feat: Update SecurityIntent and Add IntentBinding

5GSEC · Dec 13, 2023 · d83ecf8 · d83ecf8
1 parent 0b85945
commit d83ecf8
Show file tree

Hide file tree

Showing 7 changed files with 756 additions and 125 deletions.
diff --git a/Nimbus/api/v1/securityintent_types.go b/Nimbus/api/v1/securityintent_types.go
@@ -0,0 +1,146 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// SecurityIntentSpec defines the desired state of SecurityIntent
+type SecurityIntentSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	Intent   Intent   `json:"intent"`   // Define the details of the security policy.
+}
+
+// Intent defines the security policy details
+type Intent struct {
+	Description string     `json:"description"` // Define the description
+	Action      string     `json:"action"`      // Define the action of the policy
+	Type        string     `json:"type"`        // Defines the type of the policy
+	Resource    []Resource `json:"resource"`    // Define the resources to which the security policy applies
+}
+
+// Resource defines the resources that the security policy applies to
+type Resource struct {
+	Network      []Network      `json:"network,omitempty"`
+	Process      []Process      `json:"process,omitempty"`
+	File         []File         `json:"file,omitempty"`
+	Capabilities []Capabilities `json:"capabilities,omitempty"`
+	Syscalls     []Syscalls     `json:"syscalls,omitempty"`
+	FromCIDRSet  []CIDRSet      `json:"fromCIDRSet,omitempty"`
+	ToPorts      []ToPort       `json:"toPorts,omitempty"`
+}
+
+// Process defines the process-related policies
+type Process struct {
+	MatchPaths       []MatchPath      `json:"matchPaths,omitempty"`
+	MatchDirectories []MatchDirectory `json:"matchDirectories,omitempty"`
+	MatchPatterns    []MatchPattern   `json:"matchPatterns,omitempty"`
+}
+
+// File defines the file-related policies
+type File struct {
+	MatchPaths       []MatchPath      `json:"matchPaths,omitempty"`
+	MatchDirectories []MatchDirectory `json:"matchDirectories,omitempty"`
+}
+
+// Capabilities defines the capabilities-related policies
+type Capabilities struct {
+	MatchCapabilities []MatchCapability `json:"matchCapabilities,omitempty"`
+}
+
+// Syscalls defines the syscalls-related policies
+type Syscalls struct {
+	MatchSyscalls []MatchSyscall `json:"matchSyscalls,omitempty"`
+}
+
+// CIDRSet defines CIDR ranges for network policies
+type CIDRSet struct {
+	CIDR string `json:"cidr,omitempty"`
+}
+
+// ToPort defines ports and protocols for network policies
+type ToPort struct {
+	Ports []Port `json:"ports,omitempty"`
+}
+
+// Port defines a network port and its protocol
+type Port struct {
+	Port     string `json:"port,omitempty"`
+	Protocol string `json:"protocol,omitempty"`
+}
+
+// MatchProtocol defines a protocol for network policies
+type MatchProtocol struct {
+	Protocol string `json:"protocol,omitempty"`
+}
+
+// MatchPath defines a path for process or file policies
+type MatchPath struct {
+	Path string `json:"path,omitempty"`
+}
+
+// MatchDirectory defines a directory for process or file policies
+type MatchDirectory struct {
+	Directory  string       `json:"dir,omitempty"`
+	FromSource []FromSource `json:"fromSource,omitempty"`
+}
+
+// MatchPattern defines a pattern for process policies
+type MatchPattern struct {
+	Pattern string `json:"pattern,omitempty"`
+}
+
+// MatchSyscall defines a syscall for syscall policies
+type MatchSyscall struct {
+	Syscalls []string `json:"syscalls,omitempty"`
+}
+
+// MatchCapability defines a capability for capabilities policies
+type MatchCapability struct {
+	Capability string `json:"capability,omitempty"`
+}
+
+// FromSource defines a source path for directory-based policies
+type FromSource struct {
+	Path string `json:"path,omitempty"`
+}
+
+// SecurityIntentStatus defines the observed state of SecurityIntent
+type SecurityIntentStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+	// This field can be updated to reflect the actual status of the application of the security intents
+}
+
+// SecurityIntent is the Schema for the securityintents API
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SecurityIntent is the Schema for the securityintents API
+type SecurityIntent struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              SecurityIntentSpec   `json:"spec,omitempty"`
+	Status            SecurityIntentStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// SecurityIntentList contains a list of SecurityIntent
+type SecurityIntentList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []SecurityIntent `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&SecurityIntent{}, &SecurityIntentList{})
+}
diff --git a/Nimbus/api/v1/securityintentbinding_types.go b/Nimbus/api/v1/securityintentbinding_types.go
@@ -0,0 +1,79 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// SecurityIntentBindingSpec defines the desired state of SecurityIntentBinding
