init cilium res

Author: derailed

internal/alias.go

@@ -25,6 +25,7 @@ type ResourceMetas map[types.GVR]metav1.APIResource
 type Aliases struct {
 	aliases map[string]types.GVR
 	metas   ResourceMetas
+	cilium  bool
 }
 
 // NewAliases returns a new instance.
@@ -49,25 +50,46 @@ func (a *Aliases) Dump() {
 	}
 }
 
-var customShortNames = map[string][]string{
-	"cluster":             {"cl"},
-	"secrets":             {"sec"},
-	"deployments":         {"dp"},
-	"clusterroles":        {"cr"},
-	"clusterrolebindings": {"crb"},
-	"roles":               {"ro"},
-	"rolebindings":        {"rb"},
-	"networkpolicies":     {"np"},
-	"httproutes":          {"gwr"},
-	"gatewayclassess":     {"gwc"},
-	"gateways":            {"gw"},
+type ShortNames map[R][]string
+
+var customShortNames = ShortNames{
+	CL:  {"cl"},
+	SEC: {"sec"},
+	DP:  {"dp"},
+	CR:  {"cr"},
+	CRB: {"crb"},
+	RO:  {"ro"},
+	ROB: {"rb"},
+	NP:  {"np"},
+	GWR: {"gwr"},
+	GWC: {"gwc"},
+	GW:  {"gw"},
+}
+
+func (a *Aliases) Inject(ss ShortNames) {
+	for gvr, res := range a.metas {
+		if kk, ok := ss[R(res.Name)]; ok {
+			for _, k := range kk {
+				a.aliases[k] = gvr
+			}
+		}
+	}
+}
+
+func (a *Aliases) IsNamespaced(gvr types.GVR) bool {
+	if r, ok := a.metas[gvr]; ok {
+		return r.Namespaced
+	}
+
+	return true
 }
 
 // Init loads the aliases glossary.
 func (a *Aliases) Init(c types.Connection) error {
-	if err := a.loadPreferred(c); err != nil {
-		return err
-	}
+	return a.loadPreferred(c)
+}
+
+func (a *Aliases) Realize() {
 	for gvr, res := range a.metas {
 		a.aliases[res.Name] = gvr
 		if res.SingularName != "" {
@@ -76,7 +98,7 @@ func (a *Aliases) Init(c types.Connection) error {
 		for _, n := range res.ShortNames {
 			a.aliases[n] = gvr
 		}
-		if kk, ok := customShortNames[res.Name]; ok {
+		if kk, ok := customShortNames[R(res.Name)]; ok {
 			for _, k := range kk {
 				a.aliases[k] = gvr
 			}
@@ -91,8 +113,6 @@ func (a *Aliases) Init(c types.Connection) error {
 			}
 		}
 	}
-
-	return nil
 }
 
 func greaterV(v1, v2 string) bool {
@@ -122,9 +142,14 @@ func (a *Aliases) TitleFor(s string, plural bool) string {
 	if plural {
 		return m.Name
 	}
+
 	return m.SingularName
 }
 
+func (a *Aliases) IsCiliumCluster() bool {
+	return a.cilium
+}
+
 func (a *Aliases) loadPreferred(c types.Connection) error {
 	dial, err := c.CachedDiscovery()
 	if err != nil {
@@ -141,6 +166,9 @@ func (a *Aliases) loadPreferred(c types.Connection) error {
 		}
 		for _, r := range l.APIResources {
 			gvr := types.NewGVRFromAPIRes(gv, r)
+			if !a.cilium && strings.Contains(gvr.G(), "cilium.io") {
+				a.cilium = true
+			}
 			r.Group, r.Version = gvr.G(), gvr.V()
 			if r.SingularName == "" {
 				r.SingularName = strings.ToLower(r.Kind)

internal/cilium/cache/cep.go

@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Popeye
+
+package cache
+
+import (
+	"fmt"
+	"strconv"
+	"sync"
+
+	v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+	"github.com/derailed/popeye/internal"
+	icache "github.com/derailed/popeye/internal/cache"
+	"github.com/derailed/popeye/internal/cilium"
+	"github.com/derailed/popeye/internal/db"
+)
+
+const CIDKey = "cid"
+
+// CiliumEndpoint represents a CiliumEndpoint cache.
+type CiliumEndpoint struct {
+	db *db.DB
+}
+
+// NewCiliumEndpoint returns a CiliumEndpoint cache.
+func NewCiliumEndpoint(dba *db.DB) *CiliumEndpoint {
+	return &CiliumEndpoint{db: dba}
+}
+
+// CiliumEndpointRefs computes all CiliumEndpoints external references.
+func (p *CiliumEndpoint) CEPRefs(refs *sync.Map) error {
+	txn, it := p.db.MustITFor(internal.Glossary[cilium.CEP])
+	defer txn.Abort()
+	for o := it.Next(); o != nil; o = it.Next() {
+		cep, ok := o.(*v2.CiliumEndpoint)
+		if !ok {
+			return fmt.Errorf("expected a CiliumEndpoint but got %T", o)
+		}
+		if cep.Status.Identity != nil {
+			key := icache.ResFqn(CIDKey, icache.FQN("", strconv.Itoa(int(cep.Status.Identity.ID))))
+			refs.Store(key, internal.AllKeys)
+		}
+	}
+
+	return nil
+}

