From 804ba988cfd50536eafb0fcf2d6e5800102c00f5 Mon Sep 17 00:00:00 2001
From: Zhonghu Xu
Date: Thu, 13 Jun 2024 17:39:44 +0800
Subject: [PATCH 1/3] Fix authPolicy remove
Signed-off-by: Zhonghu Xu
---
.../security/authorization_help.go | 22 +
pkg/auth/policy_store.go | 46 +-
pkg/auth/policy_store_test.go | 4 +-
pkg/auth/rbac.go | 35 +-
pkg/auth/rbac_test.go | 1718 ++++++++---------
5 files changed, 878 insertions(+), 947 deletions(-)
create mode 100644 api/v2/workloadapi/security/authorization_help.go
diff --git a/api/v2/workloadapi/security/authorization_help.go b/api/v2/workloadapi/security/authorization_help.go
new file mode 100644
index 000000000..eccd34d18
--- /dev/null
+++ b/api/v2/workloadapi/security/authorization_help.go
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2024 The Kmesh Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package security
+
+// ResourceName returns the unique key of Workload.
+func (x *Authorization) ResourceName() string {
+ return x.GetNamespace() + "/" + x.GetName()
+}
diff --git a/pkg/auth/policy_store.go b/pkg/auth/policy_store.go
index 0415293a0..278bc9757 100644
--- a/pkg/auth/policy_store.go
+++ b/pkg/auth/policy_store.go
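Review bot: The doc comment on the new `ResourceName` method says it returns the key of a Workload, but the receiver is `*Authorization`, and the string it builds is exactly what the policy store later receives as `policyKey`, so the comment should state the real contract, e.g. `// ResourceName returns the unique "namespace/name" key of an Authorization policy, as used by the policy store.` If `Authorization` is protobuf-generated, as its `Get*` accessors suggest, the getters are nil-safe and a nil receiver yields `"/"` instead of panicking; that is worth one sentence in the comment so callers do not rely on a panic to catch a missing policy.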
@@ -27,7 +27,7 @@ import ( type policyStore struct { // byKey maintains a mapping of ns/name to policy - byKey map[string]authPolicy + byKey map[string]*security.Authorization // byNamespace maintains a mapping of namespace (or "" for global) to policy names byNamespace map[string]sets.Set[string] @@ -35,28 +35,24 @@ type policyStore struct { rwLock sync.RWMutex } -func newPolicystore() *policyStore { +func newPolicyStore() *policyStore { return &policyStore{ - byKey: make(map[string]authPolicy), + byKey: make(map[string]*security.Authorization), byNamespace: make(map[string]sets.Set[string]), } } -func (ps *policyStore) updatePolicy(auth *security.Authorization) error { - if auth == nil { +func (ps *policyStore) updatePolicy(authPolicy *security.Authorization) error { + if authPolicy == nil { return nil } + key := authPolicy.ResourceName() - authPolicy := authPolicy{ - auth, - } - key := authPolicy.Key() - + ps.rwLock.Lock() + defer ps.rwLock.Unlock() var ns string switch authPolicy.GetScope() { case security.Scope_WORKLOAD_SELECTOR: - ps.rwLock.Lock() - defer ps.rwLock.Unlock() // only update 'byKey' cache for Scope_WORKLOAD_SELECTOR ps.byKey[key] = authPolicy return nil @@ -68,9 +64,6 @@ func (ps *policyStore) updatePolicy(auth *security.Authorization) error { return fmt.Errorf("invalid scope %v of authorization policy", authPolicy.GetScope()) } - ps.rwLock.Lock() - defer ps.rwLock.Unlock() - if s, ok := ps.byNamespace[ns]; !ok { ps.byNamespace[ns] = sets.New(key) } else { @@ -89,6 +82,8 @@ func (ps *policyStore) removePolicy(policyKey string) { log.Warnf("Auth policy key %s does not exist in byKey", policyKey) return } + // remove authPolicy from byKey + delete(ps.byKey, policyKey) var ns string switch authPolicy.Scope { @@ -96,6 +91,8 @@ func (ps *policyStore) removePolicy(policyKey string) { ns = "" case security.Scope_NAMESPACE: ns = authPolicy.GetNamespace() + default: + return } // remove authPolicy key from byNamespace 
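Review bot: `updatePolicy` never clears a previous byNamespace entry for the same key, so if the control plane re-sends a policy with a changed scope (for example a NAMESPACE policy that gains a selector and arrives as WORKLOAD_SELECTOR) its name stays in byNamespace while byKey now holds the workload-scoped version, and `aggregate`, which resolves byNamespace names through byKey, would keep applying it to every workload in the namespace. The `case security.Scope_WORKLOAD_SELECTOR` branch returns right after `ps.byKey[key] = authPolicy` without touching byNamespace, and the namespace/global path only inserts. With the lock already held, detect the change with `if old, ok := ps.byKey[key]; ok && old.GetScope() != authPolicy.GetScope() {` and drop `key` from the set for the old scope's namespace the way `removePolicy` does (deleting the set when it empties) before indexing the new scope; factoring that cleanup into a helper shared with `removePolicy` keeps the two paths consistent. The same fix covers the `@@ -68,9 +64,6 @@` hunk, whose insert-only branch is where the stale entry would otherwise survive.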
@@ -105,26 +102,15 @@ func (ps *policyStore) removePolicy(policyKey string) { delete(ps.byNamespace, ns) } } - - // remove authPolicy from byKey - delete(ps.byKey, policyKey) } -// getByNamesapce returns a copied set of policy name in namespace, or an empty set if namespace not exists -func (ps *policyStore) getByNamesapce(namespace string) sets.Set[string] { +// getByNamespace returns a copied set of policy name in namespace, or an empty set if namespace not exists +func (ps *policyStore) getByNamespace(namespace string) []string { ps.rwLock.RLock() defer ps.rwLock.RUnlock() if s, ok := ps.byNamespace[namespace]; ok { - return s.Copy() + return s.UnsortedList() } - return sets.New[string]() -} - -type authPolicy struct { - *security.Authorization -} - -func (ap *authPolicy) Key() string { - return fmt.Sprintf("%s/%s", ap.GetNamespace(), ap.GetName()) + return nil } diff --git a/pkg/auth/policy_store_test.go b/pkg/auth/policy_store_test.go index eb875eec5..a52df02d9 100644 --- a/pkg/auth/policy_store_test.go +++ b/pkg/auth/policy_store_test.go @@ -77,7 +77,7 @@ func Test_policyStore_updatePolicy(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - ps := newPolicystore() + ps := newPolicyStore() if err := ps.updatePolicy(tt.args.auth); (err != nil) != tt.wantErr { t.Errorf("policyStore.updatePolicy() error = %v, wantErr %v", err, tt.wantErr) } @@ -109,7 +109,7 @@ func Test_policyStore_removePolicy(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - ps := newPolicystore() + ps := newPolicyStore() ps.removePolicy(tt.args.policyKey) }) } diff --git a/pkg/auth/rbac.go b/pkg/auth/rbac.go index fc339c6bf..85d8a3b6d 100644 --- a/pkg/auth/rbac.go +++ b/pkg/auth/rbac.go 
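Review bot: The renamed `getByNamespace` now returns `[]string` (nil when the namespace is absent), but its comment still promises "a copied set of policy name ... or an empty set", so the documented contract no longer matches the code. Suggest `// getByNamespace returns the policy keys registered for namespace (or "" for global) as a new slice, or nil if the namespace has no policies.` Since `aggregate` appends to the result, the comment should also state whether `UnsortedList` is expected to hand back a fresh slice rather than a view of the set's storage, which is what the old "copied" wording relied on.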
@@ -70,7 +70,7 @@ type rbacConnection struct { func NewRbac(workloadObj *bpf.BpfKmeshWorkload, workloadCache cache.WorkloadCache) *Rbac { return &Rbac{ - policyStore: newPolicystore(), + policyStore: newPolicyStore(), workloadCache: workloadCache, bpfWorkload: workloadObj, } @@ -160,14 +160,16 @@ func (r *Rbac) RemovePolicy(policyKey string) { } func (r *Rbac) doRbac(conn *rbacConnection) bool { - var dstWorkload *workloadapi.Workload - if len(conn.dstIp) > 0 { - var networkAddress cache.NetworkAddress - networkAddress.Network = conn.dstNetwork - networkAddress.Address, _ = netip.AddrFromSlice(conn.dstIp) - dstWorkload = r.workloadCache.GetWorkloadByAddr(networkAddress) + var networkAddress cache.NetworkAddress + networkAddress.Network = conn.dstNetwork + networkAddress.Address, _ = netip.AddrFromSlice(conn.dstIp) + dstWorkload := r.workloadCache.GetWorkloadByAddr(networkAddress) + // If no workload found, deny + if dstWorkload == nil { + return false } + // TODO: maybe cache them for performance issue allowPolicies, denyPolicies := r.aggregate(dstWorkload) // 1. If there is ANY deny policy, deny the request 
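Review bot: The rewritten `doRbac` still discards the `ok` result of `netip.AddrFromSlice(conn.dstIp)`, so an empty or malformed `dstIp` silently becomes the zero address, misses the cache and is denied by the new `dstWorkload == nil` check; the outcome is fail-closed, but it is indistinguishable in logs from a genuinely unknown destination. Prefer `addr, ok := netip.AddrFromSlice(conn.dstIp)`, `if !ok { return false }` with a debug log naming the bad address length, then `networkAddress.Address = addr`. The removed `len(conn.dstIp) > 0` branch previously let such connections reach `aggregate` with a nil workload, where only global policies applied; since this hunk turns that into an outright deny, the new `// If no workload found, deny` comment should say why (an unknown destination must not skip policy evaluation) so the behaviour change reads as intended rather than accidental. `doRbac` continues past the end of the hunk.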
@@ -193,17 +195,14 @@ func (r *Rbac) doRbac(conn *rbacConnection) bool { return false } -func (r *Rbac) aggregate(workload *workloadapi.Workload) (allowPolicies, denyPolicies []authPolicy) { - allowPolicies = make([]authPolicy, 0) - denyPolicies = make([]authPolicy, 0) +func (r *Rbac) aggregate(workload *workloadapi.Workload) (allowPolicies, denyPolicies []*security.Authorization) { + allowPolicies = make([]*security.Authorization, 0) + denyPolicies = make([]*security.Authorization, 0) - // Collect policy names from workload, global namespace and namespace - policyNames := r.policyStore.getByNamesapce("").UnsortedList() - if workload != nil { - policyNames = append(append(policyNames, - r.policyStore.getByNamesapce(workload.Namespace).UnsortedList()...), - workload.GetAuthorizationPolicies()...) - } + // Collect policy names from workload, namespace and global(root namespace) + policyNames := workload.GetAuthorizationPolicies() + policyNames = append(policyNames, r.policyStore.getByNamespace(workload.Namespace)...) + policyNames = append(policyNames, r.policyStore.getByNamespace("")...) for _, policyName := range policyNames { if policy, ok := r.policyStore.byKey[policyName]; ok { @@ -217,7 +216,7 @@ func (r *Rbac) aggregate(workload *workloadapi.Workload) (allowPolicies, denyPol return } -func matches(conn *rbacConnection, policy authPolicy) bool { +func matches(conn *rbacConnection, policy *security.Authorization) bool { if policy.GetRules() == nil { return false } diff --git a/pkg/auth/rbac_test.go b/pkg/auth/rbac_test.go index 2b051fd2a..af6fc84d6 100644 --- a/pkg/auth/rbac_test.go +++ b/pkg/auth/rbac_test.go 
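Review bot: `aggregate` reads `r.policyStore.byKey[policyName]` directly, outside the store's `rwLock`, while `updatePolicy` and `removePolicy` write that map under the lock; with policy pushes and connection checks on different goroutines this is a data race, and when the Go runtime detects a concurrent map read and write it aborts the process, so a policy update could take the authorization path down. The lookup should go through the store under `RLock`, as `getByNamespace` already does; a small accessor in policy_store.go also keeps the map private to the store. The new `policyNames := workload.GetAuthorizationPolicies()` followed by `append` is a second hazard: the getter presumably returns the cached workload's own slice, and appending into its spare capacity writes to backing storage shared with every other goroutine evaluating that workload, so start from a copy, e.g. `policyNames := append([]string(nil), workload.GetAuthorizationPolicies()...)`. The loop body continues outside the hunk.
```go
// pkg/auth/policy_store.go
// getByKey returns the policy stored under key (ns/name), if any, under the read lock.
func (ps *policyStore) getByKey(key string) (*security.Authorization, bool) {
	ps.rwLock.RLock()
	defer ps.rwLock.RUnlock()
	policy, ok := ps.byKey[key]
	return policy, ok
}

// pkg/auth/rbac.go, in aggregate:
	// … unchanged: allow/deny slice setup …
	// Copy so appends never touch the cached workload's backing array.
	policyNames := append([]string(nil), workload.GetAuthorizationPolicies()...)
	policyNames = append(policyNames, r.policyStore.getByNamespace(workload.Namespace)...)
	policyNames = append(policyNames, r.policyStore.getByNamespace("")...)
	for _, policyName := range policyNames {
		if policy, ok := r.policyStore.getByKey(policyName); ok {
			// … unchanged: allow/deny classification …
```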
@@ -34,27 +34,25 @@ const ( ) var ( - policy1 = authPolicy{ - &security.Authorization{ - Name: "_name", - Namespace: "_namespace", - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 1}, - Length: 32, - }, - { - Address: []byte{192, 168, 122, 2}, - Length: 32, - }, + policy1 = &security.Authorization{ + Name: "_name", + Namespace: "_namespace", + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 1}, + Length: 32, + }, + { + Address: []byte{192, 168, 122, 2}, + Length: 32, }, }, }, 
@@ -65,37 +63,35 @@ var ( }, } - policy2_1 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 0}, - Length: 24, - }, - { - Address: []byte{192, 168, 123, 0}, - Length: 24, - }, + policy2_1 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 0}, + Length: 24, }, - NotDestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 124, 0}, - Length: 24, - }, - { - Address: []byte{192, 168, 125, 0}, - Length: 24, - }, + { + Address: []byte{192, 168, 123, 0}, + Length: 24, + }, + }, + NotDestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 124, 0}, + Length: 24, + }, + { + Address: []byte{192, 168, 125, 0}, + Length: 24, }, }, }, 
@@ -106,37 +102,35 @@ var ( }, } - policy2_2 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 0}, - Length: 24, - }, - { - Address: []byte{192, 168, 124, 0}, - Length: 24, - }, + policy2_2 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 0}, + Length: 24, }, - NotDestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 0}, - Length: 24, - }, - { - Address: []byte{192, 168, 125, 0}, - Length: 24, - }, + { + Address: []byte{192, 168, 124, 0}, + Length: 24, + }, + }, + NotDestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 0}, + Length: 24, + }, + { + Address: []byte{192, 168, 125, 0}, + Length: 24, }, }, }, 
@@ -147,33 +141,31 @@ var ( }, } - policy2_3_deny = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - NotDestinationIps: []*security.Address{ - { - Address: []byte{192, 167, 0, 0}, - Length: 16, - }, - { - Address: []byte{192, 169, 0, 0}, - Length: 16, - }, + policy2_3_deny = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + NotDestinationIps: []*security.Address{ + { + Address: []byte{192, 167, 0, 0}, + Length: 16, }, - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 0, 0}, - Length: 16, - }, + { + Address: []byte{192, 169, 0, 0}, + Length: 16, + }, + }, + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 0, 0}, + Length: 16, }, }, }, @@ -184,23 +176,21 @@ var ( }, } - policy2_3_allow = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 0, 0}, - Length: 16, - }, + policy2_3_allow = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 0, 0}, + Length: 16, }, }, }, 
@@ -211,23 +201,21 @@ var ( }, } - policy2_4 = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + policy2_4 = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, }, @@ -238,27 +226,25 @@ var ( }, } - policy3_1 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - SourceIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 10}, - Length: 32, - }, - { - Address: []byte{192, 168, 122, 4}, - Length: 32, - }, + policy3_1 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + SourceIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 10}, + Length: 32, + }, + { + Address: []byte{192, 168, 122, 4}, + Length: 32, }, }, }, 
@@ -269,27 +255,25 @@ var ( }, } - policy3_2 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - SourceIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 11}, - Length: 32, - }, - { - Address: []byte{192, 168, 122, 12}, - Length: 32, - }, + policy3_2 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + SourceIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 11}, + Length: 32, + }, + { + Address: []byte{192, 168, 122, 12}, + Length: 32, }, }, }, 
@@ -300,37 +284,35 @@ var ( }, } - policy3_3_deny = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - NotDestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 0}, - Length: 24, - }, - { - Address: []byte{192, 168, 123, 0}, - Length: 24, - }, + policy3_3_deny = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + NotDestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 0}, + Length: 24, }, - NotSourceIps: []*security.Address{ - { - Address: []byte{192, 168, 124, 0}, - Length: 24, - }, - { - Address: []byte{192, 168, 125, 0}, - Length: 24, - }, + { + Address: []byte{192, 168, 123, 0}, + Length: 24, + }, + }, + NotSourceIps: []*security.Address{ + { + Address: []byte{192, 168, 124, 0}, + Length: 24, + }, + { + Address: []byte{192, 168, 125, 0}, + Length: 24, }, }, }, 
@@ -341,37 +323,35 @@ var ( }, } - policy3_3_allow = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 0}, - Length: 24, - }, - { - Address: []byte{192, 168, 123, 0}, - Length: 24, - }, + policy3_3_allow = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 0}, + Length: 24, }, - SourceIps: []*security.Address{ - { - Address: []byte{192, 168, 124, 0}, - Length: 24, - }, - { - Address: []byte{192, 168, 125, 0}, - Length: 24, - }, + { + Address: []byte{192, 168, 123, 0}, + Length: 24, + }, + }, + SourceIps: []*security.Address{ + { + Address: []byte{192, 168, 124, 0}, + Length: 24, + }, + { + Address: []byte{192, 168, 125, 0}, + Length: 24, }, }, }, 
@@ -382,27 +362,25 @@ var ( }, } - policy3_4 = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - SourceIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 11}, - Length: 32, - }, - { - Address: []byte{192, 168, 122, 12}, - Length: 32, - }, + policy3_4 = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + SourceIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 11}, + Length: 32, + }, + { + Address: []byte{192, 168, 122, 12}, + Length: 32, }, }, }, @@ -413,20 +391,18 @@ var ( }, } - policy4_1 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationPorts: []uint32{8888, 8889}, - }, + policy4_1 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationPorts: []uint32{8888, 8889}, }, }, }, 
@@ -435,20 +411,18 @@ var ( }, } - policy4_2 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationPorts: []uint32{8889, 8890}, - }, + policy4_2 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationPorts: []uint32{8889, 8890}, }, }, }, @@ -457,30 +431,28 @@ var ( }, } - policy4_3_deny = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - NotDestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, - { - Address: []byte{192, 168, 122, 4}, - Length: 32, - }, + policy4_3_deny = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + NotDestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, + }, + { + Address: []byte{192, 168, 122, 4}, + Length: 32, }, - NotDestinationPorts: []uint32{8888, 8889}, }, + NotDestinationPorts: []uint32{8888, 8889}, }, }, }, 
@@ -489,30 +461,28 @@ var ( }, } - policy4_3_allow = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, - { - Address: []byte{192, 168, 122, 4}, - Length: 32, - }, + policy4_3_allow = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, + }, + { + Address: []byte{192, 168, 122, 4}, + Length: 32, }, - DestinationPorts: []uint32{8888, 8889}, }, + DestinationPorts: []uint32{8888, 8889}, }, }, }, @@ -521,20 +491,18 @@ var ( }, } - policy4_4 = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationPorts: []uint32{8889, 8890}, - }, + policy4_4 = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationPorts: []uint32{8889, 8890}, }, }, }, 
@@ -543,23 +511,21 @@ var ( }, } - policy5_1 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - Principals: []*security.StringMatch{ - { - MatchType: &security.StringMatch_Exact{ - Exact: "cluster.local/ns//sa/sleep", - }, + policy5_1 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + Principals: []*security.StringMatch{ + { + MatchType: &security.StringMatch_Exact{ + Exact: "cluster.local/ns//sa/sleep", }, }, }, @@ -571,28 +537,26 @@ var ( }, } - policy5_2 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - Principals: []*security.StringMatch{ - { - MatchType: &security.StringMatch_Prefix{ - Prefix: "k8s.io", - }, + policy5_2 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + Principals: []*security.StringMatch{ + { + MatchType: &security.StringMatch_Prefix{ + Prefix: "k8s.io", }, - { - MatchType: &security.StringMatch_Suffix{ - Suffix: "notsleep", - }, + }, + { + MatchType: &security.StringMatch_Suffix{ + Suffix: "notsleep", }, }, }, 
@@ -604,33 +568,31 @@ var ( }, } - policy5_3_deny = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - NotDestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, - { - Address: []byte{192, 168, 122, 4}, - Length: 32, - }, + policy5_3_deny = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + NotDestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, - NotPrincipals: []*security.StringMatch{ - { - MatchType: &security.StringMatch_Suffix{ - Suffix: "sleep", - }, + { + Address: []byte{192, 168, 122, 4}, + Length: 32, + }, + }, + NotPrincipals: []*security.StringMatch{ + { + MatchType: &security.StringMatch_Suffix{ + Suffix: "sleep", }, }, }, 
@@ -642,33 +604,31 @@ var ( }, } - policy5_3_allow = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, - { - Address: []byte{192, 168, 122, 4}, - Length: 32, - }, + policy5_3_allow = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, + }, + { + Address: []byte{192, 168, 122, 4}, + Length: 32, }, - Principals: []*security.StringMatch{ - { - MatchType: &security.StringMatch_Suffix{ - Suffix: "sleep", - }, + }, + Principals: []*security.StringMatch{ + { + MatchType: &security.StringMatch_Suffix{ + Suffix: "sleep", }, }, }, @@ -680,23 +640,21 @@ var ( }, } - policy5_4 = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - Principals: []*security.StringMatch{ - { - MatchType: &security.StringMatch_Exact{ - Exact: "cluster.local/ns//sa/notsleep", - }, + policy5_4 = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + Principals: []*security.StringMatch{ + { + MatchType: &security.StringMatch_Exact{ + Exact: "cluster.local/ns//sa/notsleep", }, }, }, 
@@ -708,23 +666,21 @@ var ( }, } - policy6_1 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - Namespaces: []*security.StringMatch{ - { - MatchType: &security.StringMatch_Exact{ - Exact: GLOBAL_NAMESPACE, - }, + policy6_1 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + Namespaces: []*security.StringMatch{ + { + MatchType: &security.StringMatch_Exact{ + Exact: GLOBAL_NAMESPACE, }, }, }, @@ -736,28 +692,26 @@ var ( }, } - policy6_2 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - Namespaces: []*security.StringMatch{ - { - MatchType: &security.StringMatch_Exact{ - Exact: "k8s-system", - }, + policy6_2 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + Namespaces: []*security.StringMatch{ + { + MatchType: &security.StringMatch_Exact{ + Exact: "k8s-system", }, - { - MatchType: &security.StringMatch_Exact{ - Exact: "kube-system", - }, + }, + { + MatchType: &security.StringMatch_Exact{ + Exact: "kube-system", }, }, }, 
@@ -769,33 +723,31 @@ var ( }, } - policy6_3_deny = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - NotDestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, - { - Address: []byte{192, 168, 122, 4}, - Length: 32, - }, + policy6_3_deny = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + NotDestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, + }, + { + Address: []byte{192, 168, 122, 4}, + Length: 32, }, - NotNamespaces: []*security.StringMatch{ - { - MatchType: &security.StringMatch_Exact{ - Exact: GLOBAL_NAMESPACE, - }, + }, + NotNamespaces: []*security.StringMatch{ + { + MatchType: &security.StringMatch_Exact{ + Exact: GLOBAL_NAMESPACE, }, }, }, 
@@ -807,33 +759,31 @@ var ( }, } - policy6_3_allow = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, - { - Address: []byte{192, 168, 122, 4}, - Length: 32, - }, + policy6_3_allow = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, + }, + { + Address: []byte{192, 168, 122, 4}, + Length: 32, }, - Namespaces: []*security.StringMatch{ - { - MatchType: &security.StringMatch_Exact{ - Exact: GLOBAL_NAMESPACE, - }, + }, + Namespaces: []*security.StringMatch{ + { + MatchType: &security.StringMatch_Exact{ + Exact: GLOBAL_NAMESPACE, }, }, }, @@ -845,23 +795,21 @@ var ( }, } - policy6_4 = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - Namespaces: []*security.StringMatch{ - { - MatchType: &security.StringMatch_Exact{ - Exact: "k8s-system", - }, + policy6_4 = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + Namespaces: []*security.StringMatch{ + { + MatchType: &security.StringMatch_Exact{ + Exact: "k8s-system", }, }, }, 
@@ -873,39 +821,37 @@ var ( }, } - policy7_1 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 2}, - Length: 32, - }, + policy7_1 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 2}, + Length: 32, }, }, }, }, }, }, - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - SourceIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + }, + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + SourceIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, }, 
@@ -916,39 +862,37 @@ var ( }, } - policy7_2 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + policy7_2 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, }, }, }, }, - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - SourceIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 4}, - Length: 32, - }, + }, + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + SourceIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 4}, + Length: 32, }, }, }, 
@@ -959,39 +903,37 @@ var ( }, } - policy7_3 = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - NotDestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 2}, - Length: 32, - }, + policy7_3 = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + NotDestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 2}, + Length: 32, }, }, }, }, }, }, - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - NotSourceIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + }, + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + NotSourceIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, }, 
@@ -1002,39 +944,37 @@ var ( }, } - policy7_4 = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + policy7_4 = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, }, }, }, }, - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - SourceIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 4}, - Length: 32, - }, + }, + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + SourceIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 4}, + Length: 32, }, }, }, 
@@ -1045,35 +985,33 @@ var ( }, } - policy8_1 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - NotDestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 2}, - Length: 32, - }, + policy8_1 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + NotDestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 2}, + Length: 32, }, }, }, }, - { - Matches: []*security.Match{ - { - SourceIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + }, + { + Matches: []*security.Match{ + { + SourceIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, }, 
@@ -1084,35 +1022,33 @@ var ( }, } - policy8_2 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 2}, - Length: 32, - }, + policy8_2 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 2}, + Length: 32, }, }, }, }, - { - Matches: []*security.Match{ - { - SourceIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + }, + { + Matches: []*security.Match{ + { + SourceIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, }, 
@@ -1123,35 +1059,33 @@ var ( }, } - policy8_3 = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - NotDestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 2}, - Length: 32, - }, + policy8_3 = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + NotDestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 2}, + Length: 32, }, }, }, }, - { - Matches: []*security.Match{ - { - NotSourceIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + }, + { + Matches: []*security.Match{ + { + NotSourceIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, }, 
@@ -1162,35 +1096,33 @@ var ( }, } - policy8_4 = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 2}, - Length: 32, - }, + policy8_4 = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 2}, + Length: 32, }, }, }, }, - { - Matches: []*security.Match{ - { - SourceIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + }, + { + Matches: []*security.Match{ + { + SourceIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, }, 
@@ -1201,31 +1133,29 @@ var ( }, } - policy9_1 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 2}, - Length: 32, - }, + policy9_1 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 2}, + Length: 32, }, }, - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + }, + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, }, @@ -1236,31 +1166,29 @@ var ( }, } - policy9_2 = authPolicy{ - &security.Authorization{ - Name: ALLOW_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_ALLOW, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + policy9_2 = &security.Authorization{ + Name: ALLOW_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 4}, - Length: 32, - }, + }, + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 4}, + Length: 32, }, }, }, 
@@ -1271,31 +1199,29 @@ var ( }, } - policy9_3 = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - NotDestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 2}, - Length: 32, - }, + policy9_3 = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + NotDestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 2}, + Length: 32, }, }, - { - NotDestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + }, + { + NotDestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, }, @@ -1306,31 +1232,29 @@ var ( }, } - policy9_4 = authPolicy{ - &security.Authorization{ - Name: DENY_AUTH, - Namespace: GLOBAL_NAMESPACE, - Scope: security.Scope_WORKLOAD_SELECTOR, - Action: security.Action_DENY, - Rules: []*security.Rule{ - { - Clauses: []*security.Clause{ - { - Matches: []*security.Match{ - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 3}, - Length: 32, - }, + policy9_4 = &security.Authorization{ + Name: DENY_AUTH, + Namespace: GLOBAL_NAMESPACE, + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_DENY, + Rules: []*security.Rule{ + { + Clauses: []*security.Clause{ + { + Matches: []*security.Match{ + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 3}, + Length: 32, }, }, - { - DestinationIps: []*security.Address{ - { - Address: []byte{192, 168, 122, 4}, - Length: 32, - }, + }, + { + DestinationIps: []*security.Address{ + { + Address: []byte{192, 168, 122, 4}, + Length: 32, }, }, }, 
@@ -1365,7 +1289,7 @@ func TestRbac_doRbac(t *testing.T) { "1. No policy for workload, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{"_namespace/_name": policy1}, + byKey: map[string]*security.Authorization{"_namespace/_name": policy1}, byNamespace: map[string]sets.Set[string]{"_namesapce": sets.New("_namespace/_name")}, }, }, @@ -1388,7 +1312,7 @@ func TestRbac_doRbac(t *testing.T) { "2-1. Destination IP allow match, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy2_1}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy2_1}, byNamespace: byNamespaceAllow, }, }, @@ -1399,7 +1323,7 @@ func TestRbac_doRbac(t *testing.T) { "2-2. Destination IP allow mismatch, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy2_2}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy2_2}, byNamespace: byNamespaceAllow, }, }, @@ -1410,7 +1334,7 @@ func TestRbac_doRbac(t *testing.T) { "2-3. Destination IP deny match, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ + byKey: map[string]*security.Authorization{ DENY_POLICY: policy2_3_deny, ALLOW_POLICY: policy2_3_allow, }, @@ -1424,7 +1348,7 @@ func TestRbac_doRbac(t *testing.T) { "2-4. Destination IP deny mismatch, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{DENY_POLICY: policy2_4}, + byKey: map[string]*security.Authorization{DENY_POLICY: policy2_4}, byNamespace: byNamespaceDeny, }, }, @@ -1436,7 +1360,7 @@ func TestRbac_doRbac(t *testing.T) { "3-1. Source IP allow match, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy3_1}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy3_1}, byNamespace: byNamespaceAllow, }, }, 
@@ -1447,7 +1371,7 @@ func TestRbac_doRbac(t *testing.T) { "3-2. Source IP allow mismatch, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy3_2}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy3_2}, byNamespace: byNamespaceAllow, }, }, @@ -1458,7 +1382,7 @@ func TestRbac_doRbac(t *testing.T) { "3-3. Source IP deny match, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ + byKey: map[string]*security.Authorization{ DENY_POLICY: policy3_3_deny, ALLOW_POLICY: policy3_3_allow, }, @@ -1472,7 +1396,7 @@ func TestRbac_doRbac(t *testing.T) { "3-4. Source IP deny mismatch, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{DENY_POLICY: policy3_4}, + byKey: map[string]*security.Authorization{DENY_POLICY: policy3_4}, byNamespace: byNamespaceDeny, }, }, @@ -1484,7 +1408,7 @@ func TestRbac_doRbac(t *testing.T) { "4-1. Destination port allow match, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy4_1}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy4_1}, byNamespace: byNamespaceAllow, }, }, @@ -1495,7 +1419,7 @@ func TestRbac_doRbac(t *testing.T) { "4-2. Destination port allow mismatch, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy4_2}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy4_2}, byNamespace: byNamespaceAllow, }, }, @@ -1506,7 +1430,7 @@ func TestRbac_doRbac(t *testing.T) { "4-3. Destination port deny match, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ + byKey: map[string]*security.Authorization{ DENY_POLICY: policy4_3_deny, ALLOW_POLICY: policy4_3_allow, }, @@ -1520,7 +1444,7 @@ func TestRbac_doRbac(t *testing.T) { "4-4. Destination port deny mismatch, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{DENY_POLICY: policy4_4}, + byKey: map[string]*security.Authorization{DENY_POLICY: policy4_4}, byNamespace: byNamespaceDeny, }, }, 
@@ -1532,7 +1456,7 @@ func TestRbac_doRbac(t *testing.T) { "5-1. Principal allow match, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy5_1}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy5_1}, byNamespace: byNamespaceAllow, }, }, @@ -1551,7 +1475,7 @@ func TestRbac_doRbac(t *testing.T) { "5-2. Principal allow mismatch, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy5_2}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy5_2}, byNamespace: byNamespaceAllow, }, }, @@ -1570,7 +1494,7 @@ func TestRbac_doRbac(t *testing.T) { "5-3. Principal deny match, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ + byKey: map[string]*security.Authorization{ DENY_POLICY: policy5_3_deny, ALLOW_POLICY: policy5_3_allow, }, @@ -1592,7 +1516,7 @@ func TestRbac_doRbac(t *testing.T) { "5-4. Principal deny mismatch, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{DENY_POLICY: policy5_4}, + byKey: map[string]*security.Authorization{DENY_POLICY: policy5_4}, byNamespace: byNamespaceDeny, }, }, @@ -1612,7 +1536,7 @@ func TestRbac_doRbac(t *testing.T) { "6-1. Namespace allow match, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy6_1}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy6_1}, byNamespace: byNamespaceAllow, }, }, @@ -1625,7 +1549,7 @@ func TestRbac_doRbac(t *testing.T) { "6-2. Namespace allow mismatch, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy6_2}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy6_2}, byNamespace: byNamespaceAllow, }, }, @@ -1636,7 +1560,7 @@ func TestRbac_doRbac(t *testing.T) { "6-3. Namespace deny match, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ + byKey: map[string]*security.Authorization{ DENY_POLICY: policy6_3_deny, ALLOW_POLICY: policy6_3_allow, }, 
@@ -1650,7 +1574,7 @@ func TestRbac_doRbac(t *testing.T) { "6-4. Namespace deny mismatch, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{DENY_POLICY: policy6_4}, + byKey: map[string]*security.Authorization{DENY_POLICY: policy6_4}, byNamespace: byNamespaceDeny, }, }, @@ -1662,7 +1586,7 @@ func TestRbac_doRbac(t *testing.T) { "7-1. Test rules OR-ed allow, 1 rule matches, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy7_1}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy7_1}, byNamespace: byNamespaceAllow, }, }, @@ -1678,7 +1602,7 @@ func TestRbac_doRbac(t *testing.T) { "7-2. Test rules OR-ed allow, no rule matches, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy7_2}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy7_2}, byNamespace: byNamespaceAllow, }, }, @@ -1694,7 +1618,7 @@ func TestRbac_doRbac(t *testing.T) { "7-3. Test rules OR-ed deny, 1 rule matches, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{DENY_POLICY: policy7_3}, + byKey: map[string]*security.Authorization{DENY_POLICY: policy7_3}, byNamespace: byNamespaceDeny, }, }, @@ -1710,7 +1634,7 @@ func TestRbac_doRbac(t *testing.T) { "7-4. Test rules OR-ed deny, no rule matches, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{DENY_POLICY: policy7_4}, + byKey: map[string]*security.Authorization{DENY_POLICY: policy7_4}, byNamespace: byNamespaceDeny, }, }, @@ -1727,7 +1651,7 @@ func TestRbac_doRbac(t *testing.T) { "8-1. Test clauses AND-ed allow, 1 clause mismatches, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy8_1}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy8_1}, byNamespace: byNamespaceAllow, }, }, 
@@ -1743,7 +1667,7 @@ func TestRbac_doRbac(t *testing.T) { "8-2. Test clauses AND-ed allow, all clauses match, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy8_2}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy8_2}, byNamespace: byNamespaceAllow, }, }, @@ -1759,7 +1683,7 @@ func TestRbac_doRbac(t *testing.T) { "8-3. Test clauses AND-ed deny, 1 clause mismatch, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{DENY_POLICY: policy8_3}, + byKey: map[string]*security.Authorization{DENY_POLICY: policy8_3}, byNamespace: byNamespaceDeny, }, }, @@ -1775,7 +1699,7 @@ func TestRbac_doRbac(t *testing.T) { "8-4. Test clauses AND-ed deny, all clauses match, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{DENY_POLICY: policy8_4}, + byKey: map[string]*security.Authorization{DENY_POLICY: policy8_4}, byNamespace: byNamespaceDeny, }, }, @@ -1792,7 +1716,7 @@ func TestRbac_doRbac(t *testing.T) { "9-1. Test matches OR-ed allow, 1 match matches, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy9_1}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy9_1}, byNamespace: byNamespaceAllow, }, }, @@ -1808,7 +1732,7 @@ func TestRbac_doRbac(t *testing.T) { "9-2. Test matches OR-ed allow, no match matches, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{ALLOW_POLICY: policy9_2}, + byKey: map[string]*security.Authorization{ALLOW_POLICY: policy9_2}, byNamespace: byNamespaceAllow, }, }, @@ -1824,7 +1748,7 @@ func TestRbac_doRbac(t *testing.T) { "9-3. Test matches OR-ed deny, 1 match matches, deny", fields{ &policyStore{ - byKey: map[string]authPolicy{DENY_POLICY: policy9_3}, + byKey: map[string]*security.Authorization{DENY_POLICY: policy9_3}, byNamespace: byNamespaceDeny, }, }, 
@@ -1840,7 +1764,7 @@ func TestRbac_doRbac(t *testing.T) { "9-4. Test matches OR-ed deny, no match matches, allow", fields{ &policyStore{ - byKey: map[string]authPolicy{DENY_POLICY: policy9_4}, + byKey: map[string]*security.Authorization{DENY_POLICY: policy9_4}, byNamespace: byNamespaceDeny, }, }, From e6424030d3d860d7e127d6e1cf06b6ea71f405c7 Mon Sep 17 00:00:00 2001 From: Zhonghu Xu Date: Thu, 13 Jun 2024 20:31:02 +0800 Subject: [PATCH 2/3] Fix test Signed-off-by: Zhonghu Xu --- pkg/auth/rbac_test.go | 319 ++++++++++++++---- .../workload/cache/workload_cache.go | 7 +- 2 files changed, 266 insertions(+), 60 deletions(-) diff --git a/pkg/auth/rbac_test.go b/pkg/auth/rbac_test.go index af6fc84d6..0d7f30a98 100644 --- a/pkg/auth/rbac_test.go +++ b/pkg/auth/rbac_test.go @@ -19,8 +19,10 @@ package auth import ( "testing" + "github.com/stretchr/testify/assert" "istio.io/istio/pkg/util/sets" + "kmesh.net/kmesh/api/v2/workloadapi" "kmesh.net/kmesh/api/v2/workloadapi/security" "kmesh.net/kmesh/pkg/controller/workload/cache" ) @@ -1277,7 +1279,8 @@ func TestRbac_doRbac(t *testing.T) { policyStore *policyStore } type args struct { - conn *rbacConnection + conn *rbacConnection + workload *workloadapi.Workload } tests := []struct { name string @@ -1294,7 +1297,7 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ + conn: &rbacConnection{ srcIdentity: Identity{ trustDomain: "cluster.local", namespace: GLOBAL_NAMESPACE, @@ -1304,6 +1307,9 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 4}, dstPort: 8888, }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 4}}, + }, }, true, }, @@ -1316,7 +1322,11 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceAllow, }, }, - args{&rbacConnection{dstIp: []byte{192, 168, 122, 2}}}, + args{ + conn: &rbacConnection{dstIp: []byte{192, 168, 122, 2}}, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, true, }, { 
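Review bot: The import hunk adds `github.com/stretchr/testify/assert`, but the diffstat printed just above lists only `rbac_test.go` and `workload_cache.go`, so this compiles only if testify is already a direct requirement in `go.mod`; if it is absent or merely indirect, `go.mod`/`go.sum` must be part of this change or the build is not reproducible. The rest of this file reports failures with `t.Errorf`, and the new test at the bottom of the patch mixes `assert.NoError` with `t.Errorf`; for consistency I would drop the new import and write `if err := rbac.UpdatePolicy(policy1); err != nil { t.Fatalf("UpdatePolicy(policy1): %v", err) }`.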
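Review bot: The new `workload *workloadapi.Workload` field in `args` is undocumented, and its contract is only discoverable from the test loop far below (it is added to a fresh cache before `doRbac` runs, and the `9-4-1` case leaves it nil to mean "nothing registered"). A one-line comment on the field, `// workload is registered in the Rbac's workload cache before doRbac runs; nil means no workload exists for conn.dstIp`, would save the next reader that trip. `TestRbac_doRbac` itself starts and ends outside this hunk.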
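Review bot: `Addresses: [][]byte{[]byte{192, 168, 122, 4}}` repeats the element type inside the composite literal, which `gofmt -s` (and the gofmt/gosimple linters CI usually runs) will flag; the same pattern recurs in every workload literal added throughout this patch. Write it as `Addresses: [][]byte{{192, 168, 122, 4}},`. Each case appears to set `Addresses` to the same value as `conn.dstIp`, which looks like what lets the destination lookup succeed — if that is the intended coupling, a short comment on the first such case would make the later mechanical repetitions self-explanatory.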
@@ -1327,7 +1337,11 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceAllow, }, }, - args{&rbacConnection{dstIp: []byte{192, 168, 122, 2}}}, + args{ + conn: &rbacConnection{dstIp: []byte{192, 168, 122, 2}}, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, false, }, { @@ -1341,7 +1355,11 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceAllowDeny, }, }, - args{&rbacConnection{dstIp: []byte{192, 168, 122, 2}}}, + args{ + conn: &rbacConnection{dstIp: []byte{192, 168, 122, 2}}, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, false, }, { @@ -1352,7 +1370,11 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceDeny, }, }, - args{&rbacConnection{dstIp: []byte{192, 168, 122, 2}}}, + args{ + conn: &rbacConnection{dstIp: []byte{192, 168, 122, 2}}, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, true, }, @@ -1364,7 +1386,14 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceAllow, }, }, - args{&rbacConnection{srcIp: []byte{192, 168, 122, 10}}}, + args{ + conn: &rbacConnection{ + srcIp: []byte{192, 168, 122, 10}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, true, }, { @@ -1375,8 +1404,14 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceAllow, }, }, - args{&rbacConnection{srcIp: []byte{192, 168, 122, 10}}}, - false, + args{ + conn: &rbacConnection{ + srcIp: []byte{192, 168, 122, 10}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, false, }, { "3-3. Source IP deny match, deny", 
@@ -1389,8 +1424,14 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceAllowDeny, }, }, - args{&rbacConnection{srcIp: []byte{192, 168, 122, 10}}}, - false, + args{ + conn: &rbacConnection{ + srcIp: []byte{192, 168, 122, 10}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, false, }, { "3-4. Source IP deny mismatch, allow", @@ -1400,8 +1441,14 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceDeny, }, }, - args{&rbacConnection{srcIp: []byte{192, 168, 122, 10}}}, - true, + args{ + conn: &rbacConnection{ + srcIp: []byte{192, 168, 122, 10}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, true, }, { @@ -1412,7 +1459,14 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceAllow, }, }, - args{&rbacConnection{dstPort: 8888}}, + args{ + conn: &rbacConnection{ + dstIp: []byte{192, 168, 122, 2}, + dstPort: 8888, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, true, }, { @@ -1423,7 +1477,14 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceAllow, }, }, - args{&rbacConnection{dstPort: 8888}}, + args{ + conn: &rbacConnection{ + dstIp: []byte{192, 168, 122, 2}, + dstPort: 8888, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, false, }, { @@ -1437,7 +1498,14 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceAllowDeny, }, }, - args{&rbacConnection{dstPort: 8888}}, + args{ + conn: &rbacConnection{ + dstIp: []byte{192, 168, 122, 2}, + dstPort: 8888, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, false, }, { 
@@ -1448,7 +1516,14 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceDeny, }, }, - args{&rbacConnection{dstPort: 8888}}, + args{ + conn: &rbacConnection{ + dstIp: []byte{192, 168, 122, 2}, + dstPort: 8888, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, true, }, @@ -1461,14 +1536,17 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ + conn: &rbacConnection{ srcIdentity: Identity{ trustDomain: "cluster.local", namespace: GLOBAL_NAMESPACE, serviceAccount: "sleep", }, + dstIp: []byte{192, 168, 122, 2}, }, - }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, true, }, { @@ -1480,14 +1558,17 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ + conn: &rbacConnection{ srcIdentity: Identity{ trustDomain: "cluster.local", namespace: GLOBAL_NAMESPACE, serviceAccount: "sleep", }, + dstIp: []byte{192, 168, 122, 2}, }, - }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, false, }, { @@ -1502,14 +1583,17 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ + conn: &rbacConnection{ srcIdentity: Identity{ trustDomain: "cluster.local", namespace: GLOBAL_NAMESPACE, serviceAccount: "sleep", }, + dstIp: []byte{192, 168, 122, 2}, }, - }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, false, }, { @@ -1521,14 +1605,17 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ + conn: &rbacConnection{ srcIdentity: Identity{ trustDomain: "cluster.local", namespace: GLOBAL_NAMESPACE, serviceAccount: "sleep", }, + dstIp: []byte{192, 168, 122, 2}, }, - }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, true, }, 
@@ -1541,8 +1628,15 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{srcIdentity: Identity{namespace: GLOBAL_NAMESPACE}}, - }, + conn: &rbacConnection{ + srcIdentity: Identity{ + namespace: GLOBAL_NAMESPACE, + }, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, true, }, { @@ -1553,8 +1647,16 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceAllow, }, }, - args{&rbacConnection{srcIdentity: Identity{namespace: GLOBAL_NAMESPACE}}}, - false, + args{ + conn: &rbacConnection{ + srcIdentity: Identity{ + namespace: GLOBAL_NAMESPACE, + }, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, false, }, { "6-3. Namespace deny match, deny", @@ -1567,7 +1669,16 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceAllowDeny, }, }, - args{&rbacConnection{srcIdentity: Identity{namespace: GLOBAL_NAMESPACE}}}, + args{ + conn: &rbacConnection{ + srcIdentity: Identity{ + namespace: GLOBAL_NAMESPACE, + }, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, false, }, { @@ -1578,7 +1689,16 @@ func TestRbac_doRbac(t *testing.T) { byNamespace: byNamespaceDeny, }, }, - args{&rbacConnection{srcIdentity: Identity{namespace: GLOBAL_NAMESPACE}}}, + args{ + conn: &rbacConnection{ + srcIdentity: Identity{ + namespace: GLOBAL_NAMESPACE, + }, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, true, }, @@ -1591,11 +1711,13 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ - dstIp: []byte{192, 168, 122, 2}, + conn: &rbacConnection{ srcIp: []byte{192, 168, 122, 4}, + dstIp: []byte{192, 168, 122, 2}, }, - }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + }}, true, }, { 
@@ -1607,9 +1729,12 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ - dstIp: []byte{192, 168, 122, 2}, + conn: &rbacConnection{ srcIp: []byte{192, 168, 122, 5}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, }, }, false, @@ -1623,9 +1748,12 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ - dstIp: []byte{192, 168, 122, 2}, + conn: &rbacConnection{ srcIp: []byte{192, 168, 122, 4}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, }, }, false, @@ -1639,9 +1767,12 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ - dstIp: []byte{192, 168, 122, 2}, + conn: &rbacConnection{ srcIp: []byte{192, 168, 122, 5}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, }, }, true, @@ -1656,9 +1787,12 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ - dstIp: []byte{192, 168, 122, 2}, + conn: &rbacConnection{ srcIp: []byte{192, 168, 122, 4}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, }, }, false, @@ -1672,9 +1806,12 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ - dstIp: []byte{192, 168, 122, 2}, + conn: &rbacConnection{ srcIp: []byte{192, 168, 122, 3}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, }, }, true, @@ -1688,9 +1825,12 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ - dstIp: []byte{192, 168, 122, 2}, + conn: &rbacConnection{ srcIp: []byte{192, 168, 122, 4}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, }, }, true, 
@@ -1704,9 +1844,12 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ - dstIp: []byte{192, 168, 122, 2}, + conn: &rbacConnection{ srcIp: []byte{192, 168, 122, 3}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, }, }, false, @@ -1721,9 +1864,12 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ - dstIp: []byte{192, 168, 122, 2}, + conn: &rbacConnection{ srcIp: []byte{192, 168, 122, 4}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, }, }, true, @@ -1737,9 +1883,12 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ - dstIp: []byte{192, 168, 122, 2}, + conn: &rbacConnection{ srcIp: []byte{192, 168, 122, 5}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, }, }, false, @@ -1753,9 +1902,12 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ - dstIp: []byte{192, 168, 122, 2}, + conn: &rbacConnection{ srcIp: []byte{192, 168, 122, 4}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, }, }, false, 
@@ -1769,19 +1921,40 @@ func TestRbac_doRbac(t *testing.T) { }, }, args{ - &rbacConnection{ - dstIp: []byte{192, 168, 122, 2}, + conn: &rbacConnection{ srcIp: []byte{192, 168, 122, 5}, + dstIp: []byte{192, 168, 122, 2}, + }, + workload: &workloadapi.Workload{ + Addresses: [][]byte{[]byte{192, 168, 122, 2}}, }, }, true, }, + { + "9-4-1. no workload found, deny", + fields{ + &policyStore{ + byKey: map[string]*security.Authorization{DENY_POLICY: policy9_4}, + byNamespace: byNamespaceDeny, + }, + }, + args{ + conn: &rbacConnection{ + srcIp: []byte{192, 168, 122, 5}, + dstIp: []byte{192, 168, 122, 2}, + }, + }, + false, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { + workloadCache := cache.NewWorkloadCache() + workloadCache.AddWorkload(tt.args.workload) rbac := &Rbac{ policyStore: tt.fields.policyStore, - workloadCache: cache.NewWorkloadCache(), + workloadCache: workloadCache, } if got := rbac.doRbac(tt.args.conn); got != tt.want { t.Errorf("Rbac.DoRbac() = %v, want %v", got, tt.want) @@ -1789,3 +1962,35 @@ func TestRbac_doRbac(t *testing.T) { }) } } + +func Test_handleAuthorizationTypeResponse(t *testing.T) { + policy1 := &security.Authorization{ + Name: "p1", + Namespace: "test", + Scope: security.Scope_WORKLOAD_SELECTOR, + Action: security.Action_ALLOW, + Rules: []*security.Rule{}, + } + + policy2 := &security.Authorization{ + Name: "p2", + Namespace: "test", + Scope: security.Scope_NAMESPACE, + Action: security.Action_ALLOW, + Rules: []*security.Rule{}, + } + + rbac := NewRbac(nil, nil) // Initialize your rbac object here + + err := rbac.UpdatePolicy(policy1) + assert.NoError(t, err) + + err = rbac.UpdatePolicy(policy2) + assert.NoError(t, err) + + rbac.RemovePolicy(policy1.ResourceName()) + + if !rbac.policyStore.byNamespace["test"].Contains(policy2.ResourceName()) { + t.Errorf("policy2 should still be in the policy store") + } +} 
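Review bot: The loop body now calls `workloadCache.AddWorkload(tt.args.workload)` unconditionally, and the new "9-4-1. no workload found, deny" case leaves `workload` nil, so this subtest only survives once `AddWorkload` tolerates a nil argument — that guard is added in the separate workload_cache.go hunk below, and if the two land in different commits this test nil-dereferences at the intermediate commit. Keeping the test self-sufficient is a three-line change: `if tt.args.workload != nil {` / `workloadCache.AddWorkload(tt.args.workload)` / `}`. The failure message `Rbac.DoRbac()` also names a method the test does not call; `t.Errorf("Rbac.doRbac() = %v, want %v", got, tt.want)` would point at the right function. The table and the subtest loop begin before this hunk.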
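Review bot: Test_handleAuthorizationTypeResponse never checks that policy1 was actually removed, which is the behaviour the "Fix authPolicy remove" commit changes: it only asserts that policy2 is still present in `byNamespace["test"]`, so a regression that leaves the deleted workload-selector policy in `byKey` — where it would presumably still be consulted on later connections — passes this test unchanged. Add `if _, ok := rbac.policyStore.byKey[policy1.ResourceName()]; ok { t.Errorf("policy1 should have been removed from byKey") }` after `RemovePolicy`. The test name also does not match its content, since no `handleAuthorizationTypeResponse` is called; `TestRbac_RemovePolicy` would describe it, and the template remark `// Initialize your rbac object here` on the `NewRbac(nil, nil)` line should be dropped.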
diff --git a/pkg/controller/workload/cache/workload_cache.go b/pkg/controller/workload/cache/workload_cache.go index 82eef734a..3c0da4b05 100644 --- a/pkg/controller/workload/cache/workload_cache.go +++ b/pkg/controller/workload/cache/workload_cache.go @@ -64,15 +64,16 @@ func (w *cache) GetWorkloadByAddr(networkAddress NetworkAddress) *workloadapi.Wo } func composeNetworkAddress(network string, addr netip.Addr) NetworkAddress { - networkAddress := NetworkAddress{ + return NetworkAddress{ Network: network, Address: addr, } - - return networkAddress } func (w *cache) AddWorkload(workload *workloadapi.Workload) { + if workload == nil { + return + } uid := workload.Uid w.mutex.Lock() From b4e6b85dcb7f147f21d1f8efabf8efeeefe2b5e7 Mon Sep 17 00:00:00 2001 From: Zhonghu Xu Date: Tue, 18 Jun 2024 12:55:23 +0800 Subject: [PATCH 3/3] Fix lint Signed-off-by: Zhonghu Xu --- pkg/auth/rbac_test.go | 68 ++++++++++++++++++++++--------------------- 1 file changed, 35 insertions(+), 33 deletions(-) diff --git a/pkg/auth/rbac_test.go b/pkg/auth/rbac_test.go index 0d7f30a98..031b5f34e 100644 --- a/pkg/auth/rbac_test.go +++ b/pkg/auth/rbac_test.go @@ -1308,7 +1308,9 @@ func TestRbac_doRbac(t *testing.T) { dstPort: 8888, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 4}}, + Addresses: [][]byte{ + {192, 168, 122, 4}, + }, }, }, true, @@ -1325,7 +1327,7 @@ func TestRbac_doRbac(t *testing.T) { args{ conn: &rbacConnection{dstIp: []byte{192, 168, 122, 2}}, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, true, }, @@ -1340,7 +1342,7 @@ func TestRbac_doRbac(t *testing.T) { args{ conn: &rbacConnection{dstIp: []byte{192, 168, 122, 2}}, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, false, }, 
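Review bot: The new nil check at the top of `AddWorkload` returns silently, so a nil workload reaching the cache from a real caller — which, as far as this hunk shows, would more likely be a caller bug than a valid input — leaves no trace; the guard appears to exist mainly so the test table can carry an absent workload. At minimum document the intent so the next reader does not treat it as error handling: `// A nil workload is a no-op rather than an error; callers may pass an absent workload (see rbac tests).` If this file has a logger in scope, a debug-level line in that branch would make an unexpected nil observable without changing behaviour; that cannot be confirmed from the hunk. The remainder of `AddWorkload` continues past the hunk.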
@@ -1358,7 +1360,7 @@ func TestRbac_doRbac(t *testing.T) { args{ conn: &rbacConnection{dstIp: []byte{192, 168, 122, 2}}, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, false, }, @@ -1373,7 +1375,7 @@ func TestRbac_doRbac(t *testing.T) { args{ conn: &rbacConnection{dstIp: []byte{192, 168, 122, 2}}, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, true, }, @@ -1392,7 +1394,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, true, }, @@ -1410,7 +1412,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, false, }, { @@ -1430,7 +1432,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, false, }, { @@ -1447,7 +1449,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, true, }, @@ -1465,7 +1467,7 @@ func TestRbac_doRbac(t *testing.T) { dstPort: 8888, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, true, }, @@ -1483,7 +1485,7 @@ func TestRbac_doRbac(t *testing.T) { dstPort: 8888, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, false, }, 
@@ -1504,7 +1506,7 @@ func TestRbac_doRbac(t *testing.T) { dstPort: 8888, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, false, }, @@ -1522,7 +1524,7 @@ func TestRbac_doRbac(t *testing.T) { dstPort: 8888, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, true, }, @@ -1545,7 +1547,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, true, }, @@ -1567,7 +1569,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, false, }, @@ -1592,7 +1594,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, false, }, @@ -1614,7 +1616,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, true, }, @@ -1635,7 +1637,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, true, }, @@ -1655,7 +1657,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, false, }, { 
@@ -1677,7 +1679,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, false, }, @@ -1697,7 +1699,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, true, }, @@ -1716,7 +1718,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }}, true, }, @@ -1734,7 +1736,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }, }, false, @@ -1753,7 +1755,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }, }, false, @@ -1772,7 +1774,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }, }, true, @@ -1792,7 +1794,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }, }, false, @@ -1811,7 +1813,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }, }, true, 
@@ -1830,7 +1832,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }, }, true, @@ -1849,7 +1851,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }, }, false, @@ -1869,7 +1871,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }, }, true, @@ -1888,7 +1890,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }, }, false, @@ -1907,7 +1909,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }, }, false, @@ -1926,7 +1928,7 @@ func TestRbac_doRbac(t *testing.T) { dstIp: []byte{192, 168, 122, 2}, }, workload: &workloadapi.Workload{ - Addresses: [][]byte{[]byte{192, 168, 122, 2}}, + Addresses: [][]byte{{192, 168, 122, 2}}, }, }, true,