open to closed not report anymore when from is a network.
This commit is contained in:
parent
6a2f1b9fee
commit
b7a0b6a557
@ -58,6 +58,7 @@ func validate(files []string, options *Options) error {
|
|||||||
})
|
})
|
||||||
|
|
||||||
// map applname1 -> appname2 where appname1 is in an open namespace and app2 is in a closed namespace.
|
// map applname1 -> appname2 where appname1 is in an open namespace and app2 is in a closed namespace.
|
||||||
|
// Exclusing when 'from' side is a CIDR.
|
||||||
openToClosedAccess := make(map[string]string)
|
openToClosedAccess := make(map[string]string)
|
||||||
|
|
||||||
applicationPods := make(map[string][]v1.Pod)
|
applicationPods := make(map[string][]v1.Pod)
|
||||||
@ -182,11 +183,13 @@ func validate(files []string, options *Options) error {
|
|||||||
|
|
||||||
if !application.Namespace.Open {
|
if !application.Namespace.Open {
|
||||||
for _, applicationNameFrom := range communication.From {
|
for _, applicationNameFrom := range communication.From {
|
||||||
applicationFrom, _, _ := config.GetApplication(applicationNameFrom)
|
applicationFrom, networkFrom, _ := config.GetApplication(applicationNameFrom)
|
||||||
if applicationFrom != nil && !applicationFrom.Namespace.Open {
|
if applicationFrom != nil && !applicationFrom.Namespace.Open {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
openToClosedAccess[applicationNameFrom] = applicationName
|
if networkFrom == nil {
|
||||||
|
openToClosedAccess[applicationNameFrom] = applicationName
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -194,7 +197,7 @@ func validate(files []string, options *Options) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
for appFrom, appTo := range openToClosedAccess {
|
for appFrom, appTo := range openToClosedAccess {
|
||||||
LogValidationMsg(Error, "Access from 'open' application '%s' to 'closed' application '%s'. This will lead to generation of a netowrk authentication for this workload.",
|
LogValidationMsg(Error, "Access from 'open' application '%s' to 'closed' application '%s'. This will lead to generation of a network authentication for this workload.",
|
||||||
appFrom, appTo)
|
appFrom, appTo)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
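Review bot: In the second hunk, a 'from' name that resolves to neither an application nor a network (applicationFrom == nil and networkFrom == nil) now falls through the `continue` guard and is recorded in openToClosedAccess, so it is reported as an "open application" even though nothing was resolved; the third result of `config.GetApplication` is still discarded as `_`, so whatever that result carries (presumably an error or not-found signal) cannot distinguish the two cases here. Tightening the new condition to `if applicationFrom != nil && networkFrom == nil {` would limit the warning to genuine open-namespace applications, assuming unknown names are rejected elsewhere in validate. The first hunk's new comment has a typo and could state the rationale, e.g. `// Excluding the case where the 'from' side is a CIDR: network sources are not applications, so they cannot be open-namespace accessors.` The body of validate starts and ends outside these hunks.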
@ -12,8 +12,16 @@ networks:
|
|||||||
- port: 2303
|
- port: 2303
|
||||||
protocol: UDP
|
protocol: UDP
|
||||||
|
|
||||||
|
|
||||||
namespaces:
|
namespaces:
|
||||||
|
- name: openns
|
||||||
|
open: true
|
||||||
|
applications:
|
||||||
|
- name: openapp
|
||||||
|
ports:
|
||||||
|
- port: 100
|
||||||
|
serviceAccounts:
|
||||||
|
- xyz
|
||||||
|
|
||||||
- name: wamblee-org
|
- name: wamblee-org
|
||||||
#open: true
|
#open: true
|
||||||
capabilities:
|
capabilities:
|
||||||
@ -48,9 +56,14 @@ namespaces:
|
|||||||
protocol: UDP
|
protocol: UDP
|
||||||
|
|
||||||
communications:
|
communications:
|
||||||
|
- from:
|
||||||
|
- openapp
|
||||||
|
to:
|
||||||
|
- nexus-server
|
||||||
|
|
||||||
- from: # can we support both string and list of strings?
|
- from: # can we support both string and list of strings?
|
||||||
- httpd-wamblee-org
|
- httpd-wamblee-org
|
||||||
#- internet
|
- internet
|
||||||
#- apiserver
|
#- apiserver
|
||||||
to:
|
to:
|
||||||
- nexus-server
|
- nexus-server
|
||||||
|