responded to service comments

rayaisaiah · rayaisaiah · commit dd25cc8cc389 · 2025-02-05T00:49:25.000Z
diff --git a/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator.go b/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator.go
@@ -248,7 +248,9 @@ func checkExternalTrafficPolicyServices(namespaces *corev1.NamespaceList, servic
 						noSelectorServices = append(noSelectorServices, fmt.Sprintf("%s/%s", namespace.Name, service.Name))
 					} else {
 						// Check if are there services with selector that match the network policy
-						safeServices = checkServiceRisk(service, namespace.Name, policiesByNamespace[namespace.Name], safeServices)
+						if checkServiceRisk(service, namespace.Name, policiesByNamespace[namespace.Name]) {
+							safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace.Name, service.Name))
+						}
 					}
 				}
 			}
@@ -303,37 +305,40 @@ func hasIngressPolicies(policies []networkingv1.NetworkPolicy) bool {
 	return false
 }
 
-func checkServiceRisk(service corev1.Service, namespace string, policiesListAtNamespace []networkingv1.NetworkPolicy, safeServices []string) []string {
+func checkServiceRisk(service corev1.Service, namespace string, policiesListAtNamespace []networkingv1.NetworkPolicy) bool {
 	for _, policy := range policiesListAtNamespace {
 		for _, ingress := range policy.Spec.Ingress {
 			// Check if there is an allow all ingress policy that matches labels the service is safe
 			if len(ingress.From) == 0 && len(ingress.Ports) == 0 {
 				// Check if there is an allow all ingress policy with empty selectors return true as the policy allows all services in the namespace
-				if len(policy.Spec.PodSelector.MatchLabels) == 0 {
+				if checkPolicySelectorsAreEmpty(policy.Spec.PodSelector) {
 					fmt.Printf("found an allow all ingress policy: %s with empty selectors so service %s in the namespace %s is safe\n", policy.Name, service.Name, namespace)
-					safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))
-					return safeServices
+					return true
 				}
 				// Check if there is an allow all ingress policy that matches the service labels
 				if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector.MatchLabels) {
+					// TODO add this to above logic and check in one if statement after i am done printing the logs
 					fmt.Printf("found an allow all ingress policy: %s with matching selectors so service %s in the namespace %s is safe\n", policy.Name, service.Name, namespace)
-					safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))
-					return safeServices
+					return true
 				}
 			}
 			// If there are no ingress from but there are ports in the policy; check if the service is safe
 			if len(ingress.From) == 0 && len(ingress.Ports) > 0 {
 				// If the policy targets all pods (allow all) or only pods that are in the service selector, check if traffic is allowed to all the service's target ports
-				if len(policy.Spec.PodSelector.MatchLabels) == 0 || checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector.MatchLabels) {
+				if checkPolicySelectorsAreEmpty(policy.Spec.PodSelector) || checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector.MatchLabels) {
 					if checkServiceTargetPortMatchPolicyPorts(service.Spec.Ports, ingress.Ports) {
-						safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))
-						return safeServices
+						fmt.Printf("found an ingress port policy: %s with matching selectors and target ports so service %s in the namespace %s is safe\n", policy.Name, service.Name, namespace)
+						return true
 					}
 				}
 			}
 		}
 	}
-	return safeServices
+	return false
+}
+
+func checkPolicySelectorsAreEmpty(podSelector metav1.LabelSelector) bool {
+	return len(podSelector.MatchLabels) == 0 && len(podSelector.MatchExpressions) == 0
 }
 
 func checkPolicyMatchServiceLabels(serviceLabels, policyLabels map[string]string) bool {
@@ -343,6 +348,7 @@ func checkPolicyMatchServiceLabels(serviceLabels, policyLabels map[string]string
 	}
 
