Open viveksahu26 opened 2 years ago
Hey @nyrahul , I would like to work on this issue.
Hey @nyrahul , I would like to work on this issue.
Thanks for the interest. Would you be able to provide an analysis (set of implementation changes) before you start making the changes? This would help us sync on the appropriate next steps.
Ok, I will create small design doc for the same. And discuss it with the community in the next meeting.
/assign
Adding few policies based on the selector type matchExpression
.
MatchExpression
supports total 4 types of operators.
In
—Label’s value must match one of the specified values.
NotIn
—Label’s value must not match any of the specified values.
Exists
—Pod must include a label with the specified key (the value isn’t important). When using this operator, the values field should not be specified.
DoesNotExist
—Pod must not include a label with the specified key. The values property must not be specified.
Policy with matchExpression containing In
operator.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-group-1-proc-path-block
namespace: multiubuntu
spec:
severity: 5
message: "block the sleep command"
selector:
matchLabels:
group: group-1
matchExpressions:
- {key: security, operator: In, values: [apparmor, selinux, bpflsm]}
process:
matchPaths:
- path: /bin/sleep # try sleep 1 (permission denied)
action:
Block
Policy with matchExpression containing NotIn
operator.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-group-1-proc-path-block
namespace: multiubuntu
spec:
severity: 5
message: "block the sleep command"
selector:
matchLabels:
group: group-1
matchExpressions:
- {key: security, operator: NotIn, values: [apparmor, selinux, bpflsm]}
process:
matchPaths:
- path: /bin/sleep # try sleep 1 (permission denied)
action:
Block
And example of resource:-
apiVersion: apps/v1
kind: Deployment
metadata:
name: ubuntu-1-deployment
namespace: multiubuntu
labels:
deployment: ubuntu-1
spec:
replicas: 1
selector:
matchLabels:
group: group-1
container: ubuntu-1
matchExpressions:
- {key: security, operator: In, values: [apparmor, selinux, bpflsm]}
template:
metadata:
labels:
group: group-1
container: ubuntu-1
security: apparmor
distros: ubuntu
spec:
containers:
- name: ubuntu-1-container
image: nginx
Need suggestion from @nyrahul , @daemon1024 and @nam-jaehyun . Among 4 operators, Do we need support for all 4 operators or some of them?
For ref:- Kyverno also supports selecting resource using matchExpression.
In the bi-weekly meeting, the conclusion was made to support all 4 operators(In
, NotIn
, Exists
, DoesNotExist
) for matchExpression
selector.
Hey guys, any update on this issue? Would be great to have this implemented.
Hey guys, any update on this issue? Would be great to have this implemented.
As of now we haven't planned this in v0.6 ... v0.6 is anticipated by the end of August, so backlog grooming for v0.7 is in progress. We can possibly take this up v0.7. Do you have any specific use-cases you can quote in the context? We have our community meeting today and we will discuss it there (will be great if you can be part of it). Thanks
Sure!
Today we have microservices using different languages, so I'm able to apply specific language policies, using matchLabels. ex: backend: kotlin
, backend: golang
But on the other hand, we have some policies that apply to all backend services, for example, accessing /etc/passwd
files, or /proc/1/environ
.
In this case, we had to create another label on our deployments, making changes on lots of manifests, since we could just apply the policy using `MatchExpression:
Feature Request
Short Description
Currently, KubeArmor policies selects resource on the basis of
matchLabels
. On a large scale deployment selecting resources withmatchLabels
won't help. To filter resources in more granularity policy must supportmatchExpression
to filter or select resources.Is your feature request related to a problem? Please describe the use case.
To support selection of resources in the policy with the help of
matchExpression
.Describe the solution you'd like
Need to add separate function to add functionality for
matchExpression
. To be taken care that, policy while selecting resources can select resources in either of 2 ways:- Case:1 EithermatchExpression
ormatchLabels
must present or Case:2 Both of them could be present.Current Scenario In current scenario when try to apply the policy containing
matchExpression
as a selector,Error: