diff --git a/docs/getting-started.md b/docs/getting-started.md index fc1e543d..34792f54 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -37,7 +37,7 @@ Run the operator: make run ``` -## Using helm chart +## From Helm Chart Follow [this](../deployments/nimbus/Readme.md) guide to install `nimbus` operator. @@ -74,7 +74,7 @@ Run `nimbus-kubearmor` adapter: make run ``` -### Using helm chart +### From Helm Chart Follow [this](../deployments/nimbus-kubearmor/Readme.md) guide to install `nimbus-kubearmor` adapter. @@ -106,6 +106,6 @@ Run `nimbus-netpol` adapter: make run ``` -### Using helm chart +### From Helm Chart Follow [this](../deployments/nimbus-netpol/Readme.md) guide to install `nimbus-netpol` adapter. diff --git a/docs/quick-tutorials.md b/docs/quick-tutorials.md index a92ef825..0673eb2f 100644 --- a/docs/quick-tutorials.md +++ b/docs/quick-tutorials.md 
@@ -1,66 +1,35 @@ # Quick Tutorials -## Create a sample deployment - -```shell -kubectl apply -f ./test/env/nginx-deploy.yaml -deployment.apps/nginx created -``` - ## Install Nimbus Operator Follow [this](../deployments/nimbus/Readme.md) guide to install `nimbus` operator. -## Run Adapters +## Install Adapters ### KubeArmor -> [!Note] -> The `nimbus-kubearmor` adapter leverages the [KubeArmor](https://kubearmor.io) security engine for its functionality. -> To use this adapter, you'll need KubeArmor installed. Please -> follow [this](https://github.com/kubearmor/KubeArmor/blob/main/getting-started/deployment_guide.md) guide for -> installation. -> Creating a KubeArmorPolicy resource without KubeArmor will have no effect. - Follow [this](../deployments/nimbus-kubearmor/Readme.md) guide to install `nimbus-kubearmor` adapter. -Open a new terminal and execute following command to check logs: - -```shell -$ kubectl -n nimbus logs -f deploy/nimbus-kubearmor -{"level":"info","ts":"2024-01-31T14:55:11+05:30","msg":"KubeArmor adapter started"} -{"level":"info","ts":"2024-01-31T14:55:11+05:30","msg":"ClusterNimbusPolicy watcher started"} -{"level":"info","ts":"2024-01-31T14:55:11+05:30","msg":"NimbusPolicy watcher started"} -``` - ### Network Policy -> [!Note] -> The `nimbus-netpol` adapter leverages -> the [network plugin](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). -> To use network policies, you must be using a networking solution which supports NetworkPolicy. Creating a -> NetworkPolicy resource without a controller that implements it will have no effect. - - Follow [this](../deployments/nimbus-netpol/Readme.md) guide to install `nimbus-netpol` adapter. 
-Open a new terminal and execute following command to check logs: +## Create a sample deployment ```shell -$ kubectl -n nimbus logs -f deploy/nimbus-netpol -{"level":"info","ts":"2024-01-31T14:53:36+05:30","msg":"NimbusPolicy watcher started"} -{"level":"info","ts":"2024-01-31T14:53:36+05:30","msg":"ClusterNimbusPolicy watcher started"} -{"level":"info","ts":"2024-01-31T14:53:36+05:30","msg":"Network Policy adapter started"} +kubectl apply -f ./examples/env/nginx-deploy.yaml ``` ## Create SecurityIntent and SecurityIntentBinding +### [DNS Manipulation](https://fight.mitre.org/techniques/FGT5006) + +Create SecurityIntent and SecurityIntentBinding to prevent DNS Manipulation. + ```shell -$ kubectl apply -f ./test/v2/namespaced/multiple-si-sib-namespaced.yaml -securityintent.intent.security.nimbus.com/pkg-mgr-exec-multiple-nsscoped created -securityintent.intent.security.nimbus.com/unauthorized-sa-token-access-multiple-nsscoped created -securityintent.intent.security.nimbus.com/dns-manipulation-multiple-nsscoped created -securityintentbinding.intent.security.nimbus.com/multiple-sis-nsscoped-binding created +$ kubectl apply -f ./examples/namespaced/dns-manipulation-si-sib.yaml +securityintent.intent.security.nimbus.com/dns-manipulation created +securityintentbinding.intent.security.nimbus.com/dns-manipulation-binding created ``` ## Verify SecurityIntent and SecurityIntentBinding 
@@ -69,49 +38,35 @@ securityintentbinding.intent.security.nimbus.com/multiple-sis-nsscoped-binding c ```shell $ kubectl get securityintent -NAME STATUS -pkg-mgr-exec-multiple-nsscoped Created -unauthorized-sa-token-access-multiple-nsscoped Created -dns-manipulation-multiple-nsscoped Created +NAME STATUS +dns-manipulation Created ``` * Verify SecurityIntentBinding ```shell $ kubectl get securityintentbinding -NAME STATUS -multiple-sis-nsscoped-binding Created +NAME STATUS +dns-manipulation-binding Created ``` ## Verify the Security Engines policies ### KubeArmorPolicy -KubeArmor adapter logs that detected NimbusPolicy is shown below: - -```shell -... -... -{"level":"info","ts":"2024-01-31T14:55:18+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"} -{"level":"info","ts":"2024-01-31T14:55:19+05:30","msg":"KubeArmorPolicy Created","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-swdeploymenttools","KubeArmorPolicy.Namespace":"default"} -{"level":"info","ts":"2024-01-31T14:55:19+05:30","msg":"KubeArmorPolicy Created","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-unauthorizedsatokenaccess","KubeArmorPolicy.Namespace":"default"} -{"level":"info","ts":"2024-01-31T14:55:19+05:30","msg":"KubeArmorPolicy Created","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-dnsmanipulation","KubeArmorPolicy.Namespace":"default"} -``` - -You can also review the policies that were successfully generated: +Review the policies that were successfully generated as part of `DNSManipulation` SecurityIntent and +SecurityIntentBinding: ```shell $ kubectl get kubearmorpolicy -NAME AGE -multiple-sis-nsscoped-binding-swdeploymenttools 2m -multiple-sis-nsscoped-binding-unauthorizedsatokenaccess 2m -multiple-sis-nsscoped-binding-dnsmanipulation 2m +NAME AGE +dns-manipulation-binding-dnsmanipulation 2m44s ``` -Or, inspect each individual policy for detailed info: +Inspect the policy for detailed info: ```shell -$ 
kubectl get kubearmorpolicy multiple-sis-nsscoped-binding-swdeploymenttools -o yaml +$ kubectl get kubearmorpolicy dns-manipulation-binding-dnsmanipulation -o yaml ``` ```yaml 
@@ -120,130 +75,19 @@ kind: KubeArmorPolicy metadata: annotations: app.kubernetes.io/managed-by: nimbus-kubearmor - creationTimestamp: "2024-01-31T09:25:19Z" + creationTimestamp: "2024-02-02T08:27:03Z" generation: 1 - name: multiple-sis-nsscoped-binding-swdeploymenttools + name: dns-manipulation-binding-dnsmanipulation namespace: default ownerReferences: - apiVersion: intent.security.nimbus.com/v1 blockOwnerDeletion: true controller: true kind: NimbusPolicy - name: multiple-sis-nsscoped-binding - uid: d2176ea3-3e0b-4671-8f58-dbff376d87b0 - resourceVersion: "594438" - uid: 363d5191-20b9-471e-80c2-a142f8396e13 -spec: - action: Block - capabilities: { } - file: { } - message: Do not allow the execution of package managers inside the containers - network: { } - process: - matchPaths: - - path: /usr/bin/apt - - path: /usr/bin/apt-get - - path: /bin/apt-get - - path: /bin/apt - - path: /usr/bin/dpkg - - path: /bin/dpkg - - path: /usr/bin/gdebi - - path: /bin/gdebi - - path: /usr/bin/make - - path: /bin/make - - path: /usr/bin/yum - - path: /bin/yum - - path: /usr/bin/rpm - - path: /bin/rpm - - path: /usr/bin/dnf - - path: /bin/dnf - - path: /usr/bin/pacman - - path: /usr/sbin/pacman - - path: /bin/pacman - - path: /sbin/pacman - - path: /usr/bin/makepkg - - path: /usr/sbin/makepkg - - path: /bin/makepkg - - path: /sbin/makepkg - - path: /usr/bin/yaourt - - path: /usr/sbin/yaourt - - path: /bin/yaourt - - path: /sbin/yaourt - - path: /usr/bin/zypper - - path: /bin/zypper - severity: 5 - selector: - matchLabels: - app: nginx - syscalls: { } - tags: - - NIST - - CM-7(5) - - SI-4 - - Package Manager -``` - -```shell -$ kubectl get kubearmorpolicy multiple-sis-nsscoped-binding-unauthorizedsatokenaccess -o yaml -``` - -```yaml -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - annotations: - app.kubernetes.io/managed-by: nimbus-kubearmor - creationTimestamp: "2024-01-31T09:25:19Z" - generation: 1 - name: 
multiple-sis-nsscoped-binding-unauthorizedsatokenaccess - namespace: default - ownerReferences: - - apiVersion: intent.security.nimbus.com/v1 - blockOwnerDeletion: true - controller: true - kind: NimbusPolicy - name: multiple-sis-nsscoped-binding - uid: d2176ea3-3e0b-4671-8f58-dbff376d87b0 - resourceVersion: "594439" - uid: 166b1193-751c-4b6b-acbd-a68ed1dd26e8 -spec: - action: Block - capabilities: { } - file: - matchDirectories: - - dir: /run/secrets/kubernetes.io/serviceaccount/ - recursive: true - network: { } - process: { } - selector: - matchLabels: - app: nginx - syscalls: { } -``` - -```shell -$ kubectl get kubearmorpolicy multiple-sis-nsscoped-binding-dnsmanipulation -o yaml -``` - -```yaml -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - annotations: - app.kubernetes.io/managed-by: nimbus-kubearmor - creationTimestamp: "2024-01-31T09:25:19Z" - generation: 1 - name: multiple-sis-nsscoped-binding-dnsmanipulation - namespace: default - ownerReferences: - - apiVersion: intent.security.nimbus.com/v1 - blockOwnerDeletion: true - controller: true - kind: NimbusPolicy - name: multiple-sis-nsscoped-binding - uid: d2176ea3-3e0b-4671-8f58-dbff376d87b0 - resourceVersion: "594440" - uid: cbce8ea8-988d-4033-9d9d-c597acbe496a + name: dns-manipulation-binding + uid: c2571f5b-8299-4e0f-9594-b6804a5a4d8f + resourceVersion: "610470" + uid: 7f23a7f3-3012-449d-92ee-1ea2a741b7ec spec: action: Block capabilities: { } 
@@ -261,26 +105,16 @@ spec: ### NetworkPolicy -Network Policy adapter logs that detected NimbusPolicy is shown below: - -```shell -... -... -{"level":"info","ts":"2024-01-31T14:55:18+05:30","msg":"NimbusPolicy found","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"} -{"level":"info","ts":"2024-01-31T14:55:18+05:30","msg":"Network Policy adapter does not support this ID","ID":"swDeploymentTools","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"} -{"level":"info","ts":"2024-01-31T14:55:18+05:30","msg":"Network Policy adapter does not support this ID","ID":"unAuthorizedSaTokenAccess","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"} -{"level":"info","ts":"2024-01-31T14:55:18+05:30","msg":"NetworkPolicy created","NetworkPolicy.Name":"multiple-sis-nsscoped-binding-dnsmanipulation","NetworkPolicy.Namespace":"default"} -``` - -You can also review the network policies that were successfully generated: +Review the network policies that were successfully generated as part of `DNSManipulation` SecurityIntent and +SecurityIntentBinding: ```shell $ kubectl get networkpolicy -NAME POD-SELECTOR AGE -multiple-sis-nsscoped-binding-dnsmanipulation app=nginx 5m6s +NAME POD-SELECTOR AGE +dns-manipulation-binding-dnsmanipulation app=nginx 5m54s ``` -Or, inspect policy for detailed info: +Inspect policy for detailed info: ```shell $ kubectl get networkpolicy multiple-sis-nsscoped-binding-dnsmanipulation -o yaml 
@@ -292,19 +126,19 @@ kind: NetworkPolicy metadata: annotations: app.kubernetes.io/managed-by: nimbus-netpol - creationTimestamp: "2024-01-31T09:25:18Z" + creationTimestamp: "2024-02-02T08:27:03Z" generation: 1 - name: multiple-sis-nsscoped-binding-dnsmanipulation + name: dns-manipulation-binding-dnsmanipulation namespace: default ownerReferences: - apiVersion: intent.security.nimbus.com/v1 blockOwnerDeletion: true controller: true kind: NimbusPolicy - name: multiple-sis-nsscoped-binding - uid: d2176ea3-3e0b-4671-8f58-dbff376d87b0 - resourceVersion: "594436" - uid: 5d7743e6-7dfd-4d3e-b503-6c43bea4473d + name: dns-manipulation-binding + uid: c2571f5b-8299-4e0f-9594-b6804a5a4d8f + resourceVersion: "610469" + uid: 7cbf50e3-8c47-443e-8851-01b0ca167bd3 spec: egress: - ports: 
@@ -326,44 +160,30 @@ spec: - Egress ``` -## Cleanup +From the `DNSManipulation` SecurityIntent two security policies were generated: -* The SecurityIntent and SecurityIntentBinding created earlier are no longer needed and can be deleted: +- KubeArmor Policy: This policy prevents modification of the `/etc/resolv.conf` file, ensuring the integrity of DNS + configuration and preventing potential DNS hijacking. -```shell -$ kubectl delete -f ./test/v2/namespaced/multiple-si-sib-namespaced.yaml -securityintent.intent.security.nimbus.com "pkg-mgr-exec-multiple-nsscoped" deleted -securityintent.intent.security.nimbus.com "unauthorized-sa-token-access-multiple-nsscoped" deleted -securityintent.intent.security.nimbus.com "dns-manipulation-multiple-nsscoped" deleted -securityintentbinding.intent.security.nimbus.com "multiple-sis-nsscoped-binding" deleted -``` -* Check KubeArmor Security Engine adapter logs: +- Kubernetes Network Policy: This policy allows outbound traffic on UDP and TCP ports 53 only to the + `kube-dns` pods within the `kube-system` namespace. This restricts access to the DNS server, enhancing security while + enabling pods to resolve DNS names. -```shell -... -... 
-{"level":"info","ts":"2024-01-31T15:01:09+05:30","msg":"NimbusPolicy deleted","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"} -{"level":"info","ts":"2024-01-31T15:01:10+05:30","msg":"KubeArmorPolicy already deleted, no action needed","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-swdeploymenttools","KubeArmorPolicy.Namespace":"default"} -{"level":"info","ts":"2024-01-31T15:01:10+05:30","msg":"KubeArmorPolicy already deleted, no action needed","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-unauthorizedsatokenaccess","KubeArmorPolicy.Namespace":"default"} -{"level":"info","ts":"2024-01-31T15:01:10+05:30","msg":"KubeArmorPolicy already deleted, no action needed","KubeArmorPolicy.Name":"multiple-sis-nsscoped-binding-dnsmanipulation","KubeArmorPolicy.Namespace":"default"} -``` +## Cleanup -* Check Network Policy adapter logs: +* The SecurityIntent and SecurityIntentBinding created earlier are no longer needed and can be deleted: ```shell -... -... 
-{"level":"info","ts":"2024-01-31T15:01:09+05:30","msg":"NimbusPolicy deleted","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"} -{"level":"info","ts":"2024-01-31T15:01:09+05:30","msg":"Network Policy adapter does not support this ID","ID":"swDeploymentTools","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"} -{"level":"info","ts":"2024-01-31T15:01:09+05:30","msg":"Network Policy adapter does not support this ID","ID":"unAuthorizedSaTokenAccess","NimbusPolicy.Name":"multiple-sis-nsscoped-binding","NimbusPolicy.Namespace":"default"} -{"level":"info","ts":"2024-01-31T15:01:09+05:30","msg":"NetworkPolicy already deleted, no action needed","NetworkPolicy.Name":"multiple-sis-nsscoped-binding-dnsmanipulation","NetworkPolicy.Namespace":"default"} +$ kubectl delete -f ./examples/namespaced/dns-manipulation-si-sib.yaml +securityintent.intent.security.nimbus.com "dns-manipulation" deleted +securityintentbinding.intent.security.nimbus.com "dns-manipulation-binding" deleted ``` * Delete deployment ```shell -$ kubectl delete -f ./test/env/nginx-deploy.yaml +$ kubectl delete -f ./examples/env/nginx-deploy.yaml deployment.apps "nginx" deleted ``` @@ -372,4 +192,9 @@ deployment.apps "nginx" deleted ```shell $ kubectl get securityintent,securityintentbinding,kubearmorpolicy,netpol -A No resources found -``` \ No newline at end of file +``` + +## Next steps + +- Try out other sample [SecurityIntents](../examples/namespaced) and review the policy generation. +- Checkout [Security Intents](https://github.com/5GSEC/security-intents). diff --git a/test/env/nginx-deploy.yaml b/examples/env/nginx-deploy.yaml similarity index 100% rename from test/env/nginx-deploy.yaml rename to examples/env/nginx-deploy.yaml 
diff --git a/test/v2/namespaced/single-si-sib.yaml b/examples/namespaced/dns-manipulation-si-sib.yaml similarity index 62% rename from test/v2/namespaced/single-si-sib.yaml rename to examples/namespaced/dns-manipulation-si-sib.yaml index c31c73c8..39e69934 100644 --- a/test/v2/namespaced/single-si-sib.yaml +++ b/examples/namespaced/dns-manipulation-si-sib.yaml @@ -4,21 +4,20 @@ apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent metadata: - name: pkg-mgr-exec-single-nsscoped + name: dns-manipulation spec: intent: - id: swDeploymentTools - description: "Do not allow the execution of package managers inside the containers" + id: dnsManipulation + description: "An adversary can manipulate DNS requests to redirect network traffic and potentially reveal end user activity." action: Block - mode: strict --- apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntentBinding metadata: - name: pkg-mgr-exec-single-nsscoped-binding + name: dns-manipulation-binding spec: intents: - - name: pkg-mgr-exec-single-nsscoped + - name: dns-manipulation selector: any: - resources: diff --git a/test/v2/namespaced/multiple-si-sib-namespaced.yaml b/examples/namespaced/multiple-si-sib-namespaced.yaml similarity index 84% rename from test/v2/namespaced/multiple-si-sib-namespaced.yaml rename to examples/namespaced/multiple-si-sib-namespaced.yaml index 4eee5924..f46e772d 100644 --- a/test/v2/namespaced/multiple-si-sib-namespaced.yaml +++ b/examples/namespaced/multiple-si-sib-namespaced.yaml @@ -8,9 +8,7 @@ metadata: spec: intent: id: swDeploymentTools - description: "Do not allow the execution of package managers inside the containers" action: Block - mode: strict --- apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent @@ -20,8 +18,6 @@ spec: intent: id: unAuthorizedSaTokenAccess action: Block - mode: strict - #mode: best-effort --- apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent 
@@ -31,8 +27,6 @@ spec: intent: id: dnsManipulation action: Block - mode: best-effort - #mode: strict --- apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntentBinding diff --git a/examples/namespaced/pkg-mgr-exec-si-sib.yaml b/examples/namespaced/pkg-mgr-exec-si-sib.yaml new file mode 100644 index 00000000..854bc749 --- /dev/null +++ b/examples/namespaced/pkg-mgr-exec-si-sib.yaml @@ -0,0 +1,29 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntent +metadata: + name: pkg-mgr-execution +spec: + intent: + id: swDeploymentTools + description: > + Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, + and deployment systems, to move laterally through the network. + action: Block +--- +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntentBinding +metadata: + name: pkg-mgr-execution-binding +spec: + intents: + - name: pkg-mgr-execution + selector: + any: + - resources: + kind: Pod + namespace: default + matchLabels: + app: nginx diff --git a/scripts/cleanup.sh b/scripts/cleanup.sh deleted file mode 100755 index 31d3bb2c..00000000 --- a/scripts/cleanup.sh +++ /dev/null @@ -1,18 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -#!/bin/bash - -# Delete all SecurityIntent resources -kubectl delete securityintents --all --all-namespaces - -# Delete all SecurityIntentBinding resources -kubectl delete securityintentbindings --all --all-namespaces - -# Delete all NimbusPolicy resources -kubectl delete nimbuspolicies --all --all-namespaces - -# Delete all KubeArmorPolicy resouces -kubectl delete ksp --all --all-namespaces - -echo "All resources have been successfully deleted." \ No newline at end of file diff --git a/test/env/busybox-pod.yaml b/test/env/busybox-pod.yaml deleted file mode 100644 index 7f85454f..00000000 
--- a/test/env/busybox-pod.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: v1 -kind: Pod -metadata: - name: busybox - labels: - app: busybox -spec: - containers: - - name: busybox - image: busybox - command: ['sh', '-c', 'echo Container is Running; while true; do sleep 3600; done'] diff --git a/test/env/multiubuntu.yaml b/test/env/multiubuntu.yaml deleted file mode 100644 index e67316a2..00000000 --- a/test/env/multiubuntu.yaml +++ /dev/null 
@@ -1,254 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: v1 -kind: Namespace -metadata: - name: multiubuntu ---- -apiVersion: v1 -kind: Service -metadata: - name: ubuntu-1-service - namespace: multiubuntu - labels: - service: ubuntu-1 -spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: http-8000 - - port: 8080 - targetPort: 8080 - protocol: TCP - name: http-8080 - selector: - group: group-1 - container: ubuntu-1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ubuntu-1-deployment - namespace: multiubuntu - labels: - deployment: ubuntu-1 -spec: - replicas: 1 - selector: - matchLabels: - group: group-1 - container: ubuntu-1 - template: - metadata: - labels: - group: group-1 - container: ubuntu-1 - spec: - containers: - - name: ubuntu-1-container - image: 0x010/ubuntu-w-utils:latest ---- -apiVersion: v1 -kind: Service -metadata: - name: ubuntu-2-service - namespace: multiubuntu - labels: - service: ubuntu-2 -spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: http-8000 - - port: 8080 - targetPort: 8080 - protocol: TCP - name: http-8080 - selector: - group: group-1 - container: ubuntu-2 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ubuntu-2-deployment - namespace: multiubuntu - labels: - deployment: ubuntu-2 -spec: - replicas: 1 - selector: - matchLabels: - group: group-1 - container: ubuntu-2 - template: - metadata: - labels: - group: group-1 - container: ubuntu-2 - spec: - containers: - - name: ubuntu-2-container - image: 0x010/ubuntu-w-utils:latest ---- -apiVersion: v1 -kind: Service -metadata: - name: ubuntu-3-service - namespace: multiubuntu - labels: - service: ubuntu-3 -spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: http-8000 - - port: 8080 - targetPort: 8080 - protocol: TCP - name: http-8080 - selector: - group: group-1 - container: ubuntu-3 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: 
ubuntu-3-deployment - namespace: multiubuntu - labels: - deployment: ubuntu-3 -spec: - replicas: 1 - selector: - matchLabels: - group: group-1 - container: ubuntu-3 - template: - metadata: - labels: - group: group-1 - container: ubuntu-3 - spec: - containers: - - name: ubuntu-3-container - image: 0x010/ubuntu-w-utils:latest ---- -apiVersion: v1 -kind: Service -metadata: - name: ubuntu-4-service - namespace: multiubuntu - labels: - service: ubuntu-4 -spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: http-8000 - - port: 8080 - targetPort: 8080 - protocol: TCP - name: http-8080 - selector: - group: group-2 - container: ubuntu-4 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ubuntu-4-deployment - namespace: multiubuntu - labels: - deployment: ubuntu-4 -spec: - replicas: 1 - selector: - matchLabels: - group: group-2 - container: ubuntu-4 - template: - metadata: - labels: - group: group-2 - container: ubuntu-4 - spec: - containers: - - name: ubuntu-4-container - image: 0x010/ubuntu-w-utils:latest ---- -apiVersion: v1 -kind: Service -metadata: - name: ubuntu-5-service - namespace: multiubuntu - labels: - service: ubuntu-5 -spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: http-8000 - - port: 8080 - targetPort: 8080 - protocol: TCP - name: http-8080 - selector: - group: group-2 - container: ubuntu-5 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ubuntu-5-deployment - namespace: multiubuntu - labels: - deployment: ubuntu-5 -spec: - replicas: 1 - selector: - matchLabels: - group: group-2 - container: ubuntu-5 - template: - metadata: - labels: - group: group-2 - container: ubuntu-5 - spec: - containers: - - name: ubuntu-5-container - image: 0x010/ubuntu-w-utils:latest ---- -apiVersion: v1 -kind: Endpoints -metadata: - namespace: multiubuntu - name: external-service -subsets: - - addresses: - - ip: 143.248.36.38 # seungsoo.net - ports: - - port: 80 - protocol: TCP - name: http-80 ---- -apiVersion: v1 
-kind: Service -metadata: - namespace: multiubuntu - name: external-service - labels: - service: external-service -spec: - ports: - - port: 8000 - targetPort: 80 - protocol: TCP - name: http-80 \ No newline at end of file diff --git a/test/env/redis-pod.yaml b/test/env/redis-pod.yaml deleted file mode 100644 index 9122ee40..00000000 --- a/test/env/redis-pod.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: v1 -kind: Pod -metadata: - name: redis - labels: - app: redis -spec: - containers: - - name: redis - image: redis - ports: - - containerPort: 6379 diff --git a/test/v1/intents/network/intent-net-icmp-audit.yaml b/test/v1/intents/network/intent-net-icmp-audit.yaml deleted file mode 100644 index bf1b8c9a..00000000 --- a/test/v1/intents/network/intent-net-icmp-audit.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: audit-icmp-network-activity-ubuntu-5 - namespace: multiubuntu -spec: - selector: - match: - any: - - resources: - names: ["ubuntu-5-deployment"] - kinds: ["Deployment"] - namespaces: ["multiubuntu"] - matchLabels: - container: "ubuntu-5" - - cel: - - "object.spec.network.matchProtocols.any(protocol, protocol == 'icmp')" - intent: - action: Audit - mode: strict - type: network - resource: - - key: "protocols" - val: ["icmp"] diff --git a/test/v1/intents/network/intent-network-sample.yaml b/test/v1/intents/network/intent-network-sample.yaml deleted file mode 100644 index 0cd1e4f6..00000000 --- a/test/v1/intents/network/intent-network-sample.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: audit-tcp-network-activity-ubuntu-5 - namespace: multiubuntu -spec: - selector: - match: - any: - - resources: - names: ["ubuntu-5-deployment"] - kinds: ["Deployment"] - namespaces: ["multiubuntu"] - matchLabels: - container: "ubuntu-5" - cel: - - "object.spec.network.matchProtocols.any(protocol, protocol == 'tcp')" - intent: - action: Audit - mode: strict - type: network - resource: - - key: "protocols" - val: ["udp"] diff --git a/test/v1/intents/network/intent-redis.yaml b/test/v1/intents/network/intent-redis.yaml deleted file mode 100644 index 8ca970f9..00000000 --- a/test/v1/intents/network/intent-redis.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: redis-ingress-deny-traffic - namespace: default -spec: - selector: - match: - any: - - resources: - names: ["redis-pod"] - namespaces: ["default"] - kinds: ["Pod"] - matchLabels: - app: "redis" - cel: - - "object.spec.template.spec.containers.all(container, container.ports.any(port, port.number == 6379))" - intent: - action: block - mode: strict - type: network - resource: - - key: "ingress" - val: ["0.0.0.0/0-6379"] diff --git a/test/v1/intents/network/intent-risky-network-access.yaml b/test/v1/intents/network/intent-risky-network-access.yaml deleted file mode 100644 index 4888b685..00000000 --- a/test/v1/intents/network/intent-risky-network-access.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -#kind: SecurityIntent -#metadata: -# name: risky-network-access -# namespace: multiubuntu -#spec: -# selector: -# cel: -# - “object.spec.template.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))” -# intent: -# action: allow -# mode: strict -# type: network -# resource: -# - key: “egress” -# val: [ “10.0.0.0/8-1:65535” “192.168.0.0/16-1:65535” “172.16.0.0/12-1:65535”] - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: risky-network-access - namespace: multiubuntu -spec: - selector: - match: - any: - - resources: - names: ["ubuntu-1-deployment"] - namespaces: ["multiubuntu"] - kinds: ["Deployment"] - matchLabels: - group: "group-1" - container: "ubuntu-1" - cel: - - "object.spec.template.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))" - intent: - action: allow - mode: strict - type: network - resource: - - key: "egress" - val: [ "10.0.0.0/8-1:65535", "192.168.0.0/16-1:65535", "172.16.0.0/12-1:65535"] \ No newline at end of file diff --git a/test/v1/intents/system/intent-accessd-shadow-file.yaml b/test/v1/intents/system/intent-accessd-shadow-file.yaml deleted file mode 100644 index 14745954..00000000 --- a/test/v1/intents/system/intent-accessd-shadow-file.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: block-access-to-sensitive-files - namespace: default -spec: - selector: - cel: - - "object.metadata.labels['kubernetes.io/hostname'] == 'master'" - intent: - action: block - mode: strict - type: system - resource: - - key: "paths" - val: [ "/etc/shadow", "/etc/subuid", "/etc/subgid" ] 
diff --git a/test/v1/intents/system/intent-allow-access-to-credentials-dir.yaml b/test/v1/intents/system/intent-allow-access-to-credentials-dir.yaml deleted file mode 100644 index 0f5e8f84..00000000 --- a/test/v1/intents/system/intent-allow-access-to-credentials-dir.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: allow-access-to-credentials-dir-ubuntu-3 - namespace: multiubuntu -spec: - selector: - match: - any: - - resources: - matchLabels: - container: "ubuntu-3" - namespaces: ["multiubuntu"] - cel: - - "object.spec.file.matchDirectories.any(dir, dir == '/credentials/') && object.spec.file.fromSource.any(source, source == '/bin/cat')" - intent: - action: Allow - mode: strict - type: system - resource: - - key: "directories" - val: ["/credentials/"] - - key: "sourcePath" - val: ["/bin/cat"] diff --git a/test/v1/intents/system/intent-bug-block.yaml b/test/v1/intents/system/intent-bug-block.yaml deleted file mode 100644 index 5f63ef08..00000000 --- a/test/v1/intents/system/intent-bug-block.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -#apiVersion: intent.security.nimbus.com/v1 -#kind: SecurityIntent -#metadata: -# name: hsp-cve-2020-8559-bug-block -# namespace: default -#spec: -# selector: -# cel: -# - "object.metadata.labels['kubernetes.io/arch'] == 'amd64'" # CEL 표현식으로 노드 선택 -# intent: -# action: block -# mode: strict -# type: system -# resource: -# - key: "commands" -# val: [ "mv", "cp", "kill" ] -# valcel: "pattern: /**/{command}" - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: bug-block-hsp - namespace: default -spec: - selector: - cel: - - "object.metadata.labels['kubernetes.io/arch'] == 'amd64'" - intent: - action: block - mode: strict - type: system - resource: - - key: "commands" - val: [ "mv", "cp", "kill" ] - valcel: "pattern: /usr/bin/{command}" \ No newline at end of file diff --git a/test/v1/intents/system/intent-cap-net-raw-block.yaml b/test/v1/intents/system/intent-cap-net-raw-block.yaml deleted file mode 100644 index 6c71ab9b..00000000 --- a/test/v1/intents/system/intent-cap-net-raw-block.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: block-net-raw-capability-ubuntu-1 - namespace: multiubuntu -spec: - selector: - match: - any: - - resources: - kinds: ["Deployment"] - matchLabels: - container: "ubuntu-1" - namespaces: ["multiubuntu"] - cel: - - "object.spec.capabilities.matchCapabilities.any(capability, capability == 'net_raw')" - intent: - action: Block - mode: strict - type: system - resource: - - key: "capabilities" - val: ["net_raw"] diff --git a/test/v1/intents/system/intent-do-not-allow-priv-escalation.yaml b/test/v1/intents/system/intent-do-not-allow-priv-escalation.yaml deleted file mode 100644 index 1e41f795..00000000 
--- a/test/v1/intents/system/intent-do-not-allow-priv-escalation.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: do-not-allow-priv-escalation - namespace: multiubuntu -spec: - selector: - match: #check with kyverno format - cel: - - xxx - intent: - action: block - mode: best-effort - type: system - resource: - - key: “capabilities” - val: [ “privilege”, “CAP_SYSADMIN” ] \ No newline at end of file diff --git a/test/v1/intents/system/intent-path-block.yaml b/test/v1/intents/system/intent-path-block.yaml deleted file mode 100644 index 6cfe4f76..00000000 --- a/test/v1/intents/system/intent-path-block.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: ksp-group-1-proc-path-block - namespace: multiubuntu -spec: - selector: - cel: - - "object.metadata.labels.group == 'group-1'" - intent: - action: block - mode: strict - type: system - resource: - - key: "paths" - val: [ "/bin/sleep" ] diff --git a/test/v1/intents/system/intent-restrict-write-access-to-sys-folders.yaml b/test/v1/intents/system/intent-restrict-write-access-to-sys-folders.yaml deleted file mode 100644 index 87330ec9..00000000 --- a/test/v1/intents/system/intent-restrict-write-access-to-sys-folders.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: restrict-write-access-to-sys-folders - namespace: multiubuntu -spec: - selector: - cel: - - xxx - intent: - action: block - mode: best-effort - type: system - resource: - - key: “paths” - val: [ “/sbin/”, “/boot/” ] - attrs: [ “write”, “recursive” ] \ No newline at end of file 
diff --git a/test/v1/intents/template-intent.yaml b/test/v1/intents/template-intent.yaml deleted file mode 100644 index 1049d5b5..00000000 --- a/test/v1/intents/template-intent.yaml +++ /dev/null @@ -1,36 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: [intent-name] - namespace: [intent-namespace] -spec: - selector: - match: - any: - - resources: - names: [target-name] - kinds: [target-kind] - namespaces: [target-namespace] - matchLabels: - [key: value] - cel: - - xxxx - intent: - action: block/audit/allow - mode: strict - type: system/network - resource: [] - - matchPaths: - - path: /etc/shadow - - path: /etc/subuid - - path: /etc/subgid - - matchCapabilities: - - capability: net_raw - - matchSyscalls: - - syscall: - - unlink - - key: "ingress" - val: ["0.0.0.0/0-6379"] \ No newline at end of file diff --git a/test/v1/policy/cnp/policy-redis.yaml b/test/v1/policy/cnp/policy-redis.yaml deleted file mode 100644 index 6635ce5f..00000000 --- a/test/v1/policy/cnp/policy-redis.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: cnp-redis-ingress-deny-traffic-to-port-6379 - namespace: default -spec: - description: "Don’t allow any outside traffic to the Redis port" - endpointSelector: - matchLabels: - app: redis - ingressDeny: - - fromCIDRSet: - - cidr: 0.0.0.0/0 - toPorts: - - ports: - - port: "6379" \ No newline at end of file diff --git a/test/v1/policy/cnp/policy-risky.yaml b/test/v1/policy/cnp/policy-risky.yaml deleted file mode 100644 index 96e692bc..00000000 --- a/test/v1/policy/cnp/policy-risky.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: cnp-adjusted-network-policy - namespace: multiubuntu -spec: - endpointSelector: - matchLabels: - group: "group-1" - container: "ubuntu-1" - egress: - - toCIDR: - - 10.0.0.0/8 - - 192.168.0.0/16 - - 172.16.0.0/12 - toPorts: - - ports: - - port: "1" - protocol: TCP - - port: "65535" - protocol: TCP diff --git a/test/v1/policy/hsp/policy-accessed-shadow-file.yaml b/test/v1/policy/hsp/policy-accessed-shadow-file.yaml deleted file mode 100644 index 46021c27..00000000 --- a/test/v1/policy/hsp/policy-accessed-shadow-file.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. -# To learn more about KubeArmor visit: -# https://www.accuknox.com/kubearmor/ - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorHostPolicy -metadata: - name: hsp-cve-2018-18955 -spec: - message: "Alert! Someone Accessed shadow file" - tags: ["CVE-2018-18955", "EDB-ID:45886", "Gid-Uid"] - nodeSelector: - matchLabels: - kubernetes.io/hostname: master # Change with your host name - file: - severity: 6 - matchPaths: - - path: /etc/shadow - - path: /etc/subuid - - path: /etc/subgid - action: Block \ No newline at end of file diff --git a/test/v1/policy/hsp/policy-bug-block.yaml b/test/v1/policy/hsp/policy-bug-block.yaml deleted file mode 100644 index 0a1a3bab..00000000 --- a/test/v1/policy/hsp/policy-bug-block.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -#apiVersion: security.kubearmor.com/v1 -#kind: KubeArmorHostPolicy -#metadata: -# name: hsp-cve-2020-8559-bug-block -#spec: -# tags: ["CVE", "unvalidated-redirect-requests-attack", "CVE-2020-8559"] -# message: "Alert! move, copy and kill command executed on host machine" -# nodeSelector: -# matchLabels: -# kubernetes.io/arch: amd64 -# process: -# severity: 7 -# matchPatterns: -# - pattern: /**/mv -# - pattern: /**/cp -# - pattern: /**/kill -# action: Block - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorHostPolicy -metadata: - name: hsp-cve-2020-8559-bug-block -spec: - tags: ["CVE", "unvalidated-redirect-requests-attack", "CVE-2020-8559"] - message: "Alert! move, copy and kill command executed in test folder" - nodeSelector: - matchLabels: - kubernetes.io/arch: amd64 - process: - severity: 7 - matchPatterns: - - pattern: /usr/bin/mv - - pattern: /usr/bin/cp - - pattern: /usr/bin/kill - action: Block - - - diff --git a/test/v1/policy/ksp/policy-audit-all-unlink.yaml b/test/v1/policy/ksp/policy-audit-all-unlink.yaml deleted file mode 100644 index 80443097..00000000 --- a/test/v1/policy/ksp/policy-audit-all-unlink.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - name: audit-all-unlink - namespace: default -spec: - selector: - matchLabels: - container: ubuntu-1 - syscalls: - matchSyscalls: - - syscall: - - unlink - action: - Audit diff --git a/test/v1/policy/ksp/policy-cap-net-raw-block.yaml b/test/v1/policy/ksp/policy-cap-net-raw-block.yaml deleted file mode 100644 index a11512c9..00000000 --- a/test/v1/policy/ksp/policy-cap-net-raw-block.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - name: ksp-ubuntu-1-cap-net-raw-block - namespace: multiubuntu -spec: - severity: 1 - selector: - matchLabels: - container: ubuntu-1 - capabilities: - matchCapabilities: - - capability: net_raw - action: - Block diff --git a/test/v1/policy/ksp/policy-file-dir-allow-from-source-path.yaml b/test/v1/policy/ksp/policy-file-dir-allow-from-source-path.yaml deleted file mode 100644 index e3ac76e6..00000000 --- a/test/v1/policy/ksp/policy-file-dir-allow-from-source-path.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - name: ksp-ubuntu-3-file-dir-allow-from-source-path - namespace: multiubuntu -spec: - severity: 10 - message: "a critical directory was accessed" - tags: - - WARNING - selector: - matchLabels: - container: ubuntu-3 - file: - matchDirectories: - - dir: /credentials/ - fromSource: - - path: /bin/cat - action: - Allow \ No newline at end of file diff --git a/test/v1/policy/ksp/policy-net-icmp-audit.yaml b/test/v1/policy/ksp/policy-net-icmp-audit.yaml deleted file mode 100644 index 51118811..00000000 --- a/test/v1/policy/ksp/policy-net-icmp-audit.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - name: ksp-ubuntu-5-net-icmp-audit - namespace: multiubuntu -spec: - severity: 8 - selector: - matchLabels: - container: ubuntu-5 - network: - matchProtocols: - - protocol: icmp - action: - Audit \ No newline at end of file diff --git a/test/v1/policy/ksp/policy-path-block.yaml b/test/v1/policy/ksp/policy-path-block.yaml deleted file mode 100644 index 8781778f..00000000 --- a/test/v1/policy/ksp/policy-path-block.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - name: ksp-group-1-proc-path-block - namespace: multiubuntu -spec: - selector: - matchLabels: - group: group-1 - process: - matchPaths: - - path: /bin/sleep - action: - Block \ No newline at end of file diff --git a/test/v1/policy/ksp/policy-proc-dir-block.yaml b/test/v1/policy/ksp/policy-proc-dir-block.yaml deleted file mode 100644 index 30ffe514..00000000 --- a/test/v1/policy/ksp/policy-proc-dir-block.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - name: ksp-ubuntu-1-proc-dir-block - namespace: multiubuntu -spec: - selector: - matchLabels: - container: ubuntu-1 - process: - matchDirectories: - - dir: /sbin/ - action: - Block \ No newline at end of file diff --git a/test/v2/bindings/network/binding-redis.yaml b/test/v2/bindings/network/binding-redis.yaml deleted file mode 100644 index 5fb13343..00000000 --- a/test/v2/bindings/network/binding-redis.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntentBinding -metadata: - name: net-redis-ingress-deny - namespace: default -spec: - intents: - - name: deny-any-to-redis-port - selector: - any: - - resources: - kind: Pod - matchLabels: - app: "redis" - namespace: default diff --git a/test/v2/bindings/system/binding-path-block.yaml b/test/v2/bindings/system/binding-path-block.yaml deleted file mode 100644 index ce6942fc..00000000 --- a/test/v2/bindings/system/binding-path-block.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntentBinding -metadata: - name: sys-proc-path-sleep-block - namespace: multiubuntu -spec: - intents: - - name: group-1-proc-path-sleep-block - selector: - any: - - resources: - kind: Pod - namespace: multiubuntu - matchLabels: - group: group-1 \ No newline at end of file diff --git a/test/v2/clusterscoped/multiple-si-sib.yaml b/test/v2/clusterscoped/multiple-si-sib.yaml deleted file mode 100644 index bd6eb7d8..00000000 --- a/test/v2/clusterscoped/multiple-si-sib.yaml +++ /dev/null @@ -1,50 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: pkg-mgr-exec-global -spec: - intent: - id: swDeploymentTools - description: "Do not allow the execution of package managers inside the containers" - action: Block - mode: strict ---- -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: unauthorized-nef-access-global -spec: - intent: - id: unAuthorizedNEFAccess - action: Block - mode: strict ---- -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: dns-manipulation-global -spec: - intent: - id: dnsManipulation - action: Block ---- -apiVersion: intent.security.nimbus.com/v1 -kind: ClusterSecurityIntentBinding -metadata: - name: multiple-sis-binding-global -spec: - intents: - - name: pkg-mgr-exec-global - - name: unauthorized-nef-access-global - - name: dns-manipulation-global - selector: - resources: - - kind: Deployment # What else it can be? DS,Sts? - name: nginx - namespace: default - - kind: Deployment - name: ubuntu-1-deployment - namespace: multiubuntu diff --git a/test/v2/clusterscoped/si-sib.yaml b/test/v2/clusterscoped/si-sib.yaml deleted file mode 100644 index 7f319542..00000000 --- a/test/v2/clusterscoped/si-sib.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2023 Authors of Nimbus - -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: pkg-mgr-exec-single-global -spec: - intent: - id: swDeploymentTools - description: "Do not allow execution of package managers inside the containers" - action: Block - mode: Strict ---- -apiVersion: intent.security.nimbus.com/v1 -kind: ClusterSecurityIntentBinding -metadata: - name: pkg-mgr-exec-single-global-binding -spec: - intents: - - name: pkg-mgr-exec-single-global - selector: - resources: - - kind: Deployment - name: nginx - namespace: default \ No newline at end of file diff --git a/test/v2/intents/network/intent-redis.yaml b/test/v2/intents/network/intent-redis.yaml deleted file mode 100644 index 487ddd12..00000000 --- a/test/v2/intents/network/intent-redis.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: deny-any-to-redis-port - namespace: default -spec: - intent: - id: net-port-exec - description: "Don’t allow any outside traffic to the Redis port" - action: Block - mode: Strict - params: - - fromCIDRSet: - - cidr: 0.0.0.0/0 - - toPorts: - - ports: - - port: "6379" - protocol: tcp diff --git a/test/v2/intents/system/intent-path-block.yaml b/test/v2/intents/system/intent-path-block.yaml deleted file mode 100644 index 2f6dbf39..00000000 --- a/test/v2/intents/system/intent-path-block.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: intent.security.nimbus.com/v1 -kind: SecurityIntent -metadata: - name: group-1-proc-path-sleep-block - namespace: multiubuntu -spec: - intent: - id: sys-proc-paths - description: "block the execution of '/bin/sleep'" - action: Block - mode: Strict - params: - - matchPaths: - - path: /bin/sleep \ No newline at end of file
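Review bot: In the `test/v1/intents/system/intent-allow-access-to-credentials-dir.yaml` hunk, the fixture is removed together with its paired expected output `test/v1/policy/ksp/policy-file-dir-allow-from-source-path.yaml` later in the patch, which is consistent, but nothing in the diff shows the consumer of these pairs being updated; any test or script that applies the intent and compares the generated `KubeArmorPolicy` against that file will fail once both are gone, so either update that harness in this PR or state in the commit message that the v1 intent/policy format is being dropped wholesale.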
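Review bot: The two files deleted in the `intent-do-not-allow-priv-escalation.yaml` and `intent-restrict-write-access-to-sys-folders.yaml` hunks were never valid fixtures, so removing them is right, but if either intent is meant to return in a new format the replacement must not carry over their defects: the `cel: - xxx` placeholders, the typographic quotes in `key: “capabilities”` and `val: [ “privilege”, “CAP_SYSADMIN” ]` (YAML treats `“` as an ordinary character, not a string delimiter, so the values would contain the quote marks), and `CAP_SYSADMIN`, which is not the name of the Linux capability (`CAP_SYS_ADMIN` is).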
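Review bot: In the `test/v1/intents/template-intent.yaml` hunk, the deleted template mixes `resource: []` with a following sequence of `matchPaths`, `matchCapabilities` and `matchSyscalls` entries under the same key, and sets `matchLabels` to the flow sequence `[key: value]` rather than a mapping, so it could not have been applied as written; if a template is still wanted for users, a valid one that reflects the current `SecurityIntent` schema should be added under `docs/` rather than restoring this file.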
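Review bot: The `test/v2/clusterscoped/multiple-si-sib.yaml` hunk removes fixtures with `mode: strict` while `si-sib.yaml`, `intent-redis.yaml` and `intent-path-block.yaml` in the same patch use `mode: Strict`, and `dns-manipulation-global` sets no `mode` at all; if `ClusterSecurityIntentBinding` fixtures are reintroduced elsewhere, settle the accepted casing (or document that it is case-insensitive) and decide whether `mode` is required. The open question in the deleted comment `# What else it can be? DS,Sts?` on the `selector.resources[].kind` field should move to an issue rather than disappear with the file.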
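Review bot: With the `test/v2/intents/network/intent-redis.yaml` and `test/v2/intents/system/intent-path-block.yaml` hunks, every `test/v1` and `test/v2` fixture shown in the diff is deleted and none is replaced, which leaves no sample `SecurityIntent` or `SecurityIntentBinding` for a reader of the docs to apply; the PR description or commit message should say where the replacement samples live, and the deleted files' trailing `\ No newline at end of file` markers suggest the new ones should be checked with a YAML linter before they are added.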