feat(core)!: Introduce two new CRDs and update existing ones

.gitignore

@@ -7,7 +7,6 @@
 *.dylib
 bin
 Dockerfile.cross
-nimbus-kubearmor
 
 # Test binary, build with `go test -c`
 *.test

Dockerfile

@@ -17,6 +17,7 @@ RUN go mod download
 # Copy the go source
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
+COPY internal/ internal/
 COPY pkg/ pkg/
 
 # Build

Makefile

@@ -54,7 +54,7 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
-	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./pkg/..."
+	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
 
 .PHONY: fmt
 fmt: ## Run go fmt against code.
@@ -181,4 +181,4 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
-	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest

PROJECT

@@ -26,4 +26,20 @@ resources:
   kind: NimbusPolicy
   path: github.com/5GSEC/nimbus/api/v1
   version: v1
+- api:
+    crdVersion: v1
+  controller: true
+  domain: security.nimbus.com
+  group: intent
+  kind: ClusterNimbusPolicy
+  path: github.com/5GSEC/nimbus/api/v1
+  version: v1
+- api:
+    crdVersion: v1
+  controller: true
+  domain: security.nimbus.com
+  group: intent
+  kind: ClusterSecurityIntentBinding
+  path: github.com/5GSEC/nimbus/api/v1
+  version: v1
 version: "3"

api/v1/clusternimbuspolicy_types.go

@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ClusterNimbusPolicySpec defines the desired state of ClusterNimbusPolicy
+type ClusterNimbusPolicySpec struct {
+	Selector    CwSelector    `json:"selector"`
+	NimbusRules []NimbusRules `json:"rules"`
+}
+
+// ClusterNimbusPolicyStatus defines the observed state of ClusterNimbusPolicy
+type ClusterNimbusPolicyStatus struct {
+	Status string `json:"status"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:scope=Cluster,shortName="cwnp"
+//+kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.status"
+
+// ClusterNimbusPolicy is the Schema for the clusternimbuspolicies API
+type ClusterNimbusPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ClusterNimbusPolicySpec   `json:"spec,omitempty"`
+	Status ClusterNimbusPolicyStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// ClusterNimbusPolicyList contains a list of ClusterNimbusPolicy
+type ClusterNimbusPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterNimbusPolicy `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ClusterNimbusPolicy{}, &ClusterNimbusPolicyList{})
+}

api/v1/clustersecurityintentbinding_types.go

@@ -0,0 +1,59 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type CwResource struct {
+	Kind        string            `json:"kind"`
+	Name        string            `json:"name"`
+	Namespace   string            `json:"namespace,omitempty"`
+	MatchLabels map[string]string `json:"matchLabels,omitempty"`
+}
+
+type CwSelector struct {
+	Resources []CwResource `json:"resources,omitempty"`
+	CEL       []string     `json:"cel,omitempty"`
+}
+
+// ClusterSecurityIntentBindingSpec defines the desired state of ClusterSecurityIntentBinding
+type ClusterSecurityIntentBindingSpec struct {
+	Intents  []MatchIntent `json:"intents"`
+	Selector CwSelector    `json:"selector"`
+}
+
+// ClusterSecurityIntentBindingStatus defines the observed state of ClusterSecurityIntentBinding
+type ClusterSecurityIntentBindingStatus struct {
+	Status string `json:"status"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.status"
+//+kubebuilder:resource:scope=Cluster,shortName="csib"
+//+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterSecurityIntentBinding is the Schema for the clustersecurityintentbindings API
+type ClusterSecurityIntentBinding struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ClusterSecurityIntentBindingSpec   `json:"spec,omitempty"`
+	Status ClusterSecurityIntentBindingStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// ClusterSecurityIntentBindingList contains a list of ClusterSecurityIntentBinding
+type ClusterSecurityIntentBindingList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterSecurityIntentBinding `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ClusterSecurityIntentBinding{}, &ClusterSecurityIntentBindingList{})
+}

api/v1/nimbuspolicy_types.go

@@ -7,14 +7,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
-
 // NimbusPolicySpec defines the desired state of NimbusPolicy
 type NimbusPolicySpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
 	// Selector specifies the target resources to which the policy applies
 	Selector NimbusSelector `json:"selector"`
 
