
Commit 4bba37f

npm lite default deny
1 parent bf080b9 commit 4bba37f


6 files changed

+37
-0
lines changed


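--- a/cni/network/network_windows.go
+++ b/cni/network/network_windows.go
@@ -59,6 +59,7 @@ func setEndpointOptions(cnsNwConfig *cns.GetNetworkContainerResponse, epInfo *ne
 epInfo.AllowInboundFromHostToNC = cnsNwConfig.AllowHostToNCCommunication
 epInfo.AllowInboundFromNCToHost = cnsNwConfig.AllowNCToHostCommunication
 epInfo.NetworkContainerID = cnsNwConfig.NetworkContainerID
+epInfo.DefaultDenyACL = cnsNwConfig.DefaultDenyACL
 }
 }
 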
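Review bot: epInfo.DefaultDenyACL is populated from the CNS response here, but none of the six files in this commit reads EndpointInfo.DefaultDenyACL afterwards, so on this path the flag is carried but does not yet change how the endpoint is programmed; the deny ACLs added in cns/networkcontainers/networkcontainers.go are emitted independently of it. If the consumer is planned as follow-up work, saying so at the assignment keeps the gap visible, e.g. `epInfo.DefaultDenyACL = cnsNwConfig.DefaultDenyACL // TODO: no reader yet; wire into endpoint policy creation`. setEndpointOptions begins before this hunk, so a reader elsewhere in the function cannot be ruled out from here.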
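--- a/cns/NetworkContainerContract.go
+++ b/cns/NetworkContainerContract.go
@@ -127,6 +127,7 @@ type CreateNetworkContainerRequest struct {
 EndpointPolicies []NetworkContainerRequestPolicies
 NCStatus v1alpha.NCStatus
 NetworkInterfaceInfo NetworkInterfaceInfo //nolint // introducing new field for backendnic, to be used later by cni code
+DefaultDenyACL bool // specifies whether a "deny all" policy is applied to l1vh multi-tenant pods
 }
 
 func (req *CreateNetworkContainerRequest) Validate() error {
@@ -487,6 +488,7 @@ type GetNetworkContainerResponse struct {
 AllowHostToNCCommunication bool
 AllowNCToHostCommunication bool
 NetworkInterfaceInfo NetworkInterfaceInfo
+DefaultDenyACL bool // specifies whether a "deny all" policy is applied to l1vh multi-tenant pods
 }
 
 type PodIpInfo struct {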

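--- a/cns/networkcontainers/networkcontainers.go
+++ b/cns/networkcontainers/networkcontainers.go
@@ -134,6 +134,35 @@ func getNetworkConfig(configFilePath string) ([]byte, error) {
 flatNetConfigMap[versionStr] = configMap[versionStr].(string)
 flatNetConfigMap[nameStr] = configMap[nameStr].(string)
 
+// TODO Check if default deny bool is enabled to true
+// insert default dent policy here
+defaultDenyOutACL := map[string]interface{}{
+"Name": "EndpointPolicy",
+"Value": map[string]interface{}{
+"Type": "ACL",
+"Action": "Block",
+"Direction": "Out",
+"Priority": 300,
+},
+}
+
+defaultDenyInACL := map[string]interface{}{
+"Name": "EndpointPolicy",
+"Value": map[string]interface{}{
+"Type": "ACL",
+"Action": "Block",
+"Direction": "In",
+"Priority": 300,
+},
+}
+additionalArgsKey := "AdditionalArgs"
+if _, exists := flatNetConfigMap[additionalArgsKey]; !exists {
+flatNetConfigMap[additionalArgsKey] = []interface{}{}
+}
+
+flatNetConfigMap[additionalArgsKey] = append(flatNetConfigMap[additionalArgsKey].([]interface{}), defaultDenyOutACL)
+flatNetConfigMap[additionalArgsKey] = append(flatNetConfigMap[additionalArgsKey].([]interface{}), defaultDenyInACL)
+
 // convert into bytes format
 netConfig, err := json.Marshal(flatNetConfigMap)
 if err != nil {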
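Review bot: The two Block ACLs are appended to AdditionalArgs unconditionally, so every network config produced by getNetworkConfig now carries deny-all In and Out policies regardless of the DefaultDenyACL flag this commit introduces; the TODO on the first added line acknowledges this, and the flag is not reachable from the function's current signature (configFilePath only), so the gating has to be plumbed in before this can ship. The two unchecked `.([]interface{})` assertions on the last added lines panic if the config file already has an AdditionalArgs value of another type, which is avoidable since the function already returns an error; the same-shaped policy maps also duplicate each other except for "Direction". The rewrite below builds the policy from one helper and turns the assertion into an error return (fmt must be in scope, or use errors.New); the TODO's "dent" should read "deny". getNetworkConfig starts and ends outside the hunk.
```go
// … unchanged: flatNetConfigMap population …

// TODO(review): only append these when the NC's DefaultDenyACL flag is set;
// the flag is not reachable from getNetworkConfig's current signature.
denyACL := func(direction string) map[string]interface{} {
	return map[string]interface{}{
		"Name": "EndpointPolicy",
		"Value": map[string]interface{}{
			"Type":      "ACL",
			"Action":    "Block",
			"Direction": direction,
			"Priority":  300,
		},
	}
}

additionalArgsKey := "AdditionalArgs"
existing, ok := flatNetConfigMap[additionalArgsKey].([]interface{})
if flatNetConfigMap[additionalArgsKey] != nil && !ok {
	return nil, fmt.Errorf("%s in %s is not a list", additionalArgsKey, configFilePath)
}
flatNetConfigMap[additionalArgsKey] = append(existing, denyACL("Out"), denyACL("In"))

// … unchanged: json.Marshal and return …
```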

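--- a/cns/restserver/util.go
+++ b/cns/restserver/util.go
@@ -531,6 +531,7 @@ func (service *HTTPRestService) getAllNetworkContainerResponses(
 AllowHostToNCCommunication: savedReq.AllowHostToNCCommunication,
 AllowNCToHostCommunication: savedReq.AllowNCToHostCommunication,
 NetworkInterfaceInfo: savedReq.NetworkInterfaceInfo,
+DefaultDenyACL: savedReq.DefaultDenyACL,
 }
 
 // If the NC version check wasn't skipped, take into account the VFP programming status when returning the response
@@ -933,6 +934,7 @@ func (service *HTTPRestService) handleGetNetworkContainers(w http.ResponseWriter
 LocalIPConfiguration: ncDetails.CreateNetworkContainerRequest.LocalIPConfiguration,
 AllowHostToNCCommunication: ncDetails.CreateNetworkContainerRequest.AllowHostToNCCommunication,
 AllowNCToHostCommunication: ncDetails.CreateNetworkContainerRequest.AllowNCToHostCommunication,
+DefaultDenyACL: ncDetails.CreateNetworkContainerRequest.DefaultDenyACL,
 }
 networkContainers[i] = getNcResp
 i++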

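--- a/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
+++ b/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
@@ -56,6 +56,8 @@ type PodNetworkInstanceSpec struct {
 // optional for now in case orchestrator uses the deprecated fields
 // +kubebuilder:validation:Optional
 PodNetworkConfigs []PodNetworkConfig `json:"podNetworkConfigs"`
+// DefaultDenyACL is a bool that specifies whether a "deny all" policy is applied to l1vh multi-tenant pods
+DefaultDenyACL bool
 }
 
 // PodNetworkInstanceStatus defines the observed state of PodNetworkInstance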
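Review bot: The new DefaultDenyACL field in PodNetworkInstanceSpec has no json tag, while the sibling PodNetworkConfigs is tagged `json:"podNetworkConfigs"`; encoding/json will serialise it under the Go field name "DefaultDenyACL", so the CRD key will not follow the camelCase convention of the rest of the spec and controllers or manifests written against it would have to use that spelling. It also carries no kubebuilder marker, whereas the sibling is explicitly `+kubebuilder:validation:Optional`; for a bool that presumably defaults to false, marking it optional and omitting it when empty seems intended. Suggested change: `// +kubebuilder:validation:Optional` followed by `DefaultDenyACL bool `json:"defaultDenyACL,omitempty"``. None of the six files in this commit is a generated CRD manifest or deepcopy file, so if those are generated from this type they still need regenerating.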

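--- a/network/endpoint.go
+++ b/network/endpoint.go
@@ -112,6 +112,7 @@ type EndpointInfo struct {
 IsIPv6Enabled bool
 HostSubnetPrefix string // can be used later to add an external interface
 PnPID string
+DefaultDenyACL bool
 }
 
 // RouteInfo contains information about an IP route.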
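Review bot: The new EndpointInfo.DefaultDenyACL field is undocumented, unlike the same field added to CreateNetworkContainerRequest and GetNetworkContainerResponse in this commit and unlike the neighbouring HostSubnetPrefix, which explains its purpose inline. Reusing the contract wording keeps the three declarations in step: `DefaultDenyACL bool // specifies whether a "deny all" policy is applied to l1vh multi-tenant pods`. Within this commit the field is only written (in setEndpointOptions in cni/network/network_windows.go); noting in the comment where it is expected to be consumed would help the next reader, if that is known.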
