Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature] Security monitoring the CrownLabs service with eBPF #325

Open
giorio94 opened this issue Oct 16, 2020 · 0 comments
Open

[Feature] Security monitoring the CrownLabs service with eBPF #325

giorio94 opened this issue Oct 16, 2020 · 0 comments
Labels
kind/epic kind/feature New feature or request sig/operations

Comments

@giorio94
Copy link
Member

Is your feature request related to a problem? Please describe.
At the moment, the VMs spawned by the CrownLabs service are characterized by no limitations in the connections that can be established towards the Internet (besides those introduced by the campus firewalls), possibly allowing malicious/inappropriate traffic (either on purpose or due to misbehaving software).

This feature request proposes to tackle the problem from two orthogonal points of view:

  1. Prevention: set-up and configure a firewall on the physical nodes (VMs are considered completely untrusted as users may have root access) to limit the connections that can be established. For instance, limit connection only to certain well-known ports, as well as leverage publicly available blacklists to exclude malicious/inappropriate websites/IPs.

  2. Auditing/Reaction: implement a solution to track the user-level connections that are established from/to the VMs. Hence, in case a security-relevant event is raised by the IT department, it would be possible to identify the originator of that traffic. In addition, this solution would also be useful for monitoring, analyzing when the VMs are actually used.

Describe the solution you'd like
It is proposed to leverage eBPF as a technology to perform low-overhead in-kernel traffic analysis. Specifically:

  1. Prevention: the usage of polycube [1] and in particular the firewall service [2] to block undesired traffic.
  2. Auditing/Reaction: the monitoring of the TCP sessions should be performed using eBPF, logging the identifiers of the sessions established at each instant. A user-space component (probably a kubernetes operator), should then be used to save the mappings between IPs and the actual service/owner.

Additional context
As kubernetes network providers/load balancers may perform natting, it is necessary to first analyze which IP addresses are visible and the ones that are masked, in order to identify the best "hook" points to implement these solutions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/epic kind/feature New feature or request sig/operations
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@giorio94