Merge pull request #81 from IBM/develop

Release 0.0.3
IBM · Sep 28, 2020 · 8f01686 · 8f01686
2 parents d66c099 + bdfb424
commit 8f01686
Show file tree

Hide file tree

Showing 224 changed files with 11,561 additions and 5,455 deletions.
diff --git a/README.md b/README.md
@@ -0,0 +1,62 @@
+# Integrity Enforcer (IE)
+
+Integrity Enforcer is a tool for built-in preventive integrity control for regulated cloud workloads. It includes signature based configuration drift prevention based on [Admission Webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) on Kubernetes cluster.
+
+## Goal
+
+The goal of Integrity Enforcer is to provide assurance of the integrity of Kubernetes resources.  
+
+Resources on a Kubernetes cluster are defined in various form of artifacts such as YAML files, Helm charts, Operator, etc., but those artifacts may be altered maliciously or unintentionally before deploying them to cluster. 
+This could be an integrity issue. For example, some artifact may be modified to inject malicous scripts and configurations inside in stealthy manner, then admininstrator may be in risk of deploying it without knowing the falsification.
+
+Integrity Enforcer (IE) provides signature-based assurance of integrity for Kubernetes resources at cluster side. IE works as an Admission Controller which handles all incoming Kubernetes admission requests, verifies if the requests attached a signature, and blocks any unauthorized requests according to the enforce policy before actually persisting in etcd. IE will helps cluster adminstrator to ensure
+- Allow to deploy authorized application pakcages only
+- Allow to use signed deployment params only
+- Zero-drift in resource configuration unless allowed explicitly
+- Perform all integrity verification on cluster (admission controller, not in client side)
+- Handle variations in application packaging and deployment (Helm /Operator /YAML / OLM Channel) with no modification in app installer
+
+
+![Scenario](./docs/ie-scenario.png)
+
+## Quick Start
+See [Quick Start](./docs/README_QUICK.md)
+
+## Supported Platforms
+
+Integrity Enforcer works as Kubernetes Admission Controller using Mutating Admission Webhook, and it can run on any Kubernetes cluster by design. 
+IE can be deployed with operator. We have verified the feasibility on the following platforms:
+
+- [RedHat OpenShift 4.5](https://www.openshift.com/)
+- [RedHat OpenShift 4.3 on IBM Cloud (ROKS)](https://www.openshift.com/products/openshift-ibm-cloud)
+- [IBM Kuberenetes Service (IKS)](https://www.ibm.com/cloud/container-service/) 1.17.12
+- [Minikube v1.18.2](https://kubernetes.io/docs/setup/learning-environment/minikube/)
+
+
+## How Integrity Enforcer works
+- Resources to be protected in each namespace can be defined in the custom resource called `ResourceProtectionProfile`. For example, the following snippet shows an example definition of protected resources in a namespace. This `ResourceProtectionProfile` resource includes the matching rule for specifiying resources to such as ConfigMap, Depoloyment, and Service in a namespace `secure-ns`, which is protected by IE, so any matched request to create/update those resources are verified with signature.  (see [Define Protected Resources](./docs/README_FOR_RESOURCE_PROTECTION_PROFILE.md))
+
+  ```yaml
+  apiVersion: research.ibm.com/v1alpha1
+  kind: ResourceProtectionProfile
+  metadata:
+    name: sample-rpp
+  spec:
+    rules:
+    - match:
+      - namespace: secure-ns
+        kind: ConfigMap
+      - namespace: secure-ns
+        kind: Deployment
+      - namespace: secure-ns
+        kind: Service
+  ```
+
+- Adminssion request to the protected resources is blocked at Mutating Admission Webhook, and the request is allowed only when the valid signature on the resource in the request is provided.
+- Signer can be defined for each namespace independently. Signer for cluster-scope resources can be also defined. (see [Sign Policy](./docs/README_CONFIG_SIGNER_POLICY.md).)
+- Signature is provided in the form of separate signature resource or annotation attached to the resource. (see [How to Sign Resources](./docs/README_RESOURCE_SIGNATURE.md))
+- Integrity Enforcer admission controller is installed in a dedicated namespace (e.g. `integrity-enforcer-ns` in this document). It can be installed by operator. (see [Integrity Enforcer Custom Resource](./docs/README_IE_OPERATOR_CR.md) for detail install options.)
+
+
+## Quick Start
+See [Quick Start](./docs/README_QUICK.md)
diff --git a/develop/deploy/ie-admin-rbac.yaml b/develop/deploy/ie-admin-rbac.yaml
@@ -0,0 +1,67 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ie-admin-role
