// SPDX-License-Identifier: Apache-2.0
// Copyright 2021 Authors of KubeArmor
package vm
import (
"bytes"
"context"
"encoding/json"
"fmt"
"net/http"
"os"
"path/filepath"
"regexp"
"strings"
"time"
v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
kg "github.com/kubearmor/KubeArmor/KubeArmor/log"
tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
pb "github.com/kubearmor/KubeArmor/protobuf"
"google.golang.org/grpc"
"sigs.k8s.io/yaml"
)
const (
	// KubeArmorPolicy is the Kind used for KubeArmor container policies
	KubeArmorPolicy = "KubeArmorPolicy"
	// KubeArmorHostPolicy is the Kind used for KubeArmor host policies
	KubeArmorHostPolicy = "KubeArmorHostPolicy"
	// CiliumNetworkPolicy is the Kind used for namespaced Cilium network policies
	CiliumNetworkPolicy = "CiliumNetworkPolicy"
	// CiliumClusterwideNetworkPolicy is the Kind used for cluster-wide Cilium
	// network policies; PolicyHandling decodes it with the same type as
	// CiliumNetworkPolicy.
	CiliumClusterwideNetworkPolicy = "CiliumClusterwideNetworkPolicy"
)
// PolicyOptions are optional configuration for kArmor vm policy
type PolicyOptions struct {
	// GRPC is the host:port of the KubeArmor policy gRPC service. When empty,
	// sendPolicyOverGRPC falls back to the KUBEARMOR_SERVICE environment
	// variable and then to localhost:32767.
	GRPC string
}
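// sendPolicyOverGRPC pushes a serialized policy event to KubeArmor's
// PolicyService. The target is o.GRPC, else the KUBEARMOR_SERVICE
// environment variable, else localhost:32767.
//
// kind selects the RPC: KubeArmorHostPolicy goes to HostPolicy; every other
// kind (including the Cilium kinds) goes to ContainerPolicy. The server's
// status is printed to stdout on success.
//
// The connection is plaintext and carries no credentials (grpc.WithInsecure),
// and nothing here authenticates the caller to the server, so the target must
// be a local or otherwise trusted endpoint: a host policy pushed here changes
// enforcement on the node.
//
// Returns the dial error, or a wrapped RPC error including the transport's
// reason (the original discarded it).
func sendPolicyOverGRPC(o PolicyOptions, policyEventData []byte, kind string) error {
	target := o.GRPC
	if target == "" {
		if val, ok := os.LookupEnv("KUBEARMOR_SERVICE"); ok {
			target = val
		} else {
			target = "localhost:32767"
		}
	}

	// NOTE: grpc.WithInsecure is deprecated in favour of
	// grpc.WithTransportCredentials(insecure.NewCredentials()); kept because
	// the replacement needs an additional import. Either way the channel is
	// unencrypted and unauthenticated.
	conn, err := grpc.Dial(target, grpc.WithInsecure())
	if err != nil {
		return err
	}
	// The connection was previously never closed and leaked on every call.
	defer func() {
		if cerr := conn.Close(); cerr != nil {
			kg.Warnf("Error closing gRPC connection %s\n", cerr)
		}
	}()

	// grpc.Dial is non-blocking, so an unreachable target would otherwise
	// stall the RPC indefinitely; bound it like the HTTP path does.
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()

	client := pb.NewPolicyServiceClient(conn)
	req := pb.Policy{
		Policy: policyEventData,
	}

	if kind == KubeArmorHostPolicy {
		resp, err := client.HostPolicy(ctx, &req)
		if err != nil {
			return fmt.Errorf("failed to send policy: %w", err)
		}
		fmt.Printf("Policy %s \n", resp.Status)
		return nil
	}

	resp, err := client.ContainerPolicy(ctx, &req)
	if err != nil {
		return fmt.Errorf("failed to send policy: %w", err)
	}
	fmt.Printf("Policy %s \n", resp.Status)
	return nil
}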
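// sendPolicyOverHTTP posts a serialized policy event to the kvmservice
// control plane at address. KubeArmorHostPolicy goes to /policy/kubearmor;
// every other kind goes to /policy/cilium.
//
// address is used verbatim as the URL base, so the caller chooses the scheme.
// Nothing here authenticates the request or the server, so the address must
// be https to a trusted endpoint or reachable only over a trusted network.
//
// Returns a wrapped error when the request cannot be built or sent, or when
// the server answers with a non-2xx status (the original printed "Success"
// for any reply). Prints "Success" otherwise.
func sendPolicyOverHTTP(address string, kind string, policyEventData []byte) error {
	client := http.Client{
		Timeout: 5 * time.Second,
	}

	// NOTE(review): the KubeArmorPolicy (container) kind is also routed to
	// the cilium endpoint here; confirm that is what kvmservice expects.
	endpoint := address + "/policy/cilium"
	if kind == KubeArmorHostPolicy {
		endpoint = address + "/policy/kubearmor"
	}

	request, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewBuffer(policyEventData))
	if err != nil {
		// The original set a header on request before checking err, which is
		// a nil-pointer panic for an unparsable address.
		return fmt.Errorf("failed to build policy request: %w", err)
	}
	request.Header.Set("Content-type", "application/json")

	resp, err := client.Do(request)
	if err != nil {
		return fmt.Errorf("failed to send policy: %w", err)
	}
	defer func() {
		if cerr := resp.Body.Close(); cerr != nil {
			kg.Warnf("Error closing http stream %s\n", cerr)
		}
	}()

	// A 4xx/5xx reply means the policy was not applied; report it.
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("failed to send policy: server returned %s", resp.Status)
	}

	fmt.Println("Success")
	return nil
}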
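// docSeparatorRE matches a YAML document separator ("---") at the start of a
// line. Splitting on it, instead of on every "---" substring, keeps dashes
// inside string values from cutting a document in half, and it is compiled
// once rather than per document.
var docSeparatorRE = regexp.MustCompile(`(?m)^---`)

// PolicyHandling reads a (possibly multi-document) YAML file at path and
// forwards each document as a policy event to KubeArmor.
//
//   - t is copied verbatim into the event's Type field.
//   - Accepted kinds are KubeArmorHostPolicy, KubeArmorPolicy,
//     CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy. Any other kind,
//     or a document without a kind, is an error; previously such documents
//     fell through and a JSON "null" policy was pushed to the server.
//     Blank documents and comment-only documents are skipped, as are Cilium
//     policies without a Spec.
//   - When isKvmsEnv is set the event is POSTed to httpAddress, otherwise it
//     is sent over gRPC using o.
//
// Processing stops at the first failure; documents before it have already
// been sent. Returns the read, parse or transport error.
func PolicyHandling(t string, path string, o PolicyOptions, httpAddress string, isKvmsEnv bool) error {
	policyFile, err := os.ReadFile(filepath.Clean(path))
	if err != nil {
		return err
	}

	for _, policy := range docSeparatorRE.Split(string(policyFile), -1) {
		if strings.TrimSpace(policy) == "" {
			continue
		}

		js, err := yaml.YAMLToJSON([]byte(policy))
		if err != nil {
			return err
		}
		// A document holding only comments decodes to JSON null; nothing to send.
		if strings.TrimSpace(string(js)) == "null" {
			continue
		}

		// Declared per document so a document without "kind" cannot inherit
		// the previous document's kind (the original reused one variable).
		var k struct {
			Kind string `json:"kind"`
		}
		if err := json.Unmarshal(js, &k); err != nil {
			return err
		}

		var policyEvent interface{}
		switch k.Kind {
		case KubeArmorHostPolicy:
			var hostPolicy tp.K8sKubeArmorHostPolicy
			if err := json.Unmarshal(js, &hostPolicy); err != nil {
				return err
			}
			policyEvent = tp.K8sKubeArmorHostPolicyEvent{
				Type:   t,
				Object: hostPolicy,
			}
		case KubeArmorPolicy:
			var containerPolicy tp.K8sKubeArmorPolicy
			if err := json.Unmarshal(js, &containerPolicy); err != nil {
				return err
			}
			policyEvent = tp.K8sKubeArmorPolicyEvent{
				Type:   t,
				Object: containerPolicy,
			}
		case CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy:
			var networkPolicy v2.CiliumNetworkPolicy
			if err := json.Unmarshal(js, &networkPolicy); err != nil {
				return err
			}
			if networkPolicy.Spec == nil {
				continue
			}
			policyEvent = NetworkPolicyRequest{
				Type:   t,
				Object: networkPolicy,
			}
		default:
			return fmt.Errorf("unsupported policy kind %q in %s", k.Kind, path)
		}

		policyEventData, err := json.Marshal(policyEvent)
		if err != nil {
			return err
		}

		if isKvmsEnv {
			// Non-K8s control plane with kvmservice, hence send policy over HTTP
			if err := sendPolicyOverHTTP(httpAddress, k.Kind, policyEventData); err != nil {
				return err
			}
		} else {
			// Systemd mode, hence send policy over gRPC
			if err := sendPolicyOverGRPC(o, policyEventData, k.Kind); err != nil {
				return err
			}
		}
	}
	return nil
}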