Would like to see Cilium CRDs recognized by Kubescape/rego. #1397

Open
distributethe6ix opened this issue Sep 20, 2023 · 7 comments
Labels
feature New feature or request


distributethe6ix commented Sep 20, 2023

Overview

I would like to have the ability to run kubescape scan control C-0260 -v and have kubescape recognize the CiliumNetworkPolicy CRD.

Here's a sample YAML:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  endpointSelector:
    matchLabels: {}
  ingress: []
  egress: []

Problem

Kubernetes offers a simple NetworkPolicy CRD but is limited in functionality and doesn't completely provide all the necessary controls and policy capabilities that most CNIs would. This is a base functionality. If a Platform Engineer leverages the Cilium CNI, and uses its native CRDs, Kubescape won't recognize this configuration.

Solution

If Kubescape's rego configuration can honour the CiliumNetworkPolicy CRD, this will allow for C-0260 to pass, with a simple Deny-all policy.

Alternatives

Additional context

@distributethe6ix distributethe6ix added the feature New feature or request label Sep 20, 2023
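
An added example, not part of the original issue and not Kubescape's rule code: a simplified Python coverage check showing why a scanner that only recognizes `networking.k8s.io/v1` `NetworkPolicy` still reports a pod as uncovered when the `CiliumNetworkPolicy` from the issue selects it. The function names, the sample pod, and the reading of "covered" as "selected by at least one policy in the same namespace" are assumptions made for illustration.

```python
# Added example: simplified coverage check, not Kubescape's rule logic.
# All manifests below are constructed sample data.

# Which spec field carries the pod selector for each policy kind.
SELECTOR_FIELD = {
    ("networking.k8s.io/v1", "NetworkPolicy"): "podSelector",
    ("cilium.io/v2", "CiliumNetworkPolicy"): "endpointSelector",
}

def selects(selector, labels):
    """True if every matchLabels pair is present on the pod.
    An empty selector selects every pod; a missing one selects none.
    matchExpressions and Cilium label-source prefixes are not handled."""
    if selector is None:
        return False
    wanted = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())

def uncovered_pods(pods, policies, recognized):
    """Names of pods not selected by any policy of a recognized kind
    in the same namespace."""
    missing = []
    for pod in pods:
        meta = pod["metadata"]
        ns, labels = meta.get("namespace", "default"), meta.get("labels", {})
        covered = any(
            (pol["apiVersion"], pol["kind"]) in recognized
            and pol["metadata"].get("namespace", "default") == ns
            and selects(
                pol.get("spec", {}).get(SELECTOR_FIELD[(pol["apiVersion"], pol["kind"])]),
                labels,
            )
            for pol in policies
        )
        if not covered:
            missing.append(meta["name"])
    return missing

PODS = [{"metadata": {"name": "web", "namespace": "default", "labels": {"app": "web"}}}]
DENY_ALL = {  # the CiliumNetworkPolicy quoted in the issue
    "apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "deny-all", "namespace": "default"},
    "spec": {"endpointSelector": {"matchLabels": {}}, "ingress": [], "egress": []},
}
K8S_ONLY = {("networking.k8s.io/v1", "NetworkPolicy")}

if __name__ == "__main__":
    print(uncovered_pods(PODS, [DENY_ALL], K8S_ONLY))             # pod still reported
    print(uncovered_pods(PODS, [DENY_ALL], set(SELECTOR_FIELD)))  # pod covered
```
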
@alegrey91
Collaborator

Hi @distributethe6ix, thanks for raising the problem. We should definitely start supporting Cilium and Calico network policies as well, since they are widely used.
WDYT @dwertent, @matthyx?

@dwertent
Contributor

dwertent commented Sep 21, 2023

Great idea.
@YiscahLevySilas1 Can you work on this? Please make sure to add the cilium.io/v2, ciliumnetworkpolicies to the Kubescape RBAC.

@slashben, @yossi77 we should consider this with the NP generation capability.

@gyoza

gyoza commented Jan 9, 2024

Ahh this would be great please.. I just added a bunch of CNPs because of the kubescape report and was dismayed when nothing changed after I added them all lol :D

@slashben
Contributor

@dwertent maybe a mentee can work on this?

@VaibhavMalik4187
Contributor

Definitely sounds like an interesting project :)

@dwertent
Contributor

@slashben Yossi has generating cilium and calico NP up his sleeve. Maybe we should add the controls support as part of that epic.

@slashben
Contributor

slashben commented Feb 12, 2024 via email
