Least Permissive Policies for OAI (Nephio based) #1065

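--- a/5gsec/oai-core/ksp-core-amf-zero-trust.yaml
+++ b/5gsec/oai-core/ksp-core-amf-zero-trust.yaml
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+name: ksp-core-amf-zero-trust
+namespace: oai-core
+spec:
+action: Allow
+file:
+matchDirectories:
+- dir: /
+recursive: true
+- dir: /openair-amf/etc/
+recursive: true
+action: Block
+- dir: /openair-amf/etc/
+recursive: true
+fromSource:
+- path: /openair-amf/bin/oai_amf
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Block
+message: unauthorized access to kubernetes service account
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Allow
+fromSource:
+- path: /openair-amf/bin/oai_amf
+matchPaths:
+- path: /openair-amf/etc/amf.yaml
+action: Block
+- path: /openair-amf/etc/amf.yaml
+fromSource:
+- path: /openair-amf/bin/oai_amf
+
+
+network:
+matchProtocols:
+- fromSource:
+- path: /openair-amf/bin/oai_amf
+protocol: raw
+- fromSource:
+- path: /openair-amf/bin/oai_amf
+protocol: tcp
+- fromSource:
+- path: /openair-amf/bin/oai_amf
+protocol: udp
+process:
+matchPaths:
+- path: /openair-amf/bin/oai_amf
+selector:
+matchLabels:
+workload.nephio.org/oai: amf
+severity: 1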
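Review bot: The first `matchDirectories` entry, `- dir: /` with `recursive: true` under the spec-level `action: Allow`, permits every process in the pod to access the entire filesystem, which leaves only the explicit Block entries (`/openair-amf/etc/` and the service-account token directory) as effective restrictions and contradicts the least-permissive intent in the file name; as far as I understand KubeArmor allow semantics, dropping that entry or narrowing it to the directories the binary actually needs (not listed on this page) is what makes the allow-list meaningful. The same entry appears in the ausf, nrf, smf, udm, udr and upf sections. The network allow-list grants `protocol: raw` to `oai_amf` next to tcp and udp; a raw socket is a broad capability for a zero-trust profile, and if it is required I would record why with a comment such as `# raw required for <reason — fill in>`. Presumably the AMF also opens SCTP sockets for its N2 interface, which tcp/udp/raw do not cover, so confirm the protocol values the deployed KubeArmor version supports before enforcing. The two blank lines before `network:` are stray whitespace inside the spec and can be removed.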
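--- a/5gsec/oai-core/ksp-core-ausf-zero-trust.yaml
+++ b/5gsec/oai-core/ksp-core-ausf-zero-trust.yaml
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+name: ksp-core-ausf-zero-trust
+namespace: oai-core
+spec:
+action: Allow
+file:
+matchDirectories:
+- dir: /
+recursive: true
+- dir: /openair-ausf/etc/
+recursive: true
+action: Block
+- dir: /openair-ausf/etc/
+recursive: true
+fromSource:
+- path: /openair-ausf/bin/oai_ausf
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Block
+message: unauthorized access to kubernetes service account
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Allow
+fromSource:
+- path: /openair-ausf/bin/oai_ausf
+matchPaths:
+- path: /openair-ausf/etc/ausf.yaml
+action: Block
+- path: /openair-ausf/etc/ausf.yaml
+fromSource:
+- path: /openair-ausf/bin/oai_ausf
+
+
+network:
+matchProtocols:
+- fromSource:
+- path: /openair-ausf/bin/oai_ausf
+protocol: raw
+- fromSource:
+- path: /openair-ausf/bin/oai_ausf
+protocol: tcp
+- fromSource:
+- path: /openair-ausf/bin/oai_ausf
+protocol: udp
+process:
+matchPaths:
+- path: /openair-ausf/bin/oai_ausf
+selector:
+matchLabels:
+workload.nephio.org/oai: ausf
+severity: 1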
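--- a/5gsec/oai-core/ksp-core-nrf-zero-trust.yaml
+++ b/5gsec/oai-core/ksp-core-nrf-zero-trust.yaml
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+name: ksp-core-nrf-zero-trust
+namespace: oai-core
+spec:
+action: Allow
+file:
+matchDirectories:
+- dir: /
+recursive: true
+- dir: /openair-nrf/etc/
+recursive: true
+action: Block
+- dir: /openair-nrf/etc/
+recursive: true
+fromSource:
+- path: /openair-nrf/bin/oai_nrf
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Block
+message: unauthorized access to kubernetes service account
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Allow
+fromSource:
+- path: /openair-nrf/bin/oai_nrf
+matchPaths:
+- path: /openair-nrf/etc/nrf.yaml
+action: Block
+- path: /openair-nrf/etc/nrf.yaml
+fromSource:
+- path: /openair-nrf/bin/oai_nrf
+
+
+network:
+matchProtocols:
+- fromSource:
+- path: /openair-nrf/bin/oai_nrf
+protocol: raw
+- fromSource:
+- path: /openair-nrf/bin/oai_nrf
+protocol: tcp
+- fromSource:
+- path: /openair-nrf/bin/oai_nrf
+protocol: udp
+process:
+matchPaths:
+- path: /openair-nrf/bin/oai_nrf
+selector:
+matchLabels:
+workload.nephio.org/oai: nrf
+severity: 1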
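--- a/5gsec/oai-core/ksp-core-smf-zero-trust.yaml
+++ b/5gsec/oai-core/ksp-core-smf-zero-trust.yaml
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+name: ksp-core-smf-zero-trust
+namespace: oai-core
+spec:
+action: Allow
+file:
+matchDirectories:
+- dir: /
+recursive: true
+- dir: /openair-smf/etc/
+recursive: true
+action: Block
+- dir: /openair-smf/etc/
+recursive: true
+fromSource:
+- path: /openair-smf/bin/oai_smf
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Block
+message: unauthorized access to kubernetes service account
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Allow
+fromSource:
+- path: /openair-smf/bin/oai_smf
+matchPaths:
+- path: /openair-smf/etc/smf.yaml
+action: Block
+- path: /openair-smf/etc/smf.yaml
+fromSource:
+- path: /openair-smf/bin/oai_smf
+
+
+network:
+matchProtocols:
+- fromSource:
+- path: /openair-smf/bin/oai_smf
+protocol: raw
+- fromSource:
+- path: /openair-smf/bin/oai_smf
+protocol: tcp
+- fromSource:
+- path: /openair-smf/bin/oai_smf
+protocol: udp
+process:
+matchPaths:
+- path: /openair-smf/bin/oai_smf
+selector:
+matchLabels:
+workload.nephio.org/oai: smf
+severity: 1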
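--- a/5gsec/oai-core/ksp-core-udm-zero-trust.yaml
+++ b/5gsec/oai-core/ksp-core-udm-zero-trust.yaml
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+name: ksp-core-udm-zero-trust
+namespace: oai-core
+spec:
+action: Allow
+file:
+matchDirectories:
+- dir: /
+recursive: true
+- dir: /openair-udm/etc/
+recursive: true
+action: Block
+- dir: /openair-udm/etc/
+recursive: true
+fromSource:
+- path: /openair-udm/bin/oai_udm
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Block
+message: unauthorized access to kubernetes service account
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Allow
+fromSource:
+- path: /openair-udm/bin/oai_udm
+matchPaths:
+- path: /openair-udm/etc/udm.yaml
+action: Block
+- path: /openair-udm/etc/udm.yaml
+fromSource:
+- path: /openair-udm/bin/oai_udm
+
+
+network:
+matchProtocols:
+- fromSource:
+- path: /openair-udm/bin/oai_udm
+protocol: raw
+- fromSource:
+- path: /openair-udm/bin/oai_udm
+protocol: tcp
+- fromSource:
+- path: /openair-udm/bin/oai_udm
+protocol: udp
+process:
+matchPaths:
+- path: /openair-udm/bin/oai_udm
+selector:
+matchLabels:
+workload.nephio.org/oai: udm
+severity: 1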
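--- a/5gsec/oai-core/ksp-core-udr-zero-trust.yaml
+++ b/5gsec/oai-core/ksp-core-udr-zero-trust.yaml
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+name: ksp-core-udr-zero-trust
+namespace: oai-core
+spec:
+action: Allow
+file:
+matchDirectories:
+- dir: /
+recursive: true
+- dir: /openair-udr/etc/
+recursive: true
+action: Block
+- dir: /openair-udr/etc/
+recursive: true
+fromSource:
+- path: /openair-udr/bin/oai_udr
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Block
+message: unauthorized access to kubernetes service account
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Allow
+fromSource:
+- path: /openair-udr/bin/oai_udr
+matchPaths:
+- path: /openair-udr/etc/udr.yaml
+action: Block
+- path: /openair-udr/etc/udr.yaml
+fromSource:
+- path: /openair-udr/bin/oai_udr
+
+
+network:
+matchProtocols:
+- fromSource:
+- path: /openair-udr/bin/oai_udr
+protocol: raw
+- fromSource:
+- path: /openair-udr/bin/oai_udr
+protocol: tcp
+- fromSource:
+- path: /openair-udr/bin/oai_udr
+protocol: udp
+process:
+matchPaths:
+- path: /openair-udr/bin/oai_udr
+selector:
+matchLabels:
+workload.nephio.org/oai: udr
+severity: 1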
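--- a/5gsec/oai-core/ksp-core-upf-zero-trust.yaml
+++ b/5gsec/oai-core/ksp-core-upf-zero-trust.yaml
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+name: ksp-core-upf-zero-trust
+namespace: oai-core
+spec:
+action: Allow
+file:
+matchDirectories:
+- dir: /
+recursive: true
+- dir: /openair-upf/etc/
+recursive: true
+action: Block
+- dir: /openair-upf/etc/
+recursive: true
+fromSource:
+- path: /openair-upf/bin/oai_upf
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Block
+message: unauthorized access to kubernetes service account
+- dir: /run/secrets/kubernetes.io/serviceaccount/
+action: Allow
+fromSource:
+- path: /openair-upf/bin/oai_upf
+matchPaths:
+- path: /openair-upf/etc/upf.yaml
+action: Block
+- path: /openair-upf/etc/upf.yaml
+fromSource:
+- path: /openair-upf/bin/oai_upf
+
+
+network:
+matchProtocols:
+- fromSource:
+- path: /openair-upf/bin/oai_upf
+protocol: raw
+- fromSource:
+- path: /openair-upf/bin/oai_upf
+protocol: tcp
+- fromSource:
+- path: /openair-upf/bin/oai_upf
+protocol: udp
+process:
+matchPaths:
+- path: /openair-upf/bin/oai_upf
+selector:
+matchLabels:
+workload.nephio.org/oai: upf
+severity: 1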
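--- a/5gsec/oai-core/kyverno-core-readonly-volume-mounts.yaml
+++ b/5gsec/oai-core/kyverno-core-readonly-volume-mounts.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+name: kyverno-core-readonly-volume-mounts
+spec:
+validationFailureAction: enforce
+rules:
+- name: check-readonly-volumes
+match:
+resources:
+kinds:
+- Pod
+namespaces:
+- oai-core
+validate:
+message: "All volume mounts must be read-only."
+pattern:
+spec:
+containers:
+- volumeMounts:
+- readOnly: true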
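Review bot: The `pattern` requires a `volumeMounts` key on every container, so a Pod in `oai-core` whose container declares no volume mounts would be rejected rather than trivially passing; I believe Kyverno's conditional anchor is the fix, writing `- =(volumeMounts):` above `- readOnly: true` so the read-only check only applies when mounts are present. The pattern also covers `containers` only, so `initContainers` and `ephemeralContainers` are not validated and could still mount writable volumes. `validationFailureAction: enforce` is the lowercase legacy spelling; newer Kyverno releases document `Enforce`, so confirm what the target version accepts before relying on blocking behaviour.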