From 97a8ec719bf35d4655682046c0df83994ffba2ce Mon Sep 17 00:00:00 2001 From: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> Date: Mon, 13 Nov 2023 17:37:33 +1100 Subject: [PATCH 1/4] chore: add apache 2.0 license Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> --- LICENSE | 201 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 201 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. From 86ac8a948884cf3d13d01571f2debcb8c9e6ced6 Mon Sep 17 00:00:00 2001 From: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> Date: Mon, 13 Nov 2023 17:37:51 +1100 Subject: [PATCH 2/4] chore: fix version and allow new -A and --all behaviour Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> --- .slsa-goreleaser/darwin-amd64.yml | 2 +- .slsa-goreleaser/darwin-arm64.yml | 2 +- .slsa-goreleaser/linux-amd64.yml | 2 +- .slsa-goreleaser/linux-arm64.yml | 2 +- README.md | 2 +- advisor/cmd/gen.go | 40 ++++++++- advisor/pkg/api/pod_traffic.go | 4 +- advisor/pkg/k8s/networkpolicies.go | 129 ++++++++++++++++++++++++----- 8 files changed, 150 insertions(+), 33 deletions(-) diff --git a/.slsa-goreleaser/darwin-amd64.yml b/.slsa-goreleaser/darwin-amd64.yml index e08b397f7..795111c30 100644 
--- a/.slsa-goreleaser/darwin-amd64.yml +++ b/.slsa-goreleaser/darwin-amd64.yml @@ -34,4 +34,4 @@ ldflags: - "-X main.Commit={{ .Env.COMMIT }}" - "-X main.CommitDate={{ .Env.COMMIT_DATE }}" - "-X main.TreeState={{ .Env.TREE_STATE }}" - - "-X github.com/xentra-ai/advisor/pkg/k8s.Version=${VERSION}" + - "-X github.com/xentra-ai/advisor/pkg/k8s.Version={{ .Env.VERSION }}" diff --git a/.slsa-goreleaser/darwin-arm64.yml b/.slsa-goreleaser/darwin-arm64.yml index bb05634af..96b255ec9 100644 --- a/.slsa-goreleaser/darwin-arm64.yml +++ b/.slsa-goreleaser/darwin-arm64.yml @@ -34,4 +34,4 @@ ldflags: - "-X main.Commit={{ .Env.COMMIT }}" - "-X main.CommitDate={{ .Env.COMMIT_DATE }}" - "-X main.TreeState={{ .Env.TREE_STATE }}" - - "-X github.com/xentra-ai/advisor/pkg/k8s.Version=${VERSION}" + - "-X github.com/xentra-ai/advisor/pkg/k8s.Version={{ .Env.VERSION }}" diff --git a/.slsa-goreleaser/linux-amd64.yml b/.slsa-goreleaser/linux-amd64.yml index 42942bbef..138cb9807 100644 --- a/.slsa-goreleaser/linux-amd64.yml +++ b/.slsa-goreleaser/linux-amd64.yml @@ -34,4 +34,4 @@ ldflags: - "-X main.Commit={{ .Env.COMMIT }}" - "-X main.CommitDate={{ .Env.COMMIT_DATE }}" - "-X main.TreeState={{ .Env.TREE_STATE }}" - - "-X github.com/xentra-ai/advisor/pkg/k8s.Version=${VERSION}" + - "-X github.com/xentra-ai/advisor/pkg/k8s.Version={{ .Env.VERSION }}" diff --git a/.slsa-goreleaser/linux-arm64.yml b/.slsa-goreleaser/linux-arm64.yml index 156b810ef..3af5b6597 100644 --- a/.slsa-goreleaser/linux-arm64.yml +++ b/.slsa-goreleaser/linux-arm64.yml @@ -34,4 +34,4 @@ ldflags: - "-X main.Commit={{ .Env.COMMIT }}" - "-X main.CommitDate={{ .Env.COMMIT_DATE }}" - "-X main.TreeState={{ .Env.TREE_STATE }}" - - "-X github.com/xentra-ai/advisor/pkg/k8s.Version=${VERSION}" + - "-X github.com/xentra-ai/advisor/pkg/k8s.Version={{ .Env.VERSION }}" diff --git a/README.md b/README.md index bf122f06b..2572e0da0 100644 --- a/README.md +++ b/README.md 
@@ -77,7 +77,7 @@ Contributions are welcome! Please read the contributing guide to get started. ## 📄 License -This project is licensed under the [PLACEHOLDER] License - see the [LICENSE.md](LICENSE.md) file for details. +This project is licensed under the Apache 2.0 License - see the [LICENSE](LICENSE) file for details. ## 🙏 Acknowledgments diff --git a/advisor/cmd/gen.go b/advisor/cmd/gen.go index 602f8dc5b..8ba85f3b5 100644 --- a/advisor/cmd/gen.go +++ b/advisor/cmd/gen.go 
@@ -11,18 +11,50 @@ var genCmd = &cobra.Command{
 Short: "Generate resources",
 }
+var (
+ allNamespaces bool
+ allInNamespace bool
+)
+
+func init() {
+ networkPolicyCmd.Flags().BoolVarP(&allNamespaces, "all-namespaces", "A", false, "Generate policies for all pods in all namespaces")
+ networkPolicyCmd.Flags().BoolVar(&allInNamespace, "all", false, "Generate policies for all pods in the current namespace")
+}
+
 var networkPolicyCmd = &cobra.Command{
 Use: "networkpolicy [pod-name]",
 Aliases: []string{"netpol"},
 Short: "Generate network policy",
- Args: cobra.ExactArgs(1),
+ Args: cobra.MaximumNArgs(1),
 Run: func(cmd *cobra.Command, args []string) {
- // Retrieve the config from the command context
 config, ok := cmd.Context().Value(k8s.ConfigKey).(*k8s.Config)
 if !ok {
 log.Fatal().Msg("Failed to retrieve Kubernetes configuration")
 }
- podName := args[0]
+
+ // Get the namespace from kubeConfigFlags
+ namespace, _, err := kubeConfigFlags.ToRawKubeConfigLoader().Namespace()
+ if err != nil {
+ log.Fatal().Err(err).Msg("Failed to get namespace")
+ }
+
+ options := k8s.GenerateOptions{}
+
+ if allNamespaces {
+ options.Mode = k8s.AllPodsInAllNamespaces
+ } else if allInNamespace {
+ options.Mode = k8s.AllPodsInNamespace
+ options.Namespace = namespace
+ } else {
+ // Validate that a pod name is provided
+ if len(args) != 1 {
+ cmd.Usage()
+ return
+ }
+ options.Mode = k8s.SinglePod
+ options.PodName = args[0]
+ options.Namespace = namespace
+ }
 stopChan, errChan, done := k8s.PortForward(config)
 <-done // Block until we receive a notification from the goroutine that port-forwarding has been set up
@@ -32,7 +64,7 @@ var networkPolicyCmd = &cobra.Command{
 }
 }()
 log.Debug().Msg("Port forwarding set up successfully.")
- k8s.GenerateNetworkPolicy(podName, config)
+ k8s.GenerateNetworkPolicy(options, config)
 close(stopChan)
 },
 }
diff --git a/advisor/pkg/api/pod_traffic.go b/advisor/pkg/api/pod_traffic.go
index 450e0c14c..eee7e8ed1 100644
--- a/advisor/pkg/api/pod_traffic.go
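Review bot: Nothing in the new `Run` body rejects conflicting inputs: with both `-A` and `--all` set, `allNamespaces` silently wins, and a positional pod name given together with either flag is silently ignored instead of refused. Declaring the conflict in `init()` with `networkPolicyCmd.MarkFlagsMutuallyExclusive("all-namespaces", "all")` (cobra 1.5+) and adding `if len(args) > 0 { log.Fatal().Msg("a pod name cannot be combined with --all or --all-namespaces") }` at the top of the two flag branches would make every invocation unambiguous. Since `-A` now makes the command read pods across every namespace (see the `fetchAllPodsInAllNamespaces` helper later in this patch), a `Long` description stating that this needs list access to pods cluster-wide would let operators choose an appropriately scoped kubeconfig. The `Run` closure continues in the next hunk.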
+++ b/advisor/pkg/api/pod_traffic.go
@@ -66,13 +66,13 @@ func GetPodTraffic(podName string) ([]PodTraffic, error) {
 // Parse the JSON response and unmarshal it into the Go struct.
 if err := json.Unmarshal([]byte(body), &podTraffic); err != nil {
- log.Error().Err(err).Msg("Error unmarshal JSON")
+ log.Warn().Err(err).Msg("Error unmarshal JSON")
 return nil, err
 }
 // If no pod traffic is found, return nil
 if len(podTraffic) == 0 {
- log.Error().Err(err).Msg("No pod traffic found")
+ log.Warn().Err(err).Msg("No pod traffic found in database")
 return nil, nil
 }
 return podTraffic, nil
diff --git a/advisor/pkg/k8s/networkpolicies.go b/advisor/pkg/k8s/networkpolicies.go
index a66733f4d..a1e7a2fb6 100644
--- a/advisor/pkg/k8s/networkpolicies.go
+++ b/advisor/pkg/k8s/networkpolicies.go
@@ -1,11 +1,13 @@
 package k8s
 import (
+ "context"
 "encoding/json"
 "strings"
 log "github.com/rs/zerolog/log"
 api "github.com/xentra-ai/advisor/pkg/api"
+ corev1 "k8s.io/api/core/v1"
 networkingv1 "k8s.io/api/networking/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
@@ -15,6 +17,22 @@ import (
 // Version is set at build time using -ldflags
 var Version = "development" // default value
+// ModeType defines the mode of operation for generating network policies
+type ModeType int
+
+const (
+ SinglePod ModeType = iota
+ AllPodsInNamespace
+ AllPodsInAllNamespaces
+)
+
+// GenerateOptions holds options for the GenerateNetworkPolicy function
+type GenerateOptions struct {
+ Mode ModeType
+ PodName string // Used if Mode is SinglePod
+ Namespace string // Used if Mode is AllPodsInNamespace or SinglePod
+}
+
 type NetworkPolicyRule struct {
 Ports []networkingv1.NetworkPolicyPort
 FromTo []networkingv1.NetworkPolicyPeer
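Review bot: Because `SinglePod` is the `iota` zero value, an uninitialised `GenerateOptions{}` is a request for the pod named `""` in namespace `""`, and neither the struct comment nor the `Mode` field says so; the three exported constants also carry no doc comments. Either open the enumeration with an explicit unset value (e.g. `ModeUnset ModeType = iota` ahead of `SinglePod`) so a caller that forgot to set a mode is detectable, or document the zero value on the field: `Mode ModeType // zero value is SinglePod; PodName and Namespace must then be set`. A one-line comment per constant naming which `GenerateOptions` fields that mode reads would make the options struct self-describing.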
@@ -32,35 +50,72 @@ type RuleSets struct {
 Egress []networkingv1.NetworkPolicyEgressRule
 }
-func GenerateNetworkPolicy(podName string, config *Config) {
- podTraffic, err := api.GetPodTraffic(podName)
- if err != nil {
- log.Fatal().Err(err).Msg("Error retrieving pod traffic")
- }
+func GenerateNetworkPolicy(options GenerateOptions, config *Config) {
+ var pods []corev1.Pod
- if podTraffic == nil {
- log.Fatal().Msgf("No pod traffic found for pod %s\n", podName)
- }
+ switch options.Mode {
+ case SinglePod:
+ // Fetch all pods in the given namespace
+ fetchedPod, err := fetchSinglePodInNamespace(options.PodName, options.Namespace, config)
+ if err != nil {
+ log.Fatal().Err(err).Msgf("failed to fetch pods in namespace %s", options.Namespace)
+ }
+ pods = append(pods, *fetchedPod)
- podDetail, err := api.GetPodSpec(podTraffic[0].SrcIP)
- if err != nil {
- log.Fatal().Err(err).Msg("Error retrieving pod spec")
- }
+ case AllPodsInNamespace:
+ // Fetch all pods in the given namespace
+ fetchedPods, err := fetchAllPodsInNamespace(options.Namespace, config)
+ if err != nil {
+ log.Fatal().Err(err).Msgf("failed to fetch pods in namespace %s", options.Namespace)
+ }
+ pods = append(pods, fetchedPods...)
- if podDetail == nil {
- log.Fatal().Msgf("No pod spec found for pod %s\n", podTraffic[0].SrcIP)
+ case AllPodsInAllNamespaces:
+ // Fetch all pods in all namespaces
+ fetchedPods, err := fetchAllPodsInAllNamespaces(config)
+ if err != nil {
+ log.Fatal().Err(err).Msgf("failed to fetch all pods in all namespaces")
+ }
+ pods = append(pods, fetchedPods...)
}
- policy, err := transformToNetworkPolicy(podTraffic, podDetail, config)
- if err != nil {
- log.Error().Err(err).Msg("Error transforming policy")
- }
+ // Generate network policies for each pod in pods
+ for _, pod := range pods {
+ podTraffic, err := api.GetPodTraffic(pod.Name)
+ if err != nil {
+ log.Error().Err(err).Msg("Error retrieving pod traffic")
+ continue
+ }
- policyYAML, err := yaml.Marshal(policy)
- if err != nil {
- log.Error().Err(err).Msg("Error converting policy to YAML")
+ if podTraffic == nil {
+ log.Error().Msgf("No pod traffic found for pod %s\n", pod.Name)
+ continue
+ }
+
+ podDetail, err := api.GetPodSpec(podTraffic[0].SrcIP)
+ if err != nil {
+ log.Error().Err(err).Msg("Error retrieving pod spec")
+ continue
+ }
+
+ if podDetail == nil {
+ log.Error().Msgf("No pod spec found for pod %s\n", podTraffic[0].SrcIP)
+ continue
+ }
+
+ policy, err := transformToNetworkPolicy(podTraffic, podDetail, config)
+ if err != nil {
+ log.Error().Err(err).Msg("Error transforming policy")
+ continue
+ }
+
+ policyYAML, err := yaml.Marshal(policy)
+ if err != nil {
+ log.Error().Err(err).Msg("Error converting policy to YAML")
+ continue
+ }
+ log.Info().Msgf("Generated policy for pod %s:\n%s", pod.Name, string(policyYAML))
 }
- log.Info().Msgf("Generated policy for pod %s:\n%s", podName, string(policyYAML))
 }
 func transformToNetworkPolicy(podTraffic []api.PodTraffic, podDetail *api.PodDetail, config *Config) (*networkingv1.NetworkPolicy, error) {
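Review bot: In `AllPodsInAllNamespaces` mode the loop looks traffic up with `api.GetPodTraffic(pod.Name)`, and `GetPodTraffic`'s signature in this patch (`func GetPodTraffic(podName string)`) takes no namespace, so two pods sharing a name in different namespaces cannot be told apart and one pod's policy may be built from the other's observed flows — an allow-list derived from the wrong workload. Unless the traffic store is known to be keyed by something namespace-unique, thread `pod.Namespace` through the lookup (or filter the returned `PodTraffic` records by the pod's namespace, if they carry one) before generating a policy from them. The `switch` on `options.Mode` has no `default`, so an unrecognised mode leaves `pods` empty and the function returns without output; `default: log.Fatal().Msgf("unknown generate mode %d", options.Mode)` would match the error style of the surrounding cases. The comment in the `SinglePod` case, `// Fetch all pods in the given namespace`, is copied from the next case and should read `// Fetch the named pod in the given namespace`.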
@@ -242,3 +297,33 @@ func deduplicateEgressRules(rules []networkingv1.NetworkPolicyEgressRule) []netw
 }
 return deduplicated
 }
+
+// fetchSinglePodInNamespace fetches a single pods in a specific namespace
+func fetchSinglePodInNamespace(podName, namespace string, config *Config) (*corev1.Pod, error) {
+ pod, err := config.Clientset.CoreV1().Pods(namespace).Get(context.TODO(), podName, metav1.GetOptions{})
+ if err != nil {
+ // Handle the error according to your application's requirements
+ return nil, err
+ }
+ return pod, nil
+}
+
+// fetchAllPodsInNamespace fetches all pods in a specific namespace
+func fetchAllPodsInNamespace(namespace string, config *Config) ([]corev1.Pod, error) {
+ podList, err := config.Clientset.CoreV1().Pods(namespace).List(context.TODO(), metav1.ListOptions{})
+ if err != nil {
+ return nil, err
+ }
+
+ return podList.Items, nil
+}
+
+// fetchAllPodsInAllNamespaces fetches all pods in all namespaces
+func fetchAllPodsInAllNamespaces(config *Config) ([]corev1.Pod, error) {
+ podList, err := config.Clientset.CoreV1().Pods(metav1.NamespaceAll).List(context.TODO(), metav1.ListOptions{})
+ if err != nil {
+ return nil, err
+ }
+
+ return podList.Items, nil
+}
From 7210bfb53bf155a8e7fa9c4bf436b2f0280bb142 Mon Sep 17 00:00:00 2001
From: Michael Fornaro <20387402+xUnholy@users.noreply.github.com>
Date: Mon, 13 Nov 2023 17:41:28 +1100
Subject: [PATCH 3/4] fix: lint error with checking cmd.Usage()

Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com>
---
 advisor/cmd/gen.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/advisor/cmd/gen.go b/advisor/cmd/gen.go
index 8ba85f3b5..e93145b08 100644
--- a/advisor/cmd/gen.go
+++ b/advisor/cmd/gen.go
@@ -48,7 +48,7 @@ var networkPolicyCmd = &cobra.Command{
 } else {
 // Validate that a pod name is provided
 if len(args) != 1 {
- cmd.Usage()
+ _ = cmd.Usage()
 return
 }
 options.Mode = k8s.SinglePod
From d599fd486b7c7b0b473e051883c71b345b634f5e Mon Sep 17 00:00:00 2001
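Review bot: All three helpers call the API server with `context.TODO()` and an empty `metav1.ListOptions{}`, so an unresponsive API server blocks the command indefinitely and `fetchAllPodsInAllNamespaces` pulls every pod in the cluster in one unpaginated response. Taking `ctx context.Context` as the first parameter and passing it to `Get`/`List` would let `GenerateNetworkPolicy` forward `cmd.Context()` (or a `context.WithTimeout` derived from it), and for the two list helpers a `Limit` with a `Continue` loop, or at least `TimeoutSeconds`, bounds the response. The doc comment on `fetchSinglePodInNamespace` has a typo, `a single pods`, and should read `// fetchSinglePodInNamespace fetches one pod by name from a specific namespace`. Since each helper only reads `config.Clientset`, accepting that value directly would also let them be exercised against a fake clientset, assuming `Clientset` satisfies `kubernetes.Interface` (its type is not visible here).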
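Review bot: After `_ = cmd.Usage()` the closure returns normally, so running the command with no pod name and neither `--all` nor `-A` prints usage and exits with status 0, which scripts and CI will read as success. Following the usage text with `log.Fatal().Msg("a pod name is required unless --all or --all-namespaces is given")`, the style the rest of this closure already uses for failures, gives a non-zero exit; switching the command to `RunE` and returning the error would be the cobra-native alternative. The enclosing `Run` closure starts and ends outside this hunk.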
From: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> Date: Tue, 14 Nov 2023 09:01:17 +1100 Subject: [PATCH 4/4] fix: address feedback Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com> --- README.md | 13 ++++++++++--- advisor/pkg/api/pod_traffic.go | 17 +++++++++++------ advisor/pkg/k8s/networkpolicies.go | 14 ++------------ 3 files changed, 23 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 2572e0da0..01dc2aeaa 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,6 @@ Xentra is a powerful kubectl plugin designed to enhance the security of your Kub - [📦 Installation](#-installation) - [🔨 Usage](#-usage) - [🔒 Generate Network Policies](#-generate-network-policies) - - [🛡️ Generate Seccomp Profiles](#️-generate-seccomp-profiles) - [🤝 Contributing](#-contributing) - [📄 License](#-license) - [🙏 Acknowledgments](#-acknowledgments) @@ -55,14 +54,22 @@ mv advisor /usr/local/bin/kubectl-advisor ### 🔒 Generate Network Policies +Create a network policy for a single pod in a namespace + ```bash kubectl advisor gen networkpolicy [pod-name] --namespace [namespace-name] ``` -### 🛡️ Generate Seccomp Profiles +Create a network policy for a all pod(s) in a namespace + +```bash +kubectl advisor gen networkpolicy --namespace [namespace-name] --all +``` + +Create a network policy for a all pod(s) in all namespace(s) ```bash -kubectl advisor gen seccomp [pod-name] --namespace [namespace-name] +kubectl advisor gen networkpolicy -A ``` For more details on the commands: diff --git a/advisor/pkg/api/pod_traffic.go b/advisor/pkg/api/pod_traffic.go index eee7e8ed1..19e248e1e 100644 --- a/advisor/pkg/api/pod_traffic.go +++ b/advisor/pkg/api/pod_traffic.go 
@@ -66,15 +66,15 @@ func GetPodTraffic(podName string) ([]PodTraffic, error) {
 // Parse the JSON response and unmarshal it into the Go struct.
 if err := json.Unmarshal([]byte(body), &podTraffic); err != nil {
- log.Warn().Err(err).Msg("Error unmarshal JSON")
+ log.Error().Err(err).Msg("Error unmarshal JSON")
 return nil, err
 }
- // If no pod traffic is found, return nil
+ // If no pod traffic is found, return err
 if len(podTraffic) == 0 {
- log.Warn().Err(err).Msg("No pod traffic found in database")
- return nil, nil
+ return nil, fmt.Errorf("No pod traffic found in database")
 }
+
 return podTraffic, nil
 }
@@ -98,7 +98,7 @@ func GetPodSpec(ip string) (*PodDetail, error) {
 return nil, nil
 }
- var details PodDetail
+ var details *PodDetail
 // Parse the JSON response and unmarshal it into the Go struct.
 if err := json.NewDecoder(resp.Body).Decode(&details); err != nil {
@@ -106,7 +106,12 @@ func GetPodSpec(ip string) (*PodDetail, error) {
 return nil, err
 }
- return &details, nil
+ // If no pod details are found, return err
+ if details == nil {
+ return nil, fmt.Errorf("no pod traffic found in database")
+ }
+
+ return details, nil
 }
 func GetSvcSpec(svcIp string) (*SvcDetail, error) {
diff --git a/advisor/pkg/k8s/networkpolicies.go b/advisor/pkg/k8s/networkpolicies.go
index a1e7a2fb6..ba8a25882 100644
--- a/advisor/pkg/k8s/networkpolicies.go
+++ b/advisor/pkg/k8s/networkpolicies.go
@@ -87,22 +87,12 @@ func GenerateNetworkPolicy(options GenerateOptions, config *Config) {
 continue
 }
- if podTraffic == nil {
- log.Error().Msgf("No pod traffic found for pod %s\n", pod.Name)
- continue
- }
-
 podDetail, err := api.GetPodSpec(podTraffic[0].SrcIP)
 if err != nil {
 log.Error().Err(err).Msg("Error retrieving pod spec")
 continue
 }
- if podDetail == nil {
- log.Error().Msgf("No pod spec found for pod %s\n", podTraffic[0].SrcIP)
- continue
- }
-
 policy, err := transformToNetworkPolicy(podTraffic, podDetail, config)
 if err != nil {
 log.Error().Err(err).Msg("Error transforming policy")
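Review bot: `fmt.Errorf("No pod traffic found in database")` has no format verbs and a capitalised message, while the parallel check added to `GetPodSpec` in the `@@ -106,7 +106,12 @@` hunk is lowercase and reuses the "pod traffic" wording for what is actually a missing pod spec. Package-level sentinels, `var ErrNoPodTraffic = errors.New("no pod traffic found in database")` and `var ErrNoPodSpec = errors.New("no pod spec found for ip")`, fix both and let `GenerateNetworkPolicy` tell "nothing recorded for this pod" apart from a transport failure with `errors.Is`. No hunk in this patch adds `fmt` to the file's imports, so either it was already imported or this does not compile; the import block is outside the diff and worth a glance.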
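Review bot: Dropping the `podDetail == nil` guard in `GenerateNetworkPolicy` (the `@@ -87,22 +87,12 @@` hunk) assumes `GetPodSpec` can no longer return `(nil, nil)`, but the context at the top of the `@@ -98,7 +98,7 @@` hunk still shows an earlier `return nil, nil` path in `GetPodSpec`, so `transformToNetworkPolicy` can still receive a nil `podDetail`; whether that dereferences depends on its body, which is not in this diff. Either make that earlier path return the same error as the new `details == nil` check, or keep the nil guard in the loop. Note also that decoding into `var details *PodDetail` only yields nil for a literal JSON `null`; an empty object `{}` decodes to a zero-valued `PodDetail` that passes the check, so if the API reports "not found" that way the guard also needs to test a required field of `PodDetail`.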
@@ -239,7 +229,7 @@ func determinePeerForTraffic(traffic api.PodTraffic, config *Config) (*networkin
 }
 if origin == nil {
- log.Debug().Msgf("Could not find details for origin assuming IP is external %s", traffic.DstIP)
+ log.Warn().Msgf("Could not find details for origin assuming IP is external %s", traffic.DstIP)
 return &networkingv1.NetworkPolicyPeer{
 IPBlock: &networkingv1.IPBlock{
 CIDR: traffic.DstIP + "/32",
@@ -302,9 +292,9 @@ func deduplicateEgressRules(rules []networkingv1.NetworkPolicyEgressRule) []netw
 func fetchSinglePodInNamespace(podName, namespace string, config *Config) (*corev1.Pod, error) {
 pod, err := config.Clientset.CoreV1().Pods(namespace).Get(context.TODO(), podName, metav1.GetOptions{})
 if err != nil {
- // Handle the error according to your application's requirements
 return nil, err
 }
+
 return pod, nil
 }
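Review bot: Raising this to `Warn` is right, but the message still does not say what the fallback does: the unresolved destination becomes a `/32` `IPBlock` peer for `traffic.DstIP`, which for a cluster-internal address the lookup simply missed pins a rule that stops matching as soon as that pod is rescheduled, while for a genuinely external host it is the intended result. A structured line such as `log.Warn().Str("src", traffic.SrcIP).Str("dst", traffic.DstIP).Msg("destination not found in database; treating as external and emitting a /32 IPBlock rule")` lets an operator review the generated policy for pinned internal IPs before applying it. `determinePeerForTraffic` starts and ends outside this hunk.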