armosec / kubecop Goto Github PK

Runtime detection and response for malicious events in Kubernetes workloads

License: Apache License 2.0

Dockerfile 0.31% Makefile 0.37% Go 81.20% Shell 3.91% Python 13.12% Smarty 1.08%

kubecop's People

Contributors

amitschendel, bezbran, dependabot[bot], slashben

kubecop's Issues

Update docs

We are now able to use rule ID/rule tags in binding.

Develop performance tests

  1. Create a cluster with a single node
  2. Deploy prometheus with node exporter
  3. Deploy kubecop
  4. Run Nginx web application and create high load - then capture kubecop load
  5. Run Elasticsearch and create high load - then capture kubecop load

Add usable properties to the event and failed rule structs

Background

As a SecOps engineer, when I see an alert, I want to silence it or silence similar alerts by similar labels

  1. Source code location of the rule (commit+file+line).
  2. Application profile identifier (namespace+name)
  3. rule binding identifier (namespace+name)
  4. WL details (namespace + kind + name)
  5. Internal alert properties like:
  • Process full path
  • PID
  • syscall
  • Full path of not white listed object
  • etc.

Details

Source field

Point to the README of the specific rule so that when the user clicks it they will see the description of the rule

Patch proposal

We want to include the fix proposal in the AlertManager message:

  1. Either add lines to application profile
  2. RuleBinding
  3. Silencing the alert

Wrap pprof unable to pull data exception in system test

E1220 09:49:38.038858   89254 portforward.go:409] an error occurred forwarding 6060 -> 6060: error forwarding port 6060 to pod e52a0f5cfdbcc82342666c3d7292e7409646728b10a6497a8c4ca20e93fe3aea, uid : exit status 1: 2023/12/20 07:49:38 socat[57476] E connect(5, AF=2 127.0.0.1:6060, 16): Connection refused
error: lost connection to pod
Exception in thread Thread-2 (record):
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 700, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 446, in _make_request
    six.raise_from(e, None)
  File "<string>", line 3, in raise_from
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 441, in _make_request
    httplib_response = conn.getresponse()
  File "/usr/lib/python3.10/http/client.py", line 1375, in getresponse
    response.begin()
  File "/usr/lib/python3.10/http/client.py", line 318, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python3.10/http/client.py", line 287, in _read_status
    raise RemoteDisconnected("Remote end closed connection without"
http.client.RemoteDisconnected: Remote end closed connection without response

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 756, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 532, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/lib/python3/dist-packages/six.py", line 718, in reraise
    raise value.with_traceback(tb)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 700, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 446, in _make_request
    six.raise_from(e, None)
  File "<string>", line 3, in raise_from
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 441, in _make_request
    httplib_response = conn.getresponse()
  File "/usr/lib/python3.10/http/client.py", line 1375, in getresponse
    response.begin()
  File "/usr/lib/python3.10/http/client.py", line 318, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python3.10/http/client.py", line 287, in _read_status
    raise RemoteDisconnected("Remote end closed connection without"
urllib3.exceptions.ProtocolError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.10/threading.py", line 1016, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.10/threading.py", line 953, in run
    self._target(*self._args, **self._kwargs)
  File "/home/amit/armo/kubecop/system-tests/pprof.py", line 29, in record
    response = requests.get(url)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 544, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 657, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 498, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
Created file 100 times
Created file 600 times
Created file 1100 times
Created file 1600 times
Created file 2100 times
Created file 2600 times
Created file 3100 times
Created file 3600 times
Created file 4100 times
Created file 4600 times
Created file 5100 times
Created file 5600 times
Created file 6100 times
Created file 6600 times
Created file 7100 times
Created file 7600 times
Created file 8100 times
Created file 8600 times
Created file 9100 times
Created file 9600 times
Waiting 300 seconds to GC to run

Implementing basic system test scenario: application install and testing rule enforcement

The goal of this test is to make sure that both rules that need an application profile and those that do not are enforced after a new application install:

  1. Install a new workload
  2. Generate an event that should trigger a rule that does not need application profile, make sure that an alert is fired
  3. Wait for the final application profile to be generated
  4. Generate an event that should trigger an application profile rule, make sure that an alert is fired

Open rule to skip alerting on mounted volumes

The open whitelisting rule should be configurable to skip validation on file open events that happen in a path mounted from a volume.

This is an optional feature (by default on)

UnexpectedService account access rule

Add a rule that alerts when the container accesses the service account token (/run/secrets/kubernetes.io/serviceaccount) when the application profile does not show access to it.
It should be a critical issue.
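As an added example (not kubecop's own code), this is how the two open-event rules requested above, the mounted-volume skip and the service account token rule, could be evaluated together in Go. The token directory is itself a projected volume mount, so the token check is decided before the mounted-volume skip; the type names, rule names, severities and mount list are assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed types standing in for kubecop's event, profile and config
// (assumptions for this example, not the project's own structs).
type OpenEvent struct{ Path string }
type ApplicationProfile struct{ Opens map[string]bool } // paths the profile saw the container open
type Config struct {
	SkipMountedVolumes bool     // the optional feature from the issue, on by default
	MountPaths         []string // volume mount points inside the container
}
type Alert struct{ Rule, Severity, Path string }
const saTokenDir = "/run/secrets/kubernetes.io/serviceaccount"
// underDir reports whether path is dir itself or lies below it (no prefix tricks:
// "/data2/x" is not under "/data").
func underDir(path, dir string) bool {
	rel, err := filepath.Rel(dir, filepath.Clean(path))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}
// Evaluate returns the alerts an open event produces, or nil when none fires.
func Evaluate(cfg Config, prof ApplicationProfile, ev OpenEvent) []Alert {
	if prof.Opens[ev.Path] {
		return nil // the profile already knows this open
	}
	// The token directory is itself a projected volume mount, so this rule runs
	// before the mounted-volume skip; otherwise the skip would silence it.
	if underDir(ev.Path, saTokenDir) {
		return []Alert{{"UnexpectedServiceAccountAccess", "critical", ev.Path}}
	}
	if cfg.SkipMountedVolumes {
		for _, m := range cfg.MountPaths {
			if underDir(ev.Path, m) {
				return nil
			}
		}
	}
	return []Alert{{"UnexpectedFileOpen", "medium", ev.Path}} // rule name and severity assumed
}

func main() {
	cfg := Config{SkipMountedVolumes: true, MountPaths: []string{"/data", saTokenDir}}
	prof := ApplicationProfile{Opens: map[string]bool{"/etc/nginx/nginx.conf": true}}
	fmt.Println(Evaluate(cfg, prof, OpenEvent{Path: saTokenDir + "/token"}))
}
```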

ARM support

Add build support for ARM linux images in the release process
