Merge pull request #583 from achrefbensaad/optional-network-policies

make network rules optional for system policy
accuknox · Nov 17, 2022 · fbad090 · fbad090
2 parents ce8fb16 + b4917d2
commit fbad090
Show file tree

Hide file tree

Showing 19 changed files with 89 additions and 74 deletions.
diff --git a/src/protobuf/v1/analyzer/analyzer.pb.go b/src/protobuf/v1/analyzer/analyzer.pb.go
diff --git a/src/protobuf/v1/analyzer/analyzer_grpc.pb.go b/src/protobuf/v1/analyzer/analyzer_grpc.pb.go
diff --git a/src/protobuf/v1/config/config.pb.go b/src/protobuf/v1/config/config.pb.go
diff --git a/src/protobuf/v1/config/config_grpc.pb.go b/src/protobuf/v1/config/config_grpc.pb.go
diff --git a/src/protobuf/v1/consumer/consumer.pb.go b/src/protobuf/v1/consumer/consumer.pb.go
diff --git a/src/protobuf/v1/consumer/consumer_grpc.pb.go b/src/protobuf/v1/consumer/consumer_grpc.pb.go
diff --git a/src/protobuf/v1/discovery/discovery.pb.go b/src/protobuf/v1/discovery/discovery.pb.go
diff --git a/src/protobuf/v1/discovery/discovery_grpc.pb.go b/src/protobuf/v1/discovery/discovery_grpc.pb.go
diff --git a/src/protobuf/v1/insight/insight.pb.go b/src/protobuf/v1/insight/insight.pb.go
diff --git a/src/protobuf/v1/insight/insight_grpc.pb.go b/src/protobuf/v1/insight/insight_grpc.pb.go
diff --git a/src/protobuf/v1/observability/observability.pb.go b/src/protobuf/v1/observability/observability.pb.go
diff --git a/src/protobuf/v1/observability/observability_grpc.pb.go b/src/protobuf/v1/observability/observability_grpc.pb.go
diff --git a/src/protobuf/v1/publisher/publisher.pb.go b/src/protobuf/v1/publisher/publisher.pb.go
diff --git a/src/protobuf/v1/publisher/publisher_grpc.pb.go b/src/protobuf/v1/publisher/publisher_grpc.pb.go
diff --git a/src/protobuf/v1/worker/worker.pb.go b/src/protobuf/v1/worker/worker.pb.go
diff --git a/src/protobuf/v1/worker/worker.proto b/src/protobuf/v1/worker/worker.proto
@@ -19,6 +19,7 @@ message WorkerRequest {
     string clustername = 5;
     string labels = 6;
     string fromsource = 7;
+    bool includenetwork = 8;
 }
 
 message WorkerResponse {

diff --git a/src/protobuf/v1/worker/worker_grpc.pb.go b/src/protobuf/v1/worker/worker_grpc.pb.go
diff --git a/src/server/grpcServer.go b/src/server/grpcServer.go
@@ -115,8 +115,8 @@ func (s *workerServer) Convert(ctx context.Context, in *wpb.WorkerRequest) (*wpb
 	} else if in.GetPolicytype() == "system" {
 		log.Info().Msg("Convert system policy called")
 		system.InitSysPolicyDiscoveryConfiguration()
-		system.WriteSystemPoliciesToFile(in.GetNamespace(), in.GetClustername(), in.GetLabels(), in.GetFromsource())
-		return system.GetSysPolicy(in.Namespace, in.Clustername, in.Labels, in.Fromsource), nil
+		system.WriteSystemPoliciesToFile(in.GetNamespace(), in.GetClustername(), in.GetLabels(), in.GetFromsource(), in.GetIncludenetwork())
+		return system.GetSysPolicy(in.Namespace, in.Clustername, in.Labels, in.Fromsource, in.Includenetwork), nil
 	} else {
 		log.Info().Msg("Convert policy called, but no policy type")
 	}

diff --git a/src/systempolicy/systemPolicy.go b/src/systempolicy/systemPolicy.go
@@ -267,8 +267,8 @@ func populateKnoxSysPolicyFromWPFSDb(namespace, clustername, labels, fromsource
 	return ConvertWPFSToKnoxSysPolicy(res, pnMap)
 }
 
