Generated network policy (#58)

* add types

Signed-off-by: Daniel Grunberger <[email protected]>

* add registry

Signed-off-by: Daniel Grunberger <[email protected]>

* add merge strategy

Signed-off-by: Daniel Grunberger <[email protected]>

* fix types

Signed-off-by: Daniel Grunberger <[email protected]>

* pr fixes

Signed-off-by: Daniel Grunberger <[email protected]>

* fix example

Signed-off-by: Daniel Grunberger <[email protected]>

* feedback comments

Signed-off-by: Daniel Grunberger <[email protected]>

* change to pointer

Signed-off-by: Daniel Grunberger <[email protected]>

* regenerate

Signed-off-by: Daniel Grunberger <[email protected]>

* use pointer pkg

Signed-off-by: Daniel Grunberger <[email protected]>

* fix file name

Signed-off-by: Daniel Grunberger <[email protected]>

* feat: add and expose the NetworkNeighbors custom resource

* add types

Signed-off-by: Daniel Grunberger <[email protected]>

* add registry

Signed-off-by: Daniel Grunberger <[email protected]>

* add merge strategy

Signed-off-by: Daniel Grunberger <[email protected]>

* fix types

Signed-off-by: Daniel Grunberger <[email protected]>

* fix: shorten stored file names to sidestep FS limitation

Signed-off-by: Vlad Klokun <[email protected]>

* style: remove redundant types from slice definitions

Signed-off-by: Vlad Klokun <[email protected]>

* fix: typo in the vulnerability summary storage source file names

Signed-off-by: Vlad Klokun <[email protected]>

* pr fixes

Signed-off-by: Daniel Grunberger <[email protected]>

* fix example

Signed-off-by: Daniel Grunberger <[email protected]>

* feedback comments

Signed-off-by: Daniel Grunberger <[email protected]>

* change to pointer

Signed-off-by: Daniel Grunberger <[email protected]>

* regenerate

Signed-off-by: Daniel Grunberger <[email protected]>

* use pointer pkg

Signed-off-by: Daniel Grunberger <[email protected]>

* fix file name

Signed-off-by: Daniel Grunberger <[email protected]>

---------

Signed-off-by: Daniel Grunberger <[email protected]>
Signed-off-by: Vlad Klokun <[email protected]>
Co-authored-by: Daniel Grunberger <[email protected]>
Co-authored-by: Vlad Klokun <[email protected]>
Co-authored-by: rcohencyberarmor <[email protected]>

* network neighborses for plural

Signed-off-by: Daniel Grunberger <[email protected]>

* add types

Signed-off-by: Daniel Grunberger <[email protected]>

* use local obj

Signed-off-by: Daniel Grunberger <[email protected]>

* fix types

Signed-off-by: Daniel Grunberger <[email protected]>

* add example

Signed-off-by: Daniel Grunberger <[email protected]>

* implement custom storage

Signed-off-by: Daniel Grunberger <[email protected]>

* pr cleaning

Signed-off-by: Daniel Grunberger <[email protected]>

* go mod

Signed-off-by: Daniel Grunberger <[email protected]>

* add creation time

Signed-off-by: Daniel Grunberger <[email protected]>

* rm creation time from np

Signed-off-by: Daniel Grunberger <[email protected]>

* pr fixes

Signed-off-by: Daniel Grunberger <[email protected]>

* go mod

Signed-off-by: Daniel Grunberger <[email protected]>

* Update pkg/registry/file/generatednetworkpolicy_test.go

Co-authored-by: Vlad Klokun <[email protected]>
Signed-off-by: Daniel Grunberger <[email protected]>

---------

Signed-off-by: Daniel Grunberger <[email protected]>
Signed-off-by: Vlad Klokun <[email protected]>
Signed-off-by: Daniel Grunberger <[email protected]>
Co-authored-by: Daniel Grunberger <[email protected]>
Co-authored-by: Vlad Klokun <[email protected]>
Co-authored-by: rcohencyberarmor <[email protected]>
Co-authored-by: Vlad Klokun <[email protected]>

artifacts/generatednetworkpolicies/01-example.yaml

@@ -0,0 +1,48 @@
+kind: GeneratedNetworkPolicy
+metadata:
+  labels:
+    kubescape.io/workload-api-group: apps
+    kubescape.io/workload-api-version: v1
+    kubescape.io/workload-kind: deployment
+    kubescape.io/workload-name: nginx
+    kubescape.io/workload-namespace: kubescape
+  name: deployment-nginx
+  namespace: default
+policyRef:
+- dns: stripe.com
+  ipBlock: 123.5.2.3/32
+  name: stripe.com
+  originalIP: 123.5.2.3
+spec:
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    annotations:
+      generated-by: kubescape
+    name: deployment-nginx
+    namespace: default
+  spec:
+    egress:
+    - ports:
+      - port: 5978
+        protocol: TCP
+      to:
+      - ipBlock:
+          cidr: 123.5.2.3/32
+    ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            name: kubescape
+        podSelector:
+          matchLabels:
+            app: kubescape-ui
+      ports:
+      - port: 6379
+        protocol: TCP
+    podSelector:
+      matchLabels:
+        app: nginx
+    policyTypes:
+    - Ingress
+    - Egress

