Ingest NetworkPolicies & SecurityContexts (SCAM+SPAM) for threat modelling #27
Labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set
Reference
Motstandskraft/spam#27
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Goal
Expand SCAM (the in-cluster agent) and SPAM ingestion to collect Kubernetes NetworkPolicies and Deployment/Pod SecurityContexts (and related posture resources), so SPAM can reason about the threat model of a workload — not just what runs and whether it's exposed, but how well it's contained.
What exists today
Snapshotreconciliation records. Schema:scam/.docs/records.md; collectors inscam/internal/collector/.validKindsinspam/api/internal/scam/models.go:170excludes them.cluster_record(JSONB blob, upsert by identity, tombstone via snapshots),clusters(identity = kube-system namespace UID + ROR binding),cluster_sessions(liveness). Rollups:cluster_summary,cluster_image_inventory(db/cluster_summary_view.go).db/host_exposure_view.go. Threat scoring exists at asset level (assetrisk/score.go) but has no containment/posture inputs.Proposed scope
SCAM side (new collectors)
networking.k8s.io/v1): pod selector, ingress/egress rules, namespace/pod/IPBlock peers, ports. Also detect "default-deny" presence per namespace.runAsNonRoot,runAsUser,privileged,allowPrivilegeEscalation,readOnlyRootFilesystem,capabilitiesadd/drop,seccompProfile, host namespaces (hostNetwork/hostPID/hostIPC),hostPathvolume mounts.validKinds.SPAM side
validKinds; store incluster_record(JSONB — no migration needed for new fields, per design philosophy).assetrisk.Signals(new fields): e.g.RunsPrivileged,RunsAsRoot,NoNetworkPolicy(no default-deny / no policy selecting the pod),HostNamespaceUse,WritableRootFS,OverbroadCapabilities. These become trust/containment inputs to the threat model — currently the score has none.Edge cases / decisions
cluster_recordchurn concerns (strip volatile fields, snapshot reconciliation).get/list/watchon netpol + (if RBAC) rbac resources — Helm chart update + least-privilege review.Tasks
.docs/records.md; Helm RBAC updatevalidKinds; ingest/store (JSONB)assetrisk.Signals; decide context-vs-escalationRelates to: asset-risk threat scoring; cluster ACL (posture reads must respect
clusterACLFilter).