defenseunicorns / uds-core

A secure runtime platform for mission-critical capabilities
https://uds.defenseunicorns.com
Apache License 2.0

Create Application White Listing Pepr Policy #370

Open CloudBeard opened 4 months ago

CloudBeard commented 4 months ago

Is your feature request related to a problem? Please describe.

For FedRAMP/NIST compliance we need an application white listing policy.

Describe the solution you'd like

Create an application white listing Pepr policy that prevents any application from running unless it is "approved".

The main goal is that every application that runs in the cluster is checked against a policy to see whether it is allowed to run. If it is not on the "list", it is not allowed to run. If it is, it can run.

mjnagel commented 4 months ago

I'm curious about the typical implementation of the policy, especially as related to k8s environments. Would it be common to have a list of allowed namespaces, images, both, or something different? We could definitely do this in a number of ways, but I would expect that we need to provide a config value for the policy, given that some people might be running SWF and some may not (and all the other extra app possibilities).

CloudBeard commented 4 months ago

I have seen it done with Admission Controllers, and it's based on image, but it could be both namespaces and images to be more granular. I have also seen Prisma used, and I think it works on image name, digest, and namespace (maybe a combo of those too).

Outside of Kubernetes environments I've seen Trend Micro's Deep Security used a ton; I think it works off specific file paths to specific types of executables.
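The admission check the thread describes (approve a pod by image and namespace, deny everything else), as an added example that is not part of this issue or of uds-core. It assumes the allow-list shape shown below and is plain TypeScript that a Pepr validate callback could call on the incoming pod; the Pepr binding itself is not shown.

```typescript
// Added example, not uds-core code: allow-list decision logic for an admission
// policy keyed on namespace and image repo, with an optional pinned digest.
// Anything not matched by an entry is denied (default deny).

export interface AllowEntry {
  namespace: string; // exact namespace, or "*" for any namespace
  repo: string;      // image path without tag or digest
  digest?: string;   // if set, the pod must reference exactly this digest
}

export interface PodLike {
  metadata: { namespace?: string };
  spec: { containers: { image: string }[]; initContainers?: { image: string }[] };
}

export interface Decision { allowed: boolean; reason?: string }

// Split "repo[:tag][@sha256:...]" into the repo path and the optional digest.
export function parseImageRef(ref: string): { repo: string; digest?: string } {
  const at = ref.indexOf("@");
  const digest = at >= 0 ? ref.slice(at + 1) : undefined;
  let repo = at >= 0 ? ref.slice(0, at) : ref;
  // A tag is a ":" after the last "/", so "registry:5000/app" keeps its port.
  const colon = repo.indexOf(":", repo.lastIndexOf("/") + 1);
  if (colon >= 0) repo = repo.slice(0, colon);
  return { repo, digest };
}

// Every container and initContainer must match an entry; one miss denies the pod.
export function evaluatePod(pod: PodLike, allowList: AllowEntry[]): Decision {
  const ns = pod.metadata.namespace ?? "default";
  const all = [...pod.spec.containers, ...(pod.spec.initContainers ?? [])];
  for (const { image } of all) {
    const { repo, digest } = parseImageRef(image);
    const ok = allowList.some(e =>
      (e.namespace === "*" || e.namespace === ns) &&
      e.repo === repo &&
      (e.digest === undefined || e.digest === digest));
    if (!ok) return { allowed: false, reason: `image ${image} is not approved in namespace ${ns}` };
  }
  return { allowed: true };
}

// Constructed sample allow list: placeholder registry and digest, not real values.
export const SAMPLE_DIGEST = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
export const SAMPLE_ALLOW_LIST: AllowEntry[] = [
  { namespace: "*", repo: "registry.example/base/nginx" },
  { namespace: "payments", repo: "registry.example/apps/ledger", digest: SAMPLE_DIGEST },
];
```

A pinned-digest entry only passes pods that reference the image by digest, so a tag-only reference to the same repo is denied.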