
Merge pull request #20 from armosec/netpol
fix label parsing for cilium netpol
matthyx authored Jul 26, 2024
2 parents cae76ef + 4e22805 commit 0f29e39
Showing 5 changed files with 239 additions and 879 deletions.
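--- a/armometadata/k8sutils.go
+++ b/armometadata/k8sutils.go
@@ -9,6 +9,7 @@ import (
 "strings"
 
 "github.com/armosec/utils-k8s-go/wlid"
+"github.com/cilium/cilium/pkg/labels"
 "github.com/olvrng/ujson"
 "github.com/spf13/viper"
 
@@ -148,7 +149,7 @@ func ExtractMetadataFromJsonBytes(input []byte) (Metadata, error) {
 case strings.HasPrefix(jsonPath, "metadata.ownerReferences.."):
 m.OwnerReferences[unquote(key)] = unquote(value)
 case m.ApiVersion == "cilium.io/v2" && strings.HasPrefix(jsonPath, "spec.endpointSelector.matchLabels."):
-m.PodSelectorMatchLabels[unquote(key)] = unquote(value)
+addCiliumMatchLabels(m.PodSelectorMatchLabels, key, value)
 case m.ApiVersion == "networking.k8s.io/v1" && strings.HasPrefix(jsonPath, "spec.podSelector.matchLabels."):
 m.PodSelectorMatchLabels[unquote(key)] = unquote(value)
 case m.ApiVersion == "security.istio.io/v1" && strings.HasPrefix(jsonPath, "spec.selector.matchLabels."):
@@ -180,6 +181,22 @@ func ParseCalicoSelector(value []byte) map[string]string {
 return selector
 }
 
+// addCiliumMatchLabels adds matchLabels from a Cilium EndpointSelector to the given map
+// a virtual label is created for each label with a Cilium specific prefix for matching
+func addCiliumMatchLabels(matchLabels map[string]string, key, value []byte) {
+k := unquote(key)
+v := unquote(value)
+matchLabels[k] = v
+// check if we have to trim a Cilium specific prefix to k and create a virtual label
+for _, labelSource := range []string{labels.LabelSourceAny, labels.LabelSourceK8s,
+labels.LabelSourceReserved, labels.LabelSourceUnspec} {
+prefix := labelSource + ":"
+if strings.HasPrefix(k, prefix) {
+matchLabels[k[len(prefix):]] = v
+}
+}
+}
+
 func unquote(value []byte) string {
 buf, err := ujson.Unquote(value)
 if err != nil {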
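Review bot: addCiliumMatchLabels (the new function in the third hunk) imports github.com/cilium/cilium only to read the four LabelSource* string constants, and go.mod in this same commit grows accordingly (cilium v1.16.0 plus what appear to be its transitive pulls such as vishvananda/netlink, go4.org/netipx and mongo-driver); for a metadata-parsing library that is a large supply-chain and build surface for four short strings, so if nothing else in the package needs cilium the prefixes are better declared locally. The loop also allocates the `[]string` literal on every call and the doc comment is two run-on fragments; hoisting the sources to a package-level var, using `strings.CutPrefix` (go.mod already declares go 1.22.4) and stopping after the first match (a key can start with at most one of these prefixes) gives the same behaviour more readably. Note as well that the virtual label silently overwrites an unprefixed entry with the same name, so a selector listing both `app` and `any:app` keeps whichever the JSON emits last; if that is intended a comment should say so.
```go
// ciliumLabelSources are the Cilium label-source prefixes that may precede a
// matchLabels key; they mirror labels.LabelSource* in github.com/cilium/cilium/pkg/labels.
var ciliumLabelSources = []string{"any", "k8s", "reserved", "unspec"}

// addCiliumMatchLabels records one Cilium EndpointSelector matchLabels entry in
// matchLabels and, when the key carries a Cilium source prefix, also records the
// un-prefixed key as a virtual label so the selector can be matched like a plain
// Kubernetes podSelector. A later entry with the same un-prefixed key overwrites it.
func addCiliumMatchLabels(matchLabels map[string]string, key, value []byte) {
	k := unquote(key)
	v := unquote(value)
	matchLabels[k] = v
	for _, source := range ciliumLabelSources {
		if rest, ok := strings.CutPrefix(k, source+":"); ok {
			matchLabels[rest] = v
			break // a key starts with at most one source prefix
		}
	}
}
```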
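--- a/armometadata/k8sutils_test.go
+++ b/armometadata/k8sutils_test.go
@@ -259,7 +259,7 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 ownerReferences: map[string]string{},
 kind: "CiliumNetworkPolicy",
 apiVersion: "cilium.io/v2",
-podSelectorMatchLabels: map[string]string{"app": "frontend"},
+podSelectorMatchLabels: map[string]string{"any:app": "frontend", "app": "frontend"},
 },
 {
 name: "istionetworkpolicy",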
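Review bot: The updated expectation in TestExtractMetadataFromJsonBytes exercises only the `any:` prefix, so the `k8s:`, `reserved:` and `unspec:` branches of addCiliumMatchLabels and the case where a selector carries both a prefixed and an unprefixed key are left unverified. A second Cilium fixture with, for example, `"k8s:app": "frontend"` alongside `"app": "backend"` and a pinned expected map would lock in the intended precedence between the real and the virtual label. The enclosing table-driven test starts and ends outside the hunk.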
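--- a/armometadata/testdata/ciliumnetworkpolicy.json
+++ b/armometadata/testdata/ciliumnetworkpolicy.json
@@ -7,7 +7,7 @@
 "spec": {
 "endpointSelector": {
 "matchLabels": {
-"app": "frontend"
+"any:app": "frontend"
 }
 },
 "egress": [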
113 changes: 67 additions & 46 deletions go.mod
Expand Up @@ -5,72 +5,93 @@ go 1.22.4
require (
github.com/armosec/armoapi-go v0.0.234
github.com/armosec/utils-go v0.0.20
github.com/docker/docker v25.0.1+incompatible
github.com/cilium/cilium v1.16.0
github.com/docker/docker v26.1.4+incompatible
github.com/francoispqt/gojay v1.2.13
github.com/olvrng/ujson v1.1.0
github.com/spf13/viper v1.7.0
github.com/stretchr/testify v1.8.4
go.uber.org/zap v1.22.0
k8s.io/api v0.25.3
k8s.io/apimachinery v0.27.4
k8s.io/apiserver v0.24.3
k8s.io/client-go v0.25.3
github.com/spf13/viper v1.19.0
github.com/stretchr/testify v1.9.0
go.uber.org/zap v1.27.0
k8s.io/api v0.30.2
k8s.io/apimachinery v0.30.2
k8s.io/apiserver v0.30.2
k8s.io/client-go v0.30.2
)

require (
github.com/armosec/gojay v1.2.15 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/emicklei/go-restful/v3 v3.9.0 // indirect
github.com/fsnotify/fsnotify v1.4.9 // indirect
github.com/go-logr/logr v1.2.4 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
github.com/go-openapi/jsonreference v0.20.1 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/emicklei/go-restful/v3 v3.12.0 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-openapi/analysis v0.23.0 // indirect
github.com/go-openapi/errors v0.22.0 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/jsonreference v0.21.0 // indirect
github.com/go-openapi/loads v0.22.0 // indirect
github.com/go-openapi/spec v0.21.0 // indirect
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/google/gnostic v0.5.7-v3refs // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/magiconair/properties v1.8.1 // indirect
github.com/mackerelio/go-osstat v0.2.5 // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mitchellh/mapstructure v1.1.2 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0-rc4 // indirect
github.com/pelletier/go-toml v1.2.0 // indirect
github.com/pelletier/go-toml/v2 v2.2.2 // indirect
github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/rogpeppe/go-internal v1.11.0 // indirect
github.com/spf13/afero v1.6.0 // indirect
github.com/spf13/cast v1.3.0 // indirect
github.com/spf13/jwalterweatherman v1.0.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/sagikazarmark/locafero v0.4.0 // indirect
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
github.com/sasha-s/go-deadlock v0.3.1 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/spf13/afero v1.11.0 // indirect
github.com/spf13/cast v1.6.0 // indirect
github.com/spf13/cobra v1.8.1 // indirect
github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace // indirect
github.com/stripe/stripe-go/v74 v74.28.0 // indirect
github.com/subosito/gotenv v1.2.0 // indirect
go.uber.org/atomic v1.7.0 // indirect
go.uber.org/multierr v1.6.0 // indirect
golang.org/x/net v0.12.0 // indirect
golang.org/x/oauth2 v0.10.0 // indirect
golang.org/x/sys v0.10.0 // indirect
golang.org/x/term v0.10.0 // indirect
golang.org/x/text v0.11.0 // indirect
golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.31.0 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/vishvananda/netlink v1.2.1-beta.2.0.20240524165444-4d4ba1473f21 // indirect
github.com/vishvananda/netns v0.0.4 // indirect
go.mongodb.org/mongo-driver v1.14.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect
golang.org/x/net v0.26.0 // indirect
golang.org/x/oauth2 v0.19.0 // indirect
golang.org/x/sync v0.7.0 // indirect
golang.org/x/sys v0.21.0 // indirect
golang.org/x/term v0.21.0 // indirect
golang.org/x/text v0.16.0 // indirect
golang.org/x/time v0.5.0 // indirect
google.golang.org/protobuf v1.34.2 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.51.0 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
k8s.io/klog/v2 v2.120.1 // indirect
k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 // indirect
k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
sigs.k8s.io/yaml v1.3.0 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)
