Determine webhook-traffic-netpol granulation based on configuration

We want to determine whether the webhook-traffic-netpol rule will allow
network traffic with or without `From` section based on configuration.
When adding the `From` section, it means that the policy would be more
strict (Will allow traffic only from IPs recognized as control-plane
addresses).

Author: zohar7ch

src/operator/controllers/webhook_traffic/network_policy_handler.go

@@ -54,19 +54,22 @@ type NetworkPolicyHandler struct {
 	injectablerecorder.InjectableRecorder
 	policy                       automate_third_party_network_policy.Enum
 	controlPlaneCIDRPrefixLength int
+	allowAllIncomingTraffic      bool
 }
 
 func NewNetworkPolicyHandler(
 	client client.Client,
 	scheme *runtime.Scheme,
 	policy automate_third_party_network_policy.Enum,
 	controlPlaneCIDRPrefixLength int,
+	allowAllIncomingTraffic bool,
 ) *NetworkPolicyHandler {
 	return &NetworkPolicyHandler{
 		client:                       client,
 		scheme:                       scheme,
 		policy:                       policy,
 		controlPlaneCIDRPrefixLength: controlPlaneCIDRPrefixLength,
+		allowAllIncomingTraffic:      allowAllIncomingTraffic,
 	}
 }
 
@@ -306,22 +309,24 @@ func (n *NetworkPolicyHandler) getWebhookService(ctx context.Context, webhookSer
 
 func (n *NetworkPolicyHandler) buildNetworkPolicy(ctx context.Context, webhookName string, webhookService *admissionv1.ServiceReference, service *corev1.Service) (v1.NetworkPolicy, error) {
 	policyName := fmt.Sprintf("webhook-%s-access-to-%s", strings.ToLower(webhookName), strings.ToLower(service.Name))
+	rule := v1.NetworkPolicyIngressRule{}
 
-	controlPlaneIPs, err := n.getControlPlaneIPsAsCIDR(ctx)
-	if err != nil {
-		return v1.NetworkPolicy{}, errors.Wrap(err)
-	}
-
-	fromControlPlaneIPs := lo.Map(controlPlaneIPs, func(controlPLaneIP string, _ int) v1.NetworkPolicyPeer {
-		return v1.NetworkPolicyPeer{
-			IPBlock: &v1.IPBlock{
-				CIDR: controlPLaneIP,
-			},
+	if !n.allowAllIncomingTraffic {
+		controlPlaneIPs, err := n.getControlPlaneIPsAsCIDR(ctx)
+		if err != nil {
+			return v1.NetworkPolicy{}, errors.Wrap(err)
 		}
-	})
 
-	rule := v1.NetworkPolicyIngressRule{}
-	rule.From = append(rule.From, fromControlPlaneIPs...)
+		fromControlPlaneIPs := lo.Map(controlPlaneIPs, func(controlPLaneIP string, _ int) v1.NetworkPolicyPeer {
+			return v1.NetworkPolicyPeer{
+				IPBlock: &v1.IPBlock{
+					CIDR: controlPLaneIP,
+				},
+			}
+		})
+
+		rule.From = append(rule.From, fromControlPlaneIPs...)
+	}
 
 	newPolicy := v1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{

src/operator/controllers/webhook_traffic/network_policy_handler_test.go

@@ -103,7 +103,7 @@ type NetworkPolicyHandlerTestSuite struct {
 
 func (s *NetworkPolicyHandlerTestSuite) SetupTest() {
 	s.MocksSuiteBase.SetupTest()
-	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.IfBlockedByOtterize, 32)
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.IfBlockedByOtterize, 32, false)
 	s.handler.InjectRecorder(s.Recorder)
 
 	s.validatingWebhook = ValidatingWebhookConfiguration.DeepCopy()
@@ -154,7 +154,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 	s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, false)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -189,7 +189,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -225,7 +225,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{secondPort, TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{secondPort, TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -238,8 +238,15 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 	s.mockReturningWebhookService()
 	s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
 	s.mockGetControlPlaneIPs()
-	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{*getExpectedNetpolWithPorts([]int32{TestServicePort})})
-	s.mockGetNetworkPolicyForUpdate(*getExpectedNetpolWithPorts([]int32{TestServicePort}))
+	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{
+		NewNetworkPolicyBuilder(ExpectedNetpol).
+			WithPorts([]int32{TestServicePort}).
+			WithFromIPBlock(s.handler.allowAllIncomingTraffic).
+			Build()})
+	s.mockGetNetworkPolicyForUpdate(NewNetworkPolicyBuilder(ExpectedNetpol).
+		WithPorts([]int32{TestServicePort}).
+		WithFromIPBlock(s.handler.allowAllIncomingTraffic).
+		Build())
 
