Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

analysis with specific ingress controllers #281

Draft
wants to merge 24 commits into
base: main
Choose a base branch
from
Draft

analysis with specific ingress controllers #281

wants to merge 24 commits into from

Conversation

shireenf-ibm
Copy link
Contributor

issue #235

@shireenf-ibm shireenf-ibm marked this pull request as draft November 28, 2023 11:57
@shireenf-ibm
Copy link
Contributor Author

hi @adisos,
some questions:

at this first commit in this PR, I've added a test directory with an example that should be resolved for issue #235

  • I would like if you take a look on the example

with our current analysis , ingress connection to the default/apple-app[Pod] is blocked by the policy.
when conducting the namespace of the specific ingress in the policy as an ingress resource:

  1. should the new output include the "old" row of :
    {ingress-controller} => default/apple-app[Pod] : TCP 5678
    or a new row with the specified namespace in the policy?
    (e.g ingress-nginx => default/apple-app[Pod] : TCP 5678 )

  2. how should the analyzer behave if the policy enables the ingress from ingress-nginx but there is no Ingress/Route object provided?

@adisos
Copy link
Collaborator

adisos commented Nov 30, 2023

hi @adisos, some questions:

at this first commit in this PR, I've added a test directory with an example that should be resolved for issue #235

* I would like if you take a look on the example

with our current analysis , ingress connection to the default/apple-app[Pod] is blocked by the policy. when conducting the namespace of the specific ingress in the policy as an ingress resource:

1. should the new output include the "old" row of :
   `{ingress-controller} => default/apple-app[Pod] : TCP 5678`
   or a new row with the specified namespace in the policy?
   (e.g `ingress-nginx => default/apple-app[Pod] : TCP 5678` )

2. how should the analyzer behave if the policy enables the ingress from `ingress-nginx` but there is no `Ingress/Route` object provided?

(1) A connectivity line should specify a specific ingress-controller if possible
(2) In such case just as in usual analysis of netpols -- show the possible connections based on the policy. (maybe this is related to the issue about exposure analysis).

@pull-request-size pull-request-size bot added size/L and removed size/M labels Dec 5, 2023
@shireenf-ibm
Copy link
Contributor Author

shireenf-ibm commented Dec 5, 2023
edited
Loading

hi @adisos ,
in this commit a first solution for considering the specific ingress controllers:

  • for each peer that is selected by Route/Ingress object:
    • if the general ingress-controller connection to the peer is empty (i.e. blocked by policies' rules - no intersection)
      -> then I check for specific ingress controllers connections to the peer.
      -> if all ingress controllers connections are blocked by the policy, then the original "blocking" warning is printed
  • code update in connlist.go file
  • since our interfaces checks allowed connections only between peers; in-order to check connections from the specific ingress controllers (e.g. ingress-nginx), I add fake pods with namespace and name of the specific ingress-controller namespace (which i have).
    this means, this solution assumes that the policy-rule selecting an ingress controller must have a namespaceSelector with the label of the specified namespace.
    but not sure how to behave if it has also a podselector rule?

@shireenf-ibm shireenf-ibm marked this pull request as ready for review December 5, 2023 09:28
@shireenf-ibm shireenf-ibm changed the title wip - analysis with specific ingress controllers analysis with specific ingress controllers Dec 5, 2023
@shireenf-ibm shireenf-ibm marked this pull request as draft December 11, 2023 09:30
@shireenf-ibm
Copy link
Contributor Author

in the last commit added support for some labels of the openshift and nginx ingress-controllers namespaces.
Also added a new doc docs/ingress_analysis.md with a description of the new supported labels and the analysis output

@shireenf-ibm shireenf-ibm marked this pull request as ready for review December 19, 2023 17:34
adisos
adisos reviewed Dec 31, 2023
View reviewed changes
Copy link
Collaborator

@adisos adisos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added a few comments

docs/connlist_output.md Outdated Show resolved Hide resolved
docs/ingress_analysis.md Outdated Show resolved Hide resolved
docs/ingress_analysis.md Outdated Show resolved Hide resolved
docs/ingress_analysis.md Outdated Show resolved Hide resolved
docs/ingress_analysis.md Outdated Show resolved Hide resolved
docs/ingress_analysis.md Outdated Show resolved Hide resolved
pkg/netpol/connlist/connlist.go
// adding the ingress controller pod to the policy engine,
ingressControllerPod, err := pe.AddPodByNameAndNamespace(common.IngressPodName, common.IngressPodNamespace)
// adding specific known controller pods to the policy engine
specificIngressControllers, err := addSpecificIngressControllers(pe)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what if such pods already exist in the input resources list?

Copy link
Contributor Author

@shireenf-ibm shireenf-ibm Jan 5, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if such pod already exists but no Route/Ingress found - nothing need to be done (handled in the past).

if we have Ingress/Route , till now assumed there is no ingress-controller deployment, in the resources.
but if such resources exist :
how should it behave?
option 1 : act as the existing ingress pod/s are the only ones considered for ingress analysis? (don't add fake ingress pods from other namespaces)
but then if (for-example) we have an nginx-ingress deployment in the resources.
and a policy-rule with namespaceSelector selecting one of the openshift controller namespaces - this rule will be ignored for ingress-analysis (as any rule which select a not existing namespace/pod)

option2 : add fake ingress pods for the other ingress-controllers ?
if this option is the desired :
- if all ingress-controllers are supported should still have the general output line with {ingress-controller} as source ? (without the existing pod line)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

another q: should we assume only one ingress-controller deployment may exist in the resources?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes sense to assume only the input ingress controller if there is such, and then avoid adding the fake ingress pods.

pkg/netpol/connlist/connlist.go Show resolved Hide resolved
pkg/netpol/connlist/connlist.go Outdated Show resolved Hide resolved
test_outputs/cli/acs-security-demos_focus_workload_ingress-controller_connlist_output.txt Outdated Show resolved Hide resolved
@shireenf-ibm shireenf-ibm marked this pull request as draft March 26, 2024 12:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adisos adisos adisos left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
size/XL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@shireenf-ibm @adisos