fix(adapter): Update intentID to assessTLS from ensureTLS (#247)

* fix(adapter): Update intentID to assessTLS from ensureTLS Signed-off-by: Anurag Rajawat <[email protected]> * fix(adapter): Fix panic on scanning external addresses Signed-off-by: Anurag Rajawat <[email protected]> --------- Signed-off-by: Anurag Rajawat <[email protected]>
5GSEC · Aug 21, 2024 · b0eb27e · b0eb27e
1 parent 7eded6f
commit b0eb27e
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 31 deletions.
diff --git a/...ples/clusterscoped/ensuretls-default.yaml → ...ples/clusterscoped/assesstls-default.yaml b/...ples/clusterscoped/ensuretls-default.yaml → ...ples/clusterscoped/assesstls-default.yaml
@@ -4,10 +4,10 @@
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
-  name: ensure-tls-default
+  name: assess-tls-default
 spec:
   intent:
-    id: ensureTLS
+    id: assessTLS
     action: Audit
     description: |
       Assess the TLS configuration to ensure compliance with the security standards. This includes verifying TLS protocol version,
@@ -17,10 +17,10 @@ spec:
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: ClusterSecurityIntentBinding
 metadata:
-  name: ensure-tls-default
+  name: assess-tls-default
 spec:
   intents:
-    - name: ensure-tls-default
+    - name: assess-tls-default
   selector:
     nsSelector:
       matchNames:

diff --git a/...ed/ensuretls-with-external-addresses.yaml → ...ed/assesstls-with-external-addresses.yaml b/...ed/ensuretls-with-external-addresses.yaml → ...ed/assesstls-with-external-addresses.yaml
@@ -4,10 +4,10 @@
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
-  name: ensure-tls-external-addresses
+  name: assess-tls-external-addresses
 spec:
   intent:
-    id: ensureTLS
+    id: assessTLS
     action: Audit
     severity: "medium"
     description: |
@@ -21,10 +21,10 @@ spec:
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: ClusterSecurityIntentBinding
 metadata:
-  name: ensure-tls-external-addresses
+  name: assess-tls-external-addresses
 spec:
   intents:
-    - name: ensure-tls-external-addresses
+    - name: assess-tls-external-addresses
   selector:
     nsSelector:
       matchNames:

diff --git a/...lusterscoped/ensuretls-with-schedule.yaml → ...lusterscoped/assesstls-with-schedule.yaml b/...lusterscoped/ensuretls-with-schedule.yaml → ...lusterscoped/assesstls-with-schedule.yaml
@@ -4,10 +4,10 @@
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: SecurityIntent
 metadata:
-  name: ensure-tls-scheduled
+  name: assess-tls-scheduled
 spec:
   intent:
-    id: ensureTLS
+    id: assessTLS
     action: Audit
     severity: "medium"
     description: |
@@ -20,10 +20,10 @@ spec:
 apiVersion: intent.security.nimbus.com/v1alpha1
 kind: ClusterSecurityIntentBinding
 metadata:
-  name: ensure-tls-scheduled
+  name: assess-tls-scheduled
 spec:
   intents:
-    - name: ensure-tls-scheduled
+    - name: assess-tls-scheduled
   selector:
     nsSelector:
       matchNames:

diff --git a/pkg/adapter/idpool/idpool.go b/pkg/adapter/idpool/idpool.go
@@ -17,7 +17,7 @@ const (
 	DisallowCapabilities      = "disallowCapabilities"
 	ExploitPFA                = "preventExecutionFromTempOrLogsFolders"
 	CocoWorkload              = "cocoWorkload"
-	EnsureTLS                 = "ensureTLS"
+	AssessTLS                 = "assessTLS"
 	DenyENAccess              = "denyExternalNetworkAccess"
 )
 
@@ -49,7 +49,7 @@ var KyvIds = []string{
 
 // k8tlsIds are IDs supported by k8tls.
 var k8tlsIds = []string{
-	EnsureTLS,
+	AssessTLS,
 }
 
 // IsIdSupportedBy determines whether a given ID is supported by a security engine.

