Fixed a bug where auto-allow webhook network policy didn't allow communication to the service target port (#597)

Author: zohar7ch

src/operator/controllers/webhook_traffic/network_policy_handler.go

@@ -168,7 +168,7 @@ func (n *NetworkPolicyHandler) reduceWebhooksNetpols(ctx context.Context, webhoo
 			// At this point we want to create the network policy, because the configuration is either set to "always" or
 			// that it is set to "if blocked by otterize" and the service is blocked by otterize
 			// TODO: do we also need to create netpol for Otterize?
-			netpol, err := n.buildNetworkPolicy(ctx, webhookClientConfig.webhookName, webhookClientConfig.clientConfiguration.Service, service)
+			netpol, err := n.buildNetworkPolicy(ctx, webhookClientConfig.webhookName, service)
 			if err != nil {
 				return make(NetworkPolicyWithMetaByName), errors.Wrap(err)
 			}
@@ -307,7 +307,7 @@ func (n *NetworkPolicyHandler) getWebhookService(ctx context.Context, webhookSer
 	return service, true, nil
 }
 
-func (n *NetworkPolicyHandler) buildNetworkPolicy(ctx context.Context, webhookName string, webhookService *admissionv1.ServiceReference, service *corev1.Service) (v1.NetworkPolicy, error) {
+func (n *NetworkPolicyHandler) buildNetworkPolicy(ctx context.Context, webhookName string, service *corev1.Service) (v1.NetworkPolicy, error) {
 	policyName := fmt.Sprintf("webhook-%s-access-to-%s", strings.ToLower(webhookName), strings.ToLower(service.Name))
 	rule := v1.NetworkPolicyIngressRule{}
 
@@ -328,12 +328,17 @@ func (n *NetworkPolicyHandler) buildNetworkPolicy(ctx context.Context, webhookNa
 		rule.From = append(rule.From, fromControlPlaneIPs...)
 	}
 
+	labelValue := webhookName
+	if len(labelValue) > 63 {
+		labelValue = labelValue[:63]
+	}
+
 	newPolicy := v1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      policyName,
 			Namespace: service.Namespace,
 			Labels: map[string]string{
-				v2alpha1.OtterizeNetworkPolicyWebhooks: webhookName,
+				v2alpha1.OtterizeNetworkPolicyWebhooks: labelValue,
 			},
 		},
 		Spec: v1.NetworkPolicySpec{
@@ -347,13 +352,27 @@ func (n *NetworkPolicyHandler) buildNetworkPolicy(ctx context.Context, webhookNa
 		},
 	}
 
-	if webhookService.Port != nil {
-		newPolicy.Spec.Ingress[0].Ports = append(newPolicy.Spec.Ingress[0].Ports, v1.NetworkPolicyPort{
-			Port:     lo.ToPtr(intstr.IntOrString{IntVal: *webhookService.Port, Type: intstr.Int}),
-			Protocol: lo.ToPtr(corev1.ProtocolTCP),
-		})
+	netpolPorts := make([]v1.NetworkPolicyPort, 0, 2*len(service.Spec.Ports))
+
+	for _, servicePort := range service.Spec.Ports {
+		// Add the port
+		netpolPorts = append(netpolPorts,
+			v1.NetworkPolicyPort{
+				Port:     lo.ToPtr(intstr.IntOrString{IntVal: servicePort.Port, Type: intstr.Int}),
+				Protocol: lo.ToPtr(servicePort.Protocol),
+			})
+		// Add the target port
+		if servicePort.TargetPort.IntVal != 0 || servicePort.TargetPort.StrVal != "" {
+			netpolPorts = append(netpolPorts,
+				v1.NetworkPolicyPort{
+					Port:     lo.ToPtr(servicePort.TargetPort),
+					Protocol: lo.ToPtr(servicePort.Protocol),
+				})
+		}
 	}
 
+	newPolicy.Spec.Ingress[0].Ports = netpolPorts
+
 	return newPolicy, nil
 }
 

src/operator/controllers/webhook_traffic/network_policy_handler_test.go

@@ -15,6 +15,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"testing"
 )
@@ -117,6 +118,12 @@ func (s *NetworkPolicyHandlerTestSuite) SetupTest() {
 			Selector: map[string]string{
 				"Taylor": "Swift",
 			},
+			Ports: []corev1.ServicePort{
+				{
+					Port:     TestServicePort,
+					Protocol: corev1.ProtocolTCP,
+				},
+			},
 		},
 	}
 
