workload-security-guard

module
v0.0.23
Published: Jul 17, 2022 License: Apache-2.0

README

workload-security-guard

Summary

This project adds a workload security gate to a Kubernetes service. It is loaded as an extension to a Go proxy using rtplugs. Once loaded, it monitors the proxied requests and responses. If the proxy runs as a sidecar container, the pod can also be monitored.

A Guardian CRD includes the Gate specifications and controls the Gate behaviour.

guardui can be used to enable user interaction with the Guardian CRD.

guard can be used to auto-learn the appropriate specifications and drastically reduce, or in some cases eliminate, the required user interaction.

Security

The Gate makes it hard to deliver an exploit against a vulnerability embedded in the service or its dependencies. As a general rule, an attacker will be required to build a dedicated delivery mechanism to explore options for detecting and exploiting vulnerabilities for each service, and will not be able to use common statistical attack patterns.

This is achieved thanks to fine-grained filtering performed against each value delivered to the service.

Additional filtering enables identification of indicators that the service is misused.

Overall, the solution offers both visibility into the security of the service and the ability to block both known patterns and unknown patterns (using a zero-day exploit).
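
A minimal sketch of per-value filtering against a learned specification, as described above. It is an added example, not code from this project: the Profile type, the Gate function, the three character classes and the sample requests are assumptions made for illustration, and they do not reflect the Guardian CRD schema or the rtplugs API.

```go
package main

import (
	"fmt"
	"net/url"
	"unicode"
)

// Profile is a hypothetical per-key spec, not the Guardian CRD schema.
type Profile struct{ MaxLen, Classes int }

// classes returns a bit set: 1 letters, 2 digits, 4 anything else.
func classes(v string) (c int) {
	for _, r := range v {
		if unicode.IsLetter(r) {
			c |= 1
		} else if unicode.IsDigit(r) {
			c |= 2
		} else {
			c |= 4
		}
	}
	return c
}

// Gate inspects every value in q. In learning mode it widens the profile of
// the value's key; otherwise it returns the key=value pairs outside the spec.
func Gate(spec map[string]Profile, q url.Values, learn bool) (alerts []string) {
	for k, vs := range q {
		for _, v := range vs {
			p, c := spec[k], classes(v) // an unknown key yields the zero Profile
			if learn {
				if len(v) > p.MaxLen {
					p.MaxLen = len(v)
				}
				spec[k] = Profile{p.MaxLen, p.Classes | c}
			} else if len(v) > p.MaxLen || c&^p.Classes != 0 {
				alerts = append(alerts, k+"="+v)
			}
		}
	}
	return alerts
}

func main() {
	spec := map[string]Profile{}
	Gate(spec, url.Values{"id": {"1042", "77"}, "name": {"alice"}}, true) // constructed traffic
	fmt.Println(Gate(spec, url.Values{"id": {"1 OR 1=1"}, "name": {"bob"}}, false))
}
```

Because the profile is learned per key and per service, a value that is harmless for one parameter (letters in name) is reported for another (letters in id).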

Directories

Path Synopsis
cmd
pkg
apis/wsecurity/v1
Package v1 is the v1 version of the API.
generated/clientset/guardians
This package has the automatically generated clientset.
generated/clientset/guardians/fake
This package has the automatically generated fake clientset.
generated/clientset/guardians/scheme
This package contains the scheme of the automatically generated clientset.
generated/clientset/guardians/typed/wsecurity/v1
This package has the automatically generated typed clients.
generated/clientset/guardians/typed/wsecurity/v1/fake
Package fake has the automatically generated clients.
examples/create-update-delete-deployment
Note: the example only works with the code within the same release/branch.
examples/dynamic-create-update-delete-deployment
Note: the example only works with the code within the same release/branch.
examples/fake-client
Package fakeclient contains examples on how to use fakeclient in tests.
examples/in-cluster-client-configuration
Note: the example only works with the code within the same release/branch.
examples/out-of-cluster-client-configuration
Note: the example only works with the code within the same release/branch.
