add matchLabel parsing for cilium netpol

Signed-off-by: Matthias Bertschy <[email protected]>
armosec · Jun 24, 2024 · abc34cd · abc34cd
1 parent 3997fa5
commit abc34cd
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 1 deletion.
diff --git a/armometadata/k8sutils.go b/armometadata/k8sutils.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"hash/fnv"
 	"path"
+	"slices"
 	"strings"
 
 	"github.com/armosec/utils-k8s-go/wlid"
@@ -176,7 +177,7 @@ func ExtractMetadataFromJsonBytes(input []byte) (Metadata, error) {
 				m.OwnerReferences[unquote(key)] = unquote(value)
 			}
 
-			if subParent == "podSelector" {
+			if slices.Contains([]string{"podSelector", "endpointSelector"}, subParent) {
 				m.PodSelectorMatchLabels[unquote(key)] = unquote(value)
 			}
 

diff --git a/armometadata/k8sutils_test.go b/armometadata/k8sutils_test.go
@@ -228,6 +228,15 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 			apiVersion:             "spdx.softwarecomposition.kubescape.io/v1beta1",
 			podSelectorMatchLabels: map[string]string{},
 		},
+		{
+			name:                   "ciliumnetworkpolicy",
+			annotations:            map[string]string{},
+			labels:                 map[string]string{},
+			ownerReferences:        map[string]string{},
+			kind:                   "CiliumNetworkPolicy",
+			apiVersion:             "cilium.io/v2",
+			podSelectorMatchLabels: map[string]string{"app": "frontend"},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/armometadata/testdata/ciliumnetworkpolicy.json b/armometadata/testdata/ciliumnetworkpolicy.json
@@ -0,0 +1,61 @@
+{
+  "apiVersion": "cilium.io/v2",
+  "kind": "CiliumNetworkPolicy",
+  "metadata": {
+    "name": "untitled-policy"
+  },
+  "spec": {
+    "endpointSelector": {
+      "matchLabels": {
+        "app": "frontend"
+      }
+    },
+    "egress": [
+      {
+        "toEndpoints": [
+          {
+            "matchLabels": {
+              "io.kubernetes.pod.namespace": "kube-system",
+              "k8s-app": "kube-dns"
+            }
+          }
+        ],
+        "toPorts": [
+          {
+            "ports": [
+              {
+                "port": "53",
+                "protocol": "UDP"
+              }
+            ],
+            "rules": {
+              "dns": [
+                {
+                  "matchPattern": "*"
+                }
+              ]
+            }
+          }
+        ]
+      },
+      {
+        "toEndpoints": [
+          {
+            "matchLabels": {
+              "app": "backend"
+            }
+          }
+        ],
+        "toPorts": [
+          {
+            "ports": [
+              {
+                "port": "443"
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+}