58 changes: 41 additions & 17 deletions src/operator/controllers/webhook_traffic/network_policy_handler.go
Expand Up @@ -20,6 +20,7 @@ import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/intstr"
"net"
"reflect"
"sigs.k8s.io/controller-runtime/pkg/client"
"strings"
Expand Down Expand Up @@ -53,19 +54,22 @@ type NetworkPolicyHandler struct {
injectablerecorder.InjectableRecorder
policy automate_third_party_network_policy.Enum
controlPlaneCIDRPrefixLength int
allowAllIncomingTraffic bool
}

func NewNetworkPolicyHandler(
client client.Client,
scheme *runtime.Scheme,
policy automate_third_party_network_policy.Enum,
controlPlaneCIDRPrefixLength int,
allowAllIncomingTraffic bool,
) *NetworkPolicyHandler {
return &NetworkPolicyHandler{
client: client,
scheme: scheme,
policy: policy,
controlPlaneCIDRPrefixLength: controlPlaneCIDRPrefixLength,
allowAllIncomingTraffic: allowAllIncomingTraffic,
}
}

Expand Down Expand Up @@ -305,22 +309,24 @@ func (n *NetworkPolicyHandler) getWebhookService(ctx context.Context, webhookSer

func (n *NetworkPolicyHandler) buildNetworkPolicy(ctx context.Context, webhookName string, webhookService *admissionv1.ServiceReference, service *corev1.Service) (v1.NetworkPolicy, error) {
policyName := fmt.Sprintf("webhook-%s-access-to-%s", strings.ToLower(webhookName), strings.ToLower(service.Name))
rule := v1.NetworkPolicyIngressRule{}

controlPlaneIPs, err := n.getControlPlaneIPsAsCIDR(ctx)
if err != nil {
return v1.NetworkPolicy{}, errors.Wrap(err)
}

fromControlPlaneIPs := lo.Map(controlPlaneIPs, func(controlPLaneIP string, _ int) v1.NetworkPolicyPeer {
return v1.NetworkPolicyPeer{
IPBlock: &v1.IPBlock{
CIDR: controlPLaneIP,
},
if !n.allowAllIncomingTraffic {
controlPlaneIPs, err := n.getControlPlaneIPsAsCIDR(ctx)
if err != nil {
return v1.NetworkPolicy{}, errors.Wrap(err)
}
})

rule := v1.NetworkPolicyIngressRule{}
rule.From = append(rule.From, fromControlPlaneIPs...)
fromControlPlaneIPs := lo.Map(controlPlaneIPs, func(controlPLaneIP string, _ int) v1.NetworkPolicyPeer {
return v1.NetworkPolicyPeer{
IPBlock: &v1.IPBlock{
CIDR: controlPLaneIP,
},
}
})

rule.From = append(rule.From, fromControlPlaneIPs...)
}

newPolicy := v1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -387,8 +393,11 @@ func (n *NetworkPolicyHandler) getControlPlaneIPsAsCIDR(ctx context.Context) ([]
}

addresses := make([]string, 0)
if svc.Spec.ClusterIP != "" && svc.Spec.ClusterIP != "None" {
addresses = append(addresses, fmt.Sprintf("%s/32", svc.Spec.ClusterIP))
for _, clusterIP := range svc.Spec.ClusterIPs {
ip, isIP := n.ipAddressToCIDR(clusterIP)
if isIP {
addresses = append(addresses, ip)
}
}

var endpoints corev1.Endpoints
Expand All @@ -399,15 +408,30 @@ func (n *NetworkPolicyHandler) getControlPlaneIPsAsCIDR(ctx context.Context) ([]

for _, subset := range endpoints.Subsets {
for _, endpointAddress := range subset.Addresses {
if endpointAddress.IP != "" && endpointAddress.IP != "None" {
addresses = append(addresses, fmt.Sprintf("%s/%d", endpointAddress.IP, n.controlPlaneCIDRPrefixLength))
ip, isIP := n.ipAddressToCIDR(endpointAddress.IP)
if isIP {
addresses = append(addresses, ip)
}
}
}

return addresses, nil
}

func (n *NetworkPolicyHandler) ipAddressToCIDR(ipAddress string) (string, bool) {
ip := net.ParseIP(ipAddress)
if ip == nil {
return "", false
}

if ip.To4() != nil {
return fmt.Sprintf("%s/%d", ipAddress, n.controlPlaneCIDRPrefixLength), true
}
// The address is IPv6, we currently support configurable CIDR prefix length only for IPv4
return fmt.Sprintf("%s/128", ipAddress), true

}

func (n *NetworkPolicyHandler) policiesAreEqual(policy *v1.NetworkPolicy, otherPolicy *v1.NetworkPolicy) bool {
return reflect.DeepEqual(policy.Spec, otherPolicy.Spec) &&
reflect.DeepEqual(policy.Labels, otherPolicy.Labels)
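Review bot: The ClusterIP entries at L99–L103 now go through `ipAddressToCIDR`, which applies `n.controlPlaneCIDRPrefixLength` to every IPv4 address (L130), whereas the removed line emitted the ClusterIP as a fixed `/32`; with a prefix shorter than 32 the generated policy now admits a whole block around the service VIP instead of the single address, a wider allow than before. If that widening is not intended, make the prefix an explicit argument — `n.ipAddressToCIDR(clusterIP, 32)` in the ClusterIP loop and `n.ipAddressToCIDR(endpointAddress.IP, n.controlPlaneCIDRPrefixLength)` in the endpoints loop — and document the IPv6 `/128` rule on the helper. While rewriting the helper, format `ip.String()` rather than the raw input string, because `net.ParseIP` also accepts IPv4-mapped forms such as `::ffff:a.b.c.d` that satisfy `To4()` yet would be emitted as an IPv6 literal carrying an IPv4 prefix length, which denotes a far larger range. `getControlPlaneIPsAsCIDR` starts before the hunk; `net` at L28 also belongs in the stdlib import group rather than between the k8s imports.
```go
// ipAddressToCIDR renders ipAddress as the CIDR of an IPBlock peer. IPv4
// addresses get prefixLength; IPv6 addresses always get /128 because a
// configurable prefix length is only supported for IPv4. The bool is false
// when ipAddress does not parse as an IP address.
func (n *NetworkPolicyHandler) ipAddressToCIDR(ipAddress string, prefixLength int) (string, bool) {
	ip := net.ParseIP(ipAddress)
	if ip == nil {
		return "", false
	}
	if ip4 := ip.To4(); ip4 != nil {
		// ip4.String() canonicalises IPv4-mapped IPv6 input to dotted quad.
		return fmt.Sprintf("%s/%d", ip4.String(), prefixLength), true
	}
	return fmt.Sprintf("%s/128", ip.String()), true
}
```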
Expand Up @@ -25,7 +25,7 @@ const (
TestNamespace = "test-namespace"
TestWebhookName = "test-webhook"
TestServicePodName = "test-service-pod"
TestControlPlaneIP = "111.222.333.4"
TestControlPlaneIP = "11.22.33.4"
)

var OtterizeIngressNetpols = []v1.NetworkPolicy{
Expand Down Expand Up @@ -103,7 +103,7 @@ type NetworkPolicyHandlerTestSuite struct {

func (s *NetworkPolicyHandlerTestSuite) SetupTest() {
s.MocksSuiteBase.SetupTest()
s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.IfBlockedByOtterize, 32)
s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.IfBlockedByOtterize, 32, false)
s.handler.InjectRecorder(s.Recorder)

s.validatingWebhook = ValidatingWebhookConfiguration.DeepCopy()
Expand Down Expand Up @@ -154,7 +154,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
s.mockGetControlPlaneIPs()
s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})

netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, false)
s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
err := s.handler.HandleAll(context.Background())
s.Require().NoError(err)
Expand Down Expand Up @@ -189,7 +189,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked

s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})

netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
err := s.handler.HandleAll(context.Background())
s.Require().NoError(err)
Expand Down Expand Up @@ -225,7 +225,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked

s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})

netpolMatcher := NewNetworkPolicyMatcher([]int32{secondPort, TestServicePort})
netpolMatcher := NewNetworkPolicyMatcher([]int32{secondPort, TestServicePort}, s.handler.allowAllIncomingTraffic)
s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
err := s.handler.HandleAll(context.Background())
s.Require().NoError(err)
Expand All @@ -238,8 +238,15 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
s.mockReturningWebhookService()
s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
s.mockGetControlPlaneIPs()
s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{*getExpectedNetpolWithPorts([]int32{TestServicePort})})
s.mockGetNetworkPolicyForUpdate(*getExpectedNetpolWithPorts([]int32{TestServicePort}))
s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{
NewNetworkPolicyBuilder(ExpectedNetpol).
WithPorts([]int32{TestServicePort}).
WithFromIPBlock(s.handler.allowAllIncomingTraffic).
Build()})
s.mockGetNetworkPolicyForUpdate(NewNetworkPolicyBuilder(ExpectedNetpol).
WithPorts([]int32{TestServicePort}).
WithFromIPBlock(s.handler.allowAllIncomingTraffic).
Build())

//netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
//s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
Expand All @@ -254,10 +261,18 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
s.mockReturningWebhookService()
s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
s.mockGetControlPlaneIPs()
s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{*getExpectedNetpolWithPorts([]int32{12129})})
s.mockGetNetworkPolicyForUpdate(*getExpectedNetpolWithPorts([]int32{12129}))

netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{
NewNetworkPolicyBuilder(ExpectedNetpol).
WithPorts([]int32{12129}).
WithFromIPBlock(s.handler.allowAllIncomingTraffic).
Build()})
s.mockGetNetworkPolicyForUpdate(
NewNetworkPolicyBuilder(ExpectedNetpol).
WithPorts([]int32{12129}).
WithFromIPBlock(s.handler.allowAllIncomingTraffic).
Build())

netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
s.Client.EXPECT().Patch(gomock.Any(), gomock.All(netpolMatcher), gomock.Any()).Return(nil)
err := s.handler.HandleAll(context.Background())
s.Require().NoError(err)
Expand All @@ -281,7 +296,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleIfBlocked
}

func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_ServiceIsBlockedByOtterize_DoNothing() {
s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Off, 32)
s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Off, 32, false)

s.mockForReturningValidatingWebhook()
//s.mockReturningWebhookService()
Expand All @@ -298,15 +313,19 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_Servi
}

func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_ServiceIsBlockedByOtterize_ExistingWebhookPolicy_DeletePolicy() {
s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Off, 32)
s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Off, 32, false)

s.mockForReturningValidatingWebhook()
//s.mockReturningWebhookService()
//s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
//s.mockGetControlPlaneIPs()
s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{*getExpectedNetpolWithPorts([]int32{TestServicePort})})
s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{
NewNetworkPolicyBuilder(ExpectedNetpol).
WithPorts([]int32{TestServicePort}).
WithFromIPBlock(s.handler.allowAllIncomingTraffic).
Build()})

netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
s.Client.EXPECT().Delete(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
err := s.handler.HandleAll(context.Background())
s.Require().NoError(err)
Expand All @@ -315,7 +334,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleOff_Servi
}

func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_ServiceIsNotBlockedByOtterize_CreatePolicy() {
s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Always, 32)
s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Always, 32, false)
s.handler.InjectRecorder(s.Recorder)

s.mockForReturningValidatingWebhook()
Expand All @@ -324,7 +343,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_Se
s.mockGetControlPlaneIPs()
s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})

netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
err := s.handler.HandleAll(context.Background())
s.Require().NoError(err)
Expand All @@ -339,7 +358,7 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_MutatingWebhook
s.mockGetControlPlaneIPs()
s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})

netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
err := s.handler.HandleAll(context.Background())
s.Require().NoError(err)
Expand All @@ -354,7 +373,25 @@ func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_CRDsWebhooks_Ha
s.mockGetControlPlaneIPs()
s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})

netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort})
netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
err := s.handler.HandleAll(context.Background())
s.Require().NoError(err)
s.ExpectEvent(ReasonCreatingWebhookTrafficNetpol)
s.ExpectEvent(ReasonCreatingWebhookTrafficNetpolSuccess)
}

func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleAlways_AllowAllIncomingTraffic_CreatingWebhookPolicy() {
s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.Always, 32, true)
s.handler.InjectRecorder(s.Recorder)

s.mockForReturningValidatingWebhook()
s.mockReturningWebhookService()
//s.mockServiceIsBlockedByOtterize(OtterizeIngressNetpols)
//s.mockGetControlPlaneIPs()
s.mockGetExistingOtterizeWebhooksNetpols([]v1.NetworkPolicy{})

netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, s.handler.allowAllIncomingTraffic)
s.Client.EXPECT().Create(gomock.Any(), gomock.All(netpolMatcher)).Return(nil)
err := s.handler.HandleAll(context.Background())
s.Require().NoError(err)
Expand Down Expand Up @@ -499,7 +536,7 @@ func (s *NetworkPolicyHandlerTestSuite) mockGetControlPlaneIPs() {
gomock.Any(), gomock.Eq(types.NamespacedName{Name: "kubernetes", Namespace: "default"}), gomock.Eq(&corev1.Service{}),
).DoAndReturn(
func(_ any, _ any, svc *corev1.Service, _ ...any) error {
svc.Spec.ClusterIP = TestControlPlaneIP
svc.Spec.ClusterIPs = []string{TestControlPlaneIP}
svc.Name = "kubernetes"
svc.Namespace = "default"
return nil
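Review bot: The new allow-all test at L300–L313 builds its matcher from `s.handler.allowAllIncomingTraffic`, the very field whose effect it is meant to verify, so the expected policy is derived from the handler's configuration rather than stated independently; `netpolMatcher := NewNetworkPolicyMatcher([]int32{TestServicePort}, true)` makes the expectation explicit, and the pre-existing tests (L174, L183, L224, L256, L274, L283, L292) would likewise read more clearly with a literal `false`. The two commented-out mock calls at L306–L307 should be deleted rather than left in the new test; if the gomock controller is strict, an unexpected control-plane lookup already fails the test, which is the assertion that matters here. The enclosing test suite and its mock helpers extend beyond the hunks shown.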
Expand Up @@ -24,26 +24,28 @@ var ExpectedNetpol = v1.NetworkPolicy{
},
Ingress: []v1.NetworkPolicyIngressRule{
{
Ports: []v1.NetworkPolicyPort{},
From: []v1.NetworkPolicyPeer{
{
IPBlock: &v1.IPBlock{
CIDR: fmt.Sprintf("%s/32", TestControlPlaneIP),
},
},
},
Ports: nil,
From: nil,
},
},
PolicyTypes: []v1.PolicyType{v1.PolicyTypeIngress},
},
}

type NetworkPolicyBuilder struct {
policy *v1.NetworkPolicy
}

type NetworkPolicyMatcher struct {
ports []int32
ports []int32
allowAllIncomingTraffic bool
}

func NewNetworkPolicyMatcher(ports []int32) *NetworkPolicyMatcher {
return &NetworkPolicyMatcher{ports: ports}
func NewNetworkPolicyMatcher(ports []int32, allowAllIncomingTraffic bool) *NetworkPolicyMatcher {
return &NetworkPolicyMatcher{
ports: ports,
allowAllIncomingTraffic: allowAllIncomingTraffic,
}
}

func (m *NetworkPolicyMatcher) String() string {
Expand All @@ -56,21 +58,47 @@ func (m *NetworkPolicyMatcher) Matches(other interface{}) bool {
return false
}

expectedNetpol := getExpectedNetpolWithPorts(m.ports)
expectedNetpol := NewNetworkPolicyBuilder(ExpectedNetpol).
WithPorts(m.ports).
WithFromIPBlock(m.allowAllIncomingTraffic).
Build()

return otherAsNetpol.Namespace == TestNamespace &&
otherAsNetpol.Name == expectedNetpol.Name &&
reflect.DeepEqual(otherAsNetpol.Labels, expectedNetpol.Labels) &&
reflect.DeepEqual(otherAsNetpol.Spec, expectedNetpol.Spec)
}

func getExpectedNetpolWithPorts(ports []int32) *v1.NetworkPolicy {
expectedNetpol := ExpectedNetpol.DeepCopy()
expectedNetpol.Spec.Ingress[0].Ports = lo.Map(ports, func(port int32, _ int) v1.NetworkPolicyPort {
func NewNetworkPolicyBuilder(base v1.NetworkPolicy) *NetworkPolicyBuilder {
return &NetworkPolicyBuilder{policy: base.DeepCopy()}
}

func (b *NetworkPolicyBuilder) WithPorts(ports []int32) *NetworkPolicyBuilder {
b.policy.Spec.Ingress[0].Ports = lo.Map(ports, func(port int32, _ int) v1.NetworkPolicyPort {
return v1.NetworkPolicyPort{
Protocol: lo.ToPtr(corev1.ProtocolTCP),
Port: lo.ToPtr(intstr.IntOrString{Type: intstr.Int, IntVal: port}),
}
})
return expectedNetpol
return b
}

func (b *NetworkPolicyBuilder) WithFromIPBlock(allowAll bool) *NetworkPolicyBuilder {
if allowAll {
// leave .From empty
return b
}

b.policy.Spec.Ingress[0].From = []v1.NetworkPolicyPeer{
{
IPBlock: &v1.IPBlock{
CIDR: fmt.Sprintf("%s/32", TestControlPlaneIP),
},
},
}
return b
}

func (b *NetworkPolicyBuilder) Build() v1.NetworkPolicy {
return *b.policy
}
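Review bot: `WithFromIPBlock(allowAll bool)` at L399–L413 takes a flag whose true value makes the method add nothing, so a call reading `WithFromIPBlock(true)` suggests a peer is added when the opposite happens; a clearer shape is a parameterless `WithControlPlaneFromIPBlock()` that always adds the peer, with callers guarding it by `if !allowAll`, or at least a doc comment stating the inversion. The comment `// leave .From empty` at L401 should also say why that models allow-all: an ingress rule with no `From` peers admits every source to the listed ports, which is exactly what the handler produces when `allowAllIncomingTraffic` is set. Both builder methods index `Ingress[0]` unguarded; that is fine for `ExpectedNetpol`, which declares one rule, but a base policy with no ingress rules would panic, so a comment on `NewNetworkPolicyBuilder` noting that precondition would help future callers.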