Merge pull request #910 from dsalaza4/main

feat(back): #909 secure kubernetes
fluidattacks · Sep 14, 2022 · c1b92cf · c1b92cf
2 parents 2e99767 + d847fda
commit c1b92cf
Show file tree

Hide file tree

Showing 6 changed files with 188 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -253,6 +253,7 @@ Real life projects that run entirely on [Makes][makes]:
     - [testPython](#testpython)
     - [testTerraform](#testterraform)
   - [Security](#security)
+    - [secureKubernetesWithRbacPolice](#securekuberneteswithrbacpolice)
     - [securePythonWithBandit](#securepythonwithbandit)
   - [Deploy](#deploy)
     - [computeOnAwsBatch](#computeonawsbatch)
@@ -1608,6 +1609,64 @@ Example invocation: `$ m . /testTerraform/module2`
 
 ## Security
 
+### secureKubernetesWithRbacPolice
+
+Secure Kubernetes clusters with [rbac-police][rbac-police].
+
+Types:
+
+- secureKubernetesWithRbacPolice (`attrsOf kubernetesWithRbacPolice`): Optional.
+  Defaults to `{ }`.
+- kubernetesWithRbacPolice (`submodule`):
+
+  - severity (`str`):
+    Only evaluate policies with severity >= threshold.
+    Defaults to `Low`.
+
+  - setup (`listOf package`):
+    [Makes Environment][makes_environment]
+    or [Makes Secrets][makes_secrets]
+    to `source` (as in Bash's `source`)
+    before anything else.
+    Defaults to `[ ]`.
+
+Example `makes.nix`:
+
+```nix
+{ outputs
+, secretsForAwsFromGitlab
+, secretsForKubernetesConfigFromAws
+, secureKubernetesWithRbacPolice
+, ...
+}:
+{
+  secretsForAwsFromGitlab = {
+    makesProd = {
+      roleArn = "arn:aws:iam::123456789012:role/prod";
+      duration = 7200;
+      retries = 30;
+    };
+  };
+  secretsForKubernetesConfigFromAws = {
+    makes = {
+      cluster = "makes-k8s";
+      region = "us-east-1";
+    };
+  };
+  secureKubernetesWithRbacPolice = {
+    makes = {
+      severity = "Low";
+      setup = [
+        outputs."/secretsForAwsFromGitlab/makesProd"
+        outputs."/secretsForKubernetesConfigFromAws/makes"
+      ];
+    };
+  };
+}
+```
+
+Example invocation: `$ m . /secureKubernetesWithRbacPolice/makes`
+
 ### securePythonWithBandit
 
 Secure Python code with [Bandit][bandit].
@@ -1725,6 +1784,7 @@ Types:
     or [Makes Secrets][makes_secrets]
     to `source` (as in Bash's `source`)
     before anything else.
+    Defaults to `[ ]`.
   - vcpus (`ints.positive`):
     Amount of virtual CPUs that is reserved for the job.
 
@@ -5445,6 +5505,8 @@ Project leaders:
   [Python Packaging Index (PyPI)][python_pypi]
 - [rake]: https://github.com/ruby/rake
   [Rake][rake]
+- [rbac-police]: https://github.com/PaloAltoNetworks/rbac-police
+  [rbac-police][rbac-police]
 - [reproducible_builds]: https://reproducible-builds.org/
   [Reproducible Builds][reproducible_builds]
 - [rpath]: https://en.wikipedia.org/wiki/Rpath

diff --git a/src/args/agnostic.nix b/src/args/agnostic.nix
@@ -96,6 +96,7 @@
     managePorts = import ./manage-ports/default.nix self;
     patchShebangs = import ./patch-shebangs/default.nix self;
     removePrefix = self.__nixpkgs__.lib.removePrefix;
+    secureKubernetesWithRbacPolice = import ./secure-kubernetes-with-rbac-police/default.nix self;
     securePythonWithBandit = import ./secure-python-with-bandit/default.nix self;
     sortAscii = builtins.sort (a: b: a < b);
     sortAsciiCaseless = builtins.sort (a: b: self.__nixpkgs__.lib.toLower a < self.__nixpkgs__.lib.toLower b);

diff --git a/src/args/secure-kubernetes-with-rbac-police/default.nix b/src/args/secure-kubernetes-with-rbac-police/default.nix
@@ -0,0 +1,45 @@
+{
+  __nixpkgs__,
+  fetchGithub,
+  fetchUrl,
+  isLinux,
+  makeScript,
+  ...
+}: {
+  name,
+  setup,
+  severity,
+  ...
+}: let
+  bin =
+    if isLinux
+    then
+      fetchUrl {
+        url = "https://github.com/PaloAltoNetworks/rbac-police/releases/download/v1.0.1/rbac-police_v1.0.1_linux_amd64";
+        sha256 = "0k4dvc9r165q9lwidnks0vm7kqzi55l29p6iw9xy9l3982saihvi";
+      }
+    else
+      fetchUrl {
+        url = "https://github.com/PaloAltoNetworks/rbac-police/releases/download/v1.0.1/rbac-police_v1.0.1_darwin_amd64";
+        sha256 = "16bi40pj2gq22w3b04bsfmh2iy2ax4jh8349lvpwm9rckkhrkg91";
+      };
+  repo = fetchGithub {
+    owner = "PaloAltoNetworks";
+    repo = "rbac-police";
+    rev = "ffe47f709a747fc92cbeeb2eec688b4ea544b958";
+    sha256 = "0hna14rwkfadqq2higzz033hkdpxpnzi5vg340xsk50ipr41g689";
+  };
+in
+  makeScript {
+    name = "secure-kubernetes-with-rbac-police-for-${name}";
+    replace = {
+      __argBin__ = bin;
+      __argRepo__ = repo;
+      __argSeverity__ = severity;
+    };
+    searchPaths = {
+      bin = [__nixpkgs__.jq];
+      source = setup;
+    };
+    entrypoint = ./entrypoint.sh;
+  }
diff --git a/src/args/secure-kubernetes-with-rbac-police/entrypoint.sh b/src/args/secure-kubernetes-with-rbac-police/entrypoint.sh
@@ -0,0 +1,36 @@
+# shellcheck shell=bash
+
+function evaluate {
+  local output="${1}"
+  local evaluated
+  local passed
+
+  : \
+    && if ! echo "${output}" | jq -rec &> /dev/null; then
+      warn "Kubernetes cluster could not be reached." \
+        && error "${output}"
+    fi \
+    && evaluated="$(echo "${output}" | jq -rec .summary.evaluated)" \
+    && passed="$(echo "${output}" | jq -rec .summary.passed)" \
+    && echo "${output}" | jq -re \
+    && if [ "${passed}" != "${evaluated}" ]; then
+      return 1
+    fi
+}
+
+function main {
+  local bin
+  local output
+
+  : \
+    && bin="$(mktemp)" \
+    && copy "__argBin__" "${bin}" \
+    && chmod +x "${bin}" \
+    && pushd "__argRepo__" \
+    && output="$("${bin}" "eval" "lib/" -s "__argSeverity__" 2>&1)" \
+    && popd \
+    && evaluate "${output}" \
+    || return 1
+}
+
+main "${@}"
diff --git a/src/evaluator/modules/default.nix b/src/evaluator/modules/default.nix
@@ -46,6 +46,7 @@
     (import ./secrets-for-gpg-from-env/default.nix args)
     (import ./secrets-for-kubernetes-config-from-aws/default.nix args)
     (import ./secrets-for-terraform-from-env/default.nix args)
+    (import ./secure-kubernetes-with-rbac-police/default.nix args)
     (import ./secure-python-with-bandit/default.nix args)
     (import ./taint-terraform/default.nix args)
     (import ./test-python/default.nix args)

diff --git a/src/evaluator/modules/secure-kubernetes-with-rbac-police/default.nix b/src/evaluator/modules/secure-kubernetes-with-rbac-police/default.nix
@@ -0,0 +1,43 @@
+{
+  __toModuleOutputs__,
+  secureKubernetesWithRbacPolice,
+  ...
+}: {
+  config,
+  lib,
+  ...
+}: let
+  type = lib.types.submodule (_: {
+    options = {
+      setup = lib.mkOption {
+        default = [];
+        type = lib.types.listOf lib.types.package;
+      };
+      severity = lib.mkOption {
+        default = "Low";
+        type = lib.types.str;
+      };
+    };
+  });
+  output = name: {
+    setup,
+    severity,
+  }: {
+    name = "/secureKubernetesWithRbacPolice/${name}";
+    value = secureKubernetesWithRbacPolice {
+      inherit name;
+      inherit setup;
+      inherit severity;
+    };
+  };
+in {
+  options = {
+    secureKubernetesWithRbacPolice = lib.mkOption {
+      default = {};
+      type = lib.types.attrsOf type;
+    };
+  };
+  config = {
+    outputs = __toModuleOutputs__ output config.secureKubernetesWithRbacPolice;
+  };
+}