bincyber / vigilant

License: Apache-2.0
a security controller for Kubernetes

vigilant

vigilant is a Kubernetes security controller.

What It Does

vigilant ensures the following for every Namespace in your Kubernetes cluster:

  1. the Namespace has the label name:

$ kubectl get namespaces --show-labels

NAME          STATUS   AGE     LABELS
default       Active   2m42s   name=default
kube-public   Active   2m42s   name=kube-public
kube-system   Active   2m42s   name=kube-system

This facilitates the use of the namespaceSelector in NetworkPolicy objects.

For example, this NetworkPolicy can be applied without having to manually add the label name=web-app to the web-app Namespace:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-app
  namespace: pgsql
spec:
  policyTypes:
  - Ingress
  podSelector:
    matchLabels:
      app: postgres-10
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: web-app

  2. the Namespace has a default NetworkPolicy that denies all ingress and egress traffic:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: example
spec:
  policyTypes:
  - Ingress
  - Egress
  podSelector: {}
  ingress: []
  egress:
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP

This policy will apply to all Pods in the Namespace and only permit outbound DNS traffic.

How It Works

vigilant is a DecoratorController.

It is registered with the metacontroller and watches for the creation of Namespace objects. When a new Namespace is created, the metacontroller sends a POST request to vigilant at its /sync endpoint. vigilant responds with the name label and the NetworkPolicy to add to that Namespace, and the metacontroller applies both.

$ kubectl -n metacontroller logs metacontroller-0 --tail=12

I0124 21:47:31.633272       1 controller.go:423] DecoratorController knsc: sync Namespace /kube-system
I0124 21:47:31.636532       1 controller.go:423] DecoratorController knsc: sync Namespace /default
I0124 21:47:31.638269       1 controller.go:423] DecoratorController knsc: sync Namespace /kube-public
I0124 21:47:31.638274       1 controller.go:508] DecoratorController knsc: updating Namespace /kube-system
I0124 21:47:31.642925       1 controller.go:508] DecoratorController knsc: updating Namespace /default
I0124 21:47:31.644319       1 controller.go:508] DecoratorController knsc: updating Namespace /kube-public
I0124 21:47:31.646605       1 manage_children.go:246] Namespace kube-system: creating NetworkPolicy kube-system/default-deny-all
I0124 21:47:31.646648       1 manage_children.go:246] Namespace default: creating NetworkPolicy default/default-deny-all
I0124 21:47:31.647014       1 manage_children.go:246] Namespace kube-public: creating NetworkPolicy kube-public/default-deny-all
I0124 21:47:31.653321       1 controller.go:423] DecoratorController knsc: sync Namespace /metacontroller
I0124 21:47:31.655149       1 controller.go:508] DecoratorController knsc: updating Namespace /metacontroller
I0124 21:47:31.658274       1 manage_children.go:246] Namespace metacontroller: creating NetworkPolicy metacontroller/default-deny-all
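To make the sync exchange above concrete, here is an added example of such a /sync hook written in Go. It is not vigilant's own code: the request and response field names (object, labels, attachments) are assumed from the metacontroller DecoratorController hook contract, and the policy it returns is the default-deny-all policy from this README.

```go
package main

import (
	"encoding/json"
	"net/http"
)

// SyncRequest is the hook payload (only the fields read here); field names are assumed from the metacontroller DecoratorController contract.
type SyncRequest struct {
	Object struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
	} `json:"object"`
}
// SyncResponse carries the labels to set on the Namespace and the attachments (children) to create in it.
type SyncResponse struct {
	Labels      map[string]string        `json:"labels"`
	Attachments []map[string]interface{} `json:"attachments"`
}
// defaultDenyPolicy builds the README's default-deny-all NetworkPolicy: no ingress, egress only to DNS on 53/tcp and 53/udp.
func defaultDenyPolicy(ns string) map[string]interface{} {
	return map[string]interface{}{
		"apiVersion": "networking.k8s.io/v1",
		"kind":       "NetworkPolicy",
		"metadata":   map[string]interface{}{"name": "default-deny-all", "namespace": ns},
		"spec": map[string]interface{}{
			"policyTypes": []string{"Ingress", "Egress"},
			"podSelector": map[string]interface{}{}, // empty selector: every Pod in the Namespace
			"ingress":     []interface{}{},
			"egress": []map[string]interface{}{{"ports": []map[string]interface{}{{"port": 53, "protocol": "TCP"}, {"port": 53, "protocol": "UDP"}}}},
		},
	}
}
// Sync computes the desired state for one Namespace: its name label plus the policy.
func Sync(req SyncRequest) SyncResponse {
	ns := req.Object.Metadata.Name
	return SyncResponse{Labels: map[string]string{"name": ns}, Attachments: []map[string]interface{}{defaultDenyPolicy(ns)}}
}
// syncHandler serves POST /sync; a non-POST, undecodable body or missing Namespace name gets a 400 instead of an empty label.
func syncHandler(w http.ResponseWriter, r *http.Request) {
	var req SyncRequest
	if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&req) != nil || req.Object.Metadata.Name == "" {
		http.Error(w, "bad sync request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(Sync(req))
}
```

Wiring it up is `http.HandleFunc("/sync", syncHandler)` followed by `http.ListenAndServe` in main; the metacontroller then POSTs every Namespace it syncs to that endpoint.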

Prerequisites

vigilant requires the metacontroller add-on running in your Kubernetes cluster.

Usage

Deploy vigilant:

$ kubectl apply -f https://raw.githubusercontent.com/bincyber/vigilant/master/manifests/deployment.yaml

Register the DecoratorController with the metacontroller:

$ kubectl apply -f https://raw.githubusercontent.com/bincyber/vigilant/master/manifests/decoratorcontroller.yaml

Verify that namespaces have had a name label added to them:

$ kubectl get namespaces --show-labels

Verify that a NetworkPolicy has been added to each namespace:

$ kubectl get networkpolicy --all-namespaces