kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0
1.35k stars 335 forks

Rancher Plugin Integration #992

Open daemon1024 opened 1 year ago

daemon1024 commented 1 year ago

An extension for Rancher Manager (^v2.7.0) which allows you to interact with KubeArmor.

Initial Scope

Future Items

Notes :

daemon1024 commented 1 year ago

WIP at https://github.com/daemon1024/ucy

daemon1024 commented 1 year ago

Regarding the Form to create policies

I was planning to have the following grouping and inputs

- General
    * Name
    * Namespace
- Policy Details
    * Selector 
    * Tags
    * Message
    * Severity
    * Action
- Process
- File 
- Network

For context, this is what grouping means (image)

Any feedback/inputs here?

nyrahul commented 1 year ago

This is nice!

Imo, it would be ok to club "General" and "Policy Details" together. So my assumption is that in the policy details we will have, Policy Name, Namespace, Selector Labels, Tags, Message, Severity.

Process, File, Network will have relevant options.

Is there a config change if a new attribute has to be added or do we have to change the code?

daemon1024 commented 1 year ago

That said I can prolly split it into General and Rules. Since it's going to be one rule at a time anyway 🤔

> Is there a config change if a new attribute has to be added or do we have to change the code?

It's a code change for now, I will try to figure out how it could be just a config change later.

daemon1024 commented 1 year ago

Update: No, it will have to be a code change, but since it's made up of components, it would most likely be a copy pasta job if we need to extend it.

Also.

General Tab Done ![image](https://user-images.githubusercontent.com/47106543/203812243-f6f662ae-13ca-4ca5-bb7b-2f3bd30df0f5.png)
And yeah they convert to actual rules. ![image](https://user-images.githubusercontent.com/47106543/203812554-38129da1-e4bd-4d63-9b65-8cb9c472f9db.png)

Yet to figure out how to form Policy Rules,
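The form grouping proposed in this thread, mapped onto a KubeArmorPolicy manifest, as an added example that is not code from the plugin or the KubeArmor project. The function name `buildKubeArmorPolicy`, the flat form object and the validation choices (including rejecting an empty selector) are assumptions of this example.

```javascript
// Added example: hypothetical helper, not code from the KubeArmor Rancher plugin.
const ACTIONS = ["Allow", "Audit", "Block"];
const PROTOCOLS = ["tcp", "udp", "icmp", "raw"];
// Absolute path that does not end in "/" (a trailing "/" denotes a directory rule).
const isFilePath = (p) => typeof p === "string" && /^\/.*[^/]$/.test(p);

function buildKubeArmorPolicy(form) {
  const { name, namespace, selector = {}, tags = [], message = "", severity, action,
          process: procPaths = [], file: filePaths = [], network = [] } = form;
  const errors = [];
  if (!name) errors.push("name is required");
  if (!namespace) errors.push("namespace is required");
  // Assumption of this example: refuse an empty selector so every policy names its target.
  if (Object.keys(selector).length === 0) errors.push("selector needs at least one label");
  if (!Number.isInteger(severity) || severity < 1 || severity > 10)
    errors.push("severity must be an integer from 1 to 10");
  if (!ACTIONS.includes(action)) errors.push(`action must be one of ${ACTIONS.join(", ")}`);
  for (const p of [...procPaths, ...filePaths])
    if (!isFilePath(p)) errors.push(`invalid path: ${p}`);
  for (const proto of network)
    if (!PROTOCOLS.includes(proto)) errors.push(`invalid protocol: ${proto}`);
  if (procPaths.length + filePaths.length + network.length === 0)
    errors.push("at least one process, file or network rule is required");
  if (errors.length) throw new Error(errors.join("; "));

  // "General" / "Policy Details" inputs first, then one block per rule tab.
  const spec = { selector: { matchLabels: { ...selector } } };
  if (tags.length) spec.tags = [...tags];
  if (message) spec.message = message;
  spec.severity = severity;
  if (procPaths.length) spec.process = { matchPaths: procPaths.map((path) => ({ path })) };
  if (filePaths.length) spec.file = { matchPaths: filePaths.map((path) => ({ path })) };
  if (network.length) spec.network = { matchProtocols: network.map((protocol) => ({ protocol })) };
  spec.action = action;
  return { apiVersion: "security.kubearmor.com/v1", kind: "KubeArmorPolicy",
           metadata: { name, namespace }, spec };
}

// Constructed sample input, as the form tabs would supply it.
const sampleForm = {
  name: "block-pkg-mgmt", namespace: "default",
  selector: { app: "nginx" }, tags: ["NIST"], message: "package manager execution",
  severity: 5, action: "Block", process: ["/usr/bin/apt", "/usr/bin/apt-get"],
};
console.log(JSON.stringify(buildKubeArmorPolicy(sampleForm), null, 2));
```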

im-adithya commented 1 year ago

Hello @nyrahul and @daemon1024, I'm interested in working on this issue under LFX Spring Mentorship!

daemon1024 commented 7 months ago

Ref #1591

harkiratsm commented 6 months ago

What's the status of this issue? Is it resolved, or are there pending tasks?

Nitinshukla88 commented 6 months ago

Hey @daemon1024, I'm interested in this issue. Since it is under GSoC 2024, I would love to work on the KubeArmor Rancher Plugin.

abhi-bhatra commented 6 months ago

Hi @daemon1024 @PrimalPimmy @DelusionalOptimist @kranurag7, I have done the setup of Rancher over my Azure AKS cluster, and I have installed some tools using Helm.

I have also done the installation of KubeArmor on the same cluster, and I can see my KubeArmor resources deployed on my cluster using Rancher. I do have prior working experience with Rancher, as I worked with SUSE under Google Summer of Code 2024. But I want to know more about Plugin integration. Do we need to install KubeArmor as a Rancher extension?

Here, this doc explains Rancher extensions: https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions

Do we need the same for KubeArmor?

Ayush9026 commented 6 months ago

@daemon1024 I am also interested in this issue for GSoC 2024.