+  namespace: integrity-enforcer-ns
+rules:
+  - apiGroups:
+    - ""
+    resources:
+    - integrityenforcers
+    - enforcerconfigs
+    - signpolicies
+    verbs:
+    - create
+    - delete
+    - update
+    - get
+    - list
+    - watch
+    - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ie-admin-cluster-role
+rules:
+  - apiGroups:
+    - ""
+    resources:
+    - resourceprotectionprofiles
+    - resourcesignatures
+    - clusterresourceprotectionprofiles
+    verbs:
+    - create
+    - delete
+    - update
+    - get
+    - list
+    - watch
+    - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+    name: ie-admin-rolebinding
+    namespace: integrity-enforcer-ns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ie-admin-role
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:masters
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: ie-admin-cluster-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ie-admin-cluster-role
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:masters
diff --git a/develop/local-deploy/crds/research.ibm.com_v1alpha1_integrityenforcer_cr_local.yaml b/develop/local-deploy/crds/research.ibm.com_v1alpha1_integrityenforcer_cr_local.yaml
@@ -4,39 +4,55 @@ metadata:
   name: integrity-enforcer-server
 spec:
   affinity: {}
-  enforcePolicy:
-    allowedByRule: []
-    allowedChange: []
-    allowedForInternalRequest: []
-    allowedSigner:
-    - request:
-        namespace: '*'
-      subject:
-        commonName: "ClusterAdmin"
-    - request:
-        namespace: '*'
-      subject:
-        email: "[email protected]"
-    enforce:
-    - namespace: '*'
-    ignoreRequest: []
-    permitIfCreator: []
-    permitIfVerifiedOwner: []
   enforcerConfig:
+    verifyType: pgp # x509
+    plugin:
+    - name: helm
+      enabled: false
+    signPolicy:
+      policies:
+      - namespaces:
+        - "*"
+        signers:
+        - "ClusterSigner"
+        - "HelmClusterSigner"
+      - scope: Cluster
+        signers:
+        - "ClusterSigner"
+        - "HelmClusterSigner"
+      signers:
+      - name: "ClusterSigner"
+        subjects:
+        - commonName: "ClusterAdmin"
+      - name: "HelmClusterSigner"
+        subjects:
+        - email: [email protected]
+    ieResource: "research.ibm.com"
+    ieAdminUserGroup: "system:masters,system:cluster-admins"
+    ignore:
+    - kind: Event
+    - kind: Lease
+    - kind: Endpoints
+    - kind: TokenReview
+    - kind: SubjectAccessReview
+    - kind: SelfSubjectAccessReview
+    patch:
+      enabled: true
     log:
       consoleLog:
         enabled: true
         inScope:
         - namespace: '*'
+        - namespace: '-'
       contextLog:
         enabled: true
         inScope:
         - namespace: '*'
+        - namespace: '-'
       logLevel: trace
-    patch:
-      enabled: true
   enforcerConfigCrName: ie-config
-  globalConfig: {}
+  globalConfig: 
+    detectionMode: false
   imagePullSecrets: []
   certPoolConfig:
     createIfNotExist: false
@@ -56,6 +72,9 @@ spec:
       indexPrefix: ac-log
       port: 9200
       scheme: http
+    http:
+      enabled: false
+      endpoint: http://sample-http-server:8093/api
     esSecretName: es-tls-certs
     image: ie-logging:local
     imagePullPolicy: IfNotPresent
@@ -81,6 +100,11 @@ spec:
       runAsUser: 1000580000
     securityContextConstraintsName:  ie-scc
     serviceAccountName: ie-sa
+    ieAdminSubjects:
+      - apiGroup: rbac.authorization.k8s.io
+        kind: Group
+        name: system:masters
+    autoIEAdminRoleCreationDisabled: false
   selector:
     app: ie-server
   server:
@@ -99,8 +123,18 @@ spec:
         cpu: 200m
         memory: 256Mi
     securityContext: {}
-  signatureNamespace: ie-sign
-  policyNamespace: ie-policy
   webhookConfigName: ie-webhook-config
   webhookServerTlsSecretName: ie-server-tls
   webhookServiceName: ie-server
+  webhookNamespacedResource:
+    apiGroups: ["*"]
+    apiVersions: ["*"]
+    resources: ["*"]
+  webhookClusterResource:
+    apiGroups: ["*"]
+    apiVersions: ["*"]
+    resources: 
+    - podsecuritypolicies
+    - clusterrolebindings
+    - clusterroles
+    - clusterresourceprotectionprofiles
diff --git a/develop/local-deploy/operator_local.yaml b/develop/local-deploy/operator_local.yaml
@@ -16,7 +16,7 @@ spec:
       containers:
         - name: integrity-enforcer-operator
           # Replace this with the built image name
-          image: integrity-enforcer-operator:0.0.1
+          image: integrity-enforcer-operator:0.0.3
           command:
           - integrity-enforcer-operator
           imagePullPolicy: IfNotPresent

