Merge pull request #8 from kondukto-io/feature/opa-support
Feature/opa support
ckalpakoglu authored Apr 4, 2024
2 parents 891cd49 + 35bbe8e commit 8ef74c4
Showing 27 changed files with 5,235 additions and 3,642 deletions.
3 changes: 1 addition & 2 deletions .gitignore
@@ -1,7 +1,6 @@
# ignore .txt
*.txt
# ignore bin
kntrl
# ignore object files
internal/**/*.o
internal/**/*x86.go
@@ -10,4 +9,4 @@ dist/
\.idea/
\.vscode/

.DS_Store
.DS_Store
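Review bot: the `.DS_Store` entry appears as both the removed and the added line of this hunk, which usually means the only difference is a trailing newline or other whitespace; worth confirming that was intended and that the editor is configured to end files with a newline so this does not flip back and forth on later commits. While here, the escaped `\.idea/` and `\.vscode/` patterns work but the backslashes are unnecessary in gitignore syntax, where `.idea/` and `.vscode/` match the same paths.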
31 changes: 24 additions & 7 deletions Readme.md
@@ -1,7 +1,5 @@
![kntrl logo](./docs/img/kntrl_logo.png) <!-- markdownlint-disable-line first-line-heading -->

# Kntrl

`kntrl` is an eBPF based runtime agent that monitors and prevents anomalous behaviour defined by you on your pipeline. kntrl achieves this by monitoring kernel calls, and denying access as soon as your defined behaviour is detected. Refer to this [presentation](https://docs.google.com/presentation/d/1nmbqGfIxp9UyxlfT5EJyQsEWtQaXVoWD9Qjj1MJevuk/edit?usp=sharing) to dive deeper into how we are achieving what kntrl does.

It can work as a single binary (`kntrl`) or with a docker runner (`docker.io/kondukto/kntrl:0.1.0`).
@@ -28,7 +26,7 @@ You can start using kntrl agent by simply running the following command:

```yaml
- name: kntrl agent
run: sudo ./kntrl run --mode=monitor --hosts=download.kondukto.io,${{ env.GITHUB_ACTIONS_URL }}
run: sudo ./kntrl run --mode=monitor --allowed-hosts=download.kondukto.io,${{ env.GITHUB_ACTIONS_URL }} --allowed-ips=10.0.2.3
```
OR with the docker:
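Review bot: the new `--allowed-ips=10.0.2.3` in the GitHub Actions example is an unexplained literal; a reader copying this step has no way to know what that address is or whether it applies to their runner. Suggest either replacing it with an obvious placeholder such as `--allowed-ips=<runner-dns-ip>` or adding a one-line comment in the YAML saying what the address is for, and documenting in the parameters table that `allowed-ips` is needed for traffic that does not go through a hostname (the hosts list alone will not cover it).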
@@ -41,7 +39,7 @@ OR with the docker:
--cgroupns=host \
--volume=/sys/kernel/debug:/sys/kernel/debug:ro \
--volume /tmp:/tmp \
--rm docker.io/kondukto/kntrl:0.1.0 run --mode=trace --hosts=kondukto.io,download.kondukto.io
--rm docker.io/kondukto/kntrl:0.1.0 run --mode=trace --allowed-hosts=kondukto.io,download.kondukto.io
```

This action will deploy kntrl into any GitHub Actions build.
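Review bot: this hunk renames `--hosts` to `--allowed-hosts` but the command still pins `docker.io/kondukto/kntrl:0.1.0`; if that tag predates the rename the documented command will fail on an unknown flag, so either bump the image tag to the release that carries the new flags or state the minimum version next to the example. Also, since the table in this PR documents leading-dot suffix matching (`.github.com`), `--allowed-hosts=.kondukto.io` would cover both `kondukto.io` and `download.kondukto.io` here and make the example shorter.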
@@ -73,8 +71,10 @@ The agent supports the following parameters:
| Name | Default | Description |
| ------------------------ | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `mode` | monitor | kntrl for detected behaviours (monitor or prevent/trace) |
| `hosts` | | allowed host list. IP or hostname (192.168.0.100, example.com, .github.com) |
| `level` | info | level of detail for logging (info, debug) |
| `allowed-hosts` | | allowed host list. (example.com, .github.com) |
| `allowed-ips` | | allowed IP list. (192.168.0.100, 1.1.1.1) |
| `allow-local-ranges` | true | allow access to local IP ranges |
| `allow-github-meta` | false | allow access to GitHub meta IP ranges (https://api.github.com/meta) |
| `output-file` | `/tmp/kntrl.out` | report file | |

### Running kntrl on monitoring mode
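Review bot: two rows of the parameters table need attention. The `mode` description "kntrl for detected behaviours (monitor or prevent/trace)" does not say what each mode does; suggest something like "action taken on detected behaviour: `monitor` (log only), `prevent` (block), `trace`" with whatever the actual semantics are. The `output-file` row ends with a stray `| |`, which renders as an extra empty column. For the new rows, the `allow-local-ranges` description should list which CIDR ranges count as local (the rego rule added later in this PR enumerates them), and given that this flag defaults to `true` while `allow-github-meta` defaults to `false`, a short sentence on why local ranges are trusted by default would help users of `prevent` mode understand what is not being blocked.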
@@ -102,7 +102,24 @@ The agent supports the following parameters:
--volume=/sys/kernel/debug:/sys/kernel/debug:ro \
--volume /tmp:/tmp \
--rm docker.io/kondukto/kntrl:0.1.0 \
--mode=trace --hosts=download.kondukto.io, .github.com
--mode=trace --allowed-hosts=download.kondukto.io, .github.com
```

## Open Policy Agent (OPA) Rules
`kntrl` supports an OPA-based policy engine to determine whether the event should be blocked or not. All the policy rules are stored under the bundle/kntrl/ directory.

An example rego rule:
```
package kntrl.network["is_local_ip_addr"]
import rego.v1
policy if {
ipaddr := input.daddr
local_ranges := ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "0.0.0.0/32"]
net.cidr_contains(local_ranges[_], ipaddr)
data.allow_local_ip_ranges == true
}
```

## Reporting
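Review bot: the changed docker line `--mode=trace --allowed-hosts=download.kondukto.io, .github.com` has a space after the comma, so the shell passes `.github.com` as a separate argument and it never reaches the allow list; drop the space (`--allowed-hosts=download.kondukto.io,.github.com`) or quote the value. In the new OPA section, the example checks `data.allow_local_ip_ranges` while the CLI flag documented above is `allow-local-ranges`; if the flag is mapped to that data key internally, say so in the text, otherwise align the names. The rule's range list also includes `0.0.0.0/32`, which is not a local network range and deserves a comment explaining why it is there. Finally, the code fence for the rule has no language tag; `rego` would give it highlighting, and it would help to show what `input` looks like (the example reads `input.daddr`, but the fields kntrl passes to the policy are not documented anywhere in this section).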
6 changes: 6 additions & 0 deletions bundle/.manifest
@@ -0,0 +1,6 @@
{
"roots": ["kntrl","assets"],
"metadata": {
"name": "kntrl"
}
}
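Review bot: the manifest declares two roots, `kntrl` and `assets`, but the Readme change in this PR only describes policies under `bundle/kntrl/`; if `assets` holds data documents or other files, a sentence in the Readme about what lives there would avoid confusion, and if it is unused it should be dropped from `roots`. Consider also adding a `revision` field to the manifest so deployed bundles can be identified when debugging a policy decision.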