@@ -154,7 +161,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 	s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, false)
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, false, nil)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -189,43 +196,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
-	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
-	err := s.handler.HandleAll(context.Background())
-	s.Require().NoError(err)
-	s.ExpectEvent(ReasonCreatingWebhookTrafficNetpol)
-	s.ExpectEvent(ReasonCreatingWebhookTrafficNetpolSuccess)
-}
-
-func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlockedByOtterize_ServiceIsBlockedByOtterize_TwoWebhooksToSameServiceDifferentPorts_CreatingOneWebhookPolicy() {
-	secondPort := int32(1432)
-	s.validatingWebhook.Webhooks = append(s.validatingWebhook.Webhooks,
-		admissionv1.ValidatingWebhook{
-			Name: "Second",
-			ClientConfig: admissionv1.WebhookClientConfig{
-				Service: &admissionv1.ServiceReference{
-					Name:      TestServiceName,
-					Namespace: TestNamespace,
-					Port:      lo.ToPtr(secondPort),
-				},
-			},
-		})
-
-	s.mockForReturningValidatingWebhook()
-
-	// Called once for "First" webhook
-	s.mockReturningWebhookService()
-	s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
-	s.mockGetControlPlaneIPs()
-
-	// Called second time for "Second"" webhook
-	s.mockReturningWebhookService()
-	s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
-	s.mockGetControlPlaneIPs()
-
-	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
-
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{secondPort, TestServicePort}, s.handler.allowAllIncomingTraffic)
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic, nil)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -272,7 +243,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 			WithFromIPBlock(s.handler.allowAllIncomingTraffic).
 			Build())
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic, nil)
 	s.Client.EXPECT().Patch(gomock.Any(), gomock.All(netpolMatcher), gomock.Any()).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -325,7 +296,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_Servi
 			WithFromIPBlock(s.handler.allowAllIncomingTraffic).
 			Build()})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic, nil)
 	s.Client.EXPECT().Delete(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -343,7 +314,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_Se
 	s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic, nil)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -358,7 +329,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_MutatingWebhook
 	s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic, nil)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -373,7 +344,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_CRDsWebhooks_Ha
 	s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic, nil)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -391,7 +362,64 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_Al
 	//s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic, nil)
+	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
+	err := s.handler.HandleAll(context.Background())
+	s.Require().NoError(err)
+	s.ExpectEvent(ReasonCreatingWebhookTrafficNetpol)
+	s.ExpectEvent(ReasonCreatingWebhookTrafficNetpolSuccess)
+}
+
+func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_ServiceHasDifferentTargetPortThanPort_CreatePolicy() {
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Always, 32, false)
+	s.handler.InjectRecorder(s.Recorder)
+	targetPort := int32(1820)
+	s.webhookService = &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      TestServiceName,
+			Namespace: TestNamespace,
+		},
+		Spec: corev1.ServiceSpec{
+			Selector: map[string]string{
+				"Taylor": "Swift",
+			},
+			Ports: []corev1.ServicePort{
+				{
+					Port:       TestServicePort,
+					TargetPort: intstr.FromInt32(targetPort),
+					Protocol:   corev1.ProtocolTCP,
+				},
+			},
+		},
+	}
+
+	s.mockForReturningValidatingWebhook()
+	s.mockReturningWebhookService()
+	//s.mockServiceIsBlockedByOtterize(make([]v1.NetworkPolicy, 0))
+	s.mockGetControlPlaneIPs()
+	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
+
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{targetPort, TestServicePort}, s.handler.allowAllIncomingTraffic, nil)
+	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
+	err := s.handler.HandleAll(context.Background())
+	s.Require().NoError(err)
+	s.ExpectEvent(ReasonCreatingWebhookTrafficNetpol)
+	s.ExpectEvent(ReasonCreatingWebhookTrafficNetpolSuccess)
+}
+
+func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_WebhookNameTooLong_CreatePolicy() {
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Always, 32, false)
+	s.handler.InjectRecorder(s.Recorder)
+	s.validatingWebhook = ValidatingWebhookConfiguration.DeepCopy()
+	s.validatingWebhook.Name = "A-lantern-lit-her-journey-through-the-meadow-A-breeze-whispered-shadows-danced-and-the-forest-echoed-with-silent-wonder"
+
+	s.mockForReturningValidatingWebhook()
+	s.mockReturningWebhookService()
+	//s.mockServiceIsBlockedByOtterize(make([]v1.NetworkPolicy, 0))
+	s.mockGetControlPlaneIPs()
+	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
+
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, false, lo.ToPtr("A-lantern-lit-her-journey-through-the-meadow-A-breeze-whispered-shadows-danced-and-the-forest-echoed-with-silent-wonder"))
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)

src/operator/controllers/webhook_traffic/network_policy_handler_utils_test.go

@@ -7,6 +7,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"reflect"
@@ -39,12 +40,14 @@ type NetworkPolicyBuilder struct {
 type NetworkPolicyMatcher struct {
 	ports                   []int32
 	allowAllIncomingTraffic bool
+	webhookName             *string
 }
 
-func NewNetworkPolicyMatcher(ports []int32, allowAllIncomingTraffic bool) *NetworkPolicyMatcher {
+func NewNetworkPolicyMatcher(ports []int32, allowAllIncomingTraffic bool, webhookName *string) *NetworkPolicyMatcher {
 	return &NetworkPolicyMatcher{
 		ports:                   ports,
 		allowAllIncomingTraffic: allowAllIncomingTraffic,
+		webhookName:             webhookName,
 	}
 }
 
@@ -61,6 +64,7 @@ func (m *NetworkPolicyMatcher) Matches(other interface{}) bool {
 	expectedNetpol := NewNetworkPolicyBuilder(ExpectedNetpol).
 		WithPorts(m.ports).
 		WithFromIPBlock(m.allowAllIncomingTraffic).
+		WithWebhookName(m.webhookName).
 		Build()
 
 	return otherAsNetpol.Namespace == TestNamespace &&
@@ -99,6 +103,24 @@ func (b *NetworkPolicyBuilder) WithFromIPBlock(allowAll bool) *NetworkPolicyBuil
 	return b
 }
 
+func (b *NetworkPolicyBuilder) WithWebhookName(webhookName *string) *NetworkPolicyBuilder {
+	if webhookName == nil {
+		return b
+	}
+
+	webhookShortName := *webhookName
+	if len(webhookShortName) > 63 {
+		webhookShortName = webhookShortName[:63]
+	}
+	b.policy.Labels = map[string]string{
+		v2alpha1.OtterizeNetworkPolicyWebhooks: webhookShortName,
+	}
+
+	b.policy.Name = fmt.Sprintf("webhook-%s-access-to-test-service", strings.ToLower(*webhookName))
+
+	return b
+}
+
 func (b *NetworkPolicyBuilder) Build() v1.NetworkPolicy {
 	return *b.policy
 }