diff --git a/develop/scripts/build_images.sh b/develop/scripts/build_images.sh
@@ -36,20 +36,20 @@ if [ -z "$IE_REPO_ROOT" ]; then
 fi
 
 SERVICE_NAME=ie-server
-IMAGE_REMOTE=integrityenforcer/ie-server:0.0.1
+IMAGE_REMOTE=integrityenforcer/ie-server:0.0.3
 IMAGE_LOCAL=ie-server:local
 BASEDIR=./deployment
 DOCKERFILE=./image/Dockerfile
 
 LOGG_BASEDIR=${IE_REPO_ROOT}/logging/
-LOGG_IMAGE_REMOTE=integrityenforcer/ie-logging:0.0.1
+LOGG_IMAGE_REMOTE=integrityenforcer/ie-logging:0.0.3
 LOGG_IMAGE_LOCAL=ie-logging:local
 
 OPERATOR_BASEDIR=${IE_REPO_ROOT}/operator/
 OPERATOR_IMAGE_NAME=integrity-enforcer-operator
 OPERATOR_IMAGE_REPO=integrityenforcer
-CSV_VERSION_LOCAL=0.0.1
-CSV_VERSION=0.0.1
+CSV_VERSION_LOCAL=0.0.3
+CSV_VERSION=0.0.3
 OPERATOR_IMAGE_LOCAL=${OPERATOR_IMAGE_NAME}:${CSV_VERSION_LOCAL}
 OPERATOR_IMAGE_REMOTE=${OPERATOR_IMAGE_REPO}/${OPERATOR_IMAGE_NAME}:${CSV_VERSION}
 

diff --git a/develop/scripts/push_images.sh b/develop/scripts/push_images.sh
@@ -25,20 +25,20 @@ if [ -z "$IE_REPO_ROOT" ]; then
 fi
 
 SERVICE_NAME=ie-server
-IMAGE_REMOTE=integrityenforcer/ie-server:0.0.1
+IMAGE_REMOTE=integrityenforcer/ie-server:0.0.3
 IMAGE_LOCAL=ie-server:local
 BASEDIR=./deployment
 DOCKERFILE=./image/Dockerfile
 
 LOGG_BASEDIR=${IE_REPO_ROOT}/logging/
-LOGG_IMAGE_REMOTE=integrityenforcer/ie-logging:0.0.1
+LOGG_IMAGE_REMOTE=integrityenforcer/ie-logging:0.0.3
 LOGG_IMAGE_LOCAL=ie-logging:local
 
 OPERATOR_BASEDIR=${IE_REPO_ROOT}/operator/
 OPERATOR_IMAGE_NAME=integrity-enforcer-operator
 OPERATOR_IMAGE_REPO=integrityenforcer
-CSV_VERSION_LOCAL=0.0.1
-CSV_VERSION=0.0.1
+CSV_VERSION_LOCAL=0.0.3
+CSV_VERSION=0.0.3
 OPERATOR_IMAGE_LOCAL=${OPERATOR_IMAGE_NAME}:${CSV_VERSION_LOCAL}
 OPERATOR_IMAGE_REMOTE=${OPERATOR_IMAGE_REPO}/${OPERATOR_IMAGE_NAME}:${CSV_VERSION}
 

diff --git a/develop/signservice/develop/scripts/build_images.sh b/develop/signservice/develop/scripts/build_images.sh
@@ -36,7 +36,7 @@ if [ -z "$IE_REPO_ROOT" ]; then
 fi
 
 SS_BASEDIR=${IE_REPO_ROOT}/develop/signservice/signservice/
-SS_IMAGE_REMOTE=integrityenforcer/ie-signservice:0.0.1
+SS_IMAGE_REMOTE=integrityenforcer/ie-signservice:0.0.3
 SS_IMAGE_LOCAL=signservice:dev
 
 SS_OPERATOR_BASEDIR=${IE_REPO_ROOT}/develop/signservice/signservice-operator/

diff --git a/develop/signservice/develop/scripts/create-apply-signature.sh b/develop/signservice/develop/scripts/create-apply-signature.sh
@@ -1,4 +1,18 @@
 #!/bin/bash
+#
+# Copyright 2020 IBM Corporation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 if ! [ -x "$(command -v curl)" ]; then
     echo 'Error: curl is not installed.' >&2

diff --git a/develop/signservice/develop/scripts/create-signature.sh b/develop/signservice/develop/scripts/create-signature.sh
@@ -1,4 +1,18 @@
 #!/bin/bash
+#
+# Copyright 2020 IBM Corporation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 if ! [ -x "$(command -v curl)" ]; then
     echo 'Error: curl is not installed.' >&2
@@ -50,7 +64,7 @@ if [[ "$status_code" -ne 200 ]] ; then
 fi
 
 file_option="'yaml=@"$YAML_PATH"'"
-url_option="'"$SIGNSERVICE_URL"/sign?signer="$SIGNER_STRING"&namespace="$RESOURCE_NS"&scope="$SCOPE_STRING"'"
+url_option="'"$SIGNSERVICE_URL"/pgpsign?signer="$SIGNER_STRING"&namespace="$RESOURCE_NS"&scope="$SCOPE_STRING"'"
 
 rsig_yaml=`sh -c "curl -sk -X POST -F ${file_option} ${url_option}"`
 

diff --git a/develop/signservice/develop/scripts/delete-signature.sh b/develop/signservice/develop/scripts/delete-signature.sh
@@ -1,4 +1,18 @@
 #!/bin/bash
+#
+# Copyright 2020 IBM Corporation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 if ! [ -x "$(command -v curl)" ]; then
     echo 'Error: curl is not installed.' >&2