add NetworkNeighborhood as a collection of NetworkNeighbors

Signed-off-by: Matthias Bertschy <[email protected]>

.dockerignore

@@ -0,0 +1,3 @@
+**/.git
+vendor
+artifacts

artifacts/networkneighborhood/01-example.yaml

@@ -0,0 +1,42 @@
+apiVersion: spdx.softwarecomposition.kubescape.io/v1beta1
+kind: NetworkNeighborhood
+metadata:
+  name: deployment-nginx
+  annotations:
+    status: incomplete
+  labels:
+      "kubescape.io/workload-api-group": "apps"
+      "kubescape.io/workload-api-version": "v1"
+      "kubescape.io/workload-name": "nginx"
+      "kubescape.io/workload-kind": "deployment"
+      "kubescape.io/workload-namespace": "kubescape"
+
+spec:
+  matchLabels:
+      app: nginx
+
+  containers:
+    - name: nginx
+      ingress:
+      - type: internal
+        identifier: bla
+        namespaceSelector:
+            matchLabels:
+              name: kubescape
+        podSelector:
+            matchLabels:
+              app: kubescape-ui
+        ports:
+        -   name: TCP-6379
+            protocol: TCP
+            port: 6379
+
+      egress:
+      - type: external
+        identifier: bla
+        ipAddress: 123.5.2.3
+        dns: stripe.com
+        ports:
+        - name: TCP-5978
+          protocol: TCP
+          port: 5978

pkg/apis/softwarecomposition/network_types.go

@@ -19,6 +19,7 @@ const (
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // NetworkNeighborsList is a list of NetworkNeighbors.
+// DEPRECATED - use NetworkNeighborhoodList instead.
 type NetworkNeighborsList struct {
 	metav1.TypeMeta
 	metav1.ListMeta
@@ -30,6 +31,7 @@ type NetworkNeighborsList struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // NetworkNeighbors represents a list of network communications for a specific workload.
+// DEPRECATED - use NetworkNeighborhood instead.
 type NetworkNeighbors struct {
 	metav1.TypeMeta
 	metav1.ObjectMeta
@@ -43,11 +45,46 @@ type NetworkNeighborsSpec struct {
 	Egress               []NetworkNeighbor
 }
 
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NetworkNeighborhoodList is a list of NetworkNeighborhoods.
+type NetworkNeighborhoodList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	Items []NetworkNeighborhood
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NetworkNeighborhood represents a list of network communications for a specific workload.
+type NetworkNeighborhood struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec NetworkNeighborhoodSpec
+}
+
+type NetworkNeighborhoodSpec struct {
+	metav1.LabelSelector // The labels which are inside spec.selector in the parent workload.
+	Containers           []NetworkNeighborhoodContainer
+	InitContainers       []NetworkNeighborhoodContainer
+	EphemeralContainers  []NetworkNeighborhoodContainer
+}
+
+type NetworkNeighborhoodContainer struct {
+	Name    string
+	Ingress []NetworkNeighbor
+	Egress  []NetworkNeighbor
+}
+
 // NetworkNeighbor represents a single network communication made by this resource.
 type NetworkNeighbor struct {
 	Identifier        string
 	Type              CommunicationType
-	DNS               string
+	DNS               string // DEPRECATED - use DNSNames instead.
+	DNSNames          []string
 	Ports             []NetworkPort
 	PodSelector       *metav1.LabelSelector
 	NamespaceSelector *metav1.LabelSelector
@@ -64,6 +101,10 @@ type NetworkPort struct {
 	Port     *int32
 }
 
+func (p NetworkPort) String() string {
+	return p.Name
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // GeneratedNetworkPolicyList is a list of GeneratedNetworkPolicies.

pkg/apis/softwarecomposition/networkpolicy/networkpolicy.go

@@ -24,6 +24,8 @@ const (
 	storageV1ApiVersion = "spdx.softwarecomposition.kubescape.io"
 )
 
