rulebindingstore

package

v0.0.24 Latest Latest Go to latest Published: Jan 15, 2024 License: Apache-2.0 Imports: 11 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/armosec/kubecop

Links

Open Source Insights

README ¶

runtime rule alert binding

In order to determine which rules should be applied to which workloads, we need to bind the rules to the workloads. This is done by creating a RuntimeRuleAlertBinding object that binds a Rule to certain pods. This is a CRD needed to be created by the user. The RuntimeRuleAlertBinding object is inspired by K8s native policies and bindings, such as NetworkPolicy and ValidatingAdmissionPolicyBinding objects and so it contains the following fields:

namespaceSelector - a selector that selects the namespaces that the rule should be applied to. If not specified, the rule will be applied to all namespaces.
podSelector - a selector that selects the pods that the rule should be applied to. If not specified, the rule will be applied to all pods.
rules - a list of rules that should be applied to the selected pods.

Each rule in the list contains the following fields:

ruleName (mandatory) - the name of the rule to be applied.
severity -(optional) the severity of the alert that will be generated if the rule is violated. Each rule has a default severity, but it can be overridden by the user.
parameters - (optional) a list of parameters that can be passed to the rule. Each rule has a default set of parameters, but it can be overridden by the user.

Example

The first step is to apply the RuntimeRuleAlertBinding CRD to the cluster:

kubectl apply -f chart/kubecop/crds/runtime-rule-binding.crd.yaml

The second step is to create the RuntimeRuleAlertBinding object:

apiVersion: kubescape.io/v1
kind: RuntimeRuleAlertBinding
metadata:
  name: single-rule-for-app-nginx-default-ns
spec:
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: default
  podSelector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - nginx
  rules:
    - ruleName: "Unexpected process launched"

In the above example, we bind the rule Unexpected process launched to the pods in the namespace default. The rule will be applied to all the pods that are labeled with app: nginx in the namespace default.

how does it work?

Once the user applies a change to a RuntimeRuleAlertBinding object or any container in the cluster is created/updated/deleted, the KubeCop will be notified and will update the rules that are applied to each pod. The KubeCop will then apply the rules to the pods and will generate alerts if needed.

So there are 2 flows that can trigger the KubeCop to apply the rules to the pods:

The user applies a change to a RuntimeRuleAlertBinding object. Those changes are handled by the RuleBindingK8sStore.
A container in the cluster is created/updated/deleted. Those changes usually handled by the Engine.

In the 1st flow, the RuleBindingK8sStore will notify the subscribers (callback functions) about the change. Then the subsciber will get list of pods it needs to apply the rules to. For each pod, the subscriber will call GetRulesForPod to ask the RuleBindingK8sStore for the rules that should be applied to the pod.

In the 2nd flow, the watcher of the container, usually the Engine, will call GetRulesForPod to ask the RuleBindingK8sStore for the rules that should be applied to the pod.

Then the caller of the GetRulesForPod will handle the rules for the pod.

If more than one RuntimeRuleAlertBinding object is applied to the pod, the rules will be aggregated together.

Documentation ¶

Index ¶

Constants
Variables
type RuleBindingChangedHandler
type RuleBindingK8sStore
- func NewRuleBindingK8sStore(dynamicClient dynClient, coreV1Client v1.CoreV1Interface, nodeName string) (*RuleBindingK8sStore, error)
type RuntimeAlertRuleBinding
type RuntimeAlertRuleBindingList
type RuntimeAlertRuleBindingRule
type RuntimeAlertRuleBindingSpec

Constants ¶

View Source

const RuntimeRuleBindingAlertPlural = "runtimerulealertbindings"

Variables ¶

View Source

var RuleBindingAlertGvr schema.GroupVersionResource = schema.GroupVersionResource{
	Group:    collector.ApplicationProfileGroup,
	Version:  collector.ApplicationProfileVersion,
	Resource: RuntimeRuleBindingAlertPlural,
}

Functions ¶

This section is empty.

Types ¶

type RuleBindingChangedHandler ¶

type RuleBindingChangedHandler func(ruleBinding RuntimeAlertRuleBinding)

type RuleBindingK8sStore ¶

type RuleBindingK8sStore struct {
	// contains filtered or unexported fields
}

func NewRuleBindingK8sStore ¶

func NewRuleBindingK8sStore(dynamicClient dynClient, coreV1Client v1.CoreV1Interface, nodeName string) (*RuleBindingK8sStore, error)

func (*RuleBindingK8sStore) Destroy ¶

func (store *RuleBindingK8sStore) Destroy()

func (*RuleBindingK8sStore) GetRulesForPod ¶

func (store *RuleBindingK8sStore) GetRulesForPod(podName, namespace string) ([]RuntimeAlertRuleBindingRule, error)

func (*RuleBindingK8sStore) SetRuleBindingChangedHandlers ¶

func (store *RuleBindingK8sStore) SetRuleBindingChangedHandlers(handlers []RuleBindingChangedHandler)

func (*RuleBindingK8sStore) StartController ¶

func (store *RuleBindingK8sStore) StartController()

type RuntimeAlertRuleBinding ¶

type RuntimeAlertRuleBinding struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Specification of the desired behavior of the RuntimeAlertRuleBinding
	Spec RuntimeAlertRuleBindingSpec `json:"spec,omitempty"`
}

type RuntimeAlertRuleBindingList ¶

type RuntimeAlertRuleBindingList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items is the list of RuntimeAlertRuleBinding
	Items []RuntimeAlertRuleBinding `json:"items"`
}

type RuntimeAlertRuleBindingRule ¶

type RuntimeAlertRuleBindingRule struct {
	RuleName   string                 `json:"ruleName" yaml:"ruleName"`
	RuleID     string                 `json:"ruleID" yaml:"ruleID"`
	RuleTags   []string               `json:"ruleTags" yaml:"ruleTags"`
	Severity   string                 `json:"severity" yaml:"severity"`
	Parameters map[string]interface{} `json:"parameters" yaml:"parameters"`
}

type RuntimeAlertRuleBindingSpec ¶

type RuntimeAlertRuleBindingSpec struct {
	Rules             []RuntimeAlertRuleBindingRule `json:"rules" yaml:"rules"`
	PodSelector       metav1.LabelSelector          `json:"podSelector" yaml:"podSelector"`
	NamespaceSelector metav1.LabelSelector          `json:"namespaceSelector" yaml:"namespaceSelector"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL