Merge pull request #1916 from rksharma95/feat-recommend-csp

feat(operator): add recommended policies feature to operator

deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.4.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: kubearmorconfigs.operator.kubearmor.com
 spec:
   group: operator.kubearmor.com
@@ -25,20 +24,27 @@ spec:
         description: KubeArmorConfig is the Schema for the KubeArmorConfigs API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
           spec:
             description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig
             properties:
+              alertThrottling:
+                type: boolean
               defaultCapabilitiesPosture:
                 enum:
                 - audit
@@ -127,12 +133,37 @@ spec:
                     - Never
                     type: string
                 type: object
-              seccompEnabled:
-                type: boolean
-              alertThrottling:
-                type: boolean
               maxAlertPerSec:
                 type: integer
+              recommendedPolicies:
+                properties:
+                  enable:
+                    type: boolean
+                  excludePolicy:
+                    items:
+                      type: string
+                    type: array
+                  matchExpressions:
+                    items:
+                      properties:
+                        key:
+                          enum:
+                          - namespace
+                          type: string
+                        operator:
+                          enum:
+                          - In
+                          - NotIn
+                          type: string
+                        values:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                type: object
+              seccompEnabled:
+                type: boolean
               throttleSec:
                 type: integer
               tls:
@@ -156,19 +187,13 @@ spec:
               message:
                 type: string
               phase:
-                description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
-                  of cluster Important: Run "make" to regenerate code after modifying
-                  this file'
+                description: |-
+                  INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+                  Important: Run "make" to regenerate code after modifying this file
                 type: string
             type: object
         type: object
     served: true
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []

deployments/operator/operator.yaml

@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.4.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: kubearmorconfigs.operator.kubearmor.com
 spec:
   group: operator.kubearmor.com
@@ -24,20 +23,27 @@ spec:
         description: KubeArmorConfig is the Schema for the KubeArmorConfigs API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
           spec:
             description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig
             properties:
+              alertThrottling:
+                type: boolean
               defaultCapabilitiesPosture:
                 enum:
                 - audit
@@ -126,12 +132,37 @@ spec:
                     - Never
                     type: string
                 type: object
-              seccompEnabled:
-                type: boolean
-              alertThrottling:
-                type: boolean
               maxAlertPerSec:
                 type: integer
+              recommendedPolicies:
+                properties:
+                  enable:
+                    type: boolean
+                  excludePolicy:
+                    items:
+                      type: string
+                    type: array
+                  matchExpressions:
+                    items:
+                      properties:
+                        key:
+                          enum:
+                          - namespace
+                          type: string
+                        operator:
+                          enum:
+                          - In
+                          - NotIn
+                          type: string
+                        values:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                type: object
+              seccompEnabled:
+                type: boolean
               throttleSec:
                 type: integer
               tls:
@@ -155,22 +186,16 @@ spec:
               message:
                 type: string
               phase:
-                description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
-                  of cluster Important: Run "make" to regenerate code after modifying
-                  this file'
+                description: |-
+                  INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+                  Important: Run "make" to regenerate code after modifying this file
                 type: string
             type: object
         type: object
     served: true
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -290,6 +315,14 @@ rules:
   - list
   - watch
   - update
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - security.kubearmor.com
   resources:
@@ -388,6 +421,10 @@ rules:
   - cronjobs
   verbs:
   - get
+  - patch
+  - list
+  - watch
+  - update
 - apiGroups:
   - security.kubearmor.com
   resources:

pkg/KubeArmorOperator/Dockerfile

@@ -35,6 +35,7 @@ COPY $OPERATOR_DIR/enforcer enforcer
 COPY $OPERATOR_DIR/k8s k8s
 COPY $OPERATOR_DIR/runtime runtime
 COPY $OPERATOR_DIR/seccomp seccomp
+COPY $OPERATOR_DIR/recommend recommend
 
 # Build
 RUN CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} GO111MODULE=on go build -a -o operator cmd/operator/main.go

pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go

@@ -4,6 +4,7 @@
 package v1
 
 import (
+	securityv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -30,11 +31,21 @@ type Tls struct {
 	RelayExtraIpAddresses []string `json:"extraIpAddresses,omitempty"`
 }
 
+type RecommendedPolicies struct {
+	Enable bool `json:"enable,omitempty"`
+
+	MatchExpressions []securityv1.MatchExpressionsType `json:"matchExpressions,omitempty"`
+
+	ExcludePolicy []string `json:"excludePolicy,omitempty"`
+}
+
 // KubeArmorConfigSpec defines the desired state of KubeArmorConfig
 type KubeArmorConfigSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 
+	// +kubebuilder:validation:optional
+	RecommendedPolicies RecommendedPolicies `json:"recommendedPolicies,omitempty"`
 	// +kubebuilder:validation:optional
 	DefaultFilePosture PostureType `json:"defaultFilePosture,omitempty"`
 	// +kubebuilder:validation:optional

pkg/KubeArmorOperator/cmd/operator/main.go

@@ -8,6 +8,7 @@ import (
 	"errors"
 	"path/filepath"
 
+	secv1client "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/client/clientset/versioned"
 	opv1client "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/client/clientset/versioned"
 	controllers "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/internal/controller"
 	"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/k8s"
@@ -28,6 +29,7 @@ var PathPrefix string
 var DeploymentName string
 var ExtClient *apiextensionsclientset.Clientset
 var Opv1Client *opv1client.Clientset
+var Secv1Client *secv1client.Clientset
 var InitDeploy bool
 var LogLevel string
 
@@ -45,14 +47,15 @@ var Cmd = &cobra.Command{
 		K8sClient = k8s.NewClient(*Logger, KubeConfig)
 		ExtClient = k8s.NewExtClient(*Logger, KubeConfig)
 		Opv1Client = k8s.NewOpv1Client(*Logger, KubeConfig)
+		Secv1Client = k8s.NewSecv1Client(*Logger, KubeConfig)
 		//Initialise k8sClient for all child commands to inherit
 		if K8sClient == nil {
 			return errors.New("couldn't create k8s client")
 		}
 		return nil
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		nodeWatcher := controllers.NewClusterWatcher(K8sClient, Logger, ExtClient, Opv1Client, PathPrefix, DeploymentName, InitDeploy)
+		nodeWatcher := controllers.NewClusterWatcher(K8sClient, Logger, ExtClient, Opv1Client, Secv1Client, PathPrefix, DeploymentName, InitDeploy)
 		go nodeWatcher.WatchConfigCrd()
 		nodeWatcher.WatchNodes()
 

pkg/KubeArmorOperator/common/defaults.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 
 	deployments "github.com/kubearmor/KubeArmor/deployments/get"
+	securityv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1"
 	opv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -124,6 +125,20 @@ var (
 	AlertThrottling       bool   = true
 	DefaultMaxAlertPerSec string = "10"
 	DefaultThrottleSec    string = "30"
+
+	// recommend policies
+	RecommendedPolicies opv1.RecommendedPolicies = opv1.RecommendedPolicies{
+		MatchExpressions: []securityv1.MatchExpressionsType{
+			{
+				Key:      "namespace",
+				Operator: "NotIn",
+				Values: []string{
+					"kube-system",
+					"kubearmor",
+				},
+			},
+		},
+	}
 )
 
 var ConfigMapData = map[string]string{