artifacts/networkneighborses/01-example.yaml

@@ -0,0 +1,40 @@
+apiVersion: spdx.softwarecomposition.kubescape.io/v1beta1
+kind: NetworkNeighbors
+metadata:
+  name: deployment-nginx
+  annotations:
+    status: incomplete
+  labels:
+      "kubescape.io/workload-api-group": "apps"
+      "kubescape.io/workload-api-version": "v1"
+      "kubescape.io/workload-name": "nginx"
+      "kubescape.io/workload-kind": "deployment"
+      "kubescape.io/workload-namespace": "kubescape"
+
+spec:
+  matchLabels:
+      app: nginx
+
+  ingress:
+  - type: internal
+    identifier: bla
+    namespaceSelector:
+        matchLabels:
+          name: kubescape
+    podSelector:
+        matchLabels:
+          app: kubescape-ui
+    ports:
+    -   name: TCP-6379
+        protocol: TCP
+        port: 6379
+
+  egress:
+  - type: external
+    identifier: bla
+    ipAddress: 123.5.2.3
+    dns: stripe.com 
+    ports:
+    - name: TCP-5978
+      protocol: TCP
+      port: 5978

go.mod

@@ -15,6 +15,8 @@ require (
 	github.com/spf13/cobra v1.6.0
 	github.com/stretchr/testify v1.8.4
 	go.opentelemetry.io/otel v1.13.0
+	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
+	k8s.io/api v0.26.2
 	k8s.io/apimachinery v0.26.2
 	k8s.io/apiserver v0.26.2
 	k8s.io/client-go v0.26.2
@@ -108,15 +110,15 @@ require (
 	go.uber.org/multierr v1.9.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
 	golang.org/x/crypto v0.14.0 // indirect
-	golang.org/x/mod v0.8.0 // indirect
+	golang.org/x/mod v0.13.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.7.0 // indirect
-	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/sync v0.4.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.1.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
+	golang.org/x/tools v0.14.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	google.golang.org/grpc v1.55.0 // indirect
@@ -126,7 +128,6 @@ require (
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.26.2 // indirect
 	k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect
 	k8s.io/kms v0.26.2 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.1 // indirect

go.sum

@@ -539,6 +539,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -563,8 +565,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
+golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -636,8 +638,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -768,8 +770,8 @@ golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
+golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

pkg/apis/softwarecomposition/network_types.go

@@ -0,0 +1,100 @@
+package softwarecomposition
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Protocol string
+type CommunicationType string
+
+const (
+	ProtocolTCP  Protocol = "TCP"
+	ProtocolUDP  Protocol = "UDP"
+	ProtocolSCTP Protocol = "SCTP"
+
+	CommunicationTypeIngress CommunicationType = "internal"
+	CommunicationTypeEgress  CommunicationType = "external"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NetworkNeighborsList is a list of NetworkNeighbors.
+type NetworkNeighborsList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	Items []NetworkNeighbors
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NetworkNeighbors represents a list of network communications for a specific workload.
+type NetworkNeighbors struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec NetworkNeighborsSpec
+}
+
+type NetworkNeighborsSpec struct {
+	metav1.LabelSelector // The labels which are inside spec.selector in the parent workload.
+	Ingress              []NetworkNeighbor
+	Egress               []NetworkNeighbor
+}
+
+// NetworkNeighbor represents a single network communication made by this resource.
+type NetworkNeighbor struct {
+	Identifier        string
+	Type              CommunicationType
+	DNS               string
+	Ports             []NetworkPort
+	PodSelector       *metav1.LabelSelector
+	NamespaceSelector *metav1.LabelSelector
+	IPAddress         string
+}
+
+type NetworkPort struct {
+	// Name is an artificial identifier of the network port. We use it for merging keys with Strategic Merge Patch.
+	// Format is `{protocol}-{port}`.
+	//
+	// Example: tcp-6881
+	Name     string // protocol-port
+	Protocol Protocol
+	Port     *int32
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// GeneratedNetworkPolicyList is a list of GeneratedNetworkPolicies.
+type GeneratedNetworkPolicyList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	Items []GeneratedNetworkPolicy
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// GeneratedNetworkPolicy represents a generated NetworkPolicy.
+type GeneratedNetworkPolicy struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec        NetworkPolicy
+	PoliciesRef []PolicyRef
+}
+
+type PolicyRef struct {
+	IPBlock    string
+	OriginalIP string
+	DNS        string
+	Name       string
+}
+
+type KnownServers struct {
+	IPBlock string
+	DNS     string
+	Name    string
+}