feature(k8s): policy k8s compatible

deploy/helm/tracee/templates/tracee-policies.yaml

@@ -7,38 +7,42 @@ metadata:
     {{- include "tracee.labels" . | nindent 4 }}
 data:
   signatures.yaml: |-
-    name: signature_events
-    description: traces all signature events
-    scope:
-      - global
-    rules:
-      - event: stdio_over_socket
-      - event: k8s_api_connection
-      - event: aslr_inspection
-      - event: proc_mem_code_injection
-      - event: docker_abuse
-      - event: scheduled_task_mod
-      - event: ld_preload
-      - event: cgroup_notify_on_release
-      - event: default_loader_mod
-      - event: sudoers_modification
-      - event: sched_debug_recon
-      - event: system_request_key_mod
-      - event: cgroup_release_agent
-      - event: rcd_modification
-      - event: core_pattern_modification
-      - event: proc_kcore_read
-      - event: proc_mem_access
-      - event: hidden_file_created
-      - event: anti_debugging
-      - event: ptrace_code_injection
-      - event: process_vm_write_inject
-      - event: disk_mount
-      - event: dynamic_code_loading
-      - event: fileless_execution
-      - event: illegitimate_shell
-      - event: kernel_module_loading
-      - event: k8s_cert_theft
-      - event: proc_fops_hooking
-      - event: syscall_hooking
-      - event: dropped_executable
+    apiVersion: aquasecurity.github.io/v1beta1
+    kind: TraceePolicy
+    metadata:
+      name: signature_events
+      description: traces all signature events
+    spec:
+      scope:
+        - global
+      rules:
+        - event: stdio_over_socket
+        - event: k8s_api_connection
+        - event: aslr_inspection
+        - event: proc_mem_code_injection
+        - event: docker_abuse
+        - event: scheduled_task_mod
+        - event: ld_preload
+        - event: cgroup_notify_on_release
+        - event: default_loader_mod
+        - event: sudoers_modification
+        - event: sched_debug_recon
+        - event: system_request_key_mod
+        - event: cgroup_release_agent
+        - event: rcd_modification
+        - event: core_pattern_modification
+        - event: proc_kcore_read
+        - event: proc_mem_access
+        - event: hidden_file_created
+        - event: anti_debugging
+        - event: ptrace_code_injection
+        - event: process_vm_write_inject
+        - event: disk_mount
+        - event: dynamic_code_loading
+        - event: fileless_execution
+        - event: illegitimate_shell
+        - event: kernel_module_loading
+        - event: k8s_cert_theft
+        - event: proc_fops_hooking
+        - event: syscall_hooking
+        - event: dropped_executable

deploy/kubernetes/tracee/tracee.yaml

@@ -9,41 +9,45 @@ metadata:
   name: tracee-policies
 data:
   signatures.yaml: |-
-    name: signature_events
-    description: traces all signature events
-    scope:
-      - global
-    rules:
-      - event: stdio_over_socket
-      - event: k8s_api_connection
-      - event: aslr_inspection
-      - event: proc_mem_code_injection
-      - event: docker_abuse
-      - event: scheduled_task_mod
-      - event: ld_preload
-      - event: cgroup_notify_on_release
-      - event: default_loader_mod
-      - event: sudoers_modification
-      - event: sched_debug_recon
-      - event: system_request_key_mod
-      - event: cgroup_release_agent
-      - event: rcd_modification
-      - event: core_pattern_modification
-      - event: proc_kcore_read
-      - event: proc_mem_access
-      - event: hidden_file_created
-      - event: anti_debugging
-      - event: ptrace_code_injection
-      - event: process_vm_write_inject
-      - event: disk_mount
-      - event: dynamic_code_loading
-      - event: fileless_execution
-      - event: illegitimate_shell
-      - event: kernel_module_loading
-      - event: k8s_cert_theft
-      - event: proc_fops_hooking
-      - event: syscall_hooking
-      - event: dropped_executable
+    apiVersion: aquasecurity.github.io/v1beta1
+    kind: TraceePolicy
+    metadata:
+      name: signature_events
+      description: traces all signature events
+    spec:
+      scope:
+        - global
+      rules:
+        - event: stdio_over_socket
+        - event: k8s_api_connection
+        - event: aslr_inspection
+        - event: proc_mem_code_injection
+        - event: docker_abuse
+        - event: scheduled_task_mod
+        - event: ld_preload
+        - event: cgroup_notify_on_release
+        - event: default_loader_mod
+        - event: sudoers_modification
+        - event: sched_debug_recon
+        - event: system_request_key_mod
+        - event: cgroup_release_agent
+        - event: rcd_modification
+        - event: core_pattern_modification
+        - event: proc_kcore_read
+        - event: proc_mem_access
+        - event: hidden_file_created
+        - event: anti_debugging
+        - event: ptrace_code_injection
+        - event: process_vm_write_inject
+        - event: disk_mount
+        - event: dynamic_code_loading
+        - event: fileless_execution
+        - event: illegitimate_shell
+        - event: kernel_module_loading
+        - event: k8s_cert_theft
+        - event: proc_fops_hooking
+        - event: syscall_hooking
+        - event: dropped_executable
 ---
 apiVersion: v1
 kind: ConfigMap

