Selectors

Selectors are used in various places to scope policies, rules, and actions. Spyderbat's selectors are based on Kubernetes Labels and Selectors.

Selector Primitives

Spyderbat's selectors offer set-based selector primitives.

  • * Matches the syntax from Kubernetes

  • ** Unique to Spyderbat's Selectors

Expressions

Expressions have 3 fields: key, operator, and values. They allow you to define set-based groupings.

Example:

matchExpressions:
- key: app
  operator: In
  values: [apache, mysql]

In the example above, whatever is being matched must have a label with the key app, and the value of that label must be either apache or mysql.

Operators

Operators define how the set-based expression is to be evaluated.

Pod and Namespace Selectors

Pod and Namespace selectors are defined in exactly the same way as Kubernetes Pod and Namespace selectors. Both resource types can have user-defined labels that allow them to be grouped by selectors.

The labels are found within the Pod and Namespace object YAML.

Examples:

podSelector:
  matchLabels:
    app: apache
  matchExpressions:
  - {key: tier, operator: In, values: [frontend, backend]}
  - {key: test, operator: DoesNotExist}
namespaceSelector:
  matchLabels:
    kubernetes.io/metadata.name: production
  matchExpressions:
  - {key: dedicated-node, operator: Exists}
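
How the podSelector above is evaluated, as an added example that is not part of the original page or Spyderbat's own code. It assumes standard Kubernetes label-selector semantics (all requirements are ANDed, and NotIn also matches when the key is absent); the pod names and label sets are constructed.

```python
# Evaluate a Kubernetes-style label selector against a label map.
# Assumption: Kubernetes LabelSelector semantics; every requirement is ANDed.

def match_expression(labels, expr):
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        # Kubernetes semantics: a missing key also satisfies NotIn.
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator: {op}")


def selector_matches(selector, labels):
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    return all(match_expression(labels, e) for e in selector.get("matchExpressions", []))

# The podSelector from the example above, written as a Python dict.
POD_SELECTOR = {
    "matchLabels": {"app": "apache"},
    "matchExpressions": [
        {"key": "tier", "operator": "In", "values": ["frontend", "backend"]},
        {"key": "test", "operator": "DoesNotExist"},
    ],
}

# Constructed pod label sets (not from the page).
SAMPLE_PODS = {
    "web-1": {"app": "apache", "tier": "frontend"},
    "web-test": {"app": "apache", "tier": "frontend", "test": "true"},
    "web-untiered": {"app": "apache"},
    "db-1": {"app": "mysql", "tier": "backend"},
}

def matching_pods(selector, pods):
    return sorted(name for name, labels in pods.items() if selector_matches(selector, labels))

if __name__ == "__main__":
    print(matching_pods(POD_SELECTOR, SAMPLE_PODS))
```

Under these semantics a NotIn expression also selects resources that do not carry the key at all, so pair it with an Exists expression on the same key when the scope should cover only labeled resources.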

Other Selectors

The following selectors are custom to Spyderbat's environment. They add an additional level of granularity to scoping operations.

Cluster Selector

The Cluster Selector allows for scoping by Kubernetes Cluster. Field values may be wildcarded with an * character.

Example:

clusterSelector:
  matchFields:
    name: demo-cluster

Machine Selector

The Machine Selector allows for scoping by Machine. A machine in this context is a device with the Spyderbat Nano Agent installed.

Example:

machineSelector:
  matchFieldsExpressions:
  - {key: hostname, operator: In, values: [test_node, staging_node]}

Container Selector

The Container Selector allows for scoping by fields associated with containers.

Example:

containerSelector:
  matchFields:
    image: docker.io/apache

Service Selector

The Service Selector allows for scoping by fields associated with Linux Services.

Example:

serviceSelector:
  matchFields:
    cgroup: systemd:/system.slice/nano-agent.service

Trace Selector

The Trace Selector is used by Trace Suppression Policies to suppress Spydertraces within a specific scope.

Example:

traceSelector:
  matchFields:
    triggerClass: redflag/proc/command/high_severity/suspicious/netcat

User Selector

The User Selector is used by Trace Suppression Policies to suppress Spydertraces triggered by a specific user or users.

Example:

userSelector:
  matchFieldsExpressions:
  - {key: user, operator: NotIn, values: [admin, root]}

Process Selector

The Process Selector is used to scope by fields associated with a Linux Process.

Example:

processSelector:
  matchFields:
    exe: /bin/bash

© SPYDERBAT, Inc., All Rights Reserved