
feature(k8s): policy k8s compatible #3330

Merged

Conversation

@josedonizetti josedonizetti commented Jul 20, 2023

1. Explain what the PR does

Fix #3322

This PR is changing policies to be compatible with Kubernetes. So a user will be able to use the same policy on the filesystem and also as a future Kubernetes CRD.

Before the policy was:

name: dig
description: traces dns events from the dig binary
scope:
  - binary=/usr/bin/dig
rules:
  - event: net_packet_dns_request
  - event: net_packet_dns_response

After this PR it will be:

apiVersion: aquasecurity.github.io/v1beta1
kind: TraceePolicy
metadata:
  name: dig
  annotations:
    description: traces dns events from the dig binary
spec:
  scope:
    - binary=/usr/bin/dig
  rules:
    - event: net_packet_dns_request
    - event: net_packet_dns_response

This PR also makes policies versioned, so it can be backward compatible if we decide to extend/change it later.
I also made descriptions non-mandatory, as we don't have description under metadata, due to a future CRD implementation, and annotations are not required in Kubernetes.

2. Explain how to test it

Try one of the example policies.

3. Other comments

This PR will break the CNDR e2e tests, so I'll be creating a PR to fix the tests prior to merging this if approved.
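Added example (not Tracee's code, and not part of this PR): a small Python validator and migrator for the versioned policy layout described above. It takes a policy already parsed by a YAML loader (assumed: PyYAML's safe_load or similar; the samples are embedded as the dict equivalents of the two YAML documents in the description), rejects the legacy unversioned layout with a pointer to the new shape, converts it, treats the description annotation as optional, and applies a name rule that also covers the review comment below about policy names with spaces. The DNS-1123 label rule for metadata.name is an assumption borrowed from Kubernetes object naming, not something the PR enforces.

```python
"""Hypothetical validator/migrator for the versioned TraceePolicy layout (added example)."""
import re
from typing import Any

API_VERSION = "aquasecurity.github.io/v1beta1"
KIND = "TraceePolicy"
# Assumption: metadata.name follows the Kubernetes DNS-1123 label rule (lowercase
# alphanumerics and '-', at most 63 chars), so a name such as "sample policy" is rejected.
NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")
MAX_NAME_LEN = 63

# Constructed sample: the pre-PR (unversioned) "dig" policy, as a YAML loader would return it.
LEGACY_DIG: dict[str, Any] = {
    "name": "dig",
    "description": "traces dns events from the dig binary",
    "scope": ["binary=/usr/bin/dig"],
    "rules": [{"event": "net_packet_dns_request"}, {"event": "net_packet_dns_response"}],
}

# Constructed sample: the same policy in the versioned, Kubernetes-style layout.
VERSIONED_DIG: dict[str, Any] = {
    "apiVersion": API_VERSION,
    "kind": KIND,
    "metadata": {"name": "dig", "annotations": {"description": "traces dns events from the dig binary"}},
    "spec": {
        "scope": ["binary=/usr/bin/dig"],
        "rules": [{"event": "net_packet_dns_request"}, {"event": "net_packet_dns_response"}],
    },
}


def is_legacy(doc: dict[str, Any]) -> bool:
    """Pre-PR layout: no apiVersion/kind, with scope and rules at the top level."""
    return "apiVersion" not in doc and "kind" not in doc and "scope" in doc and "rules" in doc


def convert_legacy(old: dict[str, Any]) -> dict[str, Any]:
    """Rewrite a legacy policy into the versioned layout; description becomes an optional annotation."""
    metadata: dict[str, Any] = {"name": old["name"]}
    if old.get("description"):
        metadata["annotations"] = {"description": old["description"]}
    return {
        "apiVersion": API_VERSION,
        "kind": KIND,
        "metadata": metadata,
        "spec": {"scope": list(old.get("scope", [])), "rules": list(old.get("rules", []))},
    }


def validate_policy(doc: Any) -> list[str]:
    """Return a list of problems; an empty list means the document is a well-formed v1beta1 policy."""
    if not isinstance(doc, dict):
        return ["policy must be a mapping"]
    if is_legacy(doc):
        return ["legacy unversioned policy: move name/description under metadata and scope/rules under spec"]
    errors: list[str] = []
    if doc.get("apiVersion") != API_VERSION:
        errors.append(f"apiVersion must be {API_VERSION!r}, got {doc.get('apiVersion')!r}")
    if doc.get("kind") != KIND:
        errors.append(f"kind must be {KIND!r}, got {doc.get('kind')!r}")

    metadata = doc.get("metadata")
    if not isinstance(metadata, dict):
        errors.append("metadata must be a mapping")
    else:
        name = metadata.get("name")
        if not isinstance(name, str) or not name:
            errors.append("metadata.name is required")
        elif len(name) > MAX_NAME_LEN or not NAME_RE.fullmatch(name):
            errors.append(f"metadata.name {name!r} must be a DNS-1123 label (no spaces, <= {MAX_NAME_LEN} chars)")
        annotations = metadata.get("annotations")  # optional: a missing description is fine
        if annotations is not None and not isinstance(annotations, dict):
            errors.append("metadata.annotations must be a mapping")
        elif annotations and not isinstance(annotations.get("description", ""), str):
            errors.append("metadata.annotations.description must be a string")

    spec = doc.get("spec")
    if not isinstance(spec, dict):
        errors.append("spec must be a mapping")
    else:
        scope = spec.get("scope")
        if not isinstance(scope, list) or not scope or not all(isinstance(s, str) and s for s in scope):
            errors.append("spec.scope must be a non-empty list of selector strings such as 'binary=/usr/bin/dig'")
        rules = spec.get("rules")
        if not isinstance(rules, list) or not rules:
            errors.append("spec.rules must be a non-empty list")
        else:
            for i, rule in enumerate(rules):
                if not isinstance(rule, dict) or not isinstance(rule.get("event"), str) or not rule["event"]:
                    errors.append(f"spec.rules[{i}] must be a mapping with a non-empty 'event' string")
    return errors


if __name__ == "__main__":
    print(validate_policy(LEGACY_DIG))          # one "legacy unversioned policy" message
    migrated = convert_legacy(LEGACY_DIG)
    print(migrated == VERSIONED_DIG, validate_policy(migrated))  # True []
```

Running the module converts the legacy sample and validates the result; pointing validate_policy at a document whose metadata.name contains a space reports a single name error, which is the check a CRD admission path would also perform.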

@josedonizetti josedonizetti marked this pull request as ready for review July 23, 2023 18:31

@yanivagman yanivagman left a comment


LGTM

apiVersion: aquasecurity.github.io/v1beta1
kind: TraceePolicy
metadata:
  name: sample policy

Not directly related to this PR but we should consider enforcing policy names without spaces (which may cause parsing issues when listed in the event output), and maybe also limit its size

josedonizetti (author):

I created an issue to keep track of it #3333

@josedonizetti josedonizetti merged commit 7372ab2 into aquasecurity:main Jul 25, 2023
27 checks passed
@josedonizetti josedonizetti deleted the k8s-compatible-policy branch July 25, 2023 07:21
Successfully merging this pull request may close these issues: k8s compatible configuration