updated to parse cidr to check for load balancer ip

rayaisaiah · rayaisaiah · commit c1b4d4af469b · 2025-02-10T23:57:21.000Z
diff --git a/tools/azure-npm-to-cilium-validator/README.md b/tools/azure-npm-to-cilium-validator/README.md
@@ -26,8 +26,7 @@ cd azure-container-networking/tools/azure-npm-to-cilium-validator
 Initialize the Go module and download dependencies:
 
 ```bash
-go mod tidy
-go mod vendor
+go mod tidy && go mod vendor
 ```
 
 ## Running the Tool
diff --git a/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator.go b/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator.go
@@ -5,6 +5,7 @@ import (
 	"flag"
 	"fmt"
 	"log"
+	"net"
 	"os"
 	"strings"
 
@@ -139,9 +140,9 @@ func getCIDRNetworkPolicies(policiesByNamespace map[string][]*networkingv1.Netwo
 }
 
 // Check for CIDR in ingress or egress rules
-func checkCIDRInPolicyRules(rules []networkingv1.NetworkPolicyPeer) bool {
-	for _, rule := range rules {
-		if rule.IPBlock != nil && rule.IPBlock.CIDR != "" {
+func checkCIDRInPolicyRules(to []networkingv1.NetworkPolicyPeer) bool {
+	for _, toRule := range to {
+		if toRule.IPBlock != nil && toRule.IPBlock.CIDR != "" {
 			return true
 		}
 	}
@@ -239,8 +240,8 @@ func checkNoServiceRisk(service *corev1.Service, policiesListAtNamespace []*netw
 				}
 			}
 			// Check if service is a loadbalancer and policy allows 168.63.129.16 and has no ports
-			if service.Spec.Type == corev1.ServiceTypeLoadBalancer && len(ingress.From) > 0 && len(ingress.Ports) == 0 {
-				if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector) && checkAllowsLoadBalancerIngressCIDR(ingress.From) {
+			if service.Spec.Type == corev1.ServiceTypeLoadBalancer && len(ingress.Ports) == 0 {
+				if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector) && checkAllowsLoadBalancerIP(ingress.From) {
 					return true
 				}
 			}
@@ -349,10 +350,17 @@ func checkServiceTargetPortMatchPolicyPorts(servicePorts []corev1.ServicePort, p
 	return true
 }
 
-func checkAllowsLoadBalancerIngressCIDR(from []networkingv1.NetworkPolicyPeer) bool {
-	for _, peer := range from {
-		if peer.IPBlock != nil && peer.IPBlock.CIDR == "168.63.129.16/32" {
-			return true
+func checkAllowsLoadBalancerIP(from []networkingv1.NetworkPolicyPeer) bool {
+	loadBalancerIP := net.ParseIP("168.63.129.16")
+	for _, fromRule := range from {
+		if fromRule.IPBlock != nil && fromRule.IPBlock.CIDR != "" {
+			_, cidr, err := net.ParseCIDR(fromRule.IPBlock.CIDR)
+			if err != nil {
+				continue
+			}
+			if cidr.Contains(loadBalancerIP) {
+				return true
+			}
 		}
 	}
 	return false

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ import (`
`5`	`5`	`"flag"`
`6`	`6`	`"fmt"`
`7`	`7`	`"log"`
	`8`	`+ "net"`
`8`	`9`	`"os"`
`9`	`10`	`"strings"`
`10`	`11`
`@@ -139,9 +140,9 @@ func getCIDRNetworkPolicies(policiesByNamespace map[string][]*networkingv1.Netwo`
`139`	`140`	`}`
`140`	`141`
`141`	`142`	`// Check for CIDR in ingress or egress rules`
`142`		`-func checkCIDRInPolicyRules(rules []networkingv1.NetworkPolicyPeer) bool {`
`143`		`- for _, rule := range rules {`
`144`		`- if rule.IPBlock != nil && rule.IPBlock.CIDR != "" {`
	`143`	`+func checkCIDRInPolicyRules(to []networkingv1.NetworkPolicyPeer) bool {`
	`144`	`+ for _, toRule := range to {`
	`145`	`+ if toRule.IPBlock != nil && toRule.IPBlock.CIDR != "" {`
`145`	`146`	`return true`
`146`	`147`	`}`
`147`	`148`	`}`
`@@ -239,8 +240,8 @@ func checkNoServiceRisk(service corev1.Service, policiesListAtNamespace []netw`
`239`	`240`	`}`
`240`	`241`	`}`
`241`	`242`	`// Check if service is a loadbalancer and policy allows 168.63.129.16 and has no ports`
`242`		`- if service.Spec.Type == corev1.ServiceTypeLoadBalancer && len(ingress.From) > 0 && len(ingress.Ports) == 0 {`
`243`		`- if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector) && checkAllowsLoadBalancerIngressCIDR(ingress.From) {`
	`243`	`+ if service.Spec.Type == corev1.ServiceTypeLoadBalancer && len(ingress.Ports) == 0 {`
	`244`	`+ if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector) && checkAllowsLoadBalancerIP(ingress.From) {`
`244`	`245`	`return true`
`245`	`246`	`}`
`246`	`247`	`}`
`@@ -349,10 +350,17 @@ func checkServiceTargetPortMatchPolicyPorts(servicePorts []corev1.ServicePort, p`
`349`	`350`	`return true`
`350`	`351`	`}`
`351`	`352`
`352`		`-func checkAllowsLoadBalancerIngressCIDR(from []networkingv1.NetworkPolicyPeer) bool {`
`353`		`- for _, peer := range from {`
`354`		`- if peer.IPBlock != nil && peer.IPBlock.CIDR == "168.63.129.16/32" {`
`355`		`- return true`
	`353`	`+func checkAllowsLoadBalancerIP(from []networkingv1.NetworkPolicyPeer) bool {`
	`354`	`+ loadBalancerIP := net.ParseIP("168.63.129.16")`
	`355`	`+ for _, fromRule := range from {`
	`356`	`+ if fromRule.IPBlock != nil && fromRule.IPBlock.CIDR != "" {`
	`357`	`+ _, cidr, err := net.ParseCIDR(fromRule.IPBlock.CIDR)`
	`358`	`+ if err != nil {`
	`359`	`+ continue`
	`360`	`+ }`
	`361`	`+ if cidr.Contains(loadBalancerIP) {`
	`362`	`+ return true`
	`363`	`+ }`
`356`	`364`	`}`
`357`	`365`	`}`
`358`	`366`	`return false`