feat: Move the policy generation code for the adapter and create a si…

…mple HTTP server.
5GSEC · Jan 2, 2024 · ee8db0a · ee8db0a
1 parent 396ad8b
commit ee8db0a
Show file tree

Hide file tree

Showing 5 changed files with 693 additions and 0 deletions.
diff --git a/nimbus-kubearmor/processor/network_policy.go b/nimbus-kubearmor/processor/network_policy.go
@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package policy
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+
+	general "github.com/5GSEC/nimbus/pkg/controllers/general"
+	utils "github.com/5GSEC/nimbus/pkg/controllers/utils"
+)
+
+// NetworkPolicyController struct to handle network policies.
+type NetworkPolicyController struct {
+	Client client.Client   // Client to interact with Kubernetes API.
+	Scheme *runtime.Scheme // Scheme defines the runtime scheme of the Kubernetes objects.
+}
+
+// NewNetworkPolicyController creates a new instance of NetworkPolicyController.
+func NewNetworkPolicyController(client client.Client, scheme *runtime.Scheme) *NetworkPolicyController {
+	return &NetworkPolicyController{
+		Client: client,
+		Scheme: scheme,
+	}
+}
+
+// HandlePolicy processes the network policies defined in the SecurityIntent resource.
+func (npc *NetworkPolicyController) HandlePolicy(ctx context.Context, bindingInfo *general.BindingInfo) error {
+	log := log.FromContext(ctx)
+	log.Info("Handling Network Policy", "BindingName", bindingInfo.Binding.Name)
+
+	// Build and apply/update Cilium Network Policy based on BindingInfo.
+	ciliumPolicySpec := utils.BuildCiliumNetworkPolicySpec(ctx, bindingInfo).(*ciliumv2.CiliumNetworkPolicy)
+	err := utils.ApplyOrUpdatePolicy(ctx, npc.Client, ciliumPolicySpec, bindingInfo.Binding.Name)
+	if err != nil {
+		log.Error(err, "Failed to apply Cilium Network Policy", "Name", bindingInfo.Binding.Name)
+		return err
+	}
+
+	log.Info("Applied Network Policy", "PolicyName", bindingInfo.Binding.Name)
+	return nil
+}
+
+// DeletePolicy removes the network policy associated with the SecurityIntent resource.
+func (npc *NetworkPolicyController) DeletePolicy(ctx context.Context, bindingInfo *general.BindingInfo) error {
+	log := log.FromContext(ctx)
+
+	// Modified line: Merged variable declaration with assignment
+	err := utils.DeletePolicy(ctx, npc.Client, "CiliumNetworkPolicy", bindingInfo.Binding.Name, bindingInfo.Binding.Namespace)
+	if err != nil {
+		log.Error(err, "Failed to delete Cilium Network Policy", "Name", bindingInfo.Binding.Name)
+		return err
+	}
+
+	log.Info("Deleted Network Policy", "PolicyName", bindingInfo.Binding.Name)
+	return nil
+}
diff --git a/nimbus-kubearmor/processor/policy_controller.go b/nimbus-kubearmor/processor/policy_controller.go
@@ -0,0 +1,79 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package policy
+
+import (
+	"context"
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	general "github.com/5GSEC/nimbus/pkg/controllers/general"
+)
+
+// Constant for the finalizer name used in the SecurityIntent resource.
+// const securityIntentFinalizer = "finalizer.securityintent.intent.security.nimbus.com"
+
+// PolicyController struct handles different types of policies.
+type PolicyController struct {
+	Client                  client.Client            // Client for interacting with Kubernetes API.
+	Scheme                  *runtime.Scheme          // Scheme defines the runtime scheme of the Kubernetes objects.
+	NetworkPolicyController *NetworkPolicyController // Controller for handling network policies.
+	SystemPolicyController  *SystemPolicyController  // Controller for handling system policies.
+}
+
+// NewPolicyController creates a new instance of PolicyController.
+func NewPolicyController(client client.Client, scheme *runtime.Scheme) *PolicyController {
+	if client == nil || scheme == nil {
+		fmt.Println("PolicyController: Client or Scheme is nil")
