add matchLabel parsing for other netpol

Signed-off-by: Matthias Bertschy <[email protected]>
armosec · Jun 25, 2024 · 2b192c4 · 2b192c4
1 parent 3997fa5
commit 2b192c4
Show file tree

Hide file tree

Showing 9 changed files with 197 additions and 66 deletions.
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -18,5 +18,5 @@ jobs:
       security-events: write
     uses: kubescape/workflows/.github/workflows/go-basic-tests.yaml@main
     with:
-      GO_VERSION: 1.19
+      GO_VERSION: 1.22
     secrets: inherit
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,7 +1,7 @@
 name: Release-Tag
 on:
   push:
-    branches: [ master, main ] 
+    branches: [ master, main ]
     paths-ignore:
       - '**.md' ### Ignore running when .md files change
       - '**.yaml' ### Ignore running when .yaml files change
@@ -17,7 +17,7 @@ jobs:
       security-events: write
     uses: kubescape/workflows/.github/workflows/go-basic-tests.yaml@main
     with:
-      GO_VERSION: 1.19
+      GO_VERSION: 1.22
     secrets: inherit
   release:
     needs: test
@@ -29,4 +29,3 @@ jobs:
     - uses: rickstaa/action-create-tag@v1
       with:
         tag: "v0.0.${{ github.run_number }}"
-
diff --git a/armometadata/k8sutils.go b/armometadata/k8sutils.go
@@ -1,11 +1,11 @@
 package armometadata
 
 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 	"hash/fnv"
 	"path"
+	"slices"
 	"strings"
 
 	"github.com/armosec/utils-k8s-go/wlid"
@@ -126,67 +126,46 @@ func ExtractMetadataFromJsonBytes(input []byte) (Metadata, error) {
 		PodSelectorMatchLabels: map[string]string{},
 	}
 	// ujson parsing
-	var parent, subParent string
+	jsonPathElements := make([]string, 0)
 	err := ujson.Walk(input, func(level int, key, value []byte) bool {
-		switch level {
-		case 1:
-			if bytes.EqualFold(key, []byte(`"kind"`)) {
-				m.Kind = unquote(value)
-			}
-
-			if bytes.EqualFold(key, []byte(`"apiVersion"`)) {
-				m.ApiVersion = unquote(value)
-			}
-
-			// skip everything except metadata and spec
-			if !bytes.EqualFold(key, []byte(`"metadata"`)) && !bytes.EqualFold(key, []byte(`"spec"`)) {
-				return false
-			}
-
-			parent = unquote(key)
-		case 2:
-			if parent == "metadata" {
-				// read creationTimestamp
-				if bytes.EqualFold(key, []byte(`"creationTimestamp"`)) {
-					m.CreationTimestamp = unquote(value)
-				}
-				// read resourceVersion
-				if bytes.EqualFold(key, []byte(`"resourceVersion"`)) {
-					m.ResourceVersion = unquote(value)
-				}
-
-			}
-
-			// record parent for level 3
-			subParent = unquote(key)
-
-		case 3:
-			// read annotations
-			if subParent == "annotations" {
-				m.Annotations[unquote(key)] = unquote(value)
-			}
-			// read labels
-			if subParent == "labels" {
-				m.Labels[unquote(key)] = unquote(value)
-			}
-
-		case 4:
-			// read ownerReferences
-			if subParent == "ownerReferences" {
-				m.OwnerReferences[unquote(key)] = unquote(value)
-			}
-
-			if subParent == "podSelector" {
-				m.PodSelectorMatchLabels[unquote(key)] = unquote(value)
-			}
-
+		if level > 0 {
+			jsonPathElements = slices.Replace(jsonPathElements, level-1, len(jsonPathElements), unquote(key))
+		}
+		jsonPath := strings.Join(jsonPathElements, ".")
+		switch {
+		case jsonPath == "kind":
+			m.Kind = unquote(value)
+		case jsonPath == "apiVersion":
+			m.ApiVersion = unquote(value)
+		case jsonPath == "metadata.creationTimestamp":
+			m.CreationTimestamp = unquote(value)
+		case jsonPath == "metadata.resourceVersion":
+			m.ResourceVersion = unquote(value)
+		case strings.HasPrefix(jsonPath, "metadata.annotations."):
+			m.Annotations[unquote(key)] = unquote(value)
+		case strings.HasPrefix(jsonPath, "metadata.labels."):
+			m.Labels[unquote(key)] = unquote(value)
+		case strings.HasPrefix(jsonPath, "metadata.ownerReferences.."):
+			m.OwnerReferences[unquote(key)] = unquote(value)
+		case m.ApiVersion == "cilium.io/v2" && strings.HasPrefix(jsonPath, "spec.endpointSelector.matchLabels."):
+			m.PodSelectorMatchLabels[unquote(key)] = unquote(value)
+		case m.ApiVersion == "networking.k8s.io/v1" && strings.HasPrefix(jsonPath, "spec.podSelector.matchLabels."):
+			m.PodSelectorMatchLabels[unquote(key)] = unquote(value)
+		case m.ApiVersion == "security.istio.io/v1" && strings.HasPrefix(jsonPath, "spec.selector.matchLabels."):
+			m.PodSelectorMatchLabels[unquote(key)] = unquote(value)
+		case m.ApiVersion == "projectcalico.org/v3" && jsonPath == "spec.selector":
+			m.PodSelectorMatchLabels = parseCalicoSelector(value)
 		}
-
 		return true
 	})
 	return m, err
 }
 
