security-policy-operator

command module

v0.0.0-...-e2f1ce5 Latest Latest Go to latest Published: Jan 30, 2020 License: Apache-2.0 Imports: 9 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/h-r-k-matsumoto/security-policy-operator

Links

Open Source Insights

README ¶

Security Policy Operator

IMPORTANT: Currently,Config Connector is available. You shoud use to it.

The Goal is to opearation Google Cloud Armor Security Policies as a resource of Kubernetes.
Manage SecurityPolicy without using gcloud command.

In the case of the example below, Security Policy Operator realizes management only with yaml.
https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-armor-backendconfig

It has the following configuration.

This is implementation of Kubernetes Custom Resrouce Definitions.
Remember that GKE has Servive Broker.
Development using Kubebuilder.

How to use

Requirements

This is a requirements to operate Security Policy Operator.

Google Kubernetes Engine only.
it works with the service account granted the securityadmin role.
1. Click CREATE SERVICE ACCOUNT button on the Service Account view.
2. Specify a Service Account Name.
3. Select Role "Compute Engine → Compute Security Admin".
4. Download the json private key file.

Install

Create a namespace to install Security Policy Operator.

$ kubectl apply -f https://raw.githubusercontent.com/h-r-k-matsumoto/security-policy-operator/master/dist/prepared.yaml
namespace/security-policy-operator-system created
$

Create a secret from json file.

$ kubectl create secret generic security-policy-operator-key -n security-policy-operator-system --from-file=key.json=PATH-TO-KEY-FILE.json
secret/security-policy-operator-key created
$

Install Security Policy Operator.

$ kubectl apply -f https://raw.githubusercontent.com/h-r-k-matsumoto/security-policy-operator/master/dist/install.yaml
customresourcedefinition.apiextensions.k8s.io/securitypolicies.cloudarmor.matsumo.dev created
deployment.extensions/security-policy-operator-controller-manager created
service/security-policy-operator-controller-manager-metrics-service created
rolebinding.rbac.authorization.k8s.io/security-policy-operator-leader-election-rolebinding created
clusterrole.rbac.authorization.k8s.io/security-policy-operator-manager-role created
clusterrolebinding.rbac.authorization.k8s.io/security-policy-operator-manager-rolebinding created
clusterrole.rbac.authorization.k8s.io/security-policy-operator-proxy-role created
clusterrolebinding.rbac.authorization.k8s.io/security-policy-operator-proxy-rolebinding created
$

Easy to use

Create sample Security Policy.

$ kubectl apply -f https://raw.githubusercontent.com/h-r-k-matsumoto/security-policy-operator/master/config/samples/cloudarmor_v1beta1_securitypolicy.yaml
securitypolicy.cloudarmor.matsumo.dev "securitypolicy-sample" configured
$

Delete sample Security Policy.

$ kubectl delete -f https://raw.githubusercontent.com/h-r-k-matsumoto/security-policy-operator/master/config/samples/cloudarmor_v1beta1_securitypolicy.yaml
securitypolicy.cloudarmor.matsumo.dev "securitypolicy-sample" deleted
$

Usecase

Blacklist management with Kubernetes Custom Resource

$ kubectl apply -f https://raw.githubusercontent.com/h-r-k-matsumoto/security-policy-operator/master/config/samples/cloudarmor-full-package.yaml
namespace/cloud-armor-how-to created
securitypolicy.cloudarmor.matsumo.dev/securitypolicy-sample created
deployment.apps/my-deployment created
backendconfig.cloud.google.com/my-backend-config created
service/my-service created
ingress.extensions/my-ingress created
$

$ kubectl get ingress -n cloud-armor-how-to
NAME         HOSTS   ADDRESS                PORTS   AGE
my-ingress   *       {INGRESS_IP_ADDRESS}   80      92s
$

$ curl http://${INGRESS_IP_ADDRESS}
Hello, world!
Version: 1.0.0
Hostname: my-deployment-8445f8f8b6-rdtjg
$

$ gcloud beta compute security-policies describe ca-how-to-security-policy
---
description: policy for Google Cloud Armor how-to topic
kind: compute#securityPolicy
labelFingerprint: 42WmSpB8rSM=
name: ca-how-to-security-policy
rules:
- action: deny(404)
  description: Deny traffic from 192.0.2.0/24.
  kind: compute#securityPolicyRule
  match:
    config:
      srcIpRanges:
      - 192.0.2.0/24
    versionedExpr: SRC_IPS_V1
  preview: false
  priority: 1000
- action: allow
  description: This is default action
  kind: compute#securityPolicyRule
  match:
    config:
      srcIpRanges:
      - '*'
    versionedExpr: SRC_IPS_V1
  preview: false
  priority: 2147483647
$

$ kubectl describe  securitypolicy -n cloud-armor-how-to securitypolicy-sample
Name:         securitypolicy-sample
Namespace:    cloud-armor-how-to
Labels:       <none>
API Version:  cloudarmor.matsumo.dev/v1beta1
Kind:         SecurityPolicy
Metadata:
 ...
Spec:
  Default Action:  allow
  Description:     policy for Google Cloud Armor how-to topic
  Name:            ca-how-to-security-policy
  Rules:
    Action:       deny(404)
    Description:  Deny traffic from 192.0.2.0/24.
    Priority:     1000
    Src Ip Ranges:
      192.0.2.0/24
Status:
Events:  <none>
$

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
api
v1beta1 Package v1beta1 contains API Schema definitions for the cloudarmor v1beta1 API group +kubebuilder:object:generate=true +groupName=cloudarmor.matsumo.dev	Package v1beta1 contains API Schema definitions for the cloudarmor v1beta1 API group +kubebuilder:object:generate=true +groupName=cloudarmor.matsumo.dev
controllers

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL