Add podSelector.MatchLables to labels in Spec (accuknox#641)

* Add podSelector.MatchLables to labels in Spec
* Port and protocol values addition on valid data
* Ignore empty policies
* Correct egress/ingress rule
Signed-off-by: Eswar Rajan Subramanian <eswar@accuknox.com>

src/networkpolicy/networkPolicy.go

@@ -1816,19 +1816,19 @@ func convertKnoxNetworkLogToKnoxNetworkPolicy(log *types.KnoxNetworkLog, pods []
 		ePolicy, iPolicy := buildNewKnoxEgressPolicy(), buildNewKnoxIngressPolicy()
 
 		// 1.1 Set the endpoint selector
-		ePolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.SrcPodName, pods)
-		iPolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods)
+		ePolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods)
+		iPolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.SrcPodName, pods)
 
 		// 1.2 Set the to/from Endpoint selector
 		egress := types.Egress{}
 		ingress := types.Ingress{}
-		egress.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods)
-		ingress.MatchLabels = getEndpointMatchLabels(log.SrcPodName, pods)
+		egress.MatchLabels = getEndpointMatchLabels(log.SrcPodName, pods)
+		ingress.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods)
 
 		if log.SrcNamespace != log.DstNamespace {
 			// cross namespace policy
-			egress.MatchLabels["io.kubernetes.pod.namespace"] = log.DstNamespace
-			ingress.MatchLabels["io.kubernetes.pod.namespace"] = log.SrcNamespace
+			egress.MatchLabels["io.kubernetes.pod.namespace"] = log.SrcNamespace
+			ingress.MatchLabels["io.kubernetes.pod.namespace"] = log.DstNamespace
 		}
 
 		// 1.3 Set the dst port/protocol
@@ -1854,8 +1854,8 @@ func convertKnoxNetworkLogToKnoxNetworkPolicy(log *types.KnoxNetworkLog, pods []
 		ePolicy.Spec.Egress = append(ePolicy.Spec.Egress, egress)
 		iPolicy.Spec.Ingress = append(iPolicy.Spec.Ingress, ingress)
 
-		ePolicy.Metadata["namespace"] = log.SrcNamespace
-		iPolicy.Metadata["namespace"] = log.DstNamespace
+		ePolicy.Metadata["namespace"] = log.DstNamespace
+		iPolicy.Metadata["namespace"] = log.SrcNamespace
 
 		egressPolicy = &ePolicy
 		ingressPolicy = &iPolicy

src/plugin/k8sNetwork.go

@@ -27,7 +27,9 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN
 		k8NetPol.Kind = types.K8sNwPolicyKind
 		k8NetPol.Name = knp.Metadata["name"]
 		k8NetPol.Namespace = knp.Metadata["namespace"]
-		k8NetPol.Labels = knp.Spec.Selector.MatchLabels
+		k8NetPol.Spec.PodSelector = metav1.LabelSelector{
+			MatchLabels: knp.Spec.Selector.MatchLabels,
+		}
 
 		if len(knp.Spec.Egress) > 0 {
 			for _, eg := range knp.Spec.Egress {
@@ -50,14 +52,13 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN
 							Type:   intstr.Int,
 							IntVal: int32(portVal),
 						},
-						Protocol: &protocol,
-					}
-				} else {
-					port = nv1.NetworkPolicyPort{
-						Protocol: &protocol,
 					}
 				}
 
+				if protocol != "" {
+					port.Protocol = &protocol
+				}
+
 				if len(eg.MatchLabels) > 0 {
 					to = nv1.NetworkPolicyPeer{
 						PodSelector: &metav1.LabelSelector{
@@ -69,11 +70,13 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN
 					egressRule.To = nil
 				}
 
-				egressRule.Ports = append(egressRule.Ports, port)
+				if portVal == 0 && protocol == "" {
+					continue
+				}
 
+				egressRule.Ports = append(egressRule.Ports, port)
 				k8NetPol.Spec.Egress = append(k8NetPol.Spec.Egress, egressRule)
 			}
-
 			k8NetPol.Spec.PolicyTypes = append(k8NetPol.Spec.PolicyTypes, nv1.PolicyType(nv1.PolicyTypeEgress))
 		}
 
@@ -98,14 +101,13 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN
 							Type:   intstr.Int,
 							IntVal: int32(portVal),
 						},
-						Protocol: &protocol,
-					}
-				} else {
-					port = nv1.NetworkPolicyPort{
-						Protocol: &protocol,
 					}
 				}
 
+				if protocol != "" {
+					port.Protocol = &protocol
+				}
+
 				if len(ing.MatchLabels) > 0 {
 					from = nv1.NetworkPolicyPeer{
 						PodSelector: &metav1.LabelSelector{
@@ -117,14 +119,16 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN
 					ingressRule.From = nil
 				}
 
-				ingressRule.Ports = append(ingressRule.Ports, port)
+				if portVal == 0 && protocol == "" {
+					continue
+				}
 
+				ingressRule.Ports = append(ingressRule.Ports, port)
 				k8NetPol.Spec.Ingress = append(k8NetPol.Spec.Ingress, ingressRule)
 			}
 			k8NetPol.Spec.PolicyTypes = append(k8NetPol.Spec.PolicyTypes, nv1.PolicyType(nv1.PolicyTypeIngress))
 		}
 
-		k8NetPol.Spec.PodSelector.MatchLabels = k8NetPol.Labels
 		res = append(res, k8NetPol)
 	}
 

src/plugin/kubearmor.go

@@ -603,7 +603,7 @@ func ConvertKubeArmorNetLogToKnoxNetLog(kaNwLogs []*pb.Log) []types.KnoxNetworkL
 			}
 			destPod, destLabels, destNs := cluster.ExtractPodSvcInfoFromIP(ip, kalog.ClusterName, pods, services)
 
-			if ip != destPod && strings.Contains(destPod, "pod") {
+			if ip != destPod && (strings.Contains(destPod, "pod") || strings.Contains(destPod, "svc")) {
 				locKnoxLog.DstPodName = strings.Split(destPod, "/")[1]
 				locKnoxLog.DstReservedLabels = strings.Split(destLabels, ",")
 				locKnoxLog.DstNamespace = destNs
@@ -613,7 +613,8 @@ func ConvertKubeArmorNetLogToKnoxNetLog(kaNwLogs []*pb.Log) []types.KnoxNetworkL
 			locKnoxLog.SynFlag = true
 		} else if strings.Contains(kalog.Data, "SYS_BIND") {
 			var port string
-			locKnoxLog.Protocol = libs.IPProtocolUDP
+			// TODO : Identify a way to get protocol from kubearmor
+			// locKnoxLog.Protocol = libs.IPProtocolUDP
 
 			resSlice := strings.Split(kalog.Resource, " ")
 			for _, v := range resSlice {
@@ -636,6 +637,10 @@ func ConvertKubeArmorNetLogToKnoxNetLog(kaNwLogs []*pb.Log) []types.KnoxNetworkL
 			locKnoxLog.Action = "Allow"
 		}
 
+		if locKnoxLog.Protocol == 0 && locKnoxLog.DstPort == 0 && len(locKnoxLog.DstReservedLabels) == 0 {
+			continue
+		}
+
 		results = append(results, locKnoxLog)
 	}