add tetragon policies

Signed-off-by: gwg313 <gwg313@pm.me>
gwg313 2026-05-28 21:41:46 -04:00
parent baa0216960
commit 2671abc98c
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
8 changed files with 103 additions and 39 deletions


@ -20,4 +20,3 @@ spec:
selfHeal: true selfHeal: true
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true
- ServerSideApply=true
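Review bot: Dropping `- ServerSideApply=true` from `syncOptions:` changes how Argo CD applies every resource in this Application, yet the commit message (`add tetragon policies`) does not say why. If it was removed because the `TracingPolicy` objects misbehaved under server-side apply, a comment above `syncOptions:` such as `# client-side apply on purpose: <reason / ticket>` would keep the next reader from re-adding it. One common reason the option is enabled is that large CRD manifests exceed the `last-applied-configuration` annotation size limit under client-side apply, so confirm the CRDs synced by this Application are not affected. The enclosing `spec:` mapping starts before this hunk.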


@ -1,37 +0,0 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: block-tmp-execution
namespace: kube-system
spec:
podSelector:
matchExpressions:
- key: "io.kubernetes.pod.namespace"
operator: "NotIn"
values:
- kube-system
- kube-public
- kube-node-lease
- argocd
- kyverno
- cilium-ingress
- cilium-secrets
- cert-manager
- sealed-secrets
- nfs-subdir-external-provisioner
kprobes:
- call: "sys_execve"
syscall: true
args:
- index: 0
type: "string"
selectors:
- matchArgs:
- index: 0
operator: "Prefix"
values:
- "/tmp/"
- "/var/tmp/"
- "/dev/shm/"
matchActions:
- action: Sigkill


@ -2,4 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- block-tmp-execution.yaml - tracingpolicy-shell-spawn.yaml
- tracingpolicy-network-connections.yaml
- tracingpolicy-sensitive-binaries.yaml
- tracingpolicy-privilege-escalation.yaml
- tracingpolicy-sensitive-file-access.yaml
commonLabels:
app.kubernetes.io/part-of: tetragon-policies
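Review bot: `commonLabels:` at the end of this hunk is deprecated in Kustomize v5 in favor of `labels:` (check the kustomize build bundled with the Argo CD in use); the equivalent is `labels:`, `  - pairs:`, `      app.kubernetes.io/part-of: tetragon-policies`. `commonLabels` also rewrites selectors on any workload resource later added to this kustomization, which the `labels` form avoids unless `includeSelectors: true` is set. Separately, replacing `block-tmp-execution.yaml` removes the only policy that had a `matchActions` `Sigkill`, so after this commit the set is detect-only; if that is intended it is worth one line in the commit message. The Kustomization's header lines lie outside the hunk.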


@ -0,0 +1,8 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-network-connections
spec:
tracepoints:
- subsystem: tcp
event: tcp_connect
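Review bot: The tracepoint at `subsystem: tcp` / `event: tcp_connect` has no `args` and no `selectors`, so each event carries only process context (no destination address or port) and fires for every outbound TCP connection on every node, including kube-system, the CNI and kubelet probes. None of the policies added in this commit — this one, `detect-privilege-escalation`, `detect-sensitive-binary-execution`, `detect-sensitive-file-access` and `detect-shell-spawn` — keeps the `podSelector` namespace exclusion that the deleted `block-tmp-execution` policy had, so they are all cluster-wide; re-adding that `podSelector` with `matchExpressions` on `io.kubernetes.pod.namespace` `NotIn` the system namespaces (or using `TracingPolicyNamespaced`) would keep event volume manageable. I could not confirm that a `tcp:tcp_connect` tracepoint exists on the target kernel; the upstream Tetragon example uses `kprobes: - call: "tcp_connect"` with `args: - index: 0 type: "sock"`, which also yields the socket tuple, so verify against the `events/tcp/` directory under the node's tracefs before relying on this policy.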


@ -0,0 +1,9 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-privilege-escalation
spec:
kprobes:
- call: "commit_creds"
syscall: false
return: true
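Review bot: `commit_creds` at `- call: "commit_creds"` runs on every credential change, including every successful exec and every setuid/setgid, and with no `args` the event carries nothing that shows whether privileges actually increased, so this policy emits a large stream of events none of which individually indicates escalation. Tetragon's `cred` argument type (used in the upstream privilege-escalation examples; confirm it exists in the deployed version) captures the new credentials via `args: - index: 0 type: "cred"`, and a `matchArgs` selector can then narrow the policy to changes toward uid 0 or added capabilities. Separately, `return: true` is set here without a `returnArg`, as it also is in `detect-sensitive-binary-execution`, `detect-sensitive-file-access` and `detect-shell-spawn`; `commit_creds` returns `int`, so either add `returnArg: { type: "int" }` or drop `return: true`, since without the type the return value is dropped or the policy rejected at load depending on the Tetragon version.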


@ -0,0 +1,29 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-sensitive-binary-execution
spec:
kprobes:
- call: "security_bprm_check"
syscall: false
selectors:
- matchBinaries:
- operator: In
values:
- /usr/bin/curl
- /usr/bin/wget
- /usr/bin/nc
- /usr/bin/netcat
- /usr/bin/nmap
- /usr/bin/socat
- /usr/bin/ssh
- /usr/sbin/iptables
- /usr/bin/apt
- /usr/bin/apt-get
args:
- index: 0
type: string
return: true
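Review bot: `matchBinaries` at `- matchBinaries:` filters on the binary of the process that invoked `security_bprm_check`, i.e. the caller of exec whose image has not yet been replaced, so as far as I can tell this policy reports execs started *by* curl/wget/etc. rather than execs *of* them; `detect-shell-spawn` has the same structure. In addition, argument 0 of `security_bprm_check` is a `struct linux_binprm *`, which `type: string` under `args:` will not decode; Tetragon has a dedicated `linux_binprm` argument type for this hook (confirm it is supported by the deployed Tetragon version) on which `matchArgs` can select the executed path. The rewrite below keeps the same list of binaries and leaves the rest of the kprobe as is.
```yaml
    - call: "security_bprm_check"
      syscall: false
      args:
        - index: 0
          type: "linux_binprm"
      selectors:
        - matchArgs:
            - index: 0
              operator: "Equal"
              values:
                - /usr/bin/curl
                - /usr/bin/wget
                # … unchanged: remaining binaries from the original matchBinaries list …
      # … unchanged: rest of the kprobe …
```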


@ -0,0 +1,25 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-sensitive-file-access
spec:
kprobes:
- call: "security_file_open"
syscall: false
selectors:
- matchArgs:
- index: 0
operator: Prefix
values:
- /etc/shadow
- /etc/passwd
- /root
- /proc/kcore
- /var/run/secrets/kubernetes.io
args:
- index: 0
type: string
return: true
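Review bot: Argument 0 of `security_file_open` is a `struct file *`, so `type: string` under `args:` will not decode the path; Tetragon's `file` argument type is what its upstream file-access examples use with `operator: Prefix` on this hook, so change it to `type: "file"`. The `Prefix` value `/root` also matches any path that merely begins with that text (`/rootfs`, `/root.key`), so `/root/` is the intended prefix. `/etc/passwd` is world-readable and opened by nearly every user-name lookup, so expect that entry to dominate the output; `/etc/shadow`, already listed, is the credential file that matters. The same `return: true` without a `returnArg` appears here as in the other new policies.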


@ -0,0 +1,24 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-shell-spawn
spec:
kprobes:
- call: "security_bprm_check"
syscall: false
selectors:
- matchBinaries:
- operator: In
values:
- /bin/sh
- /bin/bash
- /bin/dash
- /bin/ash
- /busybox/sh
args:
- index: 0
type: string
return: true
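Review bot: The `matchBinaries` list is spelled `/bin/sh`, `/bin/bash`, `/bin/dash`, `/bin/ash`, but on images with a merged `/usr` those are symlinks into `/usr/bin`, and whether Tetragon reports the link path or the resolved `/usr/bin/bash` depends on how the exec was recorded; I would list both spellings or, if the deployed version supports it, use `operator: Postfix` with values such as `/bash` and `/sh`. Either way, verify with `tetra getevents` from a test pod that spawning a shell actually produces an event, since `matchBinaries` on a `security_bprm_check` probe describes the calling process (see the note on `detect-sensitive-binary-execution`).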