diff --git a/KUBERNETES.md b/KUBERNETES.md
index 1efaa0fd..b92d3a45 100644
--- a/KUBERNETES.md
+++ b/KUBERNETES.md
@@ -173,12 +173,12 @@ ko apply -f ./config/deploy/guard-service.yaml
 ### Install guard-service from released images and yamls
 ```sh
-kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/gateAccount.yaml
-kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/serviceAccount.yaml
-kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/guardiansCrd.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.6/config/resources/gateAccount.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.6/config/resources/serviceAccount.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.6/config/resources/guardiansCrd.yaml
-kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/create-knative-secrets.yaml
-kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/guard-service.yaml
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.6.0/create-knative-secrets.yaml
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.6.0/guard-service.yaml
 ```
 ## Deploying a pod with a Security-Guard sidecar
diff --git a/hack/kind/deployKind.sh b/hack/kind/deployKind.sh
index 5d3578a7..5078bbfa 100755
--- a/hack/kind/deployKind.sh
+++ b/hack/kind/deployKind.sh
@@ -46,15 +46,15 @@ kubectl create namespace knative-serving
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
 #Create K8s resources CRD, ServiceAccounts etc.
-kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/gateAccount.yaml
-kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/serviceAccount.yaml
-kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/guardiansCrd.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.6/config/resources/gateAccount.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.6/config/resources/serviceAccount.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.6/config/resources/guardiansCrd.yaml
 # start create-secrets
-kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/create-secrets.yaml
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.6.0/create-secrets.yaml
 # start guard-service
-kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/guard-service.yaml
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.6.0/guard-service.yaml
 # wait for keys to be ready
 kubectl wait --namespace knative-serving --for=condition=complete job/create-knative-secrets --timeout=120s
@@ -68,10 +68,10 @@ REPLACE_NAME="s/ name: knative-serving-certs/ name: default-serving-certs/"
 kubectl get secret knative-serving-certs --namespace=knative-serving -o yaml |sed "${REPLACE_NS}" |sed "${REPLACE_NAME}" |sed "s/ selfLink: .*/ /"|sed "s/ uid: .*/ /" |sed "s/ resourceVersion: .*/ /" |kubectl apply -f -
 #add hellowworld - protected using a guard sidecar (the recommended pattern)
-kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/secured-helloworld.yaml
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.6.0/secured-helloworld.yaml
 #add myapp - protected using a separate guard pod (non-recommended pattern)
-kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/secured-layered-myapp.yaml
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.6.0/secured-layered-myapp.yaml
 #cleanup
 rm $CONFIG
diff --git a/hack/kind/deployKnativeKind.sh b/hack/kind/deployKnativeKind.sh
index bae87f0b..14a1b2e7 100755
--- a/hack/kind/deployKnativeKind.sh
+++ b/hack/kind/deployKnativeKind.sh
@@ -20,19 +20,19 @@ export KO_DOCKER_REPO=ko.local
 kn quickstart kind -n k8s --install-serving
 #Create K8s resources CRD, ServiceAccounts etc.
-kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/gateAccount.yaml
-kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/serviceAccount.yaml
-kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.5/config/resources/guardiansCrd.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.6/config/resources/gateAccount.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.6/config/resources/serviceAccount.yaml
+kubectl apply -f https://raw.githubusercontent.com/knative-sandbox/security-guard/release-0.6/config/resources/guardiansCrd.yaml
 # Kind seem to sometime need some extra time
 sleep 10
 # adjust knative to use guard
-kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/queue-proxy.yaml
-kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/config-features.yaml
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.6.0/queue-proxy.yaml
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.6.0/config-features.yaml
 # start guard-service
-kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.5.0/guard-service.yaml
+kubectl apply -f https://github.com/knative-sandbox/security-guard/releases/download/v0.6.0/guard-service.yaml
 # Activate internal encryption
 kubectl patch configmap config-network -n knative-serving --type=merge -p '{"data": {"internal-encryption": "true"}}'
diff --git a/pkg/guard-gate/gate.go b/pkg/guard-gate/gate.go
index 87177b3e..cd9d9616 100644
--- a/pkg/guard-gate/gate.go
+++ b/pkg/guard-gate/gate.go
@@ -28,7 +28,7 @@ import (
 pi "knative.dev/security-guard/pkg/pluginterfaces"
 )
-const plugVersion string = "0.5"
+const plugVersion string = "0.6"
 const plugName string = "guard"
 const (
@@ -74,6 +74,7 @@ func (p *plug) ApproveRequest(req *http.Request) (*http.Request, error) { // Req
 s.screenEnvelop(ticks)
+ s.screenPod()
 s.screenRequest(req)
 s.screenRequestBody(req)
@@ -117,6 +118,7 @@ func (p *plug) ApproveResponse(req *http.Request, resp *http.Response) (*http.Re
 s.screenResponse(resp, ticks)
 s.screenResponseBody(resp)
 s.screenEnvelop(ticks)
+ s.screenPod()
 if p.gateState.shouldBlock() && (s.hasAlert() || p.gateState.hasAlert()) {
 p.gateState.addStat("BlockOnResponse")
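Review bot: The added `s.screenPod()` call in ApproveRequest has no comment saying what pod-level state it attaches to the per-request session or why it has to run on the request path. The ApproveResponse hunk adds the same call again, so every session now screens the pod twice. screenPod's body is not part of this diff, so it cannot be confirmed here whether the second call is idempotent or accumulates on top of the first; its doc comment should state which. At the call site I would add something like `// pod-level findings are attached to this session; called again from ApproveResponse` so the pairing is visible to the next reader. ApproveRequest's body starts and ends outside the hunk.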
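Review bot: In ApproveResponse the new `s.screenPod()` runs directly before the `p.gateState.shouldBlock() && (s.hasAlert() || p.gateState.hasAlert())` check, so if screenPod can raise a session alert, a pod-level finding will block whichever response happens to be in flight and be counted under `BlockOnResponse`. An analyst reading the stats could then no longer tell a response anomaly from a pod anomaly. If blocking on pod findings is intended, record it under its own stat as well, for example `p.gateState.addStat("BlockOnPod")` (stat name constructed here for illustration), and add a test showing that a pod alert alone yields the expected decision. The function continues outside the hunk, so how the alert is reported after this point is not visible.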