issue #113: default-deny netpol for each namespace (#119)

* issue #113: default-deny netpol for each namespace
* Fix lint issues
Signed-off-by: Ziv Nevo <[email protected]>

Author: zivnevo

pkg/controller/controller_test.go

@@ -66,23 +66,26 @@ func TestPoliciesSynthesizerAPIFailFast(t *testing.T) {
 
 func TestExtractConnectionsNoK8sResources(t *testing.T) {
 	dirPath := filepath.Join(getTestsDir(), "bad_yamls", "irrelevant_k8s_resources.yaml")
-	conns, errs := extractConnections(dirPath, false)
+	resources, conns, errs := extractConnections(dirPath, false)
 	require.Len(t, errs, 1)
 	require.Empty(t, conns)
+	require.Empty(t, resources)
 }
 
 func TestExtractConnectionsNoK8sResourcesFailFast(t *testing.T) {
 	dirPath := filepath.Join(getTestsDir(), "bad_yamls")
-	conns, errs := extractConnections(dirPath, true)
+	resources, conns, errs := extractConnections(dirPath, true)
 	require.Len(t, errs, 1)
 	require.Empty(t, conns)
+	require.Empty(t, resources)
 }
 
 func TestExtractConnectionsBadConfigMapRefs(t *testing.T) {
 	dirPath := filepath.Join(getTestsDir(), "bad_yamls", "bad_configmap_refs.yaml")
-	conns, errs := extractConnections(dirPath, false)
+	resources, conns, errs := extractConnections(dirPath, false)
 	require.Len(t, errs, 3)
 	require.Empty(t, conns)
+	require.Len(t, resources, 2) // the two deployments in this example get read
 }
 
 func readLines(path string) ([]string, error) {

pkg/controller/engine.go

@@ -6,25 +6,26 @@ import (
 )
 
 // Scans the given directory for YAMLs with k8s resources and extracts required connections between workloads
-func extractConnections(dirPath string, stopOn1stErr bool) ([]*common.Connections, []FileProcessingError) {
+func extractConnections(dirPath string, stopOn1stErr bool) ([]common.Resource, []*common.Connections, []FileProcessingError) {
 	// 1. Get all relevant resources from the repo and parse them
 	dObjs, fileErrors := getK8sDeploymentResources(dirPath, stopOn1stErr)
 	if stopProcessing(stopOn1stErr, fileErrors) {
-		return nil, fileErrors
+		return nil, nil, fileErrors
 	}
 	if len(dObjs) == 0 {
 		fileErrors = appendAndLogNewError(fileErrors, noK8sResourcesFound())
-		return []*common.Connections{}, fileErrors
+		return []common.Resource{}, []*common.Connections{}, fileErrors
 	}
 
 	resources, links, parseErrors := parseResources(dObjs)
 	fileErrors = append(fileErrors, parseErrors...)
 	if stopProcessing(stopOn1stErr, fileErrors) {
-		return nil, fileErrors
+		return nil, nil, fileErrors
 	}
 
 	// 2. Discover all connections between resources
-	return discoverConnections(resources, links), fileErrors
+	connections := discoverConnections(resources, links)
+	return resources, connections, fileErrors
 }
 
 func parseResources(objs []parsedK8sObjects) ([]common.Resource, []common.Service, []FileProcessingError) {

pkg/controller/example_test.go

@@ -118,6 +118,21 @@ func ExamplePoliciesSynthesizer() {
 	//                 "Egress"
 	//             ]
 	//         }
+	//     },
+	//     {
+	//         "kind": "NetworkPolicy",
+	//         "apiVersion": "networking.k8s.io/v1",
+	//         "metadata": {
+	//             "name": "default-deny-in-namespace-",
+	//             "creationTimestamp": null
+	//         },
+	//         "spec": {
+	//             "podSelector": {},
+	//             "policyTypes": [
+	//                 "Ingress",
+	//                 "Egress"
+	//             ]
+	//         }
 	//     }
 	// ]
 }

