Merge branch 'support_admin_netpolicy' into support_anp_for_eval_cmd

np-guard · Nov 12, 2024 · 0f9cdc9 · 0f9cdc9
2 parents 279b759 + 9d5eab2
commit 0f9cdc9
Show file tree

Hide file tree

Showing 9 changed files with 180 additions and 15 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -45,7 +45,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b
+      uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b
+      uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b
+      uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd
diff --git a/.github/workflows/go-build.yml b/.github/workflows/go-build.yml
@@ -16,7 +16,7 @@ jobs:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
     - name: Set up Go
-      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
+      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
       with:
         go-version-file: ./go.mod
 

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
         with:
           go-version-file: ./go.mod
           cache: false

diff --git a/.github/workflows/make-release.yaml b/.github/workflows/make-release.yaml
@@ -17,7 +17,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Set up Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
         with:
           go-version-file: ./go.mod
 

diff --git a/pkg/internal/netpolerrors/netpol_errors.go b/pkg/internal/netpolerrors/netpol_errors.go
@@ -148,9 +148,17 @@ func SamePriorityErr(name1, name2 string) string {
 		"Two policies are considered to be conflicting if they are assigned the same priority."
 }
 
+const (
+	// according to this: https://network-policy-api.sigs.k8s.io/api-overview/#adminnetworkpolicy-priorities
+	// The Priority field in the ANP spec is defined as an integer value within the range 0 to 1000
+	MinANPPriority = 0
+	MaxANPPriority = 1000
+)
+
 // PriorityValueErr returns error message of invalid priority value in an admin-network-policy
 func PriorityValueErr(name string, priority int32) string {
-	return fmt.Sprintf("Invalid Priority Value: %d in Admin Network Policy: %q; Priority value must be between 0-1000", priority, name)
+	return fmt.Sprintf("Invalid Priority Value: %d in Admin Network Policy: %q; Priority value must be between %d-%d", priority, name,
+		MinANPPriority, MaxANPPriority)
 }
 
 const uniquenessRequest = "Only one object of a given kind can have a given name at a time."

diff --git a/pkg/netpol/eval/internal/k8s/adminnetpol.go b/pkg/netpol/eval/internal/k8s/adminnetpol.go
@@ -422,19 +422,12 @@ func (anp *AdminNetworkPolicy) GetEgressPolicyConns(dst Peer) (*PolicyConnection
 	return res, nil
 }
 
-const (
-	// according to this: https://network-policy-api.sigs.k8s.io/api-overview/#adminnetworkpolicy-priorities
-	// The Priority field in the ANP spec is defined as an integer value within the range 0 to 1000
-	minANPPriority = 0
-	maxANPPriority = 1000
-)
-
 // HasValidPriority returns if the priority in a valid range
 func (anp *AdminNetworkPolicy) HasValidPriority() bool {
 	// note: k8s defines "1000" as the maximum numeric value for priority
 	// but openshift currently only support priority values between 0 and 99
 	// current implementation satisfies k8s requirement
-	return anp.Spec.Priority >= minANPPriority && anp.Spec.Priority <= maxANPPriority
+	return anp.Spec.Priority >= netpolerrors.MinANPPriority && anp.Spec.Priority <= netpolerrors.MaxANPPriority
 }
 
 // CheckEgressConnAllowed checks if the input conn is allowed/passed/denied or not captured on egress by current admin-network-policy

diff --git a/tests/anp_banp_blog_demo/ns.yaml b/tests/anp_banp_blog_demo/ns.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foo
+  labels:
+    security: internal
+    kubernetes.io/metadata.name: foo
+---
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bar
+  labels:
+    security: internal
+    kubernetes.io/metadata.name: bar    
+
+---
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: baz
+  labels:    
+    kubernetes.io/metadata.name: baz
+
+---
+
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  labels:
+    kubernetes.io/metadata.name: monitoring        
diff --git a/tests/anp_banp_blog_demo/policies.yaml b/tests/anp_banp_blog_demo/policies.yaml
@@ -0,0 +1,72 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-monitoring
+  namespace: foo
+spec:
+  podSelector:
+  policyTypes:
+    - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: monitoring
+
+---
+
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+  name: default
+spec:
+  subject:
+    namespaces:
+      matchLabels:
+        security: internal
+  ingress:
+  - name: "deny-ingress-from-all-namespaces"
+    action: "Deny"
+    from:
+    - namespaces: {}
+#          matchLabels:
+#            kubernetes.io/metadata.name: monitoring
+
+---
+
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  name: allow-monitoring
+spec:
+  priority: 9
+  subject:
+    namespaces: {}
+  ingress:
+  - name: "allow-ingress-from-monitoring"
+    action: "Allow"
+    from:
+    - namespaces:
+          matchLabels:
+            kubernetes.io/metadata.name: monitoring
+
+
+---
+
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  name: pass-monitoring
+spec:
+  priority: 7
+  subject:
+    namespaces:
+      matchLabels:
+        security: internal
+  ingress:
+  - name: "pass-ingress-from-monitoring"
+    action: "Pass"
+    from:
+    - namespaces:
+          matchLabels:
+            kubernetes.io/metadata.name: monitoring
diff --git a/tests/anp_banp_blog_demo/workloads.yaml b/tests/anp_banp_blog_demo/workloads.yaml
@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  namespace: foo
+  name: my-foo
+  labels:
+    security: internal
+spec:
+  containers:
+    - name: myfirstContainer
+      image: fooimage
+
+---
+
+apiVersion: v1
+kind: Pod
+metadata:
+  namespace: bar
+  name: my-bar
+  labels:
+    security: internal
+spec:
+  containers:
+    - name: myfirstContainer
+      image: barimage
+
+---
+
+apiVersion: v1
+kind: Pod
+metadata:
+  namespace: baz
+  name: my-baz
+  labels:
+    security: none
+spec:
+  containers:
+    - name: myfirstContainer
+      image: bazimage
+
+---
+
+apiVersion: v1
+kind: Pod
+metadata:
+  namespace: monitoring
+  name: my-monitoring
+  labels:
+    security: monitoring
+spec:
+  containers:
+    - name: myfirstContainer
+      image: monitoringimage
+
+---
+
+