feat: Add Network Policy adapter

Signed-off-by: Anurag Rajawat <[email protected]>
5GSEC · Jan 23, 2024 · 04c7b97 · 04c7b97
1 parent 0f90662
commit 04c7b97
Show file tree

Hide file tree

Showing 11 changed files with 639 additions and 7 deletions.
diff --git a/pkg/adapter/idpool/idpool.go b/pkg/adapter/idpool/idpool.go
@@ -1,9 +1,13 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-// Package idpool manages a pool of IDs for use by KubeArmor.
+// Package idpool manages a pool of IDs for use by adapters.
 package idpool
 
+import (
+	"strings"
+)
+
 const (
 	SwDeploymentTools         = "swDeploymentTools"
 	UnAuthorizedSaTokenAccess = "unAuthorizedSaTokenAccess"
@@ -16,12 +20,28 @@ const (
 
 // KaIds are IDs supported by KubeArmor.
 var KaIds = []string{
-	SwDeploymentTools, UnAuthorizedSaTokenAccess,
+	SwDeploymentTools, UnAuthorizedSaTokenAccess, DNSManipulation,
+}
+
+// NetPolIDs are IDs supported by Network Policy adapter.
+var NetPolIDs = []string{
+	DNSManipulation,
+}
+
+// IsIdSupportedBy determines whether a given ID is supported by a security engine.
+func IsIdSupportedBy(id, securityEngine string) bool {
+	switch strings.ToLower(securityEngine) {
+	case "kubearmor":
+		return in(id, KaIds)
+	case "netpol":
+		return in(id, NetPolIDs)
+	default:
+		return false
+	}
 }
 
-// IsIdSupported determines whether a given ID is supported by KubeArmor.
-func IsIdSupported(id string) bool {
-	for _, currId := range KaIds {
+func in(id string, securityEngineIds []string) bool {
+	for _, currId := range securityEngineIds {
 		if currId == id {
 			return true
 		}

diff --git a/pkg/adapter/nimbus-kubearmor/manager/kspmanager.go b/pkg/adapter/nimbus-kubearmor/manager/kspmanager.go
@@ -99,7 +99,7 @@ func createKsp(ctx context.Context, npName, npNamespace string) {
 	// Check if all strict mode intents are implemented by the adapter.
 	allStrictIntentsImplemented := true
 	for _, rule := range np.Spec.NimbusRules {
-		if rule.Rule.Mode == "strict" && !idpool.IsIdSupported(rule.ID) {
+		if rule.Rule.Mode == "strict" && !idpool.IsIdSupportedBy(rule.ID, "kubearmor") {
 			allStrictIntentsImplemented = false
 			logger.Info("The adapter does not support the strict mode intent", "ID", rule.ID)
 			break

diff --git a/pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go b/pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go
@@ -21,7 +21,7 @@ func BuildKspsFrom(logger logr.Logger, np *v1.NimbusPolicy) []kubearmorv1.KubeAr
 	var ksps []kubearmorv1.KubeArmorPolicy
 	for _, nimbusRule := range np.Spec.NimbusRules {
 		id := nimbusRule.ID
-		if idpool.IsIdSupported(id) {
+		if idpool.IsIdSupportedBy(id, "kubearmor") {
 			ksp := buildKspFor(id)
 			ksp.Name = np.Name + "-" + strings.ToLower(id)
 			ksp.Namespace = np.Namespace

diff --git a/pkg/adapter/nimbus-netpol/.dockerignore b/pkg/adapter/nimbus-netpol/.dockerignore
@@ -0,0 +1 @@
+bin/
diff --git a/pkg/adapter/nimbus-netpol/Dockerfile b/pkg/adapter/nimbus-netpol/Dockerfile
@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+# Build the nimbus-netpol binary
+FROM golang:1.21 as builder
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY main.go main.go
+COPY manager/ manager/
+COPY processor/ processor/
+
+# Build
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-w" -a -o nimbus-netpol main.go
+
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/nimbus-netpol .
+USER 65532:65532
+
+ENTRYPOINT ["/nimbus-netpol"]
diff --git a/pkg/adapter/nimbus-netpol/Makefile b/pkg/adapter/nimbus-netpol/Makefile
@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+# Image URL to use all building/pushing image targets
+IMG ?= 5gsec/nimbus-cni
+# Image Tag to use all building/pushing image targets
+TAG ?= v0.1
+
+CONTAINER_TOOL ?= docker
+BINARY ?= bin/nimbus-netpol
+
+build:
+	@go build -ldflags="-w" -o ${BINARY}  main.go
+
+run: build
+	@./${BINARY}
+
+.PHONY: docker-build
+docker-build:
+	$(CONTAINER_TOOL) build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} .
+
+.PHONY: docker-push
+docker-push:
+	$(CONTAINER_TOOL) push ${IMG}:${TAG}
+	$(CONTAINER_TOOL) push ${IMG}:latest
+
+PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
+.PHONY: docker-buildx
+docker-buildx:
+	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
+	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
+	- $(CONTAINER_TOOL) buildx create --name project-v3-builder
+	$(CONTAINER_TOOL) buildx use project-v3-builder
+	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --build-arg VERSION=${TAG} --tag ${IMG}:${TAG} -f Dockerfile.cross . || { $(CONTAINER_TOOL) buildx rm project-v3-builder; rm Dockerfile.cross; exit 1; }
+	- $(CONTAINER_TOOL) buildx rm project-v3-builder
+	rm Dockerfile.cross
diff --git a/pkg/adapter/nimbus-netpol/go.mod b/pkg/adapter/nimbus-netpol/go.mod
@@ -0,0 +1,70 @@
+module github.com/5GSEC/nimbus/pkg/adapter/nimbus-netpol
+
+go 1.21
+
+require (
+	github.com/5GSEC/nimbus v0.0.0-20240123095101-3e46af24d848
+	github.com/go-logr/logr v1.4.1
+	k8s.io/api v0.29.0
+	k8s.io/apimachinery v0.29.0
+	sigs.k8s.io/controller-runtime v0.17.0
+)
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
+	github.com/evanphx/json-patch/v5 v5.8.0 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.20.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.5.0 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/prometheus/client_golang v1.18.0 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/common v0.45.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.26.0 // indirect
+	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/oauth2 v0.12.0 // indirect
+	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/apiextensions-apiserver v0.29.0 // indirect
+	k8s.io/client-go v0.29.0 // indirect
+	k8s.io/component-base v0.29.0 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)