git.stella-ops.org/docs/features/unchecked/scanner/kubernetes-boundary-extraction-for-reachability-and-proof-analysis.md

Kubernetes Boundary Extraction for Reachability and Proof Analysis

Module: Scanner

Status: IMPLEMENTED

Description

Extracts network boundary information from Kubernetes Ingress, Service, and NetworkPolicy manifests to determine external exposure, cluster exposure level, and network controls (WAF, rate limiting). It feeds the boundary data into the reachability graph and produces a boundary proof that classifies paths as internet-facing or internal-only. The extractor runs at priority 200 in the extractor pipeline.

Implementation Details

  • Kubernetes Boundary Extractor:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/K8sBoundaryExtractor.cs - K8sBoundaryExtractor (implements IBoundaryProofExtractor) extracts boundary info from Kubernetes Ingress, Service, and NetworkPolicy manifests
  • Boundary Extraction Framework:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IBoundaryProofExtractor.cs - IBoundaryProofExtractor interface defining the boundary extraction contract
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryExtractionContext.cs - BoundaryExtractionContext provides context (manifest files, image metadata) for extraction
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/CompositeBoundaryExtractor.cs - CompositeBoundaryExtractor composes multiple extractors (K8s, API Gateway, IaC) into a pipeline
  • Related Extractors:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/GatewayBoundaryExtractor.cs - API gateway boundary extraction
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IacBoundaryExtractor.cs - Infrastructure-as-code boundary extraction
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/RichGraphBoundaryExtractor.cs - Rich graph integration for boundary data
  • DI Registration: src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryServiceCollectionExtensions.cs

E2E Test Plan

  • Provide a Kubernetes Ingress manifest referencing a scanned service and verify the K8s boundary extractor identifies it as internet-facing
  • Provide a Kubernetes NetworkPolicy that restricts ingress to specific namespaces and verify the extractor classifies the service as internal-only
  • Verify WAF annotations on Ingress resources (e.g., nginx WAF, ModSecurity) are detected as network controls
  • Verify the composite boundary extractor aggregates results from K8s, API Gateway, and IaC extractors
  • Verify boundary proof is produced and feeds into the reachability graph for path classification
  • Verify Kubernetes Services without Ingress or LoadBalancer type are classified as cluster-internal
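The classification rules spelled out in the description and the E2E test plan above, as an added example in Python (not the Scanner's C# code): a minimal classifier over parsed Ingress, Service and NetworkPolicy manifests that yields one boundary proof per service. The annotation-to-control mapping, the precedence given to a namespace-restricting NetworkPolicy over an Ingress, and the sample manifests are this example's own assumptions.

```python
from collections import namedtuple

# Ingress annotations counted as network controls (assumed mapping; the keys are real ingress-nginx ones).
CONTROL_ANNOTATIONS = {"nginx.ingress.kubernetes.io/enable-modsecurity": "waf",
                       "nginx.ingress.kubernetes.io/enable-owasp-core-rules": "waf",
                       "nginx.ingress.kubernetes.io/limit-rps": "rate-limit"}
# exposure: "internet-facing" | "internal-only" | "cluster-internal"; evidence: the manifest that decided it.
BoundaryProof = namedtuple("BoundaryProof", "service exposure controls evidence")

def _ingress_targets(ingress):  # backend Service names of a networking.k8s.io/v1 Ingress
    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            yield path["backend"]["service"]["name"]

def _selects(pod_selector, labels):  # matchLabels only; an empty podSelector matches every pod, as in Kubernetes
    return all(labels.get(k) == v for k, v in pod_selector.get("matchLabels", {}).items())

def _restricts_to_namespaces(policy):  # every allowed ingress peer is namespace-scoped; no ipBlock, no allow-all
    peers = [p for r in policy["spec"].get("ingress", []) for p in r.get("from", [])]
    return bool(peers) and all("namespaceSelector" in p and "ipBlock" not in p for p in peers)

def classify(manifests):
    """One BoundaryProof per Service, keyed by name. Precedence (this example's simplification): NetworkPolicy > Ingress > LoadBalancer > ClusterIP."""
    of_kind = lambda kind: [m for m in manifests if m["kind"] == kind]
    via_ingress = {}  # service name -> (ingress name, detected controls)
    for ing in of_kind("Ingress"):
        ann = ing["metadata"].get("annotations", {})
        controls = tuple(sorted({c for k, c in CONTROL_ANNOTATIONS.items() if str(ann.get(k, "false")).lower() != "false"}))
        for name in _ingress_targets(ing):
            via_ingress[name] = (ing["metadata"]["name"], controls)
    proofs = {}
    for svc in of_kind("Service"):
        name, spec = svc["metadata"]["name"], svc.get("spec", {})
        policies = [p["metadata"]["name"] for p in of_kind("NetworkPolicy")
                    if _selects(p["spec"].get("podSelector", {}), spec.get("selector", {})) and _restricts_to_namespaces(p)]
        if policies:  # ingress limited to specific namespaces: nothing outside the cluster can reach the pods
            proofs[name] = BoundaryProof(name, "internal-only", (), f"NetworkPolicy/{policies[0]}")
        elif name in via_ingress:
            proofs[name] = BoundaryProof(name, "internet-facing", via_ingress[name][1], f"Ingress/{via_ingress[name][0]}")
        elif spec.get("type") == "LoadBalancer":
            proofs[name] = BoundaryProof(name, "internet-facing", (), f"Service/{name} type=LoadBalancer")
        else:
            proofs[name] = BoundaryProof(name, "cluster-internal", (), f"Service/{name} has no Ingress or LoadBalancer")
    return proofs

# Constructed sample manifests (the dict form a YAML loader returns); not taken from any real cluster.
SAMPLE = [
    {"kind": "Ingress", "metadata": {"name": "web-ingress", "annotations": {"nginx.ingress.kubernetes.io/enable-modsecurity": "true",
        "nginx.ingress.kubernetes.io/limit-rps": "20"}}, "spec": {"rules": [{"http": {"paths": [{"backend": {"service": {"name": "web"}}}]}}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "billing-from-web-ns"}, "spec": {"podSelector": {"matchLabels": {"app": "billing"}},
     "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "web"}}}]}]}},
    *[{"kind": "Service", "metadata": {"name": n}, "spec": {"type": "ClusterIP", "selector": {"app": n}}} for n in ("web", "billing", "metrics")],
]
```

Running `classify(SAMPLE)` marks `web` internet-facing with WAF and rate-limit controls, `billing` internal-only via the NetworkPolicy, and `metrics` cluster-internal.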