From ebeb19267b5dd00fd3af1b63056b4f67a4ef38f1 Mon Sep 17 00:00:00 2001
From: Eswar Rajan <89014588+seswarrajan@users.noreply.github.com>
Date: Tue, 3 Jan 2023 15:34:59 +0530
Subject: [PATCH] Add podSelector.MatchLables to labels in Spec (#641)

* Add podSelector.MatchLables to labels in Spec
* Port and protocol values addition on valid data
* Ignore empty policies
* Correct egress/ingress rule

Signed-off-by: Eswar Rajan Subramanian
---
 src/networkpolicy/networkPolicy.go | 16 +++++++-------
 src/plugin/k8sNetwork.go | 34 +++++++++++++++++-------------
 src/plugin/kubearmor.go | 9 ++++++--
 3 files changed, 34 insertions(+), 25 deletions(-)

diff --git a/src/networkpolicy/networkPolicy.go b/src/networkpolicy/networkPolicy.go
index 6e629c9e..a6b4e038 100644
--- a/src/networkpolicy/networkPolicy.go
+++ b/src/networkpolicy/networkPolicy.go
@@ -1816,19 +1816,19 @@ func convertKnoxNetworkLogToKnoxNetworkPolicy(log *types.KnoxNetworkLog, pods [] ePolicy, iPolicy := buildNewKnoxEgressPolicy(), buildNewKnoxIngressPolicy() // 1.1 Set the endpoint selector - ePolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.SrcPodName, pods) - iPolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods) + ePolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods) + iPolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.SrcPodName, pods) // 1.2 Set the to/from Endpoint selector egress := types.Egress{} ingress := types.Ingress{} - egress.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods) - ingress.MatchLabels = getEndpointMatchLabels(log.SrcPodName, pods) + egress.MatchLabels = getEndpointMatchLabels(log.SrcPodName, pods) + ingress.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods) if log.SrcNamespace != log.DstNamespace { // cross namespace policy - egress.MatchLabels["io.kubernetes.pod.namespace"] = log.DstNamespace - ingress.MatchLabels["io.kubernetes.pod.namespace"] = log.SrcNamespace + egress.MatchLabels["io.kubernetes.pod.namespace"] = log.SrcNamespace + ingress.MatchLabels["io.kubernetes.pod.namespace"] = log.DstNamespace } // 1.3 Set the dst port/protocol @@ -1854,8 +1854,8 @@ func convertKnoxNetworkLogToKnoxNetworkPolicy(log *types.KnoxNetworkLog, pods [] ePolicy.Spec.Egress = append(ePolicy.Spec.Egress, egress) iPolicy.Spec.Ingress = append(iPolicy.Spec.Ingress, ingress) - ePolicy.Metadata["namespace"] = log.SrcNamespace - iPolicy.Metadata["namespace"] = log.DstNamespace + ePolicy.Metadata["namespace"] = log.DstNamespace + iPolicy.Metadata["namespace"] = log.SrcNamespace egressPolicy = &ePolicy ingressPolicy = &iPolicy diff --git a/src/plugin/k8sNetwork.go b/src/plugin/k8sNetwork.go index 49e0df8c..488baf22 100644 --- a/src/plugin/k8sNetwork.go +++ b/src/plugin/k8sNetwork.go 
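Review bot: After the swap in step 1.1 the egress policy selects the destination pod (`ePolicy.Spec.Selector.MatchLabels = getEndpointMatchLabels(log.DstPodName, pods)`) while its egress peer in 1.2 is the source pod, which is the reverse of Kubernetes semantics, where podSelector names the sender and the egress peer names the receiver. In the kubearmor.go conversion later in this patch, DstPodName is resolved from the IP that a SYS_CONNECT targets, so SrcPodName appears to be the connecting pod; if that reading is right, the new egress policy is attached to the server and the ingress policy to the client, and the generated pair would restrict the opposite direction rather than describe the observed flow. If the KnoxNetworkLog src/dst fields are deliberately recorded from the peer's point of view, a comment above step 1.1 such as `// Knox logs name the remote endpoint as Src; egress therefore selects Dst` would stop the next reader from "correcting" this again. The same inversion is carried into the namespace metadata in the next hunk, and convertKnoxNetworkLogToKnoxNetworkPolicy continues past both edges of this hunk.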
@@ -27,7 +27,9 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN k8NetPol.Kind = types.K8sNwPolicyKind k8NetPol.Name = knp.Metadata["name"] k8NetPol.Namespace = knp.Metadata["namespace"] - k8NetPol.Labels = knp.Spec.Selector.MatchLabels + k8NetPol.Spec.PodSelector = metav1.LabelSelector{ + MatchLabels: knp.Spec.Selector.MatchLabels, + } if len(knp.Spec.Egress) > 0 { for _, eg := range knp.Spec.Egress { @@ -50,14 +52,13 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN Type: intstr.Int, IntVal: int32(portVal), }, - Protocol: &protocol, - } - } else { - port = nv1.NetworkPolicyPort{ - Protocol: &protocol, } } + if protocol != "" { + port.Protocol = &protocol + } + if len(eg.MatchLabels) > 0 { to = nv1.NetworkPolicyPeer{ PodSelector: &metav1.LabelSelector{ @@ -69,11 +70,13 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN egressRule.To = nil } - egressRule.Ports = append(egressRule.Ports, port) + if portVal == 0 && protocol == "" { + continue + } + egressRule.Ports = append(egressRule.Ports, port) k8NetPol.Spec.Egress = append(k8NetPol.Spec.Egress, egressRule) } - k8NetPol.Spec.PolicyTypes = append(k8NetPol.Spec.PolicyTypes, nv1.PolicyType(nv1.PolicyTypeEgress)) } @@ -98,14 +101,13 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN Type: intstr.Int, IntVal: int32(portVal), }, - Protocol: &protocol, - } - } else { - port = nv1.NetworkPolicyPort{ - Protocol: &protocol, } } + if protocol != "" { + port.Protocol = &protocol + } + if len(ing.MatchLabels) > 0 { from = nv1.NetworkPolicyPeer{ PodSelector: &metav1.LabelSelector{ 
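Review bot: An empty `knp.Spec.Selector.MatchLabels` now produces an empty `PodSelector`, which Kubernetes interprets as "every pod in the namespace", so a single Knox policy with no selector labels becomes a namespace-wide allow-list that denies all other traffic for every pod as soon as a PolicyType is appended. The previous `Labels` path had the same exposure, but this hunk is where the selector is built and is the natural place to guard it: `if len(knp.Spec.Selector.MatchLabels) == 0 { continue }` (or log and skip) before the `k8NetPol.Spec.PodSelector` assignment, assuming the surrounding per-policy loop whose header is outside the hunk. The map is also shared by reference with `knp`, so a later mutation of either side is visible in the other; copying it when building the selector would decouple the two objects.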
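Review bot: With the `else` branch removed, `port` is no longer assigned at all when `portVal == 0`; if `port` is declared before the egress loop rather than per iteration (its declaration is outside this hunk), the `Port` field set by an earlier rule survives into this one and a protocol-only rule silently inherits a stale port number. Resetting it at the top of each iteration, `port = nv1.NetworkPolicyPort{}`, before the branch that fills in `Port` removes the dependence on where the variable lives. The `int32(portVal)` conversion is also unchecked; a bounds check against 65535 before the struct is built would keep a malformed Knox port from producing an invalid NetworkPolicyPort.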
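Review bot: The `-` marker at the end of this hunk sits in front of `k8NetPol.Spec.PolicyTypes = append(k8NetPol.Spec.PolicyTypes, nv1.PolicyType(nv1.PolicyTypeEgress))`; if that line was removed rather than an adjacent blank line (the collapsed layout does not say which), a policy carrying both egress and ingress rules ends up with `policyTypes: [Ingress]` only and Kubernetes ignores its egress rules entirely, which is fail-open for the selected pods, while an egress-only policy still works because of API defaulting. Separately, the new `continue` runs after `to` was computed and drops an egress rule that has peer `MatchLabels` but neither port nor protocol, i.e. an "all ports to these pods" allow; if such rules are valid Knox output, skip only the port and keep the rule: `if portVal != 0 || protocol != "" { egressRule.Ports = append(egressRule.Ports, port) }`. Whichever way the PolicyTypes line went, appending it only when `len(k8NetPol.Spec.Egress) > 0` avoids an egress-type policy with no egress rules, which is a deny-all-egress in Kubernetes.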
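Review bot: The ingress peer started at the end of this hunk is a `PodSelector` only, and its `MatchLabels` assignment lies past the hunk edge; if it copies `ing.MatchLabels` verbatim, the `io.kubernetes.pod.namespace` key that networkPolicy.go adds for cross-namespace flows is matched as a pod label, which ordinary pods do not carry, so a cross-namespace peer matches no pod, the rule allows nothing, and the policy still denies everything else for the selected pods. A Kubernetes peer needs that key pulled out into a `NamespaceSelector` (e.g. on `kubernetes.io/metadata.name`, where the cluster version provides it) with the remaining keys left in the `PodSelector`. The egress peer built in the earlier hunk has the same shape and would need the same translation.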
@@ -117,14 +119,16 @@ func ConvertKnoxNetPolicyToK8sNetworkPolicy(clustername, namespace string, knoxN ingressRule.From = nil } - ingressRule.Ports = append(ingressRule.Ports, port) + if portVal == 0 && protocol == "" { + continue + } + ingressRule.Ports = append(ingressRule.Ports, port) k8NetPol.Spec.Ingress = append(k8NetPol.Spec.Ingress, ingressRule) } k8NetPol.Spec.PolicyTypes = append(k8NetPol.Spec.PolicyTypes, nv1.PolicyType(nv1.PolicyTypeIngress)) } - k8NetPol.Spec.PodSelector.MatchLabels = k8NetPol.Labels res = append(res, k8NetPol) } diff --git a/src/plugin/kubearmor.go b/src/plugin/kubearmor.go index 5ace5568..9bf0300a 100644 --- a/src/plugin/kubearmor.go +++ b/src/plugin/kubearmor.go @@ -603,7 +603,7 @@ func ConvertKubeArmorNetLogToKnoxNetLog(kaNwLogs []*pb.Log) []types.KnoxNetworkL } destPod, destLabels, destNs := cluster.ExtractPodSvcInfoFromIP(ip, kalog.ClusterName, pods, services) - if ip != destPod && strings.Contains(destPod, "pod") { + if ip != destPod && (strings.Contains(destPod, "pod") || strings.Contains(destPod, "svc")) { locKnoxLog.DstPodName = strings.Split(destPod, "/")[1] locKnoxLog.DstReservedLabels = strings.Split(destLabels, ",") locKnoxLog.DstNamespace = destNs @@ -613,7 +613,8 @@ func ConvertKubeArmorNetLogToKnoxNetLog(kaNwLogs []*pb.Log) []types.KnoxNetworkL locKnoxLog.SynFlag = true } else if strings.Contains(kalog.Data, "SYS_BIND") { var port string - locKnoxLog.Protocol = libs.IPProtocolUDP + // TODO : Identify a way to get protocol from kubearmor + // locKnoxLog.Protocol = libs.IPProtocolUDP resSlice := strings.Split(kalog.Resource, " ") for _, v := range resSlice { @@ -636,6 +637,10 @@ func ConvertKubeArmorNetLogToKnoxNetLog(kaNwLogs []*pb.Log) []types.KnoxNetworkL locKnoxLog.Action = "Allow" } + if locKnoxLog.Protocol == 0 && locKnoxLog.DstPort == 0 && len(locKnoxLog.DstReservedLabels) == 0 { + continue + } + results = append(results, locKnoxLog) }
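Review bot: When every ingress rule hits the new `continue`, the loop still appends `PolicyTypeIngress` and the policy is still added to `res` with an empty `Ingress` list, which Kubernetes enforces as deny-all-ingress for the selected pods — the opposite of the "ignore empty policies" intent. Gate the PolicyType on rules actually surviving, `if len(k8NetPol.Spec.Ingress) > 0 { k8NetPol.Spec.PolicyTypes = append(k8NetPol.Spec.PolicyTypes, nv1.PolicyType(nv1.PolicyTypeIngress)) }`, and skip the `res = append(res, k8NetPol)` when both `Ingress` and `Egress` came out empty. As in the egress hunk, the `continue` also runs after `from` was computed, so a rule with only peer labels and no port is discarded instead of being emitted as an all-ports allow from those pods.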
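Review bot: The widened condition still feeds `strings.Split(destPod, "/")[1]`, and `strings.Contains` is a substring test over the whole returned string, so any resolved name containing `svc` or `pod` anywhere takes this branch whether or not a `/` is present, and a value without one panics on the index. If ExtractPodSvcInfoFromIP returns a `kind/name` string, as its name and the split suggest but the hunk does not show, `kind, name, ok := strings.Cut(destPod, "/")` followed by `if ok && ip != destPod && (kind == "pod" || kind == "svc") {` makes both the prefix and the separator explicit (strings.Cut needs Go 1.18). A service hit also stores the service name in `DstPodName`, which networkPolicy.go then passes to getEndpointMatchLabels against the pod list; if that lookup yields no labels, the resulting selector is empty and the k8s conversion would select every pod in the namespace.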
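Review bot: With `Protocol` left at its zero value for SYS_BIND logs, the entry presumably reaches ConvertKnoxNetPolicyToK8sNetworkPolicy with an empty protocol string, and a NetworkPolicyPort that names a port but no `Protocol` is defaulted to TCP by the Kubernetes API, so a UDP listener observed via bind would be rendered as a TCP allow while the real UDP traffic stays blocked. The TODO should record that consequence, e.g. `// TODO: KubeArmor bind logs carry no protocol; leaving it unset becomes an empty protocol downstream, which Kubernetes defaults to TCP`, and until the protocol is recoverable the safer options are to emit both TCP and UDP ports for protocol-less bind entries or to keep the previous UDP default with a comment explaining the trade-off. The enclosing function continues outside the hunk.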
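Review bot: The third clause of the new guard cannot fire once a destination was resolved: `strings.Split(destLabels, ",")` on an empty `destLabels` returns the one-element slice `[""]`, so `len(locKnoxLog.DstReservedLabels) == 0` holds only when the destination branch never ran, and a log with a resolved but label-less destination (if ExtractPodSvcInfoFromIP can return one) passes the filter and yields a policy with no usable peer selector. Treat the empty element as empty too: `if locKnoxLog.Protocol == 0 && locKnoxLog.DstPort == 0 && (len(locKnoxLog.DstReservedLabels) == 0 || locKnoxLog.DstReservedLabels[0] == "") {`. Skipped logs are also dropped silently; a debug log at the `continue` would make the "ignore empty" behaviour observable when an expected policy never appears. The enclosing loop header is outside the hunk.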