Rule alert beta version (#427)

* node agent exporters config Signed-off-by: Amir Malka <[email protected]> * updated maintainers and home URL Signed-off-by: Amir Malka <[email protected]> * adding alertCRD chart Signed-off-by: David Wertenteil <[email protected]> * fixed URL Signed-off-by: David Wertenteil <[email protected]> * check crd scope mutual exclusive Signed-off-by: David Wertenteil <[email protected]> * using test image Signed-off-by: David Wertenteil <[email protected]> * use ks namespace Signed-off-by: David Wertenteil <[email protected]> * update image Signed-off-by: David Wertenteil <[email protected]> * fixed relevantCVEServiceEnabled Signed-off-by: David Wertenteil <[email protected]> * update node-agent image Signed-off-by: David Wertenteil <[email protected]> * update node-agent Signed-off-by: David Wertenteil <[email protected]> * update image Signed-off-by: David Wertenteil <[email protected]> * adding test basic_incident_presented Signed-off-by: David Wertenteil <[email protected]> * update image Signed-off-by: David Wertenteil <[email protected]> * update version Signed-off-by: Amir Malka <[email protected]> * fix Signed-off-by: Amir Malka <[email protected]> --------- Signed-off-by: Amir Malka <[email protected]> Signed-off-by: David Wertenteil <[email protected]> Co-authored-by: Amir Malka <[email protected]>
kubescape · Apr 17, 2024 · 2bf21be · 2bf21be
1 parent 7e8acca
commit 2bf21be
Show file tree

Hide file tree

Showing 14 changed files with 331 additions and 82 deletions.
diff --git a/.github/workflows/02-e2e-test.yaml b/.github/workflows/02-e2e-test.yaml
@@ -83,7 +83,8 @@ jobs:
               synchronizer_reconciliation,
               synchronizer_proxy,
               # synchronizer_kubescape_crds, 
-              synchronizer_race_condition 
+              synchronizer_race_condition,
+              basic_incident_presented
             ]
 
     runs-on: ubuntu-latest

diff --git a/charts/kubescape-operator/Chart.yaml b/charts/kubescape-operator/Chart.yaml
@@ -9,14 +9,14 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 1.18.10
+version: 1.18.11
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 
-appVersion: 1.18.10
+appVersion: 1.18.11
 
 maintainers:
 - name: Ben Hirschberg
@@ -31,5 +31,18 @@ maintainers:
 - name: Matthias Bertschy
   email: [email protected]
   url: https://www.linkedin.com/in/matthias-bertschy-b427b815/
+- name: Amir Malka
+  email: [email protected]
+  url: https://www.linkedin.com/in/amirmalka
 
-home: https://www.armosec.io/
+home: https://kubescape.io/
+
+dependencies:
+  - name: kubescape-alert-crd
+    version: 0.0.1
+    repository: "file://./charts/clustered-crds"
+    condition: alertCRD.scopeClustered
+  - name: kubescape-alert-crd-ns
+    version: 0.0.1
+    repository: "file://./charts/namespaced-crds"
+    condition: alertCRD.scopeNamespaced
diff --git a/charts/kubescape-operator/charts/clustered-crds/Chart.yaml b/charts/kubescape-operator/charts/clustered-crds/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: kubescape-alert-crd
+description: A Helm chart CRDs required by Kubescape Runtime Security detection
+
+type: application
+
+version: 0.0.1
+
+appVersion: "0.0.1"
diff --git a/...erator/crds/runtime-rule-binding.crd.yaml → ...d-crds/crds/runtime-rule-binding.crd.yaml b/...erator/crds/runtime-rule-binding.crd.yaml → ...d-crds/crds/runtime-rule-binding.crd.yaml
diff --git a/charts/kubescape-operator/charts/clustered-crds/values.yaml b/charts/kubescape-operator/charts/clustered-crds/values.yaml
diff --git a/charts/kubescape-operator/charts/namespaced-crds/Chart.yaml b/charts/kubescape-operator/charts/namespaced-crds/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: kubescape-alert-crd-ns
+description: A Helm chart CRDs required by Kubescape Runtime Security detection
+
+type: application
+
+version: 0.0.1
+
+appVersion: "0.0.1"
diff --git a/charts/kubescape-operator/charts/namespaced-crds/crds/runtime-rule-binding.crd.yaml b/charts/kubescape-operator/charts/namespaced-crds/crds/runtime-rule-binding.crd.yaml
@@ -0,0 +1,167 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: runtimerulealertbindings.kubescape.io
+spec:
+  group: kubescape.io
+  names:
+    kind: RuntimeRuleAlertBinding
+    plural: runtimerulealertbindings
+    shortNames:
+    - rab
+    singular: runtimerulealertbinding
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              namespaceSelector:
+                properties:
+                  matchExpressions:
+                    items:
+                      properties:
+                        key:
+                          type: string
+                        operator:
+                          type: string
+                        values:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    type: object
+                type: object
+              podSelector:
+                properties:
+                  matchExpressions:
+                    items:
+                      properties:
+                        key:
+                          type: string
+                        operator:
+                          type: string
+                        values:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    type: object
+                type: object
+              rules:
+                items:
+                  oneOf:
+                  - not:
+                      anyOf:
+                      - required:
+                        - ruleID
+                      - required:
+                        - ruleName
+                    required:
+                    - ruleTags
+                  - not:
+                      anyOf:
+                      - required:
+                        - ruleTags
+                      - required:
+                        - ruleName
+                    required:
+                    - ruleID
+                  - not:
+                      anyOf:
+                      - required:
+                        - ruleTags
+                      - required:
+                        - ruleID
+                    required:
+                    - ruleName
+                  properties:
+                    parameters:
+                      additionalProperties: true
+                      type: object
+                    ruleID:
+                      enum:
+                      - R0001
+                      - R0002
+                      - R0003
+                      - R0004
+                      - R0005
+                      - R0006
+                      - R0007
+                      - R1000
+                      - R1001
+                      - R1002
+                      - R1003
+                      - R1004
+                      - R1005
+                      - R1006
+                      - R1007
+                      - R1008
+                      - R1009
+                      type: string
+                    ruleName:
+                      enum:
+                      - Unexpected process launched
+                      - Unexpected file access
+                      - Unexpected system call
+                      - Unexpected capability used
+                      - Unexpected domain request
+                      - Unexpected Service Account Token Access
+                      - Kubernetes Client Executed
+                      - Exec from malicious source
+                      - Exec Binary Not In Base Image
+                      - Kernel Module Load
+                      - Malicious SSH Connection
+                      - Exec from mount
+                      - Fileless Execution
+                      - Unshare System Call usage
+                      - XMR Crypto Mining Detection
+                      - Crypto Mining Domain Communication
+                      - Crypto Mining Related Port Communication
+                      type: string
+                    ruleTags:
+                      items:
+                        enum:
+                        - base image
+                        - binary
+                        - capabilities
+                        - connection
+                        - crypto
+                        - dns
+                        - escape
+                        - exec
+                        - kernel
+                        - load
+                        - malicious
+                        - miners
+                        - module
+                        - mount
+                        - network
+                        - open
+                        - port
+                        - signature
+                        - ssh
+                        - syscall
+                        - token
+                        - unshare
+                        - whitelisted
+                        type: string
+                      type: array
+                    severity:
+                      type: string
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
diff --git a/charts/kubescape-operator/charts/namespaced-crds/values.yaml b/charts/kubescape-operator/charts/namespaced-crds/values.yaml
diff --git a/charts/kubescape-operator/templates/_helpers.tpl b/charts/kubescape-operator/templates/_helpers.tpl
@@ -1,3 +1,8 @@
+{{/* validate alertCRD.scopeClustered and alertCRD.scopeNamespaced are mutual exclusive */}}
+{{- if and .Values.alertCRD.scopeClustered .Values.alertCRD.scopeNamespaced }}
+{{- fail "alertCRD.scopeClustered and alertCRD.scopeNamespaced cannot both be true" }}
+{{- end }}
+
 {{- define "checksums" -}}
 capabilitiesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "components-configmap.yaml") . | sha256sum }}
 cloudConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloudapi-configmap.yaml") . | sha256sum }}
@@ -53,7 +58,7 @@ kubevuln:
 kubevulnScheduler:
   enabled: {{ and $configurations.submit (eq .Values.capabilities.vulnerabilityScan "enable") }}
 nodeAgent:
-  enabled: {{ (eq .Values.capabilities.relevancy "enable") }}
+  enabled: {{ or (eq .Values.capabilities.relevancy "enable") (eq .Values.capabilities.runtimeObservability "enable") (eq .Values.capabilities.networkPolicyService "enable") }}
 operator:
   enabled: true
 otelCollector:

diff --git a/charts/kubescape-operator/templates/node-agent/configmap.yaml b/charts/kubescape-operator/templates/node-agent/configmap.yaml
@@ -13,7 +13,7 @@ data:
   config.json: |
     {
         "applicationProfileServiceEnabled": {{ $configurations.runtimeObservability }},
-        "relevantCVEServiceEnabled": true,
+        "relevantCVEServiceEnabled": {{ eq .Values.capabilities.relevancy "enable" }},
         "prometheusExporterEnabled": {{ eq .Values.nodeAgent.config.prometheusExporter "enable" }},
         "runtimeDetectionEnabled": {{ eq .Values.capabilities.runtimeDetection "enable" }},
         "networkServiceEnabled": {{ eq .Values.capabilities.networkPolicyService "enable" }},
@@ -22,7 +22,10 @@ data:
         "updateDataPeriod": "{{ .Values.nodeAgent.config.updatePeriod }}",
         "maxSniffingTimePerContainer": "{{ .Values.nodeAgent.config.maxLearningPeriod }}",
         "exporters": {
-          "httpExporterConfig": {{- .Values.nodeAgent.config.httpExporterConfig | toJson }}
+          "httpExporterConfig": {{- .Values.nodeAgent.config.httpExporterConfig | toJson }},
+          "alertManagerExporterUrls": {{- .Values.nodeAgent.config.alertManagerExporterUrls | toJson }},
+          "stdoutExporter": {{- .Values.nodeAgent.config.stdoutExporter }},
+          "syslogExporterURL": "{{- .Values.nodeAgent.config.syslogExporterURL }}"
         }
     }
 ---

diff --git a/charts/kubescape-operator/templates/node-agent/default-rule-binding-namespaced.yaml b/charts/kubescape-operator/templates/node-agent/default-rule-binding-namespaced.yaml
@@ -0,0 +1,29 @@
+{{- if and .Values.alertCRD.installDefault .Values.alertCRD.scopeNamespaced }}
+apiVersion: kubescape.io/v1
+kind: RuntimeRuleAlertBinding
+metadata:
+  name: all-rules-default-namespace
+  namespace: {{ .Values.ksNamespace }}
+spec:
+  rules:
+    - ruleName: "Unexpected process launched"
+    - ruleName: "Unexpected file access"
+      parameters:
+        ignoreMounts: true
+        ignorePrefixes: ["/proc", "/run/secrets/kubernetes.io/serviceaccount", "/var/run/secrets/kubernetes.io/serviceaccount", "/tmp"]
+    - ruleName: "Unexpected system call"
+    - ruleName: "Unexpected capability used"
+    - ruleName: "Unexpected domain request"
+    - ruleName: "Unexpected Service Account Token Access"
+    - ruleName: "Kubernetes Client Executed"
+    - ruleName: "Exec from malicious source"
+    - ruleName: "Kernel Module Load"
+    - ruleName: "Exec Binary Not In Base Image"
+    - ruleName: "Malicious SSH Connection"
+    - ruleName: "Fileless Execution"
+    - ruleName: "XMR Crypto Mining Detection"
+    - ruleName: "Exec from mount"
+    - ruleName: "Crypto Mining Related Port Communication"
+    - ruleName: "Crypto Mining Domain Communication"
+{{- end }}
+
diff --git a/charts/kubescape-operator/templates/node-agent/default-rule-binding.yaml b/charts/kubescape-operator/templates/node-agent/default-rule-binding.yaml
@@ -1,11 +1,10 @@
-# {{- if .Values.installDefaultAlertRuleBinding }}
+{{- if and .Values.alertCRD.installDefault .Values.alertCRD.scopeClustered }}
 apiVersion: kubescape.io/v1
 kind: RuntimeRuleAlertBinding
 metadata:
   name: all-rules-all-pods
 spec:
   namespaceSelector:
-  # exclude K8s system namespaces
     matchExpressions:
       - key: "kubernetes.io/metadata.name"
         operator: "NotIn"
@@ -14,12 +13,8 @@ spec:
         - "kube-public"
         - "kube-node-lease"
         - "kubeconfig"
-  # podSelector:
-  #   matchExpressions:
-  #     - key: "app.kubernetes.io/name"
-  #       operator: "NotIn"
-  #       values:
-  #       - {{ include "..name" . }}
+        - "gmp-system"
+        - "gmp-public"
   rules:
     - ruleName: "Unexpected process launched"
     - ruleName: "Unexpected file access"
@@ -40,5 +35,4 @@ spec:
     - ruleName: "Exec from mount"
     - ruleName: "Crypto Mining Related Port Communication"
     - ruleName: "Crypto Mining Domain Communication"
-
-# {{- end }}
+{{- end }}