From b7a0b6a557e7ffc12e4acc5176748f5d7d07e0ed Mon Sep 17 00:00:00 2001
From: Erik Brakkee
Date: Thu, 16 Jan 2025 21:38:48 +0100
Subject: [PATCH] open to closed not report anymore when from is a network.

---
 cmd/policygen/configvalidator.go | 9 ++++++---
 example/config.yaml | 17 +++++++++++++++--
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/cmd/policygen/configvalidator.go b/cmd/policygen/configvalidator.go
index e7eeb3e..2afe153 100644
--- a/cmd/policygen/configvalidator.go
+++ b/cmd/policygen/configvalidator.go
@@ -58,6 +58,7 @@ func validate(files []string, options *Options) error {
 })
 
 // map applname1 -> appname2 where appname1 is in an open namespace and app2 is in a closed namespace.
+ // Exclusing when 'from' side is a CIDR.
 openToClosedAccess := make(map[string]string)
 
 applicationPods := make(map[string][]v1.Pod)
@@ -182,11 +183,13 @@ func validate(files []string, options *Options) error {
 
 if !application.Namespace.Open {
 for _, applicationNameFrom := range communication.From {
- applicationFrom, _, _ := config.GetApplication(applicationNameFrom)
+ applicationFrom, networkFrom, _ := config.GetApplication(applicationNameFrom)
 if applicationFrom != nil && !applicationFrom.Namespace.Open {
 continue
 }
- openToClosedAccess[applicationNameFrom] = applicationName
+ if networkFrom == nil {
+ openToClosedAccess[applicationNameFrom] = applicationName
+ }
 }
 }
 }
@@ -194,7 +197,7 @@ func validate(files []string, options *Options) error {
 }
 
 for appFrom, appTo := range openToClosedAccess {
- LogValidationMsg(Error, "Access from 'open' application '%s' to 'closed' application '%s'. This will lead to generation of a netowrk authentication for this workload.",
+ LogValidationMsg(Error, "Access from 'open' application '%s' to 'closed' application '%s'. This will lead to generation of a network authentication for this workload.",
 appFrom, appTo)
 }
 
diff --git a/example/config.yaml b/example/config.yaml
index f1f9327..c62b4f7 100644
--- a/example/config.yaml
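Review bot: The added comment in the first hunk of configvalidator.go has a typo and does not say why CIDR sources are skipped, which is the whole reason for this commit; suggest `// Excluding the case where the 'from' side is a network (CIDR): such a source is not a workload, so no network authentication is generated for it.` — the second half is my reading of the log message further down in validate(), so confirm it before committing the wording. validate() starts before this hunk and continues past it.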
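Review bot: The new `applicationFrom, networkFrom, _ := config.GetApplication(applicationNameFrom)` line still discards the third return value, so a `from` entry that matches neither an application nor a network leaves both applicationFrom and networkFrom nil, falls through the new `if networkFrom == nil` guard and is reported as an "'open' application" — a misleading diagnostic for what is most likely a misspelled name in the config. If that third value is an error (I cannot see GetApplication here), it should be checked and reported as such before the open/closed classification; at minimum the unknown-name case deserves its own message rather than the open-to-closed one. Stylistically, the new exclusion would read better as a guard mirroring the existing one: `if networkFrom != nil { continue }` placed right after the `applicationFrom` check, leaving the map assignment unconditional. Note that this silently drops CIDR-to-closed-application access from the validation output entirely; since it is an ingress rule from an address range into a closed namespace, consider emitting it at a lower severity instead so it stays visible when reviewing generated policies. validate() begins before and ends after this hunk.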
+++ b/example/config.yaml
@@ -12,8 +12,16 @@ networks:
 - port: 2303
 protocol: UDP
 
-
 namespaces:
+ - name: openns
+ open: true
+ applications:
+ - name: openapp
+ ports:
+ - port: 100
+ serviceAccounts:
+ - xyz
+
 - name: wamblee-org
 #open: true
 capabilities:
@@ -48,9 +56,14 @@ namespaces:
 protocol: UDP
 
 communications:
+ - from:
+ - openapp
+ to:
+ - nexus-server
+
 - from: # can we support both string and list of strings?
 - httpd-wamblee-org
- #- internet
+ - internet
 #- apiserver
 to:
 - nexus-server