defenseunicorns · TristanHoladay · Mar 7, 2024 · Feb 9, 2024 · Feb 9, 2024 · Feb 9, 2024
@@ -0,0 +1,47 @@
+apiVersion: uds.dev/v1alpha1
+kind: Exemption
+metadata:
+  name: neuvector
+  namespace: uds-policy-exemptions
+spec:
+  exemptions:
+    - policies:
+        - Disallow_Host_Namespaces
+        - Disallow_Privileged
+        - Require_Non_Root_User
+        - Drop_All_Capabilities
+        - Restrict_HostPath_Write
+        - Restrict_Volume_Types
+      matcher:
+        namespace: neuvector
+        name: "^neuvector-enforcer-pod.*"
+
+    - policies:
+        - Disallow_Privileged
+        - Require_Non_Root_User
+        - Drop_All_Capabilities
+        - Restrict_HostPath_Write
+        - Restrict_Volume_Types
+      matcher:
+        namespace: neuvector
+        name: "^neuvector-controller-pod.*"
+
+    - policies:
+        - Drop_All_Capabilities
+      matcher:
+        namespace: neuvector
+        name: "^neuvector-prometheus-exporter-pod.*"
+
+
+  # Neuvector mounts the following hostPaths as writeable:
+  # `/var/neuvector`: for Neuvector's buffering and persistent state
+
+
+  # Neuvector requires HostPath volume types
+  # Neuvector mounts the following hostPaths:
+  # `/var/neuvector`: (as writable) for Neuvector's buffering and persistent state
+  # `/var/run`: communication to docker daemon
+  # `/proc`: monitoring of processes for malicious activity
+  # `/sys/fs/cgroup`: important files the controller wants to monitor for malicious content
+  # https://github.com/neuvector/neuvector-helm/blob/master/charts/core/templates/enforcer-daemonset.yaml#L108
+
@@ -1,13 +1,17 @@
 ## UDS Operator
 
-The UDS Operator manages the lifecycle of UDS Package CRs and their corresponding resources (e.g. NetworkPolicies, Istio VirtualServices, etc.). The operator uses [Pepr](https://pepr.dev) to bind the watch operations to the enqueue and reconciler. The operator is responsible for:
+The UDS Operator manages the lifecycle of UDS Package CRs and their corresponding resources (e.g. NetworkPolicies, Istio VirtualServices, etc.) as well UDS Exemption CRs. The operator uses [Pepr](https://pepr.dev) to bind the watch operations to the enqueue and reconciler. The operator is responsible for:
 
+#### Package
 - enabling Istio sidecar injection in namespaces where the CR is deployed
 - establishing default-deny ingress/egress network policies
 - creating a layered allow-list based approach on top of the default deny network policies including some basic defaults such as Istio requirements and DNS egress
 - providing targeted remote endpoints network policies such as `KubeAPI` and `CloudMetadata` to make policies more DRY and provide dynamic bindings where a static definition is not possible
 - creating Istio Virtual Services & related ingress gateway network policies
 
+#### Exemption
+- updating the policies Pepr store with registered exemptions 
+
 ### Example UDS Package CR
 
 ```yaml
@@ -41,21 +45,62 @@ spec:
         description: "Tempo"
 ```
 
+### Example UDS Exemption CR
+
+```yaml
+apiVersion: uds.dev/v1alpha1
+kind: Exemption
+metadata:
+  name: neuvector
+  namespace: uds-policy-exemptions
+spec:
+  exemptions:
+    - policies:
+        - Disallow_Host_Namespaces
+        - Disallow_Privileged
+        - Require_Non_Root_User
+        - Drop_All_Capabilities
+        - Restrict_HostPath_Write
+        - Restrict_Volume_Types
+      matcher:
+        namespace: neuvector
+        name: "^neuvector-enforcer-pod.*"
+
+    - policies:
+        - Disallow_Privileged
+        - Require_Non_Root_User
+        - Drop_All_Capabilities
+        - Restrict_HostPath_Write
+        - Restrict_Volume_Types
+      matcher:
+        namespace: neuvector
+        name: "^neuvector-controller-pod.*"
+
+    - policies:
+        - Drop_All_Capabilities
+      matcher:
+        namespace: neuvector
+        name: "^neuvector-prometheus-exporter-pod.*"  
+```
+
 ### Key Files and Folders
 
 ```bash
 .
-├── controllers          # Core business logic called by the reconciler
-│   ├── istio            # Manages Istio VirtualServices and sidecar injection for UDS Packages/Namespace
-│   └── network          # Manages default and generated NetworkPolicies for UDS Packages/Namespace
+├── controllers             # Core business logic called by the reconciler
+│   ├── exemptions          # Manages updating Pepr store with exemptions from UDS Exemption
+│   ├── istio               # Manages Istio VirtualServices and sidecar injection for UDS Packages/Namespace
+│   └── network             # Manages default and generated NetworkPolicies for UDS Packages/Namespace
 ├── crd
-│   ├── generated        # Type files generated by `uds run -f src/pepr/tasks.yaml gen-crds`
-│   ├── sources          # CRD source files
-│   ├── register.ts      # Registers the UDS Package CRD with the Kubernetes API
-│   └── validator.ts     # Validates UDS Package CRs with Pepr
-├── enqueue.ts           # Serializes UDS Package CRs for processing by the reconciler
-├── index.ts             # Entrypoint for the UDS Operator
-└── reconciler.ts        # Reconciles UDS Package CRs via the controllers
+│   ├── generated           # Type files generated by `uds run -f src/pepr/tasks.yaml gen-crds`
+│   ├── sources             # CRD source files
+│   ├── exmpt-validator.ts  # Validates UDS Exemption CRs with Pepr
+│   ├── migrate.ts          # Migrates older versions of UDS Package CRs to new version
+│   ├── register.ts         # Registers the UDS Package CRD with the Kubernetes API
+│   └── validator.ts        # Validates UDS Package CRs with Pepr
+├── enqueue.ts              # Serializes UDS Package CRs for processing by the reconciler
+├── index.ts                # Entrypoint for the UDS Operator
+└── reconciler.ts           # Reconciles UDS Package CRs via the controllers
 ```
 
 ### Flow

@@ -0,0 +1,87 @@
+import { afterAll, beforeAll, describe, expect, it, jest } from "@jest/globals";
+import { Store } from "../../../policies/common";
+import { processExemptions } from "./exemptions";
+import { Policy } from "../../crd";
+import { Exemption } from "../../crd/generated/exemption-v1alpha1";
+
+const mockStore = new Map<string, string>();
+const enforcerMatcher = { namespace: "neuvector", name: "^neuvector-enforcer-pod.*" };
+const controllerMatcher = { namespace: "neuvector", name: "^neuvector-controller-pod.*" };
+const prometheusMatcher = { namespace: "neuvector", name: "^neuvector-prometheus-exporter-pod.*" };
+const mockExemption = {
+  spec: {
+    exemptions: [
+      {
+        matcher: enforcerMatcher,
+        policies: ["Disallow_Privileged", "Drop_All_Capabilities"],
+      },
+      {
+        matcher: controllerMatcher,
+        policies: ["Disallow_Privileged", "Drop_All_Capabilities"],
+      },
+      {
+        matcher: prometheusMatcher,
+        policies: ["Drop_All_Capabilities"],
+      },
+    ],
+  },
+};
+
+describe("Test Exemptions Controller", () => {
+  beforeAll(() => {
+    jest.spyOn(Store, "getItem").mockImplementation((key: string) => {
+      return mockStore.get(key) || null;
+    });
+
+    jest.spyOn(Store, "setItem").mockImplementation((key: string, val: string) => {
+      mockStore.set(key, val);
+    });
+  });
+
+  afterAll(() => {
+    mockStore.clear();
+    jest.restoreAllMocks();
+  });
+
+  it("Add exemptions for the first time", async () => {
+    await processExemptions(mockExemption as Exemption);
+    expect(Store.getItem(Policy.DisallowPrivileged)).toEqual(
+      `[${JSON.stringify(enforcerMatcher)},${JSON.stringify(controllerMatcher)}]`,
+    );
+    expect(Store.getItem(Policy.DropAllCapabilities)).toEqual(
+      `[${JSON.stringify(enforcerMatcher)},${JSON.stringify(controllerMatcher)},${JSON.stringify(
+        prometheusMatcher,
+      )}]`,
+    );
+  });
+
+  it("Tries to add same exemptions again and doesn't", async () => {
+    await processExemptions(mockExemption as Exemption);
+    expect(Store.getItem(Policy.DisallowPrivileged)).toEqual(
+      `[${JSON.stringify(enforcerMatcher)},${JSON.stringify(controllerMatcher)}]`,
+    );
+    expect(Store.getItem(Policy.DropAllCapabilities)).toEqual(
+      `[${JSON.stringify(enforcerMatcher)},${JSON.stringify(controllerMatcher)},${JSON.stringify(
+        prometheusMatcher,
+      )}]`,
+    );
+  });
+
+  it("Removes exemptions when CR updates", async () => {
+    const mockExemption2 = {
+      spec: {
+        exemptions: [
+          ...mockExemption.spec.exemptions,
+          { matcher: enforcerMatcher, policies: ["Disallow_Privileged"] },
+        ],
+      },
+    };
+    await processExemptions(mockExemption2 as Exemption);
+    expect(Store.getItem(Policy.DisallowPrivileged)).toEqual(
+      `[${JSON.stringify(enforcerMatcher)},${JSON.stringify(controllerMatcher)}]`,
+    );
+    expect(Store.getItem(Policy.DropAllCapabilities)).toEqual(
+      `[${JSON.stringify(controllerMatcher)},${JSON.stringify(prometheusMatcher)}]`,
+    );
+  });
+});
@@ -0,0 +1,114 @@
+import { Log } from "pepr";
+import { policies } from "../../../policies/index";
+import { Matcher, Policy, UDSExemption } from "../../crd";
+
+// Remove leading and trailing '/' if added by user to matcher name
+function removeRegexSlash(name: string) {
+  if (name[0] === "/" && name[name.length - 1] === "/") {
+    name = name.slice(1, name.length - 1);
+  }
+  return name;
+}
+
+// *** Using setItemAndWait() ***
+
+// Add Exemptions to Pepr store as "policy": "[{matcher}]"
+// export async function addExemptions(exmpt: UDSExemption) {
+//   const t0 = performance.now();
+//   const { Store } = policies;
+//   if (exmpt.spec && exmpt.spec.exemptions) {
+//     for (const e of exmpt.spec.exemptions) {
+//       const name = removeRegexSlash(e.matcher.name);
+//       for (const p of e.policies) {
+//         const exemptionList = JSON.parse(Store.getItem(p) || "[]");
