
Commit 4fe7634

committed
Added unit tests and logic: if the service is a NodePort, ensure the matching policy rule has no `from` rules
1 parent ee59a88 commit 4fe7634

2 files changed

+763
-171
lines changed


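--- a/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator.go
+++ b/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator.go
@@ -232,19 +232,20 @@ func checkNoServiceRisk(service *corev1.Service, policiesListAtNamespace []*netw
 if len(ingress.From) == 0 && len(ingress.Ports) == 0 {
 return true
 }
-// If there are ports in the policy; check if the service is safe
-if len(ingress.Ports) > 0 {
-// If the policy targets all pods (allow all) or only pods that are in the service selector, check if traffic is allowed to all the service's target ports
-// Note: ingress.Ports.protocol will never be nil if len(ingress.Ports) is greater than 0. It defaults to "TCP" if not set
-if checkServiceTargetPortMatchPolicyPorts(service.Spec.Ports, ingress.Ports) {
-// Check if service is not a load balancer (node port)
-if service.Spec.Type == corev1.ServiceTypeNodePort {
-return true
-}
-// If the service is a load balancer check if there exists a policy in the namespace that allows 168.63.129.16 (health probe IP)
-if checkAPolicyAllowsHealthProbeIP(policiesListAtNamespace) {
-return true
-}
+// If the policy targets all pods (allow all) or only pods that are in the service selector, check if traffic is allowed to all the service's target ports
+// Note: ingress.Ports.protocol will never be nil if len(ingress.Ports) is greater than 0. It defaults to "TCP" if not set
+if len(ingress.Ports) > 0 && checkServiceTargetPortMatchPolicyPorts(service.Spec.Ports, ingress.Ports) {
+switch service.Spec.Type {
+// If service the service is a node port check the policy does not have from rules that could disrupt traffic
+case corev1.ServiceTypeNodePort:
+if len(ingress.From) == 0 {
+return true
+}
+// If the service is a load balancer check if there exists a policy in the namespace that allows 168.63.129.16 (health probe IP)
+case corev1.ServiceTypeLoadBalancer:
+if checkAPolicyAllowsHealthProbeIP(service, policiesListAtNamespace) {
+return true
+}
 }
 }
 }
@@ -340,32 +341,34 @@ func checkServiceTargetPortMatchPolicyPorts(servicePorts []corev1.ServicePort, p
 return true
 }
 
-func checkAPolicyAllowsHealthProbeIP(policiesListAtNamespace []*networkingv1.NetworkPolicy) bool {
+func checkAPolicyAllowsHealthProbeIP(service *corev1.Service, policiesListAtNamespace []*networkingv1.NetworkPolicy) bool {
 healthProbeIP := net.ParseIP("168.63.129.16")
 for _, policy := range policiesListAtNamespace {
-for _, ingress := range policy.Spec.Ingress {
-for _, from := range ingress.From {
-// Check if the policy allows traffic from the health probe IP and there is no except
-// Note: ipBlock cannot be AND'd with namespaceSelector or podSelector
-if from.IPBlock != nil && from.IPBlock.CIDR != "" {
-// Check if the health probe IP is blocked in the CIDR except
-if from.IPBlock.Except != nil {
-for _, except := range from.IPBlock.Except {
-_, excecptCidr, err := net.ParseCIDR(except)
-if err != nil {
-continue
-}
-if excecptCidr.Contains(healthProbeIP) {
-return false
+if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector) {
+for _, ingress := range policy.Spec.Ingress {
+for _, from := range ingress.From {
+// Check if the policy allows traffic from the health probe IP and there is no except
+// Note: ipBlock is additive cannot be AND'd with namespaceSelector or podSelector
+if from.IPBlock != nil && from.IPBlock.CIDR != "" {
+// Check if the health probe IP is blocked in the CIDR except
+if from.IPBlock.Except != nil {
+for _, except := range from.IPBlock.Except {
+_, excecptCidr, err := net.ParseCIDR(except)
+if err != nil {
+continue
+}
+if excecptCidr.Contains(healthProbeIP) {
+return false
+}
 }
 }
-}
-_, cidr, err := net.ParseCIDR(from.IPBlock.CIDR)
-if err != nil {
-continue
-}
-if cidr.Contains(healthProbeIP) {
-return true
+_, cidr, err := net.ParseCIDR(from.IPBlock.CIDR)
+if err != nil {
+continue
+}
+if cidr.Contains(healthProbeIP) {
+return true
+}
 }
 }
 }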
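Review bot: checkAPolicyAllowsHealthProbeIP (new lines 347-371) accepts a rule on the strength of its `from.ipBlock` alone and never reads that rule's `ingress.Ports`, so a rule like `from: [{ipBlock: {cidr: 168.63.129.16/32}}], ports: [{port: 9999}]` counts as admitting the probe even though `from` and `ports` are AND'd within one rule and the probe would only be admitted on port 9999, not on the service's target ports that the caller in checkNoServiceRisk checks for its own rule at line 237. Unless the probe is known to reach the pods on some port other than the service target ports, gate the positive result on the same port match: `if cidr.Contains(healthProbeIP) && (len(ingress.Ports) == 0 || checkServiceTargetPortMatchPolicyPorts(service.Spec.Ports, ingress.Ports)) {`. The `return false` at line 361 also ends the scan of the entire namespace as soon as one except covers the probe IP, although the comment at line 351 itself notes that ipBlocks are additive and a later policy could still allow the probe; skipping that from entry (a labelled `continue` on the from loop) would presumably only flag the service when no matching policy admits the probe. The enclosing function continues past the end of the hunk, and `excecptCidr` looks like a typo for `exceptCidr`.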
