wip: introduce RuntimeSecurityPolicy #2523
base: main
Commits on Jun 6, 2024
-
pkg/k8s: add RuntimeSecurityPolicy type
RuntimeSecurityPolicy are meant to be accessible and user-friendly policies to configure Tetragon. Those policies are then translated to lower level TracingPolicy. This is the cluster-wide resource, a namespaced one will follow. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit 6c2540b
-
autochore: make crds for RuntimeSecurityPolicy
Generate the k8s files for the newly added RuntimeSecurityPolicy CRD. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit e1b89bc
-
pkg/k8s: add secondary RuntimeSecurityPolicy types
This adds the Runtime Security Policy to the CRD list (to be used by the operator) as well as the RuntimeSecurity and RuntimeSecurityPolicyList to the known types. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit 9822245
-
helm: allow API access to RuntimeSecurityPolicy
Allow API access to RuntimeSecurityPolicy, both for the agent and the operator. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit 49b60a3
-
pkg/option: add EnableRuntimeSecurityPolicyCRD flag
This flag allows disabling the RuntimeSecurityPolicyCRD (since it's enabled by default) to make it possible to run Tetragon in k8s context without the CRD. Note: now that we have multiple CRDs like that, we may want to group all of that behind the same "EnableCRDs" flags. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit 4e7ea99
-
tetragon: wait for RuntimeSecurityPolicy CRD
Add the RuntimeSecurityPolicy CRD to the list that the agent waits to find when it starts. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit 1f787af
-
pkg/runtimesecuritypolicy: policy translation
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit 4e8eba4
-
pkg/runtimesecuritypolicy: add tests for ToTracingPolicy
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit d290598
-
runtimesecuritypolicy: add validator and apply defaults
Also add common helpers like FromYAML(). Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit 3c4122f
-
pkg/runtimesecuritypolicy: add validation tests
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit 4215d80
-
pkg/runtimesecuritypolicy: add a semantic validator
This validator is used after the CRD validation step is already done for more in-depth validation. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit ef8d47b
-
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit 7a4ef4c
-
Run `make codegen` to generate code for the new API. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit 92e0c2f
-
pkg/grpc: handle and translate RuntimeSecurityEvent
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit babfc0a
-
DONOTMERGE runtimesecuritypolicy: add watcher
TODO, finish this commit, need to write update part. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit 93eb3e1
-
tetra: add runtimesecuritypolicy converter
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit e586d2c
-
pkg/k8s: add omitempty to TracingPolicy fields
Optional fields should use omitempty as a JSON tag so that when we generate a policy, it's not required to put the zero value. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit 29dbd92
-
cmd/tetragon: add a RuntimeSecurityPolicy via flag
Also add common helpers like FromFile(). Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Commit eb9b550