 	//netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
 	//s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
@@ -254,10 +261,18 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 	s.mockReturningWebhookService()
 	s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
 	s.mockGetControlPlaneIPs()
-	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{*getExpectedNetpolWithPorts([]int32{12129})})
-	s.mockGetNetworkPolicyForUpdate(*getExpectedNetpolWithPorts([]int32{12129}))
-
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{
+		NewNetworkPolicyBuilder(ExpectedNetpol).
+			WithPorts([]int32{12129}).
+			WithFromIPBlock(s.handler.allowAllIncomingTraffic).
+			Build()})
+	s.mockGetNetworkPolicyForUpdate(
+		NewNetworkPolicyBuilder(ExpectedNetpol).
+			WithPorts([]int32{12129}).
+			WithFromIPBlock(s.handler.allowAllIncomingTraffic).
+			Build())
+
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Patch(gomock.Any(), gomock.All(netpolMatcher), gomock.Any()).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -281,7 +296,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
 }
 
 func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_ServiceIsBlockedByOtterize_DoNothing() {
-	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Off, 32)
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Off, 32, false)
 
 	s.mockForReturningValidatingWebhook()
 	//s.mockReturningWebhookService()
@@ -298,15 +313,19 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_Servi
 }
 
 func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_ServiceIsBlockedByOtterize_ExistingWebhookPolicy_DeletePolicy() {
-	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Off, 32)
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Off, 32, false)
 
 	s.mockForReturningValidatingWebhook()
 	//s.mockReturningWebhookService()
 	//s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
 	//s.mockGetControlPlaneIPs()
-	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{*getExpectedNetpolWithPorts([]int32{TestServicePort})})
+	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{
+		NewNetworkPolicyBuilder(ExpectedNetpol).
+			WithPorts([]int32{TestServicePort}).
+			WithFromIPBlock(s.handler.allowAllIncomingTraffic).
+			Build()})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Delete(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -315,7 +334,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_Servi
 }
 
 func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_ServiceIsNotBlockedByOtterize_CreatePolicy() {
-	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Always, 32)
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Always, 32, false)
 	s.handler.InjectRecorder(s.Recorder)
 
 	s.mockForReturningValidatingWebhook()
@@ -324,7 +343,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_Se
 	s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -339,7 +358,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_MutatingWebhook
 	s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)
@@ -354,7 +373,25 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_CRDsWebhooks_Ha
 	s.mockGetControlPlaneIPs()
 	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
 
-	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
+	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
+	err := s.handler.HandleAll(context.Background())
+	s.Require().NoError(err)
+	s.ExpectEvent(ReasonCreatingWebhookTrafficNetpol)
+	s.ExpectEvent(ReasonCreatingWebhookTrafficNetpolSuccess)
+}
+
+func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_AllowAllIncomingTraffic_CreatingWebhookPolicy() {
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Always, 32, true)
+	s.handler.InjectRecorder(s.Recorder)
+
+	s.mockForReturningValidatingWebhook()
+	s.mockReturningWebhookService()
+	//s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
+	//s.mockGetControlPlaneIPs()
+	s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})
+
+	netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
 	s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
 	err := s.handler.HandleAll(context.Background())
 	s.Require().NoError(err)

src/operator/controllers/webhook_traffic/network_policy_handler_utils_test.go

@@ -24,26 +24,28 @@ var ExpectedNetpol = v1.NetworkPolicy{
 		},
 		Ingress: []v1.NetworkPolicyIngressRule{
 			{
-				Ports: []v1.NetworkPolicyPort{},
-				From: []v1.NetworkPolicyPeer{
-					{
-						IPBlock: &v1.IPBlock{
-							CIDR: fmt.Sprintf("%s/32", TestControlPlaneIP),
-						},
-					},
-				},
+				Ports: nil,
+				From:  nil,
 			},
 		},
 		PolicyTypes: []v1.PolicyType{v1.PolicyTypeIngress},
 	},
 }
 
+type NetworkPolicyBuilder struct {
+	policy *v1.NetworkPolicy
+}
+
 type NetworkPolicyMatcher struct {
-	ports []int32
+	ports                   []int32
+	allowAllIncomingTraffic bool
 }
 
-func NewNetworkPolicyMatcher(ports []int32) *NetworkPolicyMatcher {
-	return &NetworkPolicyMatcher{ports: ports}
+func NewNetworkPolicyMatcher(ports []int32, allowAllIncomingTraffic bool) *NetworkPolicyMatcher {
+	return &NetworkPolicyMatcher{
+		ports:                   ports,
+		allowAllIncomingTraffic: allowAllIncomingTraffic,
+	}
 }
 
 func (m *NetworkPolicyMatcher) String() string {
@@ -56,21 +58,47 @@ func (m *NetworkPolicyMatcher) Matches(other interface{}) bool {
 		return false
 	}
 
