kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0

feat: KubeArmor based Github Action #1128

Open Ankurk99 opened 1 year ago

Ankurk99 commented 1 year ago

The Problem

KubeArmor should be able to identify changes in the application posture early in the dev life cycle. If the app changes result in new app behavior, such as new process invocations, new file system accesses or new network connections, then these have to be highlighted early in the application life cycle so that the security posture changes can be handled accordingly.

The solution

karmor summary provides a way to verify the application behavior. The aim would be to baseline the application behavior and check for any deviation during subsequent application updates.

[image: devsecops-kubearmor]

(Note: It is not expected that the UI looks exactly like this, but something similar where the user can figure out what the change in the application behavior is.)

Feature Request

Create a GitHub Action utilizing KubeArmor and Discovery Engine to generate runtime security policies.

CC: @nyrahul @daemon1024 @kranurag7

zhy76 commented 1 year ago

Hi, @Ankurk99, I am a master's student from the SEL laboratory of Zhejiang University, familiar with cloud native, Kubernetes, Docker, GitHub Actions and Go. I am very interested in this issue and hope to participate in the community through it. I love open source. As a Sealer member (also a project under CNCF), I was responsible for implementing the Sealer E2E test infra from ECS to containers; through this work, I became more familiar with CI, GitHub Actions, k8s and Docker. I also participated in an eBPF project. Therefore, I think this project is quite suitable for me. I plan to apply for GSoC 2023 and apply for this project. Could you give me more suggestions to help me get started?

xiao-jay commented 1 year ago

Hi @Ankurk99, I am also interested in this project, and also familiar with cloud native, Kubernetes, Docker and GitHub Actions. I am a sealos (based on sealer, but with 10k stars) contributor with 34 commits. I was responsible for implementing the Sealos E2E test CRD in GitHub Actions, writing the CRD design docs and implementing it; through this work, I became more familiar with CI, GitHub Actions, k8s and CRDs. I also plan to join GSoC 2023.

@zhy76 bro, we have so many similarities, so destined. Nice to meet you. Let's make progress together.

xiao-jay commented 1 year ago

> Hi, @Ankurk99, I am a master's student from the SEL laboratory of Zhejiang University, familiar with cloud native, Kubernetes, Docker, GitHub Actions and Go. I am very interested in this issue and hope to participate in the community through it. I love open source. As a Sealer member (also a project under CNCF), I was responsible for implementing the Sealer E2E test infra from ECS to containers; through this work, I became more familiar with CI, GitHub Actions, k8s and Docker. I also participated in an eBPF project. Therefore, I think this project is quite suitable for me. I plan to apply for GSoC 2023 and apply for this project. Could you give me more suggestions to help me get started?

@zhy76 hi, I think you can first learn how to install karmor (quick start), second learn the karmor install shell, and finally learn the karmor summary command.

Ankurk99 commented 1 year ago

Hey @zhy76 @xiao-jay, welcome to KubeArmor. I am glad that you are interested in the project and want to take it as your GSoC project. I would recommend that you try out KubeArmor and get a basic understanding of what it does. This project might also use the Docker image of Discovery Engine, so you might also want to check that out. To better understand the project, you might want to pick some beginner's issue, which may or may not be related to GitHub Actions.

zhy76 commented 1 year ago

> Hey @zhy76 @xiao-jay, welcome to KubeArmor. I am glad that you are interested in the project and want to take it as your GSoC project. I would recommend that you try out KubeArmor and get a basic understanding of what it does. This project might also use the Docker image of Discovery Engine, so you might also want to check that out. To better understand the project, you might want to pick some beginner's issue, which may or may not be related to GitHub Actions.

Thanks, I'll try!

zhy76 commented 1 year ago

> > Hi, @Ankurk99, I am a master's student from the SEL laboratory of Zhejiang University, familiar with cloud native, Kubernetes, Docker, GitHub Actions and Go. I am very interested in this issue and hope to participate in the community through it. I love open source. As a Sealer member (also a project under CNCF), I was responsible for implementing the Sealer E2E test infra from ECS to containers; through this work, I became more familiar with CI, GitHub Actions, k8s and Docker. I also participated in an eBPF project. Therefore, I think this project is quite suitable for me. I plan to apply for GSoC 2023 and apply for this project. Could you give me more suggestions to help me get started?
>
> @zhy76 hi, I think you can first learn how to install karmor (quick start), second learn the karmor install shell, and finally learn the karmor summary command.

Thanks, nice to meet you!

zhy76 commented 1 year ago

After some research, let me try to understand what we need to do for this project. We need to create a CI test for KubeArmor: when some app changes, we need to highlight the new app behavior and generate runtime security policies for this new app. Am I right?

As far as I know, my initial thoughts are as follows:

  1. use GitHub Actions to create a cluster (can use k3s or kind or other tools)
  2. deploy an app named app1; this app will create some application behaviors like process invocation, file system access or new network connections.
  3. install KubeArmor.
  4. use karmor summary to verify the application behavior; the recorded baseline behavior is saved in a file named baseline for comparison in subsequent application updates.
  5. update app1 to app2
  6. use karmor summary to verify the application behavior; the recorded behavior is saved in a file named updated.
  7. use some tool like diff: `diff baseline updated`. This command compares the updated application behavior to the baseline behavior and prints the difference between them.
  8. output the log to Discovery Engine to generate runtime security policies for app2.

Am I understanding this correctly? :) @Ankurk99
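Steps 4 to 7 of the plan above, written out as a portable shell script so the comparison can run as a CI step. This is an added example and not code from the kubearmor-action project or from the commenter; it assumes (an assumption, not the real `karmor summary` output format) that each capture has already been normalized to one event per line, `<kind> <value>` with kind in {process, file, network}, and it constructs two such captures inline so it runs offline. It goes a little beyond a plain `diff`: only events that appeared in the updated capture are reported, grouped by kind, and the check function's exit status is what would fail the workflow step.

```shell
#!/bin/sh
# Added example (not kubearmor-action code): compare a saved behavior baseline
# against a fresh capture and fail when the app gained a process, file or
# network event. Input format is an ASSUMPTION: one "<kind> <value>" per line.
set -eu

# write_samples DIR: constructed "baseline" and "updated" captures so the
# script runs offline; in CI these files come from the karmor summary steps.
write_samples() {
    cat > "$1/baseline" <<'EOF'
process /usr/local/bin/app
process /bin/sh
file /etc/app/config.yaml
file /var/log/app.log
network tcp:10.0.0.5:5432
EOF
    cat > "$1/updated" <<'EOF'
process /usr/local/bin/app
process /bin/sh
process /usr/bin/curl
file /etc/app/config.yaml
file /var/log/app.log
file /etc/passwd
network tcp:10.0.0.5:5432
network tcp:203.0.113.10:443
EOF
}

# new_events BASELINE UPDATED: events present in UPDATED but absent from
# BASELINE (set difference via comm). Both sides are sorted and deduplicated
# first because comm requires sorted input. Events that disappeared are not
# reported: a posture that shrinks needs no new policy.
new_events() {
    sort -u "$1" > "$1.sorted"
    sort -u "$2" > "$2.sorted"
    comm -13 "$1.sorted" "$2.sorted"
    rm -f "$1.sorted" "$2.sorted"
}

# count_new BASELINE UPDATED KIND: number of new events of one kind
# (process, file or network), for a per-category breakdown.
count_new() {
    new_events "$1" "$2" | grep -c "^$3 " || true
}

# check_drift BASELINE UPDATED: return 0 when the posture is unchanged and 1
# when new behavior appeared, so a CI step can fail on it. The report lists
# processes first, then files, then network events.
check_drift() {
    drift=$(new_events "$1" "$2")
    if [ -z "$drift" ]; then
        echo "no new behavior: posture unchanged"
        return 0
    fi
    echo "new behavior detected (review, then hand to Discovery Engine):"
    for kind in process file network; do
        printf '%s\n' "$drift" | awk -v k="$kind" '$1 == k { print "  +", $0 }'
    done
    return 1
}

# Stand-alone run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
if check_drift "$tmp/baseline" "$tmp/updated"; then
    echo "ok"
else
    echo "drift found (this exit status would fail the workflow step)"
fi
rm -rf "$tmp"
```

In a workflow, the baseline file would be restored from the previous run (or committed to the repository) and `check_drift baseline updated` placed in its own step, so a non-zero exit status blocks the merge until someone has looked at the new events.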

sayantani11 commented 1 year ago

Hi @Ankurk99, I have contributed to KubeArmor previously as well and I really want to take it forward as my GSoC project. Can you help me with this particular issue? I have understood the basics of KubeArmor, and I will try to work on this issue, but I might require some help. Thank you!

daemon1024 commented 1 year ago

Hey folks. Thanks a lot for the interest in the project. We look forward to your proposals in the next 2 weeks. We can iterate over the proposals in the next 2 weeks and help you gain more understanding of the issue and the project itself.

That said, we really appreciate y'all taking the effort to contribute to the project and we look forward to working with you. We are available over Slack if you have any specific queries; happy to help out.

GetRohitansh commented 1 year ago

Is this issue still open or nearing completion? I would like to contribute.

zhy76 commented 1 year ago

This issue is done at kubearmor-action; there are still some areas that need to be improved in this project. We welcome your suggestions and contributions to this project. Thank you :)