 	// Check for each policy label that that label is present in the service labels
+	// Note does not check matchExpressions
 	for policyKey, policyValue := range policyLabels {
 		matchedPolicyLabelToServiceLabel := false
 		for serviceKey, serviceValue := range serviceLabels {
@@ -371,10 +377,7 @@ func checkServiceTargetPortMatchPolicyPorts(servicePorts []corev1.ServicePort, p
 			return false
 		}
 		servicePort := fmt.Sprintf("%d/%s", port.TargetPort.IntValue(), port.Protocol)
-		fmt.Printf("servicePort %s\n", servicePort)
-		fmt.Printf("ingressPorts %v\n", ingressPorts)
 		if !contains(ingressPorts, servicePort) {
-			fmt.Printf("Service port %s is not allowed in the policy\n", servicePort)
 			return false
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -248,7 +248,9 @@ func checkExternalTrafficPolicyServices(namespaces *corev1.NamespaceList, servic`
`248`	`248`	`noSelectorServices = append(noSelectorServices, fmt.Sprintf("%s/%s", namespace.Name, service.Name))`
`249`	`249`	`} else {`
`250`	`250`	`// Check if are there services with selector that match the network policy`
`251`		`- safeServices = checkServiceRisk(service, namespace.Name, policiesByNamespace[namespace.Name], safeServices)`
	`251`	`+ if checkServiceRisk(service, namespace.Name, policiesByNamespace[namespace.Name]) {`
	`252`	`+ safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace.Name, service.Name))`
	`253`	`+ }`
`252`	`254`	`}`
`253`	`255`	`}`
`254`	`256`	`}`
`@@ -303,37 +305,40 @@ func hasIngressPolicies(policies []networkingv1.NetworkPolicy) bool {`
`303`	`305`	`return false`
`304`	`306`	`}`
`305`	`307`
`306`		`-func checkServiceRisk(service corev1.Service, namespace string, policiesListAtNamespace []networkingv1.NetworkPolicy, safeServices []string) []string {`
	`308`	`+func checkServiceRisk(service corev1.Service, namespace string, policiesListAtNamespace []networkingv1.NetworkPolicy) bool {`
`307`	`309`	`for _, policy := range policiesListAtNamespace {`
`308`	`310`	`for _, ingress := range policy.Spec.Ingress {`
`309`	`311`	`// Check if there is an allow all ingress policy that matches labels the service is safe`
`310`	`312`	`if len(ingress.From) == 0 && len(ingress.Ports) == 0 {`
`311`	`313`	`// Check if there is an allow all ingress policy with empty selectors return true as the policy allows all services in the namespace`
`312`		`- if len(policy.Spec.PodSelector.MatchLabels) == 0 {`
	`314`	`+ if checkPolicySelectorsAreEmpty(policy.Spec.PodSelector) {`
`313`	`315`	`fmt.Printf("found an allow all ingress policy: %s with empty selectors so service %s in the namespace %s is safe\n", policy.Name, service.Name, namespace)`
`314`		`- safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))`
`315`		`- return safeServices`
	`316`	`+ return true`
`316`	`317`	`}`
`317`	`318`	`// Check if there is an allow all ingress policy that matches the service labels`
`318`	`319`	`if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector.MatchLabels) {`
	`320`	`+ // TODO add this to above logic and check in one if statement after i am done printing the logs`
`319`	`321`	`fmt.Printf("found an allow all ingress policy: %s with matching selectors so service %s in the namespace %s is safe\n", policy.Name, service.Name, namespace)`
`320`		`- safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))`
`321`		`- return safeServices`
	`322`	`+ return true`
`322`	`323`	`}`
`323`	`324`	`}`
`324`	`325`	`// If there are no ingress from but there are ports in the policy; check if the service is safe`
`325`	`326`	`if len(ingress.From) == 0 && len(ingress.Ports) > 0 {`
`326`	`327`	`// If the policy targets all pods (allow all) or only pods that are in the service selector, check if traffic is allowed to all the service's target ports`
`327`		`- if len(policy.Spec.PodSelector.MatchLabels) == 0 \|\| checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector.MatchLabels) {`
	`328`	`+ if checkPolicySelectorsAreEmpty(policy.Spec.PodSelector) \|\| checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector.MatchLabels) {`
`328`	`329`	`if checkServiceTargetPortMatchPolicyPorts(service.Spec.Ports, ingress.Ports) {`
`329`		`- safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))`
`330`		`- return safeServices`
	`330`	`+ fmt.Printf("found an ingress port policy: %s with matching selectors and target ports so service %s in the namespace %s is safe\n", policy.Name, service.Name, namespace)`
	`331`	`+ return true`
`331`	`332`	`}`
`332`	`333`	`}`
`333`	`334`	`}`
`334`	`335`	`}`
`335`	`336`	`}`
`336`		`- return safeServices`
	`337`	`+ return false`
	`338`	`+}`
	`339`	`+`
	`340`	`+func checkPolicySelectorsAreEmpty(podSelector metav1.LabelSelector) bool {`
	`341`	`+ return len(podSelector.MatchLabels) == 0 && len(podSelector.MatchExpressions) == 0`
`337`	`342`	`}`
`338`	`343`
`339`	`344`	`func checkPolicyMatchServiceLabels(serviceLabels, policyLabels map[string]string) bool {`
`@@ -343,6 +348,7 @@ func checkPolicyMatchServiceLabels(serviceLabels, policyLabels map[string]string`
`343`	`348`	`}`
`344`	`349`
`345`	`350`	`// Check for each policy label that that label is present in the service labels`
	`351`	`+ // Note does not check matchExpressions`
`346`	`352`	`for policyKey, policyValue := range policyLabels {`
`347`	`353`	`matchedPolicyLabelToServiceLabel := false`
`348`	`354`	`for serviceKey, serviceValue := range serviceLabels {`
`@@ -371,10 +377,7 @@ func checkServiceTargetPortMatchPolicyPorts(servicePorts []corev1.ServicePort, p`
`371`	`377`	`return false`
`372`	`378`	`}`
`373`	`379`	`servicePort := fmt.Sprintf("%d/%s", port.TargetPort.IntValue(), port.Protocol)`
`374`		`- fmt.Printf("servicePort %s\n", servicePort)`
`375`		`- fmt.Printf("ingressPorts %v\n", ingressPorts)`
`376`	`380`	`if !contains(ingressPorts, servicePort) {`
`377`		`- fmt.Printf("Service port %s is not allowed in the policy\n", servicePort)`
`378`	`381`	`return false`
`379`	`382`	`}`
`380`	`383`	`}`