rename rules to policies

README.md

@@ -27,14 +27,14 @@ The Nasp kernel module comes with a user space [CLI](./cli/) written in Go. The
 The agent is the server side of the CLI. It is responsible for the following:
 
 - communicates with the kernel module directly
-- parses policy rule files and loads them to the kernel module
+- parses policy files and loads them to the kernel module
 - signs CSR requests generated by the kernel module
 - adds metadata from the host environment to enrich process data. (e.g. Kubernetes, AWS, etc...)
 
 Usage:
 
 ```bash
-sudo nasp agent --rules-path $(pwd)/nasp.d/rules --sd-path $(pwd)/nasp.d/services
+sudo nasp agent --policies-path $(pwd)/nasp.d/policies --services-path $(pwd)/nasp.d/services
 ```
 
 ## Development
@@ -54,7 +54,7 @@ GOOS=linux make build
 ### Run the agent on the Lima guest
 
 ```bash
-sudo ./bin/nasp agent --rules-path $(pwd)/nasp.d/rules --sd-path $(pwd)/nasp.d/services
+sudo ./bin/nasp agent --policies-path $(pwd)/nasp.d/policies --services-path $(pwd)/nasp.d/services
 ```
 
 ## Community

deploy/nasp.service

@@ -3,7 +3,7 @@ Description=NASP Agent Service
 After=network.target
 
 [Service]
-ExecStart=/usr/bin/nasp agent --config /etc/nasp/config.yaml --rules-path /etc/nasp/rules/ --sd-path /etc/nasp/services/
+ExecStart=/usr/bin/nasp agent --config /etc/nasp/config.yaml --policies-path /etc/nasp/policies --services-path /etc/nasp/services
 Restart=always
 User=root
 Group=root

internal/cli/cmd/agent/agent.go

@@ -58,16 +58,16 @@ func NewCommand(c cli.CLI) *cobra.Command {
 	}
 
 	cmd.Flags().String("kernel-module-device", "/dev/nasp", "Device for the Nasp kernel module")
-	cmd.Flags().StringSlice("rules-path", nil, "Rules path")
-	cmd.Flags().StringSlice("sd-path", nil, "Service discovery definition path")
+	cmd.Flags().StringSlice("policies-path", nil, "Path to file or directory for policy definitions")
+	cmd.Flags().StringSlice("services-path", nil, "Path to file or directory for service definitions")
 	cmd.Flags().String("trust-domain", config.DefaultTrustDomain, "Trust domain")
 	cmd.Flags().Duration("default-cert-ttl", config.DefaultCertTTLDuration, "Default certificate TTL")
 	cmd.Flags().String("ca-pem-path", "", "Path for CA pem")
 
 	cli.BindCMDFlags(c.Viper(), cmd)
 
 	cmd.AddCommand(NewAugmentCommand(c))
-	cmd.AddCommand(NewGenerateRuleCommand(c))
+	cmd.AddCommand(NewGeneratePolicyCommand(c))
 
 	return cmd
 }
@@ -140,10 +140,10 @@ func (c *agentCommand) run(cmd *cobra.Command) error {
 		}
 	})
 
-	// service discovery loader
+	// Static service definitions loader
 	eventBus.Subscribe(messenger.MessengerStartedTopic, func(topic string, _ bool) {
 		go func() {
-			l := service.NewFileLoader(c.cli.Viper().GetStringSlice("agent.sdPath"), service.FileLoadWithLogger(logger))
+			l := service.NewFileLoader(c.cli.Viper().GetStringSlice("agent.servicesPath"), service.FileLoadWithLogger(logger))
 			if err := l.Run(cmd.Context(), func(entries service.Services) {
 				if j, err := json.MarshalIndent(entries, "", "  "); err != nil {
 					c.cli.Logger().Error(err, "could not marshal module config")
@@ -159,18 +159,18 @@ func (c *agentCommand) run(cmd *cobra.Command) error {
 		}()
 	})
 
-	// rules loader
+	// Static policy definitions loader
 	eventBus.Subscribe(messenger.MessengerStartedTopic, func(topic string, _ bool) {
 		go func() {
 			r := policy.NewFileLoader(
-				c.cli.Viper().GetStringSlice("agent.rulesPath"),
+				c.cli.Viper().GetStringSlice("agent.policiesPath"),
 				logger,
 				policy.FileLoaderWithTemplateFunc(policy.NewPolicyTemplater(policy.PolicyTemplateValues{
 					TrustDomain: c.cli.Configuration().Agent.TrustDomain,
 				}, c.cli.Logger()).Execute,
 				))
 			if err := r.Run(cmd.Context(), func(r policy.Policies) {
-				logger.Info("rule count", "count", len(r))
+				logger.Info("policy count", "count", len(r))
 
 				r.Organize()
 
@@ -183,11 +183,11 @@ func (c *agentCommand) run(cmd *cobra.Command) error {
 				}, "", "  ")
 
 				msg := messenger.NewCommand(messenger.Command{
-					Command: "load_rules",
+					Command: "load_policies",
 					Code:    y,
 				})
 
-				logger.Info("sending rules to kernel")
+				logger.Info("sending policies to kernel")
 				eventBus.Publish(messenger.MessageOutgoingTopic, msg)
 			}); err != nil {
 				errChan <- err

internal/cli/cmd/agent/rule.go → internal/cli/cmd/agent/generate_policy.go

@@ -55,12 +55,12 @@ var defaultLabels = []string{
 	"docker:image:name",
 }
 
-type generateRuleCommand struct {
+type generatePolicyCommand struct {
 	cli  cli.CLI
-	opts *generateRuleOptions
+	opts *generatePolicyOptions
 }
 
