fix: non-dynamic CIDR updation per node while creating netpol (#257)

* fix: non-dynamic CIDR updation per node while creating netpol Signed-off-by: VedRatan <[email protected]> * chore: revert nimbus version in netpol go.mod Signed-off-by: VedRatan <[email protected]> --------- Signed-off-by: VedRatan <[email protected]>
5GSEC · Sep 30, 2024 · e445f8e · e445f8e
1 parent 56bd5c3
commit e445f8e
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 72 deletions.
diff --git a/pkg/adapter/nimbus-netpol/go.sum b/pkg/adapter/nimbus-netpol/go.sum
@@ -15,6 +15,7 @@ github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
@@ -154,15 +155,21 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ=
+k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04=
 k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws=
+k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4=
 k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc=
+k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
 k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k=
+k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA=
+k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc=
 k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak=
 k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lwtlSR4=
+sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=

diff --git a/pkg/adapter/nimbus-netpol/manager/netpols_manager.go b/pkg/adapter/nimbus-netpol/manager/netpols_manager.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/go-logr/logr"
 	netv1 "k8s.io/api/networking/v1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -36,6 +37,7 @@ var (
 func init() {
 	utilruntime.Must(v1alpha1.AddToScheme(scheme))
 	utilruntime.Must(netv1.AddToScheme(scheme))
+	utilruntime.Must(corev1.AddToScheme(scheme))
 	k8sClient = k8s.NewOrDie(scheme)
 }
 
@@ -104,7 +106,7 @@ func createOrUpdateNetworkPolicy(ctx context.Context, npName, npNamespace string
 	}
 
 	deleteDanglingNetpols(ctx, np, logger)
-	netPols := processor.BuildNetPolsFrom(logger, np)
+	netPols := processor.BuildNetPolsFrom(logger, np, k8sClient)
 	// Iterate using a separate index variable to avoid aliasing
 	for idx := range netPols {
 		netpol := netPols[idx]

diff --git a/pkg/adapter/nimbus-netpol/processor/netpol_builder.go b/pkg/adapter/nimbus-netpol/processor/netpol_builder.go
@@ -4,26 +4,27 @@
 package processor
 
 import (
+	"context"
 	"strings"
 
+	v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
+	"github.com/5GSEC/nimbus/pkg/adapter/idpool"
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	netv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
-
-	v1alpha1 "github.com/5GSEC/nimbus/api/v1alpha1"
-	"github.com/5GSEC/nimbus/pkg/adapter/idpool"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func BuildNetPolsFrom(logger logr.Logger, np v1alpha1.NimbusPolicy) []netv1.NetworkPolicy {
+func BuildNetPolsFrom(logger logr.Logger, np v1alpha1.NimbusPolicy, k8sClient client.Client) []netv1.NetworkPolicy {
 	// Build netpols based on given IDs
 	var netpols []netv1.NetworkPolicy
 	for _, nimbusRule := range np.Spec.NimbusRules {
 		id := nimbusRule.ID
 		logger.Info(id)
 		if idpool.IsIdSupportedBy(id, "netpol") {
-			netpol := buildNetPolFor(id)
+			netpol := buildNetPolFor(id, k8sClient, logger)
 			netpol.Name = np.Name + "-" + strings.ToLower(id)
 			netpol.Namespace = np.Namespace
 			netpol.Spec.PodSelector.MatchLabels = np.Spec.Selector.MatchLabels
@@ -37,80 +38,76 @@ func BuildNetPolsFrom(logger logr.Logger, np v1alpha1.NimbusPolicy) []netv1.Netw
 	return netpols
 }
 
-func buildNetPolFor(id string) netv1.NetworkPolicy {
+func buildNetPolFor(id string, k8sClient client.Client, logger logr.Logger) netv1.NetworkPolicy {
 	switch id {
 	case idpool.DNSManipulation:
-		return dnsManipulationNetpol()
+		return dnsManipulationNetpol(k8sClient, logger)
 	case idpool.DenyENAccess:
-		return denyExternalNetworkAcessNetpol()
+		return denyExternalNetworkAcessNetpol(k8sClient, logger)
 	default:
 		return netv1.NetworkPolicy{}
 	}
 }
 
-func denyExternalNetworkAcessNetpol() netv1.NetworkPolicy {
+func denyExternalNetworkAcessNetpol(k8sClient client.Client, logger logr.Logger) netv1.NetworkPolicy {
 	udpProtocol := corev1.ProtocolUDP
 	tcpProtocol := corev1.ProtocolTCP
 	dnsPort := &intstr.IntOrString{
 		Type:   0,
 		IntVal: 53,
 	}
+	froNetpolPeers, err := getPODCIDRs(k8sClient)
+	if err != nil {
+		logger.Error(err, "Failed to get pod CIDRs")
+	}
+	staticCIDRs := []netv1.NetworkPolicyPeer{
+		{
+			IPBlock: &netv1.IPBlock{
+				CIDR: "10.0.0.0/8",
+			},
+		},
+		{
+			IPBlock: &netv1.IPBlock{
+				CIDR: "172.16.0.0/12",
+			},
+		},
+		{
+			IPBlock: &netv1.IPBlock{
+				CIDR: "192.168.0.0/16",
+			},
+		},
+	}
+
+	froNetpolPeers = append(froNetpolPeers, staticCIDRs...)
+
+	toNetPolPeers := []netv1.NetworkPolicyPeer{}
+
+	selector := netv1.NetworkPolicyPeer{
+		PodSelector: &metav1.LabelSelector{
+			MatchLabels: map[string]string{
+				"k8s-app": "kube-dns",
+			},
+		},
+		NamespaceSelector: &metav1.LabelSelector{
+			MatchLabels: map[string]string{
+				"kubernetes.io/metadata.name": "kube-system",
+			},
+		},
+	}
+
+	toNetPolPeers = append(toNetPolPeers, selector)
+	toNetPolPeers = append(toNetPolPeers, froNetpolPeers...)
 