-	expectedNetpol := getExpectedNetpolWithPorts(m.ports)
+	expectedNetpol := NewNetworkPolicyBuilder(ExpectedNetpol).
+		WithPorts(m.ports).
+		WithFromIPBlock(m.allowAllIncomingTraffic).
+		Build()
 
 	return otherAsNetpol.Namespace == TestNamespace &&
 		otherAsNetpol.Name == expectedNetpol.Name &&
 		reflect.DeepEqual(otherAsNetpol.Labels, expectedNetpol.Labels) &&
 		reflect.DeepEqual(otherAsNetpol.Spec, expectedNetpol.Spec)
 }
 
-func getExpectedNetpolWithPorts(ports []int32) *v1.NetworkPolicy {
-	expectedNetpol := ExpectedNetpol.DeepCopy()
-	expectedNetpol.Spec.Ingress[0].Ports = lo.Map(ports, func(port int32, _ int) v1.NetworkPolicyPort {
+func NewNetworkPolicyBuilder(base v1.NetworkPolicy) *NetworkPolicyBuilder {
+	return &NetworkPolicyBuilder{policy: base.DeepCopy()}
+}
+
+func (b *NetworkPolicyBuilder) WithPorts(ports []int32) *NetworkPolicyBuilder {
+	b.policy.Spec.Ingress[0].Ports = lo.Map(ports, func(port int32, _ int) v1.NetworkPolicyPort {
 		return v1.NetworkPolicyPort{
 			Protocol: lo.ToPtr(corev1.ProtocolTCP),
 			Port:     lo.ToPtr(intstr.IntOrString{Type: intstr.Int, IntVal: port}),
 		}
 	})
-	return expectedNetpol
+	return b
+}
+
+func (b *NetworkPolicyBuilder) WithFromIPBlock(allowAll bool) *NetworkPolicyBuilder {
+	if allowAll {
+		// leave .From empty
+		return b
+	}
+
+	b.policy.Spec.Ingress[0].From = []v1.NetworkPolicyPeer{
+		{
+			IPBlock: &v1.IPBlock{
+				CIDR: fmt.Sprintf("%s/32", TestControlPlaneIP),
+			},
+		},
+	}
+	return b
+}
+
+func (b *NetworkPolicyBuilder) Build() v1.NetworkPolicy {
+	return *b.policy
 }

src/operator/main.go

@@ -242,7 +242,8 @@ func main() {
 		scheme,
 		automate_third_party_network_policy.Off,
 		//enforcementConfig.GetAutomateThirdPartyNetworkPolicy(),
-		viper.GetInt(operatorconfig.ControlPlaneIPv4CidrPrefixLength))
+		viper.GetInt(operatorconfig.ControlPlaneIPv4CidrPrefixLength),
+		viper.GetBool(operatorconfig.WebhookTrafficAllowAllKey))
 	webhookTrafficReconcilerManager := webhook_traffic.NewWebhookTrafficReconcilerManager(mgr.GetClient(), webhooksTrafficNetworkHandler)
 
 	if enforcementConfig.EnableLinkerdPolicies {

src/shared/operatorconfig/config.go

@@ -68,6 +68,8 @@ const (
 	ExternallyManagedPolicyWorkloadsKey           = "externallyManagedPolicyWorkloads"
 	ControlPlaneIPv4CidrPrefixLength              = "control-plane-ipv4-cidr-prefix-length"
 	ControlPlaneIPv4CidrPrefixLengthDefault       = 32
+	WebhookTrafficAllowAllKey                     = "webhook-traffic-allow-all"
+	WebhookTrafficAllowAllDefault                 = true
 )
 
 func init() {
@@ -92,6 +94,7 @@ func init() {
 	viper.SetDefault(EnableGroupInternetIPsByCIDRKey, EnableGroupInternetIPsByCIDRDefault)
 	viper.SetDefault(EnableGroupInternetIPsByCIDRPeersLimitKey, EnableGroupInternetIPsByCIDRPeersLimitDefault)
 	viper.SetDefault(ControlPlaneIPv4CidrPrefixLength, ControlPlaneIPv4CidrPrefixLengthDefault)
+	viper.SetDefault(WebhookTrafficAllowAllKey, WebhookTrafficAllowAllDefault)
 	viper.SetEnvKeyReplacer(strings.NewReplacer("-", "_"))
 	viper.AutomaticEnv()