
Commit 0f29e39

authored
Merge pull request #20 from armosec/netpol
fix label parsing for cilium netpol
2 parents cae76ef + 4e22805 commit 0f29e39

5 files changed

+239
-879
lines changed

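--- a/armometadata/k8sutils.go
+++ b/armometadata/k8sutils.go
@@ -9,6 +9,7 @@ import (
 "strings"
 
 "github.com/armosec/utils-k8s-go/wlid"
+"github.com/cilium/cilium/pkg/labels"
 "github.com/olvrng/ujson"
 "github.com/spf13/viper"
 
@@ -148,7 +149,7 @@ func ExtractMetadataFromJsonBytes(input []byte) (Metadata, error) {
 case strings.HasPrefix(jsonPath, "metadata.ownerReferences.."):
 m.OwnerReferences[unquote(key)] = unquote(value)
 case m.ApiVersion == "cilium.io/v2" && strings.HasPrefix(jsonPath, "spec.endpointSelector.matchLabels."):
-m.PodSelectorMatchLabels[unquote(key)] = unquote(value)
+addCiliumMatchLabels(m.PodSelectorMatchLabels, key, value)
 case m.ApiVersion == "networking.k8s.io/v1" && strings.HasPrefix(jsonPath, "spec.podSelector.matchLabels."):
 m.PodSelectorMatchLabels[unquote(key)] = unquote(value)
 case m.ApiVersion == "security.istio.io/v1" && strings.HasPrefix(jsonPath, "spec.selector.matchLabels."):
@@ -180,6 +181,22 @@ func ParseCalicoSelector(value []byte) map[string]string {
 return selector
 }
 
+// addCiliumMatchLabels adds matchLabels from a Cilium EndpointSelector to the given map
+// a virtual label is created for each label with a Cilium specific prefix for matching
+func addCiliumMatchLabels(matchLabels map[string]string, key, value []byte) {
+k := unquote(key)
+v := unquote(value)
+matchLabels[k] = v
+// check if we have to trim a Cilium specific prefix to k and create a virtual label
+for _, labelSource := range []string{labels.LabelSourceAny, labels.LabelSourceK8s,
+labels.LabelSourceReserved, labels.LabelSourceUnspec} {
+prefix := labelSource + ":"
+if strings.HasPrefix(k, prefix) {
+matchLabels[k[len(prefix):]] = v
+}
+}
+}
+
 func unquote(value []byte) string {
 buf, err := ujson.Unquote(value)
 if err != nil {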
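Review bot: Stripping the `reserved:` prefix in the loop of addCiliumMatchLabels (new lines 191-196) turns Cilium identity selectors such as `reserved:host` or `reserved:world` into the virtual pod labels `host`/`world`, so a workload that merely carries a Kubernetes label with that name would be reported as selected by a policy that never targets pods at all; in Cilium, `reserved:` is the source of the agent's built-in identities, not of pod labels, and `unspec:` is not something a pod carries either. Only the `any:` and `k8s:` sources map onto pod labels, so the fix is a one-line change: `for _, labelSource := range []string{labels.LabelSourceAny, labels.LabelSourceK8s} {`. Since the function then needs only two literal source names, a local `strings.Cut(k, ":")` on the source part would do the same job without importing the whole github.com/cilium/cilium module for its constants. The `ExtractMetadataFromJsonBytes` switch touched by the second hunk starts and ends outside the hunk.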

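--- a/armometadata/k8sutils_test.go
+++ b/armometadata/k8sutils_test.go
@@ -259,7 +259,7 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 ownerReferences: map[string]string{},
 kind: "CiliumNetworkPolicy",
 apiVersion: "cilium.io/v2",
-podSelectorMatchLabels: map[string]string{"app": "frontend"},
+podSelectorMatchLabels: map[string]string{"any:app": "frontend", "app": "frontend"},
 },
 {
 name: "istionetworkpolicy",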
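Review bot: The updated expectation on new line 262 only exercises the `any:` prefix, and because the fixture swapped the bare `app` key for `any:app`, the default-source path (an unprefixed key that must be stored unchanged) no longer has any coverage, nor do `k8s:`-prefixed keys or a non-source prefix such as `team:app` that must not be stripped. A small table-driven test for addCiliumMatchLabels with inputs `app`, `k8s:app`, `any:app` and `team:app`, asserting the resulting map for each, would pin the intended behaviour without growing the fixture. TestExtractMetadataFromJsonBytes starts and ends outside this hunk.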

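--- a/armometadata/testdata/ciliumnetworkpolicy.json
+++ b/armometadata/testdata/ciliumnetworkpolicy.json
@@ -7,7 +7,7 @@
 "spec": {
 "endpointSelector": {
 "matchLabels": {
-"app": "frontend"
+"any:app": "frontend"
 }
 },
 "egress": [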

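--- a/go.mod
+++ b/go.mod
@@ -5,72 +5,93 @@ go 1.22.4
 require (
 github.com/armosec/armoapi-go v0.0.234
 github.com/armosec/utils-go v0.0.20
-github.com/docker/docker v25.0.1+incompatible
+github.com/cilium/cilium v1.16.0
+github.com/docker/docker v26.1.4+incompatible
 github.com/francoispqt/gojay v1.2.13
 github.com/olvrng/ujson v1.1.0
-github.com/spf13/viper v1.7.0
-github.com/stretchr/testify v1.8.4
-go.uber.org/zap v1.22.0
-k8s.io/api v0.25.3
-k8s.io/apimachinery v0.27.4
-k8s.io/apiserver v0.24.3
-k8s.io/client-go v0.25.3
+github.com/spf13/viper v1.19.0
+github.com/stretchr/testify v1.9.0
+go.uber.org/zap v1.27.0
+k8s.io/api v0.30.2
+k8s.io/apimachinery v0.30.2
+k8s.io/apiserver v0.30.2
+k8s.io/client-go v0.30.2
 )
 
 require (
 github.com/armosec/gojay v1.2.15 // indirect
-github.com/davecgh/go-spew v1.1.1 // indirect
-github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-github.com/fsnotify/fsnotify v1.4.9 // indirect
-github.com/go-logr/logr v1.2.4 // indirect
-github.com/go-openapi/jsonpointer v0.19.6 // indirect
-github.com/go-openapi/jsonreference v0.20.1 // indirect
-github.com/go-openapi/swag v0.22.3 // indirect
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+github.com/blang/semver/v4 v4.0.0 // indirect
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+github.com/emicklei/go-restful/v3 v3.12.0 // indirect
+github.com/fsnotify/fsnotify v1.7.0 // indirect
+github.com/go-logr/logr v1.4.1 // indirect
+github.com/go-openapi/analysis v0.23.0 // indirect
+github.com/go-openapi/errors v0.22.0 // indirect
+github.com/go-openapi/jsonpointer v0.21.0 // indirect
+github.com/go-openapi/jsonreference v0.21.0 // indirect
+github.com/go-openapi/loads v0.22.0 // indirect
+github.com/go-openapi/spec v0.21.0 // indirect
+github.com/go-openapi/strfmt v0.23.0 // indirect
+github.com/go-openapi/swag v0.23.0 // indirect
+github.com/go-openapi/validate v0.24.0 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
-github.com/golang/protobuf v1.5.3 // indirect
-github.com/google/gnostic v0.5.7-v3refs // indirect
-github.com/google/go-cmp v0.5.9 // indirect
+github.com/golang/protobuf v1.5.4 // indirect
+github.com/google/gnostic-models v0.6.8 // indirect
+github.com/google/go-cmp v0.6.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
-github.com/google/uuid v1.3.0 // indirect
-github.com/hashicorp/hcl v1.0.0 // indirect
+github.com/google/uuid v1.6.0 // indirect
+github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
+github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
-github.com/magiconair/properties v1.8.1 // indirect
+github.com/mackerelio/go-osstat v0.2.5 // indirect
+github.com/magiconair/properties v1.8.7 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
-github.com/mitchellh/mapstructure v1.1.2 // indirect
+github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+github.com/oklog/ulid v1.3.1 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.0-rc4 // indirect
-github.com/pelletier/go-toml v1.2.0 // indirect
+github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
 github.com/pkg/errors v0.9.1 // indirect
-github.com/pmezard/go-difflib v1.0.0 // indirect
-github.com/rogpeppe/go-internal v1.11.0 // indirect
-github.com/spf13/afero v1.6.0 // indirect
-github.com/spf13/cast v1.3.0 // indirect
-github.com/spf13/jwalterweatherman v1.0.0 // indirect
-github.com/spf13/pflag v1.0.5 // indirect
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+github.com/sagikazarmark/locafero v0.4.0 // indirect
+github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+github.com/sasha-s/go-deadlock v0.3.1 // indirect
+github.com/sirupsen/logrus v1.9.3 // indirect
+github.com/sourcegraph/conc v0.3.0 // indirect
+github.com/spf13/afero v1.11.0 // indirect
+github.com/spf13/cast v1.6.0 // indirect
+github.com/spf13/cobra v1.8.1 // indirect
+github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace // indirect
 github.com/stripe/stripe-go/v74 v74.28.0 // indirect
-github.com/subosito/gotenv v1.2.0 // indirect
-go.uber.org/atomic v1.7.0 // indirect
-go.uber.org/multierr v1.6.0 // indirect
-golang.org/x/net v0.12.0 // indirect
-golang.org/x/oauth2 v0.10.0 // indirect
-golang.org/x/sys v0.10.0 // indirect
-golang.org/x/term v0.10.0 // indirect
-golang.org/x/text v0.11.0 // indirect
-golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
-google.golang.org/appengine v1.6.7 // indirect
-google.golang.org/protobuf v1.31.0 // indirect
+github.com/subosito/gotenv v1.6.0 // indirect
+github.com/vishvananda/netlink v1.2.1-beta.2.0.20240524165444-4d4ba1473f21 // indirect
+github.com/vishvananda/netns v0.0.4 // indirect
+go.mongodb.org/mongo-driver v1.14.0 // indirect
+go.uber.org/multierr v1.11.0 // indirect
+go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
+golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect
+golang.org/x/net v0.26.0 // indirect
+golang.org/x/oauth2 v0.19.0 // indirect
+golang.org/x/sync v0.7.0 // indirect
+golang.org/x/sys v0.21.0 // indirect
+golang.org/x/term v0.21.0 // indirect
+golang.org/x/text v0.16.0 // indirect
+golang.org/x/time v0.5.0 // indirect
+google.golang.org/protobuf v1.34.2 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
-gopkg.in/ini.v1 v1.51.0 // indirect
+gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
-k8s.io/klog/v2 v2.100.1 // indirect
-k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+k8s.io/klog/v2 v2.120.1 // indirect
+k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 // indirect
+k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
-sigs.k8s.io/yaml v1.3.0 // indirect
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+sigs.k8s.io/yaml v1.4.0 // indirect
 )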
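Review bot: The new direct requirement `github.com/cilium/cilium v1.16.0` (new line 8) is taken on to read four string constants, and the indirect block shows the cost: vishvananda/netlink and netns, go.mongodb.org/mongo-driver, sasha-s/go-deadlock, spf13/cobra and the go-openapi suite all become transitive modules that builds, vulnerability scanners and licence checks now have to track for this library and every consumer of it. Declaring the source names locally in armometadata, e.g. `const ciliumLabelSourceAny, ciliumLabelSourceK8s = "any", "k8s"`, removes the dependency with no behaviour change; if the import is kept, the reason should be recorded in a comment so the next `go mod tidy` does not quietly grow it further. Several of the other new indirect entries (go-osstat, x/exp, go4.org/netipx) appear to come from the same root and would likely disappear with it.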