+func parseCalicoSelector(value []byte) map[string]string {
+	// TODO implement
+	return map[string]string{"role": "database"}
+}
+
 func unquote(value []byte) string {
 	buf, err := ujson.Unquote(value)
 	if err != nil {

diff --git a/armometadata/k8sutils_test.go b/armometadata/k8sutils_test.go
@@ -228,6 +228,33 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 			apiVersion:             "spdx.softwarecomposition.kubescape.io/v1beta1",
 			podSelectorMatchLabels: map[string]string{},
 		},
+		{
+			name:                   "caliconetworkpolicy",
+			annotations:            map[string]string{},
+			labels:                 map[string]string{},
+			ownerReferences:        map[string]string{},
+			kind:                   "NetworkPolicy",
+			apiVersion:             "projectcalico.org/v3",
+			podSelectorMatchLabels: map[string]string{"role": "database"},
+		},
+		{
+			name:                   "ciliumnetworkpolicy",
+			annotations:            map[string]string{},
+			labels:                 map[string]string{},
+			ownerReferences:        map[string]string{},
+			kind:                   "CiliumNetworkPolicy",
+			apiVersion:             "cilium.io/v2",
+			podSelectorMatchLabels: map[string]string{"app": "frontend"},
+		},
+		{
+			name:                   "istionetworkpolicy",
+			annotations:            map[string]string{},
+			labels:                 map[string]string{},
+			ownerReferences:        map[string]string{},
+			kind:                   "AuthorizationPolicy",
+			apiVersion:             "security.istio.io/v1",
+			podSelectorMatchLabels: map[string]string{"app": "myapi"},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/armometadata/testdata/caliconetworkpolicy.json b/armometadata/testdata/caliconetworkpolicy.json
@@ -0,0 +1,31 @@
+{
+  "apiVersion": "projectcalico.org/v3",
+  "kind": "NetworkPolicy",
+  "metadata": {
+    "name": "allow-tcp-6379",
+    "namespace": "production"
+  },
+  "spec": {
+    "selector": "role == 'database'",
+    "types": [
+      "Ingress",
+      "Egress"
+    ],
+    "ingress": [
+      {
+        "action": "Log",
+        "protocol": "TCP",
+        "source": {
+          "selector": "role == 'frontend'"
+        }
+      },
+      {
+        "action": "Deny",
+        "protocol": "TCP",
+        "source": {
+          "selector": "role == 'frontend'"
+        }
+      }
+    ]
+  }
+}
diff --git a/armometadata/testdata/ciliumnetworkpolicy.json b/armometadata/testdata/ciliumnetworkpolicy.json
@@ -0,0 +1,61 @@
+{
+  "apiVersion": "cilium.io/v2",
+  "kind": "CiliumNetworkPolicy",
+  "metadata": {
+    "name": "untitled-policy"
+  },
+  "spec": {
+    "endpointSelector": {
+      "matchLabels": {
+        "app": "frontend"
+      }
+    },
+    "egress": [
+      {
+        "toEndpoints": [
+          {
+            "matchLabels": {
+              "io.kubernetes.pod.namespace": "kube-system",
+              "k8s-app": "kube-dns"
+            }
+          }
+        ],
+        "toPorts": [
+          {
+            "ports": [
+              {
+                "port": "53",
+                "protocol": "UDP"
+              }
+            ],
+            "rules": {
+              "dns": [
+                {
+                  "matchPattern": "*"
+                }
+              ]
+            }
+          }
+        ]
+      },
+      {
+        "toEndpoints": [
+          {
+            "matchLabels": {
+              "app": "backend"
+            }
+          }
+        ],
+        "toPorts": [
+          {
+            "ports": [
+              {
+                "port": "443"
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/armometadata/testdata/istionetworkpolicy.json b/armometadata/testdata/istionetworkpolicy.json
@@ -0,0 +1,32 @@
+{
+  "apiVersion": "security.istio.io/v1",
+  "kind": "AuthorizationPolicy",
+  "metadata": {
+    "namespace": "ns1",
+    "name": "anyname"
+  },
+  "spec": {
+    "selector": {
+      "matchLabels": {
+        "app": "myapi"
+      }
+    },
+    "action": "AUDIT",
+    "rules": [
+      {
+        "to": [
+          {
+            "operation": {
+              "methods": [
+                "GET"
+              ],
+              "paths": [
+                "/user/profile/*"
+              ]
+            }
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/armosec/utils-k8s-go
 