+type SecurityIntentBindingSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// Foo is an example field of SecurityIntentBinding. Edit securityintentbinding_types.go to remove/update
+	Selector       Selector        `json:"selector"`
+	IntentRequests []IntentRequest `json:"intentRequests"`
+}
+
+// Selector defines the selection criteria for resources
+type Selector struct {
+	Any []ResourceFilter `json:"any,omitempty"`
+	All []ResourceFilter `json:"all,omitempty"`
+	CEL []string         `json:"cel,omitempty"`
+}
+
+// ResourceFilter is used for filtering resources
+type ResourceFilter struct {
+	Resources Resources `json:"resources,omitempty"`
+}
+
+// Resources defines the properties for selecting Kubernetes resources
+type Resources struct {
+	Kind        string            `json:"kind,omitempty"`
+	Namespace   string            `json:"namespace,omitempty"`
+	MatchLabels map[string]string `json:"matchLabels,omitempty"`
+}
+
+// IntentRequest defines the request for a specific SecurityIntent
+type IntentRequest struct {
+	Type        string `json:"type"`
+	IntentName  string `json:"intentName"`
+	Description string `json:"description"`
+	Mode        string `json:"mode"`
+}
+
+// SecurityIntentBindingStatus defines the observed state of SecurityIntentBinding
+type SecurityIntentBindingStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// SecurityIntentBinding is the Schema for the securityintentbindings API
+type SecurityIntentBinding struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   SecurityIntentBindingSpec   `json:"spec,omitempty"`
+	Status SecurityIntentBindingStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// SecurityIntentBindingList contains a list of SecurityIntentBinding
+type SecurityIntentBindingList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []SecurityIntentBinding `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&SecurityIntentBinding{}, &SecurityIntentBindingList{})
+}
diff --git a/Nimbus/controllers/securityintent_controller.go b/Nimbus/controllers/securityintent_controller.go
@@ -0,0 +1,87 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+import (
+	"context"
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"	
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	general "github.com/5GSEC/nimbus/Nimbus/controllers/general"
+	"github.com/5GSEC/nimbus/Nimbus/api/v1"
+)
+
+type SecurityIntentReconciler struct {
+	client.Client
+	Scheme            *runtime.Scheme
+	GeneralController *general.GeneralController
+}
+
+// NewSecurityIntentReconciler creates a new SecurityIntentReconciler.
+func NewSecurityIntentReconciler(client client.Client, scheme *runtime.Scheme) *SecurityIntentReconciler {
+	if client == nil {
+		fmt.Println("SecurityIntentReconciler: Client is nil")
+		return nil
+	}
+
+	generalController, err := general.NewGeneralController(client)
+	if err != nil {
+		fmt.Println("SecurityIntentReconciler: Failed to initialize GeneralController:", err)
+		return nil
+	}
+
+	return &SecurityIntentReconciler{
+		Client:            client,
+		Scheme:            scheme,
+		GeneralController: generalController,
+	}
+}
+
+//+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=securityintents,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=securityintents/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=securityintents/finalizers,verbs=update
+
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+// TODO(user): Modify the Reconcile function to compare the state specified by
+// the SecurityIntent object against the actual cluster state, and then
+// perform operations to make the cluster state reflect the state specified by
+// the user.
+//
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcil
+
+// Reconcile handles the reconciliation of the SecurityIntent resources.
+func (r *SecurityIntentReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	log := log.FromContext(ctx)
+
+	if r.GeneralController == nil {
+		fmt.Println("SecurityIntentReconciler: GeneralController is nil")
+		return ctrl.Result{}, fmt.Errorf("GeneralController is not properly initialized")
+	}
+
+	intent, err := r.GeneralController.WatcherIntent.Reconcile(ctx, req)
+	if err != nil {
+		log.Error(err, "Error in WatcherIntent.Reconcile", "Request", req.NamespacedName)
+		return ctrl.Result{}, err
+	}
+
+	if intent != nil {
+		log.Info("SecurityIntent resource found", "Name", req.Name, "Namespace", req.Namespace)
+	} else {
+		log.Info("SecurityIntent resource not found", "Name", req.Name, "Namespace", req.Namespace)
+	}
+
+	return ctrl.Result{}, nil
+}
+
+// SetupWithManager sets up the reconciler with the provided manager.
+func (r *SecurityIntentReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	// Set up the controller to manage SecurityIntent resources.
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&v1.SecurityIntent{}).
+		Complete(r)
+}