pkg/controller/policies_synthesizer.go

@@ -64,10 +64,10 @@ func (ps *PoliciesSynthesizer) Errors() []FileProcessingError {
 // PoliciesFromFolderPath returns a slice of Kubernetes NetworkPolicies that allow only the connections discovered
 // while processing K8s resources under the provided directory or one of its subdirectories (recursively).
 func (ps *PoliciesSynthesizer) PoliciesFromFolderPath(dirPath string) ([]*networking.NetworkPolicy, error) {
-	connections, errs := extractConnections(dirPath, ps.stopOnError)
+	resources, connections, errs := extractConnections(dirPath, ps.stopOnError)
 	policies := []*networking.NetworkPolicy{}
 	if !stopProcessing(ps.stopOnError, errs) {
-		policies = synthNetpols(connections)
+		policies = synthNetpols(resources, connections)
 	}
 
 	ps.errors = errs
@@ -81,7 +81,7 @@ func (ps *PoliciesSynthesizer) PoliciesFromFolderPath(dirPath string) ([]*networ
 // ConnectionsFromFolderPath returns a slice of Connections, listing the connections discovered
 // while processing K8s resources under the provided directory or one of its subdirectories (recursively).
 func (ps *PoliciesSynthesizer) ConnectionsFromFolderPath(dirPath string) ([]*common.Connections, error) {
-	connections, errs := extractConnections(dirPath, ps.stopOnError)
+	_, connections, errs := extractConnections(dirPath, ps.stopOnError)
 	ps.errors = errs
 	if err := hasFatalError(errs); err != nil {
 		return nil, err

pkg/controller/synth_netpols.go

@@ -15,6 +15,7 @@ import (
 const (
 	dnsPort           = 53
 	networkAPIVersion = "networking.k8s.io/v1"
+	networkPolicyKind = "NetworkPolicy"
 )
 
 type deploymentConnectivity struct {
@@ -45,9 +46,44 @@ func (deployConn *deploymentConnectivity) addEgressRule(
 	deployConn.egressConns = append(deployConn.egressConns, rule)
 }
 
-func synthNetpols(connections []*common.Connections) []*network.NetworkPolicy {
+// Generate a default-deny NetworkPolicy for the given namespace
+func getNsDefaultDenyPolicy(namespace string) *network.NetworkPolicy {
+	return &network.NetworkPolicy{
+		TypeMeta: metaV1.TypeMeta{
+			Kind:       networkPolicyKind,
+			APIVersion: networkAPIVersion,
+		},
+		ObjectMeta: metaV1.ObjectMeta{
+			Name:      "default-deny-in-namespace-" + namespace,
+			Namespace: namespace,
+		},
+		Spec: network.NetworkPolicySpec{
+			PodSelector: metaV1.LabelSelector{},               // select all pods in the namespace
+			Ingress:     []network.NetworkPolicyIngressRule{}, // deny all ingress
+			Egress:      []network.NetworkPolicyEgressRule{},  // deny all egress
+			PolicyTypes: []network.PolicyType{network.PolicyTypeIngress, network.PolicyTypeEgress},
+		},
+	}
+}
+
+// Generate default-deny NetworkPolicy for each namespace of the given resources
+func getNsDefaultDenyPolicies(resources []common.Resource) []*network.NetworkPolicy {
+	denyNetpols := []*network.NetworkPolicy{}
+	namespaces := map[string]bool{}
+	for resIdx := range resources {
+		namespace := resources[resIdx].Resource.Namespace
+		if _, ok := namespaces[namespace]; !ok {
+			namespaces[namespace] = true
+			denyNetpols = append(denyNetpols, getNsDefaultDenyPolicy(namespace))
+		}
+	}
+	return denyNetpols
+}
+
+func synthNetpols(resources []common.Resource, connections []*common.Connections) []*network.NetworkPolicy {
 	deployConnectivity := determineConnectivityPerDeployment(connections)
 	netpols := buildNetpolPerDeployment(deployConnectivity)
+	netpols = append(netpols, getNsDefaultDenyPolicies(resources)...)
 	return netpols
 }
 
