a security controller for Kubernetes
vigilant


vigilant is a Kubernetes security controller.

What It Does

vigilant ensures the following for every Namespace in your Kubernetes cluster:

  1. the Namespace has the label name:

$ kubectl get namespaces --show-labels

NAME          STATUS   AGE     LABELS
default       Active   2m42s   name=default
kube-public   Active   2m42s   name=kube-public
kube-system   Active   2m42s   name=kube-system

This facilitates the use of namespaceSelector in NetworkPolicy objects, which matches Namespaces by label rather than by name.

For example, this NetworkPolicy can be applied without having to manually add the label name=web-app to the web-app Namespace:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-app
  namespace: pgsql
spec:
  policyTypes:
  - Ingress
  podSelector:
    matchLabels:
      app: postgres-10
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: web-app

  2. the Namespace has a default NetworkPolicy that denies all ingress and egress traffic:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: example
spec:
  policyTypes:
  - Ingress
  - Egress
  podSelector: {}
  ingress: []
  egress:
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP

This policy applies to all Pods in the Namespace (empty podSelector), denies all ingress, and permits only egress on port 53 TCP and UDP, i.e. DNS. Because the egress rule has no to selector, port 53 is allowed to any destination, not only the cluster resolver.

How It Works

vigilant is a DecoratorController.

It is registered with metacontroller and watches for the creation of Namespace objects. When a new Namespace is created, metacontroller sends a POST request to vigilant's /sync endpoint. vigilant responds with the name label and the NetworkPolicy that should be added to the Namespace, and metacontroller applies them.

$ kubectl -n metacontroller logs metacontroller-0 --tail=12

I0124 21:47:31.633272       1 controller.go:423] DecoratorController knsc: sync Namespace /kube-system
I0124 21:47:31.636532       1 controller.go:423] DecoratorController knsc: sync Namespace /default
I0124 21:47:31.638269       1 controller.go:423] DecoratorController knsc: sync Namespace /kube-public
I0124 21:47:31.638274       1 controller.go:508] DecoratorController knsc: updating Namespace /kube-system
I0124 21:47:31.642925       1 controller.go:508] DecoratorController knsc: updating Namespace /default
I0124 21:47:31.644319       1 controller.go:508] DecoratorController knsc: updating Namespace /kube-public
I0124 21:47:31.646605       1 manage_children.go:246] Namespace kube-system: creating NetworkPolicy kube-system/default-deny-all
I0124 21:47:31.646648       1 manage_children.go:246] Namespace default: creating NetworkPolicy default/default-deny-all
I0124 21:47:31.647014       1 manage_children.go:246] Namespace kube-public: creating NetworkPolicy kube-public/default-deny-all
I0124 21:47:31.653321       1 controller.go:423] DecoratorController knsc: sync Namespace /metacontroller
I0124 21:47:31.655149       1 controller.go:508] DecoratorController knsc: updating Namespace /metacontroller
I0124 21:47:31.658274       1 manage_children.go:246] Namespace metacontroller: creating NetworkPolicy metacontroller/default-deny-all
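The exchange described above, as an added example that is not vigilant's own main.go: a minimal DecoratorController sync hook in Go that accepts metacontroller's POST to /sync, reads the parent Namespace out of the request body, and returns the name label plus the default-deny-all NetworkPolicy from the README as the desired attachment. The request and response field names (object, attachments, labels) follow the metacontroller DecoratorController hook contract; the type names, the 1 MiB body cap and the listen address are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"log"
	"net/http"
)

// kubeObject is a minimal view of a Kubernetes object: only the fields the
// hook reads or emits. Everything else is left to metacontroller.
type kubeObject struct {
	APIVersion string                 `json:"apiVersion"`
	Kind       string                 `json:"kind"`
	Metadata   map[string]interface{} `json:"metadata"`
	Spec       map[string]interface{} `json:"spec,omitempty"`
}

// SyncRequest is the body metacontroller POSTs to a DecoratorController's
// sync hook: the parent object (here a Namespace) plus the attachments the
// controller already owns, keyed by "Kind.version" and then object name.
type SyncRequest struct {
	Object      kubeObject                       `json:"object"`
	Attachments map[string]map[string]kubeObject `json:"attachments"`
}

// SyncResponse is what the hook answers: labels to set on the parent and the
// desired attachments (children) metacontroller should create or update.
type SyncResponse struct {
	Labels      map[string]string `json:"labels"`
	Attachments []kubeObject      `json:"attachments"`
}

// defaultDenyPolicy builds the default-deny-all NetworkPolicy from the README:
// every Pod selected, no ingress, egress only to port 53 TCP/UDP.
func defaultDenyPolicy(namespace string) kubeObject {
	return kubeObject{
		APIVersion: "networking.k8s.io/v1",
		Kind:       "NetworkPolicy",
		Metadata:   map[string]interface{}{"name": "default-deny-all", "namespace": namespace},
		Spec: map[string]interface{}{
			"policyTypes": []string{"Ingress", "Egress"},
			"podSelector": map[string]interface{}{},
			"ingress":     []interface{}{},
			"egress": []interface{}{
				map[string]interface{}{"ports": []interface{}{
					map[string]interface{}{"port": 53, "protocol": "TCP"},
					map[string]interface{}{"port": 53, "protocol": "UDP"},
				}},
			},
		},
	}
}

// syncNamespace computes the desired state for one Namespace. It is pure so
// it can be unit-tested without an HTTP server or a cluster.
func syncNamespace(req SyncRequest) (SyncResponse, error) {
	if req.Object.Kind != "Namespace" {
		return SyncResponse{}, errors.New("sync hook expects a Namespace parent")
	}
	name, _ := req.Object.Metadata["name"].(string)
	if name == "" {
		return SyncResponse{}, errors.New("namespace has no metadata.name")
	}
	return SyncResponse{
		Labels:      map[string]string{"name": name},
		Attachments: []kubeObject{defaultDenyPolicy(name)},
	}, nil
}

// syncHandler is the /sync endpoint. It accepts only POST, caps the body size
// (assumed limit), and rejects malformed input with 400 rather than guessing.
func syncHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	var req SyncRequest
	if err := json.NewDecoder(io.LimitReader(r.Body, 1<<20)).Decode(&req); err != nil {
		http.Error(w, "malformed sync request", http.StatusBadRequest)
		return
	}
	resp, err := syncNamespace(req)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	if err := json.NewEncoder(w).Encode(resp); err != nil {
		log.Printf("encode response: %v", err)
	}
}

func main() {
	http.HandleFunc("/sync", syncHandler)
	log.Fatal(http.ListenAndServe(":8080", nil)) // listen address is an assumption
}
```

Keeping the decision logic in syncNamespace and the transport in syncHandler means the security-relevant behaviour (which label and which policy every Namespace gets) can be asserted in a unit test, while the handler only has to reject non-POST requests and unparsable bodies.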

Prerequisites

vigilant requires the metacontroller add-on running in your Kubernetes cluster.

Usage

Deploy vigilant:

$ kubectl apply -f https://raw.githubusercontent.com/bincyber/vigilant/master/manifests/deployment.yaml

Register the DecoratorController with the metacontroller:

$ kubectl apply -f https://raw.githubusercontent.com/bincyber/vigilant/master/manifests/decoratorcontroller.yaml

Verify that namespaces have had a name label added to them:

$ kubectl get namespaces --show-labels

Verify that a NetworkPolicy has been added to each namespace:

$ kubectl get networkpolicy --all-namespaces
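The two verification steps above can be automated. The following is an added example, not part of the vigilant project: a small Go program that reads the JSON output of kubectl get namespaces -o json and kubectl get networkpolicy --all-namespaces -o json and reports every Namespace that lacks the name label or the default-deny-all NetworkPolicy. The embedded sample documents are constructed stand-ins for kubectl output, and the function and file-argument names are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// kubeList is the shape of `kubectl get ... -o json`; only metadata matters here.
type kubeList struct {
	Items []struct {
		Metadata struct {
			Name      string            `json:"name"`
			Namespace string            `json:"namespace"`
			Labels    map[string]string `json:"labels"`
		} `json:"metadata"`
	} `json:"items"`
}

// auditNamespaces returns one finding per Namespace that lacks the
// name=<namespace> label or the default-deny-all NetworkPolicy that vigilant
// is expected to create. Findings are sorted so output is stable.
func auditNamespaces(nsJSON, npJSON []byte) ([]string, error) {
	var namespaces, policies kubeList
	if err := json.Unmarshal(nsJSON, &namespaces); err != nil {
		return nil, fmt.Errorf("namespaces: %w", err)
	}
	if err := json.Unmarshal(npJSON, &policies); err != nil {
		return nil, fmt.Errorf("networkpolicies: %w", err)
	}
	hasDenyAll := map[string]bool{}
	for _, p := range policies.Items {
		if p.Metadata.Name == "default-deny-all" {
			hasDenyAll[p.Metadata.Namespace] = true
		}
	}
	var findings []string
	for _, ns := range namespaces.Items {
		n := ns.Metadata.Name
		if ns.Metadata.Labels["name"] != n {
			findings = append(findings, n+": missing or wrong label name="+n)
		}
		if !hasDenyAll[n] {
			findings = append(findings, n+": missing NetworkPolicy default-deny-all")
		}
	}
	sort.Strings(findings)
	return findings, nil
}

// Constructed stand-ins for kubectl output, used when no files are passed.
const sampleNamespaces = `{"items":[
  {"metadata":{"name":"default","labels":{"name":"default"}}},
  {"metadata":{"name":"web-app","labels":{"name":"web-app"}}},
  {"metadata":{"name":"pgsql","labels":{}}}]}`

const samplePolicies = `{"items":[
  {"metadata":{"name":"default-deny-all","namespace":"default"}},
  {"metadata":{"name":"allow-web-app","namespace":"pgsql"}}]}`

func main() {
	nsJSON, npJSON := []byte(sampleNamespaces), []byte(samplePolicies)
	if len(os.Args) == 3 { // go run audit.go namespaces.json networkpolicies.json
		var err error
		if nsJSON, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		if npJSON, err = os.ReadFile(os.Args[2]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	findings, err := auditNamespaces(nsJSON, npJSON)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
	if len(findings) > 0 { // non-zero exit makes the check usable in CI
		os.Exit(1)
	}
}
```

With the sample data the program reports pgsql twice (no label, no policy) and web-app once (label present, policy missing); a non-zero exit status lets the same check gate a pipeline after vigilant has been deployed.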