-type generateRuleOptions struct {
+type generatePolicyOptions struct {
 	labels           []string
 	additionalLabels []string
 	dnsNames         []string
@@ -69,16 +69,16 @@ type generateRuleOptions struct {
 	disableMTLS      bool
 }
 
-func NewGenerateRuleCommand(c cli.CLI) *cobra.Command {
-	command := &generateRuleCommand{
+func NewGeneratePolicyCommand(c cli.CLI) *cobra.Command {
+	command := &generatePolicyCommand{
 		cli:  c,
-		opts: &generateRuleOptions{},
+		opts: &generatePolicyOptions{},
 	}
 
 	cmd := &cobra.Command{
-		Use:               "generate-identity-rule <pid> <workload ID>",
-		Aliases:           []string{"gr"},
-		Short:             "Generate identity rule for a given process",
+		Use:               "generate-policy <pid> <workload ID>",
+		Aliases:           []string{"gp"},
+		Short:             "Generate policy for a given process",
 		SilenceErrors:     true,
 		SilenceUsage:      true,
 		DisableAutoGenTag: true,
@@ -110,7 +110,7 @@ func NewGenerateRuleCommand(c cli.CLI) *cobra.Command {
 	return cmd
 }
 
-func (c *generateRuleCommand) run(cmd *cobra.Command, args []string) error {
+func (c *generatePolicyCommand) run(cmd *cobra.Command, args []string) error {
 	collector := collectors.GetMetadataCollector(c.cli.Configuration().Agent.MetadataCollectors, c.cli.Logger())
 
 	pid, err := strconv.Atoi(args[0])
@@ -125,7 +125,7 @@ func (c *generateRuleCommand) run(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	rule := &core.Policy{
+	policy := &core.Policy{
 		Selectors: []*structpb.Struct{
 			{
 				Fields: make(map[string]*structpb.Value),
@@ -143,22 +143,22 @@ func (c *generateRuleCommand) run(cmd *cobra.Command, args []string) error {
 	}
 
 	if c.opts.disableMTLS {
-		rule.Connection.Mtls = core.Policy_Connection_DISABLE
+		policy.Connection.Mtls = core.Policy_Connection_DISABLE
 	}
 
 	for _, label := range md.GetLabelsSlice() {
 		if !c.matchLabel(label.Name) {
 			continue
 		}
 
-		rule.Selectors[0].Fields[label.Name] = structpb.NewStringValue(label.Value)
+		policy.Selectors[0].Fields[label.Name] = structpb.NewStringValue(label.Value)
 	}
 
-	if len(rule.Selectors[0].Fields) == 0 {
+	if len(policy.Selectors[0].Fields) == 0 {
 		return errors.New("could not find selectors")
 	}
 
-	jsonBytes, err := protojson.Marshal(rule)
+	jsonBytes, err := protojson.Marshal(policy)
 	if err != nil {
 		return errors.WrapIf(err, "could not marshal json")
 	}
@@ -173,7 +173,7 @@ func (c *generateRuleCommand) run(cmd *cobra.Command, args []string) error {
 	return err
 }
 
-func (c *generateRuleCommand) matchLabel(label string) bool {
+func (c *generatePolicyCommand) matchLabel(label string) bool {
 	for _, l := range append(c.opts.labels, c.opts.additionalLabels...) {
 		if strings.HasSuffix(l, "*") && strings.HasPrefix(label, l[:len(l)-1]) {
 			return true

internal/policy/policy.go

@@ -50,10 +50,10 @@ type Policy struct {
 	Egress      Policies                 `json:"egress,omitempty"`
 }
 
-func (r Policies) Organize() {
-	sort.SliceStable(r, func(i, j int) bool {
-		for _, sel := range r[i].Selectors {
-			for _, sel2 := range r[j].Selectors {
+func (p Policies) Organize() {
+	sort.SliceStable(p, func(i, j int) bool {
+		for _, sel := range p[i].Selectors {
+			for _, sel2 := range p[j].Selectors {
 				if reflect.DeepEqual(sel, sel2) {
 					continue
 				}
@@ -67,11 +67,11 @@ func (r Policies) Organize() {
 		return false
 	})
 
-	for k, rule := range r {
-		rule := rule
+	for k, policy := range p {
+		policy := policy
 
-		rule.Position = k
-		rule.Egress.Organize()
+		policy.Position = k
+		policy.Egress.Organize()
 	}
 }
 

nasp.d/policies/sample.yaml

@@ -0,0 +1,9 @@
+# Policies are used to identify workloads and specify their properties.
+# See https://nasp.io/docs/concepts/policy for more information.
+# - selectors:
+#   - process:name: [nginx]
+#     destination:port: 8000
+#   certificate:
+#     workloadID: sample/nginx
+#   connection:
+#     mtls: DISABLE

nasp.d/services/sample.yaml

@@ -1,6 +1,7 @@
 # Sample Service discovery configuration file.
 # See https://nasp.io/docs/concepts/service-registry-entry for more information.
 # - addresses:
-#   - localhost:8000
+#   - address: localhost
+#     port: 8000
 #   labels:
 #     app:label: nginx

pkg/util/file_content_loader.go

@@ -81,11 +81,11 @@ func (r *fileContentLoader) Run(ctx context.Context, h FileContentLoadedFunc) er
 			return nil
 		case <-watcher.Events:
 			if err := r.load(h); err != nil {
-				r.logger.Error(err, "error during rules reload")
+				r.logger.Error(err, "could not load")
 			}
 		case err := <-watcher.Errors:
 			if err != nil {
-				r.logger.Error(err, "error at watcher")
+				r.logger.Error(err, "could not watch")
 			}
 		}
 	}