rulebindingmanager

package
v0.2.219 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 12, 2025 License: Apache-2.0 Imports: 5 Imported by: 2

README

runtime rule alert binding

In order to determine which rules should be applied to which workloads, we need to bind the rules to the workloads. This is done by creating a RuntimeRuleAlertBinding object that binds a Rule to certain pods. This is a CRD needed to be created by the user. The RuntimeRuleAlertBinding object is inspired by K8s native policies and bindings, such as NetworkPolicy and ValidatingAdmissionPolicyBinding objects and so it contains the following fields:

  • namespaceSelector - a selector that selects the namespaces that the rule should be applied to. If not specified, the rule will be applied to all namespaces.
  • podSelector - a selector that selects the pods that the rule should be applied to. If not specified, the rule will be applied to all pods.
  • rules - a list of rules that should be applied to the selected pods.

Each rule in the list contains the following fields:

  • ruleName (mandatory) - the name of the rule to be applied.
  • severity -(optional) the severity of the alert that will be generated if the rule is violated. Each rule has a default severity, but it can be overridden by the user.
  • parameters - (optional) a list of parameters that can be passed to the rule. Each rule has a default set of parameters, but it can be overridden by the user.

Example

The first step is to apply the RuntimeRuleAlertBinding CRD to the cluster:

kubectl apply -f chart/kubecop/crds/runtime-rule-binding.crd.yaml

The second step is to create the RuntimeRuleAlertBinding object:

apiVersion: kubescape.io/v1
kind: RuntimeRuleAlertBinding
metadata:
  name: single-rule-for-app-nginx-default-ns
spec:
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: default
  podSelector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - nginx
  rules:
    - ruleName: "Unexpected process launched"

In the above example, we bind the rule Unexpected process launched to the pods in the namespace default. The rule will be applied to all the pods that are labeled with app: nginx in the namespace default.

how does it work?

Once the user applies a change to a RuntimeRuleAlertBinding object or any container in the cluster is created/updated/deleted, the KubeCop will be notified and will update the rules that are applied to each pod. The KubeCop will then apply the rules to the pods and will generate alerts if needed.

So there are 2 flows that can trigger the KubeCop to apply the rules to the pods:

  1. The user applies a change to a RuntimeRuleAlertBinding object. Those changes are handled by the RuleBindingK8sStore.
  2. A container in the cluster is created/updated/deleted. Those changes usually handled by the Engine.

In the 1st flow, the RuleBindingK8sStore will notify the subscribers (callback functions) about the change. Then the subsciber will get list of pods it needs to apply the rules to. For each pod, the subscriber will call GetRulesForPod to ask the RuleBindingK8sStore for the rules that should be applied to the pod.

In the 2nd flow, the watcher of the container, usually the Engine, will call GetRulesForPod to ask the RuleBindingK8sStore for the rules that should be applied to the pod.

Then the caller of the GetRulesForPod will handle the rules for the pod.

If more than one RuntimeRuleAlertBinding object is applied to the pod, the rules will be aggregated together.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Actions

type Actions int
const (
	Added   Actions = 0
	Removed Actions = 1
)

type RuleBindingCache

type RuleBindingCache interface {
	ListRulesForPod(namespace, name string) []ruleengine.RuleEvaluator
	AddNotifier(*chan RuleBindingNotify)
	GetRuleCreator() ruleengine.RuleCreator
}

type RuleBindingCacheMock

type RuleBindingCacheMock struct {
}

func (*RuleBindingCacheMock) AddNotifier

func (r *RuleBindingCacheMock) AddNotifier(_ *chan RuleBindingNotify)

func (*RuleBindingCacheMock) GetRuleCreator added in v0.2.178

func (r *RuleBindingCacheMock) GetRuleCreator() ruleengine.RuleCreator

func (*RuleBindingCacheMock) ListRulesForPod

func (r *RuleBindingCacheMock) ListRulesForPod(_, _ string) []ruleengine.RuleEvaluator

type RuleBindingNotify

type RuleBindingNotify struct {
	Pod    corev1.Pod
	Action Actions
}

func NewRuleBindingNotifierImpl

func NewRuleBindingNotifierImpl(action Actions, pod corev1.Pod) RuleBindingNotify

func RuleBindingNotifierImplWithK8s

func RuleBindingNotifierImplWithK8s(k8sClient k8sclient.K8sClientInterface, action Actions, namespace, name string) (RuleBindingNotify, error)

func (*RuleBindingNotify) GetAction

func (r *RuleBindingNotify) GetAction() Actions

func (*RuleBindingNotify) GetPod

func (r *RuleBindingNotify) GetPod() *corev1.Pod

Directories

Path Synopsis
v1

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL