add rule CRD and update cluster role permissions

Signed-off-by: Matthias Bertschy <[email protected]>

Author: matthyx

charts/kubescape-operator/crds/rules.crd.yaml

@@ -0,0 +1,127 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: rules.kubescape.io
+spec:
+  group: kubescape.io
+  names:
+    kind: Rules
+    listKind: RulesList
+    plural: rules
+    singular: rule
+  scope: Namespaced
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              properties:
+                rules:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      enabled:
+                        type: boolean
+                        description: "Whether the rule is enabled"
+                      id:
+                        type: string
+                        description: "Unique identifier for the rule"
+                      name:
+                        type: string
+                        description: "Name of the rule"
+                      description:
+                        type: string
+                        description: "Description of the rule"
+                      expressions:
+                        type: object
+                        properties:
+                          message:
+                            type: string
+                            description: "Message expression"
+                          unique_id:
+                            type: string
+                            description: "Unique identifier expression"
+                          rule_expression:
+                            type: array
+                            items:
+                              type: object
+                              properties:
+                                event_type:
+                                  type: string
+                                  enum:
+                                    - "exec"
+                                    - "open"
+                                    - "capabilities"
+                                    - "dns"
+                                    - "network"
+                                    - "syscall"
+                                    - "randomx"
+                                    - "symlink"
+                                    - "hardlink"
+                                    - "ssh"
+                                    - "http"
+                                    - "ptrace"
+                                    - "iouring"
+                                    - "fork"
+                                    - "exit"
+                                    - "procfs"
+                                  description: "Type of event this expression handles"
+                                expression:
+                                  type: string
+                                  description: "The rule expression string"
+                              required:
+                                - event_type
+                                - expression
+                        required:
+                          - message
+                          - unique_id
+                          - rule_expression
+                      profile_dependency:
+                        type: integer
+                        enum: [0, 1, 2]
+                        description: "Profile dependency level (0=Required, 1=Optional, 2=NotRequired)"
+                      severity:
+                        type: integer
+                        description: "Severity level of the rule"
+                      support_policy:
+                        type: boolean
+                        description: "Whether the rule supports rule policy enforcement"
+                        default: false
+                      tags:
+                        type: array
+                        items:
+                          type: string
+                        description: "Tags associated with the rule"
+                      state:
+                        type: object
+                        additionalProperties: true
+                        description: "State information for the rule"
+                      agent_version_requirement:
+                        type: string
+                        description: "Agent version requirement to evaluate this rule (supports semver ranges like ~1.0, >=1.2.0, etc.)"
+                    required:
+                      - enabled
+                      - id
+                      - name
+                      - description
+                      - expressions
+                      - profile_dependency
+                      - severity
+                      - support_policy
+                      - tags
+              required:
+                - rules
+      subresources:
+        status: {}

charts/kubescape-operator/templates/node-agent/clusterrole.yaml

@@ -42,4 +42,7 @@ rules:
 - apiGroups: ["events.k8s.io"]
   resources: ["events"]
   verbs: ["create", "patch", "get"]
+- apiGroups: ["kubescape.io"]
+  resources: ["rules"]
+  verbs: ["list", "watch"]
 {{- end }}

charts/kubescape-operator/templates/node-agent/daemonset.yaml

@@ -228,6 +228,8 @@ spec:
             - name: MULTIPLY
               value: "true"
             {{- end }}
+            - name: AGENT_VERSION
+              value: "{{ .Values.nodeAgent.image.tag }}"
             {{- range .Values.nodeAgent.env }}
             - name: {{ .name }}
             {{- if .value }}

charts/kubescape-operator/templates/node-agent/daemonsets.yaml

@@ -231,6 +231,8 @@ spec:
             - name: MULTIPLY
               value: "true"
             {{- end }}
+            - name: AGENT_VERSION
+              value: "{{ .Values.nodeAgent.image.tag }}"
             {{- range .Values.nodeAgent.env }}
             - name: {{ .name }}
             {{- if .value }}

