From 6af9ebca1b621b14e2903e8163c61f379e6dd2ef Mon Sep 17 00:00:00 2001 From: seungsoo-lee Date: Wed, 20 Jan 2021 10:50:33 +0000 Subject: [PATCH 1/3] Update cluster_name in policy Description Fixes: #0 --- database/mysql/init/flow_management.sql | 3 +- src/core/configManager.go | 7 +---- src/core/networkPolicy.go | 40 +++++++++--------------- src/libs/k8shandler.go | 41 +++++++++++++++++++++++++ src/libs/mysqlHandler.go | 17 +++++----- 5 files changed, 67 insertions(+), 41 deletions(-) diff --git a/database/mysql/init/flow_management.sql b/database/mysql/init/flow_management.sql index e73e9c34..11f4053f 100644 --- a/database/mysql/init/flow_management.sql +++ b/database/mysql/init/flow_management.sql @@ -31,17 +31,16 @@ CREATE TABLE IF NOT EXISTS `network_flow` ( CREATE TABLE IF NOT EXISTS `discovered_policy` ( `id` int NOT NULL AUTO_INCREMENT, - `apiVersion` varchar(20) DEFAULT NULL, `kind` varchar(20) DEFAULT NULL, `name` varchar(50) DEFAULT NULL, + `cluster_name` varchar(50) DEFAULT NULL, `namespace` varchar(50) DEFAULT NULL, `type` varchar(10) DEFAULT NULL, `rule` varchar(30) DEFAULT NULL, `status` varchar(10) DEFAULT NULL, `outdated` varchar(50) DEFAULT NULL, `spec` JSON DEFAULT NULL, - `generatedTime` int DEFAULT NULL, PRIMARY KEY (`id`) ); diff --git a/src/core/configManager.go b/src/core/configManager.go index d9a745a1..7b17831c 100644 --- a/src/core/configManager.go +++ b/src/core/configManager.go 
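Review bot: The schema change to `discovered_policy` lives only in a `CREATE TABLE IF NOT EXISTS` statement, which does nothing on an existing database, so any upgraded deployment keeps the old column set and the INSERTs that now name `cluster_name` will fail until someone edits the table by hand. Add a migration step, e.g. `ALTER TABLE discovered_policy ADD COLUMN cluster_name varchar(50) DEFAULT NULL AFTER name;` together with matching `DROP COLUMN` statements for `apiVersion` and `generatedTime`, or have the service verify a schema version at startup. A comment on the table listing the columns in the order the Go scanner expects would also help, since the Scan call in mysqlHandler.go depends on column order.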
@@ -110,12 +110,7 @@ func LoadDefaultConfig() { // ignoring flows skipNamespacesStr := libs.GetEnv("IGNORING_SELECTOR_NAMESPACES", "") igFlow1 := types.IgnoringFlows{IgSelectorNamespaces: strings.Split(skipNamespacesStr, "|")} - igFlow2 := types.IgnoringFlows{ - IgSelectorLabels: []string{"pod-template-hash", - "controller-revision-hash", // from istana robot-shop - "statefulset.kubernetes.io/pod-name"}, // from istana robot-shop - } - Cfg.IgnoringFlows = []types.IgnoringFlows{igFlow1, igFlow2} + Cfg.IgnoringFlows = []types.IgnoringFlows{igFlow1} // aggregation level Cfg.L3AggregationLevel = 3 diff --git a/src/core/networkPolicy.go b/src/core/networkPolicy.go index 57645d17..19cc9bc3 100644 --- a/src/core/networkPolicy.go +++ b/src/core/networkPolicy.go @@ -1002,21 +1002,6 @@ func mergingSrcByLabels(perDstSrcLabel map[Dst][]SrcSimple) map[Dst][]string { // == Step 2: Replacing Src to Labeled == // // ====================================== // -// isIgnoringFlowLabels Function -func isIgnoringFlowLabels(label string) bool { - for _, igFlows := range Cfg.IgnoringFlows { - if igFlows.IgSelectorLabels == nil { - continue - } - - if libs.ContainsElement(igFlows.IgSelectorLabels, strings.Split(label, "=")[0]) { - return true - } - } - - return false -} - // getMergedLabels Function func getMergedLabels(namespace, podName string, pods []types.Pod) string { mergedLabels := "" @@ -1029,9 +1014,7 @@ func getMergedLabels(namespace, podName string, pods []types.Pod) string { for _, label := range pod.Labels { /* TODO: do we need to skip the hash labels? */ - if !isIgnoringFlowLabels(label) { - labels = append(labels, label) - } + labels = append(labels, label) } sort.Slice(labels, func(i, j int) bool { 
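Review bot: The `/* TODO: do we need to skip the hash labels? */` comment left above the now unconditional `labels = append(labels, label)` in getMergedLabels is stale: this patch moves the hash-label filtering into libs.GetPods via `skipLabelKey`, so labels arriving here are already filtered. Replace it with a comment that records where the filtering happens, e.g. `// pod-template-hash and friends are already dropped in libs.GetPods`, otherwise the next reader will re-add a filter here. Note also that the skip list stops being configurable through IgnoringFlows with this change and becomes a hard-coded list in libs, which deserves a line in the commit message. getMergedLabels starts and ends outside this hunk.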
@@ -1481,6 +1464,7 @@ func mergingDstByLabels(mergedSrcPerMergedProtoDst map[string][]MergedPortDst, p // generatePolicyName Function func generatePolicyName(networkPolicies []types.KnoxNetworkPolicy) []types.KnoxNetworkPolicy { + clusterName := libs.GetClusterName() autoPolicyNames := []string{} newPolicies := []types.KnoxNetworkPolicy{} @@ -1507,6 +1491,7 @@ func generatePolicyName(networkPolicies []types.KnoxNetworkPolicy) []types.KnoxN autoPolicyNames = append(autoPolicyNames, newName) newPolicies[i].Metadata["name"] = newName + newPolicies[i].Metadata["cluster_name"] = clusterName } return newPolicies @@ -1688,17 +1673,20 @@ func StartToDiscoveryWorker() { // insert discovered policies to db libs.InsertDiscoveredPolicies(Cfg.ConfigDB, newPolicies) - // retrieve the latest policies from the db - policies := libs.GetNetworkPolicies(Cfg.ConfigDB, namespace, "latest") + if strings.Contains(Cfg.DiscoveredPolicyTo, "file") { + + // retrieve the latest policies from the db + policies := libs.GetNetworkPolicies(Cfg.ConfigDB, namespace, "latest") - // convert knoxPolicy to CiliumPolicy - // ciliumPolicies := plugin.ConvertKnoxPoliciesToCiliumPolicies(services, policies) + // convert knoxPolicy to CiliumPolicy + ciliumPolicies := plugin.ConvertKnoxPoliciesToCiliumPolicies(services, policies) - // write discovered policies to files - // libs.WriteCiliumPolicyToYamlFile(namespace, ciliumPolicies) + // write discovered policies to files + libs.WriteCiliumPolicyToYamlFile(namespace, ciliumPolicies) - // write discovered policies to files - libs.WriteKnoxPolicyToYamlFile(namespace, policies) + // write discovered policies to files + libs.WriteKnoxPolicyToYamlFile(namespace, policies) + } log.Info().Msgf("Policy discovery done for namespace: [%s], [%d] policies discovered", namespace, len(newPolicies)) } else { diff --git a/src/libs/k8shandler.go b/src/libs/k8shandler.go index 6a3cfaa7..058711bc 100644 --- a/src/libs/k8shandler.go +++ b/src/libs/k8shandler.go 
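Review bot: `clusterName := libs.GetClusterName()` at the top of generatePolicyName performs a Kubernetes API call (a List of every ConfigMap in kube-system) each time the function runs, although the cluster name cannot change for the lifetime of the process. Resolve it once, in LoadDefaultConfig or behind a `sync.Once` inside libs.GetClusterName, and read the cached value here; that also removes a network round-trip and an error path from the policy-naming loop. In the StartToDiscoveryWorker hunk, `strings.Contains(Cfg.DiscoveredPolicyTo, "file")` is a substring test, so any value that merely contains `file` turns on YAML output; if DiscoveredPolicyTo is a delimited list, split it and compare whole tokens. Both generatePolicyName and StartToDiscoveryWorker continue outside these hunks.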
@@ -156,6 +156,10 @@ func GetNamespaces() []string { // == Container Group (Pod) == // // =========================== // +var skipLabelKey []string = []string{"pod-template-hash", // common k8s hash label + "controller-revision-hash", // from istana robot-shop + "statefulset.kubernetes.io/pod-name"} // from istana robot-shop + // GetPods Function func GetPods() []types.Pod { results := []types.Pod{} @@ -181,6 +185,11 @@ func GetPods() []types.Pod { } for k, v := range pod.Labels { + // skip hash or microservice default label key + if ContainsElement(skipLabelKey, k) { + continue + } + group.Labels = append(group.Labels, k+"="+v) } @@ -383,3 +392,35 @@ func GetEndpoints() []types.Endpoint { return results } + +// GetClusterName ... (GKE only) +func GetClusterName() string { + client := ConnectK8sClient() + if client == nil { + return "default" + } + + // get pods from k8s api client + configMaps, err := client.CoreV1().ConfigMaps("kube-system").List(context.Background(), metav1.ListOptions{}) + if err != nil { + log.Error().Msg(err.Error()) + return "default" + } + + for _, configMap := range configMaps.Items { + if configMap.GetName() == "gke-metrics-agent-conf" { + for _, v := range configMap.Data { + lines := strings.Split(v, "\n") + for _, line := range lines { + if strings.Contains(line, "cluster_name:") { + name := strings.TrimSpace(line) + clusterName := strings.Split(name, ": ")[1] + return clusterName + } + } + } + } + } + + return "default" +} diff --git a/src/libs/mysqlHandler.go b/src/libs/mysqlHandler.go index 1b4379da..4759021c 100644 --- a/src/libs/mysqlHandler.go +++ b/src/libs/mysqlHandler.go @@ -166,7 +166,7 @@ func GetNetworkPoliciesFromMySQL(cfg types.ConfigDB, namespace, status string) ( for results.Next() { policy := types.KnoxNetworkPolicy{} - var name, namespace, policyType, rule, status string + var name, clusterName, namespace, policyType, rule, status string specByte := []byte{} spec := types.Spec{} 
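Review bot: `clusterName := strings.Split(name, ": ")[1]` in GetClusterName indexes without checking the split length, so a ConfigMap line such as `cluster_name:` (value on the next line, or empty) passes the `strings.Contains` test and panics the discovery service with an index out of range, and that `Contains` check also matches unrelated keys like `my_cluster_name:` or commented-out lines. The function also Lists every ConfigMap in kube-system when it needs exactly one; a `Get` of `gke-metrics-agent-conf` requires only `get` on that object rather than `list` over a namespace that holds sensitive configuration, and the call should carry a deadline instead of a bare `context.Background()`. The rewrite below parses the key exactly, tolerates a missing value, and bounds the call; it needs `time` imported, and since the value ends up in a varchar(50) column and in policy metadata it is worth capping its length as well. It is still a line-based approximation of YAML (a quoted value keeps its quotes), which the doc comment should state.

```go
// GetClusterName returns the cluster name recorded in the GKE metrics-agent
// ConfigMap (kube-system/gke-metrics-agent-conf), or "default" when the
// ConfigMap is unreachable or has no cluster_name line. The ConfigMap data is
// scanned line by line, not parsed as YAML.
func GetClusterName() string {
	client := ConnectK8sClient()
	if client == nil {
		return "default"
	}

	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	// fetch the one ConfigMap we need instead of listing all of kube-system
	configMap, err := client.CoreV1().ConfigMaps("kube-system").Get(ctx, "gke-metrics-agent-conf", metav1.GetOptions{})
	if err != nil {
		log.Error().Msg(err.Error())
		return "default"
	}

	for _, v := range configMap.Data {
		for _, line := range strings.Split(v, "\n") {
			parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
			if len(parts) != 2 {
				continue // no "key: value" on this line; never index past the slice
			}
			key, value := strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1])
			if key == "cluster_name" && value != "" {
				return value
			}
		}
	}

	return "default"
}
```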
@@ -174,6 +174,7 @@ func GetNetworkPoliciesFromMySQL(cfg types.ConfigDB, namespace, status string) (
 &policy.APIVersion,
 &policy.Kind,
 &name,
+ &clusterName,
 &namespace,
 &policyType,
 &rule,
@@ -190,11 +191,12 @@ func GetNetworkPoliciesFromMySQL(cfg types.ConfigDB, namespace, status string) (
 }
 
 policy.Metadata = map[string]string{
- "name": name,
- "namespace": namespace,
- "type": policyType,
- "rule": rule,
- "status": status,
+ "name": name,
+ "cluster_name": clusterName,
+ "namespace": namespace,
+ "type": policyType,
+ "rule": rule,
+ "status": status,
 }
 
 policy.Spec = spec
@@ -240,7 +242,7 @@ func UpdateOutdatedPolicyFromMySQL(cfg types.ConfigDB, outdatedPolicy string, la
 
 // insertDiscoveredPolicy function
 func insertDiscoveredPolicy(cfg types.ConfigDB, db *sql.DB, policy types.KnoxNetworkPolicy) error {
- stmt, err := db.Prepare("INSERT INTO " + cfg.TableDiscoveredPolicy + "(apiVersion,kind,name,namespace,type,rule,status,outdated,spec,generatedTime) values(?,?,?,?,?,?,?,?,?,?)")
+ stmt, err := db.Prepare("INSERT INTO " + cfg.TableDiscoveredPolicy + "(apiVersion,kind,name,cluster_name,namespace,type,rule,status,outdated,spec,generatedTime) values(?,?,?,?,?,?,?,?,?,?,?)")
 if err != nil {
 return err
 }
@@ -255,6 +257,7 @@ func insertDiscoveredPolicy(cfg types.ConfigDB, db *sql.DB, policy types.KnoxNet
 _, err = stmt.Exec(policy.APIVersion,
 policy.Kind,
 policy.Metadata["name"],
+ policy.Metadata["cluster_name"],
 policy.Metadata["namespace"],
 policy.Metadata["type"],
 policy.Metadata["rule"],
From 718a9b46324674b765d972b7f8d6ebc3e2eff0ae Mon Sep 17 00:00:00 2001
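Review bot: The rebuilt INSERT in insertDiscoveredPolicy still names `apiVersion` and `generatedTime` (eleven columns, eleven placeholders), but this same patch removes both columns from `discovered_policy` in flow_management.sql, so on a fresh schema every insert fails with an unknown-column error and no policy is ever persisted. Either keep the two columns in the schema or drop them here, e.g. `"(kind,name,cluster_name,namespace,type,rule,status,outdated,spec) values(?,?,?,?,?,?,?,?,?)"` with `policy.APIVersion` and the generatedTime argument removed from the Exec call. The Scan in GetNetworkPoliciesFromMySQL has the same exposure: it still reads `&policy.APIVersion` as the first column, so the SELECT's column list (outside this hunk) has to be checked against the new table layout.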
From: seungsoo-lee Date: Wed, 20 Jan 2021 13:37:05 +0000 Subject: [PATCH 2/3] Update ignoring flows Description Fixes: #102 --- scripts/startService.sh | 4 +- src/core/configManager.go | 8 +- src/core/networkPolicy.go | 116 ++++++++++++++++++++-- src/plugin/cilium.go | 19 +++- src/protos/v1/config/config.pb.go | 155 +++++++++++++++--------------- src/protos/v1/config/config.proto | 10 +- src/types/configData.go | 12 +-- 7 files changed, 217 insertions(+), 107 deletions(-) diff --git a/scripts/startService.sh b/scripts/startService.sh index 8168d4d9..2dd09163 100755 --- a/scripts/startService.sh +++ b/scripts/startService.sh @@ -37,6 +37,6 @@ export DISCOVERY_POLICY_TYPES=1 export DISCOVERY_RULE_TYPES=1 # skip namepsace info -export IGNORING_SELECTOR_NAMESPACES="kube-system|knox-auto-policy|cilium|hipster" +export IGNORING_NAMESPACES="kube-system|knox-auto-policy|cilium|hipster" -$KNOX_AUTO_HOME/src/knoxAutoPolicy \ No newline at end of file +$KNOX_AUTO_HOME/src/knoxAutoPolicy diff --git a/src/core/configManager.go b/src/core/configManager.go index 7b17831c..8e22c622 100644 --- a/src/core/configManager.go +++ b/src/core/configManager.go @@ -12,6 +12,9 @@ import ( // Cfg ... var Cfg types.Configuration +// SkipNamespaces ... +var SkipNamespaces []string + func init() { // initially, default -> applied LoadDefaultConfig() @@ -108,9 +111,8 @@ func LoadDefaultConfig() { Cfg.CIDRBits = 32 // ignoring flows - skipNamespacesStr := libs.GetEnv("IGNORING_SELECTOR_NAMESPACES", "") - igFlow1 := types.IgnoringFlows{IgSelectorNamespaces: strings.Split(skipNamespacesStr, "|")} - Cfg.IgnoringFlows = []types.IgnoringFlows{igFlow1} + skipNamespacesStr := libs.GetEnv("IGNORING_NAMESPACES", "") + SkipNamespaces = strings.Split(skipNamespacesStr, "|") // aggregation level Cfg.L3AggregationLevel = 3 diff --git a/src/core/networkPolicy.go b/src/core/networkPolicy.go index 19cc9bc3..4e65bd25 100644 --- a/src/core/networkPolicy.go +++ b/src/core/networkPolicy.go 
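Review bot: Renaming the environment variable from `IGNORING_SELECTOR_NAMESPACES` to `IGNORING_NAMESPACES` in LoadDefaultConfig silently disables namespace skipping for any deployment that still sets the old name: the new lookup returns "", `SkipNamespaces` becomes `[""]`, and kube-system and the other system namespaces start receiving auto-discovered policies. Keep a fallback for one release, e.g. `if skipNamespacesStr == "" { skipNamespacesStr = libs.GetEnv("IGNORING_SELECTOR_NAMESPACES", "") }`, and log at startup which list is in effect. `SkipNamespaces` is also a bare package-level slice written here and read by the discovery worker; if LoadDefaultConfig can be re-run while the worker is active (not visible in this hunk) that is a data race. LoadDefaultConfig continues outside this hunk.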
@@ -1573,19 +1573,112 @@ func DiscoverNetworkPolicies(namespace string, // == Preprocessing == // // ==================== // -// IgnoringNamespace func -func IgnoringNamespace(namespace string) bool { - for _, igFlows := range Cfg.IgnoringFlows { - if igFlows.IgSelectorNamespaces == nil { - continue +// getHaveToCheckItems func +func getHaveToCheckItems(igFlows types.IgnoringFlows) int { + check := 0 + + if igFlows.IgSourceNamespace != "" { + check = check | 1<<0 // 1 + } + + if len(igFlows.IgSourceLabels) > 0 { + check = check | 1<<1 // 2 + } + + if igFlows.IgDestinationNamespace != "" { + check = check | 1<<2 // 4 + } + + if len(igFlows.IgDestinationLabels) > 0 { + check = check | 1<<3 // 8 + } + + if igFlows.IgProtocol != "" { + check = check | 1<<4 // 16 + } + + if igFlows.IgPortNumber != "" { + check = check | 1<<5 // 32 + } + + return check +} + +// containLabels func +func containLabels(cni string, igLabels []string, flowLabels []string) bool { + prefix := "" + + if cni == "cilium" { + prefix = "k8s:" + } + + for _, label := range igLabels { + label = prefix + label + + if !libs.ContainsElement(flowLabels, label) { + return false } + } - if libs.ContainsElement(igFlows.IgSelectorNamespaces, namespace) { - return true + return true +} + +// PrefilterFlows func +func PrefilterFlows(flows []*flow.Flow) []*flow.Flow { + filteredFlows := []*flow.Flow{} + + for _, flow := range flows { + ignored := false + + for _, igFlow := range Cfg.IgnoringFlows { + checkItems := getHaveToCheckItems(igFlow) + + checkedItems := 0 + + // 1. check src namespace + if (checkItems&1 > 0) && igFlow.IgSourceNamespace == flow.Source.Namespace { + checkedItems = checkedItems | 1<<0 + } + + // 2. check src pod labels + if (checkItems&2 > 0) && containLabels("cilium", igFlow.IgSourceLabels, flow.Source.Labels) { + checkedItems = checkedItems | 1<<1 + } + + // 3. 
check dest namespace + if (checkItems&4 > 0) && igFlow.IgDestinationNamespace == flow.Destination.Namespace { + checkedItems = checkedItems | 1<<2 + } + + // 4. check dest pod labels + if (checkItems&8 > 0) && containLabels("cilium", igFlow.IgDestinationLabels, flow.Destination.Labels) { + checkedItems = checkedItems | 1<<3 + } + + // 5. check protocol + if (checkItems&16 > 0) && flow.GetL4() != nil && plugin.GetProtocolStr(flow.GetL4()) == igFlow.IgProtocol { + checkedItems = checkedItems | 1<<4 + } + + // 6. check port number + if (checkItems&32 > 0) && flow.GetL4() != nil { + if strings.Contains(flow.GetL4().String(), igFlow.IgPortNumber) { + checkedItems = checkedItems | 1<<5 + } + } + + if checkItems == checkedItems { + ignored = true + break + } + } + + if !ignored { + filteredFlows = append(filteredFlows, flow) } } - return false + return filteredFlows } // GetCiliumFlows func @@ -1627,6 +1720,9 @@ func StartToDiscoveryWorker() { return } + // filter ignoring network flows + networkFlows = PrefilterFlows(networkFlows) + // get k8s services services := libs.GetServices() @@ -1650,8 +1746,8 @@ func StartToDiscoveryWorker() { // iterate each namespace for _, namespace := range namespaces { - // skip namespace - if IgnoringNamespace(namespace) { + // skip uninterested namespaces + if libs.ContainsElement(SkipNamespaces, namespace) { continue } diff --git a/src/plugin/cilium.go b/src/plugin/cilium.go index 0575c47a..eb81659f 100644 --- a/src/plugin/cilium.go +++ b/src/plugin/cilium.go @@ -61,8 +61,8 @@ func getL4Ports(l4 *flow.Layer4) (int, int) { } } -// getProtocol function -func getProtocol(l4 *flow.Layer4) int { +// GetProtocol function +func GetProtocol(l4 *flow.Layer4) int { if l4.GetTCP() != nil { return 6 } else if l4.GetUDP() != nil { 
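Review bot: In PrefilterFlows an IgnoringFlows entry with no fields set makes getHaveToCheckItems return 0, and because `checkedItems` also starts at 0 the final `checkItems == checkedItems` test is true for every flow, so a single empty entry in Cfg.IgnoringFlows silently drops all traffic from discovery. The port test `strings.Contains(flow.GetL4().String(), igFlow.IgPortNumber)` is a substring match on the protobuf text form, so `"80"` also ignores 8080 and 1800, and a rule meant for the destination port matches source ports as well. Skip entries with no criteria and compare the destination port numerically; the unexported `getL4Ports` in plugin/cilium.go (assuming it returns source then destination) can be exported for that, and `strconv` must be imported. The loop variable `flow` also shadows the imported `flow` package, which compiles but reads badly; `f` avoids it. This hunk begins on the previous line, and PrefilterFlows, getHaveToCheckItems and containLabels are fully contained in it.

```go
func PrefilterFlows(flows []*flow.Flow) []*flow.Flow {
	filteredFlows := []*flow.Flow{}

	for _, f := range flows {
		ignored := false

		for _, igFlow := range Cfg.IgnoringFlows {
			checkItems := getHaveToCheckItems(igFlow)
			if checkItems == 0 {
				// an entry with no criteria must not match every flow
				continue
			}

			checkedItems := 0

			// … unchanged: checks 1-5 (namespaces, labels, protocol), with flow renamed to f …

			// 6. check port number: exact match on the destination port, not a substring of the L4 text
			if (checkItems&32 > 0) && f.GetL4() != nil {
				want, err := strconv.Atoi(igFlow.IgPortNumber)
				_, dstPort := plugin.GetL4Ports(f.GetL4()) // getL4Ports exported; assumes (src, dst) order
				if err == nil && dstPort == want {
					checkedItems = checkedItems | 1<<5
				}
			}

			// … unchanged: ignored decision …
		}

		// … unchanged: append to filteredFlows …
	}

	return filteredFlows
}
```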
@@ -74,6 +74,19 @@ func getProtocol(l4 *flow.Layer4) int { } } +// GetProtocolStr function +func GetProtocolStr(l4 *flow.Layer4) string { + if l4.GetTCP() != nil { + return "tcp" + } else if l4.GetUDP() != nil { + return "udp" + } else if l4.GetICMPv4() != nil { + return "icmp" + } else { + return "unknown" // unknown? + } +} + // getReservedLabelIfExist function func getReservedLabelIfExist(labels []string) string { for _, label := range labels { @@ -164,7 +177,7 @@ func ConvertCiliumFlowToKnoxLog(flow *flow.Flow, dnsToIPs map[string][]string) ( // get L4 if flow.L4 != nil { - log.Protocol = getProtocol(flow.L4) + log.Protocol = GetProtocol(flow.L4) if log.Protocol == 6 && flow.L4.GetTCP() != nil { // if tcp, log.SynFlag = isSynFlagOnly(flow.L4.GetTCP()) } diff --git a/src/protos/v1/config/config.pb.go b/src/protos/v1/config/config.pb.go index 0034ac30..2c49a49b 100644 --- a/src/protos/v1/config/config.pb.go +++ b/src/protos/v1/config/config.pb.go 
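Review bot: `GetProtocolStr` returns `"icmp"` only for `GetICMPv4()`; an ICMPv6 flow, if the Hubble L4 type exposes one (GetProtocol's remaining branches are outside this hunk, so I cannot tell how it treats it), falls through to `"unknown"` and an IgnoringFlows rule with `ig_protocol: icmp` will not drop it. Rather than duplicating the type switch, derive the string from `GetProtocol(l4)` through a small map so the two functions cannot disagree, and document the `"unknown"` sentinel instead of leaving the `// unknown?` question. The exported doc comments `// GetProtocol function` and `// GetProtocolStr function` should say what they return, e.g. `// GetProtocolStr returns the lower-case protocol name (tcp, udp, icmp) of l4, or "unknown" for anything else.`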
@@ -257,12 +257,12 @@ func (m *ConfigCiliumHubble) GetHubblePort() string { } type IgnoringFlows struct { - IgSelectorNamespaces []string `protobuf:"bytes,1,rep,name=ig_selector_namespaces,json=igSelectorNamespaces,proto3" json:"ig_selector_namespaces,omitempty"` + IgSelectorNamespace string `protobuf:"bytes,1,opt,name=ig_selector_namespace,json=igSelectorNamespace,proto3" json:"ig_selector_namespace,omitempty"` IgSelectorLabels []string `protobuf:"bytes,2,rep,name=ig_selector_labels,json=igSelectorLabels,proto3" json:"ig_selector_labels,omitempty"` - IgTargetNamespaces []string `protobuf:"bytes,3,rep,name=ig_target_namespaces,json=igTargetNamespaces,proto3" json:"ig_target_namespaces,omitempty"` + IgTargetNamespace string `protobuf:"bytes,3,opt,name=ig_target_namespace,json=igTargetNamespace,proto3" json:"ig_target_namespace,omitempty"` IgTargetLabels []string `protobuf:"bytes,4,rep,name=ig_target_labels,json=igTargetLabels,proto3" json:"ig_target_labels,omitempty"` - IgProtocols []string `protobuf:"bytes,5,rep,name=ig_protocols,json=igProtocols,proto3" json:"ig_protocols,omitempty"` - IgPortNumbers []string `protobuf:"bytes,6,rep,name=ig_port_numbers,json=igPortNumbers,proto3" json:"ig_port_numbers,omitempty"` + IgProtocol string `protobuf:"bytes,5,opt,name=ig_protocol,json=igProtocol,proto3" json:"ig_protocol,omitempty"` + IgPortNumber string `protobuf:"bytes,6,opt,name=ig_port_number,json=igPortNumber,proto3" json:"ig_port_number,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -293,11 +293,11 @@ func (m *IgnoringFlows) XXX_DiscardUnknown() { var xxx_messageInfo_IgnoringFlows proto.InternalMessageInfo -func (m *IgnoringFlows) GetIgSelectorNamespaces() []string { +func (m *IgnoringFlows) GetIgSelectorNamespace() string { if m != nil { - return m.IgSelectorNamespaces + return m.IgSelectorNamespace } - return nil + return "" } func (m *IgnoringFlows) GetIgSelectorLabels() []string { 
@@ -307,11 +307,11 @@ func (m *IgnoringFlows) GetIgSelectorLabels() []string { return nil } -func (m *IgnoringFlows) GetIgTargetNamespaces() []string { +func (m *IgnoringFlows) GetIgTargetNamespace() string { if m != nil { - return m.IgTargetNamespaces + return m.IgTargetNamespace } - return nil + return "" } func (m *IgnoringFlows) GetIgTargetLabels() []string { @@ -321,23 +321,23 @@ func (m *IgnoringFlows) GetIgTargetLabels() []string { return nil } -func (m *IgnoringFlows) GetIgProtocols() []string { +func (m *IgnoringFlows) GetIgProtocol() string { if m != nil { - return m.IgProtocols + return m.IgProtocol } - return nil + return "" } -func (m *IgnoringFlows) GetIgPortNumbers() []string { +func (m *IgnoringFlows) GetIgPortNumber() string { if m != nil { - return m.IgPortNumbers + return m.IgPortNumber } - return nil + return "" } type Config struct { ConfigName string `protobuf:"bytes,1,opt,name=config_name,json=configName,proto3" json:"config_name,omitempty"` - Staus int32 `protobuf:"varint,2,opt,name=staus,proto3" json:"staus,omitempty"` + Status int32 `protobuf:"varint,2,opt,name=status,proto3" json:"status,omitempty"` ConfigDb *ConfigDB `protobuf:"bytes,3,opt,name=config_db,json=configDb,proto3" json:"config_db,omitempty"` ConfigCiliumHubble *ConfigCiliumHubble `protobuf:"bytes,4,opt,name=config_cilium_hubble,json=configCiliumHubble,proto3" json:"config_cilium_hubble,omitempty"` OperationMode int32 `protobuf:"varint,5,opt,name=operation_mode,json=operationMode,proto3" json:"operation_mode,omitempty"` @@ -391,9 +391,9 @@ func (m *Config) GetConfigName() string { return "" } -func (m *Config) GetStaus() int32 { +func (m *Config) GetStatus() int32 { if m != nil { - return m.Staus + return m.Status } return 0 } 
@@ -524,63 +524,62 @@ func init() { } var fileDescriptor_a49a8d8549545cb5 = []byte{ - // 913 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x9c, 0x56, 0x6f, 0x6f, 0x1b, 0x35, - 0x18, 0xd7, 0x9a, 0x25, 0x4b, 0x9c, 0x25, 0xcb, 0xbc, 0x8e, 0x1e, 0x4c, 0x15, 0x23, 0x12, 0x68, - 0x48, 0xa8, 0x61, 0x6d, 0x61, 0x12, 0x1a, 0x42, 0xed, 0xa2, 0xb1, 0xa1, 0xae, 0x54, 0x69, 0xfa, - 0x06, 0x5e, 0x58, 0xf7, 0xc7, 0xbd, 0x98, 0x39, 0xe7, 0xc3, 0xf6, 0x65, 0xe4, 0x2b, 0xf0, 0x11, - 0xf8, 0x36, 0x7c, 0x13, 0x3e, 0x0a, 0x8f, 0x1f, 0x3b, 0xd7, 0xb0, 0x54, 0x4c, 0xea, 0x9b, 0xed, - 0xfc, 0xfb, 0x17, 0xdf, 0xe3, 0xe7, 0xf1, 0x95, 0xec, 0x96, 0x5a, 0x59, 0x65, 0x46, 0x8b, 0xa7, - 0xa3, 0x54, 0x15, 0x97, 0x22, 0x0f, 0xff, 0xed, 0x21, 0x4e, 0x3b, 0x8b, 0xa7, 0x7b, 0x1e, 0x18, - 0xfe, 0x4a, 0x7a, 0x2f, 0xf0, 0x69, 0xc2, 0x7f, 0xaf, 0xb8, 0xb1, 0xf4, 0x53, 0xd2, 0xf5, 0x14, - 0x2b, 0xe2, 0x39, 0x8f, 0x6e, 0x3d, 0xbe, 0xf5, 0xa4, 0x33, 0x21, 0x1e, 0x3a, 0x05, 0x84, 0x7e, - 0x49, 0x5a, 0x7e, 0x15, 0x35, 0x80, 0xeb, 0xee, 0xdf, 0xdf, 0xab, 0xd3, 0xf6, 0x42, 0x54, 0x10, - 0x0c, 0xdf, 0x90, 0xfe, 0x2a, 0xdc, 0x94, 0xaa, 0x30, 0x9c, 0x0e, 0x48, 0x63, 0x6e, 0xf2, 0x90, - 0xea, 0x1e, 0xd7, 0xe2, 0xb6, 0x1e, 0x37, 0xfe, 0x3f, 0xee, 0xcf, 0x2d, 0xd2, 0xf6, 0xd0, 0xf8, - 0x98, 0x3e, 0x22, 0x9d, 0x2c, 0x61, 0x99, 0x16, 0x0b, 0xae, 0x43, 0x5e, 0x3b, 0x4b, 0xc6, 0xb8, - 0xa6, 0x3b, 0xe4, 0x0e, 0x90, 0x33, 0x65, 0x2c, 0xa4, 0x3a, 0xaa, 0x95, 0x25, 0xaf, 0x60, 0x15, - 0x88, 0x52, 0x69, 0x8b, 0xbb, 0x47, 0xe2, 0x0c, 0x56, 0x81, 0xa8, 0x0c, 0x84, 0xdd, 0x5e, 0x11, - 0x17, 0xa6, 0x8e, 0x2a, 0x63, 0x63, 0xa2, 0x66, 0xed, 0x80, 0x55, 0x20, 0xb0, 0x48, 0xad, 0x15, - 0x81, 0x05, 0xfa, 0x8a, 0x50, 0x1b, 0x27, 0x92, 0xb3, 0x82, 0xdb, 0x77, 0x4a, 0xbf, 0x65, 0x97, - 0x52, 0xbd, 0x8b, 0xee, 0xa0, 0x66, 0x80, 0xcc, 0xa9, 0x27, 0x5e, 0x02, 0x4e, 0xbf, 0x25, 0x3b, - 0x5e, 0x9d, 0x09, 0x93, 0x2a, 0xd8, 0x3c, 0xcf, 0x60, 0x7f, 0x52, 0xa4, 0xcb, 0xa8, 0x8d, 0x96, - 
0x87, 0x48, 0x8f, 0x6b, 0xf6, 0x0c, 0xc9, 0xe1, 0x94, 0x50, 0x5f, 0x8b, 0x17, 0x42, 0x8a, 0x6a, - 0xfe, 0xaa, 0x4a, 0x40, 0x45, 0x77, 0x09, 0x99, 0xe1, 0x13, 0xab, 0xb4, 0x0c, 0x65, 0xe9, 0x78, - 0xe4, 0x42, 0x4b, 0x77, 0xb8, 0x81, 0xc6, 0x12, 0xf8, 0xda, 0x04, 0x87, 0x2b, 0xc3, 0xf0, 0xaf, - 0x2d, 0xd2, 0x7b, 0x9d, 0x17, 0x4a, 0x8b, 0x22, 0x77, 0xdb, 0x33, 0xf4, 0x90, 0x7c, 0x04, 0xbd, - 0x60, 0xb8, 0xe4, 0xa9, 0x55, 0x1a, 0xdf, 0xd7, 0x94, 0x71, 0xca, 0x0d, 0xa4, 0x37, 0xc0, 0xbd, - 0x2d, 0xf2, 0xf3, 0x40, 0x9e, 0xd6, 0x9c, 0xab, 0xc1, 0xba, 0x4b, 0xc6, 0x09, 0x97, 0x06, 0x4f, - 0x18, 0x6a, 0x70, 0xe5, 0x38, 0x41, 0x9c, 0x7e, 0x4d, 0x20, 0x85, 0xd9, 0x58, 0xe7, 0xdc, 0xae, - 0xff, 0x42, 0x03, 0xf5, 0x90, 0x34, 0x45, 0x6a, 0x2d, 0xff, 0x09, 0x19, 0x5c, 0x39, 0x42, 0xfa, - 0x6d, 0x54, 0xf7, 0x57, 0xea, 0x90, 0xfd, 0x19, 0xb9, 0x0b, 0x4a, 0xec, 0xfb, 0x54, 0x49, 0x77, - 0x88, 0x4e, 0xd5, 0x15, 0xf9, 0xd9, 0x0a, 0xa2, 0x5f, 0x90, 0x7b, 0x4e, 0x02, 0xef, 0xcf, 0x8a, - 0x6a, 0x9e, 0x70, 0x6d, 0xe0, 0x44, 0x9d, 0xaa, 0x07, 0x2a, 0x40, 0x4f, 0x3d, 0x38, 0xfc, 0xa7, - 0x45, 0x5a, 0xbe, 0xe6, 0x1f, 0x9e, 0x92, 0x6d, 0xd2, 0x34, 0x36, 0xae, 0x0c, 0xd6, 0xb8, 0x39, - 0xf1, 0x0b, 0x78, 0xd1, 0x4e, 0xb0, 0x65, 0x49, 0x18, 0x9f, 0x07, 0x1b, 0xfd, 0x3e, 0x3e, 0x9e, - 0xb4, 0x3d, 0x30, 0x4e, 0xe8, 0xcf, 0x64, 0x3b, 0x38, 0x52, 0x3c, 0x67, 0xe6, 0x0f, 0x0b, 0x9b, - 0xb4, 0xbb, 0xbf, 0xbb, 0x61, 0x5e, 0xef, 0x86, 0x09, 0x4d, 0x37, 0x3b, 0xe4, 0x73, 0xd2, 0x57, - 0x25, 0xd7, 0xb1, 0x15, 0xaa, 0x60, 0x73, 0x95, 0x71, 0x6c, 0xeb, 0xe6, 0xa4, 0x57, 0xa3, 0x6f, - 0x00, 0xa4, 0xfb, 0xe4, 0x61, 0xaa, 0x55, 0xf1, 0x9b, 0x4a, 0x98, 0x15, 0x73, 0xce, 0x44, 0x61, - 0xb9, 0x5e, 0xc4, 0x32, 0xf4, 0xfa, 0x83, 0x40, 0x4e, 0x81, 0x7b, 0x1d, 0x28, 0xfa, 0x9c, 0x3c, - 0x52, 0x05, 0xf7, 0xfa, 0xda, 0xe8, 0x7b, 0x00, 0x62, 0xc3, 0x04, 0xec, 0x80, 0xc4, 0xb9, 0x7e, - 0xf2, 0xe6, 0xf3, 0x15, 0xed, 0x8e, 0x74, 0x35, 0x30, 0x52, 0xe5, 0xec, 0x52, 0xab, 0x79, 0x98, - 0x80, 0x7e, 0xc0, 0x4f, 0x54, 0xfe, 
0x12, 0x50, 0xd7, 0x2e, 0x1b, 0xc3, 0xc2, 0xac, 0x8a, 0x3a, - 0xa8, 0xa6, 0xd9, 0x7b, 0xa3, 0x32, 0x55, 0x6e, 0x2c, 0x82, 0x2c, 0x13, 0x3a, 0x22, 0x7e, 0x2c, - 0x3c, 0x32, 0x16, 0xda, 0xf5, 0xf8, 0xca, 0xb4, 0xac, 0xf3, 0x96, 0x25, 0x74, 0x60, 0x17, 0x6b, - 0x53, 0xff, 0xdc, 0x32, 0x24, 0x3a, 0x6e, 0x7d, 0x1b, 0x4b, 0xa6, 0x2b, 0x18, 0x2a, 0xef, 0xb9, - 0x8b, 0x9e, 0x7a, 0x1b, 0xcb, 0x09, 0x50, 0xde, 0x01, 0x77, 0x56, 0x2a, 0x32, 0xcd, 0x12, 0x61, - 0x4d, 0xd4, 0x43, 0x59, 0xdb, 0x01, 0xc7, 0xb0, 0xa6, 0x3f, 0x10, 0x68, 0x5d, 0x3f, 0x79, 0x78, - 0x63, 0x98, 0xa8, 0x8f, 0x17, 0x62, 0xb4, 0x76, 0xc6, 0xff, 0x19, 0x4d, 0xd7, 0x9e, 0xeb, 0x93, - 0x0a, 0xfb, 0x91, 0x07, 0x2c, 0xce, 0x73, 0xcd, 0x73, 0x7f, 0xbc, 0x92, 0x2f, 0xb8, 0x8c, 0xee, - 0xf9, 0xfd, 0xc8, 0x83, 0xa3, 0x2b, 0xea, 0xc4, 0x31, 0xe8, 0x38, 0xbc, 0xc6, 0x31, 0x08, 0x8e, - 0xc3, 0x6b, 0x1d, 0xcf, 0xae, 0x71, 0xdc, 0x0f, 0x8e, 0x67, 0x1b, 0x0e, 0xb8, 0x09, 0x66, 0xd6, - 0x96, 0xee, 0x3e, 0x62, 0x76, 0xa6, 0xb9, 0x99, 0x29, 0x99, 0x45, 0x14, 0xf5, 0x03, 0xc7, 0xc0, - 0xbd, 0x34, 0x5d, 0xe1, 0xfb, 0x7f, 0x6f, 0x91, 0xae, 0x6f, 0xe4, 0x73, 0xb8, 0x1e, 0x38, 0xfd, - 0x8e, 0x34, 0x8e, 0xb2, 0x8c, 0x46, 0x9b, 0x1f, 0x05, 0xff, 0xb9, 0xfa, 0xe4, 0xe3, 0x6b, 0x98, - 0xf0, 0xad, 0x01, 0xef, 0x8f, 0xdc, 0xde, 0xcc, 0xfb, 0x3d, 0x69, 0x5d, 0x94, 0x59, 0x6c, 0xf9, - 0x8d, 0xed, 0x63, 0x68, 0xec, 0x9b, 0xda, 0x9f, 0x93, 0xe6, 0x51, 0x59, 0xca, 0xe5, 0x8d, 0xdc, - 0xc7, 0xdf, 0xfc, 0x72, 0x90, 0x0b, 0x0b, 0xf7, 0x04, 0xf0, 0xf3, 0x51, 0x9c, 0xa6, 0xd5, 0xdb, - 0x42, 0xfd, 0x31, 0x72, 0xff, 0x1c, 0x55, 0x56, 0xf9, 0x16, 0x1e, 0xbd, 0xff, 0x17, 0x42, 0xd2, - 0x42, 0xe4, 0xe0, 0xdf, 0x00, 0x00, 0x00, 0xff, 0xff, 0x75, 0xc0, 0xea, 0x45, 0x3c, 0x08, 0x00, - 0x00, + // 907 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x9c, 0x56, 0xdd, 0x6e, 0x1b, 0x45, + 0x14, 0x56, 0x93, 0xc6, 0xb5, 0xc7, 0xb5, 0x71, 0x26, 0x6d, 0xb3, 0x50, 0x45, 0x54, 0x16, 0x48, + 0x45, 0x42, 0x36, 
0x4d, 0x02, 0x95, 0x50, 0x11, 0x4a, 0x6a, 0x95, 0x16, 0xa5, 0x21, 0x72, 0x9c, + 0x1b, 0xb8, 0x18, 0xed, 0xcf, 0x64, 0x3d, 0x74, 0xbc, 0xb3, 0xcc, 0xcc, 0xba, 0xf8, 0x15, 0xb8, + 0xe4, 0x8d, 0x78, 0x15, 0x9e, 0x84, 0x33, 0x67, 0x66, 0x1d, 0x37, 0x8e, 0xa8, 0x94, 0x9b, 0x64, + 0xe7, 0xfb, 0xce, 0xf7, 0x65, 0xf6, 0xfc, 0x6d, 0xc8, 0x5e, 0xa9, 0x95, 0x55, 0x66, 0x38, 0x7f, + 0x36, 0x4c, 0x55, 0x71, 0x29, 0xf2, 0xf0, 0x6b, 0x80, 0x38, 0x6d, 0xcd, 0x9f, 0x0d, 0x3c, 0xd0, + 0xff, 0x8d, 0x74, 0x5e, 0xe2, 0xd3, 0x98, 0xff, 0x51, 0x71, 0x63, 0xe9, 0xe7, 0xa4, 0xed, 0x29, + 0x56, 0xc4, 0x33, 0x1e, 0xdd, 0x79, 0x72, 0xe7, 0x69, 0x6b, 0x4c, 0x3c, 0x74, 0x0a, 0x08, 0xfd, + 0x8a, 0x34, 0xfc, 0x29, 0xda, 0x04, 0xae, 0xbd, 0xbf, 0x3d, 0x58, 0xba, 0x0d, 0x82, 0x55, 0x08, + 0xe8, 0xbf, 0x25, 0xdd, 0xda, 0xdc, 0x94, 0xaa, 0x30, 0x9c, 0xf6, 0xc8, 0xe6, 0xcc, 0xe4, 0xc1, + 0xd5, 0x3d, 0xae, 0xd8, 0x6d, 0x3c, 0xd9, 0xfc, 0x7f, 0xbb, 0xbf, 0x36, 0x48, 0xd3, 0x43, 0xa3, + 0x63, 0xfa, 0x98, 0xb4, 0xb2, 0x84, 0x65, 0x5a, 0xcc, 0xb9, 0x0e, 0x7e, 0xcd, 0x2c, 0x19, 0xe1, + 0x99, 0xee, 0x92, 0x7b, 0x40, 0x4e, 0x95, 0xb1, 0xe0, 0xea, 0xa8, 0x46, 0x96, 0xbc, 0x86, 0x53, + 0x20, 0x4a, 0xa5, 0x2d, 0xde, 0x1e, 0x89, 0x33, 0x38, 0x05, 0xa2, 0x32, 0x60, 0x76, 0xb7, 0x26, + 0x2e, 0xcc, 0xd2, 0xaa, 0x8c, 0x8d, 0x89, 0xb6, 0x96, 0x0a, 0x38, 0x05, 0x02, 0x93, 0xd4, 0xa8, + 0x09, 0x4c, 0xd0, 0xd7, 0x84, 0xda, 0x38, 0x91, 0x9c, 0x15, 0xdc, 0xbe, 0x57, 0xfa, 0x1d, 0xbb, + 0x94, 0xea, 0x7d, 0x74, 0x0f, 0x63, 0x7a, 0xc8, 0x9c, 0x7a, 0xe2, 0x15, 0xe0, 0xf4, 0x3b, 0xb2, + 0xeb, 0xa3, 0x33, 0x61, 0x52, 0x05, 0x97, 0xe7, 0x19, 0xdc, 0x4f, 0x8a, 0x74, 0x11, 0x35, 0x51, + 0xf2, 0x10, 0xe9, 0xd1, 0x92, 0x3d, 0x43, 0xb2, 0x3f, 0x21, 0xd4, 0xe7, 0xe2, 0xa5, 0x90, 0xa2, + 0x9a, 0xbd, 0xae, 0x12, 0x88, 0xa2, 0x7b, 0x84, 0x4c, 0xf1, 0x89, 0x55, 0x5a, 0x86, 0xb4, 0xb4, + 0x3c, 0x72, 0xa1, 0xa5, 0x2b, 0x6e, 0xa0, 0x31, 0x05, 0x3e, 0x37, 0x41, 0xe1, 0xd2, 0xd0, 0xff, + 0x7b, 0x83, 0x74, 0xde, 0xe4, 0x85, 0xd2, 0xa2, 0xc8, 
0xdd, 0xf5, 0x0c, 0xdd, 0x27, 0x0f, 0xa1, + 0x17, 0x0c, 0x97, 0x3c, 0xb5, 0x4a, 0xe3, 0xfb, 0x9a, 0x32, 0x4e, 0xeb, 0xce, 0xd8, 0x11, 0xf9, + 0x79, 0xe0, 0x4e, 0x6b, 0xca, 0x65, 0x60, 0x55, 0x23, 0xe3, 0x84, 0x4b, 0x83, 0xf5, 0x85, 0x0c, + 0x5c, 0x09, 0x4e, 0x10, 0xa7, 0x03, 0x02, 0x26, 0xcc, 0xc6, 0x3a, 0xe7, 0x76, 0xc5, 0xdf, 0xd7, + 0x67, 0x5b, 0xe4, 0x13, 0x64, 0xae, 0xdc, 0x9f, 0x92, 0xde, 0x55, 0x7c, 0xf0, 0xbe, 0x8b, 0xde, + 0xdd, 0x3a, 0x38, 0x38, 0xc3, 0xeb, 0x42, 0x24, 0xf6, 0x7c, 0xaa, 0x64, 0xa8, 0x1f, 0x11, 0xf9, + 0x59, 0x40, 0xe8, 0x17, 0xa4, 0xeb, 0x02, 0xe0, 0xcd, 0x59, 0x51, 0xcd, 0x12, 0x28, 0xbe, 0x2f, + 0xe5, 0x7d, 0x88, 0x01, 0xf0, 0x14, 0xb1, 0xfe, 0xbf, 0x0d, 0xd2, 0xf0, 0xb9, 0xfe, 0xf8, 0x74, + 0x3c, 0x22, 0x0d, 0x63, 0x63, 0x5b, 0x19, 0x4c, 0xee, 0xd6, 0x38, 0x9c, 0xe8, 0x37, 0xa4, 0x15, + 0x84, 0x59, 0x12, 0x06, 0x67, 0x67, 0xad, 0xd3, 0x47, 0xc7, 0xe3, 0xa6, 0x07, 0x46, 0x09, 0xfd, + 0x85, 0x3c, 0x08, 0x8a, 0x14, 0x2b, 0xcc, 0x7c, 0x99, 0xb0, 0x3d, 0xdb, 0xfb, 0x7b, 0x6b, 0xe2, + 0xd5, 0x3e, 0x18, 0xd3, 0x74, 0xbd, 0x37, 0xbe, 0x24, 0x5d, 0x55, 0x72, 0x1d, 0x5b, 0xa1, 0x0a, + 0x36, 0x53, 0x19, 0xc7, 0x84, 0x6c, 0x8d, 0x3b, 0x4b, 0xf4, 0x2d, 0x80, 0xae, 0xe0, 0xa9, 0x56, + 0xc5, 0xef, 0x2a, 0x61, 0x56, 0xcc, 0x38, 0x13, 0x85, 0xe5, 0x7a, 0x1e, 0xcb, 0x90, 0x9a, 0x9d, + 0x40, 0x4e, 0x80, 0x7b, 0x13, 0x28, 0xfa, 0x82, 0x3c, 0x56, 0x05, 0xf7, 0xf1, 0x4b, 0xa1, 0xaf, + 0x3f, 0xd8, 0x86, 0xde, 0xdf, 0x85, 0x10, 0xa7, 0xfa, 0xd9, 0x8b, 0xcf, 0x6b, 0xda, 0x15, 0xb4, + 0x1e, 0x15, 0xa9, 0x72, 0x76, 0xa9, 0xd5, 0x2c, 0xf4, 0x7e, 0x37, 0xe0, 0x27, 0x2a, 0x7f, 0x05, + 0x28, 0x64, 0xf1, 0xc1, 0xda, 0x98, 0x30, 0xab, 0xa2, 0x16, 0x46, 0xd3, 0xec, 0xda, 0x90, 0x4c, + 0x94, 0x1b, 0x88, 0x10, 0x96, 0x09, 0x1d, 0x11, 0x3f, 0x10, 0x1e, 0x19, 0x09, 0x4d, 0x0f, 0xc9, + 0xa3, 0x5a, 0xb4, 0x58, 0xfa, 0x2d, 0x4a, 0x6e, 0xa2, 0x36, 0xe6, 0x66, 0xf9, 0xe7, 0x16, 0xc1, + 0xd1, 0x71, 0xab, 0xd7, 0x58, 0x30, 0x5d, 0xc1, 0x38, 0x79, 0xcd, 0x7d, 0xd4, 0x2c, 0xaf, 
0xb1, + 0x18, 0x03, 0xe5, 0x15, 0xb0, 0xad, 0x52, 0x91, 0x69, 0x96, 0x08, 0x6b, 0xa2, 0x0e, 0x86, 0x35, + 0x1d, 0x70, 0x0c, 0x67, 0xfa, 0xa3, 0xeb, 0x42, 0x3f, 0x73, 0xb8, 0x2b, 0x4c, 0xd4, 0xc5, 0x55, + 0x18, 0xad, 0xd4, 0xf8, 0x83, 0xa1, 0x1c, 0x77, 0xc4, 0x07, 0x33, 0x0a, 0xf7, 0x91, 0x07, 0x2c, + 0xce, 0x73, 0xcd, 0x73, 0x5f, 0x5e, 0xc9, 0xe7, 0x5c, 0x46, 0x9f, 0xf8, 0xfb, 0xc8, 0x83, 0xa3, + 0x2b, 0xea, 0xc4, 0x31, 0xa8, 0x38, 0xbc, 0x41, 0xd1, 0x0b, 0x8a, 0xc3, 0x1b, 0x15, 0xcf, 0x6f, + 0x50, 0x6c, 0x07, 0xc5, 0xf3, 0x35, 0x05, 0x6c, 0x81, 0xa9, 0xb5, 0xa5, 0xdb, 0x44, 0xcc, 0x4e, + 0x35, 0x37, 0x53, 0x25, 0xb3, 0x88, 0x62, 0x7c, 0xcf, 0x31, 0xb0, 0x91, 0x26, 0x35, 0xbe, 0xff, + 0xcf, 0x06, 0x69, 0xfb, 0x46, 0x3e, 0x87, 0xd5, 0xc0, 0xe9, 0xf7, 0x64, 0xf3, 0x28, 0xcb, 0x68, + 0xb4, 0xfe, 0x39, 0xf0, 0x1f, 0xaa, 0xcf, 0x3e, 0xbd, 0x81, 0x09, 0x5f, 0x19, 0xd0, 0xfe, 0xc4, + 0xed, 0xed, 0xb4, 0x3f, 0x90, 0xc6, 0x45, 0x99, 0xc5, 0x96, 0xdf, 0x5a, 0x3e, 0x82, 0xc6, 0xbe, + 0xad, 0xfc, 0x05, 0xd9, 0x3a, 0x2a, 0x4b, 0xb9, 0xb8, 0x95, 0xfa, 0xf8, 0xdb, 0x5f, 0x0f, 0x72, + 0x61, 0x61, 0x4f, 0x00, 0x3f, 0x1b, 0xc6, 0x69, 0x5a, 0xbd, 0x2b, 0xd4, 0x9f, 0x43, 0xf7, 0xe3, + 0xa8, 0xb2, 0xca, 0xb7, 0xf0, 0xf0, 0xfa, 0xff, 0x06, 0x49, 0x03, 0x91, 0x83, 0xff, 0x02, 0x00, + 0x00, 0xff, 0xff, 0x33, 0x00, 0x52, 0xa9, 0x36, 0x08, 0x00, 0x00, } diff --git a/src/protos/v1/config/config.proto b/src/protos/v1/config/config.proto index 58aed417..d5c3cf52 100644 --- a/src/protos/v1/config/config.proto +++ b/src/protos/v1/config/config.proto 
@@ -43,17 +43,17 @@ message ConfigCiliumHubble { } message IgnoringFlows { - repeated string ig_selector_namespaces = 1; + string ig_selector_namespace = 1; repeated string ig_selector_labels = 2; - repeated string ig_target_namespaces = 3; + string ig_target_namespace = 3; repeated string ig_target_labels = 4; - repeated string ig_protocols = 5; - repeated string ig_port_numbers = 6; + string ig_protocol = 5; + string ig_port_number = 6; } message Config { string config_name = 1; - int32 staus = 2; + int32 status = 2; ConfigDB config_db = 3; ConfigCiliumHubble config_cilium_hubble = 4; diff --git a/src/types/configData.go b/src/types/configData.go index 6b6bc419..b359c9fb 100644 --- a/src/types/configData.go +++ b/src/types/configData.go 
@@ -22,12 +22,12 @@ type ConfigCiliumHubble struct { // IgnoringFlows ... type IgnoringFlows struct { - IgSelectorNamespaces []string `json:"ig_selector_namespaces,omitempty" bson:"ig_selector_namespaces,omitempty"` - IgSelectorLabels []string `json:"ig_selector_labels,omitempty" bson:"ig_selector_labels,omitempty"` - IgTargetNamespaces []string `json:"ig_target_namespaces,omitempty" bson:"ig_target_namespaces,omitempty"` - IgTargetLabels []string `json:"ig_target_labels,omitempty" bson:"ig_target_labels,omitempty"` - IgProtocols []string `json:"ig_protocols,omitempty" bson:"ig_protocols,omitempty"` - IgPortNumbers []string `json:"ig_port_numbers,omitempty" bson:"ig_port_numbers,omitempty"` + IgSourceNamespace string `json:"ig_source_namespace,omitempty" bson:"ig_source_namespace,omitempty"` + IgSourceLabels []string `json:"ig_source_labels,omitempty" bson:"ig_source_labels,omitempty"` + IgDestinationNamespace string `json:"ig_destination_namespace,omitempty" bson:"ig_destination_namespace,omitempty"` + IgDestinationLabels []string `json:"ig_destination_labels,omitempty" bson:"ig_destination_labels,omitempty"` + IgProtocol string `json:"ig_protocol,omitempty" bson:"ig_protocol,omitempty"` + IgPortNumber string `json:"ig_port_number,omitempty" bson:"ig_port_number,omitempty"` } // Configuration ... From 54a8586b4e45359141623edbd7cb9632d06120a2 Mon Sep 17 00:00:00 2001 From: seungsoo-lee Date: Thu, 21 Jan 2021 05:48:31 +0000 Subject: [PATCH 3/3] Update ignoring flows/policy/rule types Description Fixes: #102 --- src/core/configManager.go | 2 +- src/core/networkPolicy.go | 65 ++++++++++++++++++++++++++++++--------- 2 files changed, 51 insertions(+), 16 deletions(-) diff --git a/src/core/configManager.go b/src/core/configManager.go index 8e22c622..a1b3d294 100644 --- a/src/core/configManager.go +++ b/src/core/configManager.go 
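Review bot: types.IgnoringFlows is renamed to `IgSourceNamespace`/`IgSourceLabels`/`IgDestinationNamespace`/`IgDestinationLabels` with `ig_source_*`/`ig_destination_*` JSON tags, while the protobuf message changed in the same commit (config.proto) keeps `ig_selector_namespace`, `ig_selector_labels`, `ig_target_namespace` and `ig_target_labels`. If the gRPC struct and this type are converted by JSON round-trip or by matching field names (the converter is not in this patch), the source and destination selectors are dropped, and an ignore rule submitted over the API then matches on protocol and port alone, or with the empty-rule behaviour of PrefilterFlows, on everything. Use one vocabulary on both sides; since config.pb.go is already regenerated here, the cheapest fix is to rename the proto fields to `ig_source_namespace`, `ig_source_labels`, `ig_destination_namespace` and `ig_destination_labels`.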
@@ -105,7 +105,7 @@ func LoadDefaultConfig() {
 // discovery types
 Cfg.DiscoveryPolicyTypes = libs.GetEnvInt("DISCOVERY_POLICY_TYPES", 3)
- Cfg.DiscoveryPolicyTypes = libs.GetEnvInt("DISCOVERY_RULE_TYPES", 1)
+ Cfg.DiscoveryRuleTypes = libs.GetEnvInt("DISCOVERY_RULE_TYPES", 511)
 // cidr bits
 Cfg.CIDRBits = 32
diff --git a/src/core/networkPolicy.go b/src/core/networkPolicy.go
index 4e65bd25..665facd7 100644
--- a/src/core/networkPolicy.go
+++ b/src/core/networkPolicy.go
@@ -31,6 +31,17 @@ const (
 Ingress = 2
 EgressIngress = 3
+ // discovery rule type
+ matchLabels = 1 << 0 // 1
+ toPorts = 1 << 1 // 2
+ toHTTPs = 1 << 2 // 4
+ toCIDRs = 1 << 3 // 8
+ toEntities = 1 << 4 // 16
+ toServices = 1 << 5 // 32
+ toFQDNs = 1 << 6 // 64
+ fromCIDRs = 1 << 7 // 128
+ fromEntities = 1 << 8 // 256
+
 // status
 StatusRunning = "running"
 StatusIdle = "idle"
@@ -621,10 +632,15 @@ func buildNetworkPolicies(namespace string, services []types.Service, mergedSrcP
 egressRule := types.Egress{}
- // ================= //
- // L3/L4 label-based //
- // ================= //
+ // ==================== //
+ // build L3 label-based //
+ // ==================== //
 if dst.MatchLabels != "" {
+ // check matchLabels rule
+ if Cfg.DiscoveryRuleTypes&matchLabels == 0 {
+ continue
+ }
+
 egressPolicy.Metadata["rule"] = "matchLabels"
 egressRule.MatchLabels = map[string]string{}
@@ -679,7 +695,11 @@ func buildNetworkPolicies(namespace string, services []types.Service, mergedSrcP
 if !strings.Contains(egressPolicy.Metadata["rule"], "toHTTPs") {
 egressPolicy.Metadata["rule"] = egressPolicy.Metadata["rule"] + "+toHTTPs"
 }
- egressRule.ToHTTPs = append(egressRule.ToHTTPs, httpRule)
+
+ // check toHTTPs rule
+ if Cfg.DiscoveryRuleTypes&toHTTPs > 0 {
+ egressRule.ToHTTPs = append(egressRule.ToHTTPs, httpRule)
+ }
 }
 }
 }
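Review bot: The new default `511` in `Cfg.DiscoveryRuleTypes = libs.GetEnvInt("DISCOVERY_RULE_TYPES", 511)` is a magic number whose meaning lives in the bit constants added to networkPolicy.go in the same commit (`matchLabels = 1 << 0` … `fromEntities = 1 << 8`); if both files share a package, add `allRuleTypes = matchLabels | toPorts | toHTTPs | toCIDRs | toEntities | toServices | toFQDNs | fromCIDRs | fromEntities` to that const block and use it here so a tenth rule type cannot leave the default mask short. The comment `// discovery rule type` on that block should also say these are bit flags of `Cfg.DiscoveryRuleTypes`, tested with `&` in buildNetworkPolicies. The value taken from the environment is not validated: a mask of `0` silently disables every rule kind, and the `continue` added for `matchLabels` then drops every label-based destination, which an operator could easily mistake for "nothing to discover" — logging the effective mask at startup, or rejecting `0`, would make that visible. LoadDefaultConfig begins and ends outside this hunk.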
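Review bot: `if Cfg.DiscoveryRuleTypes&matchLabels == 0 { continue }` in the `@@ -621` hunk is the only rule check written as `== 0`/`continue`; every other hunk tests `> 0` and skips just one field, so a reader has to work out that this one abandons the whole destination, including whatever port and HTTP handling follows for it in the enclosing loop, which starts outside the hunk. If that is the intent, say so in the comment, e.g. `// matchLabels is the L3 anchor for this destination; without it no egress rule is built at all`; otherwise wrap only the L3 part like the other checks do. buildNetworkPolicies starts and ends outside this hunk.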
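Review bot: In the `@@ -679` hunk the `+toHTTPs` suffix is still appended to `egressPolicy.Metadata["rule"]` before the new `Cfg.DiscoveryRuleTypes&toHTTPs > 0` check, so when that bit is unset the policy's `rule` metadata advertises an L7 rule its spec does not contain; the `@@ -687` hunk on the next line does the same with `+toPorts`. The CIDR hunk gets this right by folding the bit into the condition (`if len(dst.ToPorts) > 0 && Cfg.DiscoveryRuleTypes&toPorts > 0 {`); do the same here by moving the check above the `strings.Contains` block, i.e. `if Cfg.DiscoveryRuleTypes&toHTTPs > 0 {` around both the metadata update and the `append`. Anyone auditing discovered policies by their `rule` label would otherwise believe HTTP (or port) restrictions exist where only an L3 rule was generated. buildNetworkPolicies starts and ends outside this hunk.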
@@ -687,15 +707,20 @@ func buildNetworkPolicies(namespace string, services []types.Service, mergedSrcP
 if !strings.Contains(egressPolicy.Metadata["rule"], "toPorts") {
 egressPolicy.Metadata["rule"] = egressPolicy.Metadata["rule"] + "+toPorts"
 }
- egressRule.ToPorts = dst.ToPorts
+
+ // check toPorts rule
+ if Cfg.DiscoveryRuleTypes&toPorts > 0 {
+ egressRule.ToPorts = dst.ToPorts
+ }
 }
+ // check egress
 egressPolicy.Spec.Egress = append(egressPolicy.Spec.Egress, egressRule)
-
 if Cfg.DiscoveryPolicyTypes&Egress > 0 {
 networkPolicies = append(networkPolicies, egressPolicy)
 }
+ // check ingress
 if Cfg.DiscoveryPolicyTypes&Ingress > 0 && dst.Namespace != "kube-system" {
 ingressPolicy := buildNewIngressPolicyFromEgressPolicy(egressRule, egressPolicy.Spec.Selector)
 ingressPolicy.Spec.Ingress[0].MatchLabels["k8s:io.kubernetes.pod.namespace"] = namespace
@@ -712,20 +737,26 @@ func buildNetworkPolicies(namespace string, services []types.Service, mergedSrcP
 cidr := types.SpecCIDR{
 CIDRs: cidrSlice,
 }
- egressRule.ToCIDRs = []types.SpecCIDR{cidr}
- if len(dst.ToPorts) > 0 {
+ // check toCIDRs rule
+ if Cfg.DiscoveryRuleTypes&toCIDRs > 0 {
+ egressRule.ToCIDRs = []types.SpecCIDR{cidr}
+ }
+
+ // check toPorts rule
+ if len(dst.ToPorts) > 0 && Cfg.DiscoveryRuleTypes&toPorts > 0 {
 egressPolicy.Metadata["rule"] = egressPolicy.Metadata["rule"] + "+toPorts"
 egressRule.ToPorts = dst.ToPorts
 }
+ // check egress
 egressPolicy.Spec.Egress = append(egressPolicy.Spec.Egress, egressRule)
-
 if Cfg.DiscoveryPolicyTypes&Egress > 0 {
 networkPolicies = append(networkPolicies, egressPolicy)
 }
- if Cfg.DiscoveryPolicyTypes&Ingress > 0 {
+ // check ingress & fromCIDRs rule
+ if Cfg.DiscoveryPolicyTypes&Ingress > 0 && Cfg.DiscoveryRuleTypes&fromCIDRs > 0 {
 // add ingress policy
 ingressPolicy := buildNewIngressPolicyFromSameSelector(namespace, egressPolicy.Spec.Selector)
 ingressPolicy.Metadata["rule"] = "toCIDRs"
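Review bot: In the `@@ -712` hunk the `toCIDRs` bit gates only the `egressRule.ToCIDRs = []types.SpecCIDR{cidr}` assignment, while `egressPolicy.Spec.Egress = append(...)` and the `networkPolicies = append(...)` under `Egress` still run, so with the bit unset a policy whose egress rule carries no CIDR selector (at most `ToPorts`) is still emitted; the entities, FQDN and service hunks on the next line instead gate emission itself. How the consuming policy engine treats an egress rule without an L3 selector is not visible here, but if it is interpreted permissively the generated policy is broader than the operator configured. Either skip the destination the way the matchLabels hunk does, `if Cfg.DiscoveryRuleTypes&toCIDRs == 0 { continue }` before `cidr := types.SpecCIDR{` (assuming this sits in the same per-destination loop), or add the bit to the `Egress` condition. buildNetworkPolicies starts and ends outside this hunk.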
@@ -746,7 +777,10 @@ func buildNetworkPolicies(namespace string, services []types.Service, mergedSrcP
 // =============== //
 // build FQDN rule //
 // =============== //
- if Cfg.DiscoveryPolicyTypes&Egress > 0 {
+
+ // check egress & toFQDNs rule
+ if Cfg.DiscoveryPolicyTypes&Egress > 0 && Cfg.DiscoveryRuleTypes&toFQDNs > 0 {
+
 sort.Strings(dst.Additionals)
 fqdn := types.SpecFQDN{
 MatchNames: dst.Additionals,
@@ -773,12 +807,13 @@ func buildNetworkPolicies(namespace string, services []types.Service, mergedSrcP
 egressRule.ToEndtities = dst.Additionals
 egressPolicy.Spec.Egress = append(egressPolicy.Spec.Egress, egressRule)
- if Cfg.DiscoveryPolicyTypes&Egress > 0 {
+ // check egress & toEntities rule
+ if Cfg.DiscoveryPolicyTypes&Egress > 0 && Cfg.DiscoveryRuleTypes&toEntities > 0 {
 networkPolicies = append(networkPolicies, egressPolicy)
 }
- // add ingress policy
- if Cfg.DiscoveryPolicyTypes&Ingress > 0 {
+ // check ingress & fromEntities rule
+ if Cfg.DiscoveryPolicyTypes&Ingress > 0 && Cfg.DiscoveryRuleTypes&fromEntities > 0 {
 ingressPolicy := buildNewIngressPolicyFromSameSelector(namespace, egressPolicy.Spec.Selector)
 ingressPolicy.Metadata["rule"] = "fromEntities"
 ingressRule := types.Ingress{}
@@ -792,7 +827,7 @@ func buildNetworkPolicies(namespace string, services []types.Service, mergedSrcP
 // ================== //
 // build Service rule //
 // ================== //
- if Cfg.DiscoveryPolicyTypes&Egress > 0 {
+ if Cfg.DiscoveryPolicyTypes&Egress > 0 && Cfg.DiscoveryRuleTypes&toServices > 0 {
 // to external services (NOT internal k8s service)
 // to affect this policy, we need a service, an endpoint respectively
 service := types.SpecService{
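Review bot: Across the three hunks here and those on the previous two lines the rule gate is spelled nine times as `Cfg.DiscoveryRuleTypes&X > 0` (and once as `== 0`), which is the kind of repetition that drifts; a one-line helper such as `func ruleEnabled(rule int) bool { return Cfg.DiscoveryRuleTypes&rule != 0 }` (parameter type matching whatever `DiscoveryRuleTypes` is) would let each condition read `Cfg.DiscoveryPolicyTypes&Egress > 0 && ruleEnabled(toEntities)`. In the `@@ -773` hunk `egressPolicy.Spec.Egress = append(...)` still mutates the policy before the `toEntities` check; harmless since the policy is then dropped, but hoisting the check above it, as the FQDN hunk does, keeps the pattern uniform. The `@@ -792` service hunk is also the only one without a `// check …` comment. buildNetworkPolicies starts and ends outside these hunks.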