diff --git a/Nimbus/api/v1/securityintent_types.go b/Nimbus/api/v1/securityintent_types.go new file mode 100644 index 00000000..30cee56b --- /dev/null +++ b/Nimbus/api/v1/securityintent_types.go @@ -0,0 +1,146 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! +// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. + +// SecurityIntentSpec defines the desired state of SecurityIntent +type SecurityIntentSpec struct { + // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + // Important: Run "make" to regenerate code after modifying this file + + Intent Intent `json:"intent"` // Define the details of the security policy. +} + +// Intent defines the security policy details +type Intent struct { + Description string `json:"description"` // Define the description + Action string `json:"action"` // Define the action of the policy + Type string `json:"type"` // Defines the type of the policy + Resource []Resource `json:"resource"` // Define the resources to which the security policy applies +} + +// Resource defines the resources that the security policy applies to +type Resource struct { + Network []Network `json:"network,omitempty"` + Process []Process `json:"process,omitempty"` + File []File `json:"file,omitempty"` + Capabilities []Capabilities `json:"capabilities,omitempty"` + Syscalls []Syscalls `json:"syscalls,omitempty"` + FromCIDRSet []CIDRSet `json:"fromCIDRSet,omitempty"` + ToPorts []ToPort `json:"toPorts,omitempty"` +} + +// Process defines the process-related policies +type Process struct { + MatchPaths []MatchPath `json:"matchPaths,omitempty"` + MatchDirectories []MatchDirectory `json:"matchDirectories,omitempty"` + MatchPatterns []MatchPattern `json:"matchPatterns,omitempty"` +} + +// File defines the file-related policies +type File struct { + MatchPaths []MatchPath `json:"matchPaths,omitempty"` + MatchDirectories []MatchDirectory `json:"matchDirectories,omitempty"` +} + +// Capabilities defines the capabilities-related policies +type Capabilities struct { + MatchCapabilities []MatchCapability `json:"matchCapabilities,omitempty"` +} + +// Syscalls defines the syscalls-related policies +type Syscalls struct { + MatchSyscalls []MatchSyscall `json:"matchSyscalls,omitempty"` +} + +// CIDRSet defines CIDR ranges for network policies +type CIDRSet struct { + CIDR string `json:"cidr,omitempty"` +} + +// ToPort defines ports and protocols for network policies +type ToPort struct { + Ports []Port `json:"ports,omitempty"` +} + +// Port defines a network port and its protocol +type Port struct { + Port string `json:"port,omitempty"` + Protocol string `json:"protocol,omitempty"` +} + +// MatchProtocol defines a protocol for network policies +type MatchProtocol struct { + Protocol string `json:"protocol,omitempty"` +} + +// MatchPath defines a path for process or file policies +type MatchPath struct { + Path string `json:"path,omitempty"` +} + +// MatchDirectory defines a directory for process or file policies +type MatchDirectory struct { + Directory string `json:"dir,omitempty"` + FromSource []FromSource `json:"fromSource,omitempty"` +} + +// MatchPattern defines a pattern for process policies +type MatchPattern struct { + Pattern string `json:"pattern,omitempty"` +} + +// MatchSyscall defines a syscall for syscall policies +type MatchSyscall struct { + Syscalls []string `json:"syscalls,omitempty"` +} + +// MatchCapability defines a capability for capabilities policies +type MatchCapability struct { + Capability string `json:"capability,omitempty"` +} + +// FromSource defines a source path for directory-based policies +type FromSource struct { + Path string `json:"path,omitempty"` +} + +// SecurityIntentStatus defines the observed state of SecurityIntent +type SecurityIntentStatus struct { + // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + // Important: Run "make" to regenerate code after modifying this file + // This field can be updated to reflect the actual status of the application of the security intents +} + +// SecurityIntent is the Schema for the securityintents API +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// SecurityIntent is the Schema for the securityintents API +type SecurityIntent struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + Spec SecurityIntentSpec `json:"spec,omitempty"` + Status SecurityIntentStatus `json:"status,omitempty"` +} + +//+kubebuilder:object:root=true + +// SecurityIntentList contains a list of SecurityIntent +type SecurityIntentList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []SecurityIntent `json:"items"` +} + +func init() { + SchemeBuilder.Register(&SecurityIntent{}, &SecurityIntentList{}) +} diff --git a/Nimbus/api/v1/securityintentbinding_types.go b/Nimbus/api/v1/securityintentbinding_types.go new file mode 100644 index 00000000..7d3e8e46 --- /dev/null +++ b/Nimbus/api/v1/securityintentbinding_types.go @@ -0,0 +1,79 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! +// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. + +// SecurityIntentBindingSpec defines the desired state of SecurityIntentBinding +type