@@ -30,113 +24,27 @@ type NimbusSelector struct {
 
 // NimbusRules represents a single policy rule with an ID, type, description, and detailed rule configurations.
 type NimbusRules struct {
-	Id          string `json:"id"`
+	ID          string `json:"id"`
 	Type        string `json:"type,omitempty"`
 	Description string `json:"description,omitempty"`
-	Rule        []Rule `json:"rule"`
+	Rule        Rule   `json:"rule"`
 }
 
 type Rule struct {
-	RuleAction string `json:"action"`
-
-	// Network: MatchProtocols
-	MatchProtocols []MatchProtocol `json:"matchProtocols,omitempty"`
-
-	// Process: MatchPaths, MatchDirectories, MatchPatterns
-	// File: MatchPaths, MatchDirectories,  MatchPatterns
-	MatchPaths       []MatchPath      `json:"matchPaths,omitempty"`
-	MatchDirectories []MatchDirectory `json:"matchDirectories,omitempty"`
-	MatchPatterns    []MatchPattern   `json:"matchPatterns,omitempty"`
-
-	// Capabilities: MatchCapabilities
-	MatchCapabilities []MatchCapability `json:"matchCapabilities,omitempty"`
-
-	// Syscalls: MatchSyscalls
-	MatchSyscalls     []MatchSyscall     `json:"matchSyscalls,omitempty"`
-	MatchSyscallPaths []MatchSyscallPath `json:"matchSyscallPaths,omitempty"`
-
-	FromCIDRSet []CIDRSet `json:"fromCIDRSet,omitempty"`
-	ToPorts     []ToPort  `json:"toPorts,omitempty"`
-}
-
-// CIDRSet defines CIDR ranges for network policies
-type CIDRSet struct {
-	CIDR string `json:"cidr,omitempty"`
-}
-
-// ToPort defines ports and protocols for network policies
-type ToPort struct {
-	Ports []Port `json:"ports,omitempty"`
-}
-
-// Port defines a network port and its protocol
-type Port struct {
-	Port     string `json:"port,omitempty"`
-	Protocol string `json:"protocol,omitempty"`
-}
-
-// MatchProtocol defines a protocol for network policies
-type MatchProtocol struct {
-	Protocol string `json:"protocol,omitempty"`
-}
-
-// MatchPath defines a path for process or file policies
-type MatchPath struct {
-	Path string `json:"path,omitempty"`
-}
-
-// MatchDirectory defines a directory for process or file policies
-type MatchDirectory struct {
-	Directory  string             `json:"dir,omitempty"`
-	FromSource []NimbusFromSource `json:"fromSource,omitempty"`
-}
-
-// MatchPattern defines a pattern for process policies
-type MatchPattern struct {
-	Pattern string `json:"pattern,omitempty"`
-}
-
-// MatchSyscall defines a syscall for syscall policies
-type MatchSyscall struct {
-	Syscalls   []string            `json:"syscalls,omitempty"`
-	FromSource []SyscallFromSource `json:"fromSource,omitempty"`
-}
-
-type MatchSyscallPath struct {
-	Path       string              `json:"path,omitempty"`
-	Recursive  bool                `json:"recursive,omitempty"`
-	Syscalls   []string            `json:"syscall,omitempty"`
-	FromSource []SyscallFromSource `json:"fromSource,omitempty"`
-}
-
-type SyscallFromSource struct {
-	Path string `json:"path,omitempty"`
-	Dir  string `json:"dir,omitempty"`
-}
-
-// MatchCapability defines a capability for capabilities policies
-type MatchCapability struct {
-	Capability string             `json:"capability,omitempty"`
-	FromSource []NimbusFromSource `json:"fromSource,omitempty"`
-}
-
-// FromSource defines a source path for directory-based policies
-type NimbusFromSource struct {
-	Path string `json:"path,omitempty"`
+	RuleAction string              `json:"action"`
+	Mode       string              `json:"mode"`
+	Params     map[string][]string `json:"params,omitempty"`
 }
 
 // NimbusPolicyStatus defines the observed state of NimbusPolicy
 type NimbusPolicyStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
-	PolicyStatus string `json:"status"`
+	Status string `json:"status"`
 }
 
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
+//+kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.status"
 //+kubebuilder:resource: shortName="np"
-//+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // NimbusPolicy is the Schema for the nimbuspolicies API
 type NimbusPolicy struct {