Project Description

The idea is to predefine a set of security policies for popular container applications, for example MySQL, Nginx, etc. With these predefined security policies, users can simply download and unpack them and use them as they are, without having to work out the detailed security settings/configuration for the application container themselves. The policies could be any policies that Kubernetes and/or NeuVector support.

Today, there are security policies supported natively by Kubernetes, such as NetworkPolicy; there are extended policies, such as Kubewarden admission control policies; and there are advanced security policies, such as NeuVector's L7 network policy and its process and file policies. All of these provide functions to secure a Kubernetes environment. From the end user's point of view they are good, but not convenient enough to use unless the user is a security expert. So the idea is to create predefined security policies for many popular container applications and define them in a standard Kubernetes format, for example as a CRD extension. These become building blocks coupled with the application images: when users pull a container, its security policy can be imported at the same time, so the basic security settings (the baseline) are in place right away. If NeuVector is already installed, enforcement is in place as well. Most users will have basic security in place by doing almost nothing (and, where necessary, users can still customize or fine-tune the predefined templates).
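As an added illustration (not code from the original project page), here is what one such downloadable baseline for MySQL could look like when expressed only with policies already listed on this page: a Kubernetes NetworkPolicy for the network side and a Kyverno ClusterPolicy for the admission side, shipped together as one bundle. All names and labels are assumptions: the MySQL pods carry `app: mysql`, the only permitted client pods carry `app: wordpress`, both live in the `default` namespace, cluster DNS runs in `kube-system` as pods labelled `k8s-app: kube-dns`, and Kyverno is installed in the cluster.

```yaml
# Hypothetical "mysql-baseline" bundle: one multi-document manifest a user
# could apply alongside the MySQL image. Labels and namespaces are assumed.
#
# Part 1: network baseline.
# Selecting the MySQL pods with both Ingress and Egress policyTypes means that
# anything not explicitly allowed below is denied. Only the client workload may
# reach port 3306, and the database itself may only talk to cluster DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mysql-baseline
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: mysql            # assumed label on the MySQL pods
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: wordpress  # assumed label on the only allowed client
      ports:
        - protocol: TCP
          port: 3306
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumed CoreDNS label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Part 2: admission-time baseline (requires Kyverno).
# Any pod labelled app=mysql must run as non-root, must not be able to gain
# privileges, and must drop every Linux capability. Values are quoted strings,
# following the style of Kyverno's own policy library.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mysql-pod-baseline
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: mysql-restricted-security-context
      match:
        any:
          - resources:
              kinds:
                - Pod
              selector:
                matchLabels:
                  app: mysql
      validate:
        message: "MySQL pods must run as non-root, without privilege escalation, with all capabilities dropped."
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: "true"
                  allowPrivilegeEscalation: "false"
                  capabilities:
                    drop:
                      - ALL
```

Two caveats a bundle like this would have to document. A NetworkPolicy is only enforced by a CNI plugin that implements it; on a cluster whose CNI ignores NetworkPolicy the object is accepted but has no effect, so the template should state that requirement (or be paired with NeuVector enforcement, which does not depend on the CNI). And the stock MySQL image starts its entrypoint as root before switching to the mysql user, so the admission rule above would reject it unless the bundle also ships a matching runAsUser/fsGroup or targets an image built to start unprivileged. That per-application knowledge is exactly what the proposed templates would encode so that end users do not have to discover it themselves.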

Security needs to be easy to use but still strong enough to protect, and a lot of security posture/configuration/policy could already be defined at the time the application container image is created. This security manifest differs per application, but it is also relatively stable per container image. So, if we can create or generate security policy templates for popular application images, eventually make some of the solid ones built-in templates, or even grow this into a hosted security policy hub, it could become a new and critical way to secure the Kubernetes world.

Goal for this Hackweek

Study this more deeply, choose a few popular applications, and build a prototype/demo to prove the concept.

Resources

Some policies might not be a good fit to be profiled as a manifest. Here we will focus on relatively stable application security posture/configuration/runtime policies. A starting point could be to look into these:

https://open-docs.neuvector.com/policy/overview

https://kubernetes.io/docs/concepts/services-networking/network-policies/

https://docs.kubewarden.io/writing-policies

https://kyverno.io/docs/kyverno-policies/

Looking for hackers with the skills:

security kubernetes containers neuvector kubewarden

This project is part of:

Hack Week 23

Activity

  • 6 months ago: feih originated this project.
