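--- a/charts/dependency_chart/rules-crds/Chart.yaml
+++ b/charts/dependency_chart/rules-crds/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: kubescape-rules-crd
+description: A Helm chart CRDs for Kubescape rules
+
+type: application
+
+version: 0.0.1
+
+appVersion: "0.0.1"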
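--- a/charts/dependency_chart/rules-crds/crds/rules.crd.yaml
+++ b/charts/dependency_chart/rules-crds/crds/rules.crd.yaml
@@ -0,0 +1,110 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+name: rules.kubescape.io
+spec:
+group: kubescape.io
+names:
+kind: Rules
+listKind: RulesList
+plural: rules
+singular: rule
+scope: Namespaced
+versions:
+- name: v1
+served: true
+storage: true
+schema:
+openAPIV3Schema:
+type: object
+properties:
+apiVersion:
+type: string
+kind:
+type: string
+metadata:
+type: object
+spec:
+type: object
+properties:
+rules:
+type: array
+items:
+type: object
+properties:
+enabled:
+type: boolean
+description: "Whether the rule is enabled"
+id:
+type: string
+description: "Unique identifier for the rule"
+name:
+type: string
+description: "Name of the rule"
+description:
+type: string
+description: "Description of the rule"
+expressions:
+type: object
+properties:
+message:
+type: string
+description: "Message expression"
+uniqueId:
+type: string
+description: "Unique identifier expression"
+ruleExpression:
+type: array
+items:
+type: object
+properties:
+eventType:
+type: string
+description: "Type of event this expression handles"
+expression:
+type: string
+description: "The rule expression string"
+required:
+- eventType
+- expression
+required:
+- message
+- uniqueId
+- ruleExpression
+profileDependency:
+type: integer
+enum: [0, 1, 2]
+description: "Profile dependency level (0=Required, 1=Optional, 2=NotRequired)"
+severity:
+type: integer
+description: "Severity level of the rule"
+supportPolicy:
+type: boolean
+description: "Whether the rule supports rule policy enforcement"
+default: false
+tags:
+type: array
+items:
+type: string
+description: "Tags associated with the rule"
+state:
+type: object
+additionalProperties: true
+description: "State information for the rule"
+agentVersionRequirement:
+type: string
+description: "Agent version requirement to evaluate this rule (supports semver ranges like ~1.0, >=1.2.0, etc.)"
+required:
+- enabled
+- id
+- name
+- description
+- expressions
+- profileDependency
+- severity
+- supportPolicy
+- tags
+required:
+- rules
+subresources:
+status: {}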
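Review bot: This CRD and the copy added at charts/kubescape-operator/crds/rules.crd.yaml (the 123-line hunk below) both define `rules.kubescape.io` version `v1` with `storage: true`, but the operator copy additionally lists `isTriggerAlert`, `mitreTechnique` and `mitreTactic` under `required`; a CRD is cluster-scoped, so whichever chart is installed last replaces the schema, and Rules objects valid under one copy are rejected by the other. Either keep the two files byte-identical or relax the operator copy's `required` list so both schemas accept the same objects. Separately, `subresources: status: {}` is enabled while `openAPIV3Schema.properties` declares no `status` property; apiextensions.k8s.io/v1 prunes unknown fields, so if any controller writes a status it would be dropped unless a `status:` property (for example with `x-kubernetes-preserve-unknown-fields: true`) is added, which applies to both copies. `severity` is an unbounded integer next to an enumerated `profileDependency`; a `minimum`/`maximum` (bounds to be confirmed against the agent) would reject malformed rules at admission instead of at evaluation time.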
Empty file.
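--- a/charts/kubescape-operator/Chart.yaml
+++ b/charts/kubescape-operator/Chart.yaml
@@ -9,14 +9,14 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 1.29.9
+version: 1.29.10
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 
-appVersion: 1.29.9
+appVersion: 1.29.10
 
 maintainers:
 - name: Ben Hirschberg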
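--- a/charts/kubescape-operator/crds/rules.crd.yaml
+++ b/charts/kubescape-operator/crds/rules.crd.yaml
@@ -0,0 +1,123 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+name: rules.kubescape.io
+spec:
+group: kubescape.io
+names:
+kind: Rules
+listKind: RulesList
+plural: rules
+singular: rule
+scope: Namespaced
+versions:
+- name: v1
+served: true
+storage: true
+schema:
+openAPIV3Schema:
+type: object
+properties:
+apiVersion:
+type: string
+kind:
+type: string
+metadata:
+type: object
+spec:
+type: object
+properties:
+rules:
+type: array
+items:
+type: object
+properties:
+enabled:
+type: boolean
+description: "Whether the rule is enabled"
+id:
+type: string
+description: "Unique identifier for the rule"
+name:
+type: string
+description: "Name of the rule"
+description:
+type: string
+description: "Description of the rule"
+expressions:
+type: object
+properties:
+message:
+type: string
+description: "Message expression"
+uniqueId:
+type: string
+description: "Unique identifier expression"
+ruleExpression:
+type: array
+items:
+type: object
+properties:
+eventType:
+type: string
+description: "Type of event this expression handles"
+expression:
+type: string
+description: "The rule expression string"
+required:
+- eventType
+- expression
+required:
+- message
+- uniqueId
+- ruleExpression
+profileDependency:
+type: integer
+enum: [0, 1, 2]
+description: "Profile dependency level (0=Required, 1=Optional, 2=NotRequired)"
+severity:
+type: integer
+description: "Severity level of the rule"
+supportPolicy:
+type: boolean
+description: "Whether the rule supports rule policy enforcement"
+default: false
+tags:
+type: array
+items:
+type: string
+description: "Tags associated with the rule"
+state:
+type: object
+additionalProperties: true
+description: "State information for the rule"
+agentVersionRequirement:
+type: string
+description: "Agent version requirement to evaluate this rule (supports semver ranges like ~1.0, >=1.2.0, etc.)"
+isTriggerAlert:
+type: boolean
+description: "Whether the rule is a trigger alert"
+default: true
+mitreTechnique:
+type: string
+description: "MITRE technique associated with the rule"
+mitreTactic:
+type: string
+description: "MITRE tactic associated with the rule"
+required:
+- enabled
+- id
+- name
+- description
+- expressions
+- profileDependency
+- severity
+- supportPolicy
+- tags
+- isTriggerAlert
+- mitreTechnique
+- mitreTactic
+required:
+- rules
+subresources:
+status: {}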
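Review bot: `mitreTechnique` and `mitreTactic` are added to `required` as free-form strings, so every rule must carry both even when it has no MITRE mapping, and nothing constrains the value format. If rules without a mapping are expected, drop the two entries from `required` so an absent field reads as unset rather than forcing an empty or placeholder string; otherwise a `pattern` matching the ATT&CK identifier format would catch typos at admission. `isTriggerAlert` is both listed under `required` and given `default: true`; the apiserver applies defaults before validation, so the requirement can never fail for this field and one of the two should be dropped to express the intent — the same combination already exists for `supportPolicy`.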
Expand Up @@ -42,4 +42,7 @@ rules:
- apiGroups: ["events.k8s.io"]
resources: ["events"]
verbs: ["create", "patch", "get"]
- apiGroups: ["kubescape.io"]
resources: ["rules"]
verbs: ["list", "watch"]
{{- end }}
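Review bot: The new rule grants `list` and `watch` on `rules` in `kubescape.io` without a namespace qualifier, while the `Rules` CRD added in this PR is `scope: Namespaced`; if this is a ClusterRole bound to the node-agent, Rules objects from every namespace become input to the detection engine, so whoever can create `rules.kubescape.io` objects in any namespace can change what the agent detects. Document which namespace(s) the agent is meant to read from, and if it only needs its own namespace prefer a namespaced Role or a namespace-restricted informer. The kind of the enclosing role and the file path are outside the hunk, so this is inferred from the rule alone.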
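--- a/charts/kubescape-operator/templates/node-agent/daemonset.yaml
+++ b/charts/kubescape-operator/templates/node-agent/daemonset.yaml
@@ -228,6 +228,8 @@ spec:
 - name: MULTIPLY
 value: "true"
 {{- end }}
+- name: AGENT_VERSION
+value: "{{ .Values.nodeAgent.image.tag }}"
 {{- range .Values.nodeAgent.env }}
 - name: {{ .name }}
 {{- if .value }}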
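Review bot: `AGENT_VERSION` is taken verbatim from `.Values.nodeAgent.image.tag`, so if the tag is left empty or overridden with a digest or a non-semver value, the `agentVersionRequirement` range declared in the Rules schema cannot match it; if the image reference elsewhere in this template falls back to the chart's app version for an empty tag, the same fallback belongs here, e.g. `value: "{{ .Values.nodeAgent.image.tag | default .Chart.AppVersion }}"`. A one-line comment above the entry stating that this value must stay a semver string because rules compare against it would protect the next editor. The identical addition in the hunk at `@@ -231,6 +231,8 @@` below has the same issue; the container spec enclosing both starts above the hunk.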
Expand Up @@ -231,6 +231,8 @@ spec:
- name: MULTIPLY
value: "true"
{{- end }}
- name: AGENT_VERSION
value: "{{ .Values.nodeAgent.image.tag }}"
{{- range .Values.nodeAgent.env }}
- name: {{ .name }}
{{- if .value }}
Expand Up @@ -29,58 +29,29 @@ spec:
{{- end }}
rules:
- ruleName: "Unexpected process launched"
- ruleName: "Unexpected file access"
parameters:
ignoreMounts: true
ignorePrefixes: ["/proc", "/run/secrets/kubernetes.io/serviceaccount", "/var/run/secrets/kubernetes.io/serviceaccount", "/tmp"]
includePrefixes: [ "/etc", "/var/spool/cron/", "/var/log/", "/var/run/", "/dev/shm/", "/run/", "/var/www/", "/var/lib/docker/", "/opt/", "/usr/local/", "/app/", "/.dockerenv", "/proc/self/environ", "/var/lib/kubelet/", "/etc/cni/net.d/", "/var/run/secrets/kubernetes.io/", "/var/run/secrets/kubernetes.io/serviceaccount/", "/run/containerd/", "/run/flannel/", "/run/calico/"]
- ruleName: "Unexpected system call"
- ruleName: "Unexpected capability used"
- ruleName: "Unexpected domain request"
- ruleName: "Unexpected Service Account Token Access"
- ruleName: "Kubernetes Client Executed"
- ruleName: "Exec from malicious source"
- ruleName: "Kernel Module Load"
- ruleName: "Exec Binary Not In Base Image"
# - ruleName: "Malicious SSH Connection"
- ruleName: "Fileless Execution"
- ruleName: "XMR Crypto Mining Detection"
- ruleName: "Exec from mount"
- ruleName: "Files Access Anomalies in container"
- ruleName: "Syscalls Anomalies in container"
- ruleName: "Linux Capabilities Anomalies in container"
- ruleName: "DNS Anomalies in container"
- ruleName: "Unexpected service account token access"
- ruleName: "Workload uses Kubernetes API unexpectedly"
- ruleName: "Process executed from malicious source"
- ruleName: "Process tries to load a kernel module"
- ruleName: "Drifted process executed"
- ruleName: "Disallowed ssh connection"
- ruleName: "Fileless execution detected"
- ruleName: "Crypto miner launched"
- ruleName: "Process executed from mount"
- ruleName: "Crypto Mining Related Port Communication"
- ruleName: "Crypto Mining Domain Communication"
- ruleName: "Read Environment Variables from procfs"
- ruleName: "eBPF Program Load"
- ruleName: "Symlink Created Over Sensitive File"
- ruleName: "Soft link created over sensitive file"
- ruleName: "Unexpected Sensitive File Access"
- ruleName: "Hardlink Created Over Sensitive File"
- ruleName: "Hard link created over sensitive file"
- ruleName: "Exec to pod"
- ruleName: "Port forward"
# - ruleName: "Unexpected Egress Network Traffic"
- ruleName: "Unexpected Egress Network Traffic"
- ruleName: "Malicious Ptrace Usage"
- ruleName: "Cross-Site Scripting (XSS) Attempt"
- ruleName: "SQL Injection Attempt"
- ruleName: "Server-Side Request Forgery Attack Attempt"
- ruleName: "Remote File Inclusion Attack Attempt"
- ruleName: "Local File Inclusion Attempt"
- ruleName: "XML External Entity Attack Attempt"
- ruleName: "Server-Side Template Injection Attack"
- ruleName: "Command Injection Attempt"
- ruleName: "Unexpected Exec Source"
- ruleName: "Unexpected Open Source"
- ruleName: "Unexpected Symlink Source"
- ruleName: "Unexpected Hardlink Source"
- ruleName: "Unexpected io_uring Operation Detected"
- ruleName: "ReDoS Attack"
- ruleName: "Prototype Pollution Attack"
- ruleName: "Execution of base64 Encoded Command"
- ruleName: "Execution of interpreter command"
- ruleName: "Code Sharing Site Access"
- ruleName: "Web Application File Write Access"
- ruleName: "Cron Job File Created or Modified"
- ruleName: "Hidden File Created"
- ruleName: "Reverse Shell Patterens Detected"
- ruleName: "Unauthorized IMDS Connection Attempt"
- ruleName: "Credentials Detection Attempts"
- ruleName: "HTTP Request Smuggling Attempt"
- ruleName: "P2P Tracker Connection Created"
{{- end }}
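Review bot: The entries that replace the `Unexpected file access` rule drop its `parameters:` block (`ignoreMounts`, `ignorePrefixes`, `includePrefixes`), so the file-access rule that remains on the new side (`Files Access Anomalies in container`, as far as the rendering shows) runs with whatever defaults the agent applies; if the new rule accepts the same parameters they should be carried over, otherwise a comment in the template should state that the prefix tuning has intentionally moved into the rule definition. `Unexpected Egress Network Traffic` appears to go from commented-out to active in the same hunk, which changes the default alert surface for existing installs and deserves a mention in the chart's release notes. The rendering loses the add/remove markers, so which lines are old and which are new is inferred here, and the enclosing `spec:` block starts above the hunk.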