|
5 | 5 | "flag" |
6 | 6 | "fmt" |
7 | 7 | "log" |
8 | | - "net" |
9 | 8 | "os" |
10 | 9 | "strings" |
11 | 10 |
|
@@ -232,20 +231,13 @@ func checkNoServiceRisk(service *corev1.Service, policiesListAtNamespace []*netw |
232 | 231 | if len(ingress.From) == 0 && len(ingress.Ports) == 0 { |
233 | 232 | return true |
234 | 233 | } |
235 | | - // If the policy targets all pods (allow all) or only pods that are in the service selector, check if traffic is allowed to all the service's target ports |
236 | | - // Note: ingress.Ports.protocol will never be nil if len(ingress.Ports) is greater than 0. It defaults to "TCP" if not set |
237 | | - if len(ingress.Ports) > 0 && checkServiceTargetPortMatchPolicyPorts(service.Spec.Ports, ingress.Ports) { |
238 | | - switch service.Spec.Type { |
239 | | - // If service the service is a node port check the policy does not have from rules that could disrupt traffic |
240 | | - case corev1.ServiceTypeNodePort: |
241 | | - if len(ingress.From) == 0 { |
242 | | - return true |
243 | | - } |
244 | | - // If the service is a load balancer check if there exists a policy in the namespace that allows 168.63.129.16 (health probe IP) |
245 | | - case corev1.ServiceTypeLoadBalancer: |
246 | | - if checkAPolicyAllowsHealthProbeIP(service, policiesListAtNamespace) { |
247 | | - return true |
248 | | - } |
| 234 | + // If there are no ingress from but there are ports in the policy; check if the service is safe |
| 235 | + if len(ingress.From) == 0 { |
| 236 | + // If the policy targets all pods (allow all) or only pods that are in the service selector, check if traffic is allowed to all the service's target ports |
| 237 | + // Note: ingress.Ports.protocol will never be nil if len(ingress.Ports) is greater than 0. It defaults to "TCP" if not set |
| 238 | + // Note: for loadbalancer services the health probe always hits the service target ports |
| 239 | + if checkServiceTargetPortMatchPolicyPorts(service.Spec.Ports, ingress.Ports) { |
| 240 | + return true |
249 | 241 | } |
250 | 242 | } |
251 | 243 | } |
@@ -341,42 +333,6 @@ func checkServiceTargetPortMatchPolicyPorts(servicePorts []corev1.ServicePort, p |
341 | 333 | return true |
342 | 334 | } |
343 | 335 |
|
344 | | -func checkAPolicyAllowsHealthProbeIP(service *corev1.Service, policiesListAtNamespace []*networkingv1.NetworkPolicy) bool { |
345 | | - healthProbeIP := net.ParseIP("168.63.129.16") |
346 | | - for _, policy := range policiesListAtNamespace { |
347 | | - if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector) { |
348 | | - for _, ingress := range policy.Spec.Ingress { |
349 | | - for _, from := range ingress.From { |
350 | | - // Check if the policy allows traffic from the health probe IP and there is no except |
351 | | - // Note: ipBlock is additive cannot be AND'd with namespaceSelector or podSelector |
352 | | - if from.IPBlock != nil && from.IPBlock.CIDR != "" { |
353 | | - // Check if the health probe IP is blocked in the CIDR except |
354 | | - if from.IPBlock.Except != nil { |
355 | | - for _, except := range from.IPBlock.Except { |
356 | | - _, excecptCidr, err := net.ParseCIDR(except) |
357 | | - if err != nil { |
358 | | - continue |
359 | | - } |
360 | | - if excecptCidr.Contains(healthProbeIP) { |
361 | | - return false |
362 | | - } |
363 | | - } |
364 | | - } |
365 | | - _, cidr, err := net.ParseCIDR(from.IPBlock.CIDR) |
366 | | - if err != nil { |
367 | | - continue |
368 | | - } |
369 | | - if cidr.Contains(healthProbeIP) { |
370 | | - return true |
371 | | - } |
372 | | - } |
373 | | - } |
374 | | - } |
375 | | - } |
376 | | - } |
377 | | - return false |
378 | | -} |
379 | | - |
380 | 336 | func difference(slice1, slice2 []string) []string { |
381 | 337 | m := make(map[string]struct{}) |
382 | 338 | for _, s := range slice2 { |
|
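Review bot: With the LoadBalancer branch that called checkAPolicyAllowsHealthProbeIP removed, the new lines 234-240 of checkNoServiceRisk only let a rule with an empty `From` mark a service safe, so a policy that admits the health-probe address solely through an `ipBlock` entry in `From` (the case the deleted helper matched) would now, as far as this hunk shows, be reported as a risk. If that narrowing is intended, the comment on new line 234 should say so, e.g. `// Note: rules that allow the probe source only via an explicit ipBlock in From are not treated as safe here`; if it is not, the ipBlock containment check needs to be carried over. The same comment also reads better as `// If there are no ingress from rules but the policy lists ports, check whether the service is safe`. checkNoServiceRisk starts before the hunk and its body continues past new line 243, so the path taken when neither check returns is not visible here.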