npm lite default deny

rejain789 · rejain789 · commit 4bba37fd26ee · 2024-11-23T17:07:07.000-08:00
diff --git a/cni/network/network_windows.go b/cni/network/network_windows.go
@@ -59,6 +59,7 @@ func setEndpointOptions(cnsNwConfig *cns.GetNetworkContainerResponse, epInfo *ne
 		epInfo.AllowInboundFromHostToNC = cnsNwConfig.AllowHostToNCCommunication
 		epInfo.AllowInboundFromNCToHost = cnsNwConfig.AllowNCToHostCommunication
 		epInfo.NetworkContainerID = cnsNwConfig.NetworkContainerID
+		epInfo.DefaultDenyACL = cnsNwConfig.DefaultDenyACL
 	}
 }
 
diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go
@@ -127,6 +127,7 @@ type CreateNetworkContainerRequest struct {
 	EndpointPolicies           []NetworkContainerRequestPolicies
 	NCStatus                   v1alpha.NCStatus
 	NetworkInterfaceInfo       NetworkInterfaceInfo //nolint // introducing new field for backendnic, to be used later by cni code
+	DefaultDenyACL             bool                 // specifies whether a "deny all" policy is applied to l1vh multi-tenant pods
 }
 
 func (req *CreateNetworkContainerRequest) Validate() error {
@@ -487,6 +488,7 @@ type GetNetworkContainerResponse struct {
 	AllowHostToNCCommunication bool
 	AllowNCToHostCommunication bool
 	NetworkInterfaceInfo       NetworkInterfaceInfo
+	DefaultDenyACL             bool // specifies whether a "deny all" policy is applied to l1vh multi-tenant pods
 }
 
 type PodIpInfo struct {
diff --git a/cns/networkcontainers/networkcontainers.go b/cns/networkcontainers/networkcontainers.go
@@ -134,6 +134,35 @@ func getNetworkConfig(configFilePath string) ([]byte, error) {
 	flatNetConfigMap[versionStr] = configMap[versionStr].(string)
 	flatNetConfigMap[nameStr] = configMap[nameStr].(string)
 
+	// TODO Check if default deny bool is enabled to true
+	// insert default dent policy here
+	defaultDenyOutACL := map[string]interface{}{
+		"Name": "EndpointPolicy",
+		"Value": map[string]interface{}{
+			"Type":      "ACL",
+			"Action":    "Block",
+			"Direction": "Out",
+			"Priority":  300,
+		},
+	}
+
+	defaultDenyInACL := map[string]interface{}{
+		"Name": "EndpointPolicy",
+		"Value": map[string]interface{}{
+			"Type":      "ACL",
+			"Action":    "Block",
+			"Direction": "In",
+			"Priority":  300,
+		},
+	}
+	additionalArgsKey := "AdditionalArgs"
+	if _, exists := flatNetConfigMap[additionalArgsKey]; !exists {
+		flatNetConfigMap[additionalArgsKey] = []interface{}{}
+	}
+
+	flatNetConfigMap[additionalArgsKey] = append(flatNetConfigMap[additionalArgsKey].([]interface{}), defaultDenyOutACL)
+	flatNetConfigMap[additionalArgsKey] = append(flatNetConfigMap[additionalArgsKey].([]interface{}), defaultDenyInACL)
+
 	// convert into bytes format
 	netConfig, err := json.Marshal(flatNetConfigMap)
 	if err != nil {
diff --git a/cns/restserver/util.go b/cns/restserver/util.go
@@ -531,6 +531,7 @@ func (service *HTTPRestService) getAllNetworkContainerResponses(
 			AllowHostToNCCommunication: savedReq.AllowHostToNCCommunication,
 			AllowNCToHostCommunication: savedReq.AllowNCToHostCommunication,
 			NetworkInterfaceInfo:       savedReq.NetworkInterfaceInfo,
+			DefaultDenyACL:             savedReq.DefaultDenyACL,
 		}
 
 		// If the NC version check wasn't skipped, take into account the VFP programming status when returning the response
@@ -933,6 +934,7 @@ func (service *HTTPRestService) handleGetNetworkContainers(w http.ResponseWriter
 			LocalIPConfiguration:       ncDetails.CreateNetworkContainerRequest.LocalIPConfiguration,
 			AllowHostToNCCommunication: ncDetails.CreateNetworkContainerRequest.AllowHostToNCCommunication,
 			AllowNCToHostCommunication: ncDetails.CreateNetworkContainerRequest.AllowNCToHostCommunication,
+			DefaultDenyACL:             ncDetails.CreateNetworkContainerRequest.DefaultDenyACL,
 		}
 		networkContainers[i] = getNcResp
 		i++
diff --git a/crd/multitenancy/api/v1alpha1/podnetworkinstance.go b/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
@@ -56,6 +56,8 @@ type PodNetworkInstanceSpec struct {
 	// optional for now in case orchestrator uses the deprecated fields
 	// +kubebuilder:validation:Optional
 	PodNetworkConfigs []PodNetworkConfig `json:"podNetworkConfigs"`
+	// DefaultDenyACL is a bool that specifies whether a "deny all" policy is applied to l1vh multi-tenant pods
+	DefaultDenyACL bool
 }
 
 // PodNetworkInstanceStatus defines the observed state of PodNetworkInstance
diff --git a/network/endpoint.go b/network/endpoint.go
@@ -112,6 +112,7 @@ type EndpointInfo struct {
 	IsIPv6Enabled                 bool
 	HostSubnetPrefix              string // can be used later to add an external interface
 	PnPID                         string
+	DefaultDenyACL                bool
 }
 
 // RouteInfo contains information about an IP route.

