open to closed not report anymore when from is a network.

2025-01-16 21:38:48 +01:00 · 2025-01-16 21:38:48 +01:00 · b7a0b6a557
commit b7a0b6a557
parent 6a2f1b9fee
2 changed files with 21 additions and 5 deletions
--- a/cmd/policygen/configvalidator.go
+++ b/cmd/policygen/configvalidator.go
@ -58,6 +58,7 @@ func validate(files []string, options *Options) error {
 	})

 	// map  applname1 -> appname2 where appname1 is in an open namespace and app2 is in a closed namespace.
+	// Exclusing when 'from' side is a CIDR.
 	openToClosedAccess := make(map[string]string)

 	applicationPods := make(map[string][]v1.Pod)
@ -182,11 +183,13 @@ func validate(files []string, options *Options) error {

 				if !application.Namespace.Open {
 					for _, applicationNameFrom := range communication.From {
-						applicationFrom, _, _ := config.GetApplication(applicationNameFrom)
+						applicationFrom, networkFrom, _ := config.GetApplication(applicationNameFrom)
 						if applicationFrom != nil && !applicationFrom.Namespace.Open {
 							continue
 						}
-						openToClosedAccess[applicationNameFrom] = applicationName
+						if networkFrom == nil {
+							openToClosedAccess[applicationNameFrom] = applicationName
+						}
 					}
 				}
 			}
@ -194,7 +197,7 @@ func validate(files []string, options *Options) error {
 	}

 	for appFrom, appTo := range openToClosedAccess {
-		LogValidationMsg(Error, "Access from 'open' application '%s' to 'closed' application '%s'. This will lead to generation of a netowrk authentication for this workload.",
+		LogValidationMsg(Error, "Access from 'open' application '%s' to 'closed' application '%s'. This will lead to generation of a network authentication for this workload.",
 			appFrom, appTo)
 	}

--- a/example/config.yaml
+++ b/example/config.yaml
@ -12,8 +12,16 @@ networks:
      - port: 2303
        protocol: UDP

-
 namespaces:
+  - name: openns
+    open: true
+    applications:
+      - name: openapp
+        ports:
+          - port: 100
+        serviceAccounts:
+          - xyz
+
  - name: wamblee-org
    #open: true
    capabilities:
@ -48,9 +56,14 @@ namespaces:
           protocol: UDP

 communications:
+  - from:
+      - openapp
+    to:
+      - nexus-server
+
  - from: # can we support both string and list of strings?
      - httpd-wamblee-org
-      #- internet
+      - internet
      #- apiserver
    to:
      - nexus-server