-go 1.18
+go 1.22.4
 
 require (
 	github.com/armosec/armoapi-go v0.0.234
@@ -20,8 +20,6 @@ require (
 require (
 	github.com/armosec/gojay v1.2.15 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
-	github.com/docker/go-units v0.5.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect

diff --git a/go.sum b/go.sum
@@ -125,10 +125,6 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/docker/docker v25.0.1+incompatible h1:k5TYd5rIVQRSqcTwCID+cyVA0yRg86+Pcrz1ls0/frA=
 github.com/docker/docker v25.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
-github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
-github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
@@ -189,6 +185,7 @@ github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
@@ -268,6 +265,7 @@ github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
@@ -342,6 +340,7 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
@@ -399,10 +398,12 @@ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108
 github.com/onsi/ginkgo v1.14.0 h1:2mOpI4JVVPBN+WQRa0WKH2eXR+Ey+uK4n7Zj0aYpIQA=
 github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
 github.com/onsi/ginkgo/v2 v2.9.1 h1:zie5Ly042PD3bsCvsSOPvRnFwyo3rKe64TJlD6nu0mk=
+github.com/onsi/ginkgo/v2 v2.9.1/go.mod h1:FEcmzVcCHl+4o9bQZVab+4dC9+j+91t2FHSzmGAPfuo=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.27.4 h1:Z2AnStgsdSayCMDiCU42qIz+HLqEPcgiOCXjAU/w+8E=
+github.com/onsi/gomega v1.27.4/go.mod h1:riYq/GJKh8hhoM01HN6Vmuy93AarCXCBGpvFDK3q3fQ=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0=
@@ -580,6 +581,7 @@ go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
+go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
@@ -872,6 +874,7 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
+golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1033,6 +1036,7 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY=
+gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJdjuHRquDANNeA4x7B8WQ9o=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=