diff --git a/src/networkpolicy/networkPolicy.go b/src/networkpolicy/networkPolicy.go index 6e629c9e..a6b4e038 100644 --- a/src/networkpolicy/networkPolicy.go +++ b/src/networkpolicy/networkPolicy.go @@ -1816,19 +1816,19 @@ func convertKnoxNetworkLogToKnoxNetworkPolicy(log *types.KnoxNetworkLog, pods [] ePolicy, iPolicy := buildNewKnoxEgressPolicy(), buildNewKnoxIngressPolicy() // 1.1 Set the endpoint selector - ePolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.SrcPodName, pods) - iPolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods) + ePolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods) + iPolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.SrcPodName, pods) // 1.2 Set the to/from Endpoint selector egress := types.Egress{} ingress := types.Ingress{} - egress.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods) - ingress.MatchLabels = getEndpointMatchLabels(log.SrcPodName, pods) + egress.MatchLabels = getEndpointMatchLabels(log.SrcPodName, pods) + ingress.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods) if log.SrcNamespace != log.DstNamespace { // cross namespace policy - egress.MatchLabels["io.kubernetes.pod.namespace"] = log.DstNamespace - ingress.MatchLabels["io.kubernetes.pod.namespace"] = log.SrcNamespace + egress.MatchLabels["io.kubernetes.pod.namespace"] = log.SrcNamespace + ingress.MatchLabels["io.kubernetes.pod.namespace"] = log.DstNamespace } // 1.3 Set the dst port/protocol @@ -1854,8 +1854,8 @@ func convertKnoxNetworkLogToKnoxNetworkPolicy(log *types.KnoxNetworkLog, pods [] ePolicy.Spec.Egress = append(ePolicy.Spec.Egress, egress) iPolicy.Spec.Ingress = append(iPolicy.Spec.Ingress, ingress) - ePolicy.Metadata["namespace"] = log.SrcNamespace - iPolicy.Metadata["namespace"] = log.DstNamespace + ePolicy.Metadata["namespace"] = log.DstNamespace + iPolicy.Metadata["namespace"] = log.SrcNamespace egressPolicy = &ePolicy ingressPolicy = &iPolicy 
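Review bot: After the swap the egress policy's endpoint selector is `log.DstPodName` and its peer is `log.SrcPodName`, so the egress rule is attached to the pod that receives the connection while the `// 1.3` section below still carries the destination port; nothing in the hunk explains why the direction is reversed. If `SrcPodName` is the pod that emitted the log (not visible here), the new assignment fits bind/accept style records (ingress on the listening pod) but inverts connect records, where the connecting pod should get the egress policy — a comment above `// 1.1` such as `// NOTE: Src is the monitored pod's peer; the egress policy is therefore attached to DstPodName` should state the convention, or the previous assignment was the correct one. Separately, in the cross-namespace branch the peer selector would contain only `io.kubernetes.pod.namespace` when `getEndpointMatchLabels` returns no labels, which selects every pod in that namespace; a `len(egress.MatchLabels) == 0` check before adding the namespace key avoids emitting a namespace-wide peer. The function starts outside the hunk.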
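Review bot: `ePolicy.Metadata["namespace"]` now comes from `log.DstNamespace`, which the KubeArmor converter in this diff populates only when the destination IP resolved to a pod or service; for any other destination the egress policy would carry an empty namespace unless something before this hunk filters such logs. Either add a guard that skips policy generation when `log.DstNamespace == ""` (the function's return shape starts outside the hunk, so the exact form depends on it) or add a comment naming where empty destinations are rejected, e.g. `// DstNamespace is guaranteed non-empty here: external destinations are dropped in the KubeArmor converter`.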
diff --git a/src/plugin/k8sNetwork.go b/src/plugin/k8sNetwork.go index 49e0df8c..488baf22 100644 --- a/src/plugin/k8sNetwork.go +++ b/src/plugin/k8sNetwork.go @@ -27,7 +27,9 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN k8NetPol.Kind = types.K8sNwPolicyKind k8NetPol.Name = knp.Metadata["name"] k8NetPol.Namespace = knp.Metadata["namespace"] - k8NetPol.Labels = knp.Spec.Selector.MatchLabels + k8NetPol.Spec.PodSelector = metav1.LabelSelector{ + MatchLabels: knp.Spec.Selector.MatchLabels, + } if len(knp.Spec.Egress) > 0 { for _, eg := range knp.Spec.Egress { @@ -50,14 +52,13 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN Type: intstr.Int, IntVal: int32(portVal), }, - Protocol: &protocol, - } - } else { - port = nv1.NetworkPolicyPort{ - Protocol: &protocol, } } + if protocol != "" { + port.Protocol = &protocol + } + if len(eg.MatchLabels) > 0 { to = nv1.NetworkPolicyPeer{ PodSelector: &metav1.LabelSelector{ @@ -69,11 +70,13 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN egressRule.To = nil } - egressRule.Ports = append(egressRule.Ports, port) + if portVal == 0 && protocol == "" { + continue + } + egressRule.Ports = append(egressRule.Ports, port) k8NetPol.Spec.Egress = append(k8NetPol.Spec.Egress, egressRule) } - k8NetPol.Spec.PolicyTypes = append(k8NetPol.Spec.PolicyTypes, nv1.PolicyType(nv1.PolicyTypeEgress)) } @@ -98,14 +101,13 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN Type: intstr.Int, IntVal: int32(portVal), }, - Protocol: &protocol, - } - } else { - port = nv1.NetworkPolicyPort{ - Protocol: &protocol, } } + if protocol != "" { + port.Protocol = &protocol + } + if len(ing.MatchLabels) > 0 { from = nv1.NetworkPolicyPeer{ PodSelector: &metav1.LabelSelector{ 
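Review bot: The new `PodSelector` is built unconditionally from `knp.Spec.Selector.MatchLabels`, and in Kubernetes an empty `podSelector` matches every pod in the namespace, so a Knox policy whose selector came back empty would be widened into a namespace-wide NetworkPolicy. Whether an empty selector can reach this point depends on callers outside the hunk, but a guard is cheap, assuming this sits inside the `range` over the Knox policies: `if len(knp.Spec.Selector.MatchLabels) == 0 { continue }` before the assignment, or a comment stating why empty is impossible. The function begins outside the hunk.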
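Review bot: `if protocol != "" { port.Protocol = &protocol }` leaves `Protocol` nil for an empty string, and Kubernetes defaults an unset `protocol` to TCP, so a rule whose protocol could not be determined silently becomes a TCP rule — relevant because the KubeArmor converter in this same diff stops setting UDP for SYS_BIND. The symmetric case is also widening: when `portVal == 0` but a protocol is present, `Port` stays nil, which matches every port of that protocol. Where `protocol` is declared is outside the hunk; if it is declared once outside the `range` loop, `&protocol` aliases the same variable across iterations and the last value wins for every port, which is worth confirming. A comment above the check such as `// nil Protocol => Kubernetes assumes TCP; nil Port => every port of that protocol` would make the widening explicit; the ingress copy at the @@ -98 hunk has the same shape.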
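Review bot: The new `continue` skips appending the egress rule, but `k8NetPol.Spec.PolicyTypes` still receives `Egress` whenever the Knox policy had egress entries, and a NetworkPolicy with `policyTypes: [Egress]` and no `egress` rules denies all egress from the selected pods; a policy whose entries all lacked both port and protocol therefore flips from allow-list to default-deny. Gate the policy type on what was actually emitted: `if len(k8NetPol.Spec.Egress) > 0 { k8NetPol.Spec.PolicyTypes = append(k8NetPol.Spec.PolicyTypes, nv1.PolicyType(nv1.PolicyTypeEgress)) }`. The retained `egressRule.To = nil` branch above emits a rule with no peer, which Kubernetes reads as any destination; that predates this change but deserves a one-line comment so the any-destination rule is clearly intentional.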
@@ -117,14 +119,16 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN ingressRule.From = nil } - ingressRule.Ports = append(ingressRule.Ports, port) + if portVal == 0 && protocol == "" { + continue + } + ingressRule.Ports = append(ingressRule.Ports, port) k8NetPol.Spec.Ingress = append(k8NetPol.Spec.Ingress, ingressRule) } k8NetPol.Spec.PolicyTypes = append(k8NetPol.Spec.PolicyTypes, nv1.PolicyType(nv1.PolicyTypeIngress)) } - k8NetPol.Spec.PodSelector.MatchLabels = k8NetPol.Labels res = append(res, k8NetPol) } diff --git a/src/plugin/kubearmor.go b/src/plugin/kubearmor.go index 5ace5568..9bf0300a 100644 --- a/src/plugin/kubearmor.go +++ b/src/plugin/kubearmor.go @@ -603,7 +603,7 @@ func ConvertKubeArmorNetLogToKnoxNetLog(kaNwLogs []*pb.Log) []types.KnoxNetworkL } destPod, destLabels, destNs := cluster.ExtractPodSvcInfoFromIP(ip, kalog.ClusterName, pods, services) - if ip != destPod && strings.Contains(destPod, "pod") { + if ip != destPod && (strings.Contains(destPod, "pod") || strings.Contains(destPod, "svc")) { locKnoxLog.DstPodName = strings.Split(destPod, "/")[1] locKnoxLog.DstReservedLabels = strings.Split(destLabels, ",") locKnoxLog.DstNamespace = destNs @@ -613,7 +613,8 @@ func ConvertKubeArmorNetLogToKnoxNetLog(kaNwLogs []*pb.Log) []types.KnoxNetworkL locKnoxLog.SynFlag = true } else if strings.Contains(kalog.Data, "SYS_BIND") { var port string - locKnoxLog.Protocol = libs.IPProtocolUDP + // TODO : Identify a way to get protocol from kubearmor + // locKnoxLog.Protocol = libs.IPProtocolUDP resSlice := strings.Split(kalog.Resource, " ") for _, v := range resSlice { @@ -636,6 +637,10 @@ func ConvertKubeArmorNetLogToKnoxNetLog(kaNwLogs []*pb.Log) []types.KnoxNetworkL locKnoxLog.Action = "Allow" } + if locKnoxLog.Protocol == 0 && locKnoxLog.DstPort == 0 && len(locKnoxLog.DstReservedLabels) == 0 { + continue + } + results = append(results, locKnoxLog) }
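Review bot: As on the egress side, the new `continue` can leave `k8NetPol.Spec.Ingress` empty while `PolicyTypeIngress` is still appended below it, and a NetworkPolicy with `policyTypes: [Ingress]` and no `ingress` rules isolates the selected pods from all inbound traffic. Wrap the append: `if len(k8NetPol.Spec.Ingress) > 0 { k8NetPol.Spec.PolicyTypes = append(k8NetPol.Spec.PolicyTypes, nv1.PolicyType(nv1.PolicyTypeIngress)) }`. The kept `ingressRule.From = nil` branch likewise produces an any-source rule; a comment such as `// no peer labels: rule allows ingress from any source` would record that this is deliberate.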
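Review bot: The widened condition now lets a `svc` match into the branch, but `strings.Split(destPod, "/")[1]` still assumes a `kind/name` string and panics with an index out of range if `ExtractPodSvcInfoFromIP` ever returns a value without a slash; that helper is outside the hunk, so this is a hedge. `strings.Contains` is also a substring test, so a pod or service whose name merely contains `pod` or `svc` matches regardless of its kind. If the helper's format is `kind/name`, prefer `kind, name, ok := strings.Cut(destPod, "/")` (or `SplitN` with a length check) and `if ip != destPod && ok && (kind == "pod" || kind == "svc") { locKnoxLog.DstPodName = name ... }`. For a service match the stored labels and namespace are the service's, which the policy converter then uses as a pod peer selector — a comment on whether that is intended would help the next reader.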
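Review bot: Commenting out `locKnoxLog.Protocol = libs.IPProtocolUDP` leaves `Protocol` at its zero value for SYS_BIND logs, and if the k8s converter maps that to an empty protocol string (the mapping is outside the hunk) the new `if protocol != ""` there omits `protocol`, which Kubernetes treats as TCP; a UDP bind would then yield a TCP ingress rule that does not cover the observed traffic and permits a protocol that was never seen. Until the protocol is recoverable from KubeArmor, either keep the UDP default or drop SYS_BIND records without a protocol rather than emitting a wrong rule. Replace the bare TODO with one that records the consequence, e.g. `// TODO: protocol unknown for SYS_BIND; leaving it 0 makes the k8s converter default to TCP`. The enclosing function continues outside the hunk.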
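Review bot: The new filter treats `len(locKnoxLog.DstReservedLabels) == 0` as "no labels", but `DstReservedLabels` is produced by `strings.Split(destLabels, ",")` in the hunk above, and `strings.Split("", ",")` returns a one-element slice `[""]`, so a resolved destination with an empty label string passes the filter carrying a single empty label instead of being dropped. Whether `ExtractPodSvcInfoFromIP` can return an empty label string is outside the hunk. A safer construction at the assignment site is `strings.FieldsFunc(destLabels, func(r rune) bool { return r == ',' })`, which yields an empty slice for an empty string and makes this length check mean what it says.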