Project Description

Idea is to predefine a set of security policies for popular container applications just for example MySQL, Nginx etc..., with these predefined security policies, users can just download unpack it to use. No need to worry too much about detailed security settings/configurations for this application container. The policies could be any policies that Kubernetes supported and/or NeuVector supported.

Today, there are security policies being supported by Kubernetes like NetworkPolicy, there are extended policies like KubeWarden admission control policies, there are advanced security policy like NeuVector's L7 network policy, process & file policy etc... All these policies are providing functions to secure a Kubernetes environment. From end user point of view, it is good but not convenient enough to use unless users are security experts. So idea is, we could create many predefined security policies for many popular container applications, define these as a Kubernetes standard format like CRD extension just for example. Make these the building blocks coupled with the app images, so when users pull a container, a security policy can be imported at same time. The basic security settings (baseline) will be in place right away. If NeuVector was installed already then the enforcement is in place as well. Most of the users will have basic security in place by doing almost nothing. (of course, if it's necessary, users can still customize or fine tune the predefined templates.)

Security needs to be easy to use but still strong enough to protect, a lot of security postures/configurations/policies could be already defined when this application container image is created. These security manifest is different per apps but it is relatively stable per container as well. So, if we can create or generate security policy templates for popular application images, eventually make some of solid ones a built-in template, or even grow to be a hosted security policy hub. It could be a new critical way to secure Kubernetes world.

Goal for this Hackweek

Study this deeper, choose a few popular applications and make a prototype/demo to proof the concept.

Resources

Some of the policies might not be a good fit to be profiled as manifest. Here we will be focusing on relatively stable application security posture/configuration/runtime policies. Starting point could be look into these:

https://open-docs.neuvector.com/policy/overview

https://kubernetes.io/docs/concepts/services-networking/network-policies/

https://docs.kubewarden.io/writing-policies

https://kyverno.io/docs/kyverno-policies/

Looking for hackers with the skills:

security kubernetes containers neuvector kubewarden

This project is part of:

Hack Week 23

Activity

  • 4 months ago: amunoz liked this project.
  • 4 months ago: heidi.bronson liked this project.
  • 4 months ago: feih added keyword "kubewarden" to this project.
  • 4 months ago: feih added keyword "neuvector" to this project.
  • 4 months ago: feih added keyword "containers" to this project.
  • 4 months ago: feih added keyword "kubernetes" to this project.
  • 4 months ago: feih added keyword "security" to this project.
  • 4 months ago: feih originated this project.

  • Comments

    Be the first to comment!

    Similar Projects

    Port NeuVector zero-trust security functions to host/VM by feih

    Project Description

    Today, NeuVector on...


    Model checking the BPF verifier by shunghsiyu

    Project Description

    BPF verifier plays a ...


    A CLI for Harvester by mohamed.belgaied

    [comment]: # Harvester does not officially come...


    RKE2/K3S working on IBM Power by tkelly

    [comment]: # (Please use the project descriptio...


    mikrolite - a cli to create lighweight Kubernetes clusters using microvms by rcase

    [comment]: # (Please use the project descriptio...


    Exploring DPDK within containers by paolodepa

    Project Description

    Containerization is h...


    Forklift - Text based GUI utility for dealing with containers by andreabenini

    [comment]: # (Please use the project descriptio...


    Package MONAI Machine Learning Models for Medical Applications by jordimassaguerpla

    Project Description

    MONAI Deploy aims to ...


    Containerized home mirror by lkocman

    I'm running a simple home mirror, but I managed...


    Building a container bootloader by flonnegren

    [comment]: # (Please use the project descriptio...


    Port NeuVector zero-trust security functions to host/VM by feih

    Project Description

    Today, NeuVector on...