
feat: Add various CEL to label conversions #78

Merged
merged 2 commits into from
Mar 12, 2024

Conversation

seungsoo-lee

Description

Fixes # (issue)

Does this PR introduce a breaking change?

Checklist

  • PR title follows the <type>: <description> convention
  • I use conventional commits in my commit messages
  • I have updated the documentation accordingly
  • I Keep It Small and Simple: The smaller the PR is, the easier it is to review and have it merged
  • I have performed a self-review of my code
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Additional information for reviewer

Mention if this PR is part of any design or a continuation of previous PRs

@nam-jaehyun nam-jaehyun left a comment


LGTM

@seungsoo-lee seungsoo-lee removed the request for review from anurag-rajawat March 12, 2024 10:00
@anurag-rajawat

I'm not sure why, but when I applied the cel-multi-si-sib-namespaced.yaml file, no nimbuspolicy was generated.

2024-03-12T15:25:51+05:30       INFO    SecurityIntent found    {"controller": "securityintent", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntent", "SecurityIntent": {"name":"pkg-mgr-exec-multiple-nsscoped"}, "namespace": "", "name": "pkg-mgr-exec-multiple-nsscoped", "reconcileID": "ba331bbf-8941-4d0b-8ccc-d39f9378850e", "SecurityIntent.Name": "pkg-mgr-exec-multiple-nsscoped"}
2024-03-12T15:25:51+05:30       INFO    SecurityIntent found    {"controller": "securityintent", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntent", "SecurityIntent": {"name":"unauthorized-sa-token-access-multiple-nsscoped"}, "namespace": "", "name": "unauthorized-sa-token-access-multiple-nsscoped", "reconcileID": "d59b6189-d1e5-491a-a7c2-3517b8ec129c", "SecurityIntent.Name": "unauthorized-sa-token-access-multiple-nsscoped"}
2024-03-12T15:25:51+05:30       INFO    SecurityIntent found    {"controller": "securityintent", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntent", "SecurityIntent": {"name":"dns-manipulation-multiple-nsscoped"}, "namespace": "", "name": "dns-manipulation-multiple-nsscoped", "reconcileID": "b1f45411-7a3a-4803-a9a7-dd041eddf0a4", "SecurityIntent.Name": "dns-manipulation-multiple-nsscoped"}
2024-03-12T15:25:51+05:30       INFO    SecurityIntentBinding found     {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"multiple-sis-nsscoped-binding","namespace":"default"}, "namespace": "default", "name": "multiple-sis-nsscoped-binding", "reconcileID": "b08afa03-566f-4e89-8128-7d2f78a0d195", "SecurityIntentBinding.Name": "multiple-sis-nsscoped-binding", "SecurityIntentBinding.Namespace": "default"}
2024-03-12T15:25:51+05:30       INFO    Building NimbusPolicy   {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"multiple-sis-nsscoped-binding","namespace":"default"}, "namespace": "default", "name": "multiple-sis-nsscoped-binding", "reconcileID": "b08afa03-566f-4e89-8128-7d2f78a0d195"}
2024-03-12T15:25:51+05:30       INFO    Processing CEL expressions      {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"multiple-sis-nsscoped-binding","namespace":"default"}, "namespace": "default", "name": "multiple-sis-nsscoped-binding", "reconcileID": "b08afa03-566f-4e89-8128-7d2f78a0d195", "Namespace": "default"}
2024-03-12T15:25:51+05:30       INFO    Error evaluating CEL expression for pod {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"multiple-sis-nsscoped-binding","namespace":"default"}, "namespace": "default", "name": "multiple-sis-nsscoped-binding", "reconcileID": "b08afa03-566f-4e89-8128-7d2f78a0d195", "PodName": "loki-0", "error": "no such key: app"}
2024-03-12T15:25:51+05:30       INFO    Abort NimbusPolicy creation as no labels matched the CEL expressions    {"controller": "securityintentbinding", "controllerGroup": "intent.security.nimbus.com", "controllerKind": "SecurityIntentBinding", "SecurityIntentBinding": {"name":"multiple-sis-nsscoped-binding","namespace":"default"}, "namespace": "default", "name": "multiple-sis-nsscoped-binding", "reconcileID": "b08afa03-566f-4e89-8128-7d2f78a0d195"}

I've the following workloads in my k8s default namespace:

NAME                        READY   STATUS    RESTARTS         AGE     LABELS
nginx-7854ff8877-lrt2k      2/2     Running   10 (5m33s ago)   5h33m   app=nginx,pod-template-hash=7854ff8877,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=nginx,service.istio.io/canonical-revision=latest
sleep-7656cf8794-j55cw      2/2     Running   12 (5m33s ago)   22h     app=sleep,pod-template-hash=7656cf8794,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=sleep,service.istio.io/canonical-revision=latest
httpbin-65975d4c6f-8g47x    2/2     Running   12 (5m33s ago)   22h     app=httpbin,pod-template-hash=65975d4c6f,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=httpbin,service.istio.io/canonical-revision=v1,version=v1
httpd-5c98f79dfc-nb767      2/2     Running   10 (5m33s ago)   5h33m   app=httpd,pod-template-hash=5c98f79dfc,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=httpd,service.istio.io/canonical-revision=latest
notsleep-5c785bc478-b8zpr   2/2     Running   12 (5m33s ago)   22h     app=notsleep,pod-template-hash=5c785bc478,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=notsleep,service.istio.io/canonical-revision=latest
loki-0                      2/2     Running   18 (5m33s ago)   25h     app.kubernetes.io/component=single-binary,app.kubernetes.io/instance=loki,app.kubernetes.io/name=loki,app.kubernetes.io/part-of=memberlist,apps.kubernetes.io/pod-index=0,controller-revision-hash=loki-86c5868897,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=loki,service.istio.io/canonical-revision=latest,statefulset.kubernetes.io/pod-name=loki-0

Why did it try to match with loki pod instead of the nginx one?

@anurag-rajawat

@seungsoo-lee I think here instead of using break we should use continue to match labels.

@seungsoo-lee

> @seungsoo-lee I think here instead of using break we should use continue to match labels.

updated
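The loop behaviour discussed in the comments above, as an added Go example that is not the project's own code: the CEL evaluation is replaced by a dependency-free stand-in (AppEquals, an assumption) that returns the same `no such key: app` error cel-go raises for a pod whose labels have no `app` key, and MatchPods shows why `break` aborts the whole scan when loki-0 is visited first while `continue` still finds the nginx pod.

```go
package main
import "fmt"

type Pod struct { // minimal stand-in for the pod metadata the controller reads
	Name   string
	Labels map[string]string
}

// AppEquals mimics CEL `labels["app"] == want`: cel-go fails with "no such key: app"
// when the key is absent, exactly what loki-0 triggered in the thread.
func AppEquals(want string) func(map[string]string) (bool, error) {
	return func(labels map[string]string) (bool, error) {
		v, ok := labels["app"]
		if !ok {
			return false, fmt.Errorf("no such key: app")
		}
		return v == want, nil
	}
}

// MatchPods scans every pod. stopOnError=true reproduces the logged behaviour (break:
// one unrelated pod aborts the scan); false is the review's fix (continue: no match).
func MatchPods(pods []Pod, eval func(map[string]string) (bool, error), stopOnError bool) []string {
	var matched []string
	for _, p := range pods {
		ok, err := eval(p.Labels)
		if err != nil {
			if stopOnError {
				break
			}
			continue
		}
		if ok {
			matched = append(matched, p.Name)
		}
	}
	return matched
}

// SamplePods is constructed from the thread's pod table; loki-0 comes first because
// it carries no "app" label and is the pod the log complains about.
var SamplePods = []Pod{
	{Name: "loki-0", Labels: map[string]string{"app.kubernetes.io/name": "loki"}},
	{Name: "nginx-7854ff8877-lrt2k", Labels: map[string]string{"app": "nginx"}},
}

func main() {
	fmt.Println("break:   ", MatchPods(SamplePods, AppEquals("nginx"), true))
	fmt.Println("continue:", MatchPods(SamplePods, AppEquals("nginx"), false))
}
```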


@anurag-rajawat anurag-rajawat left a comment


I'm approving it now but we also need tests to verify the handling of CEL.

@seungsoo-lee seungsoo-lee merged commit 317cb20 into 5GSEC:main Mar 12, 2024
8 checks passed