[RS-1843] DPI Snort rules configurable via intrusiondetection CR. #3488

43 changes: 43 additions & 0 deletions api/v1/intrusiondetection_types.go
Expand Up @@ -36,6 +36,49 @@ type IntrusionDetectionSpec struct {
// IntrusionDetectionControllerDeployment configures the IntrusionDetection Controller Deployment.
// +optional
IntrusionDetectionControllerDeployment *IntrusionDetectionControllerDeployment `json:"intrusionDetectionControllerDeployment,omitempty"`

// DeepPacketInspectionDaemonset configures the DPI Daemonset
// +optional
DeepPacketInspectionDaemonset *DeepPacketInspectionDaemonset `json:"deepPacketInspectionDaemonset,omitempty"`
}

type DeepPacketInspectionDaemonset struct {
// DPIDaemonsetSpec configures the DPI Daemonset
// +optional
Spec *DPIDaemonsetSpec `json:"spec,omitempty"`
}

type DPIDaemonsetSpec struct {
// Template specifies DPI Daemonset Template
// +optional
Template *DPIDaemonsetTemplate `json:"template,omitempty"`
}

type DPIDaemonsetTemplate struct {
// Spec specifies DPI Daemonset Template Spec
// +optional
Spec *DPIDaemonsetTemplateSpec `json:"spec,omitempty"`
}

type DPIDaemonsetTemplateSpec struct {
// List of DPI Daemonset Init containers definitions
// +kubebuilder:validation:MaxItems=1
InitContainers []DPIDaemonsetInitContainer `json:"initContainers,omitempty"`
}

type DPIDaemonsetInitContainer struct {
// Name is an enum that identifies the init container by its name.
// +kubebuilder:validation:Enum=snort-rules
Name string `json:"name"`

// Image name for the init container
Image string `json:"image"`

// Resources allows customization of limits and requests for compute resources such as cpu and memory.
// If specified, this overrides the init container's resources.
// If omitted, the default values will be used for the init container's resources.
// +optional
Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
}

type AnomalyDetectionSpec struct {
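Review bot: `Image` on `DPIDaemonsetInitContainer` is a required free-form string with no validation marker, yet it names the image the operator runs as an init container that populates the Snort rule set the DPI container loads; at minimum add `// +kubebuilder:validation:MinLength=1` so an empty image is rejected at admission, and state in the field comment that the value is rendered verbatim into the DaemonSet, so write access to the IntrusionDetection CR is what gates it. The new exported types (`DeepPacketInspectionDaemonset`, `DPIDaemonsetSpec`, `DPIDaemonsetTemplate`, `DPIDaemonsetTemplateSpec`, `DPIDaemonsetInitContainer`) carry no doc comment starting with the type name as Go convention expects, e.g. `// DPIDaemonsetInitContainer describes one init container added to the DPI DaemonSet pod.` `InitContainers` has `omitempty` but no `// +optional` marker, unlike every other optional field in the hunk. The enclosing `IntrusionDetectionSpec` begins outside the hunk.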
107 changes: 107 additions & 0 deletions api/v1/zz_generated.deepcopy.go

91 changes: 91 additions & 0 deletions pkg/crds/operator/operator.tigera.io_intrusiondetections.yaml
Expand Up @@ -119,6 +119,97 @@ spec:
- resourceRequirements
type: object
type: array
deepPacketInspectionDaemonset:
description: DeepPacketInspectionDaemonset configures the DPI Daemonset
properties:
spec:
description: DPIDaemonsetSpec configures the DPI Daemonset
properties:
template:
description: Template specifies DPI Daemonset Template
properties:
spec:
description: Spec specifies DPI Daemonset Template Spec
properties:
initContainers:
description: List of DPI Daemonset Init containers
definitions
items:
properties:
image:
description: Image name for the init container
type: string
name:
description: Name is an enum that identifies
the init container by its name.
enum:
- snort-rules
type: string
resources:
description: |-
Resources allows customization of limits and requests for compute resources such as cpu and memory.
If specified, this overrides the init container's resources.
If omitted, the default values will be used for the init container's resources.
properties:
claims:
description: |-
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references
one entry in PodSpec.ResourceClaims.
properties:
name:
description: |-
Name must match the name of one entry in pod.spec.resourceClaims of
the Pod where this field is used. It makes that resource available
inside a container.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
required:
- image
- name
type: object
maxItems: 1
type: array
type: object
type: object
type: object
type: object
intrusionDetectionControllerDeployment:
description: IntrusionDetectionControllerDeployment configures the
IntrusionDetection Controller Deployment.
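--- a/pkg/render/intrusiondetection/dpi/dpi.go
+++ b/pkg/render/intrusiondetection/dpi/dpi.go
@@ -40,14 +40,16 @@ import (
 )
 
 const (
-DeepPacketInspectionNamespace = "tigera-dpi"
-DeepPacketInspectionName = "tigera-dpi"
-DeepPacketInspectionPolicyName = networkpolicy.TigeraComponentPolicyPrefix + DeepPacketInspectionName
-DefaultMemoryLimit = "1Gi"
-DefaultMemoryRequest = "100Mi"
-DefaultCPULimit = "1"
-DefaultCPURequest = "100m"
-DeepPacketInspectionLinseedRBACName = "tigera-dpi-linseed-permissions"
+DeepPacketInspectionNamespace = "tigera-dpi"
+DeepPacketInspectionName = "tigera-dpi"
+DeepPacketInspectionPolicyName = networkpolicy.TigeraComponentPolicyPrefix + DeepPacketInspectionName
+DefaultMemoryLimit = "1Gi"
+DefaultMemoryRequest = "100Mi"
+DefaultCPULimit = "1"
+DefaultCPURequest = "100m"
+DeepPacketInspectionLinseedRBACName = "tigera-dpi-linseed-permissions"
+DeepPacketInspectionSnortRulesVolumeName = "snort-cache"
+DeepPacketInspectionSnortRulesVolumePath = "/usr/etc/snort/rules"
 )
 
 type DPIConfig struct {
@@ -180,6 +182,25 @@ func (d *dpiComponent) dpiDaemonset() *appsv1.DaemonSet {
 if d.cfg.TyphaNodeTLS.NodeSecret.UseCertificateManagement() {
 initContainers = append(initContainers, d.cfg.TyphaNodeTLS.NodeSecret.InitContainer(DeepPacketInspectionNamespace))
 }
+if d.dpiInitContainers() {
+for _, initContainer := range d.cfg.IntrusionDetection.Spec.DeepPacketInspectionDaemonset.Spec.Template.Spec.InitContainers {
+container := corev1.Container{
+Name: initContainer.Name,
+Image: initContainer.Image,
+ImagePullPolicy: render.ImagePullPolicy(),
+VolumeMounts: []corev1.VolumeMount{
+{
+Name: DeepPacketInspectionSnortRulesVolumeName,
+MountPath: DeepPacketInspectionSnortRulesVolumePath,
+},
+},
+}
+if initContainer.Resources != nil {
+container.Resources = *initContainer.Resources
+}
+initContainers = append(initContainers, container)
+}
+}
 
 podTemplate := &corev1.PodTemplateSpec{
 ObjectMeta: metav1.ObjectMeta{
@@ -262,6 +283,19 @@ func (d *dpiComponent) dpiVolumes() []corev1.Volume {
 })
 }
 
+if d.dpiInitContainers() {
+// if DPI init container is present we must include the empty dir volume
+// the volume is used to store customer's Snort rule files.
+volumes = append(volumes,
+corev1.Volume{
+Name: DeepPacketInspectionSnortRulesVolumeName,
+VolumeSource: corev1.VolumeSource{
+EmptyDir: &corev1.EmptyDirVolumeSource{},
+},
+},
+)
+}
+
 return volumes
 }
 
@@ -309,6 +343,18 @@ func (d *dpiComponent) dpiVolumeMounts() []corev1.VolumeMount {
 MountPath: render.LinseedVolumeMountPath,
 })
 }
+if d.dpiInitContainers() {
+// if DPI init container is present we must include the empty dir volume
+// the volume is used to store customer's Snort rule files.
+// the contents of the volume is controlled by the DPI init container.
+volumeMounts = append(volumeMounts,
+corev1.VolumeMount{
+Name: DeepPacketInspectionSnortRulesVolumeName,
+MountPath: DeepPacketInspectionSnortRulesVolumePath,
+ReadOnly: true,
+},
+)
+}
 return volumeMounts
 }
 
@@ -516,3 +562,17 @@ func (d *dpiComponent) dpiAllowTigeraPolicy() *v3.NetworkPolicy {
 },
 }
 }
+
+func (d *dpiComponent) dpiInitContainers() bool {
+switch {
+case d.cfg.IntrusionDetection.Spec.DeepPacketInspectionDaemonset == nil:
+return false
+case d.cfg.IntrusionDetection.Spec.DeepPacketInspectionDaemonset.Spec == nil:
+return false
+case d.cfg.IntrusionDetection.Spec.DeepPacketInspectionDaemonset.Spec.Template == nil:
+return false
+case d.cfg.IntrusionDetection.Spec.DeepPacketInspectionDaemonset.Spec.Template.Spec.InitContainers == nil:
+return false
+}
+return len(d.cfg.IntrusionDetection.Spec.DeepPacketInspectionDaemonset.Spec.Template.Spec.InitContainers) > 0
+}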
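Review bot: The init container built from the CR in dpiDaemonset (the `container := corev1.Container{...}` literal in the second hunk) sets no SecurityContext, so the image named in the IntrusionDetection CR runs with whatever pod-level context the template sets (not visible in the hunk) in the tigera-dpi namespace and writes the rule set the DPI container then mounts read-only; if the main DPI container is given a restrictive SecurityContext elsewhere in dpiDaemonset (that function starts before the hunk), the same one belongs here, and the decision either way deserves a comment such as `// Init container image comes from the IntrusionDetection CR; it inherits the pod's security context.` In `dpiInitContainers`, the `InitContainers == nil` case is redundant because `len` of a nil slice is 0, so the switch can end at the `Template == nil` case and fall through to the existing `return len(...) > 0`. The comment "we must include the empty dir volume" is duplicated in dpiVolumes and dpiVolumeMounts; the mounts-side copy would be more useful stating the actual invariant, that the DPI container's mount is read-only while the init container's mount of the same volume is writable.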