[Prep for] Auto allow webhook traffic - restrict traffic from control plane IP based on configuration & support IPv6 for control plane (#596)

Author: zohar7ch

src/operator/controllers/webhook_traffic/network_policy_handler.go

@@ -20,6 +20,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"net"
 	"reflect"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"strings"
@@ -53,19 +54,22 @@ type NetworkPolicyHandler struct {
 	injectablerecorder.InjectableRecorder
 	policy                       automate_third_party_network_policy.Enum
 	controlPlaneCIDRPrefixLength int
+	allowAllIncomingTraffic      bool
 }
 
 func NewNetworkPolicyHandler(
 	client client.Client,
 	scheme *runtime.Scheme,
 	policy automate_third_party_network_policy.Enum,
 	controlPlaneCIDRPrefixLength int,
+	allowAllIncomingTraffic bool,
 ) *NetworkPolicyHandler {
 	return &NetworkPolicyHandler{
 		client:                       client,
 		scheme:                       scheme,
 		policy:                       policy,
 		controlPlaneCIDRPrefixLength: controlPlaneCIDRPrefixLength,
+		allowAllIncomingTraffic:      allowAllIncomingTraffic,
 	}
 }
 
@@ -305,22 +309,24 @@ func (n *NetworkPolicyHandler) getWebhookService(ctx context.Context, webhookSer
 
 func (n *NetworkPolicyHandler) buildNetworkPolicy(ctx context.Context, webhookName string, webhookService *admissionv1.ServiceReference, service *corev1.Service) (v1.NetworkPolicy, error) {
 	policyName := fmt.Sprintf("webhook-%s-access-to-%s", strings.ToLower(webhookName), strings.ToLower(service.Name))
+	rule := v1.NetworkPolicyIngressRule{}
 
-	controlPlaneIPs, err := n.getControlPlaneIPsAsCIDR(ctx)
-	if err != nil {
-		return v1.NetworkPolicy{}, errors.Wrap(err)
-	}
-
-	fromControlPlaneIPs := lo.Map(controlPlaneIPs, func(controlPLaneIP string, _ int) v1.NetworkPolicyPeer {
-		return v1.NetworkPolicyPeer{
-			IPBlock: &v1.IPBlock{
-				CIDR: controlPLaneIP,
-			},
+	if !n.allowAllIncomingTraffic {
+		controlPlaneIPs, err := n.getControlPlaneIPsAsCIDR(ctx)
+		if err != nil {
+			return v1.NetworkPolicy{}, errors.Wrap(err)
 		}
-	})
 
-	rule := v1.NetworkPolicyIngressRule{}
-	rule.From = append(rule.From, fromControlPlaneIPs...)
+		fromControlPlaneIPs := lo.Map(controlPlaneIPs, func(controlPLaneIP string, _ int) v1.NetworkPolicyPeer {
+			return v1.NetworkPolicyPeer{
+				IPBlock: &v1.IPBlock{
+					CIDR: controlPLaneIP,
+				},
+			}
+		})
+
+		rule.From = append(rule.From, fromControlPlaneIPs...)
+	}
 
 	newPolicy := v1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
@@ -387,8 +393,11 @@ func (n *NetworkPolicyHandler) getControlPlaneIPsAsCIDR(ctx context.Context) ([]
 	}
 
 	addresses := make([]string, 0)
-	if svc.Spec.ClusterIP != "" && svc.Spec.ClusterIP != "None" {
-		addresses = append(addresses, fmt.Sprintf("%s/32", svc.Spec.ClusterIP))
+	for _, clusterIP := range svc.Spec.ClusterIPs {
+		ip, isIP := n.ipAddressToCIDR(clusterIP)
+		if isIP {
+			addresses = append(addresses, ip)
+		}
 	}
 
 	var endpoints corev1.Endpoints
@@ -399,15 +408,30 @@ func (n *NetworkPolicyHandler) getControlPlaneIPsAsCIDR(ctx context.Context) ([]
 
 	for _, subset := range endpoints.Subsets {
 		for _, endpointAddress := range subset.Addresses {
-			if endpointAddress.IP != "" && endpointAddress.IP != "None" {
-				addresses = append(addresses, fmt.Sprintf("%s/%d", endpointAddress.IP, n.controlPlaneCIDRPrefixLength))
+			ip, isIP := n.ipAddressToCIDR(endpointAddress.IP)
+			if isIP {
+				addresses = append(addresses, ip)
 			}
 		}
 	}
 
 	return addresses, nil
 }
 
+func (n *NetworkPolicyHandler) ipAddressToCIDR(ipAddress string) (string, bool) {
+	ip := net.ParseIP(ipAddress)
+	if ip == nil {
+		return "", false
+	}
+
+	if ip.To4() != nil {
+		return fmt.Sprintf("%s/%d", ipAddress, n.controlPlaneCIDRPrefixLength), true
+	}
+	// The address is IPv6, we currently support configurable CIDR prefix length only for IPv4
+	return fmt.Sprintf("%s/128", ipAddress), true
+
+}
+
 func (n *NetworkPolicyHandler) policiesAreEqual(policy *v1.NetworkPolicy, otherPolicy *v1.NetworkPolicy) bool {
 	return reflect.DeepEqual(policy.Spec, otherPolicy.Spec) &&
 		reflect.DeepEqual(policy.Labels, otherPolicy.Labels)