+//         exemptionList.push({ namespace: e.matcher.namespace, name: name });
+//         await Store.setItemAndWait(p, JSON.stringify(exemptionList));
+//       }
+//     }
+//   }
+//   const t1 = performance.now();
+//   Log.debug(`Time to complete exemption write: ${t1 - t0}`);
+// }
+
+function isAlreadyAdded(matchers: Matcher[], name: string) {
+  for (const m of matchers) {
+    if (m.name === name) {
+      return true;
+    }
+  }
+}
+
+const policyList = Object.values(Policy);
+
+// *** Use Local Map to then Update Store ***
+// Add Exemptions to Pepr store as "policy": "[{matcher}]"
+export async function processExemptions(exmpt: UDSExemption) {
+  const t0 = performance.now();
+  const { Store } = policies;
+
+  // Aggregate matchers for each policy into local Map
+  const exemptionMap = new Map<Policy, Matcher[]>();
+  const exemptions = exmpt.spec?.exemptions ?? [];
+
+  // Iterate through each policy
+  for (const p of policyList) {
+    exemptionMap.set(p, JSON.parse(Store.getItem(p) || "[]"));
+
+    // Iterate through all exemption blocks
+    for (const e of exemptions) {
+      const matchers = exemptionMap.get(p) ?? [];
+      const name = removeRegexSlash(e.matcher.name);
+
+      if (e.policies.includes(p)) {
+        // Do additional checks if policy already has matchers
+        if (matchers.length > 0) {
+          if (isAlreadyAdded(matchers, name)) {
+            continue;
+          } else {
+            matchers.push({ namespace: e.matcher.namespace, name: name });
+            exemptionMap.set(p, matchers);
+          }
+        } else {
+          // Else add to policy for the first time
+          exemptionMap.set(p, [{ namespace: e.matcher.namespace, name: name }]);
+        }
+      } else {
+        // check if matcher should be removed from this policy because no longer in CR
+        for (const m of matchers) {
+          if (m.name === name) {
+            Log.debug(`Removing ${name} from ${p}`);
+            exemptionMap.set(
+              p,
+              matchers.filter(m => m.name !== name),
+            );
+          }
+        }
+      }
+    }
+  }
+
+  // Iterate through local Map and update Store
+  for (const [k, v] of exemptionMap.entries()) {
+    Log.debug(`Adding to policy ${k}: ${v}`);
+    Store.setItem(k, JSON.stringify(v));
+  }
+
+  const t1 = performance.now();
+  Log.debug(`Time to complete exemption write: ${t1 - t0}`);
+}
+
+export async function removeExemptions(exmpt: UDSExemption) {
+  const { Store } = policies;
+
+  if (exmpt.spec && exmpt.spec.exemptions) {
+    for (const e of exmpt.spec.exemptions) {
+      const name = removeRegexSlash(e.matcher.name);
+      for (const p of e.policies) {
+        const exemptionList: Matcher[] = JSON.parse(Store.getItem(p) || "[]");
+        //filter matchers, returning those that do not match current exemption.matcher.name
+        const filteredList = exemptionList.filter(m => m.name !== name);
+        await Store.setItemAndWait(p, JSON.stringify(filteredList));
+      }
+    }
+  }
+}
diff --git a/src/pepr/operator/crd/exmpt-validator.ts b/src/pepr/operator/crd/exmpt-validator.ts
@@ -0,0 +1,30 @@
+import { PeprValidateRequest } from "pepr";
+
+import { UDSExemption } from ".";
+
+const validNS = "uds-policy-exemptions";
+
+export async function exmptValidator(req: PeprValidateRequest<UDSExemption>) {
+  const exmpt = req.Raw;
+  const ns = exmpt.metadata?.namespace;
+
+  if (ns !== validNS) {
+    return req.Deny(`Invalid namespace ${ns}; must be ${validNS}`);
+  }
+
+  const exemptions = exmpt.spec?.exemptions ?? [];
+  if (exemptions.length === 0) {
+    return req.Deny("Invalid number of exemptions: must have at least 1");
+  }
+
+  // Check that each matcher name is valid regex
+  for (const e of exemptions) {
+    try {
+      new RegExp(e.matcher.name);
+    } catch (err) {
+      return req.Deny(`Invalid regular expression pattern for ${e.matcher.name}: ${err}`);
+    }
+  }
+
+  return req.Approve();
+}