+// FIXME switch to NetworkNeighborhood
+
 func GenerateNetworkPolicy(networkNeighbors softwarecomposition.NetworkNeighbors, knownServers []softwarecomposition.KnownServer, timeProvider metav1.Time) (softwarecomposition.GeneratedNetworkPolicy, error) {
 	if !IsAvailable(networkNeighbors) {
 		return softwarecomposition.GeneratedNetworkPolicy{}, fmt.Errorf("networkNeighbors %s/%s status annotation is not ready", networkNeighbors.Namespace, networkNeighbors.Name)

pkg/apis/softwarecomposition/register.go

@@ -69,6 +69,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ApplicationActivityList{},
 		&NetworkNeighbors{},
 		&NetworkNeighborsList{},
+		&NetworkNeighborhood{},
+		&NetworkNeighborhoodList{},
 		&OpenVulnerabilityExchangeContainer{},
 		&OpenVulnerabilityExchangeContainerList{},
 		&GeneratedNetworkPolicyList{},

pkg/apis/softwarecomposition/types.go

@@ -296,6 +296,7 @@ func (e ExecCalls) String() string {
 		s.WriteString(sep)
 		s.WriteString(arg)
 	}
+	// FIXME should we sort the envs?
 	for _, env := range e.Envs {
 		s.WriteString(sep)
 		s.WriteString(env)
@@ -311,9 +312,10 @@ type OpenCalls struct {
 func (e OpenCalls) String() string {
 	s := strings.Builder{}
 	s.WriteString(e.Path)
-	for _, arg := range e.Flags {
+	// FIXME should we sort the flags?
+	for _, flag := range e.Flags {
 		s.WriteString(sep)
-		s.WriteString(arg)
+		s.WriteString(flag)
 	}
 	return s.String()
 }

pkg/apis/softwarecomposition/v1beta1/network_types.go

@@ -19,6 +19,7 @@ const (
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // NetworkNeighborsList is a list of NetworkNeighbors.
+// DEPRECATED - use NetworkNeighborhoodList instead.
 type NetworkNeighborsList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
@@ -30,6 +31,7 @@ type NetworkNeighborsList struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // NetworkNeighbors represents a list of network communications for a specific workload.
+// DEPRECATED - use NetworkNeighborhood instead.
 type NetworkNeighbors struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
@@ -47,11 +49,46 @@ type NetworkNeighborsSpec struct {
 	Egress []NetworkNeighbor `json:"egress" patchStrategy:"merge" patchMergeKey:"identifier"`
 }
 
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NetworkNeighborhoodList is a list of NetworkNeighborhoods.
+type NetworkNeighborhoodList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	Items []NetworkNeighborhood `json:"items"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NetworkNeighborhood represents a list of network communications for a specific workload.
+type NetworkNeighborhood struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	Spec NetworkNeighborhoodSpec `json:"spec"`
+}
+
+type NetworkNeighborhoodSpec struct {
+	metav1.LabelSelector `json:",inline"`
+	Containers           []NetworkNeighborhoodContainer `json:"containers"`
+	InitContainers       []NetworkNeighborhoodContainer `json:"initContainers"`
+	EphemeralContainers  []NetworkNeighborhoodContainer `json:"ephemeralContainers"`
+}
+
+type NetworkNeighborhoodContainer struct {
+	Name    string            `json:"name"`
+	Ingress []NetworkNeighbor `json:"ingress"`
+	Egress  []NetworkNeighbor `json:"egress"`
+}
+
 // NetworkNeighbor represents a single network communication made by this resource.
 type NetworkNeighbor struct {
 	Identifier string            `json:"identifier"` // A unique identifier for this entry
 	Type       CommunicationType `json:"type"`
-	DNS        string            `json:"dns"`
+	DNS        string            `json:"dns"` // DEPRECATED - use DNSNames instead.
+	DNSNames   []string          `json:"dnsNames"`
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	Ports             []NetworkPort         `json:"ports" patchStrategy:"merge" patchMergeKey:"name"`

pkg/apis/softwarecomposition/v1beta1/networkpolicy/networkpolicy.go

@@ -11,6 +11,8 @@ const (
 	storageV1Beta1ApiVersion = "spdx.softwarecomposition.kubescape.io/v1beta1"
 )
 
+// FIXME switch to NetworkNeighborhood
+
 func GenerateNetworkPolicy(networkNeighbors v1beta1.NetworkNeighbors, knownServers []v1beta1.KnownServer, timeProvider metav1.Time) (v1beta1.GeneratedNetworkPolicy, error) {
 	networkNeighborsV1, err := convertNetworkNeighbors(&networkNeighbors)
 	if err != nil {

pkg/apis/softwarecomposition/v1beta1/register.go

@@ -71,6 +71,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ApplicationActivityList{},
 		&NetworkNeighbors{},
 		&NetworkNeighborsList{},
+		&NetworkNeighborhood{},
+		&NetworkNeighborhoodList{},
 		&OpenVulnerabilityExchangeContainer{},
 		&OpenVulnerabilityExchangeContainerList{},
 		&GeneratedNetworkPolicyList{},