src/operator/controllers/webhook_traffic/network_policy_handler_test.go

@@ -25,7 +25,7 @@ const (
 	TestNamespace      = "test-namespace"
 	TestWebhookName    = "test-webhook"
 	TestServicePodName = "test-service-pod"
-	TestControlPlaneIP = "111.222.333.4"
+	TestControlPlaneIP = "11.22.33.4"
 )
 
 var OtterizeIngressNetpols = []v1.NetworkPolicy{
@@ -103,7 +103,7 @@ type NetworkPolicyHandlerTestSuite struct {
 
 func (s *NetworkPolicyHandlerTestSuite) SetupTest() {
 	s.MocksSuiteBase.SetupTest()
-	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.IfBlockedByOtterize, 32)
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.IfBlockedByOtterize, 32, false)
 	s.handler.InjectRecorder(s.Recorder)
 
 	s.validatingWebhook = ValidatingWebhookConfiguration.DeepCopy()
@@ -154,7 +154,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 	s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, false)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -189,7 +189,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -225,7 +225,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{secondPort, TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{secondPort, TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -238,8 +238,15 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 	s.mockReturningWebhookService()
 	s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
 	s.mockGetControlPlaneIPs()
-	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{*getExpectedNetpolWithPorts([]int32{TestServicePort})})
-	s.mockGetNetworkPolicyForUpdate(*getExpectedNetpolWithPorts([]int32{TestServicePort}))
+	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{
+		NewNetworkPolicyBuilder(ExpectedNetpol).
+			WithPorts([]int32{TestServicePort}).
+			WithFromIPBlock(s.handler.allowAllIncomingTraffic).
+			Build()})
+	s.mockGetNetworkPolicyForUpdate(NewNetworkPolicyBuilder(ExpectedNetpol).
+		WithPorts([]int32{TestServicePort}).
+		WithFromIPBlock(s.handler.allowAllIncomingTraffic).
+		Build())
 
 	//netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
 	//s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
@@ -254,10 +261,18 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 	s.mockReturningWebhookService()
 	s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
 	s.mockGetControlPlaneIPs()
-	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{*getExpectedNetpolWithPorts([]int32{12129})})
-	s.mockGetNetworkPolicyForUpdate(*getExpectedNetpolWithPorts([]int32{12129}))
-
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{
+		NewNetworkPolicyBuilder(ExpectedNetpol).
+			WithPorts([]int32{12129}).
+			WithFromIPBlock(s.handler.allowAllIncomingTraffic).
+			Build()})
+	s.mockGetNetworkPolicyForUpdate(
+		NewNetworkPolicyBuilder(ExpectedNetpol).
+			WithPorts([]int32{12129}).
+			WithFromIPBlock(s.handler.allowAllIncomingTraffic).
+			Build())
+
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Patch(gomock.Any(), gomock.All(netpolMatcher), gomock.Any()).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -281,7 +296,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 }
 
 func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_ServiceIsBlockedByOtterize_DoNothing() {
-	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Off, 32)
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Off, 32, false)
 
 	s.mockForReturningValidatingWebhook()
 	//s.mockReturningWebhookService()
@@ -298,15 +313,19 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_Servi
 }
 
 func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_ServiceIsBlockedByOtterize_ExistingWebhookPolicy_DeletePolicy() {
-	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Off, 32)
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Off, 32, false)
 
 	s.mockForReturningValidatingWebhook()
 	//s.mockReturningWebhookService()
 	//s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
 	//s.mockGetControlPlaneIPs()
-	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{*getExpectedNetpolWithPorts([]int32{TestServicePort})})
+	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{
+		NewNetworkPolicyBuilder(ExpectedNetpol).
+			WithPorts([]int32{TestServicePort}).
+			WithFromIPBlock(s.handler.allowAllIncomingTraffic).
+			Build()})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Delete(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -315,7 +334,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_Servi
 }
 
 func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_ServiceIsNotBlockedByOtterize_CreatePolicy() {
-	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Always, 32)
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Always, 32, false)
 	s.handler.InjectRecorder(s.Recorder)
 
