This repository has been archived by the owner on Sep 19, 2024. It is now read-only.

Fine-grained, zero-trust workload identity & access control​

cisco-open/camblet

Camblet

Introduction

Camblet is a set of projects which, working in tandem, enhance plain old TCP sockets in a frictionless way, so that application developers can focus on their business logic instead of dealing with the complexity of TLS, mTLS, and other security-related concerns. It does this transparently: no code changes, recompilation, or redeployment is required. You only have to configure Camblet itself, and it does the rest.

The features are the following:

  • providing zero-trust identity for UNIX TCP sockets through mTLS
  • access control, authorization and authentication (through OPA)
  • providing frictionless TLS termination for those TCP sockets
  • supporting every Linux-based machine (bare-metal, vanilla VM, Kubernetes, etc.; you name it)

This repository contains the source code of the camblet multi-purpose binary, which controls camblet-driver, the kernel module that processes the user traffic.

Architecture

Camblet's architecture currently consists of two components: the kernel module and the agent. This will change in the future (we plan to add a control plane), but the current architecture is as follows:

Camblet architecture

Components

The Camblet kernel module comes with a user space CLI written in Go. The kernel module exposes a character device, /dev/camblet, which the agent opens; the CLI in turn talks to the agent. The CLI is usually run on the Linux host itself.

Agent (server)

The agent is the server side of the CLI. It is responsible for the following:

  • communicates with the kernel module directly
  • parses policy files and loads them into the kernel module
  • generates certificates to act as a CA
  • signs CSRs generated by the kernel module
  • enriches process data with metadata from the host environment (e.g. Kubernetes, AWS, etc.)
  • traces the kernel module's logs per process

Usage:

sudo camblet agent --policies-path $(pwd)/camblet.d/policies --services-path $(pwd)/camblet.d/services
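The CA role listed above (generate a CA, sign the kernel module's CSRs) as an added Go example; this is not code from the camblet repository. It assumes an in-memory CA and a SPIFFE-style URI as the workload identity; Camblet's own identity format, CSR transport, and certificate lifetimes are not shown on this page. The security-relevant points are that the CSR's proof of possession is verified, the identity is assigned by the CA rather than copied from the CSR, and the leaf is short-lived and end-entity-only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)
// NewCA builds a self-signed CA key and certificate, standing in for the CA the agent generates.
func NewCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example agent CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignCSR checks the CSR's proof of possession, then issues a short-lived, end-entity-only certificate.
// The identity (URI SAN) is chosen by the CA from what it knows about the process, never copied from the CSR.
func SignCSR(csrDER []byte, ca *x509.Certificate, caKey ed25519.PrivateKey, id *url.URL) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err // the requester does not hold the private key matching the CSR's public key
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), URIs: []*url.URL{id}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```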

Development

Development environment

Our primary development environment is Lima, since it supports both x86_64 and ARM. Follow the camblet-driver instructions for setting up the development environment.

Build

The CLI is written in Go, so you need a Go development environment set up. It is built with the help of a Makefile, so you need make installed as well.

GOOS=linux make build

Run the agent on the Lima guest

sudo ./build/camblet agent --policies-path $(pwd)/camblet.d/policies --services-path $(pwd)/camblet.d/services

Community

Join our community on Slack, then find us in the Camblet channel for more fun!