diff --git a/pkg/adapter/nimbus-k8tls/Dockerfile b/pkg/adapter/nimbus-k8tls/Dockerfile
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 

diff --git a/pkg/adapter/nimbus-k8tls/builder/builder.go b/pkg/adapter/nimbus-k8tls/builder/builder.go
@@ -10,19 +10,20 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/5GSEC/nimbus/api/v1alpha1"
-	"github.com/5GSEC/nimbus/pkg/adapter/common"
-	"github.com/5GSEC/nimbus/pkg/adapter/idpool"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	"github.com/5GSEC/nimbus/api/v1alpha1"
+	"github.com/5GSEC/nimbus/pkg/adapter/common"
+	"github.com/5GSEC/nimbus/pkg/adapter/idpool"
 )
 
 var (
 	DefaultSchedule = "@weekly"
-	backOffLimit    = int32(5)	
+	backOffLimit    = int32(5)
 )
 
 func BuildCronJob(ctx context.Context, cwnp v1alpha1.ClusterNimbusPolicy) (*batchv1.CronJob, *corev1.ConfigMap) {
@@ -45,29 +46,29 @@ func BuildCronJob(ctx context.Context, cwnp v1alpha1.ClusterNimbusPolicy) (*batc
 
 func cronJobFor(ctx context.Context, id string, rule v1alpha1.NimbusRules) (*batchv1.CronJob, *corev1.ConfigMap) {
 	switch id {
-	case idpool.EnsureTLS:
-		return ensureTlsCronJob(ctx, rule)
+	case idpool.AssessTLS:
+		return assessTlsCronJob(ctx, rule)
 	default:
 		return nil, nil
 	}
 }
 
-func ensureTlsCronJob(ctx context.Context, rule v1alpha1.NimbusRules) (*batchv1.CronJob, *corev1.ConfigMap) {
+func assessTlsCronJob(ctx context.Context, rule v1alpha1.NimbusRules) (*batchv1.CronJob, *corev1.ConfigMap) {
 	schedule, scheduleKeyExists := rule.Rule.Params["schedule"]
 	externalAddresses, addrKeyExists := rule.Rule.Params["external_addresses"]
 	if scheduleKeyExists && addrKeyExists {
-		return cronJobForEnsureTls(ctx, schedule[0], externalAddresses...)
+		return cronJobForAssessTls(ctx, schedule[0], externalAddresses...)
 	}
 	if scheduleKeyExists {
-		return cronJobForEnsureTls(ctx, schedule[0])
+		return cronJobForAssessTls(ctx, schedule[0])
 	}
 	if addrKeyExists {
-		return cronJobForEnsureTls(ctx, DefaultSchedule, externalAddresses...)
+		return cronJobForAssessTls(ctx, DefaultSchedule, externalAddresses...)
 	}
-	return cronJobForEnsureTls(ctx, DefaultSchedule)
+	return cronJobForAssessTls(ctx, DefaultSchedule)
 }
 
-func cronJobForEnsureTls(ctx context.Context, schedule string, externalAddresses ...string) (*batchv1.CronJob, *corev1.ConfigMap) {
+func cronJobForAssessTls(ctx context.Context, schedule string, externalAddresses ...string) (*batchv1.CronJob, *corev1.ConfigMap) {
 	logger := log.FromContext(ctx)
 	cj := &batchv1.CronJob{
 		Spec: batchv1.CronJobSpec{
@@ -183,7 +184,7 @@ func cronJobForEnsureTls(ctx context.Context, schedule string, externalAddresses
 	if len(externalAddresses) > 0 {
 		cm := buildConfigMap(externalAddresses)
 
-		cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].VolumeMounts = append(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+		cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].VolumeMounts = append(cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].VolumeMounts, corev1.VolumeMount{
 			Name:      cm.Name,
 			ReadOnly:  true,
 			MountPath: "/var/k8tls/",
@@ -199,10 +200,11 @@ func cronJobForEnsureTls(ctx context.Context, schedule string, externalAddresses
 			},
 		})
 
-		cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command[0] = "./tlsscan"
-		cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command = append(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command,
+		cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].Command[0] = "./tlsscan"
+		cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].Command = append(cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].Command,
 			"--infile",
-			cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].VolumeMounts[2].MountPath+"addresses",
+			cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].VolumeMounts[2].MountPath+"addresses",
+			"--compact-json",
 		)
 		return cj, cm
 	}