5GSEC · b0m313 · Jun 17, 2024
diff --git a/examples/coco/1-kcp-origin.yaml b/examples/coco/1-kcp-origin.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-runtimeclass
+spec:
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - name: add-runtimeclass-to-deployment
+    match:
+      resources:
+        kinds:
+        - Deployment
+    mutate:
+      targets:
+        - apiVersion: apps/v1
+          kind: Deployment
+      patchStrategicMerge:
+        spec:
+          template:
+            spec:
+              runtimeClassName: kata-qemu
diff --git a/examples/coco/2-kcp-snp.yaml b/examples/coco/2-kcp-snp.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-runtimeclass
+spec:
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - name: add-runtimeclass-to-deployment
+    match:
+      resources:
+        kinds:
+        - Deployment
+    mutate:
+      targets:
+        - apiVersion: apps/v1
+          kind: Deployment
+      patchStrategicMerge:
+        spec:
+          template:
+            spec:
+              runtimeClassName: kata-qemu-snp
diff --git a/examples/coco/3-kcp-label.yaml b/examples/coco/3-kcp-label.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-runtimeclass
+spec:
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - name: add-runtimeclass-to-deployment
+    match:
+      resources:
+        kinds:
+        - Deployment
+        selector:
+          matchLabels:
+            app: nginx-test
+    mutate:
+      targets:
+        - apiVersion: apps/v1
+          kind: Deployment
+      patchStrategicMerge:
+        spec:
+          template:
+            spec:
+              runtimeClassName: kata-qemu-snp
diff --git a/examples/coco/csib-si-coco.yaml b/examples/coco/csib-si-coco.yaml
@@ -0,0 +1,25 @@
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntent
+metadata:
+  name: coco-workload
+spec:
+  intent:
+    id: cocoWorkload
+    description: "Ensure workload is encryted by running the specified workload in a Confidential VM"
+    action: Block
+---
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: ClusterSecurityIntentBinding
+metadata:
+  name: coco-workload-binding
+spec:
+  intents:
+    - name: coco-workload
+  selector:
+    nsSelector:
+      matchNames:
+        - default
+    workloadSelector:
+      matchLabels:
+        app: nginx-test
+
diff --git a/examples/coco/k8s-nginx-coco-deploy.yaml b/examples/coco/k8s-nginx-coco-deploy.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-test-coco
+  labels:
+    app: nginx-coco
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-coco
+  template:
+    metadata:
+      labels:
+        app: nginx-coco
+    spec:
+      containers:
+      - name: nginx-coco
+        image: 1hcoj/nginx
diff --git a/examples/coco/k8s-nginx-test-deploy.yaml b/examples/coco/k8s-nginx-test-deploy.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-test
+  labels:
+    app: nginx-test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-test
+  template:
+    metadata:
+      labels:
+        app: nginx-test
+    spec:
+      containers:
+      - name: nginx-test
+        image: 1hcoj/nginx
diff --git a/pkg/adapter/idpool/idpool.go b/pkg/adapter/idpool/idpool.go
@@ -20,6 +20,7 @@ const (
 	DisallowChRoot            = "disallowChRoot"
 	DisallowCapabilities      = "disallowCapabilities"
 	ExploitPFA                = "PreventExecutionFromTempOrLogsFolders"
+	CocoWorkload              = "cocoWorkload"
 )
 
 // KaIds are IDs supported by KubeArmor.
@@ -46,6 +47,10 @@ var KyvIds = []string{
 	EscapeToHost,
 }
 
+var CocoIds = []string{
+	CocoWorkload,
+}
+
 // IsIdSupportedBy determines whether a given ID is supported by a security engine.
 func IsIdSupportedBy(id, securityEngine string) bool {
 	switch strings.ToLower(securityEngine) {
@@ -55,6 +60,8 @@ func IsIdSupportedBy(id, securityEngine string) bool {
 		return in(id, NetPolIDs)
 	case "kyverno":
 		return in(id, KyvIds)
+	case "coco":
+		return in(id, CocoIds)
 	default:
 		return false
 	}

diff --git a/pkg/adapter/nimbus-coco/Makefile b/pkg/adapter/nimbus-coco/Makefile
@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+# Image URL to use all building/pushing image targets
+IMG ?= 5gsec/nimbus-coco
+# Image Tag to use all building/pushing image targets
+TAG ?= v0.1
+
+CONTAINER_TOOL ?= docker
+BINARY ?= bin/nimbus-coco
+
+build:
+	@go build -ldflags="-w" -o ${BINARY}  main.go
+
+run: build
+	@./${BINARY}
+
+.PHONY: docker-build
+docker-build:
+	$(CONTAINER_TOOL) build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} -f ./Dockerfile ../../../
+
+.PHONY: docker-push
+docker-push:
+	$(CONTAINER_TOOL) push ${IMG}:${TAG}
+	$(CONTAINER_TOOL) push ${IMG}:latest
+
+PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
+.PHONY: docker-buildx
+docker-buildx:
+	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
+	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
+	- $(CONTAINER_TOOL) buildx create --name project-v3-builder
+	$(CONTAINER_TOOL) buildx use project-v3-builder
+	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --build-arg VERSION=${TAG} --tag ${IMG}:${TAG} -f Dockerfile.cross ../../../ || { $(CONTAINER_TOOL) buildx rm project-v3-builder; rm Dockerfile.cross; exit 1; }
+	- $(CONTAINER_TOOL) buildx rm project-v3-builder
+	rm Dockerfile.cross
diff --git a/pkg/adapter/nimbus-coco/go.mod b/pkg/adapter/nimbus-coco/go.mod
@@ -0,0 +1,5 @@
+module github.com/5GSEC/nimbus/pkg/adapter/nimbus-coco
+
+go 1.22.0
+
+replace github.com/5GSEC/nimbus => ../../../../nimbus
diff --git a/pkg/adapter/nimbus-coco/main.go b/pkg/adapter/nimbus-coco/main.go
@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2023 Authors of Nimbus
+
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/5GSEC/nimbus/pkg/adapter/nimbus-coco/manager"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+)
+
+func main() {
+	ctrl.SetLogger(zap.New())
+	logger := ctrl.Log
+
+	ctx, cancelFunc := context.WithCancel(context.Background())
+	ctrl.LoggerInto(ctx, logger)
+
+	go func() {
+		termChan := make(chan os.Signal)
+		signal.Notify(termChan, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT)
+		<-termChan
+		logger.Info("Shutdown signal received, waiting for all workers to finish")
+		cancelFunc()
+		logger.Info("All workers finished, shutting down")
+	}()
+
+	logger.Info("Coco adapter started")
+	manager.Run(ctx)
+}