feat(openprotection): publish active-rule open-protection union as ConfigMap#385
Open
matthyx wants to merge 3 commits into
Open
feat(openprotection): publish active-rule open-protection union as ConfigMap#385matthyx wants to merge 3 commits into
matthyx wants to merge 3 commits into
Conversation
Modernize the operator's armoapi-go from v0.0.673 to v0.0.719 to pick up the rule open-protection types (armotypes.OpenMatchers / UnionOpenProtection, ProfileDataRequired schema). This unblocks a follow-up watcher that resolves RuntimeRuleAlertBinding selectors against the rule library and publishes the union of profileDataRequired.opens for the storage apiserver. The bump is additive: node-agent (v0.3.38) and storage (v0.0.239) compile unchanged against the newer armoapi, so no coordinated bump is required here. go build, go vet, and the watcher test suite all pass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
…rotection
Add github.com/armosec/rulelibrary (open-protection union helper) and let MVS
pull its direct requirements forward:
- node-agent v0.3.38 -> v0.3.98-...
- storage v0.0.239 -> v0.0.268
The only API drift is a constant rename in k8s-interface's instanceidhandler
helpers (same label strings): {Kind,Name,Namespace}MetadataKey ->
Related{Kind,Name,Namespace}MetadataKey. Updated containerprofilewatcher and its
test accordingly.
This is the dependency groundwork for the open-protection watcher (next commit),
which resolves RuntimeRuleAlertBinding selectors against the rule library and
publishes the union of profileDataRequired.opens as a ConfigMap.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
…nfigMap
Add a watcher that keeps the storage apiserver's collapse-protection in sync
with the cluster's active runtime rules (design B: active-CRD union).
The operator watches RuntimeRuleAlertBinding, resolves the rules each binding
activates (by id/name/tags) against the versioned rule library
(armosec/rulelibrary), computes the union of those rules'
profileDataRequired.opens (armotypes.OpenMatchers), and publishes it as a single
ConfigMap (key "openProtection"). The storage apiserver polls that ConfigMap and
pins the matched sensitive prefixes to literal during profile collapse so
anomaly rules such as R0010 ("unexpected /etc/shadow access") keep working. This
is the producer side of "operator writes one object, storage refreshes
periodically"; the reader lives in kubescape/storage.
Design notes:
- Independent of the admission controller: runs its own dynamic watcher so
protection works regardless of admission config. Gated by the new
openProtectionConfigMapName config (empty = disabled).
- Reconciles are debounced (coalesce the initial LIST burst) and idempotent
(canonical, sorted/de-duplicated JSON; skip the write when unchanged, both in
the watcher and the publisher).
- No bindings -> empty union (no over-pinning). Deleting the last binding that
pinned a prefix drops it on the next reconcile.
Resolving selectors in the library (not node-agent's rule engine) keeps the set
scoped to actually-active rules. Unit tests cover selector extraction, the
union end-to-end against the embedded library (R0010 -> /etc/shadow),
idempotence, empty/delete transitions, and the ConfigMap publisher
(create/update/skip-unchanged) via a fake clientset.
NOTE: depends on rulelibrary pkg/rules (PR #93), pinned here to its branch
commit. Landing requires #93 merged and rulelibrary tagged with a release that
contains pkg/rules; until then `go mod tidy` will try to resolve rulelibrary to
the older release tag that lacks the package.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
matthyx
force-pushed
the
feat/bump-armoapi-rule-openprotection
branch
from
e953a9e to
c5fb1fb
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds an open-protection watcher — the in-cluster producer side of rule-aware collapse protection (design B: active-CRD union). Stacked on #384.
The operator watches
RuntimeRuleAlertBinding, resolves the rules each binding activates (by id/name/tags) against the versioned rule library (armosec/rulelibrary), computes the union of those rules'profileDataRequired.opens(armotypes.OpenMatchers), and publishes it as a single ConfigMap (keyopenProtection). The storage apiserver polls that ConfigMap and pins the matched sensitive prefixes to literal during profile collapse, so anomaly rules such as R0010 ("unexpected/etc/shadowaccess") keep working through profile generalisation.Reader side (consumer): kubescape/storage PR #335.
Design
openProtectionConfigMapNameconfig (empty = disabled).resourceVersionchurn).Commits
chore(deps): pull in rulelibrary + bump node-agent/storage— MVS pulls node-agent v0.3.38→v0.3.98 and storage v0.0.239→v0.0.268 (rulelibrary's direct requires). Only API drift: a constant rename in k8s-interface'sinstanceidhandlerhelpers ({Kind,Name,Namespace}MetadataKey→Related{…}MetadataKey, same label strings).feat(openprotection): publish active-rule open-protection union as ConfigMap— theopenprotectionpackage + main wiring + config gate.Verification
go build ./...— cleango vet ./...— cleango test ./openprotection/... ./config/... ./watcher/...— pass (selector extraction; union end-to-end against the embedded library R0010 →/etc/shadow; idempotence; empty/delete transitions; ConfigMap publisher create/update/skip-unchanged via fake clientset)Depends on rulelibrary
pkg/rules(armosec/rulelibrary#93), pinned here to its branch commitc246d47. Merge blocker: #93 must be merged and rulelibrary tagged with a release that containspkg/rules, then this PR repins to that tag. Until thengo mod tidyresolves rulelibrary to the older release tag (v0.0.71) that lacks the package — CI tidy will fail. Also merge #384 first (this is stacked on it).🤖 Generated with Claude Code