Would like to see Cilium CRDs recognized by Kubescape/rego. #1397
Comments
Hi @distributethe6ix, thanks for raising the problem. We should definitely start supporting Cilium and Calico network policies as well, since they are widely used.
Great idea. @slashben, @yossi77 we should consider this with the NP generation capability.
Ahh this would be great please.. I just added a bunch of CNPs because of the kubescape report and was dismayed when nothing changed after I added them all lol :D
@dwertent maybe a mentee can work on this?
Definitely sounds like an interesting project :)
@slashben Yossi has generating cilium and calico NP up his sleeve. Maybe we should add the controls support as part of that epic.
Yes, but I am not sure what controls. Do you mean those that check if a
workload has a bound network policy?
On Mon, Feb 12, 2024 at 7:34 AM David Wertenteil wrote:
> @slashben Yossi has generating cilium and calico NP up his sleeve. Maybe we should add the controls support as part of that epic.
Overview
I would like to have the ability to run `kubescape scan control C-0260 -v` and have kubescape recognize the CiliumNetworkPolicy CRD. Here's a sample YAML:
Problem
Kubernetes offers a simple NetworkPolicy CRD but is limited in functionality and doesn't completely provide all the necessary controls and policy capabilities that most CNIs would. This is a base functionality. If a Platform Engineer leverages the Cilium CNI, and uses its native CRDs, Kubescape won't recognize this configuration.
Solution
If Kubescape's rego configuration can honour the CiliumNetworkPolicy CRD, this will allow for C-0260 to pass, with a simple Deny-all policy.
Alternatives
Additional context
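A sketch of the coverage check this request implies, as an added example that is not part of the issue and not Kubescape's own rego. It assumes the control counts a workload as covered when a policy in the same namespace selects its pod labels, reading the selector from `spec.podSelector` (NetworkPolicy) or `spec.endpointSelector` (CiliumNetworkPolicy); the manifests and the names `selector_matches` and `covering_policies` are constructed for illustration.

```python
# Added example: hypothetical helper names, constructed manifests.
# Assumption: "covered" means a same-namespace policy selects the pod labels.
SELECTOR_FIELD = {  # policy kind -> spec field holding the label selector
    "NetworkPolicy": "podSelector",
    "CiliumNetworkPolicy": "endpointSelector",  # the `specs` list form is not handled
}

def selector_matches(selector, labels):
    """Evaluate a Kubernetes label selector; an empty selector matches everything."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True

def covering_policies(workload, policies):
    """Return 'Kind/name' for each policy that selects the workload's pods."""
    namespace = workload["metadata"].get("namespace")
    labels = workload["spec"]["template"]["metadata"].get("labels", {})
    hits = []
    for pol in policies:
        field = SELECTOR_FIELD.get(pol.get("kind"))
        if field is None or pol["metadata"].get("namespace") != namespace:
            continue  # unknown kind, or policy lives in another namespace
        selector = pol.get("spec", {}).get(field)
        if selector is not None and selector_matches(selector, labels):
            hits.append(f'{pol["kind"]}/{pol["metadata"]["name"]}')
    return hits

# Constructed sample data: one workload, one unrelated NetworkPolicy, one Cilium deny-all.
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "api", "namespace": "shop"},
              "spec": {"template": {"metadata": {"labels": {"app": "api"}}}}}
NP_OTHER = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "db-only", "namespace": "shop"},
            "spec": {"podSelector": {"matchLabels": {"app": "db"}}, "policyTypes": ["Ingress"]}}
CNP_DENY_ALL = {"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
                "metadata": {"name": "deny-all", "namespace": "shop"},
                "spec": {"endpointSelector": {}, "ingress": [{}], "egress": [{}]}}

if __name__ == "__main__":
    print(covering_policies(DEPLOYMENT, [NP_OTHER]))                # native kinds only
    print(covering_policies(DEPLOYMENT, [NP_OTHER, CNP_DENY_ALL]))  # with the CNP
```

With only the native policy in scope the workload has no covering policy; once the CiliumNetworkPolicy kind is read, the deny-all policy selects it.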