Skip to content

Commit

Permalink
Refactor workload connection checks to use pod specifications in expo…
Browse files Browse the repository at this point in the history
…sure rules
  • Loading branch information
kooomix committed Jan 14, 2025
1 parent f9a862f commit c6fc553
Show file tree
Hide file tree
Showing 4 changed files with 46 additions and 10 deletions.
22 changes: 21 additions & 1 deletion rules/exposure-to-internet-via-istio-ingress/raw.rego
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,8 @@ deny[msga] {
is_same_namespace(connected_service, wl)
spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
spec_template_spec_patterns[wl.kind]
wl_connected_to_service(wl, connected_service)
pod := get_pod_spec(wl)["spec"]
wl_connected_to_service(pod, connected_service)

# print("Found the workload that the service is connected to", wl)

Expand Down Expand Up @@ -177,3 +178,22 @@ get_fqsn(ns, dest_host) = fqsn {
}



# get_volume - get resource spec paths for {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
get_pod_spec(resources) := result {
resources_kinds := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
resources_kinds[resources.kind]
result = {"spec": resources.spec.template, "start_of_path": "spec.template."}
}

# get_volume - get resource spec paths for "Pod"
get_pod_spec(resources) := result {
resources.kind == "Pod"
result = {"spec": resources, "start_of_path": ""}
}

# get_volume - get resource spec paths for "CronJob"
get_pod_spec(resources) := result {
resources.kind == "CronJob"
result = {"spec": resources.spec.jobTemplate.spec.template.spec, "start_of_path": "spec.jobTemplate.spec.template.spec."}
}
Original file line number Diff line number Diff line change
Expand Up @@ -171,10 +171,7 @@
}
],
"selector": {
"app": "int-0721",
"context": "default",
"name": "int-0721",
"role": "app"
"app": "nginx"
},
"sessionAffinity": "None",
"type": "ClusterIP"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,10 +34,7 @@ spec:
protocol: TCP
targetPort: 8080
selector:
app: int-0721
context: default
name: int-0721
role: app
app: nginx
sessionAffinity: None
type: ClusterIP
status:
Expand Down
24 changes: 23 additions & 1 deletion rules/exposure-to-internet/raw.rego
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,8 @@ deny[msga] {
wl := input[_]
spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
spec_template_spec_patterns[wl.kind]
wl_connected_to_service(wl, service)
pod := get_pod_spec(wl)["spec"]
wl_connected_to_service(pod, service)
failPath := ["spec.type"]
msga := {
"alertMessage": sprintf("workload '%v' is exposed through service '%v'", [wl.metadata.name, service.metadata.name]),
Expand Down Expand Up @@ -124,3 +125,24 @@ is_same_namespace(metadata1, metadata2) {
not metadata1.namespace
metadata2.namespace == "default"
}



# get_volume - get resource spec paths for {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
get_pod_spec(resources) := result {
resources_kinds := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
resources_kinds[resources.kind]
result = {"spec": resources.spec.template, "start_of_path": "spec.template."}
}

# get_volume - get resource spec paths for "Pod"
get_pod_spec(resources) := result {
resources.kind == "Pod"
result = {"spec": resources, "start_of_path": ""}
}

# get_volume - get resource spec paths for "CronJob"
get_pod_spec(resources) := result {
resources.kind == "CronJob"
result = {"spec": resources.spec.jobTemplate.spec.template.spec, "start_of_path": "spec.jobTemplate.spec.template.spec."}
}

0 comments on commit c6fc553

Please sign in to comment.