 	s.mockForReturningValidatingWebhook()
@@ -324,7 +343,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_Se
 	s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -339,7 +358,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_MutatingWebhook
 	s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -354,7 +373,25 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_CRDsWebhooks_Ha
 	s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
+	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
+	err := s.handler.HandleAll(context.Background())
+	s.Require().NoError(err)
+	s.ExpectEvent(ReasonCreatingWebhookTrafficNetpol)
+	s.ExpectEvent(ReasonCreatingWebhookTrafficNetpolSuccess)
+}
+
+func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_AllowAllIncomingTraffic_CreatingWebhookPolicy() {
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Always, 32, true)
+	s.handler.InjectRecorder(s.Recorder)
+
+	s.mockForReturningValidatingWebhook()
+	s.mockReturningWebhookService()
+	//s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
+	//s.mockGetControlPlaneIPs()
+	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
+
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -499,7 +536,7 @@ func (s *NetworkPolicyHandlerTestSuite) mockGetControlPlaneIPs() {
 		gomock.Any(), gomock.Eq(types.NamespacedName{Name: "kubernetes", Namespace: "default"}), gomock.Eq(&corev1.Service{}),
 	).DoAndReturn(
 		func(_ any, _ any, svc *corev1.Service, _ ...any) error {
-			svc.Spec.ClusterIP = TestControlPlaneIP
+			svc.Spec.ClusterIPs = []string{TestControlPlaneIP}
 			svc.Name = "kubernetes"
 			svc.Namespace = "default"
 			return nil

src/operator/controllers/webhook_traffic/network_policy_handler_utils_test.go

@@ -24,26 +24,28 @@ var ExpectedNetpol = v1.NetworkPolicy{
 		},
 		Ingress: []v1.NetworkPolicyIngressRule{
 			{
-				Ports: []v1.NetworkPolicyPort{},
-				From: []v1.NetworkPolicyPeer{
-					{
-						IPBlock: &v1.IPBlock{
-							CIDR: fmt.Sprintf("%s/32", TestControlPlaneIP),
-						},
-					},
-				},
+				Ports: nil,
+				From:  nil,
 			},
 		},
 		PolicyTypes: []v1.PolicyType{v1.PolicyTypeIngress},
 	},
 }
 
+type NetworkPolicyBuilder struct {
+	policy *v1.NetworkPolicy
+}
+
 type NetworkPolicyMatcher struct {
-	ports []int32
+	ports                   []int32
+	allowAllIncomingTraffic bool
 }
 
-func NewNetworkPolicyMatcher(ports []int32) *NetworkPolicyMatcher {
-	return &NetworkPolicyMatcher{ports: ports}
+func NewNetworkPolicyMatcher(ports []int32, allowAllIncomingTraffic bool) *NetworkPolicyMatcher {
+	return &NetworkPolicyMatcher{
+		ports:                   ports,
+		allowAllIncomingTraffic: allowAllIncomingTraffic,
+	}
 }
 
 func (m *NetworkPolicyMatcher) String() string {
@@ -56,21 +58,47 @@ func (m *NetworkPolicyMatcher) Matches(other interface{}) bool {
 		return false
 	}
 
-	expectedNetpol := getExpectedNetpolWithPorts(m.ports)
+	expectedNetpol := NewNetworkPolicyBuilder(ExpectedNetpol).
+		WithPorts(m.ports).
+		WithFromIPBlock(m.allowAllIncomingTraffic).
+		Build()
 
 	return otherAsNetpol.Namespace == TestNamespace &&
 		otherAsNetpol.Name == expectedNetpol.Name &&
 		reflect.DeepEqual(otherAsNetpol.Labels, expectedNetpol.Labels) &&
 		reflect.DeepEqual(otherAsNetpol.Spec, expectedNetpol.Spec)
 }
 
-func getExpectedNetpolWithPorts(ports []int32) *v1.NetworkPolicy {
-	expectedNetpol := ExpectedNetpol.DeepCopy()
-	expectedNetpol.Spec.Ingress[0].Ports = lo.Map(ports, func(port int32, _ int) v1.NetworkPolicyPort {
+func NewNetworkPolicyBuilder(base v1.NetworkPolicy) *NetworkPolicyBuilder {
+	return &NetworkPolicyBuilder{policy: base.DeepCopy()}
+}
+
+func (b *NetworkPolicyBuilder) WithPorts(ports []int32) *NetworkPolicyBuilder {
+	b.policy.Spec.Ingress[0].Ports = lo.Map(ports, func(port int32, _ int) v1.NetworkPolicyPort {
 		return v1.NetworkPolicyPort{
 			Protocol: lo.ToPtr(corev1.ProtocolTCP),
 			Port:     lo.ToPtr(intstr.IntOrString{Type: intstr.Int, IntVal: port}),
 		}
 	})
-	return expectedNetpol
+	return b
+}
+
+func (b *NetworkPolicyBuilder) WithFromIPBlock(allowAll bool) *NetworkPolicyBuilder {
+	if allowAll {
+		// leave .From empty
+		return b
+	}
+
+	b.policy.Spec.Ingress[0].From = []v1.NetworkPolicyPeer{
+		{
+			IPBlock: &v1.IPBlock{
+				CIDR: fmt.Sprintf("%s/32", TestControlPlaneIP),
+			},
+		},
+	}
+	return b
+}
+
+func (b *NetworkPolicyBuilder) Build() v1.NetworkPolicy {
+	return *b.policy
 }