@@ -152,7 +188,7 @@ func buildNetpolPerDeployment(deployConnectivity []*deploymentConnectivity) []*n
 		}
 		netpol := network.NetworkPolicy{
 			TypeMeta: metaV1.TypeMeta{
-				Kind:       "NetworkPolicy",
+				Kind:       networkPolicyKind,
 				APIVersion: networkAPIVersion,
 			},
 			ObjectMeta: metaV1.ObjectMeta{

tests/bookinfo/expected_netpol_output.json

@@ -300,6 +300,21 @@
                     "Egress"
                 ]
             }
+        },
+        {
+            "kind": "NetworkPolicy",
+            "apiVersion": "networking.k8s.io/v1",
+            "metadata": {
+                "name": "default-deny-in-namespace-",
+                "creationTimestamp": null
+            },
+            "spec": {
+                "podSelector": {},
+                "policyTypes": [
+                    "Ingress",
+                    "Egress"
+                ]
+            }
         }
     ]
 }

tests/k8s_guestbook/expected_netpol_output.json

@@ -233,6 +233,38 @@
                     "Egress"
                 ]
             }
+        },
+        {
+            "kind": "NetworkPolicy",
+            "apiVersion": "networking.k8s.io/v1",
+            "metadata": {
+                "name": "default-deny-in-namespace-default",
+                "namespace": "default",
+                "creationTimestamp": null
+            },
+            "spec": {
+                "podSelector": {},
+                "policyTypes": [
+                    "Ingress",
+                    "Egress"
+                ]
+            }
+        },
+        {
+            "kind": "NetworkPolicy",
+            "apiVersion": "networking.k8s.io/v1",
+            "metadata": {
+                "name": "default-deny-in-namespace-redis",
+                "namespace": "redis",
+                "creationTimestamp": null
+            },
+            "spec": {
+                "podSelector": {},
+                "policyTypes": [
+                    "Ingress",
+                    "Egress"
+                ]
+            }
         }
     ]
 }

tests/k8s_wordpress_example/expected_netpol_output.json

@@ -100,6 +100,21 @@
                     "Egress"
                 ]
             }
+        },
+        {
+            "kind": "NetworkPolicy",
+            "apiVersion": "networking.k8s.io/v1",
+            "metadata": {
+                "name": "default-deny-in-namespace-",
+                "creationTimestamp": null
+            },
+            "spec": {
+                "podSelector": {},
+                "policyTypes": [
+                    "Ingress",
+                    "Egress"
+                ]
+            }
         }
     ]
 }

tests/onlineboutique/expected_netpol_interface_output.json

@@ -850,5 +850,20 @@
                 "Egress"
             ]
         }
+    },
+    {
+        "kind": "NetworkPolicy",
+        "apiVersion": "networking.k8s.io/v1",
+        "metadata": {
+            "name": "default-deny-in-namespace-",
+            "creationTimestamp": null
+        },
+        "spec": {
+            "podSelector": {},
+            "policyTypes": [
+                "Ingress",
+                "Egress"
+            ]
+        }
     }
 ]

tests/onlineboutique/expected_netpol_output.json

@@ -854,6 +854,21 @@
                     "Egress"
                 ]
             }
+        },
+        {
+            "kind": "NetworkPolicy",
+            "apiVersion": "networking.k8s.io/v1",
+            "metadata": {
+                "name": "default-deny-in-namespace-",
+                "creationTimestamp": null
+            },
+            "spec": {
+                "podSelector": {},
+                "policyTypes": [
+                    "Ingress",
+                    "Egress"
+                ]
+            }
         }
     ]
 }

tests/onlineboutique/expected_netpol_output.yaml

@@ -402,5 +402,15 @@ items:
         policyTypes:
             - Ingress
             - Egress
+    - apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        creationTimestamp: null
+        name: default-deny-in-namespace-
+      spec:
+        podSelector: {}
+        policyTypes:
+            - Ingress
+            - Egress
 kind: NetworkPolicyList
 metadata: {}

tests/sockshop/expected_netpol_output.json

@@ -338,6 +338,22 @@
                     "Egress"
                 ]
             }
+        },
+        {
+            "kind": "NetworkPolicy",
+            "apiVersion": "networking.k8s.io/v1",
+            "metadata": {
+                "name": "default-deny-in-namespace-sock-shop",
+                "namespace": "sock-shop",
+                "creationTimestamp": null
+            },
+            "spec": {
+                "podSelector": {},
+                "policyTypes": [
+                    "Ingress",
+                    "Egress"
+                ]
+            }
         }
     ]
 }