charts/kubescape-operator/templates/node-agent/default-rule-binding.yaml

@@ -29,58 +29,29 @@ spec:
       {{- end }}
   rules:
     - ruleName: "Unexpected process launched"
-    - ruleName: "Unexpected file access"
-      parameters:
-        ignoreMounts: true
-        ignorePrefixes: ["/proc", "/run/secrets/kubernetes.io/serviceaccount", "/var/run/secrets/kubernetes.io/serviceaccount", "/tmp"]
-        includePrefixes: [ "/etc", "/var/spool/cron/", "/var/log/", "/var/run/", "/dev/shm/", "/run/", "/var/www/", "/var/lib/docker/", "/opt/", "/usr/local/", "/app/", "/.dockerenv", "/proc/self/environ", "/var/lib/kubelet/", "/etc/cni/net.d/", "/var/run/secrets/kubernetes.io/", "/var/run/secrets/kubernetes.io/serviceaccount/", "/run/containerd/", "/run/flannel/", "/run/calico/"]
-    - ruleName: "Unexpected system call"
-    - ruleName: "Unexpected capability used"
-    - ruleName: "Unexpected domain request"
-    - ruleName: "Unexpected Service Account Token Access"
-    - ruleName: "Kubernetes Client Executed"
-    - ruleName: "Exec from malicious source"
-    - ruleName: "Kernel Module Load"
-    - ruleName: "Exec Binary Not In Base Image"
-    # - ruleName: "Malicious SSH Connection"
-    - ruleName: "Fileless Execution"
-    - ruleName: "XMR Crypto Mining Detection"
-    - ruleName: "Exec from mount"
+    - ruleName: "Files Access Anomalies in container"
+    - ruleName: "Syscalls Anomalies in container"
+    - ruleName: "Linux Capabilities Anomalies in container"
+    - ruleName: "DNS Anomalies in container"
+    - ruleName: "Unexpected service account token access"
+    - ruleName: "Workload uses Kubernetes API unexpectedly"
+    - ruleName: "Process executed from malicious source"
+    - ruleName: "Process tries to load a kernel module"
+    - ruleName: "Drifted process executed"
+    - ruleName: "Disallowed ssh connection"
+    - ruleName: "Fileless execution detected"
+    - ruleName: "Crypto miner launched"
+    - ruleName: "Process executed from mount"
     - ruleName: "Crypto Mining Related Port Communication"
     - ruleName: "Crypto Mining Domain Communication"
     - ruleName: "Read Environment Variables from procfs"
     - ruleName: "eBPF Program Load"
-    - ruleName: "Symlink Created Over Sensitive File"
+    - ruleName: "Soft link created over sensitive file"
     - ruleName: "Unexpected Sensitive File Access"
-    - ruleName: "Hardlink Created Over Sensitive File"
+    - ruleName: "Hard link created over sensitive file"
     - ruleName: "Exec to pod"
     - ruleName: "Port forward"
-    # - ruleName: "Unexpected Egress Network Traffic"
+    - ruleName: "Unexpected Egress Network Traffic"
     - ruleName: "Malicious Ptrace Usage"
-    - ruleName: "Cross-Site Scripting (XSS) Attempt"
-    - ruleName: "SQL Injection Attempt"
-    - ruleName: "Server-Side Request Forgery Attack Attempt"
-    - ruleName: "Remote File Inclusion Attack Attempt"
-    - ruleName: "Local File Inclusion Attempt"
-    - ruleName: "XML External Entity Attack Attempt"
-    - ruleName: "Server-Side Template Injection Attack"
-    - ruleName: "Command Injection Attempt"
-    - ruleName: "Unexpected Exec Source"
-    - ruleName: "Unexpected Open Source"
-    - ruleName: "Unexpected Symlink Source"
-    - ruleName: "Unexpected Hardlink Source"
     - ruleName: "Unexpected io_uring Operation Detected"
-    - ruleName: "ReDoS Attack"
-    - ruleName: "Prototype Pollution Attack"
-    - ruleName: "Execution of base64 Encoded Command"
-    - ruleName: "Execution of interpreter command"
-    - ruleName: "Code Sharing Site Access"
-    - ruleName: "Web Application File Write Access"
-    - ruleName: "Cron Job File Created or Modified"
-    - ruleName: "Hidden File Created"
-    - ruleName: "Reverse Shell Patterens Detected"
-    - ruleName: "Unauthorized IMDS Connection Attempt"
-    - ruleName: "Credentials Detection Attempts"
-    - ruleName: "HTTP Request Smuggling Attempt"
-    - ruleName: "P2P Tracker Connection Created"
 {{- end }}