@@ -52,8 +52,6 @@ func main() {
5252
5353 // Iterate over namespaces and store policies/services
5454 for _ , ns := range namespacePointers {
55- fmt .Printf ("Writing policies and services for namespace %s...\n " , ns .Name )
56-
5755 // Get network policies
5856 networkPolicies , err := clientset .NetworkingV1 ().NetworkPolicies (ns .Name ).List (context .TODO (), metav1.ListOptions {})
5957 if err != nil {
@@ -106,125 +104,117 @@ func main() {
106104}
107105
108106func checkEndportNetworkPolicies (policiesByNamespace map [string ][]networkingv1.NetworkPolicy ) bool {
109- networkPolicyWithEndport := false
107+ foundNetworkPolicyWithEndport := false
110108 for namespace , policies := range policiesByNamespace {
111109 for _ , policy := range policies {
112- foundEndPort := false
113- for _ , egress := range policy .Spec .Egress {
114- for _ , port := range egress .Ports {
115- if port .EndPort != nil {
116- foundEndPort = true
117- if ! networkPolicyWithEndport {
118- fmt .Printf ("%-30s | %-30s \n " , "NetworkPolicy with endPort" , "❌" )
119- fmt .Println ("Policies affected:" )
120- networkPolicyWithEndport = true
121- }
122- fmt .Printf ("❌ Found NetworkPolicy: \033 [31m%s\033 [0m with endPort field in namespace: \033 [31m%s\033 [0m\n " , policy .Name , namespace )
123- // Exit egress.port loop
124- break
125- }
110+ // Check the ingress field for endport
111+ for _ , ingress := range policy .Spec .Ingress {
112+ foundEndPort := checkEndportInPolicyRules (ingress .Ports , policy .Name , namespace , "ingress" , foundNetworkPolicyWithEndport )
113+ if foundEndPort {
114+ foundNetworkPolicyWithEndport = true
115+ break
126116 }
117+ }
118+ for _ , egress := range policy .Spec .Egress {
119+ foundEndPort := checkEndportInPolicyRules (egress .Ports , policy .Name , namespace , "egress" , foundNetworkPolicyWithEndport )
127120 if foundEndPort {
128- // Exit egress loop
121+ foundNetworkPolicyWithEndport = true
129122 break
130123 }
131124 }
132125 }
133126 }
134127 // Print no impact if no network policy has endport
135- if ! networkPolicyWithEndport {
128+ if ! foundNetworkPolicyWithEndport {
136129 fmt .Printf ("%-30s | %-30s \n " , "NetworkPolicy with endPort" , "✅" )
137130 return false
138131 }
139132 return true
140133}
141134
135+ func checkEndportInPolicyRules (ports []networkingv1.NetworkPolicyPort , policyName , namespace string , direction string , foundNetworkPolicyWithEndport bool ) bool {
136+ foundEndPort := false
137+ for _ , port := range ports {
138+ if port .EndPort != nil {
139+ foundEndPort = true
140+ if ! foundNetworkPolicyWithEndport {
141+ fmt .Printf ("%-30s | %-30s \n " , "NetworkPolicy with endPort" , "❌" )
142+ fmt .Println ("Policies affected:" )
143+ }
144+ fmt .Printf ("❌ Found NetworkPolicy: \033 [31m%s\033 [0m with %s endPort field in namespace: \033 [31m%s\033 [0m\n " , policyName , direction , namespace )
145+ break
146+ }
147+ }
148+ return foundEndPort
149+ }
150+
142151func checkCIDRNetworkPolicies (policiesByNamespace map [string ][]networkingv1.NetworkPolicy ) bool {
143- networkPolicyWithCIDR := false
152+ foundNetworkPolicyWithCIDR := false
144153 for namespace , policies := range policiesByNamespace {
145154 for _ , policy := range policies {
146- foundCIDRIngress := false
147- foundCIDREgress := false
148155 // Check the ingress field for cidr
149156 for _ , ingress := range policy .Spec .Ingress {
150- for _ , from := range ingress .From {
151- if from .IPBlock != nil {
152- if from .IPBlock .CIDR != "" {
153- foundCIDRIngress = true
154- // Print the network policy if it has an ingress cidr
155- if ! networkPolicyWithCIDR {
156- fmt .Printf ("%-30s | %-30s \n " , "NetworkPolicy with cidr" , "❌" )
157- fmt .Println ("Policies affected:" )
158- networkPolicyWithCIDR = true
159- }
160- fmt .Printf ("❌ Found NetworkPolicy: \033 [31m%s\033 [0m with ingress cidr field in namespace: \033 [31m%s\033 [0m\n " , policy .Name , namespace )
161-
162- // Exit ingress.from.ipBlock loop
163- break
164- }
165- }
166- }
157+ foundCIDRIngress := checkCIDRInPolicyRules (ingress .From , policy .Name , namespace , "ingress" , foundNetworkPolicyWithCIDR )
167158 if foundCIDRIngress {
168- // Exit ingress loop
159+ foundNetworkPolicyWithCIDR = true
169160 break
170161 }
171162 }
172163 // Check the egress field for cidr
173164 for _ , egress := range policy .Spec .Egress {
174- for _ , to := range egress .To {
175- if to .IPBlock != nil {
176- if to .IPBlock .CIDR != "" {
177- foundCIDREgress = true
178- // Print the network policy if it has an egress cidr
179- if ! networkPolicyWithCIDR {
180- fmt .Printf ("%-30s | %-30s \n " , "NetworkPolicy with cidr" , "❌" )
181- fmt .Println ("Policies affected:" )
182- networkPolicyWithCIDR = true
183- }
184- fmt .Printf ("❌ Found NetworkPolicy: \033 [31m%s\033 [0m with egress cidr field in namespace: \033 [31m%s\033 [0m\n " , policy .Name , namespace )
185-
186- // Exit egress.to.ipBlock loop
187- break
188- }
189- }
190- }
165+ foundCIDREgress := checkCIDRInPolicyRules (egress .To , policy .Name , namespace , "egress" , foundNetworkPolicyWithCIDR )
191166 if foundCIDREgress {
192- // Exit egress loop
167+ foundNetworkPolicyWithCIDR = true
193168 break
194169 }
195170 }
196171 }
197172 }
198173 // Print no impact if no network policy has cidr
199- if ! networkPolicyWithCIDR {
174+ if ! foundNetworkPolicyWithCIDR {
200175 fmt .Printf ("%-30s | %-30s \n " , "NetworkPolicy with cidr" , "✅" )
201176 return false
202177 }
203178 return true
204179}
205180
181+ // Check for CIDR in ingress or egress rules
182+ func checkCIDRInPolicyRules (rules []networkingv1.NetworkPolicyPeer , policyName , namespace string , direction string , foundNetworkPolicyWithCIDR bool ) bool {
183+ foundCIDR := false
184+ for _ , rule := range rules {
185+ if rule .IPBlock != nil && rule .IPBlock .CIDR != "" {
186+ foundCIDR = true
187+ if ! foundNetworkPolicyWithCIDR {
188+ fmt .Printf ("%-30s | %-30s \n " , "NetworkPolicy with cidr" , "❌" )
189+ fmt .Println ("Policies affected:" )
190+ }
191+ fmt .Printf ("❌ Found NetworkPolicy: \033 [31m%s\033 [0m with %s cidr field in namespace: \033 [31m%s\033 [0m\n " , policyName , direction , namespace )
192+ break
193+ }
194+ }
195+ return foundCIDR
196+ }
197+
206198func checkForEgressPolicies (policiesByNamespace map [string ][]networkingv1.NetworkPolicy ) bool {
207- networkPolicyWithEgress := false
199+ foundNetworkPolicyWithEgress := false
208200 for namespace , policies := range policiesByNamespace {
209201 for _ , policy := range policies {
210202 for _ , egress := range policy .Spec .Egress {
211203 // If the policy has a egress field thats not an egress allow all flag it
212204 if len (egress .To ) > 0 || len (egress .Ports ) > 0 {
213- if ! networkPolicyWithEgress {
205+ if ! foundNetworkPolicyWithEgress {
214206 fmt .Printf ("%-30s | %-30s \n " , "NetworkPolicy with egress" , "❌" )
215207 fmt .Printf ("%-30s | %-30s \n " , "(Not allow all egress)" , "" )
216208 fmt .Println ("Policies affected:" )
217- networkPolicyWithEgress = true
209+ foundNetworkPolicyWithEgress = true
218210 }
219211 fmt .Printf ("❌ Found NetworkPolicy: \033 [31m%s\033 [0m with egress field (non-allow all) in namespace: \033 [31m%s\033 [0m\n " , policy .Name , namespace )
220-
221- // Exit egress loop
222212 break
223213 }
224214 }
225215 }
226216 }
227- if ! networkPolicyWithEgress {
217+ if ! foundNetworkPolicyWithEgress {
228218 fmt .Printf ("%-30s | %-30s \n " , "NetworkPolicy with egress" , "✅" )
229219 return false
230220 }
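Review bot: checkEndportInPolicyRules (new lines 135–149) has no doc comment while its sibling checkCIDRInPolicyRules gets one, and the header-print side effect keyed on the foundNetworkPolicyWithEndport argument is the non-obvious part of both helpers; a Go-style comment such as `// checkEndportInPolicyRules reports whether any entry in ports sets EndPort. It prints the "❌" header only when foundNetworkPolicyWithEndport is false, so the caller must set that flag as soon as this returns true.` would make the caller contract explicit. The comment on checkCIDRInPolicyRules (new line 181) should likewise start with the function name per Go convention, e.g. `// checkCIDRInPolicyRules reports whether any peer in rules carries an IPBlock CIDR, printing the "❌" header on the first match.`. As a style point, both signatures write `policyName, namespace string, direction string`, which collapses to `policyName, namespace, direction string`. The two helpers are otherwise identical apart from the matched field, so the header/print bookkeeping could later be folded into one reporting function, but that is not required for this change.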