docs/docs/events/overview.md

@@ -18,12 +18,15 @@ Tracing `execve` events with [policies]:
 
 ```
 cat <<EOF >sample_policy.yaml
-name: sample policy
-description: traces execve events
-scope:
-  - global
-rules:
-  - event: execve
+apiVersion: aquasecurity.github.io/v1beta1
+kind: TraceePolicy
+metadata:
+	name: sample policy
+spec:
+	scope:
+	  - global
+	rules:
+	  - event: execve
 EOF
 ```
 

docs/docs/policies/index.md

@@ -10,21 +10,24 @@ You can load multiple (up to 64) policies into Tracee using the --policy flag pr
 Following is a sample policy:
 
 ```yaml
-name: overview policy
-description: sample overview policy
-scope:
-  - global
-rules:
-  - event: dropped_executable
-  - event: security_file_open
-    filters:
-        - args.pathname=/tmp/*
-  - event: sched_process_exec
-    filters: 
-        - uid=0
-  - event: close
-    filters:
-        - retval!=0
+apiVersion: aquasecurity.github.io/v1beta1
+kind: TraceePolicy
+metadata:
+	name: overview policy
+spec:
+	scope:
+	  - global
+	rules:
+	  - event: dropped_executable
+	  - event: security_file_open
+	    filters:
+		- args.pathname=/tmp/*
+	  - event: sched_process_exec
+	    filters: 
+		- uid=0
+	  - event: close
+	    filters:
+		- retval!=0
 ```
 
 This policy applies to any workload (global) and will log the dropped_executable, security_file_open, sched_process_exec and close events. Several filters are set to log only specific events:

docs/docs/policies/rules.md

@@ -12,14 +12,17 @@ Events support three types of filters: `context`, `arguments` and `return value`
 Context is data which is collected along the event. They can be filtered like:
 
 ```yaml
-name: sample_context_filter
-description: sample context filter
-scope:
-    - global
-rules:
-    event: sched_process_exec
-    filters:
-        - pid=1000
+apiVersion: aquasecurity.github.io/v1beta1
+kind: TraceePolicy
+metadata:
+	name: sample_context_filter
+spec:
+	scope:
+	    - global
+	rules:
+	    event: sched_process_exec
+	    filters:
+		- pid=1000
 ```
 
 The context filters supported are:
@@ -182,14 +185,17 @@ filters:
 Events have arguments, which can be filtered. 
 
 ```yaml
-name: sample_argument_filter
-description: sample argument filter
-scope:
-    - global
-rules:
-    event: security_file_open
-    filters:
-        - args.pathname=/tmp*
+apiVersion: aquasecurity.github.io/v1beta1
+kind: TraceePolicy
+metadata:
+	name: sample_argument_filter
+spec:
+	scope:
+	    - global
+	rules:
+	    event: security_file_open
+	    filters:
+		- args.pathname=/tmp*
 ```
 
