├── demo ├── 70-globalreports │ ├── .gitignore │ ├── cluster-inventory.yaml │ ├── cluster-policy-audit.yaml │ ├── cluster-networkaccess.yaml │ ├── demo-inventory.yaml │ ├── demo-policy-audit.yaml │ ├── demo-networkaccess.yaml │ ├── daily-cis-results.yaml │ └── compliance-reporter-template.yaml ├── 30-tier │ ├── tier-platform.yaml │ ├── tier-security.yaml │ ├── calico.log-access.yaml │ └── calico.allow-kube-dns.yaml ├── 10-k8s-n-calico-policy │ ├── k8s.deny-all.yaml │ ├── calico.deny-all.yaml │ ├── calico.staged.default-deny.yaml │ ├── calico.log-access.yaml │ ├── calico.allow-kube-dns.yaml │ ├── k8s.centos-to-nginx.yaml │ └── calico.netshoot-to-nginx.yaml ├── 40-netsets │ ├── allowed-domains-netset.yaml │ ├── global-threatfeed-ipfeodo.yaml │ ├── calico.deny-public-nets-egress.yaml │ └── calico.public-nets.yaml ├── 50-dns-policy │ ├── calico.pass-traffic.yaml │ └── calico.allow-external-dns-egress.yaml ├── 80-anomaly-detection │ ├── pod-netshoot.yaml │ └── nginx-stack.yaml ├── 60-globalalerts │ ├── calico.dev-to-uat-nginx.yaml │ ├── dns.match.yaml │ ├── globalnetworkset.change.yaml │ └── unsanctioned.lateral.access.yaml └── 20-rbac │ ├── sa.yaml │ ├── ns-dev-roles.yaml │ ├── ns-uat-roles.yaml │ ├── dev-rolebindings.yaml │ ├── uat-rolebindings.yaml │ └── tigera-roles-rolebindings.yaml ├── img ├── global-alerts.png ├── compliance-reports.png └── k8s_rbac_constructs.png ├── app ├── dev │ ├── 00-namespace.yaml │ ├── pod-centos.yaml │ └── nginx-stack.yaml ├── uat │ ├── 00-namespace.yaml │ ├── pod-netshoot.yaml │ └── nginx-stack.yaml └── pod-centos.yaml └── README.md /demo/70-globalreports/.gitignore: -------------------------------------------------------------------------------- 1 | compliance-reporter.yaml -------------------------------------------------------------------------------- /img/global-alerts.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/tigera-solutions/calico-security-controls-for-k8s/HEAD/img/global-alerts.png -------------------------------------------------------------------------------- /app/dev/00-namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: Namespace 2 | apiVersion: v1 3 | metadata: 4 | name: dev 5 | labels: 6 | compliance: open 7 | -------------------------------------------------------------------------------- /app/uat/00-namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: Namespace 2 | apiVersion: v1 3 | metadata: 4 | name: uat 5 | labels: 6 | compliance: enforced 7 | -------------------------------------------------------------------------------- /img/compliance-reports.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tigera-solutions/calico-security-controls-for-k8s/HEAD/img/compliance-reports.png -------------------------------------------------------------------------------- /img/k8s_rbac_constructs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tigera-solutions/calico-security-controls-for-k8s/HEAD/img/k8s_rbac_constructs.png -------------------------------------------------------------------------------- /demo/30-tier/tier-platform.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: Tier 3 | metadata: 4 | name: platform 5 | spec: 6 | order: 700 7 | -------------------------------------------------------------------------------- /demo/30-tier/tier-security.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: Tier 3 | metadata: 4 | name: security 5 | spec: 6 | order: 500 7 | 
-------------------------------------------------------------------------------- /demo/10-k8s-n-calico-policy/k8s.deny-all.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: default-deny 5 | namespace: dev 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | - Egress 11 | -------------------------------------------------------------------------------- /demo/40-netsets/allowed-domains-netset.yaml: -------------------------------------------------------------------------------- 1 | kind: GlobalNetworkSet 2 | apiVersion: projectcalico.org/v3 3 | metadata: 4 | name: allowed-external-domains 5 | labels: 6 | domain: external 7 | spec: 8 | allowedEgressDomains: 9 | - '*.google.com' 10 | - 'google.com' -------------------------------------------------------------------------------- /demo/10-k8s-n-calico-policy/calico.deny-all.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: default-deny 5 | spec: 6 | order: 2000 7 | selector: "projectcalico.org/namespace in {'dev','uat'}" 8 | types: 9 | - Ingress 10 | - Egress 11 | -------------------------------------------------------------------------------- /demo/70-globalreports/cluster-inventory.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalReport 3 | metadata: 4 | name: cluster-inventory 5 | spec: 6 | reportType: inventory 7 | ## every top of hour: 0 * * * * 8 | ## every 5 min: */5 * * * * 9 | ## every 6 hours: 0 */6 * * * 10 | schedule: '0 */12 * * *' -------------------------------------------------------------------------------- /demo/70-globalreports/cluster-policy-audit.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
projectcalico.org/v3 2 | kind: GlobalReport 3 | metadata: 4 | name: cluster-policy-audit 5 | spec: 6 | reportType: policy-audit 7 | # schedule examples: 8 | ## every top of hour: 0 * * * * 9 | ## every 5 min: */5 * * * * 10 | schedule: '0 */12 * * *' -------------------------------------------------------------------------------- /demo/40-netsets/global-threatfeed-ipfeodo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalThreatFeed 3 | metadata: 4 | name: global.threatfeed.ipfeodo 5 | spec: 6 | pull: 7 | http: 8 | url: https://feodotracker.abuse.ch/downloads/ipblocklist.txt 9 | globalNetworkSet: 10 | labels: 11 | feed: feodo -------------------------------------------------------------------------------- /demo/70-globalreports/cluster-networkaccess.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalReport 3 | metadata: 4 | name: cluster-networkaccess 5 | spec: 6 | reportType: network-access 7 | ## every top of hour: 0 * * * * 8 | ## every 5 min: */5 * * * * 9 | ## every 6 hours: 0 */6 * * * 10 | schedule: '0 */12 * * *' -------------------------------------------------------------------------------- /demo/50-dns-policy/calico.pass-traffic.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: security.pass-traffic 5 | spec: 6 | tier: security 7 | selector: all() 8 | order: 2000 9 | types: 10 | - Egress 11 | egress: 12 | - action: Pass 13 | source: {} 14 | destination: {} 15 | -------------------------------------------------------------------------------- /demo/10-k8s-n-calico-policy/calico.staged.default-deny.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: StagedGlobalNetworkPolicy 3 
| metadata: 4 | name: default-deny 5 | spec: 6 | order: 2000 7 | # target only these namespaces 8 | selector: "projectcalico.org/namespace == 'dev' || projectcalico.org/namespace == 'uat'" 9 | types: 10 | - Ingress 11 | - Egress 12 | -------------------------------------------------------------------------------- /app/pod-centos.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Pod 4 | metadata: 5 | name: centos 6 | namespace: default 7 | labels: 8 | app: centos 9 | spec: 10 | containers: 11 | - name: centos 12 | image: centos:latest 13 | # Just spin & wait forever 14 | command: [ "/bin/bash", "-c", "--" ] 15 | args: [ "while true; do sleep 60; done;" ] 16 | resources: {} -------------------------------------------------------------------------------- /demo/10-k8s-n-calico-policy/calico.log-access.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: log-nginx-ingress 5 | namespace: dev 6 | spec: 7 | order: 900 8 | selector: "app == 'nginx'" 9 | types: 10 | - Ingress 11 | ingress: 12 | - action: Log 13 | protocol: TCP 14 | source: 15 | selector: "app == 'centos'" 16 | destination: {} 17 | -------------------------------------------------------------------------------- /demo/80-anomaly-detection/pod-netshoot.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Pod 4 | metadata: 5 | name: netshoot 6 | labels: 7 | app: netshoot 8 | spec: 9 | containers: 10 | - name: netshoot 11 | image: nicolaka/netshoot:latest 12 | imagePullPolicy: IfNotPresent 13 | command: [ "/bin/bash", "-c", "--" ] 14 | args: [ "while true; do sleep 30; done;" ] 15 | resources: {} 16 | -------------------------------------------------------------------------------- /app/dev/pod-centos.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Pod 4 | metadata: 5 | name: centos 6 | namespace: dev 7 | labels: 8 | app: centos 9 | spec: 10 | containers: 11 | - name: centos 12 | image: centos:latest 13 | # Just spin & wait forever 14 | command: [ "/bin/bash", "-c", "--" ] 15 | args: [ "while true; do curl -m5 http://nginx-svc; sleep 3; done;" ] 16 | resources: {} -------------------------------------------------------------------------------- /app/uat/pod-netshoot.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Pod 4 | metadata: 5 | name: netshoot 6 | namespace: uat 7 | labels: 8 | app: netshoot 9 | spec: 10 | containers: 11 | - name: netshoot 12 | image: nicolaka/netshoot:latest 13 | # Just spin & wait forever 14 | command: [ "/bin/bash", "-c", "--" ] 15 | args: [ "while true; do curl -m5 http://nginx-svc; sleep 3; done;" ] 16 | resources: {} -------------------------------------------------------------------------------- /demo/70-globalreports/demo-inventory.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalReport 3 | metadata: 4 | name: demo-inventory 5 | labels: 6 | deployment: pre-prod 7 | spec: 8 | reportType: inventory 9 | endpoints: 10 | namespaces: 11 | names: ["dev","uat"] 12 | ## every top of hour: 0 * * * * 13 | ## every 5 min: */5 * * * * 14 | ## every 6 hours: 0 */6 * * * 15 | schedule: '0 */8 * * *' -------------------------------------------------------------------------------- /demo/70-globalreports/demo-policy-audit.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalReport 3 | metadata: 4 | name: demo-policy-audit 5 | labels: 6 | deployment: pre-prod 7 | spec: 8 | reportType: policy-audit 9 | endpoints: 10 | namespaces: 11 | 
names: ["dev","uat"] 12 | ## every top of hour: 0 * * * * 13 | ## every 5 min: */5 * * * * 14 | ## every 6 hours: 0 */6 * * * 15 | schedule: '0 */8 * * *' -------------------------------------------------------------------------------- /demo/70-globalreports/demo-networkaccess.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalReport 3 | metadata: 4 | name: demo-networkaccess 5 | labels: 6 | deployment: pre-prod 7 | spec: 8 | reportType: network-access 9 | endpoints: 10 | namespaces: 11 | names: ["dev","uat"] 12 | ## every top of hour: 0 * * * * 13 | ## every 5 min: */5 * * * * 14 | ## every 6 hours: 0 */6 * * * 15 | schedule: '0 */8 * * *' -------------------------------------------------------------------------------- /demo/70-globalreports/daily-cis-results.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalReport 3 | metadata: 4 | name: daily-cis-results 5 | labels: 6 | deployment: production 7 | spec: 8 | reportType: cis-benchmark 9 | ## every top of hour: 0 * * * * 10 | ## every 5 min: */5 * * * * 11 | schedule: 0 0 * * * 12 | cis: 13 | highThreshold: 100 14 | medThreshold: 50 15 | includeUnscoredTests: true 16 | numFailedTests: 5 -------------------------------------------------------------------------------- /demo/30-tier/calico.log-access.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: security.log-nginx-ingress 5 | spec: 6 | tier: security 7 | order: 100 8 | selector: "app == 'nginx' && security == 'strict'" 9 | types: 10 | - Ingress 11 | ingress: 12 | - action: Log 13 | protocol: TCP 14 | source: 15 | selector: "app == 'centos' || app == 'netshoot'" 16 | destination: {} 17 | - action: Pass 
-------------------------------------------------------------------------------- /demo/10-k8s-n-calico-policy/calico.allow-kube-dns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: allow-kube-dns 5 | spec: 6 | order: 100 7 | selector: all() 8 | types: 9 | - Egress 10 | egress: 11 | - action: Allow 12 | protocol: UDP 13 | source: {} 14 | destination: 15 | selector: "k8s-app == 'kube-dns'" 16 | ports: 17 | - '53' 18 | - action: Pass 19 | source: {} 20 | destination: {} 21 | -------------------------------------------------------------------------------- /demo/30-tier/calico.allow-kube-dns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: platform.allow-kube-dns 5 | spec: 6 | tier: platform 7 | order: 200 8 | selector: 'projectcalico.org/namespace not in {"acme"}' 9 | # selector: all() 10 | types: 11 | - Egress 12 | egress: 13 | - action: Allow 14 | protocol: UDP 15 | source: {} 16 | destination: 17 | selector: "k8s-app == 'kube-dns'" 18 | ports: 19 | - '53' 20 | - action: Pass 21 | source: {} 22 | destination: {} 23 | -------------------------------------------------------------------------------- /app/dev/nginx-stack.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: dev-nginx 6 | namespace: dev 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: nginx 11 | replicas: 2 12 | template: 13 | metadata: 14 | labels: 15 | app: nginx 16 | spec: 17 | containers: 18 | - name: nginx 19 | image: nginx 20 | ports: 21 | - containerPort: 80 22 | resources: {} 23 | 24 | --- 25 | apiVersion: v1 26 | kind: Service 27 | metadata: 28 | name: nginx-svc 29 | namespace: dev 30 | labels: 31 | service: nginx 32 | spec: 33 | 
ports: 34 | - port: 80 35 | targetPort: 80 36 | protocol: TCP 37 | selector: 38 | app: nginx 39 | -------------------------------------------------------------------------------- /demo/80-anomaly-detection/nginx-stack.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: default-nginx 6 | namespace: default 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: nginx 11 | replicas: 1 12 | template: 13 | metadata: 14 | labels: 15 | app: nginx 16 | spec: 17 | containers: 18 | - name: nginx 19 | image: nginx 20 | ports: 21 | - containerPort: 80 22 | resources: {} 23 | 24 | --- 25 | apiVersion: v1 26 | kind: Service 27 | metadata: 28 | name: nginx-svc 29 | namespace: default 30 | labels: 31 | service: nginx 32 | spec: 33 | ports: 34 | - port: 80 35 | targetPort: 80 36 | protocol: TCP 37 | selector: 38 | app: nginx 39 | -------------------------------------------------------------------------------- /app/uat/nginx-stack.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: uat-nginx 6 | namespace: uat 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: nginx 11 | security: strict 12 | replicas: 2 13 | template: 14 | metadata: 15 | labels: 16 | app: nginx 17 | security: strict 18 | spec: 19 | containers: 20 | - name: nginx 21 | image: nginx 22 | ports: 23 | - containerPort: 80 24 | resources: {} 25 | 26 | --- 27 | apiVersion: v1 28 | kind: Service 29 | metadata: 30 | name: nginx-svc 31 | namespace: uat 32 | labels: 33 | service: nginx 34 | spec: 35 | ports: 36 | - port: 80 37 | targetPort: 80 38 | protocol: TCP 39 | selector: 40 | app: nginx 41 | -------------------------------------------------------------------------------- /demo/40-netsets/calico.deny-public-nets-egress.yaml: -------------------------------------------------------------------------------- 1 
| apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: security.deny-public-nets-egress 5 | spec: 6 | tier: security 7 | # label on ns1 namespace 8 | # namespaceSelector: compliance == "open" 9 | selector: "projectcalico.org/namespace == 'default' && app == 'centos'" 10 | order: 100 11 | types: 12 | - Egress 13 | egress: 14 | - action: Deny 15 | protocol: TCP 16 | source: {} 17 | destination: 18 | selector: "type == 'public' && list-type == 'cidr'" 19 | - action: Deny 20 | protocol: ICMP 21 | source: {} 22 | destination: 23 | selector: "type == 'public' && list-type == 'cidr'" 24 | # - action: Pass 25 | # source: {} 26 | # destination: {} 27 | -------------------------------------------------------------------------------- /demo/60-globalalerts/calico.dev-to-uat-nginx.yaml: -------------------------------------------------------------------------------- 1 | # allow egress from centos in dev to nginx in uat 2 | apiVersion: projectcalico.org/v3 3 | kind: NetworkPolicy 4 | metadata: 5 | name: security.allow-dev-to-uat-nginx-egress 6 | namespace: dev 7 | spec: 8 | tier: security 9 | order: 205 10 | selector: "app == 'centos'" 11 | types: 12 | - Egress 13 | egress: 14 | - action: Allow 15 | protocol: TCP 16 | source: {} 17 | destination: 18 | selector: "app == 'nginx'" 19 | namespaceSelector: "projectcalico.org/name == 'uat'" 20 | ports: 21 | - '80' 22 | # rule not needed if there is preceeding allow-kube-dns policy 23 | # - action: Allow 24 | # protocol: UDP 25 | # destination: 26 | # ports: 27 | # - '53' 28 | - action: Pass 29 | -------------------------------------------------------------------------------- /demo/20-rbac/sa.yaml: -------------------------------------------------------------------------------- 1 | # secops - has security team access 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: sally 6 | namespace: default 7 | --- 8 | # platform - has infra/platform team access 9 | apiVersion: v1 10 | kind: 
ServiceAccount 11 | metadata: 12 | name: david 13 | namespace: default 14 | --- 15 | # service owner - has dev team admin access 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: samantha 20 | namespace: default 21 | --- 22 | # dev - has dev team access to default tier 23 | apiVersion: v1 24 | kind: ServiceAccount 25 | metadata: 26 | name: bob 27 | namespace: default 28 | --- 29 | # jacki - has uat team access to default tier 30 | apiVersion: v1 31 | kind: ServiceAccount 32 | metadata: 33 | name: jacki 34 | namespace: default 35 | --- 36 | -------------------------------------------------------------------------------- /demo/10-k8s-n-calico-policy/k8s.centos-to-nginx.yaml: -------------------------------------------------------------------------------- 1 | # allow nginx ingress within dev namespace 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: allow-nginx-ingress 6 | namespace: dev 7 | spec: 8 | podSelector: 9 | matchLabels: 10 | app: nginx 11 | policyTypes: 12 | - Ingress 13 | ingress: 14 | - from: 15 | - namespaceSelector: 16 | matchLabels: 17 | compliance: open 18 | --- 19 | 20 | # allow centos egress to nginx app within dev namespace 21 | apiVersion: networking.k8s.io/v1 22 | kind: NetworkPolicy 23 | metadata: 24 | name: allow-centos-egress 25 | namespace: dev 26 | spec: 27 | podSelector: 28 | matchLabels: 29 | app: centos 30 | policyTypes: 31 | - Egress 32 | egress: 33 | - to: 34 | - podSelector: 35 | matchLabels: 36 | app: nginx 37 | -------------------------------------------------------------------------------- /demo/50-dns-policy/calico.allow-external-dns-egress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: security.allow-external-dns-egress 5 | spec: 6 | tier: security 7 | selector: 'projectcalico.org/namespace == "dev" && app == "centos"' 8 | order: 90 9 | types: 
10 | - Egress 11 | egress: 12 | - action: Allow 13 | protocol: UDP 14 | source: {} 15 | destination: 16 | ports: 17 | - '53' 18 | # openshift dns port 19 | - '5353' 20 | - action: Allow 21 | source: 22 | selector: app == 'centos' 23 | destination: 24 | domains: 25 | - '*.google.com' 26 | - 'google.com' 27 | # this rule only necessary if there is no policy that would pass all unmatched traffic to the following tier 28 | # - action: Pass 29 | # source: {} 30 | # destination: {} 31 | -------------------------------------------------------------------------------- /demo/10-k8s-n-calico-policy/calico.netshoot-to-nginx.yaml: -------------------------------------------------------------------------------- 1 | # allow ingress into nginx app within uat namespace 2 | apiVersion: projectcalico.org/v3 3 | kind: NetworkPolicy 4 | metadata: 5 | name: allow-nginx-ingress 6 | namespace: uat 7 | spec: 8 | order: 1000 9 | selector: "app == 'nginx'" 10 | types: 11 | - Ingress 12 | ingress: 13 | - action: Allow 14 | protocol: TCP 15 | source: {} 16 | destination: 17 | ports: 18 | - '80' 19 | --- 20 | 21 | # allow egress from any pod to nginx app within uat namespace 22 | apiVersion: projectcalico.org/v3 23 | kind: NetworkPolicy 24 | metadata: 25 | name: allow-netshoot-egress 26 | namespace: uat 27 | spec: 28 | order: 1000 29 | selector: "projectcalico.org/namespace == 'uat'" 30 | types: 31 | - Egress 32 | egress: 33 | - action: Allow 34 | protocol: TCP 35 | source: {} 36 | destination: 37 | selector: "app == 'nginx'" 38 | ports: 39 | - '80' 40 | -------------------------------------------------------------------------------- /demo/60-globalalerts/dns.match.yaml: -------------------------------------------------------------------------------- 1 | # alert template to quickly create similar alerts 2 | apiVersion: projectcalico.org/v3 3 | kind: GlobalAlertTemplate 4 | metadata: 5 | name: dns.restricted-dns-access 6 | spec: 7 | description: "Pod attempted to access restricted domain" 8 | 
summary: "[dns] pod ${client_namespace}/${client_name_aggr} attempted to access '${qname}'" 9 | severity: 100 10 | dataSet: dns 11 | period: 5m 12 | lookback: 5m 13 | query: '(qname = "put.restricted.domain.com" OR qname = "restricted.domain.com")' 14 | aggregateBy: [client_namespace, client_name_aggr, qname] 15 | metric: count 16 | condition: gt 17 | threshold: 0 18 | --- 19 | 20 | apiVersion: projectcalico.org/v3 21 | kind: GlobalAlert 22 | metadata: 23 | name: dns.apple-access 24 | spec: 25 | description: "Pod attempted to access apple.com domain" 26 | summary: "[dns] pod ${client_namespace}/${client_name_aggr} attempted to access '${qname}'" 27 | severity: 100 28 | dataSet: dns 29 | period: 1m 30 | lookback: 1m 31 | query: '(qname = "www.apple.com" OR qname = "apple.com")' 32 | aggregateBy: [client_namespace, client_name_aggr, qname] 33 | metric: count 34 | condition: gt 35 | threshold: 0 36 | --- -------------------------------------------------------------------------------- /demo/60-globalalerts/globalnetworkset.change.yaml: -------------------------------------------------------------------------------- 1 | # alert template to quickly create similar alerts 2 | apiVersion: projectcalico.org/v3 3 | kind: GlobalAlertTemplate 4 | metadata: 5 | name: policy.globalnetworkset 6 | spec: 7 | description: "Alerts on any changes to global network sets" 8 | summary: "[audit] [privileged access] change detected for ${objectRef.resource} ${objectRef.name}" 9 | severity: 100 10 | period: 5m 11 | lookback: 5m 12 | dataSet: audit 13 | query: '(verb=create OR verb=update OR verb=delete OR verb=patch) AND "objectRef.resource"=globalnetworksets' 14 | aggregateBy: [objectRef.resource, objectRef.name] 15 | metric: count 16 | condition: gt 17 | threshold: 0 18 | --- 19 | 20 | apiVersion: projectcalico.org/v3 21 | kind: GlobalAlert 22 | metadata: 23 | name: policy.globalnetworkset 24 | spec: 25 | description: "Alerts on any changes to global network sets" 26 | summary: "[audit] 
[privileged access] change detected for ${objectRef.resource} ${objectRef.name}" 27 | severity: 100 28 | period: 1m 29 | lookback: 1m 30 | dataSet: audit 31 | # alert is triggered if CRUD operation executed against any globalnetworkset 32 | query: '(verb=create OR verb=update OR verb=delete OR verb=patch) AND "objectRef.resource"=globalnetworksets' 33 | aggregateBy: [objectRef.resource, objectRef.name] 34 | metric: count 35 | condition: gt 36 | threshold: 0 37 | --- 38 | -------------------------------------------------------------------------------- /demo/60-globalalerts/unsanctioned.lateral.access.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalAlertTemplate 3 | metadata: 4 | name: unsanctioned.lateral.access 5 | spec: 6 | description: "Alerts when pods with a specific label (security=strict) accessed by other workloads outside of their namespace" 7 | summary: "[flows] [lateral movement] ${source_namespace}/${source_name_aggr} has accessed ${dest_namespace}/${dest_name_aggr} with label security=strict" 8 | severity: 100 9 | period: 5m 10 | lookback: 5m 11 | dataSet: flows 12 | query: '("dest_labels.labels"="security=strict" AND "dest_namespace"="secured_pod_namespace") AND "source_namespace"!="secured_pod_namespace" AND "proto"="tcp" AND (("action"="allow" AND ("reporter"="dst" OR "reporter"="src")) OR ("action"="deny" AND "reporter"="src"))' 13 | aggregateBy: [source_namespace, source_name_aggr, dest_namespace, dest_name_aggr] 14 | field: num_flows 15 | metric: sum 16 | condition: gt 17 | threshold: 0 18 | --- 19 | 20 | apiVersion: projectcalico.org/v3 21 | kind: GlobalAlert 22 | metadata: 23 | name: uat.lateral.access 24 | spec: 25 | description: "Alerts when pods with a specific label (security=strict) accessed by other workloads outside of their namespace" 26 | summary: "[flows] [lateral movement] ${source_namespace}/${source_name_aggr} has accessed 
${dest_namespace}/${dest_name_aggr} with label security=strict" 27 | severity: 100 28 | period: 1m 29 | lookback: 1m 30 | dataSet: flows 31 | query: '("dest_labels.labels"="security=strict" AND "dest_namespace"="uat") AND "source_namespace"!="uat" AND "proto"="tcp" AND (("action"="allow" AND ("reporter"="dst" OR "reporter"="src")) OR ("action"="deny" AND "reporter"="src"))' 32 | aggregateBy: [source_namespace, source_name_aggr, dest_namespace, dest_name_aggr] 33 | field: num_flows 34 | metric: sum 35 | condition: gt 36 | threshold: 0 37 | --- -------------------------------------------------------------------------------- /demo/70-globalreports/compliance-reporter-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: run-reporter-custom 5 | namespace: tigera-compliance 6 | labels: 7 | k8s-app: compliance-reporter 8 | spec: 9 | nodeSelector: 10 | beta.kubernetes.io/os: linux 11 | restartPolicy: OnFailure 12 | serviceAccount: tigera-compliance-reporter 13 | serviceAccountName: tigera-compliance-reporter 14 | tolerations: 15 | - key: node-role.kubernetes.io/master 16 | effect: NoSchedule 17 | imagePullSecrets: 18 | - name: tigera-pull-secret 19 | containers: 20 | - name: reporter 21 | # Modify this image name, if you have re-tagged the image and are using a local 22 | # docker image repository. 23 | # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 24 | image: quay.io/tigera/compliance-reporter:v3.5.0 25 | # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 26 | env: 27 | # Modify this value with name of an existing globalreport resource. 28 | # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 29 | - name: TIGERA_COMPLIANCE_REPORT_NAME 30 | value: hourly-cluster-networkacess 31 | # Modify these values with the start and end time frame that should be reported on. 
32 | # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 33 | # - name: TIGERA_COMPLIANCE_REPORT_START_TIME 34 | # value: "2020-08-19T15:20:00Z" 35 | # - name: TIGERA_COMPLIANCE_REPORT_END_TIME 36 | # value: "2020-08-19T15:35:00Z" 37 | - name: TIGERA_COMPLIANCE_JOB_START_DELAY 38 | value: "5m" 39 | # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 40 | - name: LOG_LEVEL 41 | value: "warning" 42 | - name: ELASTIC_INDEX_SUFFIX 43 | value: cluster 44 | - name: ELASTIC_SCHEME 45 | value: https 46 | - name: ELASTIC_HOST 47 | value: tigera-secure-es-http.tigera-elasticsearch.svc 48 | - name: ELASTIC_PORT 49 | value: "9200" 50 | - name: ELASTIC_USER 51 | valueFrom: 52 | secretKeyRef: 53 | name: tigera-ee-compliance-reporter-elasticsearch-access 54 | key: username 55 | optional: true 56 | - name: ELASTIC_PASSWORD 57 | valueFrom: 58 | secretKeyRef: 59 | name: tigera-ee-compliance-reporter-elasticsearch-access 60 | key: password 61 | optional: true 62 | - name: ELASTIC_SSL_VERIFY 63 | value: "true" 64 | - name: ELASTIC_CA 65 | value: /etc/ssl/elastic/ca.pem 66 | volumeMounts: 67 | - mountPath: /var/log/calico 68 | name: var-log-calico 69 | - name: elastic-ca-cert-volume 70 | mountPath: /etc/ssl/elastic/ 71 | - name: tigera-compliance-reporter-token 72 | mountPath: /var/run/secrets/kubernetes.io/serviceaccount 73 | livenessProbe: 74 | httpGet: 75 | path: /liveness 76 | port: 9099 77 | host: localhost 78 | volumes: 79 | - name: var-log-calico 80 | hostPath: 81 | path: /var/log/calico 82 | type: DirectoryOrCreate 83 | - name: elastic-ca-cert-volume 84 | secret: 85 | optional: true 86 | items: 87 | - key: tls.crt 88 | path: ca.pem 89 | secretName: tigera-secure-es-http-certs-public 90 | - name: tigera-compliance-reporter-token 91 | secret: 92 | defaultMode: 420 93 | secretName: 94 | -------------------------------------------------------------------------------- /demo/20-rbac/ns-dev-roles.yaml: 
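--------------------------------------------------------------------------------
# dev namespace RBAC for developer role
#
# Namespaced Role for the "limited dev team access" service account (bob, see
# README). It grants read-only access to enforced Kubernetes/Calico policies in
# the default and security tiers, and create/update/delete only on *staged*
# policies in the default tier, so a developer can propose policy changes
# without being able to enforce them.
#
# NOTE(review): the `default.*` / `security.*` resourceNames are tier-prefix
# wildcards understood by the Calico Enterprise API server for the tier.*
# pseudo-resources; they are not generic Kubernetes RBAC name globbing.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-namespace-scoped-user-developer
  namespace: dev
  labels:
    tigera.io/scope: namespace
  annotations:
    tigera.io/description: "access to resources within dev namespace"
rules:
  # [NetworkSets] Read access for Calico NetworkSet resources.
  - apiGroups:
      - projectcalico.org
    resources:
      - networksets
    verbs:
      - get
      - watch
      - list
  # [policies] full access to NetworkPolicy resources.
  # Kept disabled on purpose: the developer role only reads enforced policies
  # (see the rules below) and may only write staged ones.
  # - apiGroups:
  #     - projectcalico.org
  #   resources:
  #     - tier.networkpolicies
  #   resourceNames:
  #     - default.*
  #   verbs:
  #     - "*"
  # read access for Kubernetes NetworkPolicy resources in the default tier.
  # NOTE(review): `extensions` is the legacy API group for NetworkPolicy and is
  # no longer served by current Kubernetes releases; the entry is harmless but
  # can be dropped.
  - apiGroups:
      - networking.k8s.io
      - extensions
    resources:
      - networkpolicies
    verbs:
      - get
      - watch
      - list
  # read access to (Calico) NetworkPolicy resources in default tier
  - apiGroups:
      - projectcalico.org
    resources:
      - tier.networkpolicies
    resourceNames:
      - default.*
    verbs:
      - get
      - watch
      - list
  # read access to (Calico) NetworkPolicy resources in security tier
  - apiGroups:
      - projectcalico.org
    resources:
      - tier.networkpolicies
    resourceNames:
      - security.*
    verbs:
      - get
      - watch
      - list
  # read access to GlobalNetworkPolicy resources in default tier
  # NOTE(review): GlobalNetworkPolicy, StagedGlobalNetworkPolicy and
  # HostEndpoint are cluster-scoped. Kubernetes RBAC only applies a namespaced
  # Role to namespaced requests, so the cluster-scoped rules in this Role are
  # most likely no-ops; the effective grants for those kinds come from the
  # aggregated ClusterRoles in dev-rolebindings.yaml (e.g. rd-gnp-tier-default).
  # Verify in the UI before relying on these rules.
  - apiGroups:
      - projectcalico.org
    resources:
      - tier.globalnetworkpolicies
    resourceNames:
      - default.*
    verbs:
      - get
      - watch
      - list
  # read access to GlobalNetworkPolicy resources in security tier
  - apiGroups:
      - projectcalico.org
    resources:
      - tier.globalnetworkpolicies
    resourceNames:
      - security.*
    verbs:
      - get
      - watch
      - list
  # CRUD access to StagedNetworkPolicy resources in default tier.
  # Explicit verbs instead of "*": a wildcard also grants every verb added in
  # future and is harder to audit than the CRUD set this comment promises.
  - apiGroups:
      - projectcalico.org
    resources:
      - tier.stagednetworkpolicies
    resourceNames:
      - default.*
    verbs:
      - get
      - watch
      - list
      - create
      - update
      - patch
      - delete
  # read access to StagedGlobalNetworkPolicy resources in default tier
  - apiGroups:
      - projectcalico.org
    resources:
      - tier.stagedglobalnetworkpolicies
    resourceNames:
      - default.*
    verbs:
      - get
      - watch
      - list
  # CRUD access to StagedKubernetesNetworkPolicy resources in default tier
  # (explicit verbs, same reasoning as above).
  - apiGroups:
      - projectcalico.org
    resources:
      - stagedkubernetesnetworkpolicies
    verbs:
      - get
      - watch
      - list
      - create
      - update
      - patch
      - delete
  # Read access to resource to allow Flow Viz rendering
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
  # see the cluster-scoped note above: hostendpoints are cluster-scoped
  - apiGroups:
      - projectcalico.org
    resources:
      - hostendpoints
    verbs:
      - get
      - list
  # # [Tiers] Read access for tiers
  # # Requires watch access for tiers to manage policies
  # - apiGroups:
  #     - projectcalico.org
  #   resources:
  #     - tiers
  #   verbs:
  #     - watch
  # - apiGroups:
  #     - projectcalico.org
  #   resources:
  #     - tiers
  #   # only allow access to listed tiers
  #   resourceNames:
  #     # - security
  #     - default
  #   verbs:
  #     - list
  #     - get
  #     - watch
---

# User bob RBAC binding for the namespace-scoped Role above (dev namespace).
# bob is created in the `default` namespace by the README (`kubectl create sa
# bob`); change the subject namespace if the service account lives elsewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-namespace-scoped-bindings-user-developer
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: bob
    namespace: default
    # namespace: dev
roleRef:
  kind: Role
  name: dev-namespace-scoped-user-developer
  apiGroup: rbac.authorization.k8s.io
---
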
--------------------------------------------------------------------------------
/demo/20-rbac/ns-uat-roles.yaml:
--------------------------------------------------------------------------------
# uat namespace RBAC for uat role
#
# Namespaced Role for the uat team service account (jacki, see README).
# Read-only on every policy kind listed below, including staged policies; the
# uat user cannot create or change policies through this Role.
#
# NOTE(review): the `default.*` / `security.*` resourceNames are tier-prefix
# wildcards understood by the Calico Enterprise API server for the tier.*
# pseudo-resources; they are not generic Kubernetes RBAC name globbing.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: uat-namespace-scoped-user-uat
  namespace: uat
  labels:
    tigera.io/scope: namespace
  annotations:
    tigera.io/description: "access to resources within uat namespace"
rules:
  # [NetworkSets] Read access for Calico NetworkSet resources.
  - apiGroups:
      - projectcalico.org
    resources:
      - networksets
    verbs:
      - get
      - watch
      - list
  # [policies] full access to NetworkPolicy resources (kept disabled: uat is
  # read-only)
  # - apiGroups:
  #     - projectcalico.org
  #   resources:
  #     - tier.networkpolicies
  #   resourceNames:
  #     - default.*
  #   verbs:
  #     - "*"
  # read access for Kubernetes NetworkPolicy resources in the default tier.
  # NOTE(review): `extensions` is the legacy API group for NetworkPolicy and is
  # no longer served by current Kubernetes releases; harmless, can be dropped.
  - apiGroups:
      - networking.k8s.io
      - extensions
    resources:
      - networkpolicies
    verbs:
      - get
      - watch
      - list
  # read access to (Calico) NetworkPolicy resources in default tier
  - apiGroups:
      - projectcalico.org
    resources:
      - tier.networkpolicies
    resourceNames:
      - default.*
    verbs:
      - get
      - watch
      - list
  # read access to (Calico) NetworkPolicy resources in security tier
  - apiGroups:
      - projectcalico.org
    resources:
      - tier.networkpolicies
    resourceNames:
      - security.*
    verbs:
      - get
      - watch
      - list
  # read access to GlobalNetworkPolicy resources in default tier
  # NOTE(review): GlobalNetworkPolicy, StagedGlobalNetworkPolicy and
  # HostEndpoint are cluster-scoped; a namespaced Role only applies to
  # namespaced requests, so these rules are most likely no-ops here. The
  # effective cluster-scoped grants come from the aggregated ClusterRoles in
  # uat-rolebindings.yaml (e.g. rd-gnp-tier-default) -- verify in the UI.
  - apiGroups:
      - projectcalico.org
    resources:
      - tier.globalnetworkpolicies
    resourceNames:
      - default.*
    verbs:
      - get
      - watch
      - list
  # read access to GlobalNetworkPolicy resources in security tier
  - apiGroups:
      - projectcalico.org
    resources:
      - tier.globalnetworkpolicies
    resourceNames:
      - security.*
    verbs:
      - get
      - watch
      - list
  # read access to StagedNetworkPolicy resources in default tier
  - apiGroups:
      - projectcalico.org
    resources:
      - tier.stagednetworkpolicies
    resourceNames:
      - default.*
    verbs:
      - get
      - watch
      - list
  # read access to StagedGlobalNetworkPolicy resources in default tier
  - apiGroups:
      - projectcalico.org
    resources:
      - tier.stagedglobalnetworkpolicies
    resourceNames:
      - default.*
    verbs:
      - get
      - watch
      - list
  # read access to StagedKubernetesNetworkPolicy resources in default tier
  - apiGroups:
      - projectcalico.org
    resources:
      - stagedkubernetesnetworkpolicies
    verbs:
      - get
      - watch
      - list
  # Read access to resource to allow Flow Viz rendering
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
  # see the cluster-scoped note above: hostendpoints are cluster-scoped
  - apiGroups:
      - projectcalico.org
    resources:
      - hostendpoints
    verbs:
      - get
      - list
  # # [Tiers] Read access for tiers
  # # Requires watch access for tiers to manage policies
  # - apiGroups:
  #     - projectcalico.org
  #   resources:
  #     - tiers
  #   verbs:
  #     - watch
  # - apiGroups:
  #     - projectcalico.org
  #   resources:
  #     - tiers
  #   # only allow access to listed tiers
  #   resourceNames:
  #     # - security
  #     - default
  #   verbs:
  #     - list
  #     - get
  #     - watch
---

# User jacki RBAC binding for the namespace-scoped Role above (uat namespace).
# jacki is created in the `default` namespace by the README; change the subject
# namespace if the service account lives elsewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: uat-namespace-scoped-bindings-user-uat
  namespace: uat
subjects:
  - kind: ServiceAccount
    name: jacki
    namespace: default
    # namespace: uat
roleRef:
  kind: Role
  name: uat-namespace-scoped-user-uat
  apiGroup: rbac.authorization.k8s.io
---

--------------------------------------------------------------------------------
/demo/40-netsets/calico.public-nets.yaml:
--------------------------------------------------------------------------------
# GlobalNetworkSet "public-nets": a coarse, /8-granularity approximation of
# "the public Internet", presumably consumed by calico.deny-public-nets-egress.yaml
# (not shown here) to deny pod egress to public addresses.
#
# NOTE(review) -- demo-only data, do not reuse as-is in a real cluster:
#   * Private space is carved out by omitting whole /8s (10/8, 172/8, 192/8),
#     but only 172.16.0.0/12 and 192.168.0.0/16 are private: the rest of
#     172.0.0.0/8 and 192.0.0.0/8 is public and stays reachable under a deny
#     policy built on this set. 18.0.0.0/8 and 221-223.0.0.0/8 are also absent
#     (looks like an omission), and 0/8 and 224/3 are not covered.
#   * Conversely, several non-public ranges are listed as "public":
#     127.0.0.0/8 (loopback), 169.0.0.0/8 (contains 169.254.0.0/16 link-local,
#     i.e. the cloud metadata endpoint 169.254.169.254 -- denying that from pods
#     is usually desirable, but it breaks workloads that rely on IMDS) and
#     100.0.0.0/8 (contains 100.64.0.0/10 CGNAT, used by some clusters).
#   * A more robust way to express the intent is an egress rule that matches
#     destinations with `notNets` covering RFC 1918 + the cluster pod/service
#     CIDRs, or at least finer CIDRs than /8.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: public-nets
  labels:
    type: public
    list-type: cidr
spec:
  nets:
    - 1.0.0.0/8
    - 2.0.0.0/8
    - 3.0.0.0/8
    - 4.0.0.0/8
    - 5.0.0.0/8
    - 6.0.0.0/8
    - 7.0.0.0/8
    - 8.0.0.0/8
    - 9.0.0.0/8
    # 10.0.0.0/8 intentionally omitted (RFC 1918)
    - 11.0.0.0/8
    - 12.0.0.0/8
    - 13.0.0.0/8
    - 14.0.0.0/8
    - 15.0.0.0/8
    - 16.0.0.0/8
    - 17.0.0.0/8
    # 18.0.0.0/8 is missing here -- probably an omission, it is public space
    - 19.0.0.0/8
    - 20.0.0.0/8
    - 21.0.0.0/8
    - 22.0.0.0/8
    - 23.0.0.0/8
    - 24.0.0.0/8
    - 25.0.0.0/8
    - 26.0.0.0/8
    - 27.0.0.0/8
    - 28.0.0.0/8
    - 29.0.0.0/8
    - 30.0.0.0/8
    - 31.0.0.0/8
    - 32.0.0.0/8
    - 33.0.0.0/8
    - 34.0.0.0/8
    - 35.0.0.0/8
    - 36.0.0.0/8
    - 37.0.0.0/8
    - 38.0.0.0/8
    - 39.0.0.0/8
    - 40.0.0.0/8
    - 41.0.0.0/8
    - 42.0.0.0/8
    - 43.0.0.0/8
    - 44.0.0.0/8
    - 45.0.0.0/8
    - 46.0.0.0/8
    - 47.0.0.0/8
    - 48.0.0.0/8
    - 49.0.0.0/8
    - 50.0.0.0/8
    - 51.0.0.0/8
    - 52.0.0.0/8
    - 53.0.0.0/8
    - 54.0.0.0/8
    - 55.0.0.0/8
    - 56.0.0.0/8
    - 57.0.0.0/8
    - 58.0.0.0/8
    - 59.0.0.0/8
    - 60.0.0.0/8
    - 61.0.0.0/8
    - 62.0.0.0/8
    - 63.0.0.0/8
    - 64.0.0.0/8
    - 65.0.0.0/8
    - 66.0.0.0/8
    - 67.0.0.0/8
    - 68.0.0.0/8
    - 69.0.0.0/8
    - 70.0.0.0/8
    - 71.0.0.0/8
    - 72.0.0.0/8
    - 73.0.0.0/8
    - 74.0.0.0/8
    - 75.0.0.0/8
    - 76.0.0.0/8
    - 77.0.0.0/8
    - 78.0.0.0/8
    - 79.0.0.0/8
    - 80.0.0.0/8
    - 81.0.0.0/8
    - 82.0.0.0/8
    - 83.0.0.0/8
    - 84.0.0.0/8
    - 85.0.0.0/8
    - 86.0.0.0/8
    - 87.0.0.0/8
    - 88.0.0.0/8
    - 89.0.0.0/8
    - 90.0.0.0/8
    - 91.0.0.0/8
    - 92.0.0.0/8
    - 93.0.0.0/8
    - 94.0.0.0/8
    - 95.0.0.0/8
    - 96.0.0.0/8
    - 97.0.0.0/8
    - 98.0.0.0/8
    - 99.0.0.0/8
    # 100.0.0.0/8 includes 100.64.0.0/10 (CGNAT), not public
    - 100.0.0.0/8
    - 101.0.0.0/8
    - 102.0.0.0/8
    - 103.0.0.0/8
    - 104.0.0.0/8
    - 105.0.0.0/8
    - 106.0.0.0/8
    - 107.0.0.0/8
    - 108.0.0.0/8
    - 109.0.0.0/8
    - 110.0.0.0/8
    - 111.0.0.0/8
    - 112.0.0.0/8
    - 113.0.0.0/8
    - 114.0.0.0/8
    - 115.0.0.0/8
    - 116.0.0.0/8
    - 117.0.0.0/8
    - 118.0.0.0/8
    - 119.0.0.0/8
    - 120.0.0.0/8
    - 121.0.0.0/8
    - 122.0.0.0/8
    - 123.0.0.0/8
    - 124.0.0.0/8
    - 125.0.0.0/8
    - 126.0.0.0/8
    # 127.0.0.0/8 is loopback, not public
    - 127.0.0.0/8
    - 128.0.0.0/8
    - 129.0.0.0/8
    - 130.0.0.0/8
    - 131.0.0.0/8
    - 132.0.0.0/8
    - 133.0.0.0/8
    - 134.0.0.0/8
    - 135.0.0.0/8
    - 136.0.0.0/8
    - 137.0.0.0/8
    - 138.0.0.0/8
    - 139.0.0.0/8
    - 140.0.0.0/8
    - 141.0.0.0/8
    - 142.0.0.0/8
    - 143.0.0.0/8
    - 144.0.0.0/8
    - 145.0.0.0/8
    - 146.0.0.0/8
    - 147.0.0.0/8
    - 148.0.0.0/8
    - 149.0.0.0/8
    - 150.0.0.0/8
    - 151.0.0.0/8
    - 152.0.0.0/8
    - 153.0.0.0/8
    - 154.0.0.0/8
    - 155.0.0.0/8
    - 156.0.0.0/8
    - 157.0.0.0/8
    - 158.0.0.0/8
    - 159.0.0.0/8
    - 160.0.0.0/8
    - 161.0.0.0/8
    - 162.0.0.0/8
    - 163.0.0.0/8
    - 164.0.0.0/8
    - 165.0.0.0/8
    - 166.0.0.0/8
    - 167.0.0.0/8
    - 168.0.0.0/8
    # 169.0.0.0/8 includes 169.254.0.0/16 link-local (cloud metadata endpoint)
    - 169.0.0.0/8
    - 170.0.0.0/8
    - 171.0.0.0/8
    # 172.0.0.0/8 omitted entirely; only 172.16.0.0/12 of it is private
    - 173.0.0.0/8
    - 174.0.0.0/8
    - 175.0.0.0/8
    - 176.0.0.0/8
    - 177.0.0.0/8
    - 178.0.0.0/8
    - 179.0.0.0/8
    - 180.0.0.0/8
    - 181.0.0.0/8
    - 182.0.0.0/8
    - 183.0.0.0/8
    - 184.0.0.0/8
    - 185.0.0.0/8
    - 186.0.0.0/8
    - 187.0.0.0/8
    - 188.0.0.0/8
    - 189.0.0.0/8
    - 190.0.0.0/8
    - 191.0.0.0/8
    # 192.0.0.0/8 omitted entirely; only 192.168.0.0/16 of it is private
    - 193.0.0.0/8
    - 194.0.0.0/8
    - 195.0.0.0/8
    - 196.0.0.0/8
    - 197.0.0.0/8
    - 198.0.0.0/8
    - 199.0.0.0/8
    - 200.0.0.0/8
    - 201.0.0.0/8
    - 202.0.0.0/8
    - 203.0.0.0/8
    - 204.0.0.0/8
    - 205.0.0.0/8
    - 206.0.0.0/8
    - 207.0.0.0/8
    - 208.0.0.0/8
    - 209.0.0.0/8
    - 210.0.0.0/8
    - 211.0.0.0/8
    - 212.0.0.0/8
    - 213.0.0.0/8
    - 214.0.0.0/8
    - 215.0.0.0/8
    - 216.0.0.0/8
    - 217.0.0.0/8
    - 218.0.0.0/8
    - 219.0.0.0/8
    - 220.0.0.0/8
    # 221-223.0.0.0/8 (public) are not listed

--------------------------------------------------------------------------------
/demo/20-rbac/dev-rolebindings.yaml:
--------------------------------------------------------------------------------
# Cluster-scoped Tigera UI permissions for the dev user (bob).
# This is an aggregated ClusterRole: it has no rules of its own and collects
# the rules of every ClusterRole labelled with one of the tigera.io/rbac-id
# values listed below (those ClusterRoles live in tigera-roles-rolebindings.yaml,
# not shown here). Uncommenting a value adds that permission set.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-cluster-scoped-user-developer
aggregationRule:
  clusterRoleSelectors:
    - matchExpressions:
        - key: tigera.io/rbac-id
          operator: In
          values:
            # Uncomment to allow: access to the Tigera UI
            - ui-access
            # Uncomment to allow: view tier default, and allow management of policies in this tier (additional RBAC permissions required to specify which resources can be managed within the tier)
            - manage-tier-default
            # Uncomment to allow: view tier security, and allow management of policies in this tier (additional RBAC permissions required to specify which resources can be managed within the tier)
            - manage-tier-security

            # Uncomment to allow: read-write access for all globalalerts
            # - rdwr-galerts
            # Uncomment to allow: read access for all globalalerts
            - rd-galerts

            # NOTE(review): the report ids below (details-rep-demo,
            # summary-rep-demo) differ from the ones used in
            # uat-rolebindings.yaml (details-rep-cluster-demo,
            # summary-rep-cluster-demo). Only ids that exist as labels in
            # tigera-roles-rolebindings.yaml have any effect -- verify which
            # spelling is defined.
            # Uncomment to allow: view all details of cluster and demo compliance reports
            - details-rep-demo
            # Uncomment to allow: view all summary of cluster, demo, cis benchmarks compliance reports
            - summary-rep-demo
            # Uncomment to allow: view
            # all details of all compliance reports
            #- details-all-rep
            # Uncomment to allow: view summary details of all compliance reports, and read access to all GlobalReport resources
            #- summary-all-rep
            # Uncomment to allow: view summary details of all compliance reports, and read-write access to all GlobalReport resources to manage report scheduling
            #- rdwr-rep
            # Uncomment to allow: view traffic statistics in the Tigera UI
            - rd-traffic-statistics

            # NOTE(review): the log-index grants below are all "all clusters"
            # wide. For a "limited dev team access" account, read access to
            # audit logs (rd-es-audits-all-cl) and Kibana for every cluster is
            # broad; consider whether flow/DNS logs alone are enough for the
            # demo, and scope these per cluster in a real deployment.
            # Uncomment to allow: read access for all elasticsearch indices for all-clusters
            #- rd-all-es-all-cl
            # Uncomment to allow: read access for elasticsearch indices with data for flow logs for all clusters
            - rd-es-flows-all-cl
            # Uncomment to allow: read access for elasticsearch indices with data for audit logs for all clusters
            - rd-es-audits-all-cl
            # Uncomment to allow: read access for elasticsearch indices with data for DNS logs for all clusters
            - rd-es-dns-all-cl
            # Uncomment to allow: read access for elasticsearch indices with data for intrusion detection events for all clusters
            - rd-es-events-all-cl
            # Uncomment to allow: read access for superuser elasticsearch for all clusters
            # - rd-es-superuser-all-cl
            # Uncomment to allow: read access for elasticsearch indices with data for L7 logs for all clusters
            - rd-es-l7-all-cl
            # Uncomment to allow: read access for kibana API for all clusters
            - kibana-access-all-cl

            # Uncomment to allow: read GlobalNetworkPolicy resources in Tier default
            - rd-gnp-tier-default
            # Uncomment to allow: read StagedGlobalNetworkPolicy resources in Tier default
            # - rd-sgnp-tier-default
            # Uncomment to allow: read-write GlobalNetworkPolicy resources in Tier default
            #- rdwr-gnp-tier-default
            # Uncomment to allow: read-write StagedGlobalNetworkPolicy resources in Tier default
            #- rdwr-sgnp-tier-default

            # Uncomment to allow: read GlobalNetworkPolicy resources in Tier security
            - rd-gnp-tier-security
            # Uncomment to allow: read StagedGlobalNetworkPolicy resources in Tier security
            #- rd-sgnp-tier-security
            # Uncomment to allow: read-write GlobalNetworkPolicy resources in Tier security
            #- rdwr-gnp-tier-security
            # Uncomment to allow: read-write StagedGlobalNetworkPolicy resources in Tier security
            #- rdwr-sgnp-tier-security

            # Uncomment to allow: read-write GlobalNetworkSet resources
            #- rdwr-gnets
            # (duplicate of the entry above, kept as in the original)
            #- rdwr-gnets

            # Uncomment to allow: read-write Tier resources
            #- rdwr-tier
            # Uncomment to allow: read Tier resources
            #- rd-tier
            # Uncomment to allow: read-write GlobalNetworkPolicy resources in all Tiers
            #- rdwr-gnp-all-tier
            # Uncomment to allow: read-write StagedGlobalNetworkPolicy resources in all Tiers
            #- rdwr-sgnp-all-tier
---

# Template for user specific RBAC for UI namespace scoped resources.
# Aggregated ClusterRole that collects ClusterRoles labelled BOTH
# tigera.io/scope=namespace AND one of the rbac-ids below. It is bound with a
# RoleBinding (see the end of this file), so the collected rules only apply
# inside that binding's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-namespace-scoped-user-developer
aggregationRule:
  clusterRoleSelectors:
    - matchExpressions:
        - key: tigera.io/scope
          operator: In
          values:
            - namespace
        - key: tigera.io/rbac-id
          operator: In
          values:
            # Uncomment to allow: read (Calico) NetworkPolicy resources in all Tiers
            #- rd-np-all-tiers
            # Uncomment to allow: read StagedNetworkPolicy resources in all Tiers
            #- rd-snp-all-tier
            # Uncomment to allow: read-write (Calico) NetworkPolicy resources in all Tiers
            #- rdwr-np-all-tier
            # Uncomment to allow: read-write StagedNetworkPolicy resources in all Tiers
            #- rdwr-snp-all-tier

            # Uncomment to allow: read (Kubernetes) NetworkPolicy resources (these are always in Tier default)
            #- rd-knp
            # Uncomment to allow: read StagedKubernetesNetworkPolicy resources (these are always in Tier default)
            #- rd-sknp
            # Uncomment to allow: read-write (Kubernetes) NetworkPolicy resources (these are always in Tier default)
            #- rdwr-knp
            # Uncomment to allow: read-write StagedKubernetesNetworkPolicy resources (these are always in Tier default)
            #- rdwr-sknp

            # Uncomment to allow: read (Calico) NetworkPolicy resources in Tier default
            - rd-np-tier-default
            # Uncomment to allow: read StagedNetworkPolicy resources in Tier default
            #- rd-snp-tier-default
            # Uncomment to allow: read-write (Calico) NetworkPolicy resources in Tier default
            #- rdwr-np-tier-default
            # Uncomment to allow: read-write StagedNetworkPolicy resources in Tier default
            #- rdwr-snp-tier-default

            # Uncomment to allow: read (Calico) NetworkPolicy resources in Tier security
            #- rd-np-tier-security
            # Uncomment to allow: read StagedNetworkPolicy resources in Tier security
            #- rd-snp-tier-security
            # Uncomment to allow: read-write (Calico) NetworkPolicy resources in Tier security
            #- rdwr-np-tier-security
            # Uncomment to allow: read-write StagedNetworkPolicy resources in Tier security
            #- rdwr-snp-tier-security

            # Uncomment to allow: read NetworkSet resources
            # - rd-nets-dev
            # Uncomment to allow: read NetworkSet resources
            #- rd-nets
            # Uncomment to allow: read-write NetworkSet resources
            #- rdwr-nets
---

# User bob RBAC binding for cluster-scoped resources
# (ClusterRoleBinding -> aggregated ClusterRole tigera-cluster-scoped-user-developer).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tigera-cluster-scoped-bindings-user-developer
subjects:
  - kind: ServiceAccount
    name: bob
    namespace: default
roleRef:
  kind: ClusterRole
  name: tigera-cluster-scoped-user-developer
  apiGroup: rbac.authorization.k8s.io

---

# User bob RBAC binding for namespace-scoped resources: the aggregated
# ClusterRole is bound with a RoleBinding in `dev`, so its rules apply to the
# dev namespace only. The binding namespace must match the team's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tigera-namespace-scoped-bindings-user-developer
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: bob
    namespace: default
roleRef:
  kind: ClusterRole
  name: tigera-namespace-scoped-user-developer
  apiGroup: rbac.authorization.k8s.io
---

--------------------------------------------------------------------------------
/demo/20-rbac/uat-rolebindings.yaml:
--------------------------------------------------------------------------------
# Cluster-scoped Tigera UI permissions for the uat user (jacki).
# Aggregated ClusterRole: collects the rules of every ClusterRole labelled with
# one of the tigera.io/rbac-id values below (defined in
# tigera-roles-rolebindings.yaml, not shown here).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-cluster-scoped-user-uat
aggregationRule:
  clusterRoleSelectors:
    - matchExpressions:
        - key: tigera.io/rbac-id
          operator: In
          values:
            # Uncomment to allow: access to the Tigera UI
            - ui-access
            # Uncomment to allow: view all tiers, and allow management of policies in all tiers (additional RBAC permissions required to specify which resources can be managed within the tier)
            #- manage-all-tier
            # Uncomment to allow: view tier default, and allow management of policies in this tier (additional RBAC permissions required to specify which resources can be managed within the tier)
            - manage-tier-default
            # Uncomment to allow: view tier platform, and allow management of policies in this tier (additional RBAC permissions required to specify which resources can be managed within the tier)
            - manage-tier-platform
            # Uncomment to allow: view tier security, and allow management of policies in this tier (additional RBAC permissions required to specify which resources can be managed within the tier)
            # - manage-tier-security

            # Uncomment to allow: read-write access for all globalalerts
            # - rdwr-galerts
            # Uncomment to allow: read access for all globalalerts
            - rd-galerts

            # Test specific report access.
            # Must deploy corresponding roles.
            # - summary-rep-daily-cis-results
            # - details-rep-daily-cis-results
            # Uncomment to allow: view all details of cluster and demo compliance reports
            # - details-rep-cluster-demo
            # Uncomment to allow: view all summary of cluster, demo, cis benchmarks compliance reports
            - summary-rep-cluster-demo
            # Uncomment to allow: view all details of all compliance reports
            # - details-all-rep
            # Uncomment to allow: view summary details of all compliance reports, and read access to all GlobalReport resources
            # - summary-all-rep
            # Uncomment to allow: view summary details of all compliance reports, and read-write access to all GlobalReport resources to manage report scheduling
            #- rdwr-rep
            # Uncomment to allow: view traffic statistics in the Tigera UI
            - rd-traffic-statistics

            # Uncomment to allow: read access for all elasticsearch indices for all-clusters
            # - rd-all-es-all-cl
            # Uncomment to allow: read access for elasticsearch indices with data for flow logs for all clusters
            - rd-es-flows-all-cl
            # Uncomment to allow: read access for elasticsearch indices with data for audit logs for all clusters
            - rd-es-audits-all-cl
            # Uncomment to allow: read access for elasticsearch indices with data for DNS logs for all clusters
            - rd-es-dns-all-cl
            # Uncomment to allow: read access for elasticsearch indices with data for intrusion detection events for all clusters
            - rd-es-events-all-cl
            # NOTE(review): rd-es-superuser-all-cl is enabled here while the
            # narrower rd-all-es-all-cl above is left disabled, and the dev
            # user in dev-rolebindings.yaml does not get it. A superuser-level
            # Elasticsearch read for every cluster is far more than a
            # namespace-scoped uat account needs; unless a specific UI view
            # depends on it, comment it out and keep the per-index grants.
            # Uncomment to allow: read access for superuser elasticsearch for all clusters
            - rd-es-superuser-all-cl
            # Uncomment to allow: read access for elasticsearch indices with data for L7 logs for all clusters
            - rd-es-l7-all-cl
            # Uncomment to allow: read access for kibana API for all clusters
            - kibana-access-all-cl

            # Uncomment to allow: read GlobalNetworkPolicy resources in Tier default
            - rd-gnp-tier-default
            # Uncomment to allow: read StagedGlobalNetworkPolicy resources in Tier default
            # - rd-sgnp-tier-default
            # Uncomment to allow: read-write GlobalNetworkPolicy resources in Tier default
            #- rdwr-gnp-tier-default
            # Uncomment to allow: read-write StagedGlobalNetworkPolicy resources in Tier default
            #- rdwr-sgnp-tier-default

            # Uncomment to allow: read GlobalNetworkPolicy resources in Tier platform
            - rd-gnp-tier-platform

            # Uncomment to allow: read GlobalNetworkPolicy resources in Tier security
            # - rd-gnp-tier-security
            # Uncomment to allow: read StagedGlobalNetworkPolicy resources in Tier security
            #- rd-sgnp-tier-security
            # Uncomment to allow: read-write GlobalNetworkPolicy resources in Tier security
            #- rdwr-gnp-tier-security
            # Uncomment to allow: read-write StagedGlobalNetworkPolicy resources in Tier security
            #- rdwr-sgnp-tier-security

            # Uncomment to allow: read-write GlobalNetworkSet resources
            #- rdwr-gnets
            # (duplicate of the entry above, kept as in the original)
            #- rdwr-gnets

            # Uncomment to allow: read-write Tier resources
            #- rdwr-tier
            # Uncomment to allow: read Tier resources
            #- rd-tier
            # Uncomment to allow: read-write GlobalNetworkPolicy resources in all Tiers
            #- rdwr-gnp-all-tier
            # Uncomment to allow: read-write StagedGlobalNetworkPolicy resources in all Tiers
            #- rdwr-sgnp-all-tier
---

# Template for user specific RBAC for UI namespace scoped resources.
# Aggregated ClusterRole that collects ClusterRoles labelled BOTH
# tigera.io/scope=namespace AND one of the rbac-ids below; it is meant to be
# bound with a RoleBinding in the uat namespace so the rules stay namespaced.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-namespace-scoped-user-uat
aggregationRule:
  clusterRoleSelectors:
    - matchExpressions:
        - key: tigera.io/scope
          operator: In
          values:
            - namespace
        - key: tigera.io/rbac-id
          operator: In
          values:
            # Uncomment to allow: read (Calico) NetworkPolicy resources in all Tiers
            #- rd-np-all-tiers
            # Uncomment to allow: read StagedNetworkPolicy resources in all Tiers
            #- rd-snp-all-tier
            # Uncomment to allow: read-write (Calico) NetworkPolicy resources in all Tiers
            #- rdwr-np-all-tier
            # Uncomment to allow: read-write StagedNetworkPolicy resources in all Tiers
            #- rdwr-snp-all-tier

            # Uncomment to allow: read (Kubernetes) NetworkPolicy resources (these are always in Tier default)
            #- rd-knp
            # Uncomment to allow: read StagedKubernetesNetworkPolicy resources (these are always in Tier default)
            #- rd-sknp
            # Uncomment to allow: read-write (Kubernetes) NetworkPolicy resources (these are always in Tier default)
            #- rdwr-knp
            # Uncomment to allow: read-write StagedKubernetesNetworkPolicy resources (these are always in Tier default)
            #- rdwr-sknp

            # Uncomment to allow: read (Calico) NetworkPolicy resources in Tier default
            - rd-np-tier-default
            # Uncomment to allow: read StagedNetworkPolicy resources in Tier default
            #- rd-snp-tier-default
            # Uncomment to allow: read-write (Calico) NetworkPolicy resources in Tier default
            #- rdwr-np-tier-default
            # Uncomment to allow: read-write StagedNetworkPolicy resources in Tier default
            #- rdwr-snp-tier-default

            # Uncomment to allow: read (Calico) NetworkPolicy resources in Tier security
            #- rd-np-tier-security
            # Uncomment to allow: read StagedNetworkPolicy resources in Tier security
            #- rd-snp-tier-security
            # Uncomment to allow: read-write (Calico) NetworkPolicy resources in Tier security
            #- rdwr-np-tier-security
            # Uncomment to allow: read-write StagedNetworkPolicy resources in Tier security
            #- rdwr-snp-tier-security

            # Uncomment to allow: read NetworkSet resources
            # - rd-nets-uat
            # Uncomment to allow: read NetworkSet resources
            #- rd-nets
            # Uncomment to allow: read-write NetworkSet resources
            #- rdwr-nets
---

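# User jacki RBAC binding for cluster-scoped resources
# (ClusterRoleBinding -> aggregated ClusterRole tigera-cluster-scoped-user-uat).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tigera-cluster-scoped-bindings-user-uat
subjects:
  - kind: ServiceAccount
    name: jacki
    namespace: default
roleRef:
  kind: ClusterRole
  name: tigera-cluster-scoped-user-uat
  apiGroup: rbac.authorization.k8s.io

---

# User jacki RBAC binding for namespace-scoped resources.
# The aggregated ClusterRole is bound with a RoleBinding, so its rules apply
# only inside this binding's namespace. That namespace must be `uat`: jacki is
# the uat team account (README) and the companion RoleBinding in
# ns-uat-roles.yaml is in `uat` as well. Binding it in `dev` (as the copy this
# was derived from did) gives jacki policy reads in the dev namespace and none
# in uat.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tigera-namespace-scoped-bindings-user-uat
  namespace: uat
subjects:
  - kind: ServiceAccount
    name: jacki
    namespace: default
roleRef:
  kind: ClusterRole
  name: tigera-namespace-scoped-user-uat
  apiGroup: rbac.authorization.k8s.io
---

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# calico-security-controls-for-k8s

This guide contains example demo scenarios to showcase security controls for Kubernetes using Calico.

## High-level topics

- Kubernetes (k8s) network policies and Calico network policies
- Default deny policy
- Kubernetes RBAC
- Calico security controls: `tiers`, `network policies`, `network sets`, `threat feeds`, `alerts`, `compliance reports`
- Intrusion, anomaly, and threat detection

## Configure logging interval for Calico Enterprise

If you are using Calico Enterprise, shorten the log flush intervals so that the results of the demo scenarios show up faster.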
```bash
# set default flush interval for the flow logs (default: 300s)
kubectl patch felixconfiguration.p default -p '{"spec":{"flowLogsFlushInterval":"10s"}}'
# for more detailed logs set flowLogsFileAggregationKindForAllowed=1 (default: 2)
kubectl patch felixconfiguration.p default -p '{"spec":{"flowLogsFileAggregationKindForAllowed":1}}'
# set flush interval for DNS logs
kubectl patch felixconfiguration.p default -p '{"spec":{"dnsLogsFlushInterval":"10s"}}'
```

>These are cluster-wide Felix settings. A 10s flush interval and a lower aggregation level can increase log volume noticeably, so revert them to the defaults once the demo is done.

## Deploy demo application

The examples in this guide use the demo applications in the `./app` directory. Each demo app stack consists of an `nginx` deployment and a utility pod (e.g. `centos` or `netshoot`) that continuously `curl`s the `nginx` service.

Deploy the demo app stacks.

```bash
kubectl apply -f app/dev/
kubectl apply -f app/uat/
```

## Network policies

Kubernetes [network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource) are namespace scoped, support rules to control traffic direction (i.e. `ingress/egress`), and use labels to dynamically apply policies to `Pods`.

Calico [network policies](https://docs.tigera.io/security/calico-network-policy) extend k8s network policies with additional capabilities like global scope, policy ordering controls, rule actions (i.e. `Allow`, `Deny`, `Log`, `Pass`), DNS policies, policy tiers, policy preview and staging, and other fine-grained policy controls.

A common security practice is to open only the access that applications and services running in the Kubernetes cluster actually require. This is achieved with a `default-deny` policy: either a Kubernetes network policy deployed into each namespace, or a single Calico global network policy that enforces the rule across the whole cluster.

Deploy a Kubernetes `default-deny` policy that applies to the `dev` namespace only.
>Once a `default-deny` policy is in place, every policy that allows a flow must cover both directions: an `Egress` rule on the client side and an `Ingress` rule on the server side. A policy that only declares one of the two `policyTypes` leaves the other direction denied.

```bash
# deploy Kubernetes namespaced default-deny policy
kubectl apply -f demo/10-k8s-n-calico-policy/k8s.deny-all.yaml

# test pod to pod access within namespaces
kubectl -n dev exec -t centos -- sh -c 'SVC=nginx-svc; curl -m 2 -sI http://$SVC 2>/dev/null | grep -i http'
kubectl -n uat exec -t netshoot -- sh -c 'SVC=nginx-svc; curl -m 2 -sI http://$SVC 2>/dev/null | grep -i http'
# test pod to pod access across namespaces
kubectl -n dev exec -t centos -- sh -c 'SVC=nginx-svc; curl -m 2 -sI http://$SVC.uat 2>/dev/null | grep -i http'
kubectl -n uat exec -t netshoot -- sh -c 'SVC=nginx-svc; curl -m 2 -sI http://$SVC.dev 2>/dev/null | grep -i http'
```

Deploy the Kubernetes policy that allows `centos` to access `nginx` within the `dev` namespace.

```bash
# deploy policy
kubectl apply -f demo/10-k8s-n-calico-policy/k8s.centos-to-nginx.yaml
```

Deploy a Calico global policy that allows access to the Kubernetes DNS service.

>Until the DNS policy is in place, the `centos` pod cannot reach the Nginx pods via the Kubernetes service even though the ingress rule above allows it: the `default-deny` egress rule blocks the DNS lookup of the service name, so the request never gets as far as Nginx.

```bash
# deploy policy
kubectl apply -f demo/10-k8s-n-calico-policy/calico.allow-kube-dns.yaml
```

One of the advantages of Calico policies is the ability to give a policy `Global` scope, which applies it to every namespace in the Kubernetes cluster.
Deploy a Calico staged global `default-deny` policy that applies to both the `dev` and `uat` namespaces.

>A Calico staged network policy is deployed in **permissive** mode: it does not affect traffic, but lets you observe the impact the policy would have on traffic before you decide to enforce its rules.
```bash
# deploy Calico staged global default-deny policy
kubectl apply -f demo/10-k8s-n-calico-policy/calico.staged.default-deny.yaml
```

Deploy the Calico global `default-deny` policy to enforce the rules cluster-wide.

```bash
# deploy policy
kubectl apply -f demo/10-k8s-n-calico-policy/calico.deny-all.yaml

# test nginx access in uat
kubectl -n uat exec -t netshoot -- sh -c 'SVC=nginx-svc; nslookup $SVC; curl -m 5 -sI http://$SVC 2>/dev/null | grep -i http'
```

Deploy the Calico policy that allows `netshoot` to access the `nginx` service.

```bash
# deploy policy
kubectl apply -f demo/10-k8s-n-calico-policy/calico.netshoot-to-nginx.yaml
```

When using Calico one can use the `Log` action on policy rules to write matching traffic flows to the node's system log. This action is not necessary when using Calico Enterprise or Calico Cloud, as the commercial offering captures flow logs by default.

Deploy a logging policy to capture `nginx` pod access.

```bash
# deploy logging policy
kubectl apply -f demo/10-k8s-n-calico-policy/calico.log-access.yaml

# SSH into the host that runs the nginx pod from the dev namespace
# view access trace for nginx pod
tail -f /var/log/kern.log | grep -i calico
```

>The kernel log file name depends on the distribution; `journalctl -k -f | grep -i calico` works on systemd-based hosts.

## Policy tiers

Calico Enterprise provides policy tiers that let you categorize policies, for instance by team function or organizational structure. Tiers are evaluated in `order` (lowest value first) and the `default` tier is always evaluated last, so a policy in an earlier tier can deny or pass traffic before later tiers see it.

Deploy the `security` policy tier and move the `log-access` policy into it.

```bash
# deploy tiers
kubectl apply -f demo/30-tier/tier-security.yaml
kubectl apply -f demo/30-tier/tier-platform.yaml

# deploy log-access policy into security tier
kubectl apply -f demo/30-tier/calico.log-access.yaml

# move allow-kube-dns policy to a higher tier
# note: with the global default-deny enforced, deleting the old policy before the tiered copy is applied
# leaves a short window in which DNS egress is denied; apply first and delete second if the two names do not clash
kubectl delete -f demo/10-k8s-n-calico-policy/calico.allow-kube-dns.yaml
kubectl apply -f demo/30-tier/calico.allow-kube-dns.yaml
```

## Network Sets

Calico offers the `NetworkSet` and `GlobalNetworkSet` resources to apply security controls to a group of IP prefixes or DNS names.

>`NetworkSet` and `GlobalNetworkSet` resources are available in both Calico OSS and Calico Enterprise. However, this example uses the `tier` attribute of the Calico Enterprise network policy.

Deploy a `GlobalNetworkSet` that represents public networks and a policy that targets it.

```bash
# deploy pod
kubectl apply -f app/pod-centos.yaml

# deploy netsets
kubectl apply -f demo/40-netsets/calico.public-nets.yaml
kubectl apply -f demo/40-netsets/allowed-domains-netset.yaml
# deploy policy
kubectl apply -f demo/40-netsets/calico.deny-public-nets-egress.yaml

# test centos pod access to public IPs
# expected: access to public addresses not covered by an allow rule is blocked by the deny-public-nets-egress policy
PUB_IP=$(dig +short www.apple.com | tail -n1)
kubectl exec -t centos -- sh -c "ping -c2 $PUB_IP"
kubectl exec -t centos -- sh -c 'curl -m 5 -sI http://www.google.com 2>/dev/null | grep -i http'
```

## Kubernetes RBAC

The Kubernetes RBAC model grants `subjects` permission to perform `operations` (verbs) on `resources`. A `subject` can be a `User`, a `Group`, or a `Service Account`; the first two are managed outside Kubernetes and referenced by a string identity, whereas service accounts are Kubernetes objects. This guide uses `Service Account` subjects for the RBAC examples.

![Kubernetes RBAC model](./img/k8s_rbac_constructs.png)

Create the service accounts and configure the `Role`/`ClusterRole` and `RoleBinding`/`ClusterRoleBinding` objects for them.

```bash
# configure 'paul' service account - has full admin access
kubectl create sa paul
# configure role and rolebinding
# note: tigera-network-admin is bound cluster-wide here; restrict such bindings to accounts that genuinely need cluster-wide policy administration
kubectl create clusterrolebinding paul-admin-access --clusterrole tigera-network-admin --serviceaccount default:paul

# configure 'sally' service account - has security team access
kubectl create sa sally
# configure 'david' service account - has infra/platform team access
kubectl create sa david
# configure 'samantha' service account - has dev team admin access
kubectl create sa samantha
# configure 'bob' service account - has limited dev team access
kubectl create sa bob
# configure 'jacki' service account - has uat team access
kubectl create sa jacki

# configure cluster wide roles and rolebindings
kubectl create -f demo/20-rbac/tigera-roles-rolebindings.yaml

# configure roles and rolebindings specific to teams
kubectl create -f demo/20-rbac/ns-dev-roles.yaml
kubectl create -f demo/20-rbac/ns-uat-roles.yaml
kubectl create -f demo/20-rbac/dev-rolebindings.yaml
kubectl create -f demo/20-rbac/uat-rolebindings.yaml
```

Retrieve a service account token to log in to Calico Enterprise Manager and explore which network policies and other resources the user has access to.

>The command below reads the auto-generated token secret referenced in the service account's `.secrets` field. Clusters that no longer auto-create these long-lived token secrets can issue a short-lived token with `kubectl create token $SA` instead. Treat the token as a credential: it grants everything the bound roles grant, so do not paste it into shared documents or commit it.

```bash
SA='bob'
# get service account token
kubectl get secret $(kubectl get serviceaccount $SA -o jsonpath='{range .secrets[*]}{.name}{"\n"}{end}' | grep token) -o go-template='{{.data.token | base64decode}}'
```

### Global ThreatFeeds

Calico Enterprise provides the `GlobalThreatFeed` resource that represents a feed of threat intelligence used for security purposes.
The threat feeds can be either a collection of IP prefixes or domain names.

Deploy a `GlobalThreatFeed` that represents a publicly maintained list of Feodo IP prefixes.

>The feed content is pulled from an external publisher and turned into policy input, so only use feeds from sources you trust and review what the resulting network set contains.

```bash
# deploy global threat feed
kubectl apply -f demo/40-netsets/global-threatfeed-ipfeodo.yaml
```

Navigate to the network sets view and review the `GlobalNetworkSet` that is automatically created from the threat feed.

## DNS policy

Calico DNS policies control egress by DNS name. The DNS names can be specified either directly in the policy or in a network set resource. Keep in mind that a DNS-name rule matches addresses learned from DNS responses observed by Calico; a workload that connects to a hard-coded IP address without resolving the name is not matched by the name rule and falls through to the remaining policies.

Deploy the DNS policy.

```bash
# deploy dns policy
kubectl apply -f demo/50-dns-policy/calico.allow-external-dns-egress.yaml
# deploy a policy to pass any unmatched traffic downstream to the following tier
kubectl apply -f demo/50-dns-policy/calico.pass-traffic.yaml

# test centos pod egress by domain name
# egress to www.google.com should be allowed
kubectl -n dev exec -t centos -- sh -c 'curl -m 2 -sI http://www.google.com 2>/dev/null | grep -i http'
# egress to www.apple.com should be denied
kubectl -n dev exec -t centos -- sh -c 'curl -m 2 -sI http://www.apple.com 2>/dev/null | grep -i http'
```

## Global alerts

Calico provides alerting capability based on `flow logs`, `audit logs`, and `DNS logs`.

Deploy `GlobalAlert` resources that watch for changes to `GlobalNetworkSets` (audit dataset), for lookups of a watched domain (DNS dataset), and for unsanctioned lateral access (flows dataset).

```bash
# deploy global alerts
# dataset: audit
kubectl apply -f demo/60-globalalerts/globalnetworkset.change.yaml
# dataset: dns
kubectl apply -f demo/60-globalalerts/dns.match.yaml
# dataset: flows
kubectl apply -f demo/60-globalalerts/unsanctioned.lateral.access.yaml

# change existing global network set, then check alerts UI in Calico Enterprise Manager
# note: this drops 1.0.0.0/8 from the public-nets set that deny-public-nets-egress relies on,
# so egress to that prefix is no longer denied; re-apply the original file once the alert has fired
sed -e '/1.0.0.0\/8/{d;}' demo/40-netsets/calico.public-nets.yaml | kubectl apply -f -

# change DNS log flush interval to speed up alert trigger (cluster-wide Felix setting; revert it after the demo)
kubectl patch felixconfiguration.p default -p '{"spec":{"dnsLogsFlushInterval":"10s"}}'
# generate a few requests to www.apple.com domain
for i in {1..3}; do kubectl -n dev exec -t centos -- sh -c 'curl -m 5 -sI http://www.apple.com 2>/dev/null | grep -i http'; done

# allow centos pod to communicate with nginx pods in uat
kubectl apply -f demo/60-globalalerts/calico.dev-to-uat-nginx.yaml
# access nginx in uat from centos pod
for i in {1..3}; do kubectl -n dev exec -t centos -- sh -c 'curl -m3 -sI http://nginx-svc.uat 2>/dev/null | grep -i http'; done
```

Navigate to the Alerts view to see the generated alerts.

![Calico global alerts](img/global-alerts.png)

## Compliance reports

Calico Enterprise provides [compliance reports](https://docs.tigera.io/security/compliance-reports/overview) and a dashboard so you can easily assess Kubernetes workloads for regulatory compliance.
This feature uses the `GlobalReport` resource to trigger report generation on a schedule. There are predefined types of compliance reports, such as `inventory`, `network-access`, and `policy-audit`. A report can be scoped to specific nodes, and its generation can also be triggered manually.

Deploy the `GlobalReport` resources.

```bash
kubectl apply -f demo/70-globalreports/cluster-inventory.yaml
kubectl apply -f demo/70-globalreports/cluster-networkaccess.yaml
kubectl apply -f demo/70-globalreports/cluster-policy-audit.yaml
kubectl apply -f demo/70-globalreports/demo-inventory.yaml
kubectl apply -f demo/70-globalreports/demo-networkaccess.yaml
kubectl apply -f demo/70-globalreports/demo-policy-audit.yaml
kubectl apply -f demo/70-globalreports/daily-cis-results.yaml
```

### Manually execute a specific report

To trigger the generation of a particular compliance report on demand, set the report name in the `TIGERA_COMPLIANCE_REPORT_NAME` environment variable defined in `demo/70-globalreports/compliance-reporter-template.yaml`, generate the YAML definition for a helper Pod from the template, and deploy the Pod.

```bash
# remove compliance-reporter definition if it already exists
rm -f demo/70-globalreports/compliance-reporter.yaml

# change TIGERA_COMPLIANCE_REPORT_NAME env var in compliance-reporter-template.yaml if you want to copy/paste code below to exec a specific report
COMPLIANCE_REPORTER_TOKEN=$(kubectl get secrets -n tigera-compliance | grep 'tigera-compliance-reporter-token*' | awk '{print $1;}')
# note: the pattern between the first two '?' delimiters must be the placeholder used in the template file;
# an empty pattern makes sed reuse its previous regular expression instead of matching the placeholder.
# The generated file is environment-specific (it references the cluster's reporter token secret by name) and is not meant to be committed.
sed -e "s??$COMPLIANCE_REPORTER_TOKEN?g" demo/70-globalreports/compliance-reporter-template.yaml > demo/70-globalreports/compliance-reporter.yaml
# deploy helper Pod to generate the report
kubectl apply -f demo/70-globalreports/compliance-reporter.yaml
```

>If you want to repeat the manual generation of a compliance report, make sure to remove the `run-reporter-custom` pod from the `tigera-compliance` namespace first.

```bash
kubectl -n tigera-compliance delete po run-reporter-custom
```

## Anomaly detection

Anomaly detection capabilities are a part of Calico Enterprise.
Calico Enterprise ships with several machine learning jobs that detect anomalous activity in the cluster. Refer to the [enable anomaly detection](https://docs.tigera.io/security/threat-detection-and-prevention/anomaly-detection/enabling) documentation for details on how to enable the feature.

>In order to start using anomaly detection reliably, you need at least 4-6 hours of collected flow log data.

To test a few use cases, follow these steps:

- Open the Kibana application and log in. The default Kibana user is `elastic`.

```bash
# get elastic user password
# note: 'elastic' is the Elasticsearch superuser account; use it for this demo only and prefer a dedicated, least-privileged user otherwise
kubectl -n tigera-elasticsearch get secret tigera-secure-es-elastic-user -o go-template='{{.data.elastic | base64decode}}' && echo
```

- Navigate to the `Machine Learning` tab in the Kibana navigation panel. Then click the `Manage Jobs` button.
- Start the data feed for a few jobs, e.g. `cluster.ip_sweep_pods`, `cluster.port_scan_pods`.
- Once the data feed has processed all entries and established the baseline, simulate a few activities that resemble port scan or port sweep attacks in the cluster.

```bash
# deploy a utility pod
kubectl apply -f demo/80-anomaly-detection/pod-netshoot.yaml
kubectl apply -f demo/80-anomaly-detection/nginx-stack.yaml

# get IP address from one of the pods running in the cluster
kubectl get po -owide
POD_IP=$(kubectl get po --selector app=centos -o jsonpath='{.items[*].status.podIP}')

# open shell into the netshoot pod
# note: POD_IP is set in your local shell and is not visible inside the pod; either type the address
# literally in the commands below or pass it through, e.g. `kubectl exec -it netshoot -- env POD_IP=$POD_IP bash`
kubectl exec -it netshoot -- bash

############################
# simulate pod scan attack
############################
# only run these scans against clusters and workloads you are authorized to test
# use collected IP address to scan ports of the pod
nmap -p 1-10000 $POD_IP

############################
# simulate pod sweep attack
############################
# get IP of one of the pod and set subnet to /24
IP_LIST=$(ip addr | awk '/inet / {print $2}'| cut -d / -f1 |tail -n 1)/24
# get all IPs from the subnet
# if IP_LIST has only one IP, find subnet that has more pods and use that instead
HOST_LIST=$(nmap -n -sn $IP_LIST | awk '/for /{print $5}')
# run IP sweep
PORT_LIST=$(nmap -Pn $HOST_LIST)
echo $PORT_LIST
```

Once you have simulated the attacks, run the machine learning jobs again. When they finish, review the anomaly scores in the `Anomaly Explorer` view in Kibana. If a detected anomaly gets a score of 75 or higher, an alert is generated and can be viewed in the Alerts view of Calico Enterprise Manager.

## Cleanup

```bash
# delete policies
# kubectl delete -f demo/10-k8s-n-calico-policy/calico.allow-kube-dns.yaml
kubectl delete -f demo/10-k8s-n-calico-policy/k8s.deny-all.yaml
kubectl delete -f demo/10-k8s-n-calico-policy/k8s.centos-to-nginx.yaml
kubectl delete -f demo/10-k8s-n-calico-policy/calico.staged.default-deny.yaml
kubectl delete -f demo/10-k8s-n-calico-policy/calico.deny-all.yaml
kubectl delete -f demo/10-k8s-n-calico-policy/calico.netshoot-to-nginx.yaml
kubectl delete -f demo/10-k8s-n-calico-policy/calico.log-access.yaml
kubectl delete -f demo/30-tier/calico.log-access.yaml
kubectl delete -f demo/30-tier/calico.allow-kube-dns.yaml
kubectl delete -f demo/40-netsets/calico.deny-public-nets-egress.yaml
kubectl delete -f demo/50-dns-policy/calico.allow-external-dns-egress.yaml
kubectl delete -f demo/50-dns-policy/calico.pass-traffic.yaml
kubectl delete -f demo/60-globalalerts/calico.dev-to-uat-nginx.yaml

# delete RBAC
kubectl delete sa paul
# note: 'kubectl delete clusterrolebinding' takes only the binding name; the --clusterrole/--serviceaccount flags belong to 'create'
kubectl delete clusterrolebinding paul-admin-access
kubectl delete sa sally
kubectl delete sa david
kubectl delete sa samantha
kubectl delete sa bob
kubectl delete sa jacki
kubectl delete -f demo/20-rbac/ns-uat-roles.yaml
kubectl delete -f demo/20-rbac/ns-dev-roles.yaml
kubectl delete -f demo/20-rbac/uat-rolebindings.yaml
kubectl delete -f demo/20-rbac/dev-rolebindings.yaml
kubectl delete -f demo/20-rbac/tigera-roles-rolebindings.yaml

# delete tier
kubectl delete -f demo/30-tier/tier-security.yaml
kubectl delete -f demo/30-tier/tier-platform.yaml

# delete Netsets and Threatfeed
kubectl delete -f demo/40-netsets/allowed-domains-netset.yaml
kubectl delete -f demo/40-netsets/calico.public-nets.yaml
kubectl delete -f demo/40-netsets/calico.deny-public-nets-egress.yaml
kubectl delete -f 
demo/40-netsets/global-threatfeed-ipfeodo.yaml

# delete Global Alerts
kubectl delete -f demo/60-globalalerts/dns.match.yaml
kubectl delete -f demo/60-globalalerts/globalnetworkset.change.yaml
kubectl delete -f demo/60-globalalerts/unsanctioned.lateral.access.yaml

# revert the DNS log flush interval changed during the global alerts demo
kubectl patch felixconfiguration.p default --type json -p '[{"op":"remove","path":"/spec/dnsLogsFlushInterval"}]'

# delete global reports
kubectl delete -f demo/70-globalreports/cluster-inventory.yaml
kubectl delete -f demo/70-globalreports/cluster-networkaccess.yaml
kubectl delete -f demo/70-globalreports/cluster-policy-audit.yaml
kubectl delete -f demo/70-globalreports/demo-inventory.yaml
kubectl delete -f demo/70-globalreports/demo-networkaccess.yaml
kubectl delete -f demo/70-globalreports/demo-policy-audit.yaml
kubectl delete -f demo/70-globalreports/daily-cis-results.yaml

# delete anomaly detection demo
kubectl delete -f demo/80-anomaly-detection/pod-netshoot.yaml
kubectl delete -f demo/80-anomaly-detection/nginx-stack.yaml

# delete apps
kubectl delete -f app/dev/
kubectl delete -f app/uat/
kubectl delete -f app/pod-centos.yaml
```
--------------------------------------------------------------------------------
/demo/20-rbac/tigera-roles-rolebindings.yaml:
--------------------------------------------------------------------------------
###############
# ElasticSearch
###############
# This allows read access to all ElasticSearch resources for all clusters.
# NOTE(review): the lma.tigera.io "resources" in this file are authorization markers checked by
# the Calico Enterprise Elasticsearch access layer rather than ordinary API objects; that is
# presumably why only the `get` verb is granted throughout - confirm against the Calico Enterprise
# docs for the deployed version.
# `resources: "*"` makes this the broadest read grant in the file (flows, audit, dns, events, l7 ...);
# prefer the per-index roles below unless a subject genuinely needs every index.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tigera-read-all-elasticsearch-for-all-clusters
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: elasticsearch
    tigera.io/scope: global
    tigera.io/access: read
    # empty value: not restricted to a single managed cluster (matches the "all-clusters" description)
    tigera.io/managedcluster: ""
    tigera.io/rbac-id: rd-all-es-all-cl
  annotations:
    tigera.io/description: "read access for all elasticsearch indices for all-clusters"
rules:
  - apiGroups:
      - lma.tigera.io
    resources:
      - "*"
    verbs:
      - get
---

# This allows read access to ElasticSearch indexes with flow logs for all clusters.
# Narrowed by resourceNames to the `flows` index only.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tigera-elasticsearch-flows-all-clusters
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: elasticsearch-flows
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/managedcluster: ""
    tigera.io/rbac-id: rd-es-flows-all-cl
  annotations:
    tigera.io/description: "read access for elasticsearch indices with data for flow logs for all clusters"
rules:
  - apiGroups:
      - lma.tigera.io
    resources:
      - "*"
    resourceNames:
      - flows
    verbs:
      - get
---

# This allows read access to ElasticSearch indexes with audit logs for all clusters.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tigera-read-elasticsearch-audits-for-all-clusters
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: elasticsearch-audit
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/managedcluster: ""
    tigera.io/rbac-id: rd-es-audits-all-cl
  annotations:
    tigera.io/description: "read access for elasticsearch indices with data for audit logs for all clusters"
rules:
  - apiGroups:
      - lma.tigera.io
    resources:
      - "*"
    # NOTE(review): Kubernetes RBAC matches resourceNames exactly, so the trailing `*` is only
    # meaningful if the Tigera Elasticsearch access layer expands it over the audit indices -
    # verify this glob is honored by the deployed Calico Enterprise version.
    resourceNames:
      - "audit*"
    verbs:
      - get
---

# This allows read access to ElasticSearch indexes with event logs for all clusters.
# Narrowed by resourceNames to the `events` index (intrusion detection events).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tigera-read-elasticsearch-events-for-all-clusters
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: elasticsearch-events
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/managedcluster: ""
    tigera.io/rbac-id: rd-es-events-all-cl
  annotations:
    tigera.io/description: "read access for elasticsearch indices with data for intrusion detection events for all clusters"
rules:
  - apiGroups:
      - lma.tigera.io
    resources:
      - "*"
    resourceNames:
      - events
    verbs:
      - get
---

# This allows read access to ElasticSearch indexes with dns logs for all clusters.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tigera-read-elasticsearch-dns-for-all-clusters
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: elasticsearch-dns
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/managedcluster: ""
    tigera.io/rbac-id: rd-es-dns-all-cl
  annotations:
    tigera.io/description: "read access for elasticsearch indices with data for DNS logs for all clusters"
rules:
  - apiGroups:
      - lma.tigera.io
    resources:
      - "*"
    resourceNames:
      - dns
    verbs:
      - get
---

# This grants the Elasticsearch superuser marker for all clusters.
# NOTE(review): the label says `access: read` and the verb is `get`, but the marker name is
# `elasticsearch_superuser`, i.e. the most privileged Elasticsearch access in this file.
# Treat bindings to this role as privileged and keep them to a minimum.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tigera-is-elasticsearch-superuser-for-all-clusters
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: elasticsearch-superuser
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/managedcluster: ""
    tigera.io/rbac-id: rd-es-superuser-all-cl
  annotations:
    tigera.io/description: "superuser read access to elasticsearch indices for all clusters"
rules:
  - apiGroups:
      - lma.tigera.io
    resources:
      - "*"
    resourceNames:
      - elasticsearch_superuser
    verbs:
      - get
---

# This allows read access to ElasticSearch indexes with L7 logs for all clusters.
# Narrowed by resourceNames to the `l7` index only.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tigera-read-elasticsearch-l7-for-all-clusters
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: elasticsearch-l7
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/managedcluster: ""
    tigera.io/rbac-id: rd-es-l7-all-cl
  annotations:
    tigera.io/description: "read access for elasticsearch indices with data for L7 logs for all clusters"
rules:
  - apiGroups:
      - lma.tigera.io
    resources:
      - "*"
    resourceNames:
      - l7
    verbs:
      - get
---

###############
# Kibana access
###############
# This allows access to Kibana to read, discover, visualize ES indices for all clusters.
# NOTE(review): `kibana_login` only grants the login itself; which indices a Kibana user can
# then see is presumably governed by the elasticsearch-* roles above - bind this together with
# the narrowest of those that fits the subject.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tigera-allow-kibana-access-for-all-cluster
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: elasticsearch-kibana-access
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/managedcluster: ""
    tigera.io/rbac-id: kibana-access-all-cl
  annotations:
    tigera.io/description: "access to Kibana and read, discover, visualize elasticsearch indices for all clusters"
rules:
  - apiGroups:
      - lma.tigera.io
    resources:
      - "*"
    resourceNames:
      - kibana_login
    verbs:
      - get
---

###############
# GlobalAlerts
###############
# This allows read access to Calico GlobalAlert resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-read-globalalerts
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: globalalerts
    tigera.io/access: read
    tigera.io/rbac-id: rd-galerts
  annotations:
    tigera.io/description: "read GlobalAlert resources"
rules:
  # Read access for Calico GlobalAlert resources.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalalerts
      - globalalerts/status
      - globalalerttemplates
    verbs:
      - get
      # `watch` is deliberately left out here; re-enable it if a consumer (e.g. a UI view) needs
      # live updates rather than polling via `list`.
      # - watch
      - list
---

# This allows crud access to Calico GlobalAlert resources.
# NOTE(review): `verbs: "*"` is full CRUD on cluster-scoped alert definitions, including
# `delete` and `deletecollection`, so a holder can silently switch detections off.
# Also note: the name lacks the `tigera-` prefix used by every other role in this file, and the
# description still carries a "Tier {{ TierName }}" template placeholder although GlobalAlerts
# are not tiered - both look like copy/paste leftovers worth cleaning up.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: read-write-globalalerts
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: globalalerts
    tigera.io/access: read-write
    tigera.io/rbac-id: rdwr-galerts
  annotations:
    tigera.io/description: "read-write GlobalAlert resources in Tier {{ TierName }}"
rules:
  # CRUD access for Calico GlobalAlert resources.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalalerts
      # duplicate of the entry above (harmless to RBAC, but should be removed)
      - globalalerts
      - globalalerts/status
      - globalalerttemplates
    verbs:
      - "*"
---

###############
# GlobalReports
###############
# This allows read access to global report summary.
# Summary access is scoped to the named reports via resourceNames; the separate `list`
# rule still exposes the names of every GlobalReport in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-read-summary-of-reports-cluster-demo
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: globalreports.summary
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/report: cluster-demo
    tigera.io/rbac-id: summary-rep-cluster-demo
  annotations:
    tigera.io/description: "view summary details of compliance reports cluster and demo"
rules:
  # To view summary, need get access to the underlying GlobalReport resource.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreports
    resourceNames:
      - daily-cis-results
      - cluster-inventory
      - cluster-networkaccess
      - cluster-policy-audit
      - demo-inventory
      - demo-networkaccess
      - demo-policy-audit
    verbs:
      - get
  # And list access for all globalreports.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreports
    verbs:
      - list
---

# This allows read access to global report details.
# Full report content for the cluster-* and demo-* reports. Compared with the summary role this
# additionally grants `get` on the matching GlobalReportTypes, which the description says is
# required to view full content.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-read-details-of-reports-cluster-demo
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: globalreports.content
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/report: cluster-demo
    tigera.io/rbac-id: details-rep-cluster-demo
  annotations:
    tigera.io/description: "view all details of compliance report cluster-demo"
rules:
  # To view full report, need get access to the underlying GlobalReport resource *and* the corresponding
  # GlobalReportType.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreports
    resourceNames:
      - daily-cis-results
      - cluster-inventory
      - cluster-networkaccess
      - cluster-policy-audit
      - demo-inventory
      - demo-networkaccess
      - demo-policy-audit
    verbs:
      - get
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreporttypes
    resourceNames:
      - cis-benchmark
      - inventory
      - networkaccess
      - policy-audit
    verbs:
      - get
  # And list access for all globalreports.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreports
    verbs:
      - list
---

# This allows read access to global report summary of demo reports only.
# Same shape as the cluster-demo summary role, with resourceNames narrowed to the demo-* reports.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-read-summary-of-reports-demo
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: globalreports.summary
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/report: demo
    tigera.io/rbac-id: summary-rep-demo
  annotations:
    tigera.io/description: "view summary details of compliance demo reports"
rules:
  # To view summary, need get access to the underlying GlobalReport resource.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreports
    resourceNames:
      - demo-inventory
      - demo-networkaccess
      - demo-policy-audit
    verbs:
      - get
  # And list access for all globalreports.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreports
    verbs:
      - list
---

# This allows read access to demo global report details.
# Unlike the cluster-demo details role, `cis-benchmark` is intentionally absent from the
# GlobalReportType names, so the CIS report content stays hidden from demo-only subjects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-read-details-of-reports-demo
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: globalreports.content
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/report: demo
    tigera.io/rbac-id: details-rep-demo
  annotations:
    tigera.io/description: "view all details of compliance report demo"
rules:
  # To view full report, need get access to the underlying GlobalReport resource *and* the corresponding
  # GlobalReportType.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreports
    resourceNames:
      - demo-inventory
      - demo-networkaccess
      - demo-policy-audit
    verbs:
      - get
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreporttypes
    resourceNames:
      - inventory
      - networkaccess
      - policy-audit
    verbs:
      - get
  # And list access for all globalreports.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreports
    verbs:
      - list
---

# This allows view report summary access to all reports.
# No resourceNames here: get/watch/list applies to every GlobalReport in the cluster, which is
# why the `tigera.io/report` label is left empty.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-read-summary-of-all-reports
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: globalreports.summary
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/report: ""
    tigera.io/rbac-id: summary-all-rep
  annotations:
    tigera.io/description: "view summary details of all compliance reports, and read access to all GlobalReport resources"
rules:
  # To view summary, need get access to the underlying GlobalReport resource.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreports
    verbs:
      - get
      - watch
      - list
---

# This allows view full report access to all reports (GlobalReports and every GlobalReportType),
# not just a single report; bind it only to subjects that may read the CIS benchmark output as well.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-read-details-of-all-reports
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: globalreports.content
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/report: ""
    tigera.io/rbac-id: details-all-rep
  annotations:
    tigera.io/description: "view all details of all compliance reports"
rules:
  # To view full report, need get access to the underlying GlobalReport resource *and* the corresponding
  # GlobalReportType.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreports
    verbs:
      - get
  - apiGroups:
      - projectcalico.org
    resources:
      - globalreporttypes
    verbs:
      - get
---

###################################
# NetworkSets and GlobalNetworkSets
###################################
# This allows read access to Calico NetworkSet resources.
# NOTE(review): this is a ClusterRole although the label says `scope: namespace`; presumably it is
# meant to be referenced from a namespaced RoleBinding so the grant is confined to one namespace.
# Binding it with a ClusterRoleBinding would expose NetworkSets in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-read-networksets
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: networksets
    tigera.io/scope: namespace
    tigera.io/access: read
    tigera.io/rbac-id: rd-nets
  annotations:
    tigera.io/description: "read NetworkSet resources"
rules:
  # Read access for Calico NetworkSet resources.
  - apiGroups:
      - projectcalico.org
    resources:
      - networksets
    verbs:
      - get
      - watch
      - list
---

# This allows read access to Calico GlobalNetworkSet resources.
# NOTE(review): the rules grant read only (get/watch/list), matching the name and the
# `access: read` label, but `rbac-id: rdwr-gnets` and the description say "read-write".
# The metadata overstates the grant; align the id/description with the actual verbs so that
# anyone auditing by label is not misled.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-read-globalnetworksets
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: globalnetworksets
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/rbac-id: rdwr-gnets
  annotations:
    tigera.io/description: "read-write GlobalNetworkSet resources"
rules:
  # Read access for Calico GlobalNetworkSet resources.
  - apiGroups:
      - projectcalico.org
    resources:
      - globalnetworksets
    verbs:
      - get
      - watch
      - list
---

####################
# traffic statistics and Tigera UI
####################
# This allows read access to traffic statistics in the Tigera UI.
# NOTE(review): `services/proxy` with `get` + `create` lets the holder send GET and POST requests
# to the named service through the API server proxy. `create` is presumably needed because the
# Prometheus HTTP API accepts POST queries, but the effect is network reachability to that
# service via the API server, which is broader than the "read" label suggests. The resourceName
# pins it to calico-node-prometheus:9090 only - keep it that narrow.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tigera-read-traffic-statistics
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: prometheus
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/rbac-id: rd-traffic-statistics
  annotations:
    tigera.io/description: "view traffic statistics in the Tigera UI"
rules:
  - apiGroups:
      - ""
    resources:
      - services/proxy
    resourceNames:
      - calico-node-prometheus:9090
    verbs:
      - get
      - create
---

# This allows read access to Tigera UI
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tigera-allow-ui-access
  labels:
    tigera.io/rbac-controller: "true"
    tigera.io/resource: ui
    tigera.io/scope: global
    tigera.io/access: read
    tigera.io/rbac-id: ui-access
  annotations:
    tigera.io/description: "access to the Tigera UI"
rules:
  # UI users need access to authorizationreviews, authenticationreviews, clusterinformations.
  # Cluster-wide get/watch on namespaces: every UI user can enumerate all namespace names.
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - watch
      - get
  # Review objects are created by the UI to check what the caller is allowed to do.
  - apiGroups:
      - projectcalico.org
    resources:
      - authorizationreviews
      - authenticationreviews
    verbs:
      - create
  - apiGroups:
      - projectcalico.org
    resources:
      - clusterinformations
    verbs:
      - get
      - list
  # Same services/proxy pattern as the traffic-statistics role above, pinned to the Tigera API
  # service; `create` again allows POST through the API server proxy.
  - apiGroups:
      - ""
    resources:
      - services/proxy
    resourceNames:
      - https:tigera-api:8080
    verbs:
      - get
      - create
---

###############
# tiers
###############
# This allows read to listed tiers.
620 | apiVersion: rbac.authorization.k8s.io/v1 621 | kind: ClusterRole 622 | metadata: 623 | name: tigera-read-tiers 624 | labels: 625 | tigera.io/rbac-controller: "true" 626 | tigera.io/resource: tiers 627 | tigera.io/scope: global 628 | tigera.io/access: read 629 | tigera.io/rbac-id: rd-tier 630 | annotations: 631 | tigera.io/description: "read Tier resources" 632 | rules: 633 | - apiGroups: 634 | - projectcalico.org 635 | resources: 636 | - tiers 637 | # only allow access to the tiers listed below 638 | resourceNames: 639 | # - security 640 | # - platform 641 | - default 642 | verbs: 643 | - list 644 | - get 645 | - watch 646 | --- 647 | 648 | # This allows viewing the default tier (watch on tiers, get on tier "default"). It is the tier-level prerequisite for managing policies in that tier; the policy permissions themselves come from the separate "policies access" roles and are not granted here. 649 | apiVersion: rbac.authorization.k8s.io/v1 650 | kind: ClusterRole 651 | metadata: 652 | name: tigera-manage-policies-in-tier-default 653 | labels: 654 | tigera.io/rbac-controller: "true" 655 | tigera.io/resource: tiers 656 | tigera.io/scope: global 657 | tigera.io/access: read 658 | tigera.io/tier: default 659 | tigera.io/rbac-id: manage-tier-default 660 | annotations: 661 | tigera.io/description: "view tier default, and allow management of policies in this tier (additional RBAC permissions required to specify which resources can be managed within the tier)" 662 | rules: 663 | # Requires watch access for tiers to manage policies 664 | - apiGroups: 665 | - projectcalico.org 666 | resources: 667 | - tiers 668 | verbs: 669 | - watch 670 | # Requires get access for tier "default" to view the tier and manage policies in it. 671 | - apiGroups: 672 | - projectcalico.org 673 | resources: 674 | - tiers 675 | resourceNames: 676 | - default 677 | verbs: 678 | - get 679 | --- 680 | 681 | # This allows viewing the security tier (watch on tiers, get on tier "security"). It is the tier-level prerequisite for managing policies in that tier and does not by itself grant any access to the policies.
682 | apiVersion: rbac.authorization.k8s.io/v1 683 | kind: ClusterRole 684 | metadata: 685 | name: tigera-manage-policies-in-tier-security 686 | labels: 687 | tigera.io/rbac-controller: "true" 688 | tigera.io/resource: tiers 689 | tigera.io/scope: global 690 | tigera.io/access: read 691 | tigera.io/tier: security 692 | tigera.io/rbac-id: manage-tier-security 693 | annotations: 694 | tigera.io/description: "view tier security, and allow management of policies in this tier (additional RBAC permissions required to specify which resources can be managed within the tier)" 695 | rules: 696 | # Requires watch access for tiers to manage policies 697 | - apiGroups: 698 | - projectcalico.org 699 | resources: 700 | - tiers 701 | verbs: 702 | - watch 703 | # Requires get access for tier "security" to view the tier and manage policies in it. 704 | - apiGroups: 705 | - projectcalico.org 706 | resources: 707 | - tiers 708 | resourceNames: 709 | - security 710 | verbs: 711 | - get 712 | --- 713 | 714 | # This allows viewing the platform tier (watch on tiers, get on tier "platform"). It is the tier-level prerequisite for managing policies in that tier and does not by itself grant any access to the policies. 715 | apiVersion: rbac.authorization.k8s.io/v1 716 | kind: ClusterRole 717 | metadata: 718 | name: tigera-manage-policies-in-tier-platform 719 | labels: 720 | tigera.io/rbac-controller: "true" 721 | tigera.io/resource: tiers 722 | tigera.io/scope: global 723 | tigera.io/access: read 724 | tigera.io/tier: platform 725 | tigera.io/rbac-id: manage-tier-platform 726 | annotations: 727 | tigera.io/description: "view tier platform, and allow management of policies in this tier (additional RBAC permissions required to specify which resources can be managed within the tier)" 728 | rules: 729 | # Requires watch access for tiers to manage policies 730 | - apiGroups: 731 | - projectcalico.org 732 | resources: 733 | - tiers 734 | verbs: 735 | - watch 736 | # Requires get access for tier "platform" to view the tier and manage policies in it.
737 | - apiGroups: 738 | - projectcalico.org 739 | resources: 740 | - tiers 741 | resourceNames: 742 | - platform 743 | verbs: 744 | - get 745 | 746 | --- 747 | 748 | ################# 749 | # policies access 750 | ################# 751 | # This allows crud access to Calico NetworkPolicy resources in the default tier. 752 | apiVersion: rbac.authorization.k8s.io/v1 753 | kind: ClusterRole 754 | metadata: 755 | name: tigera-read-write-networkpolicies-in-tier-default 756 | labels: 757 | tigera.io/rbac-controller: "true" 758 | tigera.io/resource: networkpolicies 759 | tigera.io/scope: namespace 760 | tigera.io/access: read-write 761 | tigera.io/tier: default 762 | tigera.io/rbac-id: rdwr-np-tier-default 763 | annotations: 764 | tigera.io/description: "read-write (Calico) NetworkPolicy resources in Tier default" 765 | rules: 766 | - apiGroups: 767 | - projectcalico.org 768 | resources: 769 | - tier.networkpolicies 770 | resourceNames: 771 | - default.* 772 | verbs: 773 | - "*" 774 | --- 775 | 776 | # This allows read access to Calico NetworkPolicy resources in the default tier. 777 | apiVersion: rbac.authorization.k8s.io/v1 778 | kind: ClusterRole 779 | metadata: 780 | name: tigera-read-networkpolicies-in-tier-default 781 | labels: 782 | tigera.io/rbac-controller: "true" 783 | tigera.io/resource: networkpolicies 784 | tigera.io/scope: namespace 785 | tigera.io/access: read 786 | tigera.io/tier: default 787 | tigera.io/rbac-id: rd-np-tier-default 788 | annotations: 789 | tigera.io/description: "read (Calico) NetworkPolicy resources in Tier default" 790 | rules: 791 | - apiGroups: 792 | - projectcalico.org 793 | resources: 794 | - tier.networkpolicies 795 | resourceNames: 796 | - default.* 797 | verbs: 798 | - get 799 | - watch 800 | - list 801 | --- 802 | 803 | # This allows crud access to Calico GlobalNetworkPolicy resources in the default tier. 
804 | apiVersion: rbac.authorization.k8s.io/v1 805 | kind: ClusterRole 806 | metadata: 807 | name: tigera-read-write-globalnetworkpolicies-in-tier-default 808 | labels: 809 | tigera.io/rbac-controller: "true" 810 | tigera.io/resource: globalnetworkpolicies 811 | tigera.io/scope: global 812 | tigera.io/access: read-write 813 | tigera.io/tier: default 814 | tigera.io/rbac-id: rdwr-gnp-tier-default 815 | annotations: 816 | tigera.io/description: "read-write GlobalNetworkPolicy resources in Tier default" 817 | rules: 818 | - apiGroups: 819 | - projectcalico.org 820 | resources: 821 | - tier.globalnetworkpolicies 822 | resourceNames: 823 | - default.* 824 | verbs: 825 | - "*" 826 | --- 827 | 828 | # This allows read access to Calico GlobalNetworkPolicy resources in the default tier. 829 | apiVersion: rbac.authorization.k8s.io/v1 830 | kind: ClusterRole 831 | metadata: 832 | name: tigera-read-globalnetworkpolicies-in-tier-default 833 | labels: 834 | tigera.io/rbac-controller: "true" 835 | tigera.io/resource: globalnetworkpolicies 836 | tigera.io/scope: global 837 | tigera.io/access: read 838 | tigera.io/tier: default 839 | tigera.io/rbac-id: rd-gnp-tier-default 840 | annotations: 841 | tigera.io/description: "read GlobalNetworkPolicy resources in Tier default" 842 | rules: 843 | - apiGroups: 844 | - projectcalico.org 845 | resources: 846 | - tier.globalnetworkpolicies 847 | resourceNames: 848 | - default.* 849 | verbs: 850 | - get 851 | - watch 852 | - list 853 | --- 854 | 855 | # This allows crud access to Calico StagedNetworkPolicy resources in the default tier. 
856 | apiVersion: rbac.authorization.k8s.io/v1 857 | kind: ClusterRole 858 | metadata: 859 | name: tigera-read-write-stagednetworkpolicies-in-tier-default 860 | labels: 861 | tigera.io/rbac-controller: "true" 862 | tigera.io/resource: stagednetworkpolicies 863 | tigera.io/scope: namespace 864 | tigera.io/access: read-write 865 | tigera.io/tier: default 866 | tigera.io/rbac-id: rdwr-snp-tier-default 867 | annotations: 868 | tigera.io/description: "read-write StagedNetworkPolicy resources in Tier default" 869 | rules: 870 | - apiGroups: 871 | - projectcalico.org 872 | resources: 873 | - tier.stagednetworkpolicies 874 | resourceNames: 875 | - default.* 876 | verbs: 877 | - "*" 878 | --- 879 | 880 | # This allows read access to Calico StagedNetworkPolicy resources in the default tier. 881 | apiVersion: rbac.authorization.k8s.io/v1 882 | kind: ClusterRole 883 | metadata: 884 | name: tigera-read-stagednetworkpolicies-tier-default 885 | labels: 886 | tigera.io/rbac-controller: "true" 887 | tigera.io/resource: stagednetworkpolicies 888 | tigera.io/scope: namespace 889 | tigera.io/access: read 890 | tigera.io/tier: default 891 | tigera.io/rbac-id: rd-snp-tier-default 892 | annotations: 893 | tigera.io/description: "read StagedNetworkPolicy resources in Tier default" 894 | rules: 895 | - apiGroups: 896 | - projectcalico.org 897 | resources: 898 | - tier.stagednetworkpolicies 899 | resourceNames: 900 | - default.* 901 | verbs: 902 | - get 903 | - watch 904 | - list 905 | --- 906 | 907 | # This allows crud access to Calico StagedGlobalNetworkPolicy resources in the default tier. 
908 | apiVersion: rbac.authorization.k8s.io/v1 909 | kind: ClusterRole 910 | metadata: 911 | name: tigera-read-write-stagedglobalnetworkpolicies-in-tier-default 912 | labels: 913 | tigera.io/rbac-controller: "true" 914 | tigera.io/resource: stagedglobalnetworkpolicies 915 | tigera.io/scope: global 916 | tigera.io/access: read-write 917 | tigera.io/tier: default 918 | tigera.io/rbac-id: rdwr-sgnp-tier-default 919 | annotations: 920 | tigera.io/description: "read-write StagedGlobalNetworkPolicy resources in Tier default" 921 | rules: 922 | - apiGroups: 923 | - projectcalico.org 924 | resources: 925 | - tier.stagedglobalnetworkpolicies 926 | resourceNames: 927 | - default.* 928 | verbs: 929 | - "*" 930 | --- 931 | 932 | # This allows read access to Calico StagedGlobalNetworkPolicy resources in the default tier. 933 | apiVersion: rbac.authorization.k8s.io/v1 934 | kind: ClusterRole 935 | metadata: 936 | name: tigera-read-stagedglobalnetworkpolicies-in-tier-default 937 | labels: 938 | tigera.io/rbac-controller: "true" 939 | tigera.io/resource: stagedglobalnetworkpolicies 940 | tigera.io/scope: global 941 | tigera.io/access: read 942 | tigera.io/tier: default 943 | tigera.io/rbac-id: rd-sgnp-tier-default 944 | annotations: 945 | tigera.io/description: "read StagedGlobalNetworkPolicy resources in Tier default" 946 | rules: 947 | - apiGroups: 948 | - projectcalico.org 949 | resources: 950 | - tier.stagedglobalnetworkpolicies 951 | resourceNames: 952 | - default.* 953 | verbs: 954 | - get 955 | - watch 956 | - list 957 | --- 958 | 959 | # This allows crud access to Kubernetes NetworkPolicy resources (in the default tier). 
960 | apiVersion: rbac.authorization.k8s.io/v1 961 | kind: ClusterRole 962 | metadata: 963 | name: tigera-read-write-kubernetes-networkpolicies 964 | labels: 965 | tigera.io/rbac-controller: "true" 966 | tigera.io/resource: kubernetesnetworkpolicies 967 | tigera.io/scope: namespace 968 | tigera.io/access: read-write 969 | tigera.io/tier: default 970 | tigera.io/rbac-id: rdwr-knp 971 | annotations: 972 | tigera.io/description: "read-write (Kubernetes) NetworkPolicy resources (these are always in Tier default)" 973 | rules: 974 | # CRUD access for Kubernetes NetworkPolicy resources in the default tier. The extensions API group is listed only for older clusters: NetworkPolicy has not been served from extensions since Kubernetes 1.16, so on current clusters only networking.k8s.io is effective. 975 | - apiGroups: 976 | - networking.k8s.io 977 | - extensions 978 | resources: 979 | - networkpolicies 980 | verbs: 981 | - "*" 982 | --- 983 | 984 | # This allows read access to Kubernetes NetworkPolicy resources in the default tier. 985 | apiVersion: rbac.authorization.k8s.io/v1 986 | kind: ClusterRole 987 | metadata: 988 | name: tigera-read-kubernetesnetworkpolicies 989 | labels: 990 | tigera.io/rbac-controller: "true" 991 | tigera.io/resource: kubernetesnetworkpolicies 992 | tigera.io/scope: namespace 993 | tigera.io/access: read 994 | tigera.io/tier: default 995 | tigera.io/rbac-id: rd-knp 996 | annotations: 997 | tigera.io/description: "read (Kubernetes) NetworkPolicy resources (these are always in Tier default)" 998 | rules: 999 | # Read access for Kubernetes NetworkPolicy resources in the default tier (the extensions group is kept only for older clusters, as noted above). 1000 | - apiGroups: 1001 | - networking.k8s.io 1002 | - extensions 1003 | resources: 1004 | - networkpolicies 1005 | verbs: 1006 | - get 1007 | - watch 1008 | - list 1009 | --- 1010 | 1011 | # This allows crud access to StagedKubernetesNetworkPolicy resources (in the default tier).
1012 | apiVersion: rbac.authorization.k8s.io/v1 1013 | kind: ClusterRole 1014 | metadata: 1015 | name: tigera-read-write-stagedkubernetesnetworkpolicies 1016 | labels: 1017 | tigera.io/rbac-controller: "true" 1018 | tigera.io/resource: stagedkubernetesnetworkpolicies 1019 | tigera.io/scope: namespace 1020 | tigera.io/access: read-write 1021 | tigera.io/tier: default 1022 | tigera.io/rbac-id: rdwr-sknp 1023 | annotations: 1024 | tigera.io/description: "read-write StagedKubernetesNetworkPolicy resources (these are always in Tier default)" 1025 | rules: 1026 | # CRUD access for StagedKubernetesNetworkPolicy resources in the default tier. 1027 | - apiGroups: 1028 | - projectcalico.org 1029 | resources: 1030 | - stagedkubernetesnetworkpolicies 1031 | verbs: 1032 | - "*" 1033 | --- 1034 | 1035 | # This allows read access to StagedKubernetesNetworkPolicy resources in the default tier. 1036 | apiVersion: rbac.authorization.k8s.io/v1 1037 | kind: ClusterRole 1038 | metadata: 1039 | name: tigera-read-stagedkubernetesnetworkpolicies 1040 | labels: 1041 | tigera.io/rbac-controller: "true" 1042 | tigera.io/resource: stagedkubernetesnetworkpolicies 1043 | tigera.io/scope: namespace 1044 | tigera.io/access: read 1045 | tigera.io/tier: default 1046 | tigera.io/rbac-id: rd-sknp 1047 | annotations: 1048 | tigera.io/description: "read StagedKubernetesNetworkPolicy resources (these are always in Tier default)" 1049 | rules: 1050 | # Read access for StagedKubernetesNetworkPolicy resources in the default tier. 1051 | - apiGroups: 1052 | - projectcalico.org 1053 | resources: 1054 | - stagedkubernetesnetworkpolicies 1055 | verbs: 1056 | - get 1057 | - watch 1058 | - list 1059 | --- 1060 | 1061 | ## security tier 1062 | 1063 | # This allows crud access to Calico NetworkPolicy resources in the security tier. 
1064 | apiVersion: rbac.authorization.k8s.io/v1 1065 | kind: ClusterRole 1066 | metadata: 1067 | name: tigera-read-write-networkpolicies-in-tier-security 1068 | labels: 1069 | tigera.io/rbac-controller: "true" 1070 | tigera.io/resource: networkpolicies 1071 | tigera.io/scope: namespace 1072 | tigera.io/access: read-write 1073 | tigera.io/tier: security 1074 | tigera.io/rbac-id: rdwr-np-tier-security 1075 | annotations: 1076 | tigera.io/description: "read-write (Calico) NetworkPolicy resources in Tier security" 1077 | rules: 1078 | - apiGroups: 1079 | - projectcalico.org 1080 | resources: 1081 | - tier.networkpolicies 1082 | resourceNames: 1083 | - security.* 1084 | verbs: 1085 | - "*" 1086 | --- 1087 | 1088 | # This allows read access to Calico NetworkPolicy resources in the security tier. 1089 | apiVersion: rbac.authorization.k8s.io/v1 1090 | kind: ClusterRole 1091 | metadata: 1092 | name: tigera-read-networkpolicies-in-tier-security 1093 | labels: 1094 | tigera.io/rbac-controller: "true" 1095 | tigera.io/resource: networkpolicies 1096 | tigera.io/scope: namespace 1097 | tigera.io/access: read 1098 | tigera.io/tier: security 1099 | tigera.io/rbac-id: rd-np-tier-security 1100 | annotations: 1101 | tigera.io/description: "read (Calico) NetworkPolicy resources in Tier security" 1102 | rules: 1103 | - apiGroups: 1104 | - projectcalico.org 1105 | resources: 1106 | - tier.networkpolicies 1107 | resourceNames: 1108 | - security.* 1109 | verbs: 1110 | - get 1111 | - watch 1112 | - list 1113 | --- 1114 | 1115 | # This allows crud access to Calico GlobalNetworkPolicy resources in the security tier. 
1116 | apiVersion: rbac.authorization.k8s.io/v1 1117 | kind: ClusterRole 1118 | metadata: 1119 | name: tigera-read-write-globalnetworkpolicies-in-tier-security 1120 | labels: 1121 | tigera.io/rbac-controller: "true" 1122 | tigera.io/resource: globalnetworkpolicies 1123 | tigera.io/scope: global 1124 | tigera.io/access: read-write 1125 | tigera.io/tier: security 1126 | tigera.io/rbac-id: rdwr-gnp-tier-security 1127 | annotations: 1128 | tigera.io/description: "read-write GlobalNetworkPolicy resources in Tier security" 1129 | rules: 1130 | - apiGroups: 1131 | - projectcalico.org 1132 | resources: 1133 | - tier.globalnetworkpolicies 1134 | resourceNames: 1135 | - security.* 1136 | verbs: 1137 | - "*" 1138 | --- 1139 | 1140 | # This allows read access to Calico GlobalNetworkPolicy resources in the security tier. 1141 | apiVersion: rbac.authorization.k8s.io/v1 1142 | kind: ClusterRole 1143 | metadata: 1144 | name: tigera-read-globalnetworkpolicies-in-tier-security 1145 | labels: 1146 | tigera.io/rbac-controller: "true" 1147 | tigera.io/resource: globalnetworkpolicies 1148 | tigera.io/scope: global 1149 | tigera.io/access: read 1150 | tigera.io/tier: security 1151 | tigera.io/rbac-id: rd-gnp-tier-security 1152 | annotations: 1153 | tigera.io/description: "read GlobalNetworkPolicy resources in Tier security" 1154 | rules: 1155 | - apiGroups: 1156 | - projectcalico.org 1157 | resources: 1158 | - tier.globalnetworkpolicies 1159 | resourceNames: 1160 | - security.* 1161 | verbs: 1162 | - get 1163 | - watch 1164 | - list 1165 | --- 1166 | 1167 | # This allows crud access to Calico StagedNetworkPolicy resources in the security tier. 
1168 | apiVersion: rbac.authorization.k8s.io/v1 1169 | kind: ClusterRole 1170 | metadata: 1171 | name: tigera-read-write-stagednetworkpolicies-in-tier-security 1172 | labels: 1173 | tigera.io/rbac-controller: "true" 1174 | tigera.io/resource: stagednetworkpolicies 1175 | tigera.io/scope: namespace 1176 | tigera.io/access: read-write 1177 | tigera.io/tier: security 1178 | tigera.io/rbac-id: rdwr-snp-tier-security 1179 | annotations: 1180 | tigera.io/description: "read-write StagedNetworkPolicy resources in Tier security" 1181 | rules: 1182 | - apiGroups: 1183 | - projectcalico.org 1184 | resources: 1185 | - tier.stagednetworkpolicies 1186 | resourceNames: 1187 | - security.* 1188 | verbs: 1189 | - "*" 1190 | --- 1191 | 1192 | # This allows read access to Calico StagedNetworkPolicy resources in the security tier. 1193 | apiVersion: rbac.authorization.k8s.io/v1 1194 | kind: ClusterRole 1195 | metadata: 1196 | name: tigera-read-stagednetworkpolicies-tier-security 1197 | labels: 1198 | tigera.io/rbac-controller: "true" 1199 | tigera.io/resource: stagednetworkpolicies 1200 | tigera.io/scope: namespace 1201 | tigera.io/access: read 1202 | tigera.io/tier: security 1203 | tigera.io/rbac-id: rd-snp-tier-security 1204 | annotations: 1205 | tigera.io/description: "read StagedNetworkPolicy resources in Tier security" 1206 | rules: 1207 | - apiGroups: 1208 | - projectcalico.org 1209 | resources: 1210 | - tier.stagednetworkpolicies 1211 | resourceNames: 1212 | - security.* 1213 | verbs: 1214 | - get 1215 | - watch 1216 | - list 1217 | --- 1218 | 1219 | # This allows crud access to Calico StagedGlobalNetworkPolicy resources in the security tier. 
1220 | apiVersion: rbac.authorization.k8s.io/v1 1221 | kind: ClusterRole 1222 | metadata: 1223 | name: tigera-read-write-stagedglobalnetworkpolicies-in-tier-security 1224 | labels: 1225 | tigera.io/rbac-controller: "true" 1226 | tigera.io/resource: stagedglobalnetworkpolicies 1227 | tigera.io/scope: global 1228 | tigera.io/access: read-write 1229 | tigera.io/tier: security 1230 | tigera.io/rbac-id: rdwr-sgnp-tier-security 1231 | annotations: 1232 | tigera.io/description: "read-write StagedGlobalNetworkPolicy resources in Tier security" 1233 | rules: 1234 | - apiGroups: 1235 | - projectcalico.org 1236 | resources: 1237 | - tier.stagedglobalnetworkpolicies 1238 | resourceNames: 1239 | - security.* 1240 | verbs: 1241 | - "*" 1242 | --- 1243 | 1244 | # This allows read access to Calico StagedGlobalNetworkPolicy resources in the security tier. 1245 | apiVersion: rbac.authorization.k8s.io/v1 1246 | kind: ClusterRole 1247 | metadata: 1248 | name: tigera-read-stagedglobalnetworkpolicies-in-tier-security 1249 | labels: 1250 | tigera.io/rbac-controller: "true" 1251 | tigera.io/resource: stagedglobalnetworkpolicies 1252 | tigera.io/scope: global 1253 | tigera.io/access: read 1254 | tigera.io/tier: security 1255 | tigera.io/rbac-id: rd-sgnp-tier-security 1256 | annotations: 1257 | tigera.io/description: "read StagedGlobalNetworkPolicy resources in Tier security" 1258 | rules: 1259 | - apiGroups: 1260 | - projectcalico.org 1261 | resources: 1262 | - tier.stagedglobalnetworkpolicies 1263 | resourceNames: 1264 | - security.* 1265 | verbs: 1266 | - get 1267 | - watch 1268 | - list 1269 | --- 1270 | 1271 | ## platform tier 1272 | 1273 | # This allows read access to Calico GlobalNetworkPolicy resources in the platform tier. 
1274 | apiVersion: rbac.authorization.k8s.io/v1 1275 | kind: ClusterRole 1276 | metadata: 1277 | name: tigera-read-globalnetworkpolicies-in-tier-platform 1278 | labels: 1279 | tigera.io/rbac-controller: "true" 1280 | tigera.io/resource: globalnetworkpolicies 1281 | tigera.io/scope: global 1282 | tigera.io/access: read 1283 | tigera.io/tier: platform 1284 | tigera.io/rbac-id: rd-gnp-tier-platform 1285 | annotations: 1286 | tigera.io/description: "read GlobalNetworkPolicy resources in Tier platform" 1287 | rules: 1288 | - apiGroups: 1289 | - projectcalico.org 1290 | resources: 1291 | - tier.globalnetworkpolicies 1292 | resourceNames: 1293 | - platform.* 1294 | verbs: 1295 | - get 1296 | - watch 1297 | - list 1298 | --- 1299 | --------------------------------------------------------------------------------