 	return netv1.NetworkPolicy{
 		Spec: netv1.NetworkPolicySpec{
 			Ingress: []netv1.NetworkPolicyIngressRule{
 				{
-					From: []netv1.NetworkPolicyPeer{
-						{
-							IPBlock: &netv1.IPBlock{
-								CIDR: "10.0.0.0/8",
-							},
-						},
-						{
-							IPBlock: &netv1.IPBlock{
-								CIDR: "172.16.0.0/12",
-							},
-						},
-						{
-							IPBlock: &netv1.IPBlock{
-								CIDR: "192.168.0.0/16",
-							},
-						},
-					},
+					From: froNetpolPeers,
 				},
 			},
 			Egress: []netv1.NetworkPolicyEgressRule{
 				{
-					To: []netv1.NetworkPolicyPeer{
-						{
-							PodSelector: &metav1.LabelSelector{
-								MatchLabels: map[string]string{
-									"k8s-app": "kube-dns",
-								},
-							},
-							NamespaceSelector: &metav1.LabelSelector{
-								MatchLabels: map[string]string{
-									"kubernetes.io/metadata.name": "kube-system",
-								},
-							},
-						},
-
-						{
-							IPBlock: &netv1.IPBlock{
-								CIDR: "10.0.0.0/8",
-							},
-						},
-						{
-							IPBlock: &netv1.IPBlock{
-								CIDR: "172.16.0.0/12",
-							},
-						},
-						{
-							IPBlock: &netv1.IPBlock{
-								CIDR: "192.168.0.0/16",
-							},
-						},
-					},
+					To: toNetPolPeers,
 					Ports: []netv1.NetworkPolicyPort{
 						{
 							Protocol: &udpProtocol,
@@ -131,32 +128,39 @@ func denyExternalNetworkAcessNetpol() netv1.NetworkPolicy {
 	}
 }
 
-func dnsManipulationNetpol() netv1.NetworkPolicy {
+func dnsManipulationNetpol(k8sClient client.Client, logger logr.Logger) netv1.NetworkPolicy {
 	udpProtocol := corev1.ProtocolUDP
 	tcpProtocol := corev1.ProtocolTCP
 	dnsPort := &intstr.IntOrString{
 		Type:   0,
 		IntVal: 53,
 	}
 
+	netpolPeers, err := getPODCIDRs(k8sClient)
+	if err != nil {
+		logger.Error(err, "Failed to get pod CIDRs")
+	}
+
+	selector := netv1.NetworkPolicyPeer{
+		PodSelector: &metav1.LabelSelector{
+			MatchLabels: map[string]string{
+				"k8s-app": "kube-dns",
+			},
+		},
+		NamespaceSelector: &metav1.LabelSelector{
+			MatchLabels: map[string]string{
+				"kubernetes.io/metadata.name": "kube-system",
+			},
+		},
+	}
+
+	netpolPeers = append(netpolPeers, selector)
+
 	return netv1.NetworkPolicy{
 		Spec: netv1.NetworkPolicySpec{
 			Egress: []netv1.NetworkPolicyEgressRule{
 				{
-					To: []netv1.NetworkPolicyPeer{
-						{
-							PodSelector: &metav1.LabelSelector{
-								MatchLabels: map[string]string{
-									"k8s-app": "kube-dns",
-								},
-							},
-							NamespaceSelector: &metav1.LabelSelector{
-								MatchLabels: map[string]string{
-									"kubernetes.io/metadata.name": "kube-system",
-								},
-							},
-						},
-					},
+					To: netpolPeers,
 					Ports: []netv1.NetworkPolicyPort{
 						{
 							Protocol: &udpProtocol,
@@ -180,3 +184,24 @@ func addManagedByAnnotation(netpol *netv1.NetworkPolicy) {
 	netpol.Annotations = make(map[string]string)
 	netpol.Annotations["app.kubernetes.io/managed-by"] = "nimbus-netpol"
 }
+
+func getPODCIDRs(k8sClient client.Client) ([]netv1.NetworkPolicyPeer, error) {
+	podCIDRs := []netv1.NetworkPolicyPeer{}
+	ctx := context.Background()
+	nodes := &corev1.NodeList{}
+	if err := k8sClient.List(ctx, nodes); err != nil {
+		return nil, err
+	}
+	for _, node := range nodes.Items {
+		netPolPeer := netv1.NetworkPolicyPeer{
+			IPBlock: &netv1.IPBlock{
+				CIDR: node.Spec.PodCIDR,
+			},
+		}
+
+		podCIDRs = append(podCIDRs, netPolPeer)
+
+	}
+
+	return podCIDRs, nil
+}