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,7 @@ func setEndpointOptions(cnsNwConfig cns.GetNetworkContainerResponse, epInfo ne`
`59`	`59`	`epInfo.AllowInboundFromHostToNC = cnsNwConfig.AllowHostToNCCommunication`
`60`	`60`	`epInfo.AllowInboundFromNCToHost = cnsNwConfig.AllowNCToHostCommunication`
`61`	`61`	`epInfo.NetworkContainerID = cnsNwConfig.NetworkContainerID`
	`62`	`+ epInfo.DefaultDenyACL = cnsNwConfig.DefaultDenyACL`
`62`	`63`	`}`
`63`	`64`	`}`
`64`	`65`
Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,7 @@ type CreateNetworkContainerRequest struct {`
`127`	`127`	`EndpointPolicies []NetworkContainerRequestPolicies`
`128`	`128`	`NCStatus v1alpha.NCStatus`
`129`	`129`	`NetworkInterfaceInfo NetworkInterfaceInfo //nolint // introducing new field for backendnic, to be used later by cni code`
	`130`	`+ DefaultDenyACL bool // specifies whether a "deny all" policy is applied to l1vh multi-tenant pods`
`130`	`131`	`}`
`131`	`132`
`132`	`133`	`func (req *CreateNetworkContainerRequest) Validate() error {`
`@@ -487,6 +488,7 @@ type GetNetworkContainerResponse struct {`
`487`	`488`	`AllowHostToNCCommunication bool`
`488`	`489`	`AllowNCToHostCommunication bool`
`489`	`490`	`NetworkInterfaceInfo NetworkInterfaceInfo`
	`491`	`+ DefaultDenyACL bool // specifies whether a "deny all" policy is applied to l1vh multi-tenant pods`
`490`	`492`	`}`
`491`	`493`
`492`	`494`	`type PodIpInfo struct {`
Original file line number	Diff line number	Diff line change
`@@ -531,6 +531,7 @@ func (service *HTTPRestService) getAllNetworkContainerResponses(`
`531`	`531`	`AllowHostToNCCommunication: savedReq.AllowHostToNCCommunication,`
`532`	`532`	`AllowNCToHostCommunication: savedReq.AllowNCToHostCommunication,`
`533`	`533`	`NetworkInterfaceInfo: savedReq.NetworkInterfaceInfo,`
	`534`	`+ DefaultDenyACL: savedReq.DefaultDenyACL,`
`534`	`535`	`}`
`535`	`536`
`536`	`537`	`// If the NC version check wasn't skipped, take into account the VFP programming status when returning the response`
`@@ -933,6 +934,7 @@ func (service *HTTPRestService) handleGetNetworkContainers(w http.ResponseWriter`
`933`	`934`	`LocalIPConfiguration: ncDetails.CreateNetworkContainerRequest.LocalIPConfiguration,`
`934`	`935`	`AllowHostToNCCommunication: ncDetails.CreateNetworkContainerRequest.AllowHostToNCCommunication,`
`935`	`936`	`AllowNCToHostCommunication: ncDetails.CreateNetworkContainerRequest.AllowNCToHostCommunication,`
	`937`	`+ DefaultDenyACL: ncDetails.CreateNetworkContainerRequest.DefaultDenyACL,`
`936`	`938`	`}`
`937`	`939`	`networkContainers[i] = getNcResp`
`938`	`940`	`i++`
Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,8 @@ type PodNetworkInstanceSpec struct {`
`56`	`56`	`// optional for now in case orchestrator uses the deprecated fields`
`57`	`57`	`// +kubebuilder:validation:Optional`
`58`	`58`	PodNetworkConfigs []PodNetworkConfig `json:"podNetworkConfigs"`
	`59`	`+ // DefaultDenyACL is a bool that specifies whether a "deny all" policy is applied to l1vh multi-tenant pods`
	`60`	`+ DefaultDenyACL bool`
`59`	`61`	`}`
`60`	`62`
`61`	`63`	`// PodNetworkInstanceStatus defines the observed state of PodNetworkInstance`
Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,7 @@ type EndpointInfo struct {`
`112`	`112`	`IsIPv6Enabled bool`
`113`	`113`	`HostSubnetPrefix string // can be used later to add an external interface`
`114`	`114`	`PnPID string`
	`115`	`+ DefaultDenyACL bool`
`115`	`116`	`}`
`116`	`117`
`117`	`118`	`// RouteInfo contains information about an IP route.`