SecurityIntentBindingSpec struct { + // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + // Important: Run "make" to regenerate code after modifying this file + + // Foo is an example field of SecurityIntentBinding. Edit securityintentbinding_types.go to remove/update + Selector Selector `json:"selector"` + IntentRequests []IntentRequest `json:"intentRequests"` +} + +// Selector defines the selection criteria for resources +type Selector struct { + Any []ResourceFilter `json:"any,omitempty"` + All []ResourceFilter `json:"all,omitempty"` + CEL []string `json:"cel,omitempty"` +} + +// ResourceFilter is used for filtering resources +type ResourceFilter struct { + Resources Resources `json:"resources,omitempty"` +} + +// Resources defines the properties for selecting Kubernetes resources +type Resources struct { + Kind string `json:"kind,omitempty"` + Namespace string `json:"namespace,omitempty"` + MatchLabels map[string]string `json:"matchLabels,omitempty"` +} + +// IntentRequest defines the request for a specific SecurityIntent +type IntentRequest struct { + Type string `json:"type"` + IntentName string `json:"intentName"` + Description string `json:"description"` + Mode string `json:"mode"` +} + +// SecurityIntentBindingStatus defines the observed state of SecurityIntentBinding +type SecurityIntentBindingStatus struct { + // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + // Important: Run "make" to regenerate code after modifying this file +} + +//+kubebuilder:object:root=true +//+kubebuilder:subresource:status + +// SecurityIntentBinding is the Schema for the securityintentbindings API +type SecurityIntentBinding struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec SecurityIntentBindingSpec `json:"spec,omitempty"` + Status SecurityIntentBindingStatus `json:"status,omitempty"` +} + +//+kubebuilder:object:root=true + +// SecurityIntentBindingList contains a list of SecurityIntentBinding +type SecurityIntentBindingList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []SecurityIntentBinding `json:"items"` +} + +func init() { + SchemeBuilder.Register(&SecurityIntentBinding{}, &SecurityIntentBindingList{}) +} diff --git a/Nimbus/controllers/securityintent_controller.go b/Nimbus/controllers/securityintent_controller.go new file mode 100644 index 00000000..51434581 --- /dev/null +++ b/Nimbus/controllers/securityintent_controller.go @@ -0,0 +1,87 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + +import ( + "context" + "fmt" + + "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/log" + + general "github.com/5GSEC/nimbus/Nimbus/controllers/general" + "github.com/5GSEC/nimbus/Nimbus/api/v1" +) + +type SecurityIntentReconciler struct { + client.Client + Scheme *runtime.Scheme + GeneralController *general.GeneralController +} + +// NewSecurityIntentReconciler creates a new SecurityIntentReconciler. +func NewSecurityIntentReconciler(client client.Client, scheme *runtime.Scheme) *SecurityIntentReconciler { + if client == nil { + fmt.Println("SecurityIntentReconciler: Client is nil") + return nil + } + + generalController, err := general.NewGeneralController(client) + if err != nil { + fmt.Println("SecurityIntentReconciler: Failed to initialize GeneralController:", err) + return nil + } + + return &SecurityIntentReconciler{ + Client: client, + Scheme: scheme, + GeneralController: generalController, + } +} + +//+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=securityintents,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=securityintents/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=securityintents/finalizers,verbs=update + +// Reconcile is part of the main kubernetes reconciliation loop which aims to +// move the current state of the cluster closer to the desired state. +// TODO(user): Modify the Reconcile function to compare the state specified by +// the SecurityIntent object against the actual cluster state, and then +// perform operations to make the cluster state reflect the state specified by +// the user. +// +// For more details, check Reconcile and its Result here: +// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.16.3/pkg/reconcil + +// Reconcile handles the reconciliation of the SecurityIntent resources. +func (r *SecurityIntentReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { + log := log.FromContext(ctx) + + if r.GeneralController == nil { + fmt.Println("SecurityIntentReconciler: GeneralController is nil") + return ctrl.Result{}, fmt.Errorf("GeneralController is not properly initialized") + } + + intent, err := r.GeneralController.WatcherIntent.Reconcile(ctx, req) + if err != nil { + log.Error(err, "Error in WatcherIntent.Reconcile", "Request", req.NamespacedName) + return ctrl.Result{}, err + } + + if intent != nil { + log.Info("SecurityIntent resource found", "Name", req.Name, "Namespace", req.Namespace) + } else { + log.Info("SecurityIntent resource not found", "Name", req.Name, "Namespace", req.Namespace) + } + + return ctrl.Result{}, nil +} + +// SetupWithManager sets up the reconciler with the provided manager. +func (r *SecurityIntentReconciler) SetupWithManager(mgr ctrl.Manager) error { + // Set up the controller to manage SecurityIntent resources. + return ctrl.NewControllerManagedBy(mgr). + For(&v1.SecurityIntent{}). + Complete(r) +} diff --git a/Nimbus/controllers/securityintentbinding_controller.go b/Nimbus/controllers/securityintentbinding_controller.go new file mode 100644 index 00000000..fdc0d196 --- /dev/null +++ b/Nimbus/controllers/securityintentbinding_controller.go @@ -0,0 +1,111 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + +package controllers + +import ( + "context" + "fmt" + + "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/log" + + intentv1 "github.com/5GSEC/nimbus/Nimbus/api/v1" + general "github.com/5GSEC/nimbus/Nimbus/controllers/general" + policy "github.com/5GSEC/nimbus/Nimbus/controllers/policy" +) + +// SecurityIntentBindingReconciler reconciles a SecurityIntentBinding object +type SecurityIntentBindingReconciler struct { + client.Client + Scheme *runtime.Scheme + GeneralController *general.GeneralController + PolicyController *policy.PolicyController +} + +func NewSecurityIntentBindingReconciler(client client.Client, scheme *runtime.Scheme) *SecurityIntentBindingReconciler { + if client == nil { + fmt.Println("SecurityIntentBindingReconciler: Client is nil") + return nil + } + + generalController, err := general.NewGeneralController(client) + if err != nil { + fmt.Println("SecurityIntentBindingReconciler: Failed to initialize GeneralController:", err) + return nil + } + + policyController := policy.NewPolicyController(client, scheme) + if policyController == nil { + fmt.Println("SecurityIntentBindingReconciler: Failed to initialize PolicyController") + return nil + } + + return &SecurityIntentBindingReconciler{ + Client: client, + Scheme: scheme, + GeneralController: generalController, + PolicyController: policyController, + } +} + +//+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=securityintentbindings,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=securityintentbindings/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=intent.security.nimbus.com,resources=securityintentbindings/finalizers,verbs=update + +// Reconcile is part of the main kubernetes reconciliation loop which aims to +// move the current state of the cluster closer to the desired state. +// TODO(user): Modify the Reconcile function to compare the state specified by +// the SecurityIntentBinding object against the actual cluster state, and then +// perform operations to make the cluster state reflect the state specified by +// the user. +// +// For more details, check Reconcile and its Result here: +// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.16.3/pkg/reconcile + +func (r *SecurityIntentBindingReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { + log := log.FromContext(ctx) + + if r.GeneralController == nil || r.GeneralController.WatcherBinding == nil { + fmt.Println("SecurityIntentBindingReconciler: GeneralController or WatcherBinding is not initialized") + return ctrl.Result{}, fmt.Errorf("GeneralController or WatcherBinding is not initialized") + } + + binding, err := r.GeneralController.WatcherBinding.Reconcile(ctx, req) + if err != nil { + return ctrl.Result{}, fmt.Errorf("Error in WatcherBinding.Reconcile: %v", err) + } + + if binding != nil { + log.Info("SecurityIntentBinding resource found", "Name", req.Name, "Namespace", req.Namespace) + + bindingInfo, err := general.MatchIntentAndBinding(ctx, r.Client, binding) + if err != nil { + log.Error(err, "Failed to match SecurityIntent with SecurityIntentBinding", "BindingName", binding.Name) + return ctrl.Result{}, err + } + + if bindingInfo != nil { + err = r.PolicyController.Reconcile(ctx, bindingInfo) + if err != nil { + log.Error(err, "Failed to apply policy for SecurityIntentBinding", "BindingName", binding.Name) + return ctrl.Result{}, err + } + } else { + log.Info("No matching SecurityIntent found for SecurityIntentBinding", "BindingName", binding.Name) + } + } else { + log.Info("SecurityIntentBinding resource not found", "Name", req.Name, "Namespace", req.Namespace) + } + + return ctrl.Result{}, nil +} + +// SetupWithManager sets up the controller with the Manager. +func (r *SecurityIntentBindingReconciler) SetupWithManager(mgr ctrl.Manager) error { + return ctrl.NewControllerManagedBy(mgr). + For(&intentv1.SecurityIntentBinding{}). + Complete(r) +} diff --git a/Nimbus/controllers/suite_test.go b/Nimbus/controllers/suite_test.go new file mode 100644 index 00000000..9a0874a7 --- /dev/null +++ b/Nimbus/controllers/suite_test.go @@ -0,0 +1,82 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + +package controllers + +import ( + "fmt" + "path/filepath" + "runtime" + "testing" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + + "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/rest" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/envtest" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + + intentv1 "github.com/5GSEC/nimbus/Nimbus/api/v1" + //+kubebuilder:scaffold:imports +) + +// These tests use Ginkgo (BDD-style