added checks for allow all ingress policies

Azure · Jan 31, 2025