+		return nil
+	}
+
+	return &PolicyController{
+		Client:                  client,
+		Scheme:                  scheme,
+		NetworkPolicyController: NewNetworkPolicyController(client, scheme),
+		SystemPolicyController:  NewSystemPolicyController(client, scheme),
+	}
+}
+
+// Reconcile handles the reconciliation logic for the SecurityIntent and SecurityIntentBinding resources.
+func (pc *PolicyController) Reconcile(ctx context.Context, bindingInfo *general.BindingInfo) error {
+	log := log.FromContext(ctx)
+
+	var intentRequestType string
+	if len(bindingInfo.Binding.Spec.IntentRequests) > 0 {
+		intentRequestType = bindingInfo.Binding.Spec.IntentRequests[0].Type
+	}
+
+	log.Info("Processing policy", "BindingName", bindingInfo.Binding.Name, "IntentType", intentRequestType)
+
+	var err error
+	switch intentRequestType {
+	case "network":
+		err = pc.NetworkPolicyController.HandlePolicy(ctx, bindingInfo)
+		if err != nil {
+			log.Error(err, "Failed to apply network policy", "BindingName", bindingInfo.Binding.Name)
+			return err
+		}
+	case "system":
+		err = pc.SystemPolicyController.HandlePolicy(ctx, bindingInfo)
+		if err != nil {
+			log.Error(err, "Failed to apply system policy", "BindingName", bindingInfo.Binding.Name)
+			return err
+		}
+	default:
+		err = fmt.Errorf("unknown policy type: %s", intentRequestType)
+		log.Error(err, "Unknown policy type", "Type", intentRequestType)
+		return err
+	}
+	if err != nil {
+		log.Error(err, "Failed to apply policy", "BindingName", bindingInfo.Binding.Name)
+		return err
+	}
+
+	return nil
+}
diff --git a/nimbus-kubearmor/processor/system_policy.go b/nimbus-kubearmor/processor/system_policy.go
@@ -0,0 +1,62 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package policy
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	general "github.com/5GSEC/nimbus/pkg/controllers/general"
+	utils "github.com/5GSEC/nimbus/pkg/controllers/utils"
+)
+
+// SystemPolicyController is a struct to handle system policies.
+type SystemPolicyController struct {
+	Client client.Client   // Client for interacting with Kubernetes API.
+	Scheme *runtime.Scheme // Scheme defines the runtime scheme of the Kubernetes objects.
+}
+
+// NewSystemPolicyController creates a new instance of SystemPolicyController.
+func NewSystemPolicyController(client client.Client, scheme *runtime.Scheme) *SystemPolicyController {
+	return &SystemPolicyController{
+		Client: client,
+		Scheme: scheme,
+	}
+}
+
+// HandlePolicy processes the system policy as defined in SecurityIntent.
+func (spc *SystemPolicyController) HandlePolicy(ctx context.Context, bindingInfo *general.BindingInfo) error {
+	log := log.FromContext(ctx) // Logger with context.
+	log.Info("Handling System Policy", "BindingName", bindingInfo.Binding.Name)
+
+	// Build KubeArmorPolicy based on BindingInfo
+	kubearmorPolicy := utils.BuildKubeArmorPolicySpec(ctx, bindingInfo)
+
+	err := utils.ApplyOrUpdatePolicy(ctx, spc.Client, kubearmorPolicy, bindingInfo.Binding.Name)
+	if err != nil {
+		log.Error(err, "Failed to apply KubeArmorPolicy", "Name", bindingInfo.Binding.Name)
+		return err
+	}
+
+	log.Info("Applied KubeArmorPolicy", "PolicyName", bindingInfo.Binding.Name)
+	return nil
+}
+
+// DeletePolicy removes the system policy associated with the SecurityIntent resource.
+func (spc *SystemPolicyController) DeletePolicy(ctx context.Context, bindingInfo *general.BindingInfo) error {
+	log := log.FromContext(ctx)
+
+	// Delete KubeArmor Policy
+	err := utils.DeletePolicy(ctx, spc.Client, "KubeArmorPolicy", bindingInfo.Binding.Name, bindingInfo.Binding.Namespace)
+	if err != nil {
+		log.Error(err, "Failed to delete KubeArmor Policy", "Name", bindingInfo.Binding.Name)
+		return err
+	}
+
+	log.Info("Deleted System Policy", "PolicyName", bindingInfo.Binding.Name)
+	return nil
+}