Go testing framework). Refer to +// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. + +var cfg *rest.Config // cfg will hold the Kubernetes rest configuration. +var k8sClient client.Client // k8sClient is the Kubernetes client for the test environment. +var testEnv *envtest.Environment // testEnv is the environment for running the tests. + +// TestControllers is the entry point for testing the controllers package. +func TestControllers(t *testing.T) { + RegisterFailHandler(Fail) // Register a Ginkgo fail handler. + + RunSpecs(t, "Controller Suite") // Run the Ginkgo specs for the 'Controller Suite'. +} + +var _ = BeforeSuite(func() { + // Setup for the test suite, executed before any specs are run. + logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) // Set up the logger. + + By("bootstrapping test environment") + testEnv = &envtest.Environment{ + // CRDDirectoryPaths specifies the paths to the CRD manifests. + CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")}, + ErrorIfCRDPathMissing: true, + + // The BinaryAssetsDirectory is only required if you want to run the tests directly + // without call the makefile target test. If not informed it will look for the + // default path defined in controller-runtime which is /usr/local/kubebuilder/. + // Note that you must have the required binaries setup under the bin directory to perform + // the tests directly. When we run make test it will be setup and used automatically. + BinaryAssetsDirectory: filepath.Join("..", "..", "bin", "k8s", + fmt.Sprintf("1.28.3-%s-%s", runtime.GOOS, runtime.GOARCH)), + } + + var err error + cfg, err = testEnv.Start() // Start the test environment. + Expect(err).NotTo(HaveOccurred()) // Assert that starting the environment does not produce an error. + Expect(cfg).NotTo(BeNil()) // Assert that the config is not nil. + + // Add the intentv1 API scheme to the runtime scheme. + err = intentv1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) // Assert that adding the scheme does not produce an error. + + // Scaffold additional schemes here if needed. + + // Initialize the Kubernetes client for the test environment. + k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) + Expect(err).NotTo(HaveOccurred()) // Assert that creating the client does not produce an error. + Expect(k8sClient).NotTo(BeNil()) // Assert that the client is not nil. + +}) + +var _ = AfterSuite(func() { + // Teardown for the test suite, executed after all specs have run. + By("tearing down the test environment") + err := testEnv.Stop() // Stop the test environment. + Expect(err).NotTo(HaveOccurred()) // Assert that stopping the environment does not produce an error. +}) diff --git a/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml b/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml new file mode 100644 index 00000000..8d31ce03 --- /dev/null +++ b/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml @@ -0,0 +1,116 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: securityintentbindings.intent.security.nimbus.com +spec: + group: intent.security.nimbus.com + names: + kind: SecurityIntentBinding + listKind: SecurityIntentBindingList + plural: securityintentbindings + singular: securityintentbinding + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SecurityIntentBinding is the Schema for the securityintentbindings + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SecurityIntentBindingSpec defines the desired state of SecurityIntentBinding + properties: + intentRequests: + items: + description: IntentRequest defines the request for a specific SecurityIntent + properties: + description: + type: string + intentName: + type: string + mode: + type: string + type: + type: string + required: + - description + - intentName + - mode + - type + type: object + type: array + selector: + description: Foo is an example field of SecurityIntentBinding. Edit + securityintentbinding_types.go to remove/update + properties: + all: + items: + description: ResourceFilter is used for filtering resources + properties: + resources: + description: Resources defines the properties for selecting + Kubernetes resources + properties: + kind: + type: string + matchLabels: + additionalProperties: + type: string + type: object + namespace: + type: string + type: object + type: object + type: array + any: + items: + description: ResourceFilter is used for filtering resources + properties: + resources: + description: Resources defines the properties for selecting + Kubernetes resources + properties: + kind: + type: string + matchLabels: + additionalProperties: + type: string + type: object + namespace: + type: string + type: object + type: object + type: array + cel: + items: + type: string + type: array + type: object + required: + - intentRequests + - selector + type: object + status: + description: SecurityIntentBindingStatus defines the observed state of + SecurityIntentBinding + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/crd/bases/intent.security.nimbus.com_securityintents.yaml b/config/crd/bases/intent.security.nimbus.com_securityintents.yaml