubearmor.labels" -}} 37 | helm.sh/chart: {{ include "nimbus-kubearmor.chart" . }} 38 | {{ include "nimbus-kubearmor.selectorLabels" . }} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "nimbus-kubearmor.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "nimbus-kubearmor.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "nimbus-kubearmor.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "nimbus-kubearmor.fullname" .) 
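.Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/deployments/nimbus-kubearmor/templates/deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "nimbus-kubearmor.fullname" . }}
  labels:
    {{- include "nimbus-kubearmor.labels" . | nindent 4 }}
  namespace: {{ .Release.Namespace }}
spec:
  selector:
    matchLabels:
      {{- include "nimbus-kubearmor.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "nimbus-kubearmor.labels" . | nindent 8 }}
    spec:
      serviceAccountName: {{ include "nimbus-kubearmor.serviceAccountName" . }}
      # Pod-level settings (fsGroup, ...) from values.yaml's podSecurityContext,
      # which was declared there but never rendered.
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        # Name the container after the chart rather than fullnameOverride:
        # an empty override used to render an empty, invalid container name.
        - name: {{ include "nimbus-kubearmor.name" . }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
--------------------------------------------------------------------------------
/deployments/nimbus-kubearmor/templates/role.yaml:
--------------------------------------------------------------------------------
# Cluster-wide permissions for the KubeArmor adapter: read Nimbus policies,
# write their status, and manage KubeArmorPolicy objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "nimbus-kubearmor.fullname" .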
}}-clusterrole 5 | rules: 6 | - apiGroups: 7 | - intent.security.nimbus.com 8 | resources: 9 | - nimbuspolicies 10 | - clusternimbuspolicies 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - intent.security.nimbus.com 17 | resources: 18 | - nimbuspolicies/status 19 | - clusternimbuspolicies/status 20 | verbs: 21 | - get 22 | - patch 23 | - update 24 | - apiGroups: 25 | - security.kubearmor.com 26 | resources: 27 | - kubearmorpolicies 28 | verbs: 29 | - create 30 | - list 31 | - get 32 | - update 33 | - watch 34 | -------------------------------------------------------------------------------- /deployments/nimbus-kubearmor/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: {{ include "nimbus-kubearmor.fullname" . }}-clusterrole-binding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: {{ include "nimbus-kubearmor.fullname" . }}-clusterrole 9 | subjects: 10 | - kind: ServiceAccount 11 | name: {{ include "nimbus-kubearmor.serviceAccountName" . }} 12 | namespace: {{ .Release.Namespace }} -------------------------------------------------------------------------------- /deployments/nimbus-kubearmor/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "nimbus-kubearmor.serviceAccountName" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "nimbus-kubearmor.labels" . 
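| nindent 4 }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}
--------------------------------------------------------------------------------
/deployments/nimbus-kubearmor/values.yaml:
--------------------------------------------------------------------------------
image:
  repository: 5gsec/nimbus-kubearmor
  pullPolicy: Always
  # Overrides the image tag whose default is the chart appVersion.
  # This is a mutable tag pulled with Always; pin an immutable tag or a digest
  # (repository@sha256:...) for production deployments.
  tag: "v0.4"
nameOverride: ""
fullnameOverride: "nimbus-kubearmor"
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Automatically mount a ServiceAccount's API credentials?
  # The adapter calls the API server (see role.yaml), so keep this true.
  automount: true
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: "nimbus-kubearmor"
podSecurityContext:
  fsGroup: 2000
securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  # Required by the "restricted" Pod Security Standard; without them the pod
  # is rejected in restricted namespaces and setuid binaries could regain
  # privileges.
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault
resources:
  limits:
    cpu: 50m
    memory: 64Mi
  requests:
    cpu: 50m
    memory: 64Mi
# Deploy engine
autoDeploy: true
kubearmor-operator:
  autoDeploy: true
--------------------------------------------------------------------------------
/deployments/nimbus-kyverno/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.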
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /deployments/nimbus-kyverno/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: nimbus-kyverno 3 | description: Kyverno adapter's chart for Nimbus. 4 | type: application 5 | kubeVersion: ">= 1.25" 6 | 7 | # This is the chart version. This version number should be incremented each time you make changes 8 | # to the chart and its templates, including the app version. 9 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 10 | version: 0.1.2 11 | 12 | # This is the version number of the application being deployed. This version number should be 13 | # incremented each time you make changes to the application. Versions are not expected to 14 | # follow Semantic Versioning. They should reflect the version the application is using. 15 | # It is recommended to use it with quotes. 16 | appVersion: "0.1.0" 17 | 18 | dependencies: 19 | - name: kyverno 20 | version: ">= 3.2.6" 21 | repository: https://kyverno.github.io/kyverno/ 22 | condition: autoDeploy 23 | -------------------------------------------------------------------------------- /deployments/nimbus-kyverno/Readme.md: -------------------------------------------------------------------------------- 1 | # Install Kyverno adapter 2 | 3 | Install `nimbus-kyverno` adapter using the official 5GSEC Helm charts. 

```shell
helm repo add 5gsec https://5gsec.github.io/charts
helm repo update 5gsec
helm upgrade --dependency-update --install nimbus-kyverno 5gsec/nimbus-kyverno -n nimbus
```

Install the `nimbus-kyverno` adapter from a local checkout of the chart (for testing):

```bash
cd deployments/nimbus-kyverno/
helm upgrade --dependency-update --install nimbus-kyverno . -n nimbus
```

## Values

| Key              | Type   | Default              | Description                                                                                                                                      |
|------------------|--------|----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|
| image.repository | string | 5gsec/nimbus-kyverno | Image repository from which to pull the `nimbus-kyverno` adapter's image                                                                         |
| image.pullPolicy | string | Always               | `nimbus-kyverno` adapter image pull policy                                                                                                       |
| image.tag        | string | v0.4                 | `nimbus-kyverno` adapter image tag (`values.yaml` pins `v0.4`; pin an immutable tag or image digest for production)                             |
| autoDeploy       | bool   | true                 | Auto deploy [Kyverno](https://kyverno.io/) in [Standalone](https://kyverno.io/docs/installation/methods/#standalone) mode via the `kyverno` chart dependency |

## Uninstall the Kyverno adapter

To uninstall, just run:

```bash
helm uninstall nimbus-kyverno -n nimbus
```
--------------------------------------------------------------------------------
/deployments/nimbus-kyverno/templates/NOTES.txt:
--------------------------------------------------------------------------------
Thank you for installing nimbus-kyverno.

Your release is named '{{ include "nimbus-kyverno.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace.
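--------------------------------------------------------------------------------
/deployments/nimbus-kyverno/templates/clusterrole.yaml:
--------------------------------------------------------------------------------
# NOTE(review): this grants update/patch on EVERY resource in EVERY API group,
# cluster-wide. A holder can patch any workload to run under any
# ServiceAccount (including ones bound to cluster-admin), so the grant is
# cluster-admin-equivalent in practice. The selector labels presumably
# aggregate it into a Kyverno controller role; enumerate the apiGroups and
# resources the adapter's mutate rules actually target instead of '*'.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    {{- include "nimbus-kyverno.clusterRoleSelectorLabels" . | nindent 4 }}
  name: nimbus-kyverno:update-resources
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - update
      - patch
--------------------------------------------------------------------------------
/deployments/nimbus-kyverno/templates/deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "nimbus-kyverno.fullname" . }}
  labels:
    {{- include "nimbus-kyverno.labels" . | nindent 4 }}
  namespace: {{ .Release.Namespace }}
spec:
  selector:
    matchLabels:
      {{- include "nimbus-kyverno.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "nimbus-kyverno.labels" . | nindent 8 }}
    spec:
      serviceAccountName: {{ include "nimbus-kyverno.serviceAccountName" . }}
      # Pod-level settings (fsGroup, ...) from values.yaml's podSecurityContext,
      # which was declared there but never rendered.
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        # Name the container after the chart rather than fullnameOverride:
        # an empty override used to render an empty, invalid container name.
        - name: {{ include "nimbus-kyverno.name" . }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
--------------------------------------------------------------------------------
/deployments/nimbus-kyverno/templates/role.yaml:
--------------------------------------------------------------------------------
# Cluster-wide permissions for the Kyverno adapter itself (policies, status,
# configmaps, deployments); distinct from the aggregated update-resources role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "nimbus-kyverno.fullname" .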
}}-clusterrole 5 | rules: 6 | - apiGroups: 7 | - intent.security.nimbus.com 8 | resources: 9 | - nimbuspolicies 10 | - clusternimbuspolicies 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - "apps" 17 | resources: 18 | - deployments 19 | verbs: 20 | - get 21 | - list 22 | - watch 23 | - apiGroups: 24 | - "" 25 | resources: 26 | - configmaps 27 | verbs: 28 | - create 29 | - delete 30 | - get 31 | - list 32 | - apiGroups: 33 | - intent.security.nimbus.com 34 | resources: 35 | - nimbuspolicies/status 36 | - clusternimbuspolicies/status 37 | verbs: 38 | - get 39 | - patch 40 | - update 41 | - apiGroups: 42 | - kyverno.io 43 | resources: 44 | - clusterpolicies 45 | - policies 46 | verbs: 47 | - create 48 | - list 49 | - get 50 | - update 51 | - watch 52 | -------------------------------------------------------------------------------- /deployments/nimbus-kyverno/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: {{ include "nimbus-kyverno.fullname" . }}-clusterrole-binding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: {{ include "nimbus-kyverno.fullname" . }}-clusterrole 9 | subjects: 10 | - kind: ServiceAccount 11 | name: {{ include "nimbus-kyverno.serviceAccountName" . }} 12 | namespace: {{ .Release.Namespace }} -------------------------------------------------------------------------------- /deployments/nimbus-kyverno/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "nimbus-kyverno.serviceAccountName" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "nimbus-kyverno.labels" . 
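| nindent 4 }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}
--------------------------------------------------------------------------------
/deployments/nimbus-kyverno/values.yaml:
--------------------------------------------------------------------------------
image:
  repository: 5gsec/nimbus-kyverno
  pullPolicy: Always
  # Overrides the image tag whose default is the chart appVersion.
  # This is a mutable tag pulled with Always; pin an immutable tag or a digest
  # (repository@sha256:...) for production deployments.
  tag: "v0.4"
nameOverride: ""
fullnameOverride: "nimbus-kyverno"
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Automatically mount a ServiceAccount's API credentials?
  # The adapter calls the API server (see role.yaml), so keep this true.
  automount: true
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: "nimbus-kyverno"
podSecurityContext:
  fsGroup: 2000
securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  # Required by the "restricted" Pod Security Standard; without them the pod
  # is rejected in restricted namespaces and setuid binaries could regain
  # privileges.
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault
resources:
  limits:
    cpu: 50m
    memory: 64Mi
  requests:
    cpu: 50m
    memory: 64Mi
# Deploy engine
autoDeploy: true
--------------------------------------------------------------------------------
/deployments/nimbus-netpol/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.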
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /deployments/nimbus-netpol/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: nimbus-netpol 3 | description: A Helm chart for Kubernetes NetworkPolicy as an adapter for Nimbus. 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.1.3 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | # It is recommended to use it with quotes. 
24 | appVersion: "0.1.2" 25 | -------------------------------------------------------------------------------- /deployments/nimbus-netpol/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Thank you for installing nimbus-netpol. 2 | 3 | Your release is named '{{ include "nimbus-netpol.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace. 4 | -------------------------------------------------------------------------------- /deployments/nimbus-netpol/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "nimbus-netpol.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "nimbus-netpol.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "nimbus-netpol.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "nimbus-netpol.labels" -}} 37 | helm.sh/chart: {{ include "nimbus-netpol.chart" . }} 38 | {{ include "nimbus-netpol.selectorLabels" . 
}} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "nimbus-netpol.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "nimbus-netpol.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "nimbus-netpol.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "nimbus-netpol.fullname" .) .Values.serviceAccount.name }} 59 | {{- else }} 60 | {{- default "default" .Values.serviceAccount.name }} 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /deployments/nimbus-netpol/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "nimbus-netpol.fullname" . }} 5 | labels: 6 | {{- include "nimbus-netpol.labels" . | nindent 4 }} 7 | namespace: {{ .Release.Namespace }} 8 | spec: 9 | selector: 10 | matchLabels: 11 | {{- include "nimbus-netpol.selectorLabels" . | nindent 6 }} 12 | template: 13 | metadata: 14 | labels: 15 | {{- include "nimbus-netpol.labels" . | nindent 8 }} 16 | spec: 17 | serviceAccountName: {{ include "nimbus-netpol.serviceAccountName" . 
}} 18 | containers: 19 | - name: {{ .Values.fullnameOverride }} 20 | securityContext: 21 | {{- toYaml .Values.securityContext | nindent 12 }} 22 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" 23 | imagePullPolicy: {{ .Values.image.pullPolicy }} 24 | resources: 25 | {{- toYaml .Values.resources | nindent 12 }} 26 | -------------------------------------------------------------------------------- /deployments/nimbus-netpol/templates/role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ include "nimbus-netpol.fullname" . }}-clusterrole 5 | rules: 6 | - apiGroups: 7 | - intent.security.nimbus.com 8 | resources: 9 | - nimbuspolicies 10 | - clusternimbuspolicies 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - intent.security.nimbus.com 17 | resources: 18 | - nimbuspolicies/status 19 | - clusternimbuspolicies/status 20 | verbs: 21 | - get 22 | - patch 23 | - update 24 | - apiGroups: 25 | - networking.k8s.io 26 | resources: 27 | - networkpolicies 28 | verbs: 29 | - create 30 | - list 31 | - get 32 | - update 33 | - watch 34 | -------------------------------------------------------------------------------- /deployments/nimbus-netpol/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: {{ include "nimbus-netpol.fullname" . }}-clusterrole-binding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: {{ include "nimbus-netpol.fullname" . }}-clusterrole 9 | subjects: 10 | - kind: ServiceAccount 11 | name: {{ include "nimbus-netpol.serviceAccountName" . 
}} 12 | namespace: {{ .Release.Namespace }} -------------------------------------------------------------------------------- /deployments/nimbus-netpol/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "nimbus-netpol.serviceAccountName" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "nimbus-netpol.labels" . | nindent 4 }} 9 | automountServiceAccountToken: {{ .Values.serviceAccount.automount }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /deployments/nimbus-netpol/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for nimbus-netpol. 2 | 3 | image: 4 | repository: 5gsec/nimbus-netpol 5 | pullPolicy: Always 6 | # Overrides the image tag whose default is the chart appVersion. 7 | tag: "v0.4" 8 | nameOverride: "" 9 | fullnameOverride: "nimbus-netpol" 10 | serviceAccount: 11 | # Specifies whether a service account should be created 12 | create: true 13 | # Automatically mount a ServiceAccount's API credentials? 14 | automount: true 15 | # The name of the service account to use. 16 | # If not set and create is true, a name is generated using the fullname template 17 | name: "nimbus-netpol" 18 | podSecurityContext: 19 | fsGroup: 2000 20 | securityContext: 21 | capabilities: 22 | drop: 23 | - ALL 24 | readOnlyRootFilesystem: true 25 | runAsNonRoot: true 26 | runAsUser: 1000 27 | resources: 28 | limits: 29 | cpu: 50m 30 | memory: 64Mi 31 | requests: 32 | cpu: 50m 33 | memory: 64Mi 34 | -------------------------------------------------------------------------------- /deployments/nimbus/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 
2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /deployments/nimbus/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: nimbus 3 | description: A Helm chart for Nimbus operator. 4 | type: application 5 | kubeVersion: ">= 1.25" 6 | # This is the chart version. This version number should be incremented each time you make changes 7 | # to the chart and its templates, including the app version. 8 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 9 | 10 | version: "0.1.2" 11 | # This is the version number of the application being deployed. This version number should be 12 | # incremented each time you make changes to the application. Versions are not expected to 13 | # follow Semantic Versioning. They should reflect the version the application is using. 14 | # It is recommended to use it with quotes. 
15 | 16 | appVersion: "0.1.1" 17 | 18 | dependencies: 19 | - name: nimbus-kubearmor 20 | version: ">= 0.1.2" 21 | repository: https://5gsec.github.io/charts 22 | condition: autoDeploy.kubearmor 23 | 24 | - name: nimbus-netpol 25 | version: ">= 0.1.2" 26 | repository: https://5gsec.github.io/charts 27 | condition: autoDeploy.netpol 28 | 29 | - name: nimbus-kyverno 30 | version: ">= 0.1.0" 31 | repository: https://5gsec.github.io/charts 32 | condition: autoDeploy.kyverno 33 | 34 | - name: nimbus-k8tls 35 | version: ">= 0.1.0" 36 | repository: https://5gsec.github.io/charts 37 | condition: autoDeploy.k8tls 38 | -------------------------------------------------------------------------------- /deployments/nimbus/Readme.md: -------------------------------------------------------------------------------- 1 | # Install Nimbus 2 | 3 | Install Nimbus operator using the official 5GSEC Helm charts. 4 | 5 | ```shell 6 | helm repo add 5gsec https://5gsec.github.io/charts 7 | helm repo update 5gsec 8 | helm upgrade --dependency-update --install nimbus-operator 5gsec/nimbus -n nimbus --create-namespace 9 | ``` 10 | 11 | Install Nimbus using Helm charts locally (for testing) 12 | 13 | ```bash 14 | cd deployments/nimbus/ 15 | helm upgrade --dependency-update --install nimbus-operator . 
-n nimbus --create-namespace 16 | ``` 17 | 18 | ## Values 19 | 20 | | Key | Type | Default | Description | 21 | |----------------------|--------|--------------|---------------------------------------------------------------------------------------------------------------------------| 22 | | image.repository | string | 5gsec/nimbus | Image repository from which to pull the operator image | 23 | | image.pullPolicy | string | Always | Operator image pull policy | 24 | | image.tag | string | latest | Operator image tag | 25 | | autoDeploy.kubearmor | bool | true | Auto deploy [KubeArmor](https://kubearmor.io/) adapter | 26 | | autoDeploy.netpol | bool | true | Auto deploy [Kubernetes NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) adapter | 27 | | autoDeploy.kyverno | bool | true | Auto deploy [Kyverno](https://kyverno.io/) adapter | 28 | 29 | ## Uninstall the Operator 30 | 31 | To uninstall, just run: 32 | 33 | ```bash 34 | helm uninstall nimbus-operator -n nimbus 35 | ``` 36 | -------------------------------------------------------------------------------- /deployments/nimbus/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Thank you for installing Nimbus suite. 2 | 3 | Your release is named '{{ include "nimbus.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace. 4 | {{printf "" }} 5 | 6 | {{- if .Values.autoDeploy.kubearmor }} 7 | Deployed nimbus-kubearmor adapter along with KubeArmor security engine in '{{ .Release.Namespace }}' namespace. 8 | {{ printf "" }} 9 | {{- end}} 10 | 11 | {{- if .Values.autoDeploy.kyverno }} 12 | Deployed nimbus-kyverno adapter along with Kyverno security engine in '{{ .Release.Namespace }}' namespace. 13 | {{ printf "" }} 14 | {{- end}} 15 | 16 | {{- if .Values.autoDeploy.k8tls }} 17 | Deployed nimbus-k8tls adapter in '{{ .Release.Namespace }}' namespace. 
18 | {{ printf "" }} 19 | {{- end}} 20 | 21 | {{- if .Values.autoDeploy.netpol }} 22 | Deployed nimbus-netpol adapter in '{{ .Release.Namespace }}' namespace. 23 | {{- end}} 24 | -------------------------------------------------------------------------------- /deployments/nimbus/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "nimbus.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "nimbus.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "nimbus.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "nimbus.labels" -}} 37 | helm.sh/chart: {{ include "nimbus.chart" . }} 38 | {{ include "nimbus.selectorLabels" . 
}} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "nimbus.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "nimbus.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "nimbus.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "nimbus.fullname" .) .Values.serviceAccount.name }} 59 | {{- else }} 60 | {{- default "default" .Values.serviceAccount.name }} 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /deployments/nimbus/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "nimbus.fullname" . }} 5 | labels: 6 | {{- include "nimbus.labels" . | nindent 4 }} 7 | namespace: {{ .Release.Namespace }} 8 | spec: 9 | replicas: {{ .Values.replicaCount }} 10 | selector: 11 | matchLabels: 12 | {{- include "nimbus.selectorLabels" . | nindent 6 }} 13 | template: 14 | metadata: 15 | labels: 16 | {{- include "nimbus.labels" . | nindent 8 }} 17 | spec: 18 | serviceAccountName: {{ include "nimbus.serviceAccountName" . 
}} 19 | containers: 20 | - name: {{ .Values.fullnameOverride }} 21 | securityContext: 22 | {{- toYaml .Values.securityContext | nindent 12 }} 23 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" 24 | imagePullPolicy: {{ .Values.image.pullPolicy }} 25 | livenessProbe: 26 | {{- toYaml .Values.livenessProbe | nindent 12 }} 27 | readinessProbe: 28 | {{- toYaml .Values.readinessProbe | nindent 12 }} 29 | resources: 30 | {{- toYaml .Values.resources | nindent 12 }} 31 | -------------------------------------------------------------------------------- /deployments/nimbus/templates/rolebindings.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: {{ include "nimbus.fullname" . }}-election-rolebinding 5 | namespace: {{ .Release.Namespace }} 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: Role 9 | name: {{ include "nimbus.fullname" . }}-leader-election-role 10 | subjects: 11 | - kind: ServiceAccount 12 | name: {{ include "nimbus.serviceAccountName" . }} 13 | namespace: {{ .Release.Namespace }} 14 | --- 15 | apiVersion: rbac.authorization.k8s.io/v1 16 | kind: ClusterRoleBinding 17 | metadata: 18 | name: {{ include "nimbus.fullname" . }} 19 | roleRef: 20 | apiGroup: rbac.authorization.k8s.io 21 | kind: ClusterRole 22 | name: nimbus-operator 23 | subjects: 24 | - kind: ServiceAccount 25 | name: nimbus-operator 26 | namespace: {{ .Release.Namespace }} -------------------------------------------------------------------------------- /deployments/nimbus/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "nimbus.serviceAccountName" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "nimbus.labels" . 
| nindent 4 }} 9 | automountServiceAccountToken: {{ .Values.serviceAccount.automount }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /deployments/nimbus/values.yaml: -------------------------------------------------------------------------------- 1 | # Deploy adapters 2 | autoDeploy: 3 | kubearmor: true 4 | netpol: true 5 | kyverno: true 6 | k8tls: true 7 | replicaCount: 1 8 | image: 9 | repository: 5gsec/nimbus 10 | pullPolicy: Always 11 | # Overrides the image tag whose default is the chart appVersion. 12 | tag: "v0.4" 13 | nameOverride: "" 14 | fullnameOverride: "nimbus-operator" 15 | serviceAccount: 16 | # Specifies whether a service account should be created 17 | create: true 18 | # Automatically mount a ServiceAccount's API credentials? 19 | automount: true 20 | # The name of the service account to use. 21 | # If not set and create is true, a name is generated using the fullname template 22 | name: "nimbus-operator" 23 | podSecurityContext: 24 | fsGroup: 2000 25 | securityContext: 26 | capabilities: 27 | drop: 28 | - ALL 29 | readOnlyRootFilesystem: true 30 | runAsNonRoot: true 31 | runAsUser: 1000 32 | resources: 33 | limits: 34 | cpu: 100m 35 | memory: 128Mi 36 | requests: 37 | cpu: 100m 38 | memory: 128Mi 39 | livenessProbe: 40 | httpGet: 41 | path: /healthz 42 | port: 8081 43 | readinessProbe: 44 | httpGet: 45 | path: /readyz 46 | port: 8081 47 | -------------------------------------------------------------------------------- /docs/assets/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/assets/1.jpg -------------------------------------------------------------------------------- /docs/assets/2.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/assets/2.jpg -------------------------------------------------------------------------------- /docs/assets/3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/assets/3.jpg -------------------------------------------------------------------------------- /docs/assets/4.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/assets/4.jpg -------------------------------------------------------------------------------- /docs/attack-emulation/dns-manipulation/images/create-adversary.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/dns-manipulation/images/create-adversary.png -------------------------------------------------------------------------------- /docs/attack-emulation/dns-manipulation/images/create-nginx-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/dns-manipulation/images/create-nginx-pod.png -------------------------------------------------------------------------------- /docs/attack-emulation/dns-manipulation/images/delete-nginx-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/dns-manipulation/images/delete-nginx-pod.png -------------------------------------------------------------------------------- /docs/attack-emulation/dns-manipulation/images/edit-dns-info.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/dns-manipulation/images/edit-dns-info.png -------------------------------------------------------------------------------- /docs/attack-emulation/dns-manipulation/images/emulation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/dns-manipulation/images/emulation.png -------------------------------------------------------------------------------- /docs/attack-emulation/dns-manipulation/images/operation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/dns-manipulation/images/operation.png -------------------------------------------------------------------------------- /docs/attack-emulation/dns-manipulation/images/print-resolv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/dns-manipulation/images/print-resolv.png -------------------------------------------------------------------------------- /docs/attack-emulation/escape-to-host/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## Defining Abilities 3 | 4 | Since dns-manipulation doesn't pre-exist in caldera abilities so we need to define the abilities by ourselves. 
5 | 6 | ### Create abilities 7 | 8 | Commands 9 | 10 | 11 | ```bash 12 | kubectl create -f https://raw.githubusercontent.com/5GSEC/nimbus/main/docs/attack-emulation/pod.yaml 13 | ``` 14 | 15 | ```bash 16 | kubectl get pods nginx 17 | ``` 18 | 19 | ```bash 20 | kubectl exec nginx -- bash -c "echo 'hello world!' >> /test-pd/hello.txt" 21 | ``` 22 | 23 | ```bash 24 | kubectl delete pod nginx 25 | ``` 26 | 27 | ### Create test pod 28 | 29 | ![alt text](images/create-test-pod.png) 30 | 31 | ### Get the pod 32 | 33 | ![alt text](images/get-pod.png) 34 | 35 | ### Make changes in hostpath 36 | 37 | ![alt text](images/make-changes.png) 38 | 39 | ### Delete test pod 40 | 41 | ![alt text](images/delete-test-pod.png) 42 | 43 | 44 | ## Create Adversary 45 | 46 | - `+` New Profile 47 | - `+` Add Ability 48 | 49 | ![alt text](images/create-adversary.png) 50 | 51 | ## Create Operation 52 | 53 | - `+` New Operation 54 | - set Adversary 55 | 56 | ![alt text](images/operation.png) 57 | 58 | 59 | ## Attack Emulation 60 | 61 | After creating the operation click on start to start the attack, optionally you can also check locally in your terminal that whether the caldera agent is working as expected or not. 62 | 63 | ![alt text](images/emulation.png) 64 | 65 | 66 | 67 | ## Mitigation 68 | 69 | For the mitigation of `Escape-to-host` we need nimbus-kyverno adapter to be in-place: 70 | - First we need to install nimbus, you can do so by following the steps over [here](../../docs/getting-started.md#nimbus). 71 | - Now you can follow the guide [here](../../docs/getting-started.md#nimbus-kyverno) to install nimbus-kyverno adapter. 72 | - Now apply the escape-host-intent in your cluster as defined [here](../../examples/clusterscoped/escape-to-host-si-sib.yaml) and then try to re-run the attack, you'll see that now the agent will not be able to create a vulnerable pod. Resulting the failure in step-1 as defined above. 
-------------------------------------------------------------------------------- /docs/attack-emulation/escape-to-host/images/create-adversary.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/escape-to-host/images/create-adversary.png -------------------------------------------------------------------------------- /docs/attack-emulation/escape-to-host/images/create-test-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/escape-to-host/images/create-test-pod.png -------------------------------------------------------------------------------- /docs/attack-emulation/escape-to-host/images/delete-test-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/escape-to-host/images/delete-test-pod.png -------------------------------------------------------------------------------- /docs/attack-emulation/escape-to-host/images/emulation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/escape-to-host/images/emulation.png -------------------------------------------------------------------------------- /docs/attack-emulation/escape-to-host/images/get-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/escape-to-host/images/get-pod.png -------------------------------------------------------------------------------- 
/docs/attack-emulation/escape-to-host/images/make-changes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/escape-to-host/images/make-changes.png -------------------------------------------------------------------------------- /docs/attack-emulation/escape-to-host/images/operation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/escape-to-host/images/operation.png -------------------------------------------------------------------------------- /docs/attack-emulation/exploit-pfa/images/clone-repo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/exploit-pfa/images/clone-repo.png -------------------------------------------------------------------------------- /docs/attack-emulation/exploit-pfa/images/create-adversary.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/exploit-pfa/images/create-adversary.png -------------------------------------------------------------------------------- /docs/attack-emulation/exploit-pfa/images/create-test-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/exploit-pfa/images/create-test-pod.png -------------------------------------------------------------------------------- /docs/attack-emulation/exploit-pfa/images/delete-test-pod.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/exploit-pfa/images/delete-test-pod.png -------------------------------------------------------------------------------- /docs/attack-emulation/exploit-pfa/images/emulation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/exploit-pfa/images/emulation.png -------------------------------------------------------------------------------- /docs/attack-emulation/exploit-pfa/images/get-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/exploit-pfa/images/get-pod.png -------------------------------------------------------------------------------- /docs/attack-emulation/exploit-pfa/images/install-git.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/exploit-pfa/images/install-git.png -------------------------------------------------------------------------------- /docs/attack-emulation/exploit-pfa/images/move-git.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/exploit-pfa/images/move-git.png -------------------------------------------------------------------------------- /docs/attack-emulation/exploit-pfa/images/operation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/exploit-pfa/images/operation.png 
-------------------------------------------------------------------------------- /docs/attack-emulation/images/agent-running.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/images/agent-running.png -------------------------------------------------------------------------------- /docs/attack-emulation/images/agent.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/attack-emulation/images/agent.png -------------------------------------------------------------------------------- /docs/attack-emulation/pod.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: nginx 5 | labels: 6 | app: nginx 7 | spec: 8 | containers: 9 | - image: nginx 10 | name: test-container 11 | volumeMounts: 12 | - mountPath: /test-pd 13 | name: test-volume 14 | volumes: 15 | - name: test-volume 16 | hostPath: 17 | path: /test-data 18 | type: DirectoryOrCreate -------------------------------------------------------------------------------- /docs/crd/Readme.md: -------------------------------------------------------------------------------- 1 | # Nimbus API 2 | 3 | This document provides guidance on extending and maintaining the [Nimbus API](../../api) 4 | 5 | ## Concepts 6 | 7 | * https://kubernetes.io/docs/reference/using-api/api-concepts/ 8 | * https://kubernetes.io/docs/reference/using-api/ 9 | * https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/ 10 | * https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md 11 | 12 | ## API Groups 13 | 14 | All Nimbus resources are currently defined in the `intent.security.nimbus.com` API group. 
15 | 16 | ## API Versions 17 | 18 | This `intent.security.nimbus.com` has the following versions: 19 | 20 | * v1alpha1 21 | 22 | ## Adding a new attribute 23 | 24 | New attributes can be added to existing resources without impacting compatibility. They do not require a new version. 25 | 26 | ## Deleting an attribute 27 | 28 | Attributes cannot be deleted in a version. They should be marked for deprecation and removed after 3 releases. 29 | 30 | ## Modifying an attribute 31 | 32 | Attributes cannot be modified in a version. The existing attribute should be marked for deprecation and a new attribute 33 | should be added following version compatibility guidelines. 34 | -------------------------------------------------------------------------------- /docs/intents/coco-workload.md: -------------------------------------------------------------------------------- 1 | ## Objective 2 | 3 | The coco-workload intent likely aims to enhance security by ensuring that sensitive workloads are executed in environments that provide confidentiality and isolation. This could involve leveraging technologies like Confidential VMs, which are designed to protect data in use, thereby reducing the risk of data exposure or leakage. 4 | 5 | 6 | **Note** : For the escapeToHost intent one needs to have either [nimbus-kyverno](../../deployments/nimbus-kyverno/Readme.md) adapter running in their cluster. To install the complete suite with all the adapters pls follow the steps mentioned [here](../getting-started.md#nimbus) 7 | 8 | ## Policy Creation 9 | 10 | ### Kyverno Policy 11 | 12 | #### Prereq 13 | 14 | - K8s cluster nodes need to have nested virtualization enabled for the confidential containers intent. Additionally kvm needs to be installed ([ubuntu-kvm](https://help.ubuntu.com/community/KVM/Installation)). 15 | 16 | - One should have [ConfidentialContainers](../getting-started.md#confidential-containers) runner installed in their cluster. 
17 | 18 | #### Policy Description 19 | 20 | - The policy is designed to operate during the admission phase (admission: true), meaning it will enforce rules when workloads (like Deployments) are created. The background: true setting indicates that the policy can also apply to existing resources in the background, ensuring compliance over time. Apply on existing resource means that the policy will can generate policy reports for the resources which are ommitting the compliance defined by the policy. 21 | 22 | - The key action in this policy is to mutate the workload by adding a runtimeClassName: kata-clh to the Deployment's spec. This is crucial because kata-clh likely refers to a runtime class configured to use Confidential VMs. By ensuring that the workload runs under this runtime, the policy enforces that the deployment is secured within a Confidential VM. User can apply any runtimeClassName by specifying it as a intent param. 23 | 24 | 25 | ``` 26 | params: 27 | runtimeClass: ["kata-qemu"] 28 | ``` 29 | 30 | 31 | -------------------------------------------------------------------------------- /docs/intents/pkg-mgr-execution.md: -------------------------------------------------------------------------------- 1 | ## Objective 2 | 3 | - The `pkg-mgr-execution` intent likely aims to prevent unauthorized or potentially harmful package management operations. This is critical in a Kubernetes environment, where package managers can be exploited by adversaries to install malicious software or manipulate existing applications. 4 | 5 | **Note** : For the exploit-pfa intent one needs to have [nimbus-kubearmor](../../deployments/nimbus-kubearmor/Readme.md) adapter running in their cluster. To install the complete suite with all the adapters pls follow the steps mentioned [here](../getting-started.md#nimbus) 6 | 7 | ## Policy Creation 8 | 9 | The exploit-pfa intent results in `KubeArmorPolicy`. 
Below is the behaviour of intent in terms of policy: 10 | 11 | ### KubeArmorPolicy 12 | 13 | #### Prereq 14 | 15 | - For the `KubeArmorPolicy` to work, one should have a [BPF-LSM](https://github.com/kubearmor/KubeArmor/blob/main/getting-started/FAQ.md#checking-and-enabling-support-for-bpf-lsm) enabled for each node in their cluster. 16 | 17 | #### Policy Description 18 | 19 | - The KubeArmorPolicy created here specifies that any attempt to execute certain package management commands will be blocked. This is a proactive security measure to prevent unauthorized changes to the system. 20 | 21 | - By blocking execution of these critical pkg-mgmt tools, the policy significantly reduces the attack surface for the application. This prevents attackers from executing potentially malicious scripts or binaries that could lead to data breaches or further compromises. -------------------------------------------------------------------------------- /docs/nimbus.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5GSEC/nimbus/67712a9f02b4464c4d50e6f915c9323d30d1f879/docs/nimbus.png -------------------------------------------------------------------------------- /examples/clusterscoped/assesstls-default.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: assess-tls-default 8 | spec: 9 | intent: 10 | id: assessTLS 11 | action: Audit 12 | description: | 13 | Assess the TLS configuration to ensure compliance with the security standards. This includes verifying TLS protocol version, 14 | certificate validity and FIPS-140-3 approved cipher suites. 
Reference: MITRE FiGHT Technique: FGT5011
Reference: MITRE FiGHT Technique: FGT5011
Reference: MITRE FiGHT Technique: FGT5011
escape-to-host 21 | selector: 22 | nsSelector: 23 | matchNames: 24 | - "*" 25 | -------------------------------------------------------------------------------- /examples/clusterscoped/csib-2-match-names.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: escape-to-host 8 | spec: 9 | intent: 10 | id: escapeToHost 11 | description: "A attacker can breach container boundaries and can gain access to the host machine" 12 | action: Block 13 | --- 14 | apiVersion: intent.security.nimbus.com/v1alpha1 15 | kind: ClusterSecurityIntentBinding 16 | metadata: 17 | name: escape-to-host-binding 18 | spec: 19 | intents: 20 | - name: escape-to-host 21 | selector: 22 | nsSelector: 23 | matchNames: 24 | - ns-1 25 | - ns-2 26 | -------------------------------------------------------------------------------- /examples/clusterscoped/csib-3-exclude-names.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: escape-to-host 8 | spec: 9 | intent: 10 | id: escapeToHost 11 | description: "A attacker can breach container boundaries and can gain access to the host machine" 12 | action: Block 13 | --- 14 | apiVersion: intent.security.nimbus.com/v1alpha1 15 | kind: ClusterSecurityIntentBinding 16 | metadata: 17 | name: escape-to-host-binding 18 | spec: 19 | intents: 20 | - name: escape-to-host 21 | selector: 22 | nsSelector: 23 | matchNames: 24 | - "*" 25 | excludeNames: 26 | - ns-2 27 | - ns-3 28 | -------------------------------------------------------------------------------- /examples/clusterscoped/deny-external-network-access.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: intent.security.nimbus.com/v1alpha1 2 | kind: SecurityIntent 3 | metadata: 4 | name: deny-ext-nw-access 5 | spec: 6 | intent: 7 | id: denyExternalNetworkAccess 8 | description: "Deny external network access to prevent data exfiltration" 9 | action: Block 10 | 11 | --- 12 | 13 | apiVersion: intent.security.nimbus.com/v1alpha1 14 | kind: ClusterSecurityIntentBinding 15 | metadata: 16 | name: deny-ext-nw-access-foo-binding 17 | spec: 18 | intents: 19 | - name: deny-ext-nw-access 20 | selector: 21 | nsSelector: 22 | matchNames: 23 | - default 24 | workloadSelector: 25 | matchLabels: 26 | app: nginx -------------------------------------------------------------------------------- /examples/clusterscoped/escape-to-host-si-csib-with-params.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: escape-to-host 8 | spec: 9 | intent: 10 | id: escapeToHost 11 | description: "A attacker can breach container boundaries and can gain access to the host machine" 12 | action: Block 13 | params: 14 | psaLevel: ["restricted"] 15 | --- 16 | apiVersion: intent.security.nimbus.com/v1alpha1 17 | kind: ClusterSecurityIntentBinding 18 | metadata: 19 | name: escape-to-host-binding 20 | spec: 21 | intents: 22 | - name: escape-to-host 23 | selector: 24 | nsSelector: 25 | matchNames: 26 | - default 27 | workloadSelector: 28 | matchLabels: 29 | app: nginx 30 | env: dev -------------------------------------------------------------------------------- /examples/env/httpd-deploy.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: apps/v1 5 | kind: Deployment 
6 | metadata: 7 | labels: 8 | app: httpd 9 | name: httpd 10 | spec: 11 | replicas: 1 12 | selector: 13 | matchLabels: 14 | app: httpd 15 | template: 16 | metadata: 17 | labels: 18 | app: httpd 19 | spec: 20 | containers: 21 | - image: httpd 22 | imagePullPolicy: Always 23 | name: httpd 24 | -------------------------------------------------------------------------------- /examples/env/nginx-deploy.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: apps/v1 5 | kind: Deployment 6 | metadata: 7 | labels: 8 | app: nginx 9 | name: nginx 10 | spec: 11 | replicas: 1 12 | selector: 13 | matchLabels: 14 | app: nginx 15 | template: 16 | metadata: 17 | labels: 18 | app: nginx 19 | spec: 20 | containers: 21 | - image: nginx 22 | imagePullPolicy: Always 23 | name: nginx 24 | -------------------------------------------------------------------------------- /examples/namespaced/coco-workload-si-sib.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: intent.security.nimbus.com/v1alpha1 2 | kind: SecurityIntent 3 | metadata: 4 | name: coco-workload 5 | spec: 6 | intent: 7 | id: cocoWorkload 8 | description: "Ensure workload is encryted by running the specified workload in a Confidential VM" 9 | action: Block 10 | params: 11 | runtimeClass: ["kata-qemu"] 12 | --- 13 | apiVersion: intent.security.nimbus.com/v1alpha1 14 | kind: SecurityIntentBinding 15 | metadata: 16 | name: coco-workload-binding 17 | spec: 18 | intents: 19 | - name: coco-workload 20 | selector: 21 | workloadSelector: 22 | matchLabels: 23 | app: nginx 24 | app1: test -------------------------------------------------------------------------------- /examples/namespaced/dns-manipulation-si-sib.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 
2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: dns-manipulation 8 | spec: 9 | intent: 10 | id: dnsManipulation 11 | description: "An adversary can manipulate DNS requests to redirect network traffic and potentially reveal end user activity." 12 | action: Block 13 | --- 14 | apiVersion: intent.security.nimbus.com/v1alpha1 15 | kind: SecurityIntentBinding 16 | metadata: 17 | name: dns-manipulation-binding 18 | spec: 19 | intents: 20 | - name: dns-manipulation 21 | selector: 22 | workloadSelector: 23 | matchLabels: 24 | app: nginx 25 | -------------------------------------------------------------------------------- /examples/namespaced/escape-to-host-si-sib.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: escape-to-host 8 | spec: 9 | intent: 10 | id: escapeToHost 11 | description: "A attacker can breach container boundaries and can gain access to the host machine" 12 | action: Block 13 | 14 | --- 15 | 16 | apiVersion: intent.security.nimbus.com/v1alpha1 17 | kind: SecurityIntentBinding 18 | metadata: 19 | name: escape-to-host-binding 20 | spec: 21 | intents: 22 | - name: escape-to-host 23 | selector: 24 | workloadSelector: 25 | matchLabels: 26 | app: nginx 27 | -------------------------------------------------------------------------------- /examples/namespaced/escape-to-host-with-params.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: escape-to-host 8 | spec: 9 | intent: 10 | id: escapeToHost 11 | description: "A attacker can breach container 
boundaries and can gain access to the host machine" 12 | action: Block 13 | params: 14 | psaLevel: ["restricted"] 15 | --- 16 | apiVersion: intent.security.nimbus.com/v1alpha1 17 | kind: SecurityIntentBinding 18 | metadata: 19 | name: escape-to-host-binding 20 | spec: 21 | intents: 22 | - name: escape-to-host 23 | selector: 24 | workloadSelector: 25 | matchLabels: 26 | app: nginx 27 | -------------------------------------------------------------------------------- /examples/namespaced/exploit-pfa-si-sib.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: exploit-pfa 8 | spec: 9 | intent: 10 | id: preventExecutionFromTempOrLogsFolders 11 | description: "Mitigate the execution of harmful binaries which may result in exploiting public facing application" 12 | action: Block 13 | --- 14 | apiVersion: intent.security.nimbus.com/v1alpha1 15 | kind: SecurityIntentBinding 16 | metadata: 17 | name: exploit-pfa-binding 18 | spec: 19 | intents: 20 | - name: exploit-pfa 21 | selector: 22 | workloadSelector: 23 | matchLabels: 24 | app: nginx 25 | -------------------------------------------------------------------------------- /examples/namespaced/multiple-si-sib-namespaced.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: pkg-mgr-exec-multiple-nsscoped 8 | spec: 9 | intent: 10 | id: swDeploymentTools 11 | action: Block 12 | --- 13 | apiVersion: intent.security.nimbus.com/v1alpha1 14 | kind: SecurityIntent 15 | metadata: 16 | name: unauthorized-sa-token-access-multiple-nsscoped 17 | spec: 18 | intent: 19 | id: unAuthorizedSaTokenAccess 20 | 
action: Block 21 | --- 22 | apiVersion: intent.security.nimbus.com/v1alpha1 23 | kind: SecurityIntent 24 | metadata: 25 | name: dns-manipulation-multiple-nsscoped 26 | spec: 27 | intent: 28 | id: dnsManipulation 29 | action: Block 30 | --- 31 | apiVersion: intent.security.nimbus.com/v1alpha1 32 | kind: SecurityIntentBinding 33 | metadata: 34 | name: multiple-sis-nsscoped-binding 35 | spec: 36 | intents: 37 | - name: pkg-mgr-exec-multiple-nsscoped 38 | - name: unauthorized-sa-token-access-multiple-nsscoped 39 | - name: dns-manipulation-multiple-nsscoped 40 | selector: 41 | workloadSelector: 42 | matchLabels: 43 | app: nginx 44 | -------------------------------------------------------------------------------- /examples/namespaced/pkg-mgr-exec-si-sib.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: pkg-mgr-execution 8 | spec: 9 | intent: 10 | id: swDeploymentTools 11 | description: > 12 | Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, 13 | and deployment systems, to move laterally through the network. 
14 | action: Block 15 | --- 16 | apiVersion: intent.security.nimbus.com/v1alpha1 17 | kind: SecurityIntentBinding 18 | metadata: 19 | name: pkg-mgr-execution-binding 20 | spec: 21 | intents: 22 | - name: pkg-mgr-execution 23 | selector: 24 | workloadSelector: 25 | matchLabels: 26 | app: nginx 27 | -------------------------------------------------------------------------------- /examples/namespaced/virtual-patch-si-sib.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: virtual-patch 8 | spec: 9 | intent: 10 | id: virtualPatch 11 | description: > 12 | There might exist CVE's associated with certain images, adversaries might exploit these CVE and can cause potential threat, 13 | to any production server. Check and apply virtual patch for a given set of CVEs as per a schedule 14 | action: Block 15 | params: 16 | cveList: 17 | - "CVE-2024-4439" 18 | - "CVE-2024-27268" 19 | schedule: ["0 23 * * SUN"] 20 | 21 | --- 22 | 23 | apiVersion: intent.security.nimbus.com/v1alpha1 24 | kind: SecurityIntentBinding 25 | metadata: 26 | name: virtual-patch-binding 27 | spec: 28 | intents: 29 | - name: virtual-patch 30 | selector: 31 | workloadSelector: 32 | matchLabels: 33 | app: prod -------------------------------------------------------------------------------- /hack/boilerplate.go.txt: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | // Copyright 2023 Authors of Nimbus 3 | -------------------------------------------------------------------------------- /pkg/adapter/common/common.go: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | // Copyright 2023 Authors of Nimbus 3 | 4 | package common 5 | 6 | type 
Request struct { 7 | Name string 8 | Namespace string 9 | } 10 | 11 | type ContextKey string 12 | 13 | const ( 14 | K8sClientKey ContextKey = "k8sClient" 15 | NamespaceNameKey ContextKey = "K8tlsNamespace" 16 | ) 17 | -------------------------------------------------------------------------------- /pkg/adapter/nimbus-k8tls/.dockerignore: -------------------------------------------------------------------------------- 1 | bin/ 2 | -------------------------------------------------------------------------------- /pkg/adapter/nimbus-k8tls/Dockerfile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | FROM golang:1.22 AS builder 5 | ARG TARGETOS 6 | ARG TARGETARCH 7 | 8 | # Required to embed build info into binary. 9 | COPY .git /.git 10 | 11 | WORKDIR /nimbus 12 | 13 | # relative deps requried by the adapter 14 | ADD api/ api/ 15 | ADD pkg/ pkg/ 16 | ADD go.mod go.mod 17 | ADD go.sum go.sum 18 | 19 | ARG ADAPTER_DIR=pkg/adapter/nimbus-k8tls 20 | WORKDIR /nimbus/$ADAPTER_DIR 21 | 22 | COPY $ADAPTER_DIR/go.mod go.mod 23 | # cache deps before building and copying source so that we don't need to re-download as much 24 | # and so that source changes don't invalidate our downloaded layer 25 | RUN go mod download 26 | 27 | COPY $ADAPTER_DIR/manager manager 28 | COPY $ADAPTER_DIR/builder builder 29 | COPY $ADAPTER_DIR/watcher watcher 30 | COPY $ADAPTER_DIR/main.go main.go 31 | COPY $ADAPTER_DIR/Makefile Makefile 32 | 33 | # Build 34 | # the GOARCH has not a default value to allow the binary be built according to the host where the command 35 | # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO 36 | # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. 
Therefore, 37 | # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. 38 | RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build 39 | 40 | FROM gcr.io/distroless/static:nonroot 41 | WORKDIR / 42 | COPY --from=builder /nimbus/pkg/adapter/nimbus-k8tls/bin/nimbus-k8tls . 43 | USER 65532:65532 44 | 45 | ENTRYPOINT ["/nimbus-k8tls"] 46 | -------------------------------------------------------------------------------- /pkg/adapter/nimbus-k8tls/main.go: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | // Copyright 2023 Authors of Nimbus 3 | 4 | package main 5 | 6 | import ( 7 | "context" 8 | "github.com/5GSEC/nimbus/pkg/util" 9 | "os" 10 | "os/signal" 11 | "syscall" 12 | 13 | ctrl "sigs.k8s.io/controller-runtime" 14 | "sigs.k8s.io/controller-runtime/pkg/log/zap" 15 | 16 | "github.com/5GSEC/nimbus/pkg/adapter/nimbus-k8tls/manager" 17 | ) 18 | 19 | func main() { 20 | ctrl.SetLogger(zap.New()) 21 | logger := ctrl.Log 22 | util.LogBuildInfo(logger) 23 | 24 | ctx, cancelFunc := context.WithCancel(context.Background()) 25 | ctrl.LoggerInto(ctx, logger) 26 | 27 | go func() { 28 | termChan := make(chan os.Signal) 29 | signal.Notify(termChan, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT) 30 | <-termChan 31 | logger.Info("Shutdown signal received, waiting for all workers to finish") 32 | cancelFunc() 33 | logger.Info("All workers finished, shutting down") 34 | }() 35 | 36 | logger.Info("K8TLS adapter started") 37 | manager.Run(ctx) 38 | } 39 | -------------------------------------------------------------------------------- /pkg/adapter/nimbus-k8tls/manager/k8tls.go: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | // Copyright 2023 Authors of Nimbus 3 | 4 | package manager 5 | 6 | import ( 7 | "context" 8 | 9 | corev1 
"k8s.io/api/core/v1" 10 | "sigs.k8s.io/controller-runtime/pkg/client" 11 | "sigs.k8s.io/controller-runtime/pkg/log" 12 | ) 13 | 14 | func k8tlsEnvExist(ctx context.Context, k8sClient client.Client) bool { 15 | logger := log.FromContext(ctx) 16 | 17 | ns := &corev1.Namespace{} 18 | if err := k8sClient.Get(ctx, client.ObjectKey{Name: K8tlsNamespace}, ns); err != nil { 19 | logger.Error(err, "'k8tls' namespace not found") 20 | return false 21 | } 22 | 23 | sa := &corev1.ServiceAccount{} 24 | if err := k8sClient.Get(ctx, client.ObjectKey{Name: k8tls, Namespace: K8tlsNamespace}, sa); err != nil { 25 | logger.Error(err, "'k8tls' serviceaccount not found") 26 | return false 27 | } 28 | 29 | // If the required ClusterRole and ClusterRoleBinding resources don't exist, the 30 | // job itself will describe/log that error. 31 | return true 32 | } 33 | -------------------------------------------------------------------------------- /pkg/adapter/nimbus-kubearmor/.dockerignore: -------------------------------------------------------------------------------- 1 | bin/ 2 | -------------------------------------------------------------------------------- /pkg/adapter/nimbus-kubearmor/Dockerfile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | # Build the nimbus-kubearmor binary 5 | FROM golang:1.22 AS builder 6 | ARG TARGETOS 7 | ARG TARGETARCH 8 | 9 | # Required to embed build info into binary. 
10 | COPY .git /.git 11 | 12 | WORKDIR /nimbus 13 | 14 | # relative deps requried by the adapter 15 | ADD api/ api/ 16 | ADD pkg/ pkg/ 17 | ADD go.mod go.mod 18 | ADD go.sum go.sum 19 | 20 | # nimbus-kubearmor directory 21 | ARG ADAPTER_DIR=pkg/adapter/nimbus-kubearmor 22 | WORKDIR /nimbus/$ADAPTER_DIR 23 | 24 | # # Copy Go modules and manifests 25 | COPY $ADAPTER_DIR/go.mod go.mod 26 | COPY $ADAPTER_DIR/go.sum go.sum 27 | 28 | # cache deps before building and copying source so that we don't need to re-download as much 29 | # and so that source changes don't invalidate our downloaded layer 30 | RUN go mod download 31 | 32 | COPY $ADAPTER_DIR/manager manager 33 | COPY $ADAPTER_DIR/processor processor 34 | COPY $ADAPTER_DIR/watcher watcher 35 | COPY $ADAPTER_DIR/main.go main.go 36 | COPY $ADAPTER_DIR/Makefile Makefile 37 | 38 | # Build 39 | # the GOARCH has not a default value to allow the binary be built according to the host where the command 40 | # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO 41 | # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, 42 | # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. 43 | RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build 44 | 45 | FROM gcr.io/distroless/static:nonroot 46 | WORKDIR / 47 | COPY --from=builder /nimbus/pkg/adapter/nimbus-kubearmor/bin/nimbus-kubearmor . 
48 | USER 65532:65532 49 | 50 | ENTRYPOINT ["/nimbus-kubearmor"] 51 | -------------------------------------------------------------------------------- /pkg/adapter/nimbus-kubearmor/Makefile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | # Image URL to use all building/pushing image targets 5 | IMG ?= 5gsec/nimbus-kubearmor 6 | # Image Tag to use all building/pushing image targets 7 | TAG ?= latest 8 | 9 | CONTAINER_TOOL ?= docker 10 | BINARY ?= bin/nimbus-kubearmor 11 | 12 | .PHONY: help 13 | help: ## Display this help. 14 | @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) 15 | 16 | .DEFAULT_GOAL := help 17 | 18 | .PHONY: build 19 | build: ## Build nimbus-kubearmor executable. 20 | @go build -ldflags="-w" -o ${BINARY} . 21 | 22 | .PHONY: run 23 | run: build ## Run nimbus-kubearmor locally. 24 | @./${BINARY} 25 | 26 | .PHONY: docker-build 27 | docker-build: ## Build nimbus-kubearmor container image. 28 | $(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ 29 | 30 | .PHONY: docker-push 31 | docker-push: ## Push nimbus-kubearmor container image. 
32 | $(CONTAINER_TOOL) push ${IMG}:${TAG} 33 | 34 | PLATFORMS ?= linux/arm64,linux/amd64 35 | .PHONY: docker-buildx 36 | docker-buildx: ## Build and push container image for cross-platform support 37 | # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile 38 | sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross 39 | - $(CONTAINER_TOOL) buildx create --name project-v3-builder 40 | $(CONTAINER_TOOL) buildx use project-v3-builder 41 | - $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --build-arg VERSION=${TAG} --tag ${IMG}:${TAG} -f Dockerfile.cross ../../../ || { $(CONTAINER_TOOL) buildx rm project-v3-builder; rm Dockerfile.cross; exit 1; } 42 | - $(CONTAINER_TOOL) buildx rm project-v3-builder 43 | rm Dockerfile.cross 44 | -------------------------------------------------------------------------------- /pkg/adapter/nimbus-kubearmor/main.go: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | // Copyright 2023 Authors of Nimbus 3 | 4 | package main 5 | 6 | import ( 7 | "context" 8 | "github.com/5GSEC/nimbus/pkg/util" 9 | "os" 10 | "os/signal" 11 | "syscall" 12 | 13 | ctrl "sigs.k8s.io/controller-runtime" 14 | "sigs.k8s.io/controller-runtime/pkg/log/zap" 15 | 16 | "github.com/5GSEC/nimbus/pkg/adapter/nimbus-kubearmor/manager" 17 | ) 18 | 19 | func main() { 20 | ctrl.SetLogger(zap.New()) 21 | logger := ctrl.Log 22 | util.LogBuildInfo(logger) 23 | 24 | ctx, cancelFunc := context.WithCancel(context.Background()) 25 | ctrl.LoggerInto(ctx, logger) 26 | 27 | go func() { 28 | termChan := make(chan os.Signal) 29 | signal.Notify(termChan, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT) 30 | <-termChan 31 | logger.Info("Shutdown signal received, waiting for all workers to finish") 32 | cancelFunc() 33 | 
logger.Info("All workers finished, shutting down") 34 | }() 35 | 36 | logger.Info("KubeArmor adapter started") 37 | manager.Run(ctx) 38 | } 39 | -------------------------------------------------------------------------------- /pkg/adapter/nimbus-kyverno/.dockerignore: -------------------------------------------------------------------------------- 1 | bin/ -------------------------------------------------------------------------------- /pkg/adapter/nimbus-kyverno/Dockerfile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | # Build the nimbus-kubearmor binary 5 | FROM golang:1.22 AS builder 6 | ARG TARGETOS 7 | ARG TARGETARCH 8 | 9 | # Required to embed build info into binary. 10 | COPY .git /.git 11 | 12 | WORKDIR /nimbus 13 | 14 | # relative deps requried by the adapter 15 | ADD api/ api/ 16 | ADD pkg/ pkg/ 17 | ADD go.mod go.mod 18 | ADD go.sum go.sum 19 | 20 | # nimbus-kubearmor directory 21 | ARG ADAPTER_DIR=pkg/adapter/nimbus-kyverno 22 | WORKDIR /nimbus/$ADAPTER_DIR 23 | 24 | # # Copy Go modules and manifests 25 | COPY $ADAPTER_DIR/go.mod go.mod 26 | COPY $ADAPTER_DIR/go.sum go.sum 27 | 28 | # cache deps before building and copying source so that we don't need to re-download as much 29 | # and so that source changes don't invalidate our downloaded layer 30 | RUN go mod download 31 | 32 | COPY $ADAPTER_DIR/manager manager 33 | COPY $ADAPTER_DIR/processor processor 34 | COPY $ADAPTER_DIR/watcher watcher 35 | COPY $ADAPTER_DIR/utils utils 36 | COPY $ADAPTER_DIR/main.go main.go 37 | COPY $ADAPTER_DIR/Makefile Makefile 38 | 39 | # Build 40 | # the GOARCH has not a default value to allow the binary be built according to the host where the command 41 | # was called. 
For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO 42 | # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, 43 | # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. 44 | RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build 45 | 46 | FROM gcr.io/distroless/static:nonroot 47 | WORKDIR / 48 | COPY --from=builder /nimbus/pkg/adapter/nimbus-kyverno/bin/nimbus-kyverno . 49 | USER 65532:65532 50 | 51 | ENTRYPOINT ["/nimbus-kyverno"] 52 | -------------------------------------------------------------------------------- /pkg/adapter/nimbus-kyverno/Makefile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | # Image URL to use all building/pushing image targets 5 | IMG ?= 5gsec/nimbus-kyverno 6 | # Image Tag to use all building/pushing image targets 7 | TAG ?= latest 8 | 9 | CONTAINER_TOOL ?= docker 10 | BINARY ?= bin/nimbus-kyverno 11 | 12 | .PHONY: help 13 | help: ## Display this help. 14 | @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) 15 | 16 | .DEFAULT_GOAL := help 17 | 18 | .PHONY: build 19 | build: ## Build nimbus-kyverno executable. 20 | @go build -ldflags="-w" -o ${BINARY} . 21 | 22 | .PHONY: run 23 | run: build ## Run nimbus-kyverno locally. 24 | @./${BINARY} 25 | 26 | .PHONY: docker-build 27 | docker-build: ## Build nimbus-kyverno container image. 28 | $(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ 29 | 30 | .PHONY: docker-push 31 | docker-push: ## Push nimbus-kyverno container image. 
# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus

# ClusterRole intended (per its labels) for Kyverno's background controller,
# presumably so that policies generated by the Nimbus Kyverno adapter can
# mutate existing objects — TODO confirm which kinds those policies touch.
#
# NOTE(review): as written this grants `update` and `patch` on every resource
# of every API group. If it is bound through a ClusterRoleBinding (the binding
# is not in this file) that is cluster-wide write access to workloads, RBAC
# bindings, webhooks and secrets alike, so a compromise of the controller's
# ServiceAccount token becomes a cluster-wide write primitive. Least privilege
# would list only the apiGroups/resources the generated policies actually
# need to modify — narrow these rules once that set is known.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  name: kyverno:update-resources
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - update
      - patch
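// main starts the Kyverno adapter: it installs the zap logger, logs build
// info, ties OS termination signals to a cancellable context, and hands that
// context to manager.Run.
func main() {
	ctrl.SetLogger(zap.New())
	logger := ctrl.Log
	util.LogBuildInfo(logger)

	ctx, cancelFunc := context.WithCancel(context.Background())
	// LoggerInto returns a derived context; the previous code discarded it, so
	// the logger never actually reached ctx and consumers of
	// log.FromContext(ctx) silently fell back to the global logger.
	ctx = ctrl.LoggerInto(ctx, logger)

	go func() {
		// signal.Notify never blocks on send, so the channel must be buffered;
		// with an unbuffered channel a signal arriving before the receive below
		// is dropped (go vet reports this as well).
		termChan := make(chan os.Signal, 1)
		signal.Notify(termChan, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT)
		<-termChan
		logger.Info("Shutdown signal received, waiting for all workers to finish")
		// Cancelling ctx is the only shutdown notification the workers get; this
		// goroutine does not itself wait for them, so the message below is
		// logged immediately after cancellation, not after the workers exit.
		cancelFunc()
		logger.Info("All workers finished, shutting down")
	}()

	logger.Info("Kyverno adapter started")
	manager.Run(ctx)
}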
10 | COPY .git /.git 11 | 12 | WORKDIR /nimbus 13 | 14 | # relative deps requried by the adapter 15 | ADD api/ api/ 16 | ADD pkg/ pkg/ 17 | ADD go.mod go.mod 18 | ADD go.sum go.sum 19 | 20 | # nimbus-kubearmor directory 21 | ARG ADAPTER_DIR=pkg/adapter/nimbus-netpol 22 | WORKDIR /nimbus/$ADAPTER_DIR 23 | 24 | # # Copy Go modules and manifests 25 | COPY $ADAPTER_DIR/go.mod go.mod 26 | COPY $ADAPTER_DIR/go.sum go.sum 27 | 28 | # cache deps before building and copying source so that we don't need to re-download as much 29 | # and so that source changes don't invalidate our downloaded layer 30 | RUN go mod download 31 | 32 | COPY $ADAPTER_DIR/manager manager 33 | COPY $ADAPTER_DIR/processor processor 34 | COPY $ADAPTER_DIR/watcher watcher 35 | COPY $ADAPTER_DIR/main.go main.go 36 | COPY $ADAPTER_DIR/Makefile Makefile 37 | 38 | # Build 39 | # the GOARCH has not a default value to allow the binary be built according to the host where the command 40 | # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO 41 | # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, 42 | # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. 43 | RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build 44 | 45 | FROM gcr.io/distroless/static:nonroot 46 | WORKDIR / 47 | COPY --from=builder /nimbus/pkg/adapter/nimbus-netpol/bin/nimbus-netpol . 
48 | USER 65532:65532 49 | 50 | ENTRYPOINT ["/nimbus-netpol"] 51 | -------------------------------------------------------------------------------- /pkg/adapter/nimbus-netpol/Makefile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | # Image URL to use all building/pushing image targets 5 | IMG ?= 5gsec/nimbus-netpol 6 | # Image Tag to use all building/pushing image targets 7 | TAG ?= latest 8 | 9 | CONTAINER_TOOL ?= docker 10 | BINARY ?= bin/nimbus-netpol 11 | 12 | .PHONY: help 13 | help: ## Display this help. 14 | @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) 15 | 16 | .DEFAULT_GOAL := help 17 | 18 | .PHONY: build 19 | build: ## Build nimbus-netpol executable. 20 | @go build -ldflags="-w" -o ${BINARY} . 21 | 22 | .PHONY: run 23 | run: build ## Run nimbus-netpol locally. 24 | @./${BINARY} 25 | 26 | .PHONY: docker-build 27 | docker-build: ## Build nimbus-netpol container image. 28 | $(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ 29 | 30 | .PHONY: docker-push 31 | docker-push: ## Push nimbus-netpol container image. 
32 | $(CONTAINER_TOOL) push ${IMG}:${TAG} 33 | 34 | PLATFORMS ?= linux/arm64,linux/amd64 35 | .PHONY: docker-buildx 36 | docker-buildx: ## Build and push container image for cross-platform support 37 | # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile 38 | sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross 39 | - $(CONTAINER_TOOL) buildx create --name project-v3-builder 40 | $(CONTAINER_TOOL) buildx use project-v3-builder 41 | - $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --build-arg VERSION=${TAG} --tag ${IMG}:${TAG} -f Dockerfile.cross ../../../ || { $(CONTAINER_TOOL) buildx rm project-v3-builder; rm Dockerfile.cross; exit 1; } 42 | - $(CONTAINER_TOOL) buildx rm project-v3-builder 43 | rm Dockerfile.cross 44 | -------------------------------------------------------------------------------- /pkg/adapter/nimbus-netpol/main.go: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | // Copyright 2023 Authors of Nimbus 3 | 4 | package main 5 | 6 | import ( 7 | "context" 8 | "github.com/5GSEC/nimbus/pkg/util" 9 | "os" 10 | "os/signal" 11 | "syscall" 12 | 13 | ctrl "sigs.k8s.io/controller-runtime" 14 | "sigs.k8s.io/controller-runtime/pkg/log/zap" 15 | 16 | "github.com/5GSEC/nimbus/pkg/adapter/nimbus-netpol/manager" 17 | ) 18 | 19 | func main() { 20 | ctrl.SetLogger(zap.New()) 21 | logger := ctrl.Log 22 | util.LogBuildInfo(logger) 23 | 24 | ctx, cancelFunc := context.WithCancel(context.Background()) 25 | ctrl.LoggerInto(ctx, logger) 26 | 27 | go func() { 28 | termChan := make(chan os.Signal) 29 | signal.Notify(termChan, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT) 30 | <-termChan 31 | logger.Info("Shutdown signal received, waiting for all workers to finish") 32 | cancelFunc() 33 | 
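// IsOrphan reports whether an object with the given ownerReferences is not
// owned by any object whose Kind appears in ownerKind.
//
// An object with no owner references at all is always an orphan. Otherwise it
// is an orphan only if none of its owners has a listed Kind; with an empty
// ownerKind every owned object is therefore reported as an orphan.
//
// All owner references are inspected, not just the first one: Kubernetes
// permits several owners, and an object whose matching owner is not at index 0
// must not be mistaken for an orphan (previously such objects were).
func IsOrphan(ownerRefs []metav1.OwnerReference, ownerKind ...string) bool {
	if len(ownerRefs) == 0 {
		return true
	}
	for _, ref := range ownerRefs {
		for _, kind := range ownerKind {
			if ref.Kind == kind {
				return false
			}
		}
	}
	return true
}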
Group: "intent.security.nimbus.com", 36 | Version: "v1alpha1", 37 | Resource: "clusternimbuspolicies", 38 | } 39 | clusterNimbusPolicyInformer := factory.ForResource(clusterNpGvr).Informer() 40 | return clusterNimbusPolicyInformer 41 | } 42 | -------------------------------------------------------------------------------- /pkg/processor/errors/errors.go: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | // Copyright 2023 Authors of Nimbus 3 | 4 | package errors 5 | 6 | import ( 7 | "errors" 8 | ) 9 | 10 | var ( 11 | ErrSecurityIntentsNotFound = errors.New("no SecurityIntents found") 12 | ) 13 | -------------------------------------------------------------------------------- /pkg/processor/intentbinder/intent_binder.go: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: Apache-2.0 2 | // Copyright 2023 Authors of Nimbus 3 | 4 | package intentbinder 5 | 6 | import ( 7 | "context" 8 | 9 | apierrors "k8s.io/apimachinery/pkg/api/errors" 10 | "k8s.io/apimachinery/pkg/types" 11 | "sigs.k8s.io/controller-runtime/pkg/client" 12 | "sigs.k8s.io/controller-runtime/pkg/log" 13 | 14 | v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1" 15 | ) 16 | 17 | // ExtractIntents extract the SecurityIntent from the given SecurityIntentBinding 18 | // or ClusterSecurityIntentBinding objects. 
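// Intents whose SecurityIntent cannot be fetched are skipped: a NotFound is
// expected and logged at V(2); any other Get error (RBAC denial, timeout, ...)
// is logged at error level and likewise skipped, so a failed lookup never
// contributes a zero-valued SecurityIntent to the result. Objects of any other
// type yield an empty result. The returned slice is nil when nothing was found.
func ExtractIntents(ctx context.Context, c client.Client, object client.Object) []v1alpha1.SecurityIntent {
	logger := log.FromContext(ctx)
	var intents []v1alpha1.SecurityIntent
	var givenIntents []v1alpha1.MatchIntent

	// Both binding kinds carry the same Spec.Intents list; anything else is
	// treated as having no intents.
	switch obj := object.(type) {
	case *v1alpha1.SecurityIntentBinding:
		givenIntents = obj.Spec.Intents
	case *v1alpha1.ClusterSecurityIntentBinding:
		givenIntents = obj.Spec.Intents
	}

	for _, intent := range givenIntents {
		var si v1alpha1.SecurityIntent
		// SecurityIntents are looked up by name only (no namespace in the key).
		if err := c.Get(ctx, types.NamespacedName{Name: intent.Name}, &si); err != nil {
			if apierrors.IsNotFound(err) {
				logger.V(2).Info("failed to fetch SecurityIntent", "SecurityIntent.Name", intent.Name)
			} else {
				// Previously only NotFound was handled and every other error fell
				// through to the append below, adding an empty SecurityIntent.
				logger.Error(err, "failed to fetch SecurityIntent", "SecurityIntent.Name", intent.Name)
			}
			continue
		}
		intents = append(intents, si)
	}

	return intents
}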
of Nimbus 4 | 5 | if ! command -v addlicense >/dev/null; then 6 | echo "Installing addlicense..." 7 | go install github.com/google/addlicense@latest 8 | fi 9 | 10 | GIT_ROOT=$(git rev-parse --show-toplevel) 11 | LICENSE_HEADER=${GIT_ROOT}/scripts/license.header 12 | 13 | if [ -z $1 ]; then 14 | echo "No Argument Supplied, Checking and Fixing all files from project root" 15 | addlicense -f ${LICENSE_HEADER} -v ${GIT_ROOT}/**/*.sh ${GIT_ROOT}/**/*.go 16 | echo "Done" 17 | else 18 | addlicense -f ${LICENSE_HEADER} -v $1 19 | echo "Done" 20 | fi -------------------------------------------------------------------------------- /scripts/license.header: -------------------------------------------------------------------------------- 1 | SPDX-License-Identifier: Apache-2.0 2 | Copyright 2023 Authors of Nimbus 3 | -------------------------------------------------------------------------------- /scripts/update-image-tag.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # SPDX-License-Identifier: Apache-2.0 3 | # Copyright 2023 Authors of Nimbus 4 | 5 | if ! command -v yq >/dev/null; then 6 | echo "Installing yq..." 
7 | go install github.com/mikefarah/yq/v4@latest 8 | fi 9 | 10 | TAG=$1 11 | DEPLOYMENT_ROOT_DIR="deployments" 12 | DIRECTORIES=("${DEPLOYMENT_ROOT_DIR}/nimbus" "${DEPLOYMENT_ROOT_DIR}/nimbus-k8tls" \ 13 | "${DEPLOYMENT_ROOT_DIR}/nimbus-kubearmor" "${DEPLOYMENT_ROOT_DIR}/nimbus-kyverno" "${DEPLOYMENT_ROOT_DIR}/nimbus-netpol") 14 | 15 | echo "Updating tag to $TAG" 16 | for directory in "${DIRECTORIES[@]}"; do 17 | yq -i ".image.tag = \"$TAG\"" "${directory}/values.yaml" 18 | done 19 | -------------------------------------------------------------------------------- /tests/chainsaw-config.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: chainsaw.kyverno.io/v1alpha1 5 | kind: Configuration 6 | metadata: 7 | name: configuration 8 | spec: 9 | parallel: 1 10 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/excludename/cluster-nimbus-policy-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: ClusterNimbusPolicy 6 | metadata: 7 | name: escape-to-host 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: ClusterSecurityIntentBinding 13 | name: escape-to-host 14 | spec: 15 | rules: 16 | - description: A attacker can breach container boundaries and can gain access to the 17 | host machine 18 | id: escapeToHost 19 | rule: 20 | action: Block 21 | 22 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-csib.yaml: -------------------------------------------------------------------------------- 
1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: ClusterSecurityIntentBinding 6 | metadata: 7 | name: escape-to-host 8 | spec: 9 | intents: 10 | - name: escape-to-host 11 | selector: 12 | nsSelector: 13 | excludeNames: 14 | - dev 15 | - staging 16 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-dev-prod-regional-csib.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: ClusterSecurityIntentBinding 6 | metadata: 7 | name: escape-to-host 8 | spec: 9 | intents: 10 | - name: escape-to-host 11 | selector: 12 | nsSelector: 13 | excludeNames: 14 | - dev 15 | - prod 16 | - regional 17 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-dev.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-escape-to-host 8 | namespace: dev 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: escape-to-host 15 | spec: 16 | rules: 17 | - description: A attacker can breach container boundaries and can gain access to 18 | the host machine 19 | id: escapeToHost 20 | rule: 21 | action: Block 22 | -------------------------------------------------------------------------------- 
/tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-management.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-escape-to-host 8 | namespace: management 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: escape-to-host 15 | spec: 16 | rules: 17 | - description: A attacker can breach container boundaries and can gain access to 18 | the host machine 19 | id: escapeToHost 20 | rule: 21 | action: Block 22 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-prod.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-escape-to-host 8 | namespace: prod 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: escape-to-host 15 | spec: 16 | rules: 17 | - description: A attacker can breach container boundaries and can gain access to 18 | the host machine 19 | id: escapeToHost 20 | rule: 21 | action: Block 22 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert-staging.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 
Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-escape-to-host 8 | namespace: staging 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: escape-to-host 15 | spec: 16 | rules: 17 | - description: A attacker can breach container boundaries and can gain access to 18 | the host machine 19 | id: escapeToHost 20 | rule: 21 | action: Block 22 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/excludename/nimbus-policy-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-dns-manipulation-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: ClusterSecurityIntentBinding 13 | name: dns-manipulation-binding 14 | spec: 15 | rules: 16 | - description: A attacker can breach container boundaries and can gain access to 17 | the host machine 18 | id: escapeToHost 19 | rule: 20 | action: Block -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/excludename/ns-regional-mgmt.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: v1 5 | kind: Namespace 6 | metadata: 7 | name: management 8 | --- 9 | apiVersion: v1 10 | kind: Namespace 11 | metadata: 12 | name: regional -------------------------------------------------------------------------------- 
/tests/controllers/clustersecurityintentbinding/excludename/ns.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: v1 5 | kind: Namespace 6 | metadata: 7 | name: dev 8 | --- 9 | apiVersion: v1 10 | kind: Namespace 11 | metadata: 12 | name: staging 13 | --- 14 | apiVersion: v1 15 | kind: Namespace 16 | metadata: 17 | name: prod -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchall/cluster-nimbus-policy-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: ClusterNimbusPolicy 6 | metadata: 7 | name: dns-manipulation-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: ClusterSecurityIntentBinding 13 | name: dns-manipulation-binding 14 | spec: 15 | rules: 16 | - description: An adversary can manipulate DNS requests to redirect network traffic 17 | and potentially reveal end user activity. 
18 | id: dnsManipulation 19 | rule: 20 | action: Block 21 | 22 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchall/dns-manipulation-csib.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: ClusterSecurityIntentBinding 6 | metadata: 7 | name: dns-manipulation-binding 8 | spec: 9 | intents: 10 | - name: dns-manipulation 11 | selector: 12 | nsSelector: 13 | matchNames: 14 | - "*" 15 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-dev.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-dns-manipulation-binding 8 | namespace: dev 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: dns-manipulation-binding 15 | spec: 16 | rules: 17 | - description: An adversary can manipulate DNS requests to redirect network traffic 18 | and potentially reveal end user activity. 
19 | id: dnsManipulation 20 | rule: 21 | action: Block -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-prod.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-dns-manipulation-binding 8 | namespace: prod 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: dns-manipulation-binding 15 | spec: 16 | rules: 17 | - description: An adversary can manipulate DNS requests to redirect network traffic 18 | and potentially reveal end user activity. 19 | id: dnsManipulation 20 | rule: 21 | action: Block -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert-staging.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-dns-manipulation-binding 8 | namespace: staging 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: dns-manipulation-binding 15 | spec: 16 | rules: 17 | - description: An adversary can manipulate DNS requests to redirect network traffic 18 | and potentially reveal end user activity. 
19 | id: dnsManipulation 20 | rule: 21 | action: Block -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchall/nimbus-policy-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-dns-manipulation-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: ClusterSecurityIntentBinding 13 | name: dns-manipulation-binding 14 | spec: 15 | rules: 16 | - description: An adversary can manipulate DNS requests to redirect network traffic 17 | and potentially reveal end user activity. 18 | id: dnsManipulation 19 | rule: 20 | action: Block -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchall/ns.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: v1 5 | kind: Namespace 6 | metadata: 7 | name: dev 8 | --- 9 | apiVersion: v1 10 | kind: Namespace 11 | metadata: 12 | name: staging 13 | --- 14 | apiVersion: v1 15 | kind: Namespace 16 | metadata: 17 | name: prod -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchname/cluster-nimbus-policy-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: ClusterNimbusPolicy 6 | metadata: 7 | name: escape-to-host 8 | ownerReferences: 9 | - apiVersion: 
intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: ClusterSecurityIntentBinding 13 | name: escape-to-host 14 | spec: 15 | rules: 16 | - description: A attacker can breach container boundaries and can gain access to the 17 | host machine 18 | id: escapeToHost 19 | rule: 20 | action: Block 21 | 22 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchname/escape-to-host-csib.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: ClusterSecurityIntentBinding 6 | metadata: 7 | name: escape-to-host 8 | spec: 9 | intents: 10 | - name: escape-to-host 11 | selector: 12 | nsSelector: 13 | matchNames: 14 | - dev 15 | - staging 16 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchname/escape-to-host-dev-prod-csib.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: ClusterSecurityIntentBinding 6 | metadata: 7 | name: escape-to-host 8 | spec: 9 | intents: 10 | - name: escape-to-host 11 | selector: 12 | nsSelector: 13 | matchNames: 14 | - dev 15 | - prod 16 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-dev.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: 
nimbus-ctlr-gen-escape-to-host 8 | namespace: dev 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: escape-to-host 15 | spec: 16 | rules: 17 | - description: A attacker can breach container boundaries and can gain access to 18 | the host machine 19 | id: escapeToHost 20 | rule: 21 | action: Block 22 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-prod.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-escape-to-host 8 | namespace: prod 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: escape-to-host 15 | spec: 16 | rules: 17 | - description: A attacker can breach container boundaries and can gain access to 18 | the host machine 19 | id: escapeToHost 20 | rule: 21 | action: Block 22 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert-staging.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-escape-to-host 8 | namespace: staging 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: escape-to-host 15 | spec: 
16 | rules: 17 | - description: A attacker can breach container boundaries and can gain access to 18 | the host machine 19 | id: escapeToHost 20 | rule: 21 | action: Block 22 | -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchname/nimbus-policy-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-dns-manipulation-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: ClusterSecurityIntentBinding 13 | name: dns-manipulation-binding 14 | spec: 15 | rules: 16 | - description: A attacker can breach container boundaries and can gain access to 17 | the host machine 18 | id: escapeToHost 19 | rule: 20 | action: Block -------------------------------------------------------------------------------- /tests/controllers/clustersecurityintentbinding/matchname/ns.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: v1 5 | kind: Namespace 6 | metadata: 7 | name: dev 8 | --- 9 | apiVersion: v1 10 | kind: Namespace 11 | metadata: 12 | name: staging 13 | --- 14 | apiVersion: v1 15 | kind: Namespace 16 | metadata: 17 | name: prod -------------------------------------------------------------------------------- /tests/controllers/nimbuspolicy/delete/README.md: -------------------------------------------------------------------------------- 1 | # Test: `nimbuspolicy-deletion` 2 | 3 | This test validates that when a NimbusPolicy is deleted directly, nimbus automatically re-creates the deleted NimbusPolicy. 
4 | 5 | 6 | ## Steps 7 | 8 | | # | Name | Bindings | Try | Catch | Finally | 9 | |:-:|---|:-:|:-:|:-:|:-:| 10 | | 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | 11 | | 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | 12 | | 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 | 13 | | 4 | [Delete existing NimbusPolicy](#step-Delete existing NimbusPolicy) | 0 | 1 | 0 | 0 | 14 | | 5 | [Verify NimbusPolicy recreation](#step-Verify NimbusPolicy recreation) | 0 | 1 | 0 | 0 | 15 | 16 | ### Step: `Create a SecurityIntent` 17 | 18 | *No description* 19 | 20 | #### Try 21 | 22 | | # | Operation | Bindings | Outputs | Description | 23 | |:-:|---|:-:|:-:|---| 24 | | 1 | `apply` | 0 | 0 | *No description* | 25 | 26 | ### Step: `Create a SecurityIntentBinding` 27 | 28 | *No description* 29 | 30 | #### Try 31 | 32 | | # | Operation | Bindings | Outputs | Description | 33 | |:-:|---|:-:|:-:|---| 34 | | 1 | `apply` | 0 | 0 | *No description* | 35 | 36 | ### Step: `Verify NimbusPolicy creation` 37 | 38 | *No description* 39 | 40 | #### Try 41 | 42 | | # | Operation | Bindings | Outputs | Description | 43 | |:-:|---|:-:|:-:|---| 44 | | 1 | `assert` | 0 | 0 | *No description* | 45 | 46 | ### Step: `Delete existing NimbusPolicy` 47 | 48 | *No description* 49 | 50 | #### Try 51 | 52 | | # | Operation | Bindings | Outputs | Description | 53 | |:-:|---|:-:|:-:|---| 54 | | 1 | `delete` | 0 | 0 | *No description* | 55 | 56 | ### Step: `Verify NimbusPolicy recreation` 57 | 58 | *No description* 59 | 60 | #### Try 61 | 62 | | # | Operation | Bindings | Outputs | Description | 63 | |:-:|---|:-:|:-:|---| 64 | | 1 | `assert` | 0 | 0 | *No description* | 65 | 66 | --- 67 | 68 | -------------------------------------------------------------------------------- /tests/controllers/nimbuspolicy/delete/chainsaw-test.yaml: 
-------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: chainsaw.kyverno.io/v1alpha1 5 | kind: Test 6 | metadata: 7 | name: nimbuspolicy-deletion 8 | spec: 9 | description: > 10 | This test validates that when a NimbusPolicy is deleted directly, nimbus automatically re-creates the 11 | deleted NimbusPolicy. 12 | steps: 13 | - name: "Create a SecurityIntent" 14 | try: 15 | - apply: 16 | file: ../../resources/namespaced/dns-manipulation-si.yaml 17 | 18 | - name: "Create a SecurityIntentBinding" 19 | try: 20 | - apply: 21 | file: ../../resources/namespaced/dns-manipulation-sib.yaml 22 | 23 | - name: "Verify NimbusPolicy creation" 24 | try: 25 | - assert: 26 | file: ../nimbus-policy-assert.yaml 27 | 28 | - name: "Delete existing NimbusPolicy" 29 | try: 30 | - delete: 31 | ref: 32 | apiVersion: intent.security.nimbus.com/v1alpha1 33 | kind: NimbusPolicy 34 | name: dns-manipulation-binding 35 | expect: 36 | - match: 37 | apiVersion: intent.security.nimbus.com/v1alpha1 38 | kind: NimbusPolicy 39 | name: dns-manipulation-binding 40 | check: 41 | ($error != null): true 42 | 43 | - name: "Verify NimbusPolicy recreation" 44 | try: 45 | - assert: 46 | file: ../nimbus-policy-assert.yaml 47 | -------------------------------------------------------------------------------- /tests/controllers/nimbuspolicy/nimbus-policy-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: dns-manipulation-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: SecurityIntentBinding 13 | name: dns-manipulation-binding 14 | spec: 15 | rules: 16 | - description: 
An adversary can manipulate DNS requests to redirect network traffic 17 | and potentially reveal end user activity. 18 | id: dnsManipulation 19 | rule: 20 | action: Block 21 | selector: 22 | matchLabels: 23 | app: nginx 24 | -------------------------------------------------------------------------------- /tests/controllers/nimbuspolicy/update/README.md: -------------------------------------------------------------------------------- 1 | # Test: `nimbuspolicy-update` 2 | 3 | This test validates that direct updates to a NimbusPolicy resource are ignored, to maintain consistency and prevent unintended modifications. 4 | 5 | 6 | ## Steps 7 | 8 | | # | Name | Bindings | Try | Catch | Finally | 9 | |:-:|---|:-:|:-:|:-:|:-:| 10 | | 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | 11 | | 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | 12 | | 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 | 13 | | 4 | [Update existing NimbusPolicy](#step-Update existing NimbusPolicy) | 0 | 1 | 0 | 0 | 14 | | 5 | [Verify discarding of changes to NimbusPolicy](#step-Verify discarding of changes to NimbusPolicy) | 0 | 1 | 0 | 0 | 15 | 16 | ### Step: `Create a SecurityIntent` 17 | 18 | *No description* 19 | 20 | #### Try 21 | 22 | | # | Operation | Bindings | Outputs | Description | 23 | |:-:|---|:-:|:-:|---| 24 | | 1 | `apply` | 0 | 0 | *No description* | 25 | 26 | ### Step: `Create a SecurityIntentBinding` 27 | 28 | *No description* 29 | 30 | #### Try 31 | 32 | | # | Operation | Bindings | Outputs | Description | 33 | |:-:|---|:-:|:-:|---| 34 | | 1 | `apply` | 0 | 0 | *No description* | 35 | 36 | ### Step: `Verify NimbusPolicy creation` 37 | 38 | *No description* 39 | 40 | #### Try 41 | 42 | | # | Operation | Bindings | Outputs | Description | 43 | |:-:|---|:-:|:-:|---| 44 | | 1 | `assert` | 0 | 0 | *No description* | 45 | 46 | ### Step: `Update existing NimbusPolicy` 47 | 48 | 
*No description* 49 | 50 | #### Try 51 | 52 | | # | Operation | Bindings | Outputs | Description | 53 | |:-:|---|:-:|:-:|---| 54 | | 1 | `apply` | 0 | 0 | *No description* | 55 | 56 | ### Step: `Verify discarding of changes to NimbusPolicy` 57 | 58 | *No description* 59 | 60 | #### Try 61 | 62 | | # | Operation | Bindings | Outputs | Description | 63 | |:-:|---|:-:|:-:|---| 64 | | 1 | `assert` | 0 | 0 | *No description* | 65 | 66 | --- 67 | 68 | -------------------------------------------------------------------------------- /tests/controllers/nimbuspolicy/update/chainsaw-test.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: chainsaw.kyverno.io/v1alpha1 5 | kind: Test 6 | metadata: 7 | name: nimbuspolicy-update 8 | spec: 9 | description: > 10 | This test validates that direct updates to a NimbusPolicy resource are ignored, to maintain consistency and 11 | prevent unintended modifications. 
12 | steps: 13 | - name: "Create a SecurityIntent" 14 | try: 15 | - apply: 16 | file: ../../resources/namespaced/dns-manipulation-si.yaml 17 | 18 | - name: "Create a SecurityIntentBinding" 19 | try: 20 | - apply: 21 | file: ../../resources/namespaced/dns-manipulation-sib.yaml 22 | 23 | - name: "Verify NimbusPolicy creation" 24 | try: 25 | - assert: 26 | file: ../nimbus-policy-assert.yaml 27 | 28 | - name: "Update existing NimbusPolicy" 29 | try: 30 | - apply: 31 | file: ../updated-nimbus-policy.yaml 32 | 33 | - name: "Verify discarding of changes to NimbusPolicy" 34 | try: 35 | - assert: 36 | file: ../nimbus-policy-assert.yaml 37 | -------------------------------------------------------------------------------- /tests/controllers/nimbuspolicy/updated-nimbus-policy.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: dns-manipulation-binding 8 | spec: 9 | rules: 10 | - description: An adversary can manipulate DNS requests to redirect network traffic 11 | and potentially reveal end user activity. 12 | id: dnsManipulation 13 | rule: 14 | action: Allow 15 | selector: 16 | matchLabels: 17 | app: frontend 18 | -------------------------------------------------------------------------------- /tests/controllers/resources/namespaced/dns-manipulation-si.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: dns-manipulation 8 | spec: 9 | intent: 10 | id: dnsManipulation 11 | description: "An adversary can manipulate DNS requests to redirect network traffic and potentially reveal end user activity." 
12 | action: Block 13 | severity: Medium 14 | -------------------------------------------------------------------------------- /tests/controllers/resources/namespaced/dns-manipulation-sib.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntentBinding 6 | metadata: 7 | name: dns-manipulation-binding 8 | spec: 9 | intents: 10 | - name: dns-manipulation 11 | selector: 12 | workloadSelector: 13 | matchLabels: 14 | app: nginx 15 | -------------------------------------------------------------------------------- /tests/controllers/resources/namespaced/escape-to-host-si.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: escape-to-host 8 | spec: 9 | intent: 10 | id: escapeToHost 11 | description: "A attacker can breach container boundaries and can gain access to the host machine" 12 | action: Block 13 | -------------------------------------------------------------------------------- /tests/controllers/resources/namespaced/multiple-sis.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: pkg-mgr-exec-multiple 8 | spec: 9 | intent: 10 | id: swDeploymentTools 11 | action: Block 12 | --- 13 | apiVersion: intent.security.nimbus.com/v1alpha1 14 | kind: SecurityIntent 15 | metadata: 16 | name: unauthorized-sa-token-access-multiple 17 | spec: 18 | intent: 19 | id: unAuthorizedSaTokenAccess 20 | action: Audit 21 | --- 22 | apiVersion: 
intent.security.nimbus.com/v1alpha1 23 | kind: SecurityIntent 24 | metadata: 25 | name: dns-manipulation-multiple 26 | spec: 27 | intent: 28 | id: dnsManipulation 29 | action: Block 30 | -------------------------------------------------------------------------------- /tests/controllers/resources/namespaced/sib-for-multiple-sis.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntentBinding 6 | metadata: 7 | name: multiple-sis-binding 8 | spec: 9 | intents: 10 | - name: pkg-mgr-exec-multiple 11 | - name: unauthorized-sa-token-access-multiple 12 | - name: dns-manipulation-multiple 13 | selector: 14 | workloadSelector: 15 | matchLabels: 16 | app: nginx 17 | -------------------------------------------------------------------------------- /tests/controllers/securityintent/README.md: -------------------------------------------------------------------------------- 1 | # Test: `securityintent-creation` 2 | 3 | This test validates that the created SecurityIntent status subresource contains the ID and action fields with the corresponding intent values. 
4 | 5 | 6 | ## Steps 7 | 8 | | # | Name | Bindings | Try | Catch | Finally | 9 | |:-:|---|:-:|:-:|:-:|:-:| 10 | | 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | 11 | | 2 | [Verify status of created SecurityIntent](#step-Verify status of created SecurityIntent) | 0 | 1 | 0 | 0 | 12 | 13 | ### Step: `Create a SecurityIntent` 14 | 15 | *No description* 16 | 17 | #### Try 18 | 19 | | # | Operation | Bindings | Outputs | Description | 20 | |:-:|---|:-:|:-:|---| 21 | | 1 | `apply` | 0 | 0 | *No description* | 22 | 23 | ### Step: `Verify status of created SecurityIntent` 24 | 25 | *No description* 26 | 27 | #### Try 28 | 29 | | # | Operation | Bindings | Outputs | Description | 30 | |:-:|---|:-:|:-:|---| 31 | | 1 | `assert` | 0 | 0 | *No description* | 32 | 33 | --- 34 | 35 | -------------------------------------------------------------------------------- /tests/controllers/securityintent/chainsaw-test.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: chainsaw.kyverno.io/v1alpha1 5 | kind: Test 6 | metadata: 7 | name: securityintent-creation 8 | spec: 9 | description: > 10 | This test validates that the created SecurityIntent status subresource contains the ID and action 11 | fields with the corresponding intent values. 
12 | steps: 13 | - name: "Create a SecurityIntent" 14 | try: 15 | - apply: 16 | file: ../resources/namespaced/dns-manipulation-si.yaml 17 | 18 | - name: "Verify status of created SecurityIntent" 19 | try: 20 | - assert: 21 | file: si-status-assert.yaml 22 | -------------------------------------------------------------------------------- /tests/controllers/securityintent/si-status-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: dns-manipulation 8 | status: 9 | action: Block 10 | id: dnsManipulation 11 | status: Created 12 | -------------------------------------------------------------------------------- /tests/controllers/securityintentbinding/create/chainsaw-test.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: chainsaw.kyverno.io/v1alpha1 5 | kind: Test 6 | metadata: 7 | name: securityintentbinding-creation 8 | spec: 9 | description: > 10 | This test validates the automated creation of a NimbusPolicy resource when a corresponding SecurityIntent 11 | and SecurityIntentBinding are created. 
12 | steps: 13 | - name: "Create a SecurityIntent" 14 | try: 15 | - apply: 16 | file: ../../resources/namespaced/dns-manipulation-si.yaml 17 | 18 | - name: "Create a SecurityIntentBinding" 19 | try: 20 | - apply: 21 | file: ../../resources/namespaced/dns-manipulation-sib.yaml 22 | 23 | - name: "Verify NimbusPolicy creation" 24 | try: 25 | - assert: 26 | file: ../nimbus-policy-assert.yaml 27 | 28 | - name: "Verify status of created SecurityIntentBinding" 29 | description: > 30 | Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, 31 | along with the generated NimbusPolicy name. 32 | try: 33 | - assert: 34 | file: ../sib-status-assert.yaml 35 | 36 | - name: "Verify status of created NimbusPolicy" 37 | try: 38 | - assert: 39 | file: ../np-status-assert.yaml 40 | -------------------------------------------------------------------------------- /tests/controllers/securityintentbinding/delete/README.md: -------------------------------------------------------------------------------- 1 | # Test: `securityintentbinding-deletion` 2 | 3 | This test validates the expected behavior of NimbusPolicy deletion upon the removal of a corresponding SecurityIntentBinding resource. 
4 | 5 | 6 | ## Steps 7 | 8 | | # | Name | Bindings | Try | Catch | Finally | 9 | |:-:|---|:-:|:-:|:-:|:-:| 10 | | 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | 11 | | 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | 12 | | 3 | [Delete existing SecurityIntentBinding](#step-Delete existing SecurityIntentBinding) | 0 | 1 | 0 | 0 | 13 | | 4 | [Verify the NimbusPolicy deletion](#step-Verify the NimbusPolicy deletion) | 0 | 1 | 0 | 0 | 14 | 15 | ### Step: `Create a SecurityIntent` 16 | 17 | *No description* 18 | 19 | #### Try 20 | 21 | | # | Operation | Bindings | Outputs | Description | 22 | |:-:|---|:-:|:-:|---| 23 | | 1 | `apply` | 0 | 0 | *No description* | 24 | 25 | ### Step: `Create a SecurityIntentBinding` 26 | 27 | *No description* 28 | 29 | #### Try 30 | 31 | | # | Operation | Bindings | Outputs | Description | 32 | |:-:|---|:-:|:-:|---| 33 | | 1 | `apply` | 0 | 0 | *No description* | 34 | 35 | ### Step: `Delete existing SecurityIntentBinding` 36 | 37 | *No description* 38 | 39 | #### Try 40 | 41 | | # | Operation | Bindings | Outputs | Description | 42 | |:-:|---|:-:|:-:|---| 43 | | 1 | `delete` | 0 | 0 | *No description* | 44 | 45 | ### Step: `Verify the NimbusPolicy deletion` 46 | 47 | *No description* 48 | 49 | #### Try 50 | 51 | | # | Operation | Bindings | Outputs | Description | 52 | |:-:|---|:-:|:-:|---| 53 | | 1 | `script` | 0 | 0 | *No description* | 54 | 55 | --- 56 | 57 | -------------------------------------------------------------------------------- /tests/controllers/securityintentbinding/delete/chainsaw-test.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: chainsaw.kyverno.io/v1alpha1 5 | kind: Test 6 | metadata: 7 | name: securityintentbinding-deletion 8 | spec: 9 | description: > 10 | This test validates the expected behavior of 
NimbusPolicy deletion upon the removal of a corresponding 11 | SecurityIntentBinding resource. 12 | steps: 13 | - name: "Create a SecurityIntent" 14 | try: 15 | - apply: 16 | file: ../../resources/namespaced/dns-manipulation-si.yaml 17 | 18 | - name: "Create a SecurityIntentBinding" 19 | try: 20 | - apply: 21 | file: ../../resources/namespaced/dns-manipulation-sib.yaml 22 | # Chainsaw's cleanup is intentionally skipped for this resource: the next step deletes it explicitly, and cleaning it up a second time would only raise spurious errors. 23 | skipDelete: true 24 | 25 | - name: "Delete existing SecurityIntentBinding" 26 | try: 27 | - delete: 28 | ref: 29 | apiVersion: intent.security.nimbus.com/v1alpha1 30 | kind: SecurityIntentBinding 31 | name: dns-manipulation-binding 32 | expect: 33 | - match: 34 | apiVersion: intent.security.nimbus.com/v1alpha1 35 | kind: SecurityIntentBinding 36 | name: dns-manipulation-binding 37 | check: 38 | ($error != null): true 39 | 40 | - name: "Verify the NimbusPolicy deletion" 41 | try: 42 | - script: 43 | content: kubectl get np dns-manipulation-binding 44 | check: 45 | ($error != null): true 46 | -------------------------------------------------------------------------------- /tests/controllers/securityintentbinding/nimbus-policy-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: dns-manipulation-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: SecurityIntentBinding 13 | name: dns-manipulation-binding 14 | # The owner's UID is not predictable, so it is deliberately left out of this assertion. 15 | spec: 16 | rules: 17 | - description: An adversary can manipulate DNS requests to redirect network traffic 18 | and potentially reveal end user activity. 
19 | id: dnsManipulation 20 | rule: 21 | action: Block 22 | selector: 23 | matchLabels: 24 | app: nginx 25 | -------------------------------------------------------------------------------- /tests/controllers/securityintentbinding/np-status-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: dns-manipulation-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: SecurityIntentBinding 13 | name: dns-manipulation-binding 14 | status: 15 | numberOfAdapterPolicies: 0 16 | status: Created 17 | -------------------------------------------------------------------------------- /tests/controllers/securityintentbinding/sib-status-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntentBinding 6 | metadata: 7 | name: dns-manipulation-binding 8 | status: 9 | boundIntents: 10 | - dns-manipulation 11 | nimbusPolicy: dns-manipulation-binding 12 | numberOfBoundIntents: 1 13 | status: Created 14 | 15 | -------------------------------------------------------------------------------- /tests/controllers/securityintentbinding/update/README.md: -------------------------------------------------------------------------------- 1 | # Test: `securityintentbinding-update` 2 | 3 | This test validates the propagation of changes from a SecurityIntentBinding to the corresponding NimbusPolicy. 
4 | 5 | ## Steps 6 | 7 | | # | Name | Bindings | Try | Catch | Finally | 8 | |:-:|---|:-:|:-:|:-:|:-:| 9 | | 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | 10 | | 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | 11 | | 3 | [Update existing SecurityIntentBinding](#step-Update existing SecurityIntentBinding) | 0 | 1 | 0 | 0 | 12 | | 4 | [Verify the NimbusPolicy update](#step-Verify the NimbusPolicy update) | 0 | 1 | 0 | 0 | 13 | 14 | ### Step: `Create a SecurityIntent` 15 | 16 | *No description* 17 | 18 | #### Try 19 | 20 | | # | Operation | Bindings | Outputs | Description | 21 | |:-:|---|:-:|:-:|---| 22 | | 1 | `apply` | 0 | 0 | *No description* | 23 | 24 | ### Step: `Create a SecurityIntentBinding` 25 | 26 | *No description* 27 | 28 | #### Try 29 | 30 | | # | Operation | Bindings | Outputs | Description | 31 | |:-:|---|:-:|:-:|---| 32 | | 1 | `apply` | 0 | 0 | *No description* | 33 | 34 | ### Step: `Update existing SecurityIntentBinding` 35 | 36 | *No description* 37 | 38 | #### Try 39 | 40 | | # | Operation | Bindings | Outputs | Description | 41 | |:-:|---|:-:|:-:|---| 42 | | 1 | `apply` | 0 | 0 | *No description* | 43 | 44 | ### Step: `Verify the NimbusPolicy update` 45 | 46 | *No description* 47 | 48 | #### Try 49 | 50 | | # | Operation | Bindings | Outputs | Description | 51 | |:-:|---|:-:|:-:|---| 52 | | 1 | `assert` | 0 | 0 | *No description* | 53 | 54 | --- 55 | 56 | -------------------------------------------------------------------------------- /tests/controllers/securityintentbinding/update/chainsaw-test.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: chainsaw.kyverno.io/v1alpha1 5 | kind: Test 6 | metadata: 7 | name: securityintentbinding-update 8 | spec: 9 | description: This test validates the propagation of changes from a 
SecurityIntentBinding to the corresponding NimbusPolicy. 10 | steps: 11 | - name: "Create a SecurityIntent" 12 | try: 13 | - apply: 14 | file: ../../resources/namespaced/dns-manipulation-si.yaml 15 | 16 | - name: "Create a SecurityIntentBinding" 17 | try: 18 | - apply: 19 | file: ../../resources/namespaced/dns-manipulation-sib.yaml 20 | 21 | - name: "Update existing SecurityIntentBinding" 22 | try: 23 | - apply: 24 | file: ../updated-sib.yaml 25 | 26 | - name: "Verify the NimbusPolicy update" 27 | try: 28 | - assert: 29 | file: ../updated-np.yaml 30 | -------------------------------------------------------------------------------- /tests/controllers/securityintentbinding/updated-np.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | generation: 2 8 | name: dns-manipulation-binding 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: SecurityIntentBinding 14 | name: dns-manipulation-binding 15 | spec: 16 | rules: 17 | - description: An adversary can manipulate DNS requests to redirect network traffic 18 | and potentially reveal end user activity. 
19 | id: dnsManipulation 20 | rule: 21 | action: Block 22 | selector: 23 | matchLabels: 24 | app: nginx 25 | env: prod 26 | -------------------------------------------------------------------------------- /tests/controllers/securityintentbinding/updated-sib.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntentBinding 6 | metadata: 7 | name: dns-manipulation-binding 8 | spec: 9 | intents: 10 | - name: dns-manipulation 11 | selector: 12 | workloadSelector: 13 | matchLabels: 14 | app: nginx 15 | env: prod 16 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/create/chainsaw-test.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: chainsaw.kyverno.io/v1alpha1 5 | kind: Test 6 | metadata: 7 | name: securityintentbinding-and-securityintent-independent-creation 8 | spec: 9 | description: > 10 | This test verifies the independent creation of SecurityIntent and SecurityIntentBinding custom resources. 11 | It ensures users can create these custom resources individually without requiring one to exist beforehand. 
12 | 13 | steps: 14 | - name: "Create a SecurityIntentBinding" 15 | try: 16 | - apply: 17 | file: ../../resources/namespaced/dns-manipulation-sib.yaml 18 | 19 | - name: "Create a SecurityIntent" 20 | try: 21 | - apply: 22 | file: ../../resources/namespaced/dns-manipulation-si.yaml 23 | 24 | - name: "Verify NimbusPolicy creation" 25 | try: 26 | - assert: 27 | file: ../nimbus-policy-assert.yaml 28 | 29 | - name: "Verify status of created SecurityIntentBinding" 30 | description: > 31 | Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, 32 | along with the generated NimbusPolicy name. 33 | try: 34 | - assert: 35 | file: ../sib-status-assert.yaml 36 | 37 | - name: "Verify status of created SecurityIntent" 38 | try: 39 | - assert: 40 | file: ../si-status-assert.yaml 41 | 42 | - name: "Verify status of created NimbusPolicy" 43 | try: 44 | - assert: 45 | file: ../np-status-assert.yaml 46 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/delete/chainsaw-test.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: chainsaw.kyverno.io/v1alpha1 5 | kind: Test 6 | metadata: 7 | name: securityintent-deletion-after-creation-of-nimbuspolicy 8 | spec: 9 | description: > 10 | This test verifies that when a SecurityIntent is the only one referenced by a SecurityIntentBinding, and that 11 | SecurityIntent is deleted, the corresponding NimbusPolicy is also automatically deleted. 
12 | 13 | steps: 14 | - name: "Create a SecurityIntentBinding" 15 | try: 16 | - apply: 17 | file: ../../resources/namespaced/dns-manipulation-sib.yaml 18 | 19 | - name: "Create a SecurityIntent" 20 | try: 21 | - apply: 22 | file: ../../resources/namespaced/dns-manipulation-si.yaml 23 | skipDelete: true 24 | 25 | - name: "Verify NimbusPolicy creation" 26 | try: 27 | - assert: 28 | file: ../nimbus-policy-assert.yaml 29 | 30 | - name: "Delete previously created SecurityIntent" 31 | try: 32 | - delete: 33 | ref: 34 | apiVersion: intent.security.nimbus.com/v1alpha1 35 | kind: SecurityIntent 36 | name: dns-manipulation 37 | expect: 38 | - match: 39 | apiVersion: intent.security.nimbus.com/v1alpha1 40 | kind: SecurityIntent 41 | name: dns-manipulation 42 | check: 43 | ($error != null): true 44 | 45 | - name: "Verify the NimbusPolicy deletion" 46 | try: 47 | - script: 48 | content: kubectl get np dns-manipulation-binding 49 | check: 50 | ($error != null): true 51 | 52 | - name: "Verify status of SecurityIntentBinding" 53 | description: > 54 | This verifies that upon deletion of a NimbusPolicy, the corresponding SecurityIntentBinding's status subresource is 55 | updated to reflect the current information. 
56 | try: 57 | - assert: 58 | file: sib-status-after-si-deletion-assert.yaml 59 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/delete/sib-status-after-si-deletion-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntentBinding 6 | metadata: 7 | name: dns-manipulation-binding 8 | status: 9 | nimbusPolicy: "" 10 | numberOfBoundIntents: 0 11 | status: Created 12 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/nimbus-policy-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: dns-manipulation-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: SecurityIntentBinding 13 | name: dns-manipulation-binding 14 | # Since UID is not predictable so ignore it. 15 | spec: 16 | rules: 17 | - description: An adversary can manipulate DNS requests to redirect network traffic 18 | and potentially reveal end user activity. 
19 | id: dnsManipulation 20 | rule: 21 | action: Block 22 | selector: 23 | matchLabels: 24 | app: nginx 25 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/np-status-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: dns-manipulation-binding 8 | status: 9 | numberOfAdapterPolicies: 0 10 | status: Created 11 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/si-status-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntent 6 | metadata: 7 | name: dns-manipulation 8 | status: 9 | action: Block 10 | id: dnsManipulation 11 | status: Created 12 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/sib-status-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntentBinding 6 | metadata: 7 | name: dns-manipulation-binding 8 | status: 9 | boundIntents: 10 | - dns-manipulation 11 | nimbusPolicy: dns-manipulation-binding 12 | numberOfBoundIntents: 1 13 | status: Created 14 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/update/nimbus-policy-after-deleting-one-si.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 
Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: multiple-sis-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: SecurityIntentBinding 13 | name: multiple-sis-binding 14 | spec: 15 | rules: 16 | - id: unAuthorizedSaTokenAccess 17 | rule: 18 | action: Block 19 | - id: dnsManipulation 20 | rule: 21 | action: Block 22 | selector: 23 | matchLabels: 24 | app: nginx 25 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/update/nimbus-policy-after-updating-one-si.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: multiple-sis-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: SecurityIntentBinding 13 | name: multiple-sis-binding 14 | spec: 15 | rules: 16 | - id: swDeploymentTools 17 | rule: 18 | action: Block 19 | - id: unAuthorizedSaTokenAccess 20 | rule: 21 | action: Block 22 | - id: dnsManipulation 23 | rule: 24 | action: Block 25 | selector: 26 | matchLabels: 27 | app: nginx 28 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/update/nimbus-policy-for-multiple-sis.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: multiple-sis-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: 
true 12 | kind: SecurityIntentBinding 13 | name: multiple-sis-binding 14 | spec: 15 | rules: 16 | - id: swDeploymentTools 17 | rule: 18 | action: Block 19 | - id: unAuthorizedSaTokenAccess 20 | rule: 21 | action: Audit 22 | - id: dnsManipulation 23 | rule: 24 | action: Block 25 | selector: 26 | matchLabels: 27 | app: nginx 28 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/update/sib-status-after-si-deletion-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntentBinding 6 | metadata: 7 | name: multiple-sis-binding 8 | status: 9 | boundIntents: 10 | - unauthorized-sa-token-access-multiple 11 | - dns-manipulation-multiple 12 | nimbusPolicy: multiple-sis-binding 13 | numberOfBoundIntents: 2 14 | status: Created 15 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/update/updated-sib.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntentBinding 6 | metadata: 7 | name: multiple-sis-binding 8 | spec: 9 | intents: 10 | - name: unauthorized-sa-token-access-multiple 11 | - name: dns-manipulation-multiple 12 | selector: 13 | workloadSelector: 14 | matchLabels: 15 | app: nginx 16 | -------------------------------------------------------------------------------- /tests/controllers/sis-and-sibs/update/updated-unauth-sa-si.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: 
SecurityIntent 6 | metadata: 7 | name: unauthorized-sa-token-access-multiple 8 | spec: 9 | intent: 10 | id: unAuthorizedSaTokenAccess 11 | action: Block 12 | -------------------------------------------------------------------------------- /tests/e2e/dns-manipulation/ksp.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: security.kubearmor.com/v1 5 | kind: KubeArmorPolicy 6 | metadata: 7 | annotations: 8 | app.kubernetes.io/managed-by: nimbus-kubearmor 9 | name: dns-manipulation-binding-dnsmanipulation 10 | ownerReferences: 11 | - apiVersion: intent.security.nimbus.com/v1alpha1 12 | blockOwnerDeletion: true 13 | controller: true 14 | kind: NimbusPolicy 15 | spec: 16 | action: Block 17 | capabilities: {} 18 | file: 19 | matchPaths: 20 | - path: /etc/resolv.conf 21 | readOnly: true 22 | message: An adversary can manipulate DNS requests to redirect network traffic 23 | and potentially reveal end user activity. 
24 | network: {} 25 | process: {} 26 | selector: 27 | matchLabels: 28 | app: nginx 29 | syscalls: {} 30 | 31 | -------------------------------------------------------------------------------- /tests/e2e/dns-manipulation/netpol.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: networking.k8s.io/v1 5 | kind: NetworkPolicy 6 | metadata: 7 | annotations: 8 | app.kubernetes.io/managed-by: nimbus-netpol 9 | name: dns-manipulation-binding-dnsmanipulation 10 | ownerReferences: 11 | - apiVersion: intent.security.nimbus.com/v1alpha1 12 | blockOwnerDeletion: true 13 | controller: true 14 | kind: NimbusPolicy 15 | name: dns-manipulation-binding 16 | spec: 17 | egress: 18 | - ports: 19 | - port: 53 20 | protocol: UDP 21 | - port: 53 22 | protocol: TCP 23 | to: 24 | - namespaceSelector: 25 | matchLabels: 26 | kubernetes.io/metadata.name: kube-system 27 | podSelector: 28 | matchLabels: 29 | k8s-app: kube-dns 30 | podSelector: 31 | matchLabels: 32 | app: nginx 33 | policyTypes: 34 | - Egress 35 | -------------------------------------------------------------------------------- /tests/e2e/dns-manipulation/nimbus-policy-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: dns-manipulation-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: SecurityIntentBinding 13 | name: dns-manipulation-binding 14 | spec: 15 | rules: 16 | - description: An adversary can manipulate DNS requests to redirect network traffic 17 | and potentially reveal end user activity. 
18 | id: dnsManipulation 19 | rule: 20 | action: Block 21 | selector: 22 | matchLabels: 23 | app: nginx 24 | -------------------------------------------------------------------------------- /tests/e2e/dns-manipulation/np-status-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: dns-manipulation-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: SecurityIntentBinding 13 | name: dns-manipulation-binding 14 | status: 15 | numberOfAdapterPolicies: 2 16 | status: Created 17 | -------------------------------------------------------------------------------- /tests/e2e/dns-manipulation/sib-status-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: SecurityIntentBinding 6 | metadata: 7 | name: dns-manipulation-binding 8 | status: 9 | boundIntents: 10 | - dns-manipulation 11 | nimbusPolicy: dns-manipulation-binding 12 | numberOfBoundIntents: 1 13 | status: Created 14 | -------------------------------------------------------------------------------- /tests/e2e/dns-manipulation/update/chainsaw-test.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: chainsaw.kyverno.io/v1alpha1 5 | kind: Test 6 | metadata: 7 | name: netpol-kubearmor-adapter-policy-updation 8 | spec: 9 | description: > 10 | This test validates that direct updates to the generated adapter's policies are discarded, to maintain consistency and prevent unintended modifications. 
11 | steps: 12 | - name: "Create a SecurityIntent" 13 | try: 14 | - apply: 15 | file: ../../resources/namespaced/dns-manipulation-si.yaml 16 | 17 | - name: "Create a SecurityIntentBinding" 18 | try: 19 | - apply: 20 | file: ../../resources/namespaced/dns-manipulation-sib.yaml 21 | 22 | - name: "Verify NimbusPolicy creation" 23 | try: 24 | - assert: 25 | file: ../nimbus-policy-assert.yaml 26 | 27 | - name: "Verify NetworkPolicy creation" 28 | try: 29 | - assert: 30 | file: ../netpol.yaml 31 | 32 | - name: "Verify KubearmorPolicy creation" 33 | try: 34 | - assert: 35 | file: ../ksp.yaml 36 | 37 | - name: "Update existing NetworkPolicy" 38 | try: 39 | - apply: 40 | file: ../updated-netpol.yaml 41 | 42 | - name: "Verify discarding of the changes made in NetworkPolicy" 43 | try: 44 | - assert: 45 | file: ../netpol.yaml 46 | 47 | 48 | - name: "Update existing KubearmorPolicy" 49 | try: 50 | - apply: 51 | file: ../updated-ksp.yaml 52 | 53 | - name: "Verify discarding of the changes made in KubeArmorPolicy" 54 | try: 55 | - assert: 56 | file: ../ksp.yaml 57 | -------------------------------------------------------------------------------- /tests/e2e/dns-manipulation/updated-ksp.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: security.kubearmor.com/v1 5 | kind: KubeArmorPolicy 6 | metadata: 7 | annotations: 8 | app.kubernetes.io/managed-by: nimbus-kubearmor 9 | name: dns-manipulation-binding-dnsmanipulation 10 | spec: 11 | action: Block 12 | capabilities: {} 13 | file: 14 | matchPaths: 15 | - path: /etc/resolv.conf 16 | readOnly: true 17 | message: An adversary can manipulate DNS requests to redirect network traffic 18 | and potentially reveal end user activity. 
19 | network: {} 20 | process: {} 21 | selector: 22 | matchLabels: 23 | env: backend 24 | syscalls: {} 25 | -------------------------------------------------------------------------------- /tests/e2e/dns-manipulation/updated-netpol.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: networking.k8s.io/v1 5 | kind: NetworkPolicy 6 | metadata: 7 | annotations: 8 | app.kubernetes.io/managed-by: nimbus-netpol 9 | name: dns-manipulation-binding-dnsmanipulation 10 | spec: 11 | egress: 12 | - ports: 13 | - port: 53 14 | protocol: UDP 15 | - port: 53 16 | protocol: TCP 17 | to: 18 | - namespaceSelector: 19 | matchLabels: 20 | kubernetes.io/metadata.name: kube-system 21 | podSelector: 22 | matchLabels: 23 | k8s-app: kube-dns 24 | podSelector: 25 | matchLabels: 26 | env: backend 27 | policyTypes: 28 | - Egress -------------------------------------------------------------------------------- /tests/e2e/escape-to-host-clusterscoped-matchall/cluster-kyverno-policy.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2024 Authors of Nimbus 3 | 4 | apiVersion: kyverno.io/v1 5 | kind: ClusterPolicy 6 | metadata: 7 | annotations: 8 | app.kubernetes.io/managed-by: nimbus-kyverno 9 | policies.kyverno.io/description: A attacker can breach container boundaries and 10 | can gain access to the host machine 11 | name: escape-to-host-binding-escapetohost 12 | ownerReferences: 13 | - apiVersion: intent.security.nimbus.com/v1alpha1 14 | blockOwnerDeletion: true 15 | controller: true 16 | kind: ClusterNimbusPolicy 17 | name: escape-to-host-binding 18 | spec: 19 | admission: true 20 | background: true 21 | rules: 22 | - exclude: 23 | any: 24 | - resources: 25 | namespaces: 26 | - kube-system 27 | resources: {} 28 | generate: 29 | clone: {} 30 | cloneList: {} 31 | match: 
32 | any: 33 | - resources: 34 | kinds: 35 | - v1/Pod 36 | selector: 37 | matchLabels: 38 | app: nginx 39 | resources: {} 40 | mutate: {} 41 | name: pod-security-standard 42 | skipBackgroundRequests: true 43 | validate: 44 | podSecurity: 45 | level: baseline 46 | version: latest 47 | validationFailureAction: Enforce -------------------------------------------------------------------------------- /tests/e2e/escape-to-host-clusterscoped-matchall/csib-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2024 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: ClusterSecurityIntentBinding 6 | metadata: 7 | name: escape-to-host-binding 8 | spec: 9 | intents: 10 | - name: escape-to-host 11 | selector: 12 | nsSelector: 13 | matchNames: 14 | - '*' 15 | workloadSelector: 16 | matchLabels: 17 | app: nginx 18 | status: 19 | boundIntents: 20 | - escape-to-host 21 | clusterNimbusPolicy: escape-to-host-binding 22 | numberOfBoundIntents: 1 23 | status: Created 24 | -------------------------------------------------------------------------------- /tests/e2e/escape-to-host-clusterscoped-matchall/cwnp-assert.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2024 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: ClusterNimbusPolicy 6 | metadata: 7 | name: escape-to-host-binding 8 | ownerReferences: 9 | - apiVersion: intent.security.nimbus.com/v1alpha1 10 | blockOwnerDeletion: true 11 | controller: true 12 | kind: ClusterSecurityIntentBinding 13 | name: escape-to-host-binding 14 | spec: 15 | rules: 16 | - description: A attacker can breach container boundaries and can gain access to 17 | the host machine 18 | id: escapeToHost 19 | rule: 20 | action: Block 21 | nodeSelector: {} 22 | nsSelector: 23 | matchNames: 24 | - '*' 25 | 
workloadSelector: 26 | matchLabels: 27 | app: nginx 28 | status: 29 | adapterPolicies: 30 | - KyvernoClusterPolicy/escape-to-host-binding-escapetohost 31 | numberOfAdapterPolicies: 1 32 | status: Created 33 | -------------------------------------------------------------------------------- /tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-default.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2024 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-escape-to-host-binding 8 | namespace: default 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: escape-to-host-binding 15 | spec: 16 | rules: 17 | - description: A attacker can breach container boundaries and can gain access 18 | to the host machine 19 | id: escapeToHost 20 | rule: 21 | action: Block 22 | selector: 23 | matchLabels: 24 | app: nginx 25 | status: 26 | adapterPolicies: 27 | - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-disallowchroot 28 | - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-disallowcapabilities 29 | - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-swdeploymenttools 30 | numberOfAdapterPolicies: 3 31 | status: Created -------------------------------------------------------------------------------- /tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-dev.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2024 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-escape-to-host-binding 8 | namespace: dev 9 | 
ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: escape-to-host-binding 15 | spec: 16 | rules: 17 | - description: A attacker can breach container boundaries and can gain access 18 | to the host machine 19 | id: escapeToHost 20 | rule: 21 | action: Block 22 | selector: 23 | matchLabels: 24 | app: nginx 25 | status: 26 | adapterPolicies: 27 | - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-disallowchroot 28 | - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-disallowcapabilities 29 | - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-swdeploymenttools 30 | numberOfAdapterPolicies: 3 31 | status: Created 32 | -------------------------------------------------------------------------------- /tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-staging.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: intent.security.nimbus.com/v1alpha1 5 | kind: NimbusPolicy 6 | metadata: 7 | name: nimbus-ctlr-gen-escape-to-host-binding 8 | namespace: staging 9 | ownerReferences: 10 | - apiVersion: intent.security.nimbus.com/v1alpha1 11 | blockOwnerDeletion: true 12 | controller: true 13 | kind: ClusterSecurityIntentBinding 14 | name: escape-to-host-binding 15 | spec: 16 | rules: 17 | - description: A attacker can breach container boundaries and can gain access 18 | to the host machine 19 | id: escapeToHost 20 | rule: 21 | action: Block 22 | selector: 23 | matchLabels: 24 | app: nginx 25 | status: 26 | adapterPolicies: 27 | - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-disallowchroot 28 | - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-disallowcapabilities 29 | - 
KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-swdeploymenttools 30 | numberOfAdapterPolicies: 3 31 | status: Created 32 | -------------------------------------------------------------------------------- /tests/e2e/escape-to-host-clusterscoped-matchall/ns.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2024 Authors of Nimbus 3 | 4 | apiVersion: v1 5 | kind: Namespace 6 | metadata: 7 | name: dev 8 | --- 9 | apiVersion: v1 10 | kind: Namespace 11 | metadata: 12 | name: staging -------------------------------------------------------------------------------- /tests/e2e/escape-to-host/create/chainsaw-test.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: chainsaw.kyverno.io/v1alpha1 5 | kind: Test 6 | metadata: 7 | name: kyverno-adapter-policy-creation 8 | spec: 9 | description: > 10 | This test validates that creating a `escapeToHost` SecurityIntent with SecurityIntentBinding generates the expected Kyverno Policy. 11 | steps: 12 | - name: "Create a SecurityIntent" 13 | try: 14 | - apply: 15 | file: ../../resources/namespaced/escape-to-host-si.yaml 16 | 17 | - name: "Create a SecurityIntentBinding" 18 | try: 19 | - apply: 20 | file: ../../resources/namespaced/escape-to-host-sib.yaml 21 | 22 | - name: "Verify NimbusPolicy creation" 23 | try: 24 | - assert: 25 | file: ../nimbus-policy-assert.yaml 26 | 27 | - name: "Verify KyvernoPolicy creation" 28 | try: 29 | - assert: 30 | file: ../kyverno-policy.yaml 31 | 32 | - name: "Verify status of created SecurityIntentBinding" 33 | description: > 34 | Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, 35 | along with the generated NimbusPolicy name. 
36 | try: 37 | - assert: 38 | file: ../sib-status-assert.yaml 39 | 40 | - name: "Verify status of created NimbusPolicy" 41 | try: 42 | - assert: 43 | file: ../np-status-assert.yaml 44 | 45 | - name: "Verify that the corresponding NimbusPolicy status has been updated with the generated Kyverno Policy" 46 | try: 47 | - script: 48 | content: kubectl get np -n $NAMESPACE escape-to-host-binding -o=jsonpath='{.status.adapterPolicies}' 49 | check: 50 | (contains($stdout, 'KyvernoPolicy/escape-to-host-binding-escapetohost')): true 51 | 52 | 53 | -------------------------------------------------------------------------------- /tests/e2e/escape-to-host/delete/chainsaw-test.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 2 | # Copyright 2023 Authors of Nimbus 3 | 4 | apiVersion: chainsaw.kyverno.io/v1alpha1 5 | kind: Test 6 | metadata: 7 | name: kyverno-adapter-policy-deletion 8 | spec: 9 | description: > 10 | This test validates that the adapters re-create their generated policies when those policies are deleted manually. 
# Remainder of the "delete" chainsaw test for the escape-to-host intent (the
# file header and the first ten lines are outside this listing). The steps
# create an intent and its binding, wait for the generated NimbusPolicy and
# Kyverno Policy, delete the Kyverno Policy by hand and then assert that the
# same policy exists again — i.e. the adapter re-creates an object that was
# removed out-of-band.
steps:
  - name: "Create a SecurityIntent"
    try:
      - apply:
          file: ../../resources/namespaced/escape-to-host-si.yaml

  - name: "Create a SecurityIntentBinding"
    try:
      - apply:
          file: ../../resources/namespaced/escape-to-host-sib.yaml

  - name: "Verify NimbusPolicy creation"
    try:
      - assert:
          file: ../nimbus-policy-assert.yaml

  - name: "Verify KyvernoPolicy creation"
    try:
      - assert:
          file: ../kyverno-policy.yaml

  - name: "Delete existing KyvernoPolicy"
    try:
      - delete:
          ref:
            apiVersion: kyverno.io/v1
            kind: Policy
            name: escape-to-host-binding-escapetohost
          # NOTE(review): the expectation accepts an error from the delete
          # ($error != null) — presumably because the adapter may recreate the
          # object while the deletion is still in flight; confirm that this is
          # the intended tolerance and not a masked failure.
          expect:
            - match:
                apiVersion: kyverno.io/v1
                kind: Policy
                name: escape-to-host-binding-escapetohost
              check:
                ($error != null): true

  # The same assert file as "Verify KyvernoPolicy creation": the recreated
  # policy must be byte-for-byte what the adapter originally generated.
  - name: "Verify KyvernoPolicy recreation"
    try:
      - assert:
          file: ../kyverno-policy.yaml


--------------------------------------------------------------------------------
/tests/e2e/escape-to-host/kyverno-policy.yaml:
--------------------------------------------------------------------------------
# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus

# Expected shape of the Kyverno Policy the nimbus-kyverno adapter generates
# for the escape-to-host intent. Used as a chainsaw assert, so every field
# listed here must be present on the live object.
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  annotations:
    app.kubernetes.io/managed-by: nimbus-kyverno
    # NOTE(review): "A attacker" should read "An attacker"; the text is copied
    # from the SecurityIntent description into the NimbusPolicy and this
    # annotation, so fix it in the intent and all assert files together.
    policies.kyverno.io/description: A attacker can breach container boundaries
      and can gain access to the host machine
  name: escape-to-host-binding-escapetohost
  # Owned by the NimbusPolicy: with blockOwnerDeletion/controller set, deleting
  # the NimbusPolicy garbage-collects this adapter policy.
  ownerReferences:
    - apiVersion: intent.security.nimbus.com/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: NimbusPolicy
      name: escape-to-host-binding
spec:
  admission: true
  background: true
  rules:
    - exclude:
        resources: {}
      generate:
        clone: {}
        cloneList: {}
      # Only Pods carrying the binding's workload selector label are checked.
      match:
        any:
          - resources:
              kinds:
                - v1/Pod
              selector:
                matchLabels:
                  app: nginx
      resources: {}
      mutate: {}
      name: pod-security-standard
      skipBackgroundRequests: true
      # Pod Security Standards "baseline" profile, evaluated against the latest
      # version of the standard.
      validate:
        podSecurity:
          level: baseline
          version: latest
  # Enforce: admission requests that violate the rule are rejected rather than
  # only reported.
  validationFailureAction: Enforce

--------------------------------------------------------------------------------
/tests/e2e/escape-to-host/nimbus-policy-assert.yaml:
--------------------------------------------------------------------------------
# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus

# Expected NimbusPolicy produced from the escape-to-host SecurityIntentBinding.
apiVersion: intent.security.nimbus.com/v1alpha1
kind: NimbusPolicy
metadata:
  name: escape-to-host-binding
  # Owned by the binding that produced it.
  ownerReferences:
    - apiVersion: intent.security.nimbus.com/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: SecurityIntentBinding
      name: escape-to-host-binding
spec:
  rules:
    # description/id/action are carried over from the SecurityIntent.
    - description: A attacker can breach container boundaries and can gain access
        to the host machine
      id: escapeToHost
      rule:
        action: Block
  selector:
    matchLabels:
      app: nginx

--------------------------------------------------------------------------------
/tests/e2e/escape-to-host/np-status-assert.yaml:
--------------------------------------------------------------------------------
# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus

# Status-only assert for the generated NimbusPolicy.
apiVersion: intent.security.nimbus.com/v1alpha1
kind: NimbusPolicy
metadata:
  name: escape-to-host-binding
  ownerReferences:
    - apiVersion: intent.security.nimbus.com/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: SecurityIntentBinding
      name: escape-to-host-binding
status:
  # NOTE(review): 4 presumably equals the number of adapters deployed in the
  # e2e environment; this assert will drift whenever an adapter is added or
  # removed from the test setup — confirm against the e2e install.
  numberOfAdapterPolicies: 4
  status: Created

--------------------------------------------------------------------------------
/tests/e2e/escape-to-host/sib-status-assert.yaml:
--------------------------------------------------------------------------------
# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus

# Status-only assert for the SecurityIntentBinding: one intent bound and the
# NimbusPolicy it produced.
apiVersion: intent.security.nimbus.com/v1alpha1
kind: SecurityIntentBinding
metadata:
  name: escape-to-host-binding
status:
  boundIntents:
    - escape-to-host
  nimbusPolicy: escape-to-host-binding
  numberOfBoundIntents: 1
  status: Created

--------------------------------------------------------------------------------
/tests/e2e/escape-to-host/update/chainsaw-test.yaml:
--------------------------------------------------------------------------------
# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus

# Tamper-resistance test: a hand-edited adapter policy must be reverted to the
# generated one, so the enforced posture cannot be weakened by editing the
# derived object instead of the intent.
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
  name: kyverno-adapter-policy-updation
spec:
  description: >
    This test validates that direct updates to the generated adapter's policies are discarded, to maintain consistency and prevent unintended modifications.
  steps:
    - name: "Create a SecurityIntent"
      try:
        - apply:
            file: ../../resources/namespaced/escape-to-host-si.yaml

    - name: "Create a SecurityIntentBinding"
      try:
        - apply:
            file: ../../resources/namespaced/escape-to-host-sib.yaml

    - name: "Verify NimbusPolicy creation"
      try:
        - assert:
            file: ../nimbus-policy-assert.yaml

    - name: "Verify KyvernoPolicy creation"
      try:
        - assert:
            file: ../kyverno-policy.yaml


    # Overwrites the generated policy with one whose selector and rule name
    # differ (see ../updated-kyverno-policy.yaml).
    - name: "Update existing KyvernoPolicy"
      try:
        - apply:
            file: ../updated-kyverno-policy.yaml

    # Asserting against the original expected file proves the manual edit was
    # discarded by reconciliation.
    - name: "Verify discarding of the changes made in KyvernoPolicy"
      try:
        - assert:
            file: ../kyverno-policy.yaml

--------------------------------------------------------------------------------
/tests/e2e/escape-to-host/updated-kyverno-policy.yaml:
--------------------------------------------------------------------------------
# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus

# Deliberately modified copy of kyverno-policy.yaml used as the tampering
# input for the update test. Differences from the generated policy: no
# ownerReferences, the match selector is `env: prod` instead of `app: nginx`,
# and the rule is named `restricted`. None of these must survive reconciliation.
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  annotations:
    app.kubernetes.io/managed-by: nimbus-kyverno
    policies.kyverno.io/description: A attacker can breach container boundaries
      and can gain access to the host machine
  name: escape-to-host-binding-escapetohost
spec:
  admission: true
  background: true
  rules:
    - exclude:
        resources: {}
      generate:
        clone: {}
        cloneList: {}
      match:
        any:
          - resources:
              kinds:
                - v1/Pod
              selector:
                matchLabels:
                  env: prod
      resources: {}
      mutate: {}
      # NOTE(review): the rule is named "restricted" but still validates the
      # "baseline" profile; harmless for a tamper input, but confusing to read.
      name: restricted
      skipBackgroundRequests: true
      validate:
        podSecurity:
          level: baseline
          version: latest
  validationFailureAction: Enforce
--------------------------------------------------------------------------------
/tests/e2e/resources/clusterscoped/escape-to-host-csib-match-all.yaml:
--------------------------------------------------------------------------------
# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus

# Cluster-scoped binding of the escape-to-host intent. The wildcard namespace
# selector binds the intent in every namespace, so the resulting policies are
# cluster-wide — limited only by the workload label selector.
apiVersion: intent.security.nimbus.com/v1alpha1
kind: ClusterSecurityIntentBinding
metadata:
  name: escape-to-host-binding
spec:
  intents:
    - name: escape-to-host
  selector:
    nsSelector:
      matchNames:
        - "*"
    workloadSelector:
      matchLabels:
        app: nginx

--------------------------------------------------------------------------------
/tests/e2e/resources/namespaced/dns-manipulation-si.yaml:
--------------------------------------------------------------------------------
# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus

# Namespaced SecurityIntent for the dnsManipulation intent id; the only
# SecurityIntent in this listing that sets a severity.
apiVersion: intent.security.nimbus.com/v1alpha1
kind: SecurityIntent
metadata:
  name: dns-manipulation
spec:
  intent:
    id: dnsManipulation
    description: "An adversary can manipulate DNS requests to redirect network traffic and potentially reveal end user activity."
    action: Block
    severity: Medium

--------------------------------------------------------------------------------
/tests/e2e/resources/namespaced/dns-manipulation-sib.yaml:
--------------------------------------------------------------------------------
# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus

# Binds the dns-manipulation intent to workloads labelled app=nginx in the
# test namespace.
apiVersion: intent.security.nimbus.com/v1alpha1
kind: SecurityIntentBinding
metadata:
  name: dns-manipulation-binding
spec:
  intents:
    - name: dns-manipulation
  selector:
    workloadSelector:
      matchLabels:
        app: nginx

--------------------------------------------------------------------------------
/tests/e2e/resources/namespaced/escape-to-host-si.yaml:
--------------------------------------------------------------------------------
# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus

# Source intent for the escape-to-host e2e tests. Its id, description and
# action are propagated verbatim into the NimbusPolicy and adapter policies
# asserted under tests/e2e/escape-to-host/.
apiVersion: intent.security.nimbus.com/v1alpha1
kind: SecurityIntent
metadata:
  name: escape-to-host
spec:
  intent:
    id: escapeToHost
    # NOTE(review): "A attacker" → "An attacker"; change the assert files that
    # repeat this text in the same commit, otherwise the e2e asserts fail.
    description: "A attacker can breach container boundaries and can gain access to the host machine"
    action: Block

--------------------------------------------------------------------------------
/tests/e2e/resources/namespaced/escape-to-host-sib.yaml:
--------------------------------------------------------------------------------
# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus

# Binds the escape-to-host intent to workloads labelled app=nginx; the
# binding name is reused as the NimbusPolicy name in the asserts.
apiVersion: intent.security.nimbus.com/v1alpha1
kind: SecurityIntentBinding
metadata:
  name: escape-to-host-binding
spec:
  intents:
    - name: escape-to-host
  selector:
    workloadSelector:
      matchLabels:
        app: nginx

--------------------------------------------------------------------------------
/virtual_patch_si.yaml:
--------------------------------------------------------------------------------
# NOTE(review): this sample sits at the repository root rather than under
# config/samples or tests/e2e/resources, and lacks the SPDX header every other
# manifest carries — confirm it is meant to be committed.
#
# SecurityIntent carrying adapter parameters: a list of CVE identifiers the
# virtualPatch intent is expected to cover.
apiVersion: intent.security.nimbus.com/v1alpha1
kind: SecurityIntent
metadata:
  name: virtual-patch
spec:
  intent:
    id: virtualPatch
    description: "Check and apply virtual patch for a given set of CVEs as per a schedule"
    action: Block
    params:
      cve_list:
        - "CVE-2024-4439"
        - "CVE-2024-27268"
--------------------------------------------------------------------------------
/virtual_patch_sib.yaml:
--------------------------------------------------------------------------------
# NOTE(review): same placement/header concern as virtual_patch_si.yaml. The
# selector uses `app: prod`, unlike the `app: nginx` label used throughout the
# e2e resources — verify it targets the intended workloads.
apiVersion: intent.security.nimbus.com/v1alpha1
kind: SecurityIntentBinding
metadata:
  name: virtual-patch-binding
spec:
  intents:
    - name: virtual-patch
  selector:
    workloadSelector:
      matchLabels:
        app: prod
--------------------------------------------------------------------------------