Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Network policies generated by operator separate remote namespace and pod selectors #528

Closed
mjnagel opened this issue Jul 1, 2024 · 0 comments · Fixed by #564
Closed

Network policies generated by operator separate remote namespace and pod selectors #528

mjnagel opened this issue Jul 1, 2024 · 0 comments · Fixed by #564
Assignees
@rjferguson21 @MxNxPx
Labels
bug Something isn't working operator Issues pertaining to the UDS Operator (Pepr)
Milestone
0.25.0

Comments

@mjnagel
Copy link
Contributor

mjnagel commented Jul 1, 2024

Environment

N/A

Steps to reproduce

When combining remoteNamespace and remoteSelector in a single network.allow policy the generated netpol results in two separate peers. This effectively allows anything in the namespace ingress or egress rather than locking down to the specific pod.

Visual Proof (screenshots, videos, text, etc)

uds-core/src/pepr/operator/controllers/network/generate.ts

Lines 42 to 63 in de60e25

if (policy.remoteNamespace !== undefined) {
const namespaceSelector: V1LabelSelector = {};
// Add the remoteNamespace to the namespaceSelector if it exists and is not "*", otherwise match all namespaces
if (policy.remoteNamespace !== "" && policy.remoteNamespace !== "*") {
namespaceSelector.matchLabels = {
"kubernetes.io/metadata.name": policy.remoteNamespace,
};
}
// Add the remoteNamespace to the peers
peers.push({ namespaceSelector });
}
// Add the remoteSelector if they exist
if (policy.remoteSelector) {
peers.push({
podSelector: {
matchLabels: policy.remoteSelector,
},
});
}

Severity/Priority

High - this results in incorrect policies, that tend to work for the end user so they may not notice the reduced security posture.

Additional Context

Fixing this will likely be a breaking change, although it is meant to be a bugfix (behavior should've been this already).
@mjnagel mjnagel added the possible-bug Something may not be working label Jul 1, 2024
@mjnagel mjnagel changed the title Network policies generated by operator separate namespace and pod selectors Network policies generated by operator separate remote namespace and pod selectors Jul 1, 2024
@mjnagel mjnagel added bug Something isn't working operator Issues pertaining to the UDS Operator (Pepr) and removed possible-bug Something may not be working labels Jul 2, 2024
@MxNxPx MxNxPx self-assigned this Jul 8, 2024
@MxNxPx MxNxPx mentioned this issue Jul 11, 2024
Merged
4 tasks
@mjnagel mjnagel added this to the 0.25.0 milestone Jul 22, 2024
@mjnagel mjnagel closed this as completed in 9b14c2c Aug 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rjferguson21 rjferguson21

@MxNxPx MxNxPx

Labels
bug Something isn't working operator Issues pertaining to the UDS Operator (Pepr)
Projects
None yet
Milestone
0.25.0
Development

Successfully merging a pull request may close this issue.

fix: address network policy generation inter-namespace bug defenseunicorns/uds-core
3 participants
@rjferguson21 @mjnagel @MxNxPx