index 0eb4c348..6438c68d 100644 --- a/config/crd/bases/intent.security.nimbus.com_securityintents.yaml +++ b/config/crd/bases/intent.security.nimbus.com_securityintents.yaml @@ -39,152 +39,162 @@ spec: properties: action: type: string - mode: + description: type: string resource: items: description: Resource defines the resources that the security policy applies to properties: - attrs: + capabilities: items: - type: string + description: Capabilities defines the capabilities-related + policies + properties: + matchCapabilities: + items: + description: MatchCapability defines a capability + for capabilities policies + properties: + capability: + type: string + type: object + type: array + type: object + type: array + file: + items: + description: File defines the file-related policies + properties: + matchDirectories: + items: + description: MatchDirectory defines a directory + for process or file policies + properties: + dir: + type: string + fromSource: + items: + description: FromSource defines a source path + for directory-based policies + properties: + path: + type: string + type: object + type: array + type: object + type: array + matchPaths: + items: + description: MatchPath defines a path for process + or file policies + properties: + path: + type: string + type: object + type: array + type: object + type: array + fromCIDRSet: + items: + description: CIDRSet defines CIDR ranges for network policies + properties: + cidr: + type: string + type: object + type: array + network: + items: {} type: array - key: - type: string - val: + process: items: - type: string + description: Process defines the process-related policies + properties: + matchDirectories: + items: + description: MatchDirectory defines a directory + for process or file policies + properties: + dir: + type: string + fromSource: + items: + description: FromSource defines a source path + for directory-based policies + properties: + path: + type: string + type: object + type: array + type: object + type: array + matchPaths: + items: + description: MatchPath defines a path for process + or file policies + properties: + path: + type: string + type: object + type: array + matchPatterns: + items: + description: MatchPattern defines a pattern for + process policies + properties: + pattern: + type: string + type: object + type: array + type: object + type: array + syscalls: + items: + description: Syscalls defines the syscalls-related policies + properties: + matchSyscalls: + items: + description: MatchSyscall defines a syscall for + syscall policies + properties: + syscalls: + items: + type: string + type: array + type: object + type: array + type: object + type: array + toPorts: + items: + description: ToPort defines ports and protocols for network + policies + properties: + ports: + items: + description: Port defines a network port and its + protocol + properties: + port: + type: string + protocol: + type: string + type: object + type: array + type: object type: array - valcel: - type: string type: object type: array type: type: string required: - action - - mode + - description - resource - type type: object - selector: - description: Selector defines the selection criteria for resources - properties: - cel: - items: - type: string - type: array - match: - description: Match defines the resource filters to be used - properties: - all: - items: - description: ResourceFilter is used for filtering resources, - subjects, roles, and cluster roles - properties: - resources: - description: Resources defines the properties for selecting - Kubernetes resources - properties: - kinds: - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - type: object - names: - items: - type: string - type: array - namespaces: - items: - type: string - type: array - operations: - items: - type: string - type: array - required: - - kinds - type: object - roles: - items: - type: string - type: array - subjects: - items: - description: Subject defines the subject for filtering - properties: - kind: - type: string - name: - type: string - required: - - kind - type: object - type: array - type: object - type: array - any: - items: - description: ResourceFilter is used for filtering resources, - subjects, roles, and cluster roles - properties: - resources: - description: Resources defines the properties for selecting - Kubernetes resources - properties: - kinds: - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - type: object - names: - items: - type: string - type: array - namespaces: - items: - type: string - type: array - operations: - items: - type: string - type: array - required: - - kinds - type: object - roles: - items: - type: string - type: array - subjects: - items: - description: Subject defines the subject for filtering - properties: - kind: - type: string - name: - type: string - required: - - kind - type: object - type: array - type: object - type: array - type: object - required: - - cel - type: object required: - intent - - selector type: object status: description: SecurityIntentStatus defines the observed state of SecurityIntent