# Nephio

## Setup

https://github.com/nephio-project/docs/blob/main/install-guide/README.md

Followed by https://github.com/nephio-project/docs/blob/main/user-guide/exercises.md

OR run the scripts in `/test-infra/e2e/tests/*.sh` in their numbered order.

Run `karmor install` in each of the clusters (regional, edge-01):

```sh
karmor install --kubeconfig $HOME/.kube/regional-kubeconfig
karmor install --kubeconfig $HOME/.kube/edge01-kubeconfig
```

Change the KubeArmor default posture namespace annotations to `block`:

```sh
kubectl annotate ns free5gc-cp kubearmor-network-posture=block --kubeconfig $HOME/.kube/regional-kubeconfig
kubectl annotate ns free5gc-cp kubearmor-file-posture=block --kubeconfig $HOME/.kube/regional-kubeconfig
kubectl annotate ns ueransim kubearmor-network-posture=block --kubeconfig $HOME/.kube/edge01-kubeconfig
kubectl annotate ns ueransim kubearmor-file-posture=block --kubeconfig $HOME/.kube/edge01-kubeconfig
```

## Secure Regional Cluster Elements

- Configure access to the regional cluster

```sh
kubectl get secret regional-kubeconfig -o jsonpath='{.data.value}' | base64 -d > $HOME/.kube/regional-kubeconfig
export KUBECONFIG=$HOME/.kube/config:$HOME/.kube/regional-kubeconfig
```

- Enable access to the WebUI

```sh
ssh ubuntu@152.67.2.130 \
  -L 5000:localhost:5000 \
  kubectl --kubeconfig /home/ubuntu/.kube/regional-kubeconfig \
  port-forward --namespace=free5gc-cp svc/webui-service 5000
```

You should be able to access the WebUI on http://localhost:5000 now.

The WebUI is the source of all the inputs and is the main point of external interaction in the control plane. The WebUI interacts with the other control plane NFs. It has a configuration file in `/free5gc/config` which contains the addresses used to interact with other components.

Policy to secure the webui app:

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: free5gc-webui-towards5gs-free5gc-webui-network-least-perm
  namespace: free5gc-cp
spec:
  action: Allow
  process:
    matchDirectories:
    - dir: /
      recursive: true
  file:
    matchDirectories:
    - dir: /run/secrets/kubernetes.io/serviceaccount/
      recursive: true
      action: Block
    - dir: /free5gc/config/
      recursive: true
      action: Block
    - dir: /
      recursive: true
    - dir: /run/secrets/kubernetes.io/serviceaccount/
      recursive: true
      fromSource:
      - path: /free5gc/webconsole/webconsole
    - dir: /free5gc/config/
      recursive: true
      fromSource:
      - path: /free5gc/webconsole/webconsole
  network:
    matchProtocols:
    - protocol: tcp
      fromSource:
      - path: /free5gc/webconsole/webconsole
    - protocol: udp
      fromSource:
      - path: /free5gc/webconsole/webconsole
    - protocol: icmp
      fromSource:
      - path: /free5gc/webconsole/webconsole
    - protocol: raw
      fromSource:
      - path: /free5gc/webconsole/webconsole
  message: Alert! Unknown Network Access
  selector:
    matchLabels:
      nf: webui
      project: free5gc
  severity: 5
```

### Expected Behaviour

Can access everything on http://localhost:5000

### Trigger Violation

```sh
cat /free5gc/config
wget udm-nudm/nudm-sdm/v1/imsi-208930000000003/am-data?plmn-id=%7B%22mcc%22%3A%22208%22%2C%22mnc%22%3A%2293%22%7D -O-
```

Permission denied, with alerts.

## Securing gNodeB

https://fight.mitre.org/techniques/FGT5032/

Policy:

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ueransimgnb-towards5gs-free5gc-gnb-least-perm
  namespace: ueransim
spec:
  action: Allow
  process:
    matchDirectories:
    - dir: /
      recursive: true
  file:
    matchDirectories:
    - dir: /run/secrets/kubernetes.io/serviceaccount/
      recursive: true
      action: Block
    - dir: /ueransim/config/
      recursive: true
      action: Block
    - dir: /
      recursive: true
    - dir: /run/secrets/kubernetes.io/serviceaccount/
      recursive: true
      fromSource:
      - path: /ueransim/build/nr-gnb
    - dir: /ueransim/config/
      recursive: true
      fromSource:
      - path: /ueransim/build/nr-gnb
  network:
    matchProtocols:
    - protocol: tcp
      fromSource:
      - path: /ueransim/build/nr-gnb
    - protocol: udp
      fromSource:
      - path: /ueransim/build/nr-gnb
    - protocol: icmp
      fromSource:
      - path: /ueransim/build/nr-gnb
    - protocol: raw
      fromSource:
      - path: /ueransim/build/nr-gnb
  message: Alert! Sensitive Access
  selector:
    matchLabels:
      app: ueransim
      component: gnb
  severity: 5
```

### Expected Behaviour

```sh
./ueransim/build/nr-cli -d   # CLI works as expected
```

UE can ping the DNN:

```sh
UE_POD=$(kubectl --kubeconfig $HOME/.kube/edge01-kubeconfig get pods -n ueransim -l app=ueransim -l component=ue -o jsonpath='{.items[0].metadata.name}')
kubectl --kubeconfig $HOME/.kube/edge01-kubeconfig -n ueransim exec -it $UE_POD -- /bin/bash -c "ping -I uesimtun0 172.0.0.1"
```

### Policy Violations

```sh
cat /ueransim/config/
ping UE?
```
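To check what the two Allow policies above actually permit before applying them, here is an added example (not part of the original note and not KubeArmor's own code) that encodes the webui policy's file and network rules as Python dicts and evaluates accesses against a simplified model of KubeArmor's Allow-policy semantics under block posture. The model is an assumption: a `fromSource` rule applies only to that binary and beats generic rules, the longest matching directory prefix wins, and anything no rule allows is blocked by the namespace posture.

```python
# Webui file rules from the policy above, as dicts (all rules on the page are recursive).
WEBUI_FILE_RULES = [
    {"dir": "/run/secrets/kubernetes.io/serviceaccount/", "action": "Block"},
    {"dir": "/free5gc/config/", "action": "Block"},
    {"dir": "/"},
    {"dir": "/run/secrets/kubernetes.io/serviceaccount/",
     "fromSource": ["/free5gc/webconsole/webconsole"]},
    {"dir": "/free5gc/config/", "fromSource": ["/free5gc/webconsole/webconsole"]},
]
# Webui network rules: every protocol is allowed only from the webconsole binary.
WEBUI_NET_RULES = [
    {"protocol": p, "fromSource": ["/free5gc/webconsole/webconsole"]}
    for p in ("tcp", "udp", "icmp", "raw")
]


def file_verdict(rules, source, path, policy_action="Allow"):
    """Verdict ('Allow'/'Block') for binary `source` opening `path`.

    Simplified model (assumption): source-specific rules outrank generic
    ones, then the longest directory prefix wins; a rule without its own
    `action` inherits the policy-level action; no match means the block
    posture denies the access.
    """
    best = None  # ((source_specific, prefix_len), action)
    for rule in rules:
        d = rule["dir"]
        if not path.startswith(d):
            continue
        specific = "fromSource" in rule
        if specific and source not in rule["fromSource"]:
            continue  # rule is scoped to another binary
        key = (specific, len(d))
        if best is None or key > best[0]:
            best = (key, rule.get("action", policy_action))
    return best[1] if best else "Block"


def net_verdict(rules, source, protocol, policy_action="Allow"):
    """Verdict for binary `source` using `protocol`; unmatched means Block."""
    for rule in rules:
        if rule["protocol"] != protocol:
            continue
        if "fromSource" in rule and source not in rule["fromSource"]:
            continue
        return rule.get("action", policy_action)
    return "Block"
```

The `cat /free5gc/config` and `wget` checks in the Trigger Violation section correspond to `file_verdict(..., "/bin/cat", ...)` and `net_verdict(..., "/usr/bin/wget", "tcp")`, both of which evaluate to `Block`, while the same paths from `/free5gc/webconsole/webconsole` evaluate to `Allow`.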