-func WriteSystemPoliciesToFile_Ext(namespace, clustername, labels, fromsource string) {
-	kubearmorK8SPolicies := extractK8SSystemPolicies(namespace, clustername, labels, fromsource)
+func WriteSystemPoliciesToFile_Ext(namespace, clustername, labels, fromsource string, includeNetwork bool) {
+	kubearmorK8SPolicies := extractK8SSystemPolicies(namespace, clustername, labels, fromsource, includeNetwork)
 	for _, pol := range kubearmorK8SPolicies {
 		fname := "kubearmor_policies_" + pol.Metadata["clusterName"] + "_" + pol.Metadata["namespace"] + "_" + pol.Metadata["containername"] + "_" + pol.Metadata["name"]
 		libs.WriteKubeArmorPolicyToYamlFile(fname, []types.KubeArmorPolicy{pol})
@@ -282,18 +282,18 @@ func WriteSystemPoliciesToFile_Ext(namespace, clustername, labels, fromsource st
 	}
 }
 
-func WriteSystemPoliciesToFile(namespace, clustername, labels, fromsource string) {
+func WriteSystemPoliciesToFile(namespace, clustername, labels, fromsource string, includeNetwork bool) {
 	latestPolicies := libs.GetSystemPolicies(CfgDB, namespace, "latest")
 	if len(latestPolicies) > 0 {
 		kubeArmorPolicies := plugin.ConvertKnoxSystemPolicyToKubeArmorPolicy(latestPolicies)
 		libs.WriteKubeArmorPolicyToYamlFile("kubearmor_policies", kubeArmorPolicies)
 	}
-	WriteSystemPoliciesToFile_Ext(namespace, clustername, labels, fromsource)
+	WriteSystemPoliciesToFile_Ext(namespace, clustername, labels, fromsource, includeNetwork)
 }
 
-func GetSysPolicy(namespace, clustername, labels, fromsource string) *wpb.WorkerResponse {
+func GetSysPolicy(namespace, clustername, labels, fromsource string, includeNetwork bool) *wpb.WorkerResponse {
 
-	kubearmorK8SPolicies := extractK8SSystemPolicies(namespace, clustername, labels, fromsource)
+	kubearmorK8SPolicies := extractK8SSystemPolicies(namespace, clustername, labels, fromsource, includeNetwork)
 	kubearmorVMPolicies, _ := extractVMSystemPolicies(types.PolicyDiscoveryVMNamespace, clustername, labels, fromsource)
 
 	var response wpb.WorkerResponse
@@ -330,13 +330,16 @@ func GetSysPolicy(namespace, clustername, labels, fromsource string) *wpb.Worker
 	return &response
 }
 
-func extractK8SSystemPolicies(namespace, clustername, labels, fromsource string) []types.KubeArmorPolicy {
+func extractK8SSystemPolicies(namespace, clustername, labels, fromsource string, includeNetwork bool) []types.KubeArmorPolicy {
 	sysPols := populateKnoxSysPolicyFromWPFSDb(namespace, clustername, labels, fromsource)
 	policies := plugin.ConvertKnoxSystemPolicyToKubeArmorPolicy(sysPols)
 
 	var result []types.KubeArmorPolicy
 	for _, pol := range policies {
 		if pol.Metadata["namespace"] != types.PolicyDiscoveryVMNamespace {
+			if !includeNetwork {
+				pol.Spec.Network = types.NetworkRule{}
+			}
 			result = append(result, pol)
 		}
 	}
@@ -1111,7 +1114,7 @@ func PopulateSystemPoliciesFromSystemLogs(sysLogs []types.KnoxSystemLog) []types
 			}
 
 			if strings.Contains(SystemPolicyTo, "file") {
-				WriteSystemPoliciesToFile(sysKey.Namespace, "", "", "")
+				WriteSystemPoliciesToFile(sysKey.Namespace, "", "", "", true)
 			}
 		}
 	}