 Arguments can be found on the respective event definition, in this case [security_file_open](https://github.com/aquasecurity/tracee/blob/main/pkg/events/events.goL5293-L529), or the user can test the event output in CLI before defining a policy, e.g:
@@ -207,12 +213,15 @@ tracee -e security_file_open --output json
 Return values can also be filtered.
 
 ```yaml
-name: sample_return_value
-description: sample return filter
-scope:
-    - global
-rules:
-    event: close
-    filters:
-        - retval!=0
+apiVersion: aquasecurity.github.io/v1beta1
+kind: TraceePolicy
+metadata:
+	name: sample_return_value
+spec:
+	scope:
+	    - global
+	rules:
+	    event: close
+	    filters:
+		- retval!=0
 ```

docs/tutorials/k8s-policies.md

@@ -56,41 +56,44 @@ Data
 ====
 signatures.yaml:
 ----
-name: signature_events
-description: traces all signature events
-scope:
-  - global
-rules:
-  - event: stdio_over_socket
-  - event: k8s_api_connection
-  - event: aslr_inspection
-  - event: proc_mem_code_injection
-  - event: docker_abuse
-  - event: scheduled_task_mod
-  - event: ld_preload
-  - event: cgroup_notify_on_release
-  - event: default_loader_mod
-  - event: sudoers_modification
-  - event: sched_debug_recon
-  - event: system_request_key_mod
-  - event: cgroup_release_agent
-  - event: rcd_modification
-  - event: core_pattern_modification
-  - event: proc_kcore_read
-  - event: proc_mem_access
-  - event: hidden_file_created
-  - event: anti_debugging
-  - event: ptrace_code_injection
-  - event: process_vm_write_inject
-  - event: disk_mount
-  - event: dynamic_code_loading
-  - event: fileless_execution
-  - event: illegitimate_shell
-  - event: kernel_module_loading
-  - event: k8s_cert_theft
-  - event: proc_fops_hooking
-  - event: syscall_hooking
-  - event: dropped_executable
+apiVersion: aquasecurity.github.io/v1beta1
+kind: TraceePolicy
+metadata:
+	name: signature_events
+spec:
+	scope:
+	  - global
+	rules:
+	  - event: stdio_over_socket
+	  - event: k8s_api_connection
+	  - event: aslr_inspection
+	  - event: proc_mem_code_injection
+	  - event: docker_abuse
+	  - event: scheduled_task_mod
+	  - event: ld_preload
+	  - event: cgroup_notify_on_release
+	  - event: default_loader_mod
+	  - event: sudoers_modification
+	  - event: sched_debug_recon
+	  - event: system_request_key_mod
+	  - event: cgroup_release_agent
+	  - event: rcd_modification
+	  - event: core_pattern_modification
+	  - event: proc_kcore_read
+	  - event: proc_mem_access
+	  - event: hidden_file_created
+	  - event: anti_debugging
+	  - event: ptrace_code_injection
+	  - event: process_vm_write_inject
+	  - event: disk_mount
+	  - event: dynamic_code_loading
+	  - event: fileless_execution
+	  - event: illegitimate_shell
+	  - event: kernel_module_loading
+	  - event: k8s_cert_theft
+	  - event: proc_fops_hooking
+	  - event: syscall_hooking
+	  - event: dropped_executable
 ```
 
 But let's supposed we also need tracee to trace all `execve` events, for it we need to change the configmap `tracee-policies` adding a new policy.
@@ -107,12 +110,15 @@ To add a new policy for tracking execve events, append the following YAML block
 
 ```yaml
 events.yaml: |-
-  name: execve_event
-  description: traces all execve events
-  scope:
-    - global
-  rules:
-    - event: execve
+  apiVersion: aquasecurity.github.io/v1beta1
+  kind: TraceePolicy
+  metadata:
+	  name: execve_event
+  spec:
+	  scope:
+	    - global
+	  rules:
+	    - event: execve
 ```
 Save and close the file. The changes will be applied automatically.