WIP: Psp rules support #682
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/kind rule-create |
|
@mstemm thanks! It needs a rebase on top of the master to catch the falco fields checksum, but I'm sure you already know this 😄 |
mstemm
force-pushed
the
psp-rules-support
branch
from
837fdc9
to
1056ab4
Compare
mstemm
force-pushed
the
psp-rules-support
branch
from
3a768d5
to
180e4cb
Compare
Add a new item that can be in brackets for a field: port ranges. They are a mix of digits, ':', and ','. The current grammar allows any mix without strictly checking pairs of ports separated by : and joined by ,.
ka.req.container.host_{pid,ipc}: returns value of host{PID,IPC} for pod
spec.
ka.req.container.host_port.within: given a list of port ranges expressed
as "min:max,min2:max2", return true if all ports specified for a pod are
within those ranges. The work is in
k8s_audit_filter_check::check_host_port_within which iterates over the
containers to find each hostPort and match against the ranges.
Matches everything currently defined in the template.
A working template for the following PSP properties: - privileged - hostPID - hostIPC - hostNetwork - hostPorts
New field ka.req.volume_types.within checks the set of volume types against a list of allowed types and returns true if all volume types are in the allowed list.
Compares volume types against an allowed set.
Used for a comma-separated list of paths.
This will be easier once we're getting the values from yaml.
ka.req.volume.any_hostpath is identical to ka.req.volume.hostpath, seeing if any hostPath path matches the provided prefix. (You can now specify a list of prefixes separated by commas). ka.req.volume.all_hostpath checks if *all* hostPaths match the provided set of prefixes.
Uses ka.req.volume.all_hostpath to ensure that all hostPath paths match the provided allowed set of paths.
When rules are enabled in the falco engine, the argument to
enable_rule() is a regex pattern. That causes problems if the rule name
itself contains regex characters like '(', etc.
To fix this, escape special characters in rule names to create the
pattern passed to enable_rule().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
New test has a rule name containing all ESCMAScript regex chars and ensures that the rule matches the events. The test code itself needed to also escape special characters from patterns when searching falco's output. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add rules for readOnlyRootFilesystem, runAsUser + MustRunAs, runAsUser + MustRunAsNonRoot, and runAsGroup + MustRunAs.
Add tests for readOnlyRootFilesystem, runAsUser+MustRunAs, runAsUser+MustRunAsNonRoot, runAsGroup+MustRunAs.
mstemm
force-pushed
the
psp-rules-support
branch
from
862820c
to
70d615a
Compare
Json event filterchecks now extract an array of values instead of a single string value. This allows changing a lot of filter checks that were really performing set comparison operators ka.req.container.host_port.within, ka.req.volume.any_hostpath, etc to just perform set comparison operations. This also changes json_event_filter_check::compare to work primarily on sets instead of single values. CONTAINS/IN look for subsets between the extracted and rhs values, and a new operator INTERSECTS looks for any set intersection. Aliases now have separate steps for custom extraction from a json object to an array of strings (things like plucking custom values from an array of objects, etc) and indexing. Most indexing should be eliminated and replaced with (simpler) custom extraction. The aliases themselves still need to be changed to work with extraction + indexing functions instead of a single formatting function.
Allow nested/recursive navigation of the object by default, start of general-purpose extracted values which can be strings, ints, or pairs of ints that act as ranges.
This is mostly complete and removes unnecessary filterchecks that were actually working as comparison operators. Remaining work: 1. Finish implementing the default extraction function 2. Update templates to switch over to set/equality operators instead of old filterchecks 3. Get build working 4. Fix automated tests
This version works, but there's a mismatch in how m_field is handled when extracting and resolving tokens.
No tests result in errors any longer. 20/74 tests are still failing, though.
The remaining failures are host path matching against prefixes.
Some regressions in the normal k8s audit unit tests, though. I think I just need to adapt some of the new filter fields to match their new semantics.
Instead of a hard-coded image list, use an annotation on the psp object "falco-rules-psp-images".
|
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits. 📝 Please follow instructions in the contributing guide to update your commits with the DCO Full details of the Developer Certificate of Origin can be found at developercertificate.org. The list of commits missing DCO signoff:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
Any specific area of the project related to this PR?
/area engine
/area rules
What this PR does / why we need it:
We've heard from some users that it would be desirable to have a way to "test" a K8s Pod Security Policy (PSP) to see if it has good coverage, before actually enabling the PSP. Once a PSP is in place, it can prevent pods from running, which can be disruptive.
This adds support for reading a K8s Pod Security Policy (PSP) and converting it to a set of falco rules. These rules can check the conditions specified in the PSP without actually preventing pods from running. This could be a valuable step in development of PSPs.
This adds new command line options
--psp <path>and--psp_save [<path>]. When a psp is provided using--psp, it will be internally converted to a set of falco rules that check the conditions of the PSP and loaded into the falco engine. If you wish to save the set of converted falco rules, you can save them using--psp_save.Many of these rules depend on K8s Audit support, so you'll need to enable and configure K8s Audit in your cluster to fully test a PSP.
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?: