From 2671abc98c66c3112d1721c8a6a757596c2f4037 Mon Sep 17 00:00:00 2001
From: gwg313
Date: Thu, 28 May 2026 21:41:46 -0400
Subject: [PATCH] add tetragon policies

Signed-off-by: gwg313
---
 management/platform-apps/audiobookshelf.yaml | 1 -
 .../policies/block-tmp-execution.yaml | 37 -------------------
 platform/tetragon/policies/kustomization.yaml | 9 ++++-
 .../tracingpolicy-network-connections.yaml | 8 ++++
 .../tracingpolicy-privilege-escalation.yaml | 9 +++++
 .../tracingpolicy-sensitive-binaries.yaml | 29 +++++++++++++++
 .../tracingpolicy-sensitive-file-access.yaml | 25 +++++++++++++
 .../policies/tracingpolicy-shell-spawn.yaml | 24 ++++++++++++
 8 files changed, 103 insertions(+), 39 deletions(-)
 delete mode 100644 platform/tetragon/policies/block-tmp-execution.yaml
 create mode 100644 platform/tetragon/policies/tracingpolicy-network-connections.yaml
 create mode 100644 platform/tetragon/policies/tracingpolicy-privilege-escalation.yaml
 create mode 100644 platform/tetragon/policies/tracingpolicy-sensitive-binaries.yaml
 create mode 100644 platform/tetragon/policies/tracingpolicy-sensitive-file-access.yaml
 create mode 100644 platform/tetragon/policies/tracingpolicy-shell-spawn.yaml

diff --git a/management/platform-apps/audiobookshelf.yaml b/management/platform-apps/audiobookshelf.yaml
index a5811d1..30fc6fc 100644
--- a/management/platform-apps/audiobookshelf.yaml
+++ b/management/platform-apps/audiobookshelf.yaml
@@ -20,4 +20,3 @@ spec:
 selfHeal: true
 syncOptions:
 - CreateNamespace=true
- - ServerSideApply=true
diff --git a/platform/tetragon/policies/block-tmp-execution.yaml b/platform/tetragon/policies/block-tmp-execution.yaml
deleted file mode 100644
index 5eb7812..0000000
--- a/platform/tetragon/policies/block-tmp-execution.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: cilium.io/v1alpha1
-kind: TracingPolicy
-metadata:
- name: block-tmp-execution
- namespace: kube-system
-spec:
- podSelector:
- matchExpressions:
- - key: "io.kubernetes.pod.namespace"
- operator: "NotIn"
- values:
- - kube-system
- - kube-public
- - kube-node-lease
- - argocd
- - kyverno
- - cilium-ingress
- - cilium-secrets
- - cert-manager
- - sealed-secrets
- - nfs-subdir-external-provisioner
- kprobes:
- - call: "sys_execve"
- syscall: true
- args:
- - index: 0
- type: "string"
- selectors:
- - matchArgs:
- - index: 0
- operator: "Prefix"
- values:
- - "/tmp/"
- - "/var/tmp/"
- - "/dev/shm/"
- matchActions:
- - action: Sigkill
diff --git a/platform/tetragon/policies/kustomization.yaml b/platform/tetragon/policies/kustomization.yaml
index b672498..81730b6 100644
--- a/platform/tetragon/policies/kustomization.yaml
+++ b/platform/tetragon/policies/kustomization.yaml
@@ -2,4 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - block-tmp-execution.yaml
+ - tracingpolicy-shell-spawn.yaml
+ - tracingpolicy-network-connections.yaml
+ - tracingpolicy-sensitive-binaries.yaml
+ - tracingpolicy-privilege-escalation.yaml
+ - tracingpolicy-sensitive-file-access.yaml
+
+commonLabels:
+ app.kubernetes.io/part-of: tetragon-policies
diff --git a/platform/tetragon/policies/tracingpolicy-network-connections.yaml b/platform/tetragon/policies/tracingpolicy-network-connections.yaml
new file mode 100644
index 0000000..82bd777
--- /dev/null
+++ b/platform/tetragon/policies/tracingpolicy-network-connections.yaml
@@ -0,0 +1,8 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: detect-network-connections
+spec:
+ tracepoints:
+ - subsystem: tcp
+ event: tcp_connect
diff --git a/platform/tetragon/policies/tracingpolicy-privilege-escalation.yaml b/platform/tetragon/policies/tracingpolicy-privilege-escalation.yaml
new file mode 100644
index 0000000..0c9e394
--- /dev/null
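Review bot: Removing `block-tmp-execution.yaml` from `resources` drops the only policy with an enforcement action (the `Sigkill` on exec from `/tmp/`, `/var/tmp/`, `/dev/shm/`) and, with it, the `io.kubernetes.pod.namespace NotIn` exclusion list; none of the five new policies carries a `podSelector`, so they also trace kube-system, cilium, argocd and the node's own host processes. If the move from enforcement to observe-only is deliberate, the commit message should say so, and the namespace filter is worth carrying into the new policies. `commonLabels` is deprecated in kustomize v5 in favour of `labels:` (with `includeSelectors: false`); it only touches `metadata.labels` on a TracingPolicy, so this is a style point, but the replacement avoids the selector rewriting `commonLabels` does on kinds it knows.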
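Review bot: The `tracepoints` entry in tracingpolicy-network-connections.yaml has no `args` and no `selectors`, so every TCP connect on every node emits an event that carries only the process and not the destination, which is high volume with little detection value. I also cannot place a `tcp_connect` tracepoint in the kernel's `tcp` subsystem (check `/sys/kernel/tracing/events/tcp/` on a node); Tetragon's own examples hook it as a kprobe, `kprobes: - call: "tcp_connect"` with `args: - index: 0 type: "sock"`, which decodes the socket's addresses and ports. Verify the policy actually loads (`tetra tracingpolicy list` reports load errors) and add a `matchArgs` selector using the `sock` operators (e.g. `NotDAddr` for cluster ranges) so only unexpected egress is reported.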
+++ b/platform/tetragon/policies/tracingpolicy-privilege-escalation.yaml
@@ -0,0 +1,9 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: detect-privilege-escalation
+spec:
+ kprobes:
+ - call: "commit_creds"
+ syscall: false
+ return: true
diff --git a/platform/tetragon/policies/tracingpolicy-sensitive-binaries.yaml b/platform/tetragon/policies/tracingpolicy-sensitive-binaries.yaml
new file mode 100644
index 0000000..d45fee7
--- /dev/null
+++ b/platform/tetragon/policies/tracingpolicy-sensitive-binaries.yaml
@@ -0,0 +1,29 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: detect-sensitive-binary-execution
+spec:
+ kprobes:
+ - call: "security_bprm_check"
+ syscall: false
+
+ selectors:
+ - matchBinaries:
+ - operator: In
+ values:
+ - /usr/bin/curl
+ - /usr/bin/wget
+ - /usr/bin/nc
+ - /usr/bin/netcat
+ - /usr/bin/nmap
+ - /usr/bin/socat
+ - /usr/bin/ssh
+ - /usr/sbin/iptables
+ - /usr/bin/apt
+ - /usr/bin/apt-get
+
+ args:
+ - index: 0
+ type: string
+
+ return: true
diff --git a/platform/tetragon/policies/tracingpolicy-sensitive-file-access.yaml b/platform/tetragon/policies/tracingpolicy-sensitive-file-access.yaml
new file mode 100644
index 0000000..977e93a
--- /dev/null
+++ b/platform/tetragon/policies/tracingpolicy-sensitive-file-access.yaml
@@ -0,0 +1,25 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: detect-sensitive-file-access
+spec:
+ kprobes:
+ - call: "security_file_open"
+ syscall: false
+
+ selectors:
+ - matchArgs:
+ - index: 0
+ operator: Prefix
+ values:
+ - /etc/shadow
+ - /etc/passwd
+ - /root
+ - /proc/kcore
+ - /var/run/secrets/kubernetes.io
+
+ args:
+ - index: 0
+ type: string
+
+ return: true
diff --git a/platform/tetragon/policies/tracingpolicy-shell-spawn.yaml b/platform/tetragon/policies/tracingpolicy-shell-spawn.yaml
new file mode 100644
index 0000000..180dfc9
--- /dev/null
+++ b/platform/tetragon/policies/tracingpolicy-shell-spawn.yaml
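Review bot: `commit_creds` is called on every exec, setuid and login, and the kprobe in tracingpolicy-privilege-escalation.yaml has no `args` and no `selectors`, so it will report a credential change for essentially every process start without saying what changed. A privilege-escalation detector needs at least the new credentials in the event (`args: - index: 0 type: "cred"`, if your Tetragon version has that argument type) plus a selector on uid or capability changes, or alternatively Tetragon's `matchCapabilityChanges` selector on an exec hook. `return: true` has no matching `returnArg`, so nothing is captured from the return value either; the same `return: true` without `returnArg` appears in tracingpolicy-sensitive-binaries.yaml, tracingpolicy-sensitive-file-access.yaml and tracingpolicy-shell-spawn.yaml and can be dropped in all four.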
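Review bot: In tracingpolicy-sensitive-binaries.yaml, `args: - index: 0 type: string` is declared against `security_bprm_check`, whose only parameter is `struct linux_binprm *`, so the decoded argument is unlikely to be the path the name suggests; Tetragon has a `linux_binprm` argument type for this hook, and since `matchBinaries` already puts the binary in the event the `args` block can simply be removed. Also confirm which binary `matchBinaries` resolves to at this hook, since it runs before the exec completes and may describe the calling process rather than the program being started — one `curl` from a test pod settles it. `operator: In` is an exact match, so the same tool at another path (`/bin/curl` on merged-/usr images, `/usr/bin/nc.openbsd`, busybox applets) is not covered; `Prefix`/`Postfix` values or a `NotIn` on trusted paths may fit better. The same arg type and matching questions apply to tracingpolicy-shell-spawn.yaml.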
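Review bot: `security_file_open` in tracingpolicy-sensitive-file-access.yaml receives a `struct file *` as argument 0, so `type: string` will not decode the path and the `Prefix` match on `/etc/shadow` and friends is unlikely to fire as intended; Tetragon's file-access examples use `type: "file"` for this hook, which exposes the path to `matchArgs` (keep the values, change `type: string` to `type: "file"`). `/etc/passwd` is read by nearly every process that resolves a user name, so that prefix will dominate the event stream; consider a separate entry paired with `matchBinaries` `NotIn` for known readers. `/var/run/secrets/kubernetes.io` will likewise fire for every client library that loads its service-account token at startup, which is expected behaviour, not a finding.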
@@ -0,0 +1,24 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: detect-shell-spawn
+spec:
+ kprobes:
+ - call: "security_bprm_check"
+ syscall: false
+
+ selectors:
+ - matchBinaries:
+ - operator: In
+ values:
+ - /bin/sh
+ - /bin/bash
+ - /bin/dash
+ - /bin/ash
+ - /busybox/sh
+
+ args:
+ - index: 0
+ type: string
+
+ return: true
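Review bot: With `operator: In` the `matchBinaries` list is an exact match, so a shell started as `/usr/bin/bash` or `/usr/bin/sh` (merged-/usr images), `/bin/zsh`, or via the `/bin/busybox` applet path produces no event. Adding the `/usr/bin/` twins, or using a `Postfix` operator with values like `/sh`, `/bash`, `/dash`, `/ash` if your Tetragon version supports it, covers the common base images. Without a `podSelector` this also reports every shell started by node agents and controllers in kube-system, so expect to reintroduce the namespace exclusions that the deleted block-tmp-execution policy carried, or the signal will be buried.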