search

kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0
1.32k stars 325 forks source link

Support `matchExpression` for selecting resources in policy #629

Open viveksahu26 opened 2 years ago

viveksahu26 commented 2 years ago

Feature Request

Short Description

Currently, KubeArmor policies selects resource on the basis of matchLabels. On a large scale deployment selecting resources with matchLabels won't help. To filter resources in more granularity policy must support matchExpression to filter or select resources.

Is your feature request related to a problem? Please describe the use case.

To support selection of resources in the policy with the help of matchExpression.

Describe the solution you'd like

Need to add separate function to add functionality for matchExpression. To be taken care that, policy while selecting resources can select resources in either of 2 ways:- Case:1 Either matchExpression or matchLabels must present or Case:2 Both of them could be present.

Current Scenario In current scenario when try to apply the policy containing matchExpression as a selector,

kubectl apply -n multiubutu -f-     << EOF

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-group-1-proc-path-block
  namespace: multiubuntu
spec:
  selector:
    matchExpressions:
    - {key: group, operator: In, values: [group-1]}
  process:
    matchPaths:
    - path: /bin/sleep
  action:
    Block
EOF

Error: 

error: error validating "STDIN": error validating data: ValidationError(KubeArmorPolicy.spec.selector): unknown field "matchExpressions" in com.kubearmor.security.v1.KubeArmorPolicy.spec.selector; if you choose to ignore these errors, turn validation off with --validate=false
viveksahu26 commented 2 years ago

Hey @nyrahul , I would like to work on this issue.

nyrahul commented 2 years ago

Hey @nyrahul , I would like to work on this issue.

Thanks for the interest. Would you be able to provide an analysis (set of implementation changes) before you start making the changes? This would help us sync on the appropriate next steps.

viveksahu26 commented 2 years ago

Ok, I will create small design doc for the same. And discuss it with the community in the next meeting.

viveksahu26 commented 2 years ago

/assign

viveksahu26 commented 2 years ago

Adding few policies based on the selector type matchExpression. MatchExpression supports total 4 types of operators. In—Label’s value must match one of the specified values. NotIn—Label’s value must not match any of the specified values. Exists —Pod must include a label with the specified key (the value isn’t important). When using this operator, the values field should not be specified. DoesNotExist —Pod must not include a label with the specified key. The values property must not be specified.

Policy with matchExpression containing In operator.

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-group-1-proc-path-block
  namespace: multiubuntu
spec:
  severity: 5
  message: "block the sleep command"
  selector:
    matchLabels:
      group: group-1
    matchExpressions:
      - {key: security, operator: In, values: [apparmor, selinux, bpflsm]}
  process:
    matchPaths:
    - path: /bin/sleep # try sleep 1 (permission denied)
  action:
    Block

Policy with matchExpression containing NotIn operator.

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-group-1-proc-path-block
  namespace: multiubuntu
spec:
  severity: 5
  message: "block the sleep command"
  selector:
    matchLabels:
      group: group-1
    matchExpressions:
      - {key: security, operator: NotIn, values: [apparmor, selinux, bpflsm]}
  process:
    matchPaths:
    - path: /bin/sleep # try sleep 1 (permission denied)
  action:
    Block

And example of resource:-

apiVersion: apps/v1
kind: Deployment
metadata:
 name: ubuntu-1-deployment
 namespace: multiubuntu
 labels:
   deployment: ubuntu-1
spec:
 replicas: 1
 selector:
   matchLabels:
     group: group-1
     container: ubuntu-1
   matchExpressions:
   - {key: security, operator: In, values: [apparmor, selinux, bpflsm]}
 template:
   metadata:
     labels:
       group: group-1
       container: ubuntu-1
       security: apparmor
       distros: ubuntu
   spec:
     containers:
       - name: ubuntu-1-container
         image: nginx

Need suggestion from @nyrahul , @daemon1024 and @nam-jaehyun . Among 4 operators, Do we need support for all 4 operators or some of them?

For ref:- Kyverno also supports selecting resource using matchExpression.

viveksahu26 commented 2 years ago

In the bi-weekly meeting, the conclusion was made to support all 4 operators(In, NotIn, Exists, DoesNotExist) for matchExpression selector.

kaiquerass commented 1 year ago

Hey guys, any update on this issue? Would be great to have this implemented.

nyrahul commented 1 year ago

Hey guys, any update on this issue? Would be great to have this implemented.

As of now we haven't planned this in v0.6 ... v0.6 is anticipated by the end of August, so backlog grooming for v0.7 is in progress. We can possibly take this up v0.7. Do you have any specific use-cases you can quote in the context? We have our community meeting today and we will discuss it there (will be great if you can be part of it). Thanks

kaiquerass commented 1 year ago

Sure! Today we have microservices using different languages, so I'm able to apply specific language policies, using matchLabels. ex: backend: kotlin, backend: golang

But on the other hand, we have some policies that apply to all backend services, for example, accessing /etc/passwdfiles, or /proc/1/environ. In this case, we had to create another label on our deployments, making changes on lots of manifests, since we could just apply the policy using `MatchExpression: