
wip: introduce RuntimeSecurityPolicy #2523

Draft
wants to merge 18 commits into main

Commits on Jun 6, 2024

  1. pkg/k8s: add RuntimeSecurityPolicy type

    RuntimeSecurityPolicy are meant to be accessible and user-friendly
    policies to configure Tetragon. Those policies are then translated to
    lower-level TracingPolicy.
    
    This is the cluster-wide resource, a namespaced one will follow.
    
    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    6c2540b
  2. autochore: make crds for RuntimeSecurityPolicy

    Generate the k8s files for the newly added RuntimeSecurityPolicy CRD.
    
    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    e1b89bc
  3. pkg/k8s: add secondary RuntimeSecurityPolicy types

    This adds the Runtime Security Policy to the CRD list (to be used by the
    operator) as well as the RuntimeSecurity and RuntimeSecurityPolicyList
    to the known types.
    
    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    9822245
  4. helm: allow API access to RuntimeSecurityPolicy

    Allow API access to RuntimeSecurityPolicy, both for the agent and the
    operator.
    
    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    49b60a3
  5. pkg/option: add EnableRuntimeSecurityPolicyCRD flag

    This flag allows disabling the RuntimeSecurityPolicyCRD (since it's
    enabled by default) to make it possible to run Tetragon in a k8s context
    without the CRD.
    
    Note: now that we have multiple CRDs like that, we may want to group all
    of that behind the same "EnableCRDs" flag.
    
    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    4e7ea99
  6. tetragon: wait for RuntimeSecurityPolicy CRD

    Add the RuntimeSecurityPolicy CRD to the list that the agent waits to
    find when it starts.
    
    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    1f787af
  7. pkg/runtimesecuritypolicy: policy translation

    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    4e8eba4
  8. pkg/runtimesecuritypolicy: add tests for ToTracingPolicy

    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    d290598
  9. runtimesecuritypolicy: add validator and apply defaults

    Also add common helpers like FromYAML().
    
    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    3c4122f
  10. pkg/runtimesecuritypolicy: add validation tests

    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    4215d80
  11. pkg/runtimesecuritypolicy: add a semantic validator

    This validator is used after the CRD validation step is already done
    for more in-depth validation.
    
    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    ef8d47b
  12. api: add RuntimeSecurityEvent

    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    7a4ef4c
  13. autochore: make codegen

    Run `make codegen` to generate code for the new API.
    
    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    92e0c2f
  14. pkg/grpc: handle and translate RuntimeSecurityEvent

    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    babfc0a
  15. DONOTMERGE runtimesecuritypolicy: add watcher

    TODO: finish this commit, need to write the update part.
    
    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    93eb3e1
  16. tetra: add runtimesecuritypolicy converter

    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    e586d2c
  17. pkg/k8s: add omitempty to TracingPolicy fields

    Optional fields should use omitempty as a JSON tag so that when we
    generate a policy, it's not required to put the zero value.
    
    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    29dbd92
  18. cmd/tetragon: add a RuntimeSecurityPolicy via flag

    Also add common helpers like FromFile().
    
    Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
    mtardy committed Jun 6, 2024
    eb9b550