internal/cilium/cilium.go

@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Popeye
+
+package cilium
+
+import (
+	"github.com/derailed/popeye/internal"
+	"github.com/derailed/popeye/types"
+)
+
+func init() {
+	for _, r := range CiliumRS {
+		internal.Glossary[r] = types.BlankGVR
+	}
+}
+
+const (
+	CEP  internal.R = "ciliumendpoints"
+	CID  internal.R = "ciliumidentities"
+	CNP  internal.R = "ciliumnetworkpolicies"
+	CCNP internal.R = "ciliumclusterwidenetworkpolicies"
+)
+
+var CiliumRS = []internal.R{CEP, CID, CNP, CCNP}
+
+var Aliases = internal.ShortNames{
+	CEP: {"cep"},
+	CID: {"cid"},
+}

internal/cilium/lint/ccnp.go

@@ -0,0 +1,152 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Popeye
+
+package lint
+
+import (
+	"context"
+	"fmt"
+
+	v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+	"github.com/cilium/cilium/pkg/policy/api"
+	"github.com/derailed/popeye/internal"
+	"github.com/derailed/popeye/internal/cilium"
+	"github.com/derailed/popeye/internal/client"
+	"github.com/derailed/popeye/internal/db"
+	"github.com/derailed/popeye/internal/issues"
+	ilint "github.com/derailed/popeye/internal/lint"
+	v1 "k8s.io/api/core/v1"
+)
+
+// CiliumClusterwideNetworkPolicy tracks CiliumClusterwideNetworkPolicy sanitization.
+type CiliumClusterwideNetworkPolicy struct {
+	*issues.Collector
+	db *db.DB
+}
+
+// NewCiliumClusterwideNetworkPolicy returns a new instance.
+func NewCiliumClusterwideNetworkPolicy(c *issues.Collector, db *db.DB) *CiliumClusterwideNetworkPolicy {
+	return &CiliumClusterwideNetworkPolicy{
+		Collector: c,
+		db:        db,
+	}
+}
+
+// Lint lints the resource.
+func (s *CiliumClusterwideNetworkPolicy) Lint(ctx context.Context) error {
+	txn, it := s.db.MustITFor(internal.Glossary[cilium.CCNP])
+	defer txn.Abort()
+	for o := it.Next(); o != nil; o = it.Next() {
+		ccnp := o.(*v2.CiliumClusterwideNetworkPolicy)
+		fqn := client.FQN("", ccnp.Name)
+		s.InitOutcome(fqn)
+		ctx = internal.WithSpec(ctx, ilint.SpecFor(fqn, ccnp))
+
+		rules := ccnp.Specs
+		if ccnp.Spec != nil {
+			rules = append(rules, ccnp.Spec)
+		}
+		for _, r := range rules {
+			if err := s.checkRule(ctx, r); err != nil {
+				s.AddErr(ctx, err)
+			}
+		}
+	}
+
+	return nil
+}
+
+func (s *CiliumClusterwideNetworkPolicy) checkRule(ctx context.Context, r *api.Rule) error {
+	if r.EndpointSelector.Size() > 0 {
+		if ok, err := s.checkEPSel(r.EndpointSelector); err != nil {
+			return err
+		} else if !ok {
+			s.AddCode(ctx, 1700, "endpoint")
+		}
+	}
+	if r.NodeSelector.Size() > 0 {
+		if ok, err := s.checkNodeSel(r.NodeSelector); err != nil {
+			return err
+		} else if !ok {
+			s.AddCode(ctx, 1701)
+		}
+	}
+	for _, ing := range r.Ingress {
+		for _, sel := range ing.FromEndpoints {
+			if ok, err := s.checkEPSel(sel); err != nil {
+				return err
+			} else if !ok {
+				s.AddCode(ctx, 1700, "ingress")
+			}
+		}
+	}
+	for _, eg := range r.Egress {
+		for _, sel := range eg.ToEndpoints {
+			if ok, err := s.checkEPSel(sel); err != nil {
+				return err
+			} else if !ok {
+				s.AddCode(ctx, 1700, "egress")
+			}
+		}
+	}
+
+	return nil
+}
+
+func (s *CiliumClusterwideNetworkPolicy) checkEPSel(sel api.EndpointSelector) (bool, error) {
+	mm, err := s.matchCEPsBySel(sel)
+	if err != nil {
+		return false, err
+	}
+
+	return len(mm) > 0, nil
+}
+
+func (s *CiliumClusterwideNetworkPolicy) checkNodeSel(sel api.EndpointSelector) (bool, error) {
+	mm, err := s.matchNodesBySel(sel)
+	if err != nil {
+		return false, err
+	}
+
+	return len(mm) > 0, nil
+}
+
+func (s *CiliumClusterwideNetworkPolicy) matchNodesBySel(sel api.EndpointSelector) ([]string, error) {
+	txn := s.db.Txn(false)
+	defer txn.Abort()
+	txn, it := s.db.MustITFor(internal.Glossary[internal.NO])
+	defer txn.Abort()
+	mm := make([]string, 0, 10)
+	for o := it.Next(); o != nil; o = it.Next() {
+		no, ok := o.(*v1.Node)
+		if !ok {
+			return nil, fmt.Errorf("expecting node but got %s", o)
+		}
+		fqn := client.FQN("", no.Name)
+		if matchSelector(no.Labels, sel) {
+			mm = append(mm, fqn)
+		}
+	}
+
+	return mm, nil
+}
+
+func (s *CiliumClusterwideNetworkPolicy) matchCEPsBySel(sel api.EndpointSelector) ([]string, error) {
+	txn := s.db.Txn(false)
+	defer txn.Abort()
+	txn, it := s.db.MustITFor(internal.Glossary[cilium.CEP])
+	defer txn.Abort()
+	mm := make([]string, 0, 10)
+	for o := it.Next(); o != nil; o = it.Next() {
+		cep, ok := o.(*v2.CiliumEndpoint)
+		if !ok {
+			return nil, fmt.Errorf("expecting cilium endpoint but got %s", o)
+		}
+		fqn := client.FQN(cep.Namespace, cep.Name)
+		if matchSelector(cep.Labels, sel) {
+			mm = append(mm, fqn)
+		}
+	}
+
+	return mm, nil
+}

internal/cilium/lint/ccnp_test.go

@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Popeye
+
+package lint
+
+import (
+	"testing"
+
+	v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+	"github.com/derailed/popeye/internal"
+	"github.com/derailed/popeye/internal/cilium"
+	"github.com/derailed/popeye/internal/db"
+	"github.com/derailed/popeye/internal/rules"
+	"github.com/derailed/popeye/internal/test"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCiliumClusterwideNetworkPolicy(t *testing.T) {
+	dba, err := test.NewTestDB()
+	assert.NoError(t, err)
+	l := db.NewLoader(dba)
+
+	ctx := test.MakeCtx(t)
+	assert.NoError(t, test.LoadDB[*v2.CiliumClusterwideNetworkPolicy](ctx, l.DB, "ccnp/1.yaml", internal.Glossary[cilium.CCNP]))
+	assert.NoError(t, test.LoadDB[*v2.CiliumEndpoint](ctx, l.DB, "cep/1.yaml", internal.Glossary[cilium.CEP]))
+
+	li := NewCiliumClusterwideNetworkPolicy(test.MakeCollector(t), dba)
+	assert.Nil(t, li.Lint(test.MakeContext("cilium.io/v2/ciliumclusterwidenetworkpolicies", "ciliumclusterwidenetworkpolicies")))
+	assert.Equal(t, 3, len(li.Outcome()))
+
+	ii := li.Outcome()["ccnp1"]
+	assert.Equal(t, 0, len(ii))
+
+	ii = li.Outcome()["ccnp2"]
+	assert.Equal(t, 3, len(ii))
+	assert.Equal(t, `[POP-1700] No cilium endpoints matched endpoint selector`, ii[0].Message)
+	assert.Equal(t, rules.ErrorLevel, ii[0].Level)
+	assert.Equal(t, `[POP-1700] No cilium endpoints matched ingress selector`, ii[1].Message)
+	assert.Equal(t, rules.ErrorLevel, ii[1].Level)
+	assert.Equal(t, `[POP-1700] No cilium endpoints matched egress selector`, ii[2].Message)
+	assert.Equal(t, rules.ErrorLevel, ii[2].Level)
+
+	ii = li.Outcome()["ccnp3"]
+	assert.Equal(t, 1, len(ii))
+	assert.Equal(t, `[POP-1701] No nodes matched node selector`, ii[0].Message)
+	assert.Equal(t, rules.ErrorLevel, ii[0].Level)
+}