diff --git a/.gitignore b/.gitignore index aaa1cbd0..b6015af6 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,7 @@ *.dylib bin Dockerfile.cross +nimbus-kubearmor # Test binary, build with `go test -c` *.test diff --git a/api/v1/nimbuspolicy_types.go b/api/v1/nimbuspolicy_types.go index 4fd31af0..8e85ff14 100644 --- a/api/v1/nimbuspolicy_types.go +++ b/api/v1/nimbuspolicy_types.go @@ -43,7 +43,7 @@ type Rule struct { MatchProtocols []MatchProtocol `json:"matchProtocols,omitempty"` // Process: MatchPaths, MatchDirectories, MatchPatterns - // File: MatchPaths, MatchDirectories + // File: MatchPaths, MatchDirectories, MatchPatterns MatchPaths []MatchPath `json:"matchPaths,omitempty"` MatchDirectories []MatchDirectory `json:"matchDirectories,omitempty"` MatchPatterns []MatchPattern `json:"matchPatterns,omitempty"` @@ -52,7 +52,8 @@ type Rule struct { MatchCapabilities []MatchCapability `json:"matchCapabilities,omitempty"` // Syscalls: MatchSyscalls - MatchSyscalls []MatchSyscall `json:"matchSyscalls,omitempty"` + MatchSyscalls []MatchSyscall `json:"matchSyscalls,omitempty"` + MatchSyscallPaths []MatchSyscallPath `json:"matchSyscallPaths,omitempty"` FromCIDRSet []CIDRSet `json:"fromCIDRSet,omitempty"` ToPorts []ToPort `json:"toPorts,omitempty"` 
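Review bot: The new pattern `nimbus-kubearmor` contains no slash, so git matches it against any path component with that name, including the `pkg/nimbus-kubearmor` module directory that the go.work file added in this same commit points at. Files already tracked there are unaffected, but any new file created under that directory will be hidden from `git status` and skipped by `git add .` until someone notices. If the target is the adapter's build output, anchor the pattern to that location, e.g. `/pkg/nimbus-kubearmor/nimbus-kubearmor` (the binary's output path is not visible in this diff, so adjust accordingly).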
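Review bot: The grouping comment directly above the new field still reads `// Syscalls: MatchSyscalls` even though `MatchSyscallPaths` is now added under it, whereas the previous hunk updated the parallel `// File:` comment to list `MatchPatterns`. Change it to `// Syscalls: MatchSyscalls, MatchSyscallPaths`; controller-gen copies this comment into the CRD, and the regenerated nimbuspolicies.yaml in this diff still carries the old `'Syscalls: MatchSyscalls'` description. The same stale comment is left in the `SecurityIntentParams` hunk of securityintent_types.go. The `Rule` struct begins and ends outside this hunk.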
@@ -97,12 +98,26 @@ type MatchPattern struct { // MatchSyscall defines a syscall for syscall policies type MatchSyscall struct { - Syscalls []string `json:"syscalls,omitempty"` + Syscalls []string `json:"syscalls,omitempty"` + FromSource []SyscallFromSource `json:"fromSource,omitempty"` +} + +type MatchSyscallPath struct { + Path string `json:"path,omitempty"` + Recursive bool `json:"recursive,omitempty"` + Syscalls []string `json:"syscall,omitempty"` + FromSource []SyscallFromSource `json:"fromSource,omitempty"` +} + +type SyscallFromSource struct { + Path string `json:"path,omitempty"` + Dir string `json:"dir,omitempty"` } // MatchCapability defines a capability for capabilities policies type MatchCapability struct { - Capability string `json:"capability,omitempty"` + Capability string `json:"capability,omitempty"` + FromSource []NimbusFromSource `json:"fromSource,omitempty"` } // FromSource defines a source path for directory-based policies diff --git a/api/v1/securityintent_types.go b/api/v1/securityintent_types.go index 12fce719..dbc8b727 100644 --- a/api/v1/securityintent_types.go +++ b/api/v1/securityintent_types.go @@ -44,7 +44,8 @@ type SecurityIntentParams struct { MatchCapabilities []SecurityIntentMatchCapability `json:"matchCapabilities,omitempty"` // Syscalls: MatchSyscalls - MatchSyscalls []SecurityIntentMatchSyscall `json:"matchSyscalls,omitempty"` + MatchSyscalls []SecurityIntentMatchSyscall `json:"matchSyscalls,omitempty"` + MatchSyscallPaths []SecurityIntentMatchSyscallPath `json:"matchSyscallPaths,omitempty"` FromCIDRSet []SecurityIntentCIDRSet `json:"fromCIDRSet,omitempty"` ToPorts []SecurityIntentToPort `json:"toPorts,omitempty"` 
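Review bot: `MatchSyscallPath.Syscalls` is tagged `json:"syscall,omitempty"` while `MatchSyscall.Syscalls` a few lines above is tagged `syscalls`; because the CRD schema is generated from these tags, an author who writes `syscalls:` under `matchSyscallPaths` by analogy with `matchSyscalls` gets that key pruned by the API server and ends up with a path entry that names no syscalls, i.e. a quietly weaker policy than intended. If the singular key is deliberate (presumably to mirror the KubeArmor schema), say so in a doc comment on the field and consider `// +kubebuilder:validation:MinItems=1` so an empty list is rejected instead of accepted; otherwise rename the tag to `syscalls`. The new exported types `MatchSyscallPath` and `SyscallFromSource` also have no doc comment, unlike `MatchSyscall` and `MatchCapability` beside them; controller-gen turns those comments into CRD descriptions, which is why `matchSyscallPaths` in the regenerated YAML has none. Both points apply equally to `SecurityIntentMatchSyscallPath` in the securityintent_types.go hunk.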
@@ -89,7 +90,15 @@ type SecurityIntentMatchPattern struct { // MatchSyscall defines a syscall for syscall policies type SecurityIntentMatchSyscall struct { - Syscalls []string `json:"syscalls,omitempty"` + Syscalls []string `json:"syscalls,omitempty"` + FromSource []SyscallFromSource `json:"fromSource,omitempty"` +} + +type SecurityIntentMatchSyscallPath struct { + Path string `json:"path,omitempty"` + Recursive bool `json:"recursive,omitempty"` + Syscalls []string `json:"syscall,omitempty"` + FromSource []SyscallFromSource `json:"fromSource,omitempty"` } // MatchCapability defines a capability for capabilities policies diff --git a/api/v1/securityintentbinding_types.go b/api/v1/securityintentbinding_types.go index ec69684f..0dcbfc52 100644 --- a/api/v1/securityintentbinding_types.go +++ b/api/v1/securityintentbinding_types.go @@ -15,11 +15,11 @@ type SecurityIntentBindingSpec struct { // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster // Important: Run "make" to regenerate code after modifying this file - // Foo is an example field of SecurityIntentBinding. Edit securityintentbinding_types.go to remove/update Intents []MatchIntent `json:"intents"` Selector Selector `json:"selector"` } +// Intent struct defines the request for a specific SecurityIntent type MatchIntent struct { Name string `json:"name"` } @@ -49,9 +49,10 @@ type SecurityIntentBindingStatus struct { // Important: Run "make" to regenerate code after modifying this file } -//+kubebuilder:object:root=true +// +kubebuilder:object:root=true // +kubebuilder:resource: shortName="sib" -//+kubebuilder:subresource:status +// +kubebuilder:subresource:status +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // SecurityIntentBinding is the Schema for the securityintentbindings API type SecurityIntentBinding struct { 
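Review bot: `SecurityIntentMatchSyscall` and the new `SecurityIntentMatchSyscallPath` embed `SyscallFromSource`, the NimbusPolicy-side type, whereas every other type in this file is `SecurityIntent`-prefixed (`SecurityIntentMatchCapability`, `SecurityIntentCIDRSet`); this compiles because both files are in api/v1, but it couples the user-facing intent schema to the internal policy schema, so a later change to one silently changes the other's CRD. A `SecurityIntentSyscallFromSource` with the same two fields would keep the file's convention. Also worth confirming, since it is not in this diff: whatever code turns `SecurityIntentParams` into `Rule` must now copy `MatchSyscallPaths` and the new `FromSource` lists, otherwise an intent that sets them produces a NimbusPolicy that silently omits those restrictions.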
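Review bot: The new doc comment `// Intent struct defines the request for a specific SecurityIntent` does not begin with the type's name, which Go doc tooling and linters expect, and controller-gen copies it verbatim into the CRD (the regenerated securityintentbindings.yaml in this diff now shows 'Intent struct defines ...' as the description of `intents[]`). Suggest `// MatchIntent identifies, by name, a SecurityIntent referenced by a SecurityIntentBinding.`, which is what the single `Name` field supports.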
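Review bot: The added `// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object` sits next to `// +kubebuilder:object:root=true`, which already makes controller-gen emit `DeepCopyObject` for `SecurityIntentBinding`; controller-gen also honours the legacy `k8s:deepcopy-gen` markers, so the line is redundant if controller-gen is the only generator, and misleading if a reader takes it to mean code-generator's `deepcopy-gen` is also run. Either drop it or add a one-line comment naming the generator that needs it. The `SecurityIntentBinding` struct continues past the end of this hunk.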
@@ -61,8 +62,6 @@ type SecurityIntentBinding struct { Status SecurityIntentBindingStatus `json:"status,omitempty"` } -//+kubebuilder:object:root=true - // SecurityIntentBindingList contains a list of SecurityIntentBinding type SecurityIntentBindingList struct { metav1.TypeMeta `json:",inline"` diff --git a/config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml b/config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml index f98d8afb..6ae591fe 100644 --- a/config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml +++ b/config/crd/bases/intent.security.nimbus.com_nimbuspolicies.yaml @@ -69,6 +69,15 @@ spec: properties: capability: type: string + fromSource: + items: + description: FromSource defines a source path + for directory-based policies + properties: + path: + type: string + type: object + type: array type: object type: array matchDirectories: @@ -91,7 +100,7 @@ spec: type: array matchPaths: description: 'Process: MatchPaths, MatchDirectories, MatchPatterns - File: MatchPaths, MatchDirectories' + File: MatchPaths, MatchDirectories, MatchPatterns' items: description: MatchPath defines a path for process or file policies @@ -119,12 +128,43 @@ spec: type: string type: object type: array + matchSyscallPaths: + items: + properties: + fromSource: + items: + properties: + dir: + type: string + path: + type: string + type: object + type: array + path: + type: string + recursive: + type: boolean + syscall: + items: + type: string + type: array + type: object + type: array matchSyscalls: description: 'Syscalls: MatchSyscalls' items: description: MatchSyscall defines a syscall for syscall policies properties: + fromSource: + items: + properties: + dir: + type: string + path: + type: string + type: object + type: array syscalls: items: type: string diff --git a/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml b/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml index 4a535c46..a66964c2 100644 
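Review bot: Dropping `//+kubebuilder:object:root=true` from `SecurityIntentBindingList` means controller-gen's object generator will no longer emit `DeepCopyObject` for the list type, so it stops satisfying `runtime.Object` and the usual `SchemeBuilder.Register(&SecurityIntentBinding{}, &SecurityIntentBindingList{})` and client `List` calls fail to compile once zz_generated.deepcopy.go is regenerated (that file is not in this diff, so the breakage may be latent rather than immediate). The `+k8s:deepcopy-gen:interfaces=...` marker added in the previous hunk was placed on `SecurityIntentBinding`, which already had `root=true`, not on the list type, so it does not compensate. Restore `// +kubebuilder:object:root=true` directly above `// SecurityIntentBindingList contains a list of SecurityIntentBinding`. The `SecurityIntentBindingList` struct continues past the end of this hunk.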
--- a/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml +++ b/config/crd/bases/intent.security.nimbus.com_securityintentbindings.yaml @@ -38,9 +38,8 @@ spec: description: SecurityIntentBindingSpec defines the desired state of SecurityIntentBinding properties: intents: - description: Foo is an example field of SecurityIntentBinding. Edit - securityintentbinding_types.go to remove/update items: + description: Intent struct defines the request for a specific SecurityIntent properties: name: type: string diff --git a/config/crd/bases/intent.security.nimbus.com_securityintents.yaml b/config/crd/bases/intent.security.nimbus.com_securityintents.yaml index b0439195..3b36be37 100644 --- a/config/crd/bases/intent.security.nimbus.com_securityintents.yaml +++ b/config/crd/bases/intent.security.nimbus.com_securityintents.yaml @@ -116,12 +116,43 @@ spec: type: string type: object type: array + matchSyscallPaths: + items: + properties: + fromSource: + items: + properties: + dir: + type: string + path: + type: string + type: object + type: array + path: + type: string + recursive: + type: boolean + syscall: + items: + type: string + type: array + type: object + type: array matchSyscalls: description: 'Syscalls: MatchSyscalls' items: description: MatchSyscall defines a syscall for syscall policies properties: + fromSource: + items: + properties: + dir: + type: string + path: + type: string + type: object + type: array syscalls: items: type: string diff --git a/docs/Quick-tutorials.md b/docs/Quick-tutorials.md index 01cc3c76..ef807301 100644 --- a/docs/Quick-tutorials.md +++ b/docs/Quick-tutorials.md 
@@ -9,61 +9,95 @@ $ kubectl apply -f ./test/env/multiubuntu.yaml ### Run Operators (Nimbus) ``` -$ make run +~/nimbus_accuknox$ make run +test -s /home/cclab/nimbus_accuknox/bin/controller-gen && /home/cclab/nimbus_accuknox/bin/controller-gen --version | grep -q v0.13.0 || \ +GOBIN=/home/cclab/nimbus_accuknox/bin go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.13.0 +/home/cclab/nimbus_accuknox/bin/controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases +/home/cclab/nimbus_accuknox/bin/controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./pkg/..." +go fmt ./... +go vet ./... +go run cmd/main.go +2024-01-09T13:36:57Z INFO setup Starting manager +2024-01-09T13:36:57Z INFO controller-runtime.metrics Starting metrics server +2024-01-09T13:36:57Z INFO starting server {"kind": "health probe", "addr": "[::]:8081"} +2024-01-09T13:36:57Z INFO Starting EventSource {"controller": "securityintent", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntent", "source": "kind source: *v1.SecurityIntent"} +2024-01-09T13:36:57Z INFO Starting EventSource {"controller": "nimbuspolicy", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "NimbusPolicy", "source": "kind source: *v1.NimbusPolicy"} +... ``` -### Run Adapter Server +### Run Adapter (in this example, KubeArmor) ``` -$ cd nimbus-kubearmor/receiver/server -$ go run server.go -2024/01/02 20:35:46 Server starting on port 13000... +~/nimbus_accuknox$ cd pkg/nimbus-kubearmor +~/nimbus_accuknox/pkg/nimbus-kubearmor$ make build +~/nimbus_accuknox/pkg/nimbus-kubearmor$ make run +... 
+2024/01/09 13:36:18 Starting Kubernetes client configuration +2024/01/09 13:36:18 Starting NimbusPolicyWatcher +2024/01/09 13:36:18 Starting policy processing loop ``` -### Create and apply Securityintent and SecurityintentBinding file +### Create and apply Securityintent and SecurityintentBinding ``` -$ kubectl apply -f ./test/v2/intents/system/intent-path-block.yaml +$ cd nimbus_accuknox/test/v2 +~/nimbus_accuknox/test/v2$ kubectl apply -f intents/system/intent-path-block.yaml +securityintent.intent.security.nimbus.com/group-1-proc-path-sleep-block created ``` ``` -$ kubectl apply -f ./test/v2/bindings/system/binding-path-block.yaml +~/nimbus_accuknox/test/v2$ kubectl apply -f bindings/system/binding-path-block.yaml +securityintentbinding.intent.security.nimbus.com/sys-proc-path-sleep-block created ``` ### Verify SecurityIntent and SecurityIntentBinding +You can also check the operator's logs to see the detection and the process of creating the Nimbus Policy. + +``` +... +2024-01-09T13:37:06Z INFO SecurityIntent resource found {"controller": "securityintent", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntent", "SecurityIntent": {"name":"group-1-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "group-1-proc-path-sleep-block", "reconcileID": "5f7f67ea-33af-46b9-942a-af99a792c621", "Name": "group-1-proc-path-sleep-block", "Namespace": "multiubuntu"} +2024-01-09T13:37:19Z INFO SecurityIntentBinding resource found {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"sys-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "sys-proc-path-sleep-block", "reconcileID": "6425366f-c6ca-4a73-87e1-1191d7984166", "Name": "sys-proc-path-sleep-block", "Namespace": "multiubuntu"} +2024-01-09T13:37:19Z INFO Starting intent and binding matching {"controller": 
"securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"sys-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "sys-proc-path-sleep-block", "reconcileID": "6425366f-c6ca-4a73-87e1-1191d7984166"} +2024-01-09T13:37:19Z INFO Matching completed {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"sys-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "sys-proc-path-sleep-block", "reconcileID": "6425366f-c6ca-4a73-87e1-1191d7984166", "Matched Intent Names": ["group-1-proc-path-sleep-block"], "Matched Binding Names": ["sys-proc-path-sleep-block"]} +2024-01-09T13:37:19Z INFO Starting NimbusPolicy building {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"sys-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "sys-proc-path-sleep-block", "reconcileID": "6425366f-c6ca-4a73-87e1-1191d7984166"} +2024-01-09T13:37:19Z INFO NimbusPolicy built successfully {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"sys-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": "sys-proc-path-sleep-block", "reconcileID": "6425366f-c6ca-4a73-87e1-1191d7984166", "Policy": {"namespace": "multiubuntu", "name": "sys-proc-path-sleep-block"}} +2024-01-09T13:37:19Z INFO Found: NimbusPolicy {"controller": "nimbuspolicy", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "NimbusPolicy", "NimbusPolicy": {"name":"sys-proc-path-sleep-block","namespace":"multiubuntu"}, "namespace": "multiubuntu", "name": 
"sys-proc-path-sleep-block", "reconcileID": "46b8482e-bd09-44d4-9cdc-6b9b8c17febf", "Name": "sys-proc-path-sleep-block", "Namespace": "multiubuntu"} +... +``` + +To verify that it was actually created, you can check the following. +* Verify SecurityIntent ``` $ kubectl get SecurityIntent -n multiubuntu NAME AGE -group-1-proc-path-sleep-block 25s - +group-1-proc-path-sleep-block 28s ``` +* Verify SecurityIntentBinding ``` $ kubectl get SecurityIntentBinding -n multiubuntu NAME AGE sys-proc-path-sleep-block 29s - ``` - -### Verify Nimbus policy +* Verify Nimbus policy ``` $ kubectl get nimbuspolicy -n multiubuntu -NAME AGE -net-redis-ingress-deny 38s +NAME AGE +sys-proc-path-sleep-block 39s ``` ``` $ kubectl get np -n multiubuntu sys-proc-path-sleep-block -o yaml apiVersion: intent.security.nimbus.com/v1 kind: NimbusPolicy metadata: - creationTimestamp: "2024-01-02T20:37:33Z" + creationTimestamp: "2024-01-09T13:37:19Z" generation: 1 name: sys-proc-path-sleep-block namespace: multiubuntu - resourceVersion: "4281015" - uid: 00c3de93-92d4-4a88-bff6-389449751e3c + resourceVersion: "5753517" + uid: 5d2ae075-98b8-4958-850e-8114cb6dec19 spec: rules: - description: block the execution of '/bin/sleep' - id: sys-path-exec + id: sys-proc-paths rule: - action: Block matchPaths: 
@@ -71,4 +105,54 @@ spec: selector: matchLabels: group: group-1 -``` \ No newline at end of file +``` + +### Verify the adapter +The log for the adapter that detected nimbuspolicy is shown below. +``` +2024/01/09 13:36:18 Starting Kubernetes client configuration +2024/01/09 13:36:18 Starting NimbusPolicyWatcher +2024/01/09 13:36:18 Starting policy processing loop +2024/01/09 13:37:28 NimbusPolicy: Detected policy: Name: multiubuntu, Namespace: sys-proc-path-sleep-block, ID: [sys-proc-paths] +{TypeMeta:{Kind:NimbusPolicy APIVersion:intent.security.nimbus.com/v1} ObjectMeta:{Name:sys-proc-path-sleep-block GenerateName: Namespace:multiubuntu SelfLink: UID:5d2ae075-98b8-4958-850e-8114cb6dec19 ResourceVersion:5753517 Generation:1 CreationTimestamp:2024-01-09 13:37:19 +0000 UTC DeletionTimestamp: DeletionGracePeriodSeconds: Labels:map[] Annotations:map[] OwnerReferences:[] Finalizers:[] ManagedFields:[{Manager:main Operation:Update APIVersion:intent.security.nimbus.com/v1 Time:2024-01-09 13:37:19 +0000 UTC FieldsType:FieldsV1 FieldsV1:{"f:spec":{".":{},"f:rules":{},"f:selector":{".":{},"f:matchLabels":{".":{},"f:group":{}}}}} Subresource:}]} Spec:{Selector:{MatchLabels:map[group:group-1]} NimbusRules:[{Id:sys-proc-paths Type: Description:block the execution of '/bin/sleep' Rule:[{RuleAction:Block MatchProtocols:[] MatchPaths:[{Path:/bin/sleep}] MatchDirectories:[] MatchPatterns:[] MatchCapabilities:[] MatchSyscalls:[] MatchSyscallPaths:[] FromCIDRSet:[] ToPorts:[]}]}]} Status:{PolicyStatus:}} +2024/01/09 13:37:28 Exporting and Applying NimbusPolicy to KubeArmorPolicy +2024-01-09T13:37:28Z INFO Start Converting a NimbusPolicy {"PolicyName": "sys-proc-path-sleep-block"} +2024-01-09T13:37:28Z INFO Apply a new KubeArmorPolicy {"PolicyName": "sys-proc-path-sleep-block", "Policy": 
{"metadata":{"name":"sys-proc-path-sleep-block","namespace":"multiubuntu","creationTimestamp":null},"spec":{"selector":{"matchLabels":{"group":"group-1"}},"process":{"matchPaths":[{"path":"/bin/sleep"}]},"file":{},"network":{"matchProtocols":[{"protocol":"raw"}]},"capabilities":{"matchCapabilities":[{"capability":"lease"}]},"syscalls":{},"action":"Block"},"status":{}}} +2024/01/09 13:37:28 Successfully exported NimbusPolicy to KubeArmorPolicy +``` +
+You can also see the policies that were actually created. + +``` +$ kubectl get ksp -n multiubuntu +NAME AGE +sys-proc-path-sleep-block 3m24s +``` +``` +$ kubectl get ksp -n multiubuntu sys-proc-path-sleep-block -o yaml +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorPolicy +metadata: + creationTimestamp: "2024-01-09T13:37:28Z" + generation: 1 + name: sys-proc-path-sleep-block + namespace: multiubuntu + resourceVersion: "5753537" + uid: 16cb107b-e442-442f-90fe-dbb139658d5e +spec: + action: Block + capabilities: + matchCapabilities: + - capability: lease + file: {} + network: + matchProtocols: + - protocol: raw + process: + matchPaths: + - path: /bin/sleep + selector: + matchLabels: + group: group-1 + syscalls: {} +``` diff --git a/go.mod b/go.mod index 4ec53074..d336e8db 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/5GSEC/nimbus -go 1.20 +go 1.21 require ( github.com/cilium/cilium v1.14.3 diff --git a/go.work b/go.work new file mode 100644 index 00000000..dcd86d6e --- /dev/null +++ b/go.work @@ -0,0 +1,6 @@ +go 1.21 + +use ( + ./ + ./pkg/nimbus-kubearmor +) diff --git a/go.work.sum b/go.work.sum new file mode 100644 index 00000000..d9ca1324 --- /dev/null +++ b/go.work.sum 
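Review bot: Committing `go.work` switches every `go build`/`go test` in this checkout into workspace mode, and the go.work.sum added alongside it lists `git.cclab-inu.com/b0m313/nimbus v0.0.0-20240104180200-28e746f4b09a/go.mod`, which suggests the `./pkg/nimbus-kubearmor` module requires an external copy of this project rather than the `./` module the workspace uses. If that is the case, the adapter compiles against those external API types and never sees the `MatchSyscallPaths` fields added in this commit, and the dependency is fetched from a host outside the project's own forge; the nested go.mod is not in this diff, so please confirm. Either make the nested module require `github.com/5GSEC/nimbus` so `use ./` takes effect, or add a `replace` directive for the external path, and document in the README whether go.work is intended to be committed for CI or kept as a local convenience (the Go documentation generally advises against committing it).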
@@ -0,0 +1,536 @@ +cloud.google.com/go v0.110.2/go.mod h1:k04UEeEtb6ZBRTv3dZz4CeJC3jKGxyhl0sAiVVquxiw= +cloud.google.com/go v0.110.4/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI= +cloud.google.com/go/accessapproval v1.7.1/go.mod h1:JYczztsHRMK7NTXb6Xw+dwbs/WnOJxbo/2mTI+Kgg68= +cloud.google.com/go/accesscontextmanager v1.8.1/go.mod h1:JFJHfvuaTC+++1iL1coPiG1eu5D24db2wXCDWDjIrxo= +cloud.google.com/go/aiplatform v1.45.0/go.mod h1:Iu2Q7sC7QGhXUeOhAj/oCK9a+ULz1O4AotZiqjQ8MYA= +cloud.google.com/go/analytics v0.21.2/go.mod h1:U8dcUtmDmjrmUTnnnRnI4m6zKn/yaA5N9RlEkYFHpQo= +cloud.google.com/go/apigateway v1.6.1/go.mod h1:ufAS3wpbRjqfZrzpvLC2oh0MFlpRJm2E/ts25yyqmXA= +cloud.google.com/go/apigeeconnect v1.6.1/go.mod h1:C4awq7x0JpLtrlQCr8AzVIzAaYgngRqWf9S5Uhg+wWs= +cloud.google.com/go/apigeeregistry v0.7.1/go.mod h1:1XgyjZye4Mqtw7T9TsY4NW10U7BojBvG4RMD+vRDrIw= +cloud.google.com/go/appengine v1.8.1/go.mod h1:6NJXGLVhZCN9aQ/AEDvmfzKEfoYBlfB80/BHiKVputY= +cloud.google.com/go/area120 v0.8.1/go.mod h1:BVfZpGpB7KFVNxPiQBuHkX6Ed0rS51xIgmGyjrAfzsg= +cloud.google.com/go/artifactregistry v1.14.1/go.mod h1:nxVdG19jTaSTu7yA7+VbWL346r3rIdkZ142BSQqhn5E= +cloud.google.com/go/asset v1.14.1/go.mod h1:4bEJ3dnHCqWCDbWJ/6Vn7GVI9LerSi7Rfdi03hd+WTQ= +cloud.google.com/go/assuredworkloads v1.11.1/go.mod h1:+F04I52Pgn5nmPG36CWFtxmav6+7Q+c5QyJoL18Lry0= +cloud.google.com/go/automl v1.13.1/go.mod h1:1aowgAHWYZU27MybSCFiukPO7xnyawv7pt3zK4bheQE= +cloud.google.com/go/baremetalsolution v1.1.1/go.mod h1:D1AV6xwOksJMV4OSlWHtWuFNZZYujJknMAP4Qa27QIA= +cloud.google.com/go/batch v1.3.1/go.mod h1:VguXeQKXIYaeeIYbuozUmBR13AfL4SJP7IltNPS+A4A= +cloud.google.com/go/beyondcorp v1.0.0/go.mod h1:YhxDWw946SCbmcWo3fAhw3V4XZMSpQ/VYfcKGAEU8/4= +cloud.google.com/go/bigquery v1.52.0/go.mod h1:3b/iXjRQGU4nKa87cXeg6/gogLjO8C6PmuM8i5Bi/u4= +cloud.google.com/go/billing v1.16.0/go.mod h1:y8vx09JSSJG02k5QxbycNRrN7FGZB6F3CAcgum7jvGA= +cloud.google.com/go/binaryauthorization v1.6.1/go.mod 
h1:TKt4pa8xhowwffiBmbrbcxijJRZED4zrqnwZ1lKH51U= +cloud.google.com/go/certificatemanager v1.7.1/go.mod h1:iW8J3nG6SaRYImIa+wXQ0g8IgoofDFRp5UMzaNk1UqI= +cloud.google.com/go/channel v1.16.0/go.mod h1:eN/q1PFSl5gyu0dYdmxNXscY/4Fi7ABmeHCJNf/oHmc= +cloud.google.com/go/cloudbuild v1.10.1/go.mod h1:lyJg7v97SUIPq4RC2sGsz/9tNczhyv2AjML/ci4ulzU= +cloud.google.com/go/clouddms v1.6.1/go.mod h1:Ygo1vL52Ov4TBZQquhz5fiw2CQ58gvu+PlS6PVXCpZI= +cloud.google.com/go/cloudtasks v1.11.1/go.mod h1:a9udmnou9KO2iulGscKR0qBYjreuX8oHwpmFsKspEvM= +cloud.google.com/go/compute v1.19.1/go.mod h1:6ylj3a05WF8leseCdIf77NK0g1ey+nj5IKd5/kvShxE= +cloud.google.com/go/compute v1.19.3/go.mod h1:qxvISKp/gYnXkSAD1ppcSOveRAmzxicEv/JlizULFrI= +cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= +cloud.google.com/go/contactcenterinsights v1.9.1/go.mod h1:bsg/R7zGLYMVxFFzfh9ooLTruLRCG9fnzhH9KznHhbM= +cloud.google.com/go/container v1.22.1/go.mod h1:lTNExE2R7f+DLbAN+rJiKTisauFCaoDq6NURZ83eVH4= +cloud.google.com/go/containeranalysis v0.10.1/go.mod h1:Ya2jiILITMY68ZLPaogjmOMNkwsDrWBSTyBubGXO7j0= +cloud.google.com/go/datacatalog v1.14.1/go.mod h1:d2CevwTG4yedZilwe+v3E3ZBDRMobQfSG/a6cCCN5R4= +cloud.google.com/go/dataflow v0.9.1/go.mod h1:Wp7s32QjYuQDWqJPFFlnBKhkAtiFpMTdg00qGbnIHVw= +cloud.google.com/go/dataform v0.8.1/go.mod h1:3BhPSiw8xmppbgzeBbmDvmSWlwouuJkXsXsb8UBih9M= +cloud.google.com/go/datafusion v1.7.1/go.mod h1:KpoTBbFmoToDExJUso/fcCiguGDk7MEzOWXUsJo0wsI= +cloud.google.com/go/datalabeling v0.8.1/go.mod h1:XS62LBSVPbYR54GfYQsPXZjTW8UxCK2fkDciSrpRFdY= +cloud.google.com/go/dataplex v1.8.1/go.mod h1:7TyrDT6BCdI8/38Uvp0/ZxBslOslP2X2MPDucliyvSE= +cloud.google.com/go/dataproc v1.12.0/go.mod h1:zrF3aX0uV3ikkMz6z4uBbIKyhRITnxvr4i3IjKsKrw4= +cloud.google.com/go/dataqna v0.8.1/go.mod h1:zxZM0Bl6liMePWsHA8RMGAfmTG34vJMapbHAxQ5+WA8= +cloud.google.com/go/datastore v1.12.1/go.mod 
h1:KjdB88W897MRITkvWWJrg2OUtrR5XVj1EoLgSp6/N70= +cloud.google.com/go/datastream v1.9.1/go.mod h1:hqnmr8kdUBmrnk65k5wNRoHSCYksvpdZIcZIEl8h43Q= +cloud.google.com/go/deploy v1.11.0/go.mod h1:tKuSUV5pXbn67KiubiUNUejqLs4f5cxxiCNCeyl0F2g= +cloud.google.com/go/dialogflow v1.38.0/go.mod h1:L7jnH+JL2mtmdChzAIcXQHXMvQkE3U4hTaNltEuxXn4= +cloud.google.com/go/dlp v1.10.1/go.mod h1:IM8BWz1iJd8njcNcG0+Kyd9OPnqnRNkDV8j42VT5KOI= +cloud.google.com/go/documentai v1.20.0/go.mod h1:yJkInoMcK0qNAEdRnqY/D5asy73tnPe88I1YTZT+a8E= +cloud.google.com/go/domains v0.9.1/go.mod h1:aOp1c0MbejQQ2Pjf1iJvnVyT+z6R6s8pX66KaCSDYfE= +cloud.google.com/go/edgecontainer v1.1.1/go.mod h1:O5bYcS//7MELQZs3+7mabRqoWQhXCzenBu0R8bz2rwk= +cloud.google.com/go/errorreporting v0.3.0/go.mod h1:xsP2yaAp+OAW4OIm60An2bbLpqIhKXdWR/tawvl7QzU= +cloud.google.com/go/essentialcontacts v1.6.2/go.mod h1:T2tB6tX+TRak7i88Fb2N9Ok3PvY3UNbUsMag9/BARh4= +cloud.google.com/go/eventarc v1.12.1/go.mod h1:mAFCW6lukH5+IZjkvrEss+jmt2kOdYlN8aMx3sRJiAI= +cloud.google.com/go/filestore v1.7.1/go.mod h1:y10jsorq40JJnjR/lQ8AfFbbcGlw3g+Dp8oN7i7FjV4= +cloud.google.com/go/firestore v1.11.0/go.mod h1:b38dKhgzlmNNGTNZZwe7ZRFEuRab1Hay3/DBsIGKKy4= +cloud.google.com/go/functions v1.15.1/go.mod h1:P5yNWUTkyU+LvW/S9O6V+V423VZooALQlqoXdoPz5AE= +cloud.google.com/go/gkebackup v1.3.0/go.mod h1:vUDOu++N0U5qs4IhG1pcOnD1Mac79xWy6GoBFlWCWBU= +cloud.google.com/go/gkeconnect v0.8.1/go.mod h1:KWiK1g9sDLZqhxB2xEuPV8V9NYzrqTUmQR9shJHpOZw= +cloud.google.com/go/gkehub v0.14.1/go.mod h1:VEXKIJZ2avzrbd7u+zeMtW00Y8ddk/4V9511C9CQGTY= +cloud.google.com/go/gkemulticloud v0.6.1/go.mod h1:kbZ3HKyTsiwqKX7Yw56+wUGwwNZViRnxWK2DVknXWfw= +cloud.google.com/go/gsuiteaddons v1.6.1/go.mod h1:CodrdOqRZcLp5WOwejHWYBjZvfY0kOphkAKpF/3qdZY= +cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0= +cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= +cloud.google.com/go/iap v1.8.1/go.mod 
h1:sJCbeqg3mvWLqjZNsI6dfAtbbV1DL2Rl7e1mTyXYREQ= +cloud.google.com/go/ids v1.4.1/go.mod h1:np41ed8YMU8zOgv53MMMoCntLTn2lF+SUzlM+O3u/jw= +cloud.google.com/go/iot v1.7.1/go.mod h1:46Mgw7ev1k9KqK1ao0ayW9h0lI+3hxeanz+L1zmbbbk= +cloud.google.com/go/kms v1.12.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM= +cloud.google.com/go/language v1.10.1/go.mod h1:CPp94nsdVNiQEt1CNjF5WkTcisLiHPyIbMhvR8H2AW0= +cloud.google.com/go/lifesciences v0.9.1/go.mod h1:hACAOd1fFbCGLr/+weUKRAJas82Y4vrL3O5326N//Wc= +cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M= +cloud.google.com/go/longrunning v0.5.0/go.mod h1:0JNuqRShmscVAhIACGtskSAWtqtOoPkwP0YF1oVEchc= +cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc= +cloud.google.com/go/managedidentities v1.6.1/go.mod h1:h/irGhTN2SkZ64F43tfGPMbHnypMbu4RB3yl8YcuEak= +cloud.google.com/go/maps v1.3.0/go.mod h1:6mWTUv+WhnOwAgjVsSW2QPPECmW+s3PcRyOa9vgG/5s= +cloud.google.com/go/mediatranslation v0.8.1/go.mod h1:L/7hBdEYbYHQJhX2sldtTO5SZZ1C1vkapubj0T2aGig= +cloud.google.com/go/memcache v1.10.1/go.mod h1:47YRQIarv4I3QS5+hoETgKO40InqzLP6kpNLvyXuyaA= +cloud.google.com/go/metastore v1.11.1/go.mod h1:uZuSo80U3Wd4zi6C22ZZliOUJ3XeM/MlYi/z5OAOWRA= +cloud.google.com/go/monitoring v1.15.1/go.mod h1:lADlSAlFdbqQuwwpaImhsJXu1QSdd3ojypXrFSMr2rM= +cloud.google.com/go/networkconnectivity v1.12.1/go.mod h1:PelxSWYM7Sh9/guf8CFhi6vIqf19Ir/sbfZRUwXh92E= +cloud.google.com/go/networkmanagement v1.8.0/go.mod h1:Ho/BUGmtyEqrttTgWEe7m+8vDdK74ibQc+Be0q7Fof0= +cloud.google.com/go/networksecurity v0.9.1/go.mod h1:MCMdxOKQ30wsBI1eI659f9kEp4wuuAueoC9AJKSPWZQ= +cloud.google.com/go/notebooks v1.9.1/go.mod h1:zqG9/gk05JrzgBt4ghLzEepPHNwE5jgPcHZRKhlC1A8= +cloud.google.com/go/optimization v1.4.1/go.mod h1:j64vZQP7h9bO49m2rVaTVoNM0vEBEN5eKPUPbZyXOrk= +cloud.google.com/go/orchestration v1.8.1/go.mod h1:4sluRF3wgbYVRqz7zJ1/EUNc90TTprliq9477fGobD8= +cloud.google.com/go/orgpolicy v1.11.1/go.mod 
h1:8+E3jQcpZJQliP+zaFfayC2Pg5bmhuLK755wKhIIUCE= +cloud.google.com/go/osconfig v1.12.1/go.mod h1:4CjBxND0gswz2gfYRCUoUzCm9zCABp91EeTtWXyz0tE= +cloud.google.com/go/oslogin v1.10.1/go.mod h1:x692z7yAue5nE7CsSnoG0aaMbNoRJRXO4sn73R+ZqAs= +cloud.google.com/go/phishingprotection v0.8.1/go.mod h1:AxonW7GovcA8qdEk13NfHq9hNx5KPtfxXNeUxTDxB6I= +cloud.google.com/go/policytroubleshooter v1.7.1/go.mod h1:0NaT5v3Ag1M7U5r0GfDCpUFkWd9YqpubBWsQlhanRv0= +cloud.google.com/go/privatecatalog v0.9.1/go.mod h1:0XlDXW2unJXdf9zFz968Hp35gl/bhF4twwpXZAW50JA= +cloud.google.com/go/pubsub v1.32.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc= +cloud.google.com/go/pubsublite v1.8.1/go.mod h1:fOLdU4f5xldK4RGJrBMm+J7zMWNj/k4PxwEZXy39QS0= +cloud.google.com/go/recaptchaenterprise/v2 v2.7.2/go.mod h1:kR0KjsJS7Jt1YSyWFkseQ756D45kaYNTlDPPaRAvDBU= +cloud.google.com/go/recommendationengine v0.8.1/go.mod h1:MrZihWwtFYWDzE6Hz5nKcNz3gLizXVIDI/o3G1DLcrE= +cloud.google.com/go/recommender v1.10.1/go.mod h1:XFvrE4Suqn5Cq0Lf+mCP6oBHD/yRMA8XxP5sb7Q7gpA= +cloud.google.com/go/redis v1.13.1/go.mod h1:VP7DGLpE91M6bcsDdMuyCm2hIpB6Vp2hI090Mfd1tcg= +cloud.google.com/go/resourcemanager v1.9.1/go.mod h1:dVCuosgrh1tINZ/RwBufr8lULmWGOkPS8gL5gqyjdT8= +cloud.google.com/go/resourcesettings v1.6.1/go.mod h1:M7mk9PIZrC5Fgsu1kZJci6mpgN8o0IUzVx3eJU3y4Jw= +cloud.google.com/go/retail v1.14.1/go.mod h1:y3Wv3Vr2k54dLNIrCzenyKG8g8dhvhncT2NcNjb/6gE= +cloud.google.com/go/run v1.2.0/go.mod h1:36V1IlDzQ0XxbQjUx6IYbw8H3TJnWvhii963WW3B/bo= +cloud.google.com/go/scheduler v1.10.1/go.mod h1:R63Ldltd47Bs4gnhQkmNDse5w8gBRrhObZ54PxgR2Oo= +cloud.google.com/go/secretmanager v1.11.1/go.mod h1:znq9JlXgTNdBeQk9TBW/FnR/W4uChEKGeqQWAJ8SXFw= +cloud.google.com/go/security v1.15.1/go.mod h1:MvTnnbsWnehoizHi09zoiZob0iCHVcL4AUBj76h9fXA= +cloud.google.com/go/securitycenter v1.23.0/go.mod h1:8pwQ4n+Y9WCWM278R8W3nF65QtY172h4S8aXyI9/hsQ= +cloud.google.com/go/servicedirectory v1.10.1/go.mod h1:Xv0YVH8s4pVOwfM/1eMTl0XJ6bzIOSLDt8f8eLaGOxQ= 
+cloud.google.com/go/shell v1.7.1/go.mod h1:u1RaM+huXFaTojTbW4g9P5emOrrmLE69KrxqQahKn4g= +cloud.google.com/go/spanner v1.47.0/go.mod h1:IXsJwVW2j4UKs0eYDqodab6HgGuA1bViSqW4uH9lfUI= +cloud.google.com/go/speech v1.17.1/go.mod h1:8rVNzU43tQvxDaGvqOhpDqgkJTFowBpDvCJ14kGlJYo= +cloud.google.com/go/storage v1.30.1/go.mod h1:NfxhC0UJE1aXSx7CIIbCf7y9HKT7BiccwkR7+P7gN8E= +cloud.google.com/go/storagetransfer v1.10.0/go.mod h1:DM4sTlSmGiNczmV6iZyceIh2dbs+7z2Ayg6YAiQlYfA= +cloud.google.com/go/talent v1.6.2/go.mod h1:CbGvmKCG61mkdjcqTcLOkb2ZN1SrQI8MDyma2l7VD24= +cloud.google.com/go/texttospeech v1.7.1/go.mod h1:m7QfG5IXxeneGqTapXNxv2ItxP/FS0hCZBwXYqucgSk= +cloud.google.com/go/tpu v1.6.1/go.mod h1:sOdcHVIgDEEOKuqUoi6Fq53MKHJAtOwtz0GuKsWSH3E= +cloud.google.com/go/trace v1.10.1/go.mod h1:gbtL94KE5AJLH3y+WVpfWILmqgc6dXcqgNXdOPAQTYk= +cloud.google.com/go/translate v1.8.1/go.mod h1:d1ZH5aaOA0CNhWeXeC8ujd4tdCFw8XoNWRljklu5RHs= +cloud.google.com/go/video v1.17.1/go.mod h1:9qmqPqw/Ib2tLqaeHgtakU+l5TcJxCJbhFXM7UJjVzU= +cloud.google.com/go/videointelligence v1.11.1/go.mod h1:76xn/8InyQHarjTWsBR058SmlPCwQjgcvoW0aZykOvo= +cloud.google.com/go/vision/v2 v2.7.2/go.mod h1:jKa8oSYBWhYiXarHPvP4USxYANYUEdEsQrloLjrSwJU= +cloud.google.com/go/vmmigration v1.7.1/go.mod h1:WD+5z7a/IpZ5bKK//YmT9E047AD+rjycCAvyMxGJbro= +cloud.google.com/go/vmwareengine v0.4.1/go.mod h1:Px64x+BvjPZwWuc4HdmVhoygcXqEkGHXoa7uyfTgSI0= +cloud.google.com/go/vpcaccess v1.7.1/go.mod h1:FogoD46/ZU+JUBX9D606X21EnxiszYi2tArQwLY4SXs= +cloud.google.com/go/webrisk v1.9.1/go.mod h1:4GCmXKcOa2BZcZPn6DCEvE7HypmEJcJkr4mtM+sqYPc= +cloud.google.com/go/websecurityscanner v1.6.1/go.mod h1:Njgaw3rttgRHXzwCB8kgCYqv5/rGpFCsBOvPbYgszpg= +cloud.google.com/go/workflows v1.11.1/go.mod h1:Z+t10G1wF7h8LgdY/EmRcQY8ptBD/nvofaL6FqlET6g= +git.cclab-inu.com/b0m313/nimbus v0.0.0-20240104180200-28e746f4b09a/go.mod h1:UXlxlrz7qbXQlfI/lkYNuzROQMq7XzxUsy+/VrNj7XA= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1/go.mod 
h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0= +github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs= +github.com/Azure/go-autorest/autorest/adal v0.9.23/go.mod h1:5pcMqFkdPhviJdlEy3kC/v1ZLnQl0MH6XA5YCcMhy4c= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= +github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= +github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/alecthomas/kingpin/v2 v2.3.2/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE= +github.com/alecthomas/participle/v2 v2.0.0-beta.4/go.mod h1:RC764t6n4L8D8ITAJv0qdokritYSNR3wV5cVwmIEaMM= +github.com/alecthomas/units 
v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE= +github.com/aliyun/alibaba-cloud-sdk-go v1.62.392/go.mod h1:Api2AkmMgGaSUAhmk76oaFObkoeCPc/bKAqcyplPODs= +github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= +github.com/armon/go-metrics v0.4.0/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/aws/aws-sdk-go-v2 v1.18.1/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= +github.com/aws/aws-sdk-go-v2/config v1.18.27/go.mod h1:0My+YgmkGxeqjXZb5BYme5pc4drjTnM+x1GJ3zv42Nw= +github.com/aws/aws-sdk-go-v2/credentials v1.13.26/go.mod h1:GoXt2YC8jHUBbA4jr+W3JiemnIbkXOfxSXcisUsZ3os= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4/go.mod h1:E1hLXN/BL2e6YizK1zFlYd8vsfi2GTjbjBazinMmeaM= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34/go.mod h1:wZpTEecJe0Btj3IYnDx/VlUzor9wm3fJHyvLpQF0VwY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28/go.mod h1:7VRpKQQedkfIEXb4k52I7swUnZP0wohVajJMRn3vsUw= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35/go.mod h1:0Eg1YjxE0Bhn56lx+SHJwCzhW+2JGtizsrx+lCqrfm0= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.102.0/go.mod h1:tIctCeX9IbzsUTKHt53SVEcgyfxV2ElxJeEB+QUbc4M= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.28/go.mod h1:jj7znCIg05jXlaGBlFMGP8+7UN3VtCkRBG2spnmRQkU= +github.com/aws/aws-sdk-go-v2/service/sso v1.12.12/go.mod h1:HuCOxYsF21eKrerARYO6HapNeh9GBNq7fius2AcwodY= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.12/go.mod h1:E4VrHCPzmVB/KFXtqBGKb3c8zpbNBgKe3fisDNLAW5w= +github.com/aws/aws-sdk-go-v2/service/sts 
v1.19.2/go.mod h1:dp0yLPsLBOi++WTxzCjA/oZqi6NPIhoR+uF7GeMU9eg= +github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= +github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= +github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= +github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= +github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cilium/checkmate v1.0.3/go.mod h1:KiBTasf39/F2hf2yAmHw21YFl3hcEyP4Yk6filxc12A= +github.com/cilium/coverbee v0.3.2/go.mod h1:p9Q2SRC/sPA0qATNfY19GXBUPdcQP6UVV2LKgOHRIzQ= +github.com/cilium/deepequal-gen v0.0.0-20230330134849-754271daeec2/go.mod h1:Fjjkur+OWg3is19QRyUYbdPm1KP1aMsVV/IurXYmO3c= +github.com/cilium/fake v0.4.0/go.mod h1:21afzsL8AAyP1Mrz/qz5vCenHmtYxIJxnULri9ofXF8= +github.com/cilium/kafka v0.0.0-20180809090225-01ce283b732b/go.mod h1:ktgizta3CPZBKz5uW272SJyjiro0vn4nOVP7Pk4RopA= +github.com/cilium/linters v0.0.0-20230711081823-012f25fa2197/go.mod h1:UcjOuDlOEdaySs4Y1jITQtTPiWOChILk9JbRNhmll2k= +github.com/cilium/lumberjack/v2 v2.3.0/go.mod h1:yfbtPGmg4i//5oEqzaMxDqSWqgfZFmMoV70Mc2k6v0A= +github.com/cilium/workerpool v1.2.0/go.mod h1:GOYJhwlnIjR+jWSDNBb5kw47G1H/XA9X4WOBpgr4pQU= +github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/xds/go 
v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/containernetworking/cni v1.1.2/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw= +github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0= +github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= +github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= +github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v24.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/libnetwork v0.8.0-dev.2.0.20210525090646-64b7a4574d14/go.mod h1:93m0aTqz6z+g32wla4l4WxTrdtvBRmVzYRkYvasA5Z8= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod 
h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= +github.com/eapache/channels v1.1.0/go.mod h1:jMm2qB5Ubtg9zLd+inMZd2/NUvXgzmWXsDaLyQIGfH0= +github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= +github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.10.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= +github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= +github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= +github.com/envoyproxy/go-control-plane v0.11.1-0.20230524094728-9239064ad72f/go.mod h1:sfYdkwUW4BA3PbKjySwjJy+O4Pu0h62rlqCMHNk+K+Q= +github.com/envoyproxy/protoc-gen-validate v0.10.1/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss= +github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= +github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0= +github.com/frankban/quicktest 
v1.14.5/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/kit v0.12.0/go.mod h1:lHd+EkCZPIwYItmGDDRdhinkzX2A1sj+M9biaEaizzs= +github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= +github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= +github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/gobuffalo/flect v0.3.0/go.mod h1:5pf3aGnsvqvCj50AVni7mJJF8ICxGZ8HomberC3pXLE= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= +github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ= +github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/btree v1.0.1/go.mod 
h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= +github.com/google/cel-go v0.16.1/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= +github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo= +github.com/google/gops v0.3.27/go.mod h1:lYqabmfnq4Q6UumWNx96Hjup5BDAVc8zmfIy0SkNCSk= +github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4= +github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI= +github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod 
h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w= +github.com/hashicorp/consul/api v1.21.0/go.mod h1:f8zVJwBcLdr1IQnfdfszjUM0xzp31Zl3bpws3pL9uFM= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-hclog v1.2.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-immutable-radix/v2 v2.0.0/go.mod h1:hgdqLXA4f6NIjRVisM1TJ9aOJVNRqKZj+xDGF6m7PBw= +github.com/hashicorp/go-memdb v1.3.4/go.mod h1:uBTr1oQbtuMgd1SSGoR8YV27eT3sBHbYiNm53bMpgSg= +github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/golang-lru/v2 v2.0.4/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= +github.com/hashicorp/serf v0.10.1/go.mod h1:yL2t6BqATOLGc5HF7qbFkTfXoPIY0WZdWHfEvMqbG+4= +github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= +github.com/ishidawataru/sctp v0.0.0-20210707070123-9a39160e9062/go.mod h1:co9pwDoBCm1kGxawmb4sPq0cSIOOWNPT4KnHotMP1Zg= +github.com/jeremywohl/flatten v1.0.1/go.mod h1:4AmD/VxjWcI5SRB0n6szE2A6s2fsNHDLO0nAlMHgfLQ= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= +github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w= 
+github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= +github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/k-sone/critbitgo v1.4.0/go.mod h1:7E6pyoyADnFxlUBEKcnfS49b7SUAQGMK+OAp/UQvo0s= +github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20231216173200-e64ccb7fede8/go.mod h1:LtrnsoV9isTrXx0ClJgKxSJ/gbYmDj9m3pXIjG1yxBg= +github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= +github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= +github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/mdlayher/arp v0.0.0-20220221190821-c37aaafac7f9/go.mod h1:kfOoFJuHWp76v1RgZCb9/gVUc7XdY877S2uVYbNliGc= +github.com/mdlayher/ethernet v0.0.0-20220221185849-529eae5b6118/go.mod h1:ZFUnHIVchZ9lJoWoEGUg8Q3M4U8aNNWA3CVSUTkW4og= +github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o= +github.com/mdlayher/ndp v0.0.0-20200602162440-17ab9e3e5567/go.mod h1:32w/5dDZWVSEOxyniAgKK4d7dHTuO6TCxWmUznQe3f8= +github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw= +github.com/mdlayher/packet v1.1.2/go.mod h1:GEu1+n9sG5VtiRE4SydOmX5GTwyyYlteZiFU+x0kew4= +github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA= +github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod 
h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= +github.com/onsi/ginkgo/v2 v2.1.4/go.mod h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47RKZmLU= +github.com/onsi/ginkgo/v2 v2.9.7/go.mod h1:cxrmXWykAwTwhQsJOPfdIDiJ+l2RYq7U8hFU+M/1uw0= +github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= +github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= +github.com/onsi/gomega v1.27.8/go.mod h1:2J8vzI/s+2shY9XHRApDkdgPo1TKT7P2u6fXeJKFnNQ= +github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= +github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opentracing/opentracing-go v1.1.0/go.mod 
h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/osrg/gobgp/v3 v3.15.1-0.20230612211909-79d301f75b42/go.mod h1:tSUXn/s9uggSRTKP3IBeT5zI4ayOUX3O7fG5+n+SHPc= +github.com/pelletier/go-toml v1.7.0 h1:7utD74fnzVc/cpcyy8sjrlFr5vYpypUixARcHIMIGuI= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= +github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc= +github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= +github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= +github.com/prometheus/common v0.43.0/go.mod h1:NCvr5cQIh3Y/gy73/RdVtC9r8xxrxwJnB+2lB3BxrFc= +github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= +github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= +github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= +github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY= +github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/rootless-containers/rootlesskit v1.1.0/go.mod h1:H+o9ndNe7tS91WqU0/+vpvc+VaCd7TCIWaJjnV0ujUo= +github.com/sagikazarmark/crypt v0.10.0/go.mod h1:gwTNHQVoOS3xp9Xvz5LLR+1AauC5M6880z5NWzdhOyQ= +github.com/servak/go-fastping v0.0.0-20160802140958-5718d12e20a0/go.mod h1:udnTWkGp1ZiRsEU6rPpITf4oM2aLVcoGY/Z100KY4zY= +github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/soheilhy/cmux v0.1.5/go.mod 
h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spiffe/go-spiffe/v2 v2.1.6/go.mod h1:eVDqm9xFvyqao6C+eQensb9ZPkyNEeaUbqbBpOhBnNk= +github.com/spiffe/spire-api-sdk v1.7.0/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI= +github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= +github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= +gitlab.com/golang-commonmark/puny v0.0.0-20191124015043-9f83538fa04f/go.mod h1:Tiuhl+njh/JIg0uS/sOJVYi0x2HEa5rc1OAaVsb5tAs= +go.etcd.io/bbolt v1.3.7/go.mod 
h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw= +go.etcd.io/etcd/api/v3 v3.5.9/go.mod h1:uyAal843mC8uUVSLWz6eHa/d971iDGnCRpmKd2Z+X8k= +go.etcd.io/etcd/client/pkg/v3 v3.5.9/go.mod h1:y+CzeSmkMpWN2Jyu1npecjB9BBnABxGM4pN8cGuJeL4= +go.etcd.io/etcd/client/v2 v2.305.9/go.mod h1:0NBdNx9wbxtEQLwAQtrDHwx58m02vXpDcgSYI2seohQ= +go.etcd.io/etcd/client/v3 v3.5.9/go.mod h1:i/Eo5LrZ5IKqpbtpPDuaUnDOUv471oDg8cjQaUr2MbA= +go.etcd.io/etcd/pkg/v3 v3.5.9/go.mod h1:BZl0SAShQFk0IpLWR78T/+pyt8AruMHhTNNX73hkNVY= +go.etcd.io/etcd/raft/v3 v3.5.9/go.mod h1:WnFkqzFdZua4LVlVXQEGhmooLeyS7mqzS4Pf4BCVqXg= +go.etcd.io/etcd/server/v3 v3.5.9/go.mod h1:GgI1fQClQCFIzuVjlvdbMxNbnISt90gdfYyqiAIt65g= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0/go.mod h1:h8TWwRAhQpOd0aM5nYsRD8+flnkj+526GEIVlarH7eY= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1/go.mod h1:9NiG9I2aHTKkcxqCILhjtyNA1QEiCjdBACv4IvrFQ+c= +go.opentelemetry.io/otel v1.10.0/go.mod h1:NbvWjCthWHKBEUMpf0/v8ZRZlni86PpGFEMA9pnQSnQ= +go.opentelemetry.io/otel v1.14.0/go.mod h1:o4buv+dJzx8rohcUeRmWUZhqupFvzWis188WlggnNeU= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0/go.mod h1:78XhIg8Ht9vR4tbLNUhXsiOnE2HOuSeKAiAcoVQEpOY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0/go.mod h1:Krqnjl22jUJ0HgMzw5eveuCvFDXY4nSYb4F8t5gdrag= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0/go.mod h1:OfUCyyIiDvNXHWpcWgbF+MWvqPZiNa3YDEnivcnYsV0= +go.opentelemetry.io/otel/metric v0.31.0/go.mod h1:ohmwj9KTSIeBnDBm/ZwH2PSZxZzoOaG2xZeekTRzL5A= +go.opentelemetry.io/otel/sdk v1.10.0/go.mod h1:vO06iKzD5baltJz1zarxMCNHFpUlUiOy4s65ECtn6kE= +go.opentelemetry.io/otel/sdk v1.14.0/go.mod h1:bwIC5TjrNG6QDCHNWvW4HLHtUQ4I+VQDsnjhvyZCALM= +go.opentelemetry.io/otel/trace v1.10.0/go.mod h1:Sij3YYczqAdz+EhmGhE6TpTxUO5/F/AzrK+kxfGqySM= +go.opentelemetry.io/otel/trace v1.14.0/go.mod 
h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8= +go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= +go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= +go.uber.org/goleak v1.2.0/go.mod h1:XJYK+MuIchqpmGmUSAzotztawfKvYLUIgg7guXrwVUo= +go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= +go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk= +go.universe.tf/metallb v0.11.0/go.mod h1:fgWtLDBVO1yuhoBhChX1PKI31WAlF9nu5yROMN8nFBs= +go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35/go.mod h1:TQvodOM+hJTioNQJilmLXu08JNb8i+ccq418+KWu1/Y= +golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/exp 
v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA= +golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= +golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= +golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= +golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod 
h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= +golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= +golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
+golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= +golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= +golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI= +golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b/go.mod h1:tqur9LnfstdR9ep2LaJT4lFUl0EjlHtge+gAjmsHUG4= +golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80= +gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= +google.golang.org/api v0.126.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw= +google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220822174746-9e6da59bd2fc/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54/go.mod 
h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk= +google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64= +google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e h1:xIXmWJ303kJCuogpj0bHq+dcjcZHU+XFyc1I0Yl9cRg= +google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:0ggbjUrZYpy1q+ANUS30SEoGZ53cdfwtbuG7Ptgy108= +google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= +google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= +google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:8mL13HKkDa+IuJ8yruA3ci0q+0vsUz4m//+ottjwS5o= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230731190214-cbb8c96f2d6d/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= +google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= +google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.54.0/go.mod 
h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= +google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8= +google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= +google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +k8s.io/api v0.27.1/go.mod h1:z5g/BpAiD+f6AArpqNjkY+cji8ueZDU/WV1jcj5Jk4E= +k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A= +k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA= +k8s.io/apiextensions-apiserver v0.27.1/go.mod h1:8jEvRDtKjVtWmdkhOqE84EcNWJt/uwF8PC4627UZghY= +k8s.io/apimachinery v0.27.1/go.mod h1:5ikh59fK3AJ287GUvpUsryoMFtH9zj/ARfWCo3AyXTM= +k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o= +k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis= +k8s.io/apiserver v0.28.3/go.mod h1:YIpM+9wngNAv8Ctt0rHG4vQuX/I5rvkEMtZtsxW2rNM= +k8s.io/client-go v0.27.1/go.mod h1:f8LHMUkVb3b9N8bWturc+EDtVVVwZ7ueTVquFAJb2vA= +k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8= +k8s.io/client-go 
v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38= +k8s.io/code-generator v0.28.3/go.mod h1:A2EAHTRYvCvBrb/MM2zZBNipeCk3f8NtpdNIKawC43M= +k8s.io/component-base v0.27.1/go.mod h1:UGEd8+gxE4YWoigz5/lb3af3Q24w98pDseXcXZjw+E0= +k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= +k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= +k8s.io/kms v0.28.3/go.mod h1:kSMjU2tg7vjqqoWVVCcmPmNZ/CofPsoTbSxAipCvZuE= +k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2/go.mod h1:+qG7ISXqCDVVcyO8hLn12AKVYYUjM7ftlqsqmrhMZE0= +sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= 
+sigs.k8s.io/controller-tools v0.11.4/go.mod h1:qcfX7jfcfYD/b7lAhvqAyTbt/px4GpvN88WKLFFv7p8= +sigs.k8s.io/gateway-api v0.7.1/go.mod h1:Xv0+ZMxX0lu1nSSDIIPEfbVztgNZ+3cfiYrJsa2Ooso= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/pkg/cleanup/cleanup.go b/pkg/cleanup/cleanup.go deleted file mode 100644 index 755290a4..00000000 --- a/pkg/cleanup/cleanup.go +++ /dev/null 
@@ -1,57 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of Nimbus - -package cleanup - -/* -import ( - "context" - - "github.com/go-logr/logr" - "sigs.k8s.io/controller-runtime/pkg/client" - - intentv1 "github.com/5GSEC/nimbus/pkg/api/v1" - general "github.com/5GSEC/nimbus/pkg/controllers/general" - policy "github.com/5GSEC/nimbus/pkg/controllers/policy" -) - -// Cleanup is a function to clean up SecurityIntent resources. -// It removes all policies associated with each SecurityIntent before deleting the SecurityIntent itself. -func Cleanup(ctx context.Context, k8sClient client.Client, logger logr.Logger) error { - - // Logging the start of the cleanup process. - logger.Info("Performing cleanup") - - var securityIntentBindings intentv1.SecurityIntentBindingList - if err := k8sClient.List(ctx, &securityIntentBindings); err != nil { - logger.Error(err, "Unable to list SecurityIntentBinding resources for cleanup") - return err - } - - if len(securityIntentBindings.Items) == 0 { - logger.Info("No SecurityIntentBinding resources found for cleanup") - return nil - } - - npc := policy.NewNetworkPolicyController(k8sClient, nil) - - // Iterating over each SecurityIntent to delete associated policies. - for _, binding := range securityIntentBindings.Items { - bindingCopy := binding - bindingInfo := &general.BindingInfo{ - Binding: &bindingCopy, - } - - // Deleting network policies associated with the current SecurityIntent. - if err := npc.DeletePolicy(ctx, bindingInfo); err != nil { - logger.Error(err, "Failed to delete network policy for SecurityIntentBinding", "Name", bindingCopy.Name) - return err - } - if err := k8sClient.Delete(ctx, &bindingCopy); err != nil { - logger.Error(err, "Failed to delete SecurityIntentBinding", "Name", bindingCopy.Name) - continue - } - } - return nil -} -*/ diff --git a/pkg/exporter/applier/nimbuspolicy_applier.go b/pkg/exporter/applier/nimbuspolicy_applier.go new file mode 100644 index 00000000..4219dbde 
--- /dev/null
+++ b/pkg/exporter/applier/nimbuspolicy_applier.go
@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package applier
+
+import (
+ "context"
+ "fmt"
+
+ v1 "github.com/5GSEC/nimbus/api/v1"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// NimbusPolicyApplier is responsible for applying NimbusPolicy objects to the Kubernetes cluster.
+type NimbusPolicyApplier struct {
+ Client client.Client
+}
+
+// NewNimbusPolicyApplier creates a new instance of NimbusPolicyApplier.
+func NewNimbusPolicyApplier(client client.Client) *NimbusPolicyApplier {
+ return &NimbusPolicyApplier{
+ Client: client,
+ }
+}
+
+func (npa *NimbusPolicyApplier) ApplyNimbusPolicy(ctx context.Context, policy *v1.NimbusPolicy) error {
+ logger := log.FromContext(ctx)
+
+ // Check if the NimbusPolicy already exists.
+ existingPolicy := &v1.NimbusPolicy{}
+ err := npa.Client.Get(ctx, client.ObjectKeyFromObject(policy), existingPolicy)
+
+ // Handle NotFound errors the right way
+ if err != nil {
+ if client.IgnoreNotFound(err) != nil {
+ return fmt.Errorf("Failed to check for existing NimbusPolicy: %v", err)
+ }
+ // If it's a NotFound error, create a new Nimbus policy.
+ logger.Info("Apply NimbusPolicy", "Policy", policy.Name)
+ if err := npa.Client.Create(ctx, policy); err != nil {
+ return fmt.Errorf("Failed to Apply NimbusPolicy: %v", err)
+ }
+ } else {
+ // If the policy already exists, update it.
+ logger.Info("Update NimbusPolicy", "Policy", policy.Name)
+ policy.ResourceVersion = existingPolicy.ResourceVersion
+ if err := npa.Client.Update(ctx, policy); err != nil {
+ return fmt.Errorf("Failed to update NimbusPolicy: %v", err)
+ }
+ }
+
+ return nil
+}
diff --git a/pkg/exporter/httpexporter/http_nimbus.go b/pkg/exporter/httpexporter/http_nimbus.go
deleted file mode 100644
index ecccfe9c..00000000
--- a/pkg/exporter/httpexporter/http_nimbus.go
+++ /dev/null
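Review bot: ApplyNimbusPolicy is exported but has no doc comment, and all three error returns in it wrap with `%v` rather than `%w`, so a caller can no longer use errors.Is/errors.As (or apierrors helpers) to distinguish an apiserver conflict or forbidden error from any other failure. I would add `// ApplyNimbusPolicy creates the NimbusPolicy if it does not exist, otherwise overwrites the existing object with the given one (only ResourceVersion is carried over).` above the method and change the first return to `return fmt.Errorf("checking for existing NimbusPolicy: %w", err)`, with the same `%w`/lower-case treatment for the Create and Update returns. Note that the update path replaces the stored object wholesale with the caller's copy; a modification that lands between the Get and the Update would presumably surface as a conflict error to the caller, which is only recoverable if the caller requeues — worth stating in the doc comment.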
@@ -1,63 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of Nimbus - -// Initialize HTTP Client: Set up the client for HTTP communication. -// Format Nimbus Policy Data: Convert Nimbus Policy data into JSON format. -// Send Data: Send the converted data to the adapter's URL using a POST request. -// Process Response: Handle the response from the adapter and log as necessary. - -package httpexporter - -import ( - "bytes" - "context" - "encoding/json" - "fmt" - "net/http" - - v1 "github.com/5GSEC/nimbus/api/v1" -) - -// HttpNimbusExporter struct defines the HTTP client and the URL for exporting Nimbus policies. -type HttpNimbusExporter struct { - client *http.Client - url string -} - -// NewHttpNimbusExporter creates a new HttpNimbusExporter with the provided URL. -func NewHttpNimbusExporter(url string) *HttpNimbusExporter { - return &HttpNimbusExporter{ - client: &http.Client{}, - url: url, - } -} - -// ExportNimbusPolicy exports a NimbusPolicy to a remote server via HTTP POST. -func (h *HttpNimbusExporter) ExportNimbusPolicy(ctx context.Context, policy *v1.NimbusPolicy) error { - // Convert the NimbusPolicy into JSON format. - data, err := json.Marshal(policy) - if err != nil { - return fmt.Errorf("failed to marshal NimbusPolicy: %v", err) - } - - // Create a new HTTP POST request with the policy data. - req, err := http.NewRequestWithContext(ctx, "POST", h.url, bytes.NewBuffer(data)) - if err != nil { - return fmt.Errorf("failed to create request: %v", err) - } - req.Header.Set("Content-Type", "application/json") - - // Send the request to the server. - resp, err := h.client.Do(req) - if err != nil { - return fmt.Errorf("failed to send request: %v", err) - } - defer resp.Body.Close() - - // Check if the response status is OK (HTTP 200). - if resp.StatusCode != http.StatusOK { - return fmt.Errorf("non-OK response received: %v", resp.Status) - } - - return nil -} 
diff --git a/pkg/exporter/nimbuspolicy/nimbuspolicy_controller.go b/pkg/exporter/nimbuspolicy/nimbuspolicy_controller.go
index 3fedde49..91caa799 100644
--- a/pkg/exporter/nimbuspolicy/nimbuspolicy_controller.go
+++ b/pkg/exporter/nimbuspolicy/nimbuspolicy_controller.go
@@ -13,7 +13,6 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/log"
 
 v1 "github.com/5GSEC/nimbus/api/v1"
- "github.com/5GSEC/nimbus/pkg/exporter/httpexporter"
 "github.com/5GSEC/nimbus/pkg/receiver/watcher"
 )
 
@@ -34,7 +33,7 @@ func NewNimbusPolicyReconciler(client client.Client, scheme *runtime.Scheme) *Ni
 watcherNimbusPolicy, err := watcher.NewWatcherNimbusPolicy(client)
 if err != nil {
- fmt.Println("NimbusPolicyReconciler: Failed to initialize WatcherNimbusPolicy:", err)
+ fmt.Println("NimbusPolicyReconciler: Failed to initialize WatcherNimbusPolicy", err)
 return nil
 }
 
@@ -62,31 +61,19 @@ func (r *NimbusPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request
 log := log.FromContext(ctx)
 
 if r.WatcherNimbusPolicy == nil {
- fmt.Println("NimbusPolicyReconciler: WatcherNimbusPolicy is nil")
- return ctrl.Result{}, fmt.Errorf("WatcherNimbusPolicy is not properly initialized")
+ return ctrl.Result{}, fmt.Errorf("NimbusPolicyReconciler: WatcherNimbusPolicy is nil")
 }
 
 nimPol, err := r.WatcherNimbusPolicy.Reconcile(ctx, req)
 if err != nil {
- log.Error(err, "Error in WatcherNimbusPolicy.Reconcile", "Request", req.NamespacedName)
+ log.Error(err, "NimbusPolicyReconciler: WatcherNimbusPolicy is error")
 return ctrl.Result{}, err
 }
 
 if nimPol != nil {
- log.Info("NimbusPolicy resource found", "Name", req.Name, "Namespace", req.Namespace)
+ log.Info("Found: NimbusPolicy", "Name", req.Name, "Namespace", req.Namespace)
 } else {
- log.Info("NimbusPolicy resource not found", "Name", req.Name, "Namespace", req.Namespace)
- }
-
- // Exporting the NimbusPolicy if it is found.
- if nimPol != nil {
- exporter := httpexporter.NewHttpNimbusExporter("http://localhost:13000/api/v1/nimbus/export") // Update the URL as needed.
- err := exporter.ExportNimbusPolicy(ctx, nimPol)
- if err != nil {
- log.Error(err, "Failed to export NimbusPolicy")
- return ctrl.Result{}, err
- }
- log.Info("NimbusPolicy exported successfully")
+ log.Info("Not Found: NimbusPolicy")
 }
 
 return ctrl.Result{}, nil
diff --git a/pkg/nimbus-kubearmor/Makefile b/pkg/nimbus-kubearmor/Makefile
new file mode 100644
index 00000000..efb0004a
--- /dev/null
+++ b/pkg/nimbus-kubearmor/Makefile
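Review bot: The new "Not Found: NimbusPolicy" log line drops the Name and Namespace keys that the old line carried and that the sibling "Found" branch still emits, so the not-found event can no longer be matched to a request when reading logs; the same loss happens one hunk up where the new error log drops the "Request" field. I would keep the structured keys on both: `log.Info("Not Found: NimbusPolicy", "Name", req.Name, "Namespace", req.Namespace)` and `log.Error(err, "NimbusPolicyReconciler: WatcherNimbusPolicy.Reconcile failed", "Request", req.NamespacedName)`. The message "WatcherNimbusPolicy is error" also reads as ungrammatical; the wording above fixes that. Reconcile's closing brace lies outside this hunk.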
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+.PHONY: build run deploy-rbac
+
+BINARY_NAME=nimbus-kubearmor
+
+build:
+ GOARCH=amd64 GOOS=linux go build -o ${BINARY_NAME} main.go
+
+run:
+ ./nimbus-kubearmor
+
+deploy-rbac:
+ kubectl apply -f config/service_account.yaml
+ kubectl apply -f config/role.yaml
+ kubectl apply -f config/role_binding.yaml
\ No newline at end of file
diff --git a/pkg/nimbus-kubearmor/config/role.yaml b/pkg/nimbus-kubearmor/config/role.yaml
new file mode 100644
index 00000000..03e0ea24
--- /dev/null
+++ b/pkg/nimbus-kubearmor/config/role.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: nimbuspolicy-viewer-role
+rules:
+- apiGroups: ["intent.security.nimbus.com"]
+ resources: ["nimbuspolicies"]
+ verbs: ["get", "list", "watch"]
diff --git a/pkg/nimbus-kubearmor/config/role_binding.yaml b/pkg/nimbus-kubearmor/config/role_binding.yaml
new file mode 100644
index 00000000..5fa00ee0
--- /dev/null
+++ b/pkg/nimbus-kubearmor/config/role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: nimbus-karmor-adapter-viewer-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: nimbuspolicy-viewer-role
+subjects:
+- kind: ServiceAccount
+ name: nimbus-karmor-adapter
+ namespace: default
diff --git a/pkg/nimbus-kubearmor/config/service_account.yaml b/pkg/nimbus-kubearmor/config/service_account.yaml
new file mode 100644
index 00000000..f4d2c600
--- /dev/null
+++ b/pkg/nimbus-kubearmor/config/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nimbus-karmor-adapter
+ namespace: default
diff --git a/pkg/nimbus-kubearmor/go.mod b/pkg/nimbus-kubearmor/go.mod
new file mode 100644
index 00000000..4d2bf3d1
--- /dev/null
+++ b/pkg/nimbus-kubearmor/go.mod
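Review bot: The `run` target hardcodes `./nimbus-kubearmor` while `build` writes to `${BINARY_NAME}`, so renaming the variable silently breaks `make run`; use `./${BINARY_NAME}` in `run`. The file also lacks a trailing newline (the "\ No newline at end of file" marker), which some tooling and `make` itself handle inconsistently on the last recipe line.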
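Review bot: The ClusterRole in role.yaml grants only get/list/watch on nimbuspolicies, which is a good minimal read footprint, but nothing in this commit shows how the adapter acts on what it reads; the new go.mod pulls in the KubeArmorController module, which suggests it will create or update KubeArmorPolicy objects, and this role has no rule for those — confirm the intended write path and, if one exists, add a separate rule scoped to exactly that resource and verb set rather than broadening this one. The ClusterRoleBinding also pins the ServiceAccount to `namespace: default`; a dedicated namespace for the adapter would keep its credentials away from workloads that happen to live in default. Both files would benefit from a one-line comment above `rules:` stating which component consumes the grant and why cluster scope (rather than a namespaced Role) is required.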
@@ -0,0 +1,70 @@ +module github.com/5GSEC/nimbus/pkg/nimbus-kubearmor + +go 1.21 + +require ( + github.com/5GSEC/nimbus v0.0.0-20240104111857-cf09d5346fc6 + github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20231218054902-8b18cac961c0 + k8s.io/apimachinery v0.29.0 + k8s.io/client-go v0.29.0 + sigs.k8s.io/controller-runtime v0.16.3 +) + +require ( + github.com/beorn7/perks v1.0.1 // indirect + github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/evanphx/json-patch/v5 v5.6.0 // indirect + github.com/fsnotify/fsnotify v1.6.0 // indirect + github.com/go-logr/logr v1.3.0 // indirect + github.com/go-logr/zapr v1.3.0 // indirect + github.com/go-openapi/jsonpointer v0.20.0 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/swag v0.22.4 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/protobuf v1.5.3 // indirect + github.com/google/gnostic-models v0.6.8 // indirect + github.com/google/go-cmp v0.6.0 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/google/uuid v1.5.0 // indirect + github.com/imdario/mergo v0.3.16 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/mailru/easyjson v0.7.7 // indirect + github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/prometheus/client_golang v1.17.0 // indirect + github.com/prometheus/client_model v0.5.0 // indirect + github.com/prometheus/common v0.45.0 // indirect + github.com/prometheus/procfs 
v0.12.0 // indirect + github.com/spf13/pflag v1.0.5 // indirect + go.uber.org/multierr v1.11.0 // indirect + go.uber.org/zap v1.26.0 // indirect + golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect + golang.org/x/net v0.17.0 // indirect + golang.org/x/oauth2 v0.12.0 // indirect + golang.org/x/sys v0.13.0 // indirect + golang.org/x/term v0.13.0 // indirect + golang.org/x/text v0.13.0 // indirect + golang.org/x/time v0.3.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/protobuf v1.31.0 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/api v0.29.0 // indirect + k8s.io/apiextensions-apiserver v0.28.3 // indirect + k8s.io/component-base v0.28.3 // indirect + k8s.io/klog/v2 v2.110.1 // indirect + k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect + k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect +) diff --git a/pkg/nimbus-kubearmor/go.sum b/pkg/nimbus-kubearmor/go.sum new file mode 100644 index 00000000..6c809fc8 --- /dev/null +++ b/pkg/nimbus-kubearmor/go.sum 
@@ -0,0 +1,220 @@ +github.com/5GSEC/nimbus v0.0.0-20240104111857-cf09d5346fc6 h1:DtWy2kV7zQad5dq9wN5yTvyImzNma702CXjnRvmxj3o= +github.com/5GSEC/nimbus v0.0.0-20240104111857-cf09d5346fc6/go.mod h1:lob1rgxnuApFgyV2IhFEMqfFaf1J3zuX5eIUTepMwLs= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= +github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= +github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= +github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= +github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= +github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod 
h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ= +github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU= +github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp 
v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU= +github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod 
h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20231218054902-8b18cac961c0 h1:Mme8Mfj+g9eQudASTXdz9d/zG2mLIpptvisC9u2RCRQ= +github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20231218054902-8b18cac961c0/go.mod h1:LtrnsoV9isTrXx0ClJgKxSJ/gbYmDj9m3pXIjG1yxBg= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= +github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= 
+github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= +github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q= +github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY= +github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= +github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= +github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= +github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= +github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= +github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.3.0/go.mod 
h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= +go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc= +golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod 
h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= +golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod 
h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss= +golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= +gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A= +k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA= +k8s.io/apiextensions-apiserver v0.28.3 h1:Od7DEnhXHnHPZG+W9I97/fSQkVpVPQx2diy+2EtmY08= +k8s.io/apiextensions-apiserver v0.28.3/go.mod h1:NE1XJZ4On0hS11aWWJUTNkmVB03j9LM7gJSisbRt8Lc= +k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o= +k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis= +k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8= +k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38= +k8s.io/component-base v0.28.3 h1:rDy68eHKxq/80RiMb2Ld/tbH8uAE75JdCqJyi6lXMzI= +k8s.io/component-base v0.28.3/go.mod h1:fDJ6vpVNSk6cRo5wmDa6eKIG7UlIQkaFmZN2fYgIUD8= +k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= +k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4= +sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0= +sigs.k8s.io/json 
v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/pkg/nimbus-kubearmor/main.go b/pkg/nimbus-kubearmor/main.go new file mode 100644 index 00000000..132ccccb --- /dev/null +++ b/pkg/nimbus-kubearmor/main.go 
@@ -0,0 +1,102 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + +package main + +import ( + "context" + "fmt" + "log" + "os" + "path/filepath" + "strings" + "time" + + v1 "github.com/5GSEC/nimbus/api/v1" + "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/processor/enforcer" + watcher "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/receiver/nimbuspolicywatcher" + "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/receiver/verifier" + ctrl "sigs.k8s.io/controller-runtime" + + "k8s.io/apimachinery/pkg/runtime" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + "k8s.io/client-go/rest" + "k8s.io/client-go/tools/clientcmd" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + + kubearmorv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" +) + +// Initialize the global scheme variable +var scheme = runtime.NewScheme() + +func init() { + utilruntime.Must(v1.AddToScheme(scheme)) + utilruntime.Must(kubearmorv1.AddToScheme(scheme)) +} + +func main() { + ctrl.SetLogger(zap.New(zap.UseDevMode(true))) + log.Println("Starting Kubernetes client configuration") + + var cfg *rest.Config + var err error + if cfg, err = rest.InClusterConfig(); err != nil { + kubeconfig := filepath.Join(os.Getenv("HOME"), ".kube", "config") + cfg, err = clientcmd.BuildConfigFromFlags("", kubeconfig) + if err != nil { + log.Fatalf("Failed to set up Kubernetes config: %v", err) + } + } + + c, err := client.New(cfg, client.Options{Scheme: scheme}) + if err != nil { + log.Fatalf("Failed to create client: %v", err) + } + + log.Println("Starting NimbusPolicyWatcher") + npw := watcher.NewNimbusPolicyWatcher(c) + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + policyChan, err := npw.WatchNimbusPolicies(ctx) + if err != nil { + log.Fatalf("NimbusPolicy: Watch Failed %v", err) + } + + detectedPolicies := make(map[string]bool) + enforcer := enforcer.NewPolicyEnforcer(c) + + 
log.Println("Starting policy processing loop") + for { + select { + case policy := <-policyChan: + policyKey := fmt.Sprintf("%s/%s", policy.Namespace, policy.Name) + if _, detected := detectedPolicies[policyKey]; !detected { + if verifier.HandlePolicy(policy) { + log.Printf("NimbusPolicy: Detected policy: Name: %s, Namespace: %s, ID: %s \n%+v\n", policy.Namespace, policy.Name, getRulesIDs(policy), policy) + detectedPolicies[policyKey] = true + + log.Println("Exporting and Applying NimbusPolicy to KubeArmorPolicy") + err := enforcer.Enforcer(ctx, policy) + if err != nil { + log.Printf("Error exporting NimbusPolicy: %v", err) + } else { + log.Println("Successfully exported NimbusPolicy to KubeArmorPolicy") + } + } + } + case <-time.After(120 * time.Second): + log.Println("NimbusPolicy: No detections for 120 seconds") + } + } +} + +func getRulesIDs(policy v1.NimbusPolicy) string { + var ruleIDs []string + for _, rule := range policy.Spec.NimbusRules { + ruleIDs = append(ruleIDs, rule.Id) + } + return fmt.Sprintf("[%s]", strings.Join(ruleIDs, ", ")) +} diff --git a/pkg/nimbus-kubearmor/processor/applier/applier.go b/pkg/nimbus-kubearmor/processor/applier/applier.go new file mode 100644 index 00000000..aa7bc299 --- /dev/null +++ b/pkg/nimbus-kubearmor/processor/applier/applier.go 
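Review bot: A NimbusPolicy whose first enforcement fails is never retried, because `detectedPolicies[policyKey] = true` is set before `enforcer.Enforcer(ctx, policy)` runs and the error branch only logs; the selected workload then stays unprotected until the process restarts, which is fail-open for an enforcement component. Move the marking into the success path, `if err := enforcer.Enforcer(ctx, policy); err != nil { log.Printf("Error exporting NimbusPolicy: %v", err) } else { detectedPolicies[policyKey] = true }`, so the next delivery of the same policy is applied. Keying the map on namespace/name alone also means a later edit to the policy's rules is ignored and the applied KubeArmorPolicy drifts from the intent; storing `policy.ResourceVersion` and re-enforcing when it changes would address that, assuming the watcher re-delivers updates (not visible here), and nothing in this loop handles deletion, so a removed NimbusPolicy leaves its KubeArmorPolicy in place. Separately, the `Detected policy` log prints the two fields swapped: the format reads `Name: %s, Namespace: %s` but the arguments are `policy.Namespace, policy.Name`.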
@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package applier
+
+import (
+ "context"
+
+ "sigs.k8s.io/controller-runtime/pkg/log"
+
+ kubearmorv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1"
+ "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// Applier manages the enforcement of policies.
+type Applier struct {
+ Client client.Client
+}
+
+// NewApplier creates a new Applier.
+func NewApplier(client client.Client) *Applier {
+ return &Applier{Client: client}
+}
+
+// ApplyPolicy applies or updates a given KubeArmorPolicy.
+func (e *Applier) ApplyPolicy(ctx context.Context, kubeArmorPolicy *kubearmorv1.KubeArmorPolicy) error {
+ log := log.FromContext(ctx)
+
+ // Check if the policy already exists
+ existingPolicy := &kubearmorv1.KubeArmorPolicy{}
+ err := e.Client.Get(ctx, types.NamespacedName{Name: kubeArmorPolicy.Name, Namespace: kubeArmorPolicy.Namespace}, existingPolicy)
+ if err != nil && !errors.IsNotFound(err) {
+ log.Error(err, "Existing KubeArmorPolicy lookup failed", "PolicyName", kubeArmorPolicy.Name)
+ return err
+ }
+
+ // Update if exists, create otherwise
+ if errors.IsNotFound(err) {
+ log.Info("Apply a new KubeArmorPolicy", "PolicyName", kubeArmorPolicy.Name, "Policy", kubeArmorPolicy)
+ return e.Client.Create(ctx, kubeArmorPolicy)
+ } else {
+ log.Info("Update existing KubeArmorPolicy", "PolicyName", kubeArmorPolicy.Name)
+ existingPolicy.Spec = kubeArmorPolicy.Spec
+ return e.Client.Update(ctx, existingPolicy)
+ }
+}
diff --git a/pkg/nimbus-kubearmor/processor/converter/converter.go b/pkg/nimbus-kubearmor/processor/converter/converter.go
new file mode 100644
index 00000000..cf630bbc
--- /dev/null
+++ b/pkg/nimbus-kubearmor/processor/converter/converter.go
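Review bot: The update branch of `ApplyPolicy` overwrites the `Spec` of any existing KubeArmorPolicy that happens to share the name and namespace, with no check that Nimbus created it; an administrator-authored policy with the same name is silently replaced by the converted one, which can weaken enforcement on those pods. The converter visible in this commit sets only `Name` and `Namespace` on the object, so there is no OwnerReference or label to tell the two apart; stamping a marker such as `app.kubernetes.io/managed-by: nimbus` at conversion time and refusing the update when it is absent closes that gap. The `Update` also carries no conflict handling, so a concurrent writer produces an `IsConflict` error that is returned rather than retried (`retry.RetryOnConflict` from client-go is the usual wrapper), and the `else` after `return` can be dropped. Logging the whole object under the `Policy` key on create is probably more than a production log needs.
```go
	// Update if exists, create otherwise
	if errors.IsNotFound(err) {
		log.Info("Apply a new KubeArmorPolicy", "PolicyName", kubeArmorPolicy.Name)
		return e.Client.Create(ctx, kubeArmorPolicy)
	}
	// Never clobber a KubeArmorPolicy that Nimbus did not create; the converter
	// is expected to set this label on every object it emits.
	if existingPolicy.Labels["app.kubernetes.io/managed-by"] != "nimbus" {
		log.Info("Existing KubeArmorPolicy is not managed by nimbus; refusing to overwrite", "PolicyName", kubeArmorPolicy.Name)
		return errors.NewConflict(kubearmorv1.Resource("kubearmorpolicies"), kubeArmorPolicy.Name, nil)
	}
	log.Info("Update existing KubeArmorPolicy", "PolicyName", kubeArmorPolicy.Name)
	existingPolicy.Spec = kubeArmorPolicy.Spec
	return e.Client.Update(ctx, existingPolicy)
```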
@@ -0,0 +1,114 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + +package converter + +import ( + "context" + "strings" + + v1 "github.com/5GSEC/nimbus/api/v1" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/log" + + kubearmorv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type PolicyConverter struct { + Client client.Client +} + +func NewPolicyConverter(client client.Client) *PolicyConverter { + return &PolicyConverter{Client: client} +} + +func (pt *PolicyConverter) Converter(ctx context.Context, nimbusPolicy v1.NimbusPolicy) (*kubearmorv1.KubeArmorPolicy, error) { + log := log.FromContext(ctx) + log.Info("Start Converting a NimbusPolicy", "PolicyName", nimbusPolicy.Name) + + kubeArmorPolicy := &kubearmorv1.KubeArmorPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: nimbusPolicy.Name, + Namespace: nimbusPolicy.Namespace, + }, + Spec: kubearmorv1.KubeArmorPolicySpec{ + Selector: kubearmorv1.SelectorType{ + MatchLabels: nimbusPolicy.Spec.Selector.MatchLabels, + }, + }, + } + kubeArmorPolicy.Spec.Selector.MatchLabels = nimbusPolicy.Spec.Selector.MatchLabels + + for _, nimbusRule := range nimbusPolicy.Spec.NimbusRules { + idParts := strings.Split(nimbusRule.Id, "-") + if len(idParts) != 3 { + log.Info("Invalid rule ID format", "ID", nimbusRule.Id) + continue + } + + ruleType := idParts[1] + category := idParts[2] + + for _, rule := range nimbusRule.Rule { + kubeArmorPolicy.Spec.Action = kubearmorv1.ActionType(rule.RuleAction) + + switch ruleType { + case "proc": + if processType, err := handleProcessPolicy(rule, category); err == nil { + kubeArmorPolicy.Spec.Process = processType + } else { + log.Error(err, "Failed to handle process policy") + return nil, err + } + + case "file": + if fileType, err := handleFilePolicy(rule, category); err == nil { + kubeArmorPolicy.Spec.File = fileType + } else { + 
log.Error(err, "Failed to handle file policy") + return nil, err + } + + case "net": + if networkType, err := handleNetworkPolicy(rule); err == nil { + kubeArmorPolicy.Spec.Network = networkType + } else { + log.Error(err, "Failed to handle network policy") + return nil, err + } + + case "syscall": + if syscallType, err := handleSyscallPolicy(rule, category); err == nil { + kubeArmorPolicy.Spec.Syscalls = syscallType + } else { + log.Error(err, "Failed to handle syscall policy") + return nil, err + } + + case "cap": + if capabilityType, err := handleCapabilityPolicy(rule); err == nil { + kubeArmorPolicy.Spec.Capabilities = capabilityType + } else { + log.Error(err, "Failed to handle capability policy") + return nil, err + } + default: + log.Info("Unsupported rule type", "Type", ruleType) + } + } + } + + if len(kubeArmorPolicy.Spec.Network.MatchProtocols) == 0 { + kubeArmorPolicy.Spec.Network.MatchProtocols = append(kubeArmorPolicy.Spec.Network.MatchProtocols, kubearmorv1.MatchNetworkProtocolType{ + Protocol: "raw", + }) + } + if len(kubeArmorPolicy.Spec.Capabilities.MatchCapabilities) == 0 { + kubeArmorPolicy.Spec.Capabilities.MatchCapabilities = append(kubeArmorPolicy.Spec.Capabilities.MatchCapabilities, kubearmorv1.MatchCapabilitiesType{ + Capability: "lease", + }) + } + + return kubeArmorPolicy, nil +} diff --git a/pkg/nimbus-kubearmor/processor/converter/converthelper.go b/pkg/nimbus-kubearmor/processor/converter/converthelper.go new file mode 100644 index 00000000..c8325732 --- /dev/null +++ b/pkg/nimbus-kubearmor/processor/converter/converthelper.go 
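Review bot: `kubeArmorPolicy.Spec.Action = kubearmorv1.ActionType(rule.RuleAction)` is assigned inside the per-rule loop, so a NimbusPolicy whose rules carry different actions (say one `Block` and one `Audit`) ends up with whichever rule was iterated last, and the earlier rules are enforced with an action their author did not choose; the value is also never checked against the allowed set, so an empty or misspelled `RuleAction` produces an empty action string. Rejecting a conflict is cheap — compute `action := kubearmorv1.ActionType(rule.RuleAction)`, and `if kubeArmorPolicy.Spec.Action != "" && kubeArmorPolicy.Spec.Action != action { return nil, fmt.Errorf("rule %s: action %q conflicts with %q", nimbusRule.Id, action, kubeArmorPolicy.Spec.Action) }` before assigning (this needs `fmt` imported in this file). The same overwrite pattern applies to `Spec.Process`, `Spec.File`, `Spec.Syscalls` and `Spec.Capabilities`, so two rules of the same type (e.g. `proc`/`paths` and `proc`/`dirs`) keep only the last one. The trailing defaults append a `raw` protocol and a `lease` capability whenever no network or capability rule exists, presumably to satisfy validation elsewhere; with a `Block` action those placeholders block raw sockets and CAP_LEASE for the selected pods although no intent asked for it, which deserves a comment stating why it is safe or a switch to an action-neutral filler.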
@@ -0,0 +1,209 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + +package converter + +import ( + v1 "github.com/5GSEC/nimbus/api/v1" + + kubearmorv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" +) + +func handleProcessPolicy(rule v1.Rule, category string) (kubearmorv1.ProcessType, error) { + processType := kubearmorv1.ProcessType{ + MatchPaths: []kubearmorv1.ProcessPathType{}, + MatchDirectories: []kubearmorv1.ProcessDirectoryType{}, + MatchPatterns: []kubearmorv1.ProcessPatternType{}, + } + + switch category { + case "paths": + for _, matchPath := range rule.MatchPaths { + if matchPath.Path != "" { + processType.MatchPaths = append(processType.MatchPaths, kubearmorv1.ProcessPathType{ + Path: kubearmorv1.MatchPathType(matchPath.Path), + }) + } + } + + case "dirs": + for _, matchDir := range rule.MatchDirectories { + var fromSources []kubearmorv1.MatchSourceType + for _, source := range matchDir.FromSource { + fromSources = append(fromSources, kubearmorv1.MatchSourceType{ + Path: kubearmorv1.MatchPathType(source.Path), + }) + } + if matchDir.Directory != "" || len(fromSources) > 0 { + processType.MatchDirectories = append(processType.MatchDirectories, kubearmorv1.ProcessDirectoryType{ + Directory: kubearmorv1.MatchDirectoryType(matchDir.Directory), + FromSource: fromSources, + }) + } + } + + case "patterns": + for _, matchPattern := range rule.MatchPatterns { + if matchPattern.Pattern != "" { + processType.MatchPatterns = append(processType.MatchPatterns, kubearmorv1.ProcessPatternType{ + Pattern: matchPattern.Pattern, + }) + } + } + } + + // Set empty slices if fields are empty + if len(processType.MatchPaths) == 0 { + processType.MatchPaths = []kubearmorv1.ProcessPathType{} + } + if len(processType.MatchDirectories) == 0 { + processType.MatchDirectories = []kubearmorv1.ProcessDirectoryType{} + } + if len(processType.MatchPatterns) == 0 { + processType.MatchPatterns = 
[]kubearmorv1.ProcessPatternType{} + } + + return processType, nil +} + +func handleFilePolicy(rule v1.Rule, category string) (kubearmorv1.FileType, error) { + fileType := kubearmorv1.FileType{ + MatchPaths: []kubearmorv1.FilePathType{}, + MatchDirectories: []kubearmorv1.FileDirectoryType{}, + MatchPatterns: []kubearmorv1.FilePatternType{}, + } + + switch category { + case "paths": + for _, matchPath := range rule.MatchPaths { + if matchPath.Path != "" { + fileType.MatchPaths = append(fileType.MatchPaths, kubearmorv1.FilePathType{ + Path: kubearmorv1.MatchPathType(matchPath.Path), + }) + } + } + case "dirs": + for _, matchDir := range rule.MatchDirectories { + var fromSources []kubearmorv1.MatchSourceType + for _, source := range matchDir.FromSource { + fromSources = append(fromSources, kubearmorv1.MatchSourceType{ + Path: kubearmorv1.MatchPathType(source.Path), + }) + } + if matchDir.Directory != "" || len(fromSources) > 0 { + fileType.MatchDirectories = append(fileType.MatchDirectories, kubearmorv1.FileDirectoryType{ + Directory: kubearmorv1.MatchDirectoryType(matchDir.Directory), + FromSource: fromSources, + }) + } + } + case "patterns": + for _, matchPattern := range rule.MatchPatterns { + if matchPattern.Pattern != "" { + fileType.MatchPatterns = append(fileType.MatchPatterns, kubearmorv1.FilePatternType{ + Pattern: matchPattern.Pattern, + }) + } + } + } + + // Set empty slices if fields are empty + if len(fileType.MatchPaths) == 0 { + fileType.MatchPaths = []kubearmorv1.FilePathType{} + } + if len(fileType.MatchDirectories) == 0 { + fileType.MatchDirectories = []kubearmorv1.FileDirectoryType{} + } + if len(fileType.MatchPatterns) == 0 { + fileType.MatchPatterns = []kubearmorv1.FilePatternType{} + } + + return fileType, nil +} + +func handleNetworkPolicy(rule v1.Rule) (kubearmorv1.NetworkType, error) { + networkType := kubearmorv1.NetworkType{ + MatchProtocols: []kubearmorv1.MatchNetworkProtocolType{}, + } + + for _, matchProtocol := range rule.MatchProtocols 
{ + if matchProtocol.Protocol != "" { + networkType.MatchProtocols = append(networkType.MatchProtocols, kubearmorv1.MatchNetworkProtocolType{ + Protocol: kubearmorv1.MatchNetworkProtocolStringType(matchProtocol.Protocol), + }) + } + } + return networkType, nil +} + +func handleSyscallPolicy(rule v1.Rule, category string) (kubearmorv1.SyscallsType, error) { + // Initialize syscallType with default values + syscallType := kubearmorv1.SyscallsType{ + MatchSyscalls: []kubearmorv1.SyscallMatchType{}, + MatchPaths: []kubearmorv1.SyscallMatchPathType{}, + } + + switch category { + case "syscalls": + for _, matchSyscall := range rule.MatchSyscalls { + syscallMatch := kubearmorv1.SyscallMatchType{ + Syscalls: []kubearmorv1.Syscall{}, + } + for _, syscall := range matchSyscall.Syscalls { + if syscall != "" { + syscallMatch.Syscalls = append(syscallMatch.Syscalls, kubearmorv1.Syscall(syscall)) + } + } + syscallType.MatchSyscalls = append(syscallType.MatchSyscalls, syscallMatch) + } + + case "paths": + for _, matchSyscallPath := range rule.MatchSyscallPaths { + syscallMatchPath := kubearmorv1.SyscallMatchPathType{ + Path: kubearmorv1.MatchSyscallPathType(matchSyscallPath.Path), + Recursive: matchSyscallPath.Recursive, + Syscalls: []kubearmorv1.Syscall{}, + FromSource: []kubearmorv1.SyscallFromSourceType{}, + } + for _, syscall := range matchSyscallPath.Syscalls { + if syscall != "" { + syscallMatchPath.Syscalls = append(syscallMatchPath.Syscalls, kubearmorv1.Syscall(syscall)) + } + } + for _, fromSource := range matchSyscallPath.FromSource { + syscallFromSource := kubearmorv1.SyscallFromSourceType{ + Path: kubearmorv1.MatchPathType(fromSource.Path), + Dir: fromSource.Dir, + } + syscallMatchPath.FromSource = append(syscallMatchPath.FromSource, syscallFromSource) + } + syscallType.MatchPaths = append(syscallType.MatchPaths, syscallMatchPath) + } + } + + // Set empty slices if fields are empty + if len(syscallType.MatchSyscalls) == 0 { + syscallType.MatchSyscalls = 
[]kubearmorv1.SyscallMatchType{} + } + // Set empty slices if fields are empty + if len(syscallType.MatchPaths) == 0 { + syscallType.MatchPaths = []kubearmorv1.SyscallMatchPathType{} + } + + return syscallType, nil +} + +func handleCapabilityPolicy(rule v1.Rule) (kubearmorv1.CapabilitiesType, error) { + capabilityType := kubearmorv1.CapabilitiesType{ + MatchCapabilities: []kubearmorv1.MatchCapabilitiesType{}, + } + + for _, matchCapability := range rule.MatchCapabilities { + if matchCapability.Capability != "" { + capabilityType.MatchCapabilities = append(capabilityType.MatchCapabilities, kubearmorv1.MatchCapabilitiesType{ + Capability: kubearmorv1.MatchCapabilitiesStringType(matchCapability.Capability), + }) + } + } + return capabilityType, nil +} diff --git a/pkg/nimbus-kubearmor/processor/enforcer/enforcer.go b/pkg/nimbus-kubearmor/processor/enforcer/enforcer.go new file mode 100644 index 00000000..86191e82 --- /dev/null +++ b/pkg/nimbus-kubearmor/processor/enforcer/enforcer.go 
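Review bot: `handleProcessPolicy`, `handleFilePolicy` and `handleSyscallPolicy` have no `default` case in their `switch category`, so a misspelled or unsupported category (the ID is only checked for having three parts, not for its values) returns an empty type and a nil error, and the policy is applied with nothing in it — the rule silently enforces nothing. Each switch should end with a `default` that returns an error in the style the converter already handles, e.g. `default: return processType, fmt.Errorf("unsupported process category %q", category)` (the `error` return is otherwise never non-nil, and `fmt` needs importing here). In the `dirs` cases the guard `matchDir.Directory != "" || len(fromSources) > 0` emits a `MatchDirectories` entry with an empty `Directory` whenever only sources are given; requiring `Directory != ""` avoids shipping an entry the KubeArmor CRD is likely to reject, which would take the whole policy down with it. The `syscalls` case copies only `Syscalls` and the capability handler copies only `Capability`, so any `FromSource` scoping the Nimbus rule may carry is dropped and the converted rule applies to every process in the pod rather than the named binary — worth either converting or documenting as unsupported.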
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package enforcer
+
+import (
+ "context"
+
+ v1 "github.com/5GSEC/nimbus/api/v1"
+ "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/processor/applier"
+ "github.com/5GSEC/nimbus/pkg/nimbus-kubearmor/processor/converter"
+
+ "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// PolicyEnforcer manages the conversion and enforcement of Nimbus policies.
+type PolicyEnforcer struct {
+ converter *converter.PolicyConverter
+ applier *applier.Applier
+}
+
+// NewPolicyEnforcer creates a new PolicyEnforcer instance.
+func NewPolicyEnforcer(client client.Client) *PolicyEnforcer {
+ return &PolicyEnforcer{
+ converter: converter.NewPolicyConverter(client),
+ applier: applier.NewApplier(client),
+ }
+}
+
+// ExportAndApplyPolicy converts a NimbusPolicy to a KubeArmorPolicy and applies it.
+func (pe *PolicyEnforcer) Enforcer(ctx context.Context, nimbusPolicy v1.NimbusPolicy) error {
+ // Convert NimbusPolicy to KubeArmorPolicy
+ kubeArmorPolicy, err := pe.converter.Converter(ctx, nimbusPolicy)
+ if err != nil {
+ return err
+ }
+
+ // Apply the converted KubeArmorPolicy
+ return pe.applier.ApplyPolicy(ctx, kubeArmorPolicy)
+}
diff --git a/pkg/nimbus-kubearmor/processor/network_policy.go b/pkg/nimbus-kubearmor/processor/network_policy.go
deleted file mode 100644
index 34ba8d10..00000000
--- a/pkg/nimbus-kubearmor/processor/network_policy.go
+++ /dev/null
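Review bot: The doc comment on the last method names `ExportAndApplyPolicy`, but the method is declared as `Enforcer`, so `go vet`/`golint`-style checks and readers of the generated docs see a mismatch. Replace it with `// Enforcer converts a NimbusPolicy to a KubeArmorPolicy and applies it; conversion errors are returned before anything is written.` (the method name stutters with the `PolicyEnforcer` receiver and `Enforce` would read better, but main.go in this commit calls `enforcer.Enforcer`, so a rename has to touch both). The error from `Converter` is returned bare; wrapping it, `fmt.Errorf("converting NimbusPolicy %s/%s: %w", nimbusPolicy.Namespace, nimbusPolicy.Name, err)`, would make the log line in main.go say which policy failed.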
@@ -1,65 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of Nimbus - -package processor - -/* -import ( - "context" - - "k8s.io/apimachinery/pkg/runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/log" - - ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" - - general "github.com/5GSEC/nimbus/pkg/controllers/general" - utils "github.com/5GSEC/nimbus/pkg/controllers/utils" -) - -// NetworkPolicyController struct to handle network policies. -type NetworkPolicyController struct { - Client client.Client // Client to interact with Kubernetes API. - Scheme *runtime.Scheme // Scheme defines the runtime scheme of the Kubernetes objects. -} - -// NewNetworkPolicyController creates a new instance of NetworkPolicyController. -func NewNetworkPolicyController(client client.Client, scheme *runtime.Scheme) *NetworkPolicyController { - return &NetworkPolicyController{ - Client: client, - Scheme: scheme, - } -} - -// HandlePolicy processes the network policies defined in the SecurityIntent resource. -func (npc *NetworkPolicyController) HandlePolicy(ctx context.Context, bindingInfo *general.BindingInfo) error { - log := log.FromContext(ctx) - log.Info("Handling Network Policy", "BindingName", bindingInfo.Binding.Name) - - // Build and apply/update Cilium Network Policy based on BindingInfo. - ciliumPolicySpec := utils.BuildCiliumNetworkPolicySpec(ctx, bindingInfo).(*ciliumv2.CiliumNetworkPolicy) - err := utils.ApplyOrUpdatePolicy(ctx, npc.Client, ciliumPolicySpec, bindingInfo.Binding.Name) - if err != nil { - log.Error(err, "Failed to apply Cilium Network Policy", "Name", bindingInfo.Binding.Name) - return err - } - - log.Info("Applied Network Policy", "PolicyName", bindingInfo.Binding.Name) - return nil -} - -// DeletePolicy removes the network policy associated with the SecurityIntent resource. 
-func (npc *NetworkPolicyController) DeletePolicy(ctx context.Context, bindingInfo *general.BindingInfo) error { - log := log.FromContext(ctx) - - // Modified line: Merged variable declaration with assignment - err := utils.DeletePolicy(ctx, npc.Client, "CiliumNetworkPolicy", bindingInfo.Binding.Name, bindingInfo.Binding.Namespace) - if err != nil { - log.Error(err, "Failed to delete Cilium Network Policy", "Name", bindingInfo.Binding.Name) - return err - } - - log.Info("Deleted Network Policy", "PolicyName", bindingInfo.Binding.Name) - return nil -} -*/ diff --git a/pkg/nimbus-kubearmor/processor/policy_controller.go b/pkg/nimbus-kubearmor/processor/policy_controller.go deleted file mode 100644 index 8ac90071..00000000 --- a/pkg/nimbus-kubearmor/processor/policy_controller.go +++ /dev/null 
@@ -1,81 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of Nimbus - -package processor - -/* -import ( - "context" - "fmt" - - "k8s.io/apimachinery/pkg/runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/log" - - general "github.com/5GSEC/nimbus/pkg/controllers/general" -) - -// Constant for the finalizer name used in the SecurityIntent resource. -// const securityIntentFinalizer = "finalizer.securityintent.intent.security.nimbus.com" - -// PolicyController struct handles different types of policies. -type PolicyController struct { - Client client.Client // Client for interacting with Kubernetes API. - Scheme *runtime.Scheme // Scheme defines the runtime scheme of the Kubernetes objects. - NetworkPolicyController *NetworkPolicyController // Controller for handling network policies. - SystemPolicyController *SystemPolicyController // Controller for handling system policies. -} - -// NewPolicyController creates a new instance of PolicyController. -func NewPolicyController(client client.Client, scheme *runtime.Scheme) *PolicyController { - if client == nil || scheme == nil { - fmt.Println("PolicyController: Client or Scheme is nil") - return nil - } - - return &PolicyController{ - Client: client, - Scheme: scheme, - NetworkPolicyController: NewNetworkPolicyController(client, scheme), - SystemPolicyController: NewSystemPolicyController(client, scheme), - } -} - -// Reconcile handles the reconciliation logic for the SecurityIntent and SecurityIntentBinding resources. 
-func (pc *PolicyController) Reconcile(ctx context.Context, bindingInfo *general.BindingInfo) error { - log := log.FromContext(ctx) - - var intentRequestType string - if len(bindingInfo.Binding.Spec.IntentRequests) > 0 { - intentRequestType = bindingInfo.Binding.Spec.IntentRequests[0].Type - } - - log.Info("Processing policy", "BindingName", bindingInfo.Binding.Name, "IntentType", intentRequestType) - - var err error - switch intentRequestType { - case "network": - err = pc.NetworkPolicyController.HandlePolicy(ctx, bindingInfo) - if err != nil { - log.Error(err, "Failed to apply network policy", "BindingName", bindingInfo.Binding.Name) - return err - } - case "system": - err = pc.SystemPolicyController.HandlePolicy(ctx, bindingInfo) - if err != nil { - log.Error(err, "Failed to apply system policy", "BindingName", bindingInfo.Binding.Name) - return err - } - default: - err = fmt.Errorf("unknown policy type: %s", intentRequestType) - log.Error(err, "Unknown policy type", "Type", intentRequestType) - return err - } - if err != nil { - log.Error(err, "Failed to apply policy", "BindingName", bindingInfo.Binding.Name) - return err - } - - return nil -} -*/ diff --git a/pkg/nimbus-kubearmor/processor/system_policy.go b/pkg/nimbus-kubearmor/processor/system_policy.go deleted file mode 100644 index 05ffba40..00000000 --- a/pkg/nimbus-kubearmor/processor/system_policy.go +++ /dev/null 
@@ -1,64 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of Nimbus - -package processor - -/* -import ( - "context" - - "k8s.io/apimachinery/pkg/runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/log" - - general "github.com/5GSEC/nimbus/pkg/controllers/general" - utils "github.com/5GSEC/nimbus/pkg/controllers/utils" -) - -// SystemPolicyController is a struct to handle system policies. -type SystemPolicyController struct { - Client client.Client // Client for interacting with Kubernetes API. - Scheme *runtime.Scheme // Scheme defines the runtime scheme of the Kubernetes objects. -} - -// NewSystemPolicyController creates a new instance of SystemPolicyController. -func NewSystemPolicyController(client client.Client, scheme *runtime.Scheme) *SystemPolicyController { - return &SystemPolicyController{ - Client: client, - Scheme: scheme, - } -} - -// HandlePolicy processes the system policy as defined in SecurityIntent. -func (spc *SystemPolicyController) HandlePolicy(ctx context.Context, bindingInfo *general.BindingInfo) error { - log := log.FromContext(ctx) // Logger with context. - log.Info("Handling System Policy", "BindingName", bindingInfo.Binding.Name) - - // Build KubeArmorPolicy based on BindingInfo - kubearmorPolicy := utils.BuildKubeArmorPolicySpec(ctx, bindingInfo) - - err := utils.ApplyOrUpdatePolicy(ctx, spc.Client, kubearmorPolicy, bindingInfo.Binding.Name) - if err != nil { - log.Error(err, "Failed to apply KubeArmorPolicy", "Name", bindingInfo.Binding.Name) - return err - } - - log.Info("Applied KubeArmorPolicy", "PolicyName", bindingInfo.Binding.Name) - return nil -} - -// DeletePolicy removes the system policy associated with the SecurityIntent resource. 
-func (spc *SystemPolicyController) DeletePolicy(ctx context.Context, bindingInfo *general.BindingInfo) error { - log := log.FromContext(ctx) - - // Delete KubeArmor Policy - err := utils.DeletePolicy(ctx, spc.Client, "KubeArmorPolicy", bindingInfo.Binding.Name, bindingInfo.Binding.Namespace) - if err != nil { - log.Error(err, "Failed to delete KubeArmor Policy", "Name", bindingInfo.Binding.Name) - return err - } - - log.Info("Deleted System Policy", "PolicyName", bindingInfo.Binding.Name) - return nil -} -*/ diff --git a/pkg/nimbus-kubearmor/processor/utils/utils_policy.go b/pkg/nimbus-kubearmor/processor/utils/utils_policy.go deleted file mode 100644 index dfccc0e4..00000000 --- a/pkg/nimbus-kubearmor/processor/utils/utils_policy.go +++ /dev/null 
@@ -1,427 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2023 Authors of Nimbus - -package utils - -/* -import ( - "context" - "fmt" - "reflect" - "strings" - - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/types" - - general "github.com/5GSEC/nimbus/pkg/controllers/general" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - client "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/log" - - ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" - "github.com/cilium/cilium/pkg/policy/api" - kubearmorv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" -) - -// --------------------------------------------------- -// -------- Creation of Policy Specifications -------- -// --------------------------------------------------- - -// BuildKubeArmorPolicySpec creates a policy specification (either KubeArmorPolicy or KubeArmorHostPolicy) -// based on the provided SecurityIntent and the type of policy. -// BuildKubeArmorPolicySpec creates a KubeArmor policy specification based on the provided SecurityIntentBinding. 
-func BuildKubeArmorPolicySpec(ctx context.Context, bindingInfo *general.BindingInfo) *kubearmorv1.KubeArmorPolicy { - log := log.FromContext(ctx) - log.Info("Creating KubeArmorPolicy", "BindingName", bindingInfo.Binding.Name) - - intent := bindingInfo.Intent[0] - - return &kubearmorv1.KubeArmorPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: bindingInfo.Binding.Name, - Namespace: bindingInfo.Binding.Namespace, - }, - Spec: kubearmorv1.KubeArmorPolicySpec{ - Selector: kubearmorv1.SelectorType{ - MatchLabels: extractMatchLabels(bindingInfo), - }, - Process: extractToKubeArmorPolicyProcessType(bindingInfo), - File: extractToKubeArmorPolicyFileType(bindingInfo), - Capabilities: extractToKubeArmorPolicyCapabilitiesType(bindingInfo), - Network: extractToKubeArmorPolicyNetworkType(bindingInfo), - // TODO: To discuss - //Network: convertToKubeArmorHostPolicyNetworkType(extractNetworkPolicy(intent)), - Action: kubearmorv1.ActionType(intent.Spec.Intent.Action), - }, - } -} - -// BuildCiliumNetworkPolicySpec creates a Cilium network policy specification based on the provided BindingInfo. 
-func BuildCiliumNetworkPolicySpec(ctx context.Context, bindingInfo *general.BindingInfo) interface{} { - log := log.FromContext(ctx) - log.Info("Creating CiliumNetworkPolicy", "Name", bindingInfo.Binding.Name) - - endpointSelector := getEndpointSelector(ctx, bindingInfo) - ingressDenyRules := getIngressDenyRules(bindingInfo) - - policy := &ciliumv2.CiliumNetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: bindingInfo.Binding.Name, - Namespace: bindingInfo.Binding.Namespace, - }, - Spec: &api.Rule{ - EndpointSelector: endpointSelector, - IngressDeny: ingressDenyRules, - }, - } - return policy -} - -// TODO: To discuss -//func convertToKubeArmorHostPolicyNetworkType(slice []interface{}) kubearmorv1.MatchHostNetworkProtocolType { -// var result kubearmorv1.MatchHostNetworkProtocolType -// for _, item := range slice { -// str, ok := item.(string) -// if !ok { -// continue // or appropriate error handling -// } -// // Requires explicit type conversion to MatchNetworkProtocolStringType -// protocol := kubearmorv1.MatchNetworkProtocolStringType(str) -// result.MatchProtocols = append(result.MatchProtocols, kubearmorv1.MatchNetworkProtocolType{ -// Protocol: protocol, -// }) -// } -// return result -//} - -// -------------------------------------- -// -------- Utility Functions ---------- -// -------------------------------------- - -// extractMatchLabelsFromBinding extracts matchLabels from the SecurityIntentBinding. 
-func extractMatchLabels(bindingInfo *general.BindingInfo) map[string]string { - matchLabels := make(map[string]string) - for _, filter := range bindingInfo.Binding.Spec.Selector.Any { - for key, val := range filter.Resources.MatchLabels { - matchLabels[key] = val - } - } - - for _, filter := range bindingInfo.Binding.Spec.Selector.All { - for key, val := range filter.Resources.MatchLabels { - matchLabels[key] = val - } - } - - // Remove 'any:', 'all:', 'cel:' prefixes from the keys - processedLabels := make(map[string]string) - for key, val := range matchLabels { - processedKey := removeReservedPrefixes(key) - processedLabels[processedKey] = val - } - - return processedLabels -} - -func extractToKubeArmorPolicyProcessType(bindingInfo *general.BindingInfo) kubearmorv1.ProcessType { - intent := bindingInfo.Intent[0] - - var processType kubearmorv1.ProcessType - for _, resource := range intent.Spec.Intent.Resource { - for _, process := range resource.Process { - for _, match := range process.MatchPaths { - if path := match.Path; path != "" && strings.HasPrefix(path, "/") { - processType.MatchPaths = append(processType.MatchPaths, kubearmorv1.ProcessPathType{ - Path: kubearmorv1.MatchPathType(path), - }) - } - } - for _, dir := range process.MatchDirectories { - var fromSources []kubearmorv1.MatchSourceType - for _, source := range dir.FromSource { - fromSources = append(fromSources, kubearmorv1.MatchSourceType{ - Path: kubearmorv1.MatchPathType(source.Path), - }) - } - if dir.Directory != "" || len(fromSources) > 0 { - processType.MatchDirectories = append(processType.MatchDirectories, kubearmorv1.ProcessDirectoryType{ // Adjusted type here - Directory: kubearmorv1.MatchDirectoryType(dir.Directory), - Recursive: dir.Recursive, - FromSource: fromSources, - }) - } - } - for _, pattern := range process.MatchPatterns { - if pattern.Pattern != "" { - processType.MatchPatterns = append(processType.MatchPatterns, kubearmorv1.ProcessPatternType{ - Pattern: pattern.Pattern, - 
}) - } - } - } - } - return processType -} - -func extractToKubeArmorPolicyFileType(bindingInfo *general.BindingInfo) kubearmorv1.FileType { - intent := bindingInfo.Intent[0] - - var fileType kubearmorv1.FileType - - for _, resource := range intent.Spec.Intent.Resource { - for _, file := range resource.File { - for _, path := range file.MatchPaths { - if path.Path != "" { - fileType.MatchPaths = append(fileType.MatchPaths, kubearmorv1.FilePathType{ - Path: kubearmorv1.MatchPathType(path.Path), - }) - } - } - - for _, dir := range file.MatchDirectories { - var fromSources []kubearmorv1.MatchSourceType - for _, source := range dir.FromSource { - fromSources = append(fromSources, kubearmorv1.MatchSourceType{ - Path: kubearmorv1.MatchPathType(source.Path), - }) - } - if dir.Directory != "" || len(fromSources) > 0 { - fileType.MatchDirectories = append(fileType.MatchDirectories, kubearmorv1.FileDirectoryType{ - Directory: kubearmorv1.MatchDirectoryType(dir.Directory), - Recursive: dir.Recursive, - FromSource: fromSources, - }) - } - } - } - } - - return fileType -} - -func extractToKubeArmorPolicyCapabilitiesType(bindingInfo *general.BindingInfo) kubearmorv1.CapabilitiesType { - var capabilitiesType kubearmorv1.CapabilitiesType - intent := bindingInfo.Intent[0] - - if len(intent.Spec.Intent.Resource) > 0 && len(intent.Spec.Intent.Resource[0].Capabilities) > 0 { - for _, capability := range intent.Spec.Intent.Resource[0].Capabilities { - for _, matchCapability := range capability.MatchCapabilities { - if matchCapability.Capability != "" { - capabilitiesType.MatchCapabilities = append(capabilitiesType.MatchCapabilities, kubearmorv1.MatchCapabilitiesType{ - Capability: kubearmorv1.MatchCapabilitiesStringType(matchCapability.Capability), - }) - } - } - } - } else { - capabilitiesType.MatchCapabilities = append(capabilitiesType.MatchCapabilities, kubearmorv1.MatchCapabilitiesType{ - Capability: "lease", - }) - } - return capabilitiesType -} - -func 
extractToKubeArmorPolicyNetworkType(bindingInfo *general.BindingInfo) kubearmorv1.NetworkType { - var networkType kubearmorv1.NetworkType - intent := bindingInfo.Intent[0] - - if len(intent.Spec.Intent.Resource) > 0 && len(intent.Spec.Intent.Resource[0].Network) > 0 { - for _, network := range intent.Spec.Intent.Resource[0].Network { - for _, matchProtocol := range network.MatchProtocols { - var fromSources []kubearmorv1.MatchSourceType - for _, source := range matchProtocol.FromSource { - fromSources = append(fromSources, kubearmorv1.MatchSourceType{ - Path: kubearmorv1.MatchPathType(source.Path), - }) - } - if matchProtocol.Protocol != "" { - networkType.MatchProtocols = append(networkType.MatchProtocols, kubearmorv1.MatchNetworkProtocolType{ - Protocol: kubearmorv1.MatchNetworkProtocolStringType(matchProtocol.Protocol), - FromSource: fromSources, - }) - } - } - } - } else { - networkType.MatchProtocols = append(networkType.MatchProtocols, kubearmorv1.MatchNetworkProtocolType{ - Protocol: "raw", - }) - } - return networkType -} - -// getEndpointSelector creates an endpoint selector from the SecurityIntent. 
-func getEndpointSelector(ctx context.Context, bindingInfo *general.BindingInfo) api.EndpointSelector { - - matchLabels := make(map[string]string) - /// Extract matched labels from BindingInfo - for _, filter := range bindingInfo.Binding.Spec.Selector.Any { - for key, val := range filter.Resources.MatchLabels { - matchLabels[key] = val - } - } - - for _, filter := range bindingInfo.Binding.Spec.Selector.All { - for key, val := range filter.Resources.MatchLabels { - matchLabels[key] = val - } - } - - processedLabels := make(map[string]string) - for key, val := range matchLabels { - processedKey := removeReservedPrefixes(key) - processedLabels[processedKey] = val - } - - // Create an Endpoint Selector based on processed labels - return api.NewESFromMatchRequirements(processedLabels, nil) -} - -func removeReservedPrefixes(key string) string { - for _, prefix := range []string{"any:", "all:", "cel:"} { - for strings.HasPrefix(key, prefix) { - key = strings.TrimPrefix(key, prefix) - } - } - return strings.TrimSpace(key) -} - -// getIngressDenyRules generates ingress deny rules from SecurityIntent specified in BindingInfo. 
-func getIngressDenyRules(bindingInfo *general.BindingInfo) []api.IngressDenyRule { - intent := bindingInfo.Intent[0] - - var ingressDenyRules []api.IngressDenyRule - - for _, resource := range intent.Spec.Intent.Resource { - ingressRule := api.IngressDenyRule{} - - for _, cidrSet := range resource.FromCIDRSet { - ingressRule.FromCIDRSet = append(ingressRule.FromCIDRSet, api.CIDRRule{ - Cidr: api.CIDR(cidrSet.CIDR), - }) - } - - for _, toPort := range resource.ToPorts { - var ports []api.PortProtocol - for _, port := range toPort.Ports { - ports = append(ports, api.PortProtocol{ - Port: port.Port, - Protocol: parseProtocol(port.Protocol), - }) - } - ingressRule.ToPorts = api.PortDenyRules{ - { - Ports: ports, - }, - } - } - - ingressDenyRules = append(ingressDenyRules, ingressRule) - } - - return ingressDenyRules -} - -func parseProtocol(protocol string) api.L4Proto { - // Convert protocol string to L4Proto type. - switch strings.ToUpper(protocol) { - case "TCP": - return api.ProtoTCP - case "UDP": - return api.ProtoUDP - case "ICMP": - return api.ProtoICMP - default: - return api.ProtoTCP - } -} - -// ---------------------------------------- -// -------- Apply & Update Policy -------- -// ---------------------------------------- - -// ApplyOrUpdatePolicy applies or updates the given policy. -func ApplyOrUpdatePolicy(ctx context.Context, c client.Client, policy client.Object, policyName string) error { - // Update the policy if it already exists, otherwise create a new one. 
- log := log.FromContext(ctx) - - var existingPolicy client.Object - var policySpec interface{} - - switch p := policy.(type) { - case *kubearmorv1.KubeArmorPolicy: - existingPolicy = &kubearmorv1.KubeArmorPolicy{} - policySpec = p.Spec - case *kubearmorv1.KubeArmorHostPolicy: - existingPolicy = &kubearmorv1.KubeArmorHostPolicy{} - policySpec = p.Spec - case *ciliumv2.CiliumNetworkPolicy: - existingPolicy = &ciliumv2.CiliumNetworkPolicy{} - policySpec = p.Spec - default: - return fmt.Errorf("unsupported policy type") - } - - err := c.Get(ctx, types.NamespacedName{Name: policyName, Namespace: policy.GetNamespace()}, existingPolicy) - if err != nil && !errors.IsNotFound(err) { - // Other error handling - log.Error(err, "Failed to get existing policy", "policy", policyName) - return err - } - - if errors.IsNotFound(err) { - // Create a policy if it doesn't exist - if err := c.Create(ctx, policy); err != nil { - log.Error(err, "Failed to apply policy", "policy", policyName) - return err - } - log.Info("Policy created", "Name", policyName) - } else { - // Update if policy already exists (compares specs only) - existingSpec := reflect.ValueOf(existingPolicy).Elem().FieldByName("Spec").Interface() - if !reflect.DeepEqual(policySpec, existingSpec) { - reflect.ValueOf(existingPolicy).Elem().FieldByName("Spec").Set(reflect.ValueOf(policySpec)) - if err := c.Update(ctx, existingPolicy); err != nil { - log.Error(err, "Failed to update policy", "policy", policyName) - return err - } - log.Info("Policy updated", "Name", policyName) - } else { - log.Info("Policy unchanged", "Name", policyName) - } - } - return nil -} - -// ---------------------------------------- -// ----------- Delete Policy ------------- -// ---------------------------------------- - -// DeletePolicy deletes a policy based on type, name, and namespace. -func DeletePolicy(ctx context.Context, c client.Client, policyType, name, namespace string) error { - // Process the deletion request based on policy type. 
- - var policy client.Object - log := log.FromContext(ctx) - - switch policyType { - case "KubeArmorPolicy": - policy = &kubearmorv1.KubeArmorPolicy{} - case "KubeArmorHostPolicy": - policy = &kubearmorv1.KubeArmorHostPolicy{} - case "CiliumNetworkPolicy": - policy = &ciliumv2.CiliumNetworkPolicy{} - default: - return fmt.Errorf("Unknown policy type: %s", policyType) - } - - policy.SetName(name) - policy.SetNamespace(namespace) - - if err := c.Delete(ctx, policy); client.IgnoreNotFound(err) != nil { - log.Error(err, "Failed to delete policy", "Type", policyType, "Name", name, "Namespace", namespace) - return err - } - return nil -} -*/ diff --git a/pkg/nimbus-kubearmor/receiver/nimbuspolicywatcher/watcher.go b/pkg/nimbus-kubearmor/receiver/nimbuspolicywatcher/watcher.go new file mode 100644 index 00000000..8e225df2 --- /dev/null +++ b/pkg/nimbus-kubearmor/receiver/nimbuspolicywatcher/watcher.go 
@@ -0,0 +1,62 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package nimbuspolicywatcher
+
+import (
+ "context"
+ "log"
+ "time"
+
+ "sigs.k8s.io/controller-runtime/pkg/client"
+
+ v1 "github.com/5GSEC/nimbus/api/v1"
+)
+
+// NimbusPolicyWatcher is a struct that holds a client for interacting with Kubernetes API.
+type NimbusPolicyWatcher struct {
+ client.Client
+}
+
+// NewNimbusPolicyWatcher creates a new instance of NimbusPolicyWatcher.
+// It requires a Kubernetes client for operations.
+func NewNimbusPolicyWatcher(client client.Client) *NimbusPolicyWatcher {
+ return &NimbusPolicyWatcher{Client: client}
+}
+
+// WatchNimbusPolicies continuously watches for changes to NimbusPolicy resources across all namespaces.
+// It returns a channel through which the NimbusPolicy objects can be received.
+func (npw *NimbusPolicyWatcher) WatchNimbusPolicies(ctx context.Context) (<-chan v1.NimbusPolicy, error) {
+ policyChan := make(chan v1.NimbusPolicy)
+
+ go func() {
+ defer close(policyChan)
+
+ for {
+ select {
+ case <-ctx.Done():
+ // Exit the loop if the context is cancelled
+ return
+ default:
+ var nimbusPolicies v1.NimbusPolicyList
+ // Attempt to list all NimbusPolicies in all namespaces
+ if err := npw.List(ctx, &nimbusPolicies, client.InNamespace("")); err != nil {
+ log.Printf("Error listing NimbusPolicies: %v", err)
+ // Wait before retrying in case of an error
+ time.Sleep(time.Second * 5)
+ continue
+ }
+
+ // Send each found NimbusPolicy to the channel
+ for _, np := range nimbusPolicies.Items {
+ policyChan <- np
+ }
+
+ // Wait before checking for new changes
+ time.Sleep(time.Second * 10)
+ }
+ }
+ }()
+
+ return policyChan, nil
+}
diff --git a/pkg/nimbus-kubearmor/receiver/server/server.go b/pkg/nimbus-kubearmor/receiver/server/server.go
deleted file mode 100644
index f58d5285..00000000
--- a/pkg/nimbus-kubearmor/receiver/server/server.go
+++ /dev/null
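Review bot: The send `policyChan <- np` and both `time.Sleep` calls in the polling loop do not observe ctx, so after cancellation the goroutine only exits once the consumer has drained every pending policy and the 10-second sleep has elapsed; if the consumer has already stopped receiving, the send blocks forever and the goroutine leaks. Wrapping the send and the waits in a select on ctx.Done() makes cancellation prompt, as sketched below (the same select replaces the 5-second error sleep). Two smaller points: this is a periodic List rather than a watch, so every existing policy is re-emitted every 10 seconds and the doc comment "continuously watches for changes" should say so because callers must deduplicate; and the error result is always nil, so either drop it or document it as reserved. The controller changed in this same commit logs through controller-runtime's `log.FromContext(ctx)` rather than the standard `log` package, and this file would be more consistent doing the same.

```go
		// … unchanged: ctx.Done() case, List call and its error handling …

		// Send each found NimbusPolicy to the channel, giving up on cancellation
		for _, np := range nimbusPolicies.Items {
			select {
			case policyChan <- np:
			case <-ctx.Done():
				return
			}
		}

		// Wait before checking for new changes, but stop promptly on cancellation
		select {
		case <-ctx.Done():
			return
		case <-time.After(time.Second * 10):
		}
```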
@@ -1,82 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// Copyright 2023 Authors of Nimbus
-
-package main
-
-import (
- "encoding/json"
- "fmt"
- "io"
- "log"
- "net/http"
- "sync"
- "time"
-)
-
-var (
- // Memory store for saved Nimbus Policies
- nimbusPolicies []interface{}
- lock sync.Mutex
-)
-
-func main() {
- // Handler for exporting Nimbus Policies
- http.HandleFunc("/api/v1/nimbus/export", func(w http.ResponseWriter, r *http.Request) {
- if r.Method != "POST" {
- http.Error(w, "Only POST method is accepted", http.StatusMethodNotAllowed)
- return
- }
-
- // Read the request body
- body, err := io.ReadAll(r.Body)
- if err != nil {
- http.Error(w, "Error reading request body", http.StatusInternalServerError)
- return
- }
- defer r.Body.Close()
-
- // Unmarshal the JSON data from the request
- var data interface{}
- err = json.Unmarshal(body, &data)
- if err != nil {
- http.Error(w, "Error unmarshalling request body", http.StatusBadRequest)
- return
- }
-
- // Store the received Nimbus Policy
- lock.Lock()
- nimbusPolicies = append(nimbusPolicies, data)
- lock.Unlock()
-
- // Log the received policy
- fmt.Printf("Received Nimbus Policy: %+v\n", data)
- w.WriteHeader(http.StatusOK)
- })
-
- // Handler for retrieving stored Nimbus Policies
- http.HandleFunc("/api/v1/nimbus/policies", func(w http.ResponseWriter, r *http.Request) {
- if r.Method != "GET" {
- http.Error(w, "Only GET method is accepted", http.StatusMethodNotAllowed)
- return
- }
-
- lock.Lock()
- defer lock.Unlock()
- // Encode and respond with the stored policies
- if err := json.NewEncoder(w).Encode(nimbusPolicies); err != nil {
- http.Error(w, "Error encoding response", http.StatusInternalServerError)
- }
- })
-
- // Create a custom HTTP server with timeouts
- server := &http.Server{
- Addr: ":13000",
- ReadTimeout: 10 * time.Second,
- WriteTimeout: 10 * time.Second,
- IdleTimeout: 15 * time.Second,
- }
-
- // Start the server
- log.Println("Server starting on port 13000...")
- log.Fatal(server.ListenAndServe())
-}
diff --git a/pkg/nimbus-kubearmor/receiver/verifier/verifier.go b/pkg/nimbus-kubearmor/receiver/verifier/verifier.go
new file mode 100644
index 00000000..83d26ec7
--- /dev/null
+++ b/pkg/nimbus-kubearmor/receiver/verifier/verifier.go
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package verifier
+
+import (
+ "strings"
+
+ v1 "github.com/5GSEC/nimbus/api/v1"
+)
+
+// HandlePolicy checks if the given NimbusPolicy contains any rules that start with "sys".
+// It iterates through the NimbusRules in the policy and returns true if any rule's Id starts with "sys".
+// This function is used to identify policies that should be processed by this adapter.
+func HandlePolicy(policy v1.NimbusPolicy) bool {
+ for _, rule := range policy.Spec.NimbusRules {
+ if strings.HasPrefix(rule.Id, "sys") {
+ // If any rule's Id starts with "sys", return true
+ return true
+ }
+ }
+ // Return false if no such rules are found
+ return false
+}
diff --git a/pkg/processor/nimbuspolicybuilder/nimbuspolicy_builder.go b/pkg/processor/nimbuspolicybuilder/nimbuspolicy_builder.go
index 01384862..0cb63a95 100644
--- a/pkg/processor/nimbuspolicybuilder/nimbuspolicy_builder.go
+++ b/pkg/processor/nimbuspolicybuilder/nimbuspolicy_builder.go
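Review bot: The predicate matches on the bare prefix `"sys"`, while the rule ids this adapter targets carry a `sys-` prefix (the test intent in this commit is renamed to `sys-proc-paths`), so any unrelated id that merely begins with those three letters would also be claimed by this adapter. Tightening to `if strings.HasPrefix(rule.Id, "sys-") {` keeps the routing unambiguous, and the doc comment should name the full prefix convention rather than the three letters. As a point of style, `HandlePolicy` reads as though it performs the handling when it only decides it; a name such as `ShouldHandle` would make the contract clearer to the caller.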
@@ -167,12 +167,22 @@ func processSecurityIntentParams(rule *v1.Rule, param v1.SecurityIntentParams) {
 
 // Processes MatchCapabilities.
 for _, mc := range param.MatchCapabilities {
- rule.MatchCapabilities = append(rule.MatchCapabilities, v1.MatchCapability(mc))
+ matchCapability := v1.MatchCapability{
+ Capability: mc.Capability,
+ FromSource: []v1.NimbusFromSource{},
+ }
+ rule.MatchCapabilities = append(rule.MatchCapabilities, matchCapability)
 }
 
- // Processes MatchSyscalls.
+ // Processes MatchSyscalls and MatchSyscallPaths.
 for _, ms := range param.MatchSyscalls {
- rule.MatchSyscalls = append(rule.MatchSyscalls, v1.MatchSyscall(ms))
+ var matchSyscall v1.MatchSyscall
+ matchSyscall.Syscalls = ms.Syscalls
+ rule.MatchSyscalls = append(rule.MatchSyscalls, matchSyscall)
+ }
+
+ for _, msp := range param.MatchSyscallPaths {
+ rule.MatchSyscallPaths = append(rule.MatchSyscallPaths, v1.MatchSyscallPath(msp))
 }
 
 // Processes FromCIDRSet.
@@ -200,7 +210,7 @@ func extractSelector(selector v1.Selector) (map[string]string, error) {
 if len(selector.CEL) > 0 {
 celMatchLabels, err := ProcessCEL(selector.CEL)
 if err != nil {
- return nil, fmt.Errorf("error processing CEL: %v", err)
+ return nil, fmt.Errorf("Error processing CEL: %v", err)
 }
 for k, v := range celMatchLabels {
 matchLabels[k] = v
@@ -211,7 +221,7 @@ func extractSelector(selector v1.Selector) (map[string]string, error) {
 if len(selector.Any) > 0 || len(selector.All) > 0 {
 matchLabelsFromAnyAll, err := ProcessMatchLabels(selector.Any, selector.All)
 if err != nil {
- return nil, fmt.Errorf("error processing Any/All match labels: %v", err)
+ return nil, fmt.Errorf("Error processing Any/All match labels: %v", err)
 }
 for key, value := range matchLabelsFromAnyAll {
 matchLabels[key] = value
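Review bot: The error strings in the `@@ -200` and `@@ -211` hunks (and the four in ProcessCEL at `@@ -229` and `@@ -237` that follow) are being changed to start with a capitalised `Error …`, which goes against Go convention: error strings are lowercase and carry no error prefix, because callers wrap them into longer chains where the capital and the redundant word read badly, and staticcheck ST1005 flags exactly this. While touching these lines, `%w` instead of `%v` lets callers inspect the cause with errors.Is/As, e.g. `return nil, fmt.Errorf("processing CEL: %w", err)`. In the first hunk, `FromSource: []v1.NimbusFromSource{}` for MatchCapability and the nil FromSource left on matchSyscall serialise identically under omitempty, so the explicit empty slice is inconsistent with its sibling; leaving both nil is the idiomatic choice. processSecurityIntentParams and extractSelector start and end outside these hunks.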
@@ -229,7 +239,7 @@ func ProcessCEL(expressions []string) (map[string]string, error) {
 ),
 )
 if err != nil {
- return nil, fmt.Errorf("error creating CEL environment: %v", err)
+ return nil, fmt.Errorf("Error creating CEL environment: %v", err)
 }
 
 matchLabels := make(map[string]string)
@@ -237,19 +247,19 @@ func ProcessCEL(expressions []string) (map[string]string, error) {
 for _, expr := range expressions {
 ast, issues := env.Compile(expr)
 if issues != nil && issues.Err() != nil {
- return nil, fmt.Errorf("error compiling CEL expression: %v", issues.Err())
+ return nil, fmt.Errorf("Error compiling CEL expression: %v", issues.Err())
 }
 
 prg, err := env.Program(ast)
 if err != nil {
- return nil, fmt.Errorf("error creating CEL program: %v", err)
+ return nil, fmt.Errorf("Error creating CEL program: %v", err)
 }
 
 out, _, err := prg.Eval(map[string]interface{}{
 "label": map[string]interface{}{},
 })
 if err != nil {
- return nil, fmt.Errorf("error evaluating CEL expression: %v", err)
+ return nil, fmt.Errorf("Error evaluating CEL expression: %v", err)
 }
 
 // Handle the output of the CEL expression.
@@ -261,7 +271,6 @@ func ProcessCEL(expressions []string) (map[string]string, error) {
 }
 }
 }
-
 return matchLabels, nil
 }
 
diff --git a/pkg/receiver/securityintentbinding/securityintentbinding_controller.go b/pkg/receiver/securityintentbinding/securityintentbinding_controller.go
index 0b5562d3..9ed19902 100644
--- a/pkg/receiver/securityintentbinding/securityintentbinding_controller.go
+++ b/pkg/receiver/securityintentbinding/securityintentbinding_controller.go
@@ -7,7 +7,9 @@ import (
 "context"
 "fmt"
 
+ "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/types"
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/log"
@@ -16,6 +18,7 @@ import (
 "github.com/5GSEC/nimbus/pkg/processor/intentbinder"
 "github.com/5GSEC/nimbus/pkg/processor/nimbuspolicybuilder"
 "github.com/5GSEC/nimbus/pkg/receiver/watcher"
+ kubearmorv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1"
 )
 
 // SecurityIntentBindingReconciler reconciles a SecurityIntentBinding object
@@ -76,6 +79,32 @@ func (r *SecurityIntentBindingReconciler) Reconcile(ctx context.Context, req ctr
 log.Info("SecurityIntentBinding resource found", "Name", req.Name, "Namespace", req.Namespace)
 } else {
 log.Info("SecurityIntentBinding resource not found", "Name", req.Name, "Namespace", req.Namespace)
+
+ // Delete associated NimbusPolicy if exists
+ nimbusPolicy := &v1.NimbusPolicy{}
+ err := r.Get(ctx, types.NamespacedName{Name: req.Name, Namespace: req.Namespace}, nimbusPolicy)
+ if err != nil && !errors.IsNotFound(err) {
+ log.Error(err, "Failed to get NimbusPolicy for deletion")
+ return ctrl.Result{}, err
+ }
+ if err == nil {
+ // NimbusPolicy exists, delete it
+ if err := r.Delete(ctx, nimbusPolicy); err != nil {
+ log.Error(err, "Failed to delete NimbusPolicy")
+ return ctrl.Result{}, err
+ }
+ log.Info("Deleted NimbusPolicy due to SecurityIntentBinding deletion", "NimbusPolicy", req.NamespacedName)
+ }
+ // Delete Kubearmor Policy with the same name and namespace
+ kubearmorPolicy := &kubearmorv1.KubeArmorPolicy{}
+ if err := r.Get(ctx, client.ObjectKey{Name: req.Name, Namespace: req.Namespace}, kubearmorPolicy); err == nil {
+ if err := r.Delete(ctx, kubearmorPolicy); err != nil {
+ log.Error(err, "Failed to delete KubearmorPolicy")
+ return ctrl.Result{}, err
+ }
+ log.Info("Deleted KubearmorPolicy due to SecurityIntentBinding deletion", "KubearmorPolicy", req.NamespacedName)
+ }
+
+ return ctrl.Result{}, nil
 }
 
 // Call the MatchAndBindIntents function to generate the binding information.
diff --git a/scripts/cleanup.sh b/scripts/cleanup.sh
new file mode 100755
index 00000000..31d3bb2c
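Review bot: The KubeArmorPolicy branch drops the Get error: `if err := r.Get(...); err == nil {` treats a permission error or an unavailable API server the same as not-found, so the reconcile returns success without requeueing and an enforcement policy can be left behind with no SecurityIntentBinding backing it, whereas the NimbusPolicy branch just above distinguishes not-found from other errors and returns them. Mirroring that handling, as below, makes the failure retryable instead of silent. The deletion also keys purely on name and namespace, so a KubeArmorPolicy that happens to share the binding's name but was not generated by Nimbus would be removed; if the adapter sets an owner reference or label on the policies it creates (not visible in this diff), checking it before `r.Delete` would scope the cleanup to Nimbus-owned objects. Reconcile begins and ends outside the hunk.

```go
			// Delete Kubearmor Policy with the same name and namespace
			kubearmorPolicy := &kubearmorv1.KubeArmorPolicy{}
			err = r.Get(ctx, client.ObjectKey{Name: req.Name, Namespace: req.Namespace}, kubearmorPolicy)
			if err != nil && !errors.IsNotFound(err) {
				log.Error(err, "Failed to get KubearmorPolicy for deletion")
				return ctrl.Result{}, err
			}
			if err == nil {
				// … unchanged: Delete call and log.Info …
			}
```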
--- /dev/null
+++ b/scripts/cleanup.sh
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+#!/bin/bash
+
+# Delete all SecurityIntent resources
+kubectl delete securityintents --all --all-namespaces
+
+# Delete all SecurityIntentBinding resources
+kubectl delete securityintentbindings --all --all-namespaces
+
+# Delete all NimbusPolicy resources
+kubectl delete nimbuspolicies --all --all-namespaces
+
+# Delete all KubeArmorPolicy resouces
+kubectl delete ksp --all --all-namespaces
+
+echo "All resources have been successfully deleted."
\ No newline at end of file
diff --git a/test/v2/intents/system/intent-path-block.yaml b/test/v2/intents/system/intent-path-block.yaml
index 451ca150..2f6dbf39 100644
--- a/test/v2/intents/system/intent-path-block.yaml
+++ b/test/v2/intents/system/intent-path-block.yaml
@@ -5,7 +5,7 @@ metadata:
 namespace: multiubuntu
 spec:
 intent:
- id: sys-path-exec
+ id: sys-proc-paths
 description: "block the execution of '/bin/sleep'"
 action: Block
 mode: Strict
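Review bot: The interpreter line `#!/bin/bash` sits on line 4, after the SPDX comments, where it is just another comment; a shebang is honoured only as the very first line of the file, so as written the script runs under whichever shell the caller happens to invoke it with. Move it above the license header and add `set -euo pipefail` so the closing `echo` is not printed after a failed delete. `kubectl delete ksp --all --all-namespaces` also removes every KubeArmorPolicy in the cluster, including any not generated by Nimbus; if the adapter labels the policies it creates, scoping this line with `-l <nimbus-label-selector>` (placeholder for the project's label) limits the cleanup to Nimbus-owned objects, and the header comment should at least state that the script is cluster-wide.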