support known servers

artifacts/knownservers/01-example.yaml

@@ -0,0 +1,12 @@
+apiVersion: spdx.softwarecomposition.kubescape.io/v1beta1
+kind: KnownServer
+metadata:
+  name: github
+spec:
+  - ipBlock: 12.3.4.23/24
+    server: github.com
+    name: github-workflows
+
+  - ipBlock: 190.56.3.2/16
+    server: github.com
+    name: github-repositories

pkg/apis/softwarecomposition/network_types.go

@@ -91,10 +91,34 @@ type PolicyRef struct {
 	OriginalIP string
 	DNS        string
 	Name       string
+	Server     string
 }
 
-type KnownServers struct {
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// KnownServerList is a list of KnownServer.
+type KnownServerList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	Items []KnownServer
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// KnownServer represents a known server, containing information about its IP addresses and servers. The purpose is to enrich the GeneratedNetworkPolicy CRD
+type KnownServer struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec KnownServerSpec
+}
+
+type KnownServerSpec []KnownServerEntry
+
+type KnownServerEntry struct {
 	IPBlock string
-	DNS     string
+	Server  string
 	Name    string
 }

pkg/apis/softwarecomposition/networkpolicy/networkpolicy.go

@@ -17,7 +17,7 @@ const (
 	storageV1Beta1ApiVersion = "spdx.softwarecomposition.kubescape.io/v1beta1"
 )
 
-func GenerateNetworkPolicy(networkNeighbors softwarecomposition.NetworkNeighbors, knownServers []softwarecomposition.KnownServers, timeProvider metav1.Time) (softwarecomposition.GeneratedNetworkPolicy, error) {
+func GenerateNetworkPolicy(networkNeighbors softwarecomposition.NetworkNeighbors, knownServers []softwarecomposition.KnownServer, timeProvider metav1.Time) (softwarecomposition.GeneratedNetworkPolicy, error) {
 	networkPolicy := softwarecomposition.NetworkPolicy{
 		Kind:       "NetworkPolicy",
 		APIVersion: "networking.k8s.io/v1",
@@ -86,7 +86,7 @@ func GenerateNetworkPolicy(networkNeighbors softwarecomposition.NetworkNeighbors
 	return generatedNetworkPolicy, nil
 }
 
-func generateEgressRule(neighbor softwarecomposition.NetworkNeighbor, knownServers []softwarecomposition.KnownServers) (softwarecomposition.NetworkPolicyEgressRule, []softwarecomposition.PolicyRef) {
+func generateEgressRule(neighbor softwarecomposition.NetworkNeighbor, KnownServer []softwarecomposition.KnownServer) (softwarecomposition.NetworkPolicyEgressRule, []softwarecomposition.PolicyRef) {
 	egressRule := softwarecomposition.NetworkPolicyEgressRule{}
 	policyRefs := []softwarecomposition.PolicyRef{}
 
@@ -111,32 +111,35 @@ func generateEgressRule(neighbor softwarecomposition.NetworkNeighbor, knownServe
 	if neighbor.IPAddress != "" {
 		isKnownServer := false
 		// look if this IP is part of any known server
-		for _, knownServer := range knownServers {
-			_, subNet, err := net.ParseCIDR(knownServer.IPBlock)
-			if err != nil {
-				logger.L().Error("error parsing cidr", helpers.Error(err))
-				continue
-			}
-			if subNet.Contains(net.ParseIP(neighbor.IPAddress)) {
-				egressRule.To = append(egressRule.To, softwarecomposition.NetworkPolicyPeer{
-					IPBlock: &softwarecomposition.IPBlock{
-						CIDR: knownServer.IPBlock,
-					},
-				})
-				isKnownServer = true
-
-				policyRef := softwarecomposition.PolicyRef{
-					Name:       knownServer.Name,
-					OriginalIP: neighbor.IPAddress,
-					IPBlock:    knownServer.IPBlock,
+		for _, knownServer := range KnownServer {
+			for _, entry := range knownServer.Spec {
+				_, subNet, err := net.ParseCIDR(entry.IPBlock)
+				if err != nil {
+					logger.L().Error("error parsing cidr", helpers.Error(err))
+					continue
 				}
-
-				if knownServer.DNS != "" {
-					policyRef.DNS = knownServer.DNS
+				if subNet.Contains(net.ParseIP(neighbor.IPAddress)) {
+					egressRule.To = append(egressRule.To, softwarecomposition.NetworkPolicyPeer{
+						IPBlock: &softwarecomposition.IPBlock{
+							CIDR: entry.IPBlock,
+						},
+					})
+					isKnownServer = true
+
+					policyRef := softwarecomposition.PolicyRef{
+						Name:       entry.Name,
+						OriginalIP: neighbor.IPAddress,
+						IPBlock:    entry.IPBlock,
+						Server:     entry.Server,
+					}
+
+					if neighbor.DNS != "" {
+						policyRef.DNS = neighbor.DNS
+					}
+
+					policyRefs = append(policyRefs, policyRef)
+					break
 				}
-
-				policyRefs = append(policyRefs, policyRef)
-				break
 			}
 		}
 
@@ -148,7 +151,6 @@ func generateEgressRule(neighbor softwarecomposition.NetworkNeighbor, knownServe
 
 			if neighbor.DNS != "" {
 				policyRefs = append(policyRefs, softwarecomposition.PolicyRef{
-					Name:       neighbor.DNS,
 					DNS:        neighbor.DNS,
 					IPBlock:    ipBlock.CIDR,
 					OriginalIP: neighbor.IPAddress,
@@ -170,7 +172,7 @@ func generateEgressRule(neighbor softwarecomposition.NetworkNeighbor, knownServe
 	return egressRule, policyRefs
 }
 
-func generateIngressRule(neighbor softwarecomposition.NetworkNeighbor, knownServers []softwarecomposition.KnownServers) (softwarecomposition.NetworkPolicyIngressRule, []softwarecomposition.PolicyRef) {
+func generateIngressRule(neighbor softwarecomposition.NetworkNeighbor, KnownServer []softwarecomposition.KnownServer) (softwarecomposition.NetworkPolicyIngressRule, []softwarecomposition.PolicyRef) {
 	ingressRule := softwarecomposition.NetworkPolicyIngressRule{}
 	policyRefs := []softwarecomposition.PolicyRef{}
 
@@ -194,32 +196,35 @@ func generateIngressRule(neighbor softwarecomposition.NetworkNeighbor, knownServ
 	if neighbor.IPAddress != "" {
 		isKnownServer := false
 		// look if this IP is part of any known server
-		for _, knownServer := range knownServers {
-			_, subNet, err := net.ParseCIDR(knownServer.IPBlock)
-			if err != nil {
-				logger.L().Error("error parsing cidr", helpers.Error(err))
-				continue
-			}
-			if subNet.Contains(net.ParseIP(neighbor.IPAddress)) {
-				ingressRule.From = append(ingressRule.From, softwarecomposition.NetworkPolicyPeer{
-					IPBlock: &softwarecomposition.IPBlock{
-						CIDR: knownServer.IPBlock,
-					},
-				})
-				isKnownServer = true
-
-				policyRef := softwarecomposition.PolicyRef{
-					Name:       knownServer.Name,
-					OriginalIP: neighbor.IPAddress,
-					IPBlock:    knownServer.IPBlock,
+		for _, knownServer := range KnownServer {
+			for _, entry := range knownServer.Spec {
+				_, subNet, err := net.ParseCIDR(entry.IPBlock)
+				if err != nil {
+					logger.L().Error("error parsing cidr", helpers.Error(err))
+					continue
 				}
-
-				if knownServer.DNS != "" {
-					policyRef.DNS = knownServer.DNS
+				if subNet.Contains(net.ParseIP(neighbor.IPAddress)) {
+					ingressRule.From = append(ingressRule.From, softwarecomposition.NetworkPolicyPeer{
+						IPBlock: &softwarecomposition.IPBlock{
+							CIDR: entry.IPBlock,
+						},
+					})
+					isKnownServer = true
+
+					policyRef := softwarecomposition.PolicyRef{
+						Name:       entry.Name,
+						OriginalIP: neighbor.IPAddress,
+						IPBlock:    entry.IPBlock,
+						Server:     entry.Server,
+					}
+
+					if neighbor.DNS != "" {
+						policyRef.DNS = neighbor.DNS
+					}
+
+					policyRefs = append(policyRefs, policyRef)
+					break
 				}
-
-				policyRefs = append(policyRefs, policyRef)
-				break
 			}
 		}
 
@@ -231,7 +236,6 @@ func generateIngressRule(neighbor softwarecomposition.NetworkNeighbor, knownServ
 
 			if neighbor.DNS != "" {
 				policyRefs = append(policyRefs, softwarecomposition.PolicyRef{
-					Name:       neighbor.DNS,
 					DNS:        neighbor.DNS,
 					IPBlock:    ipBlock.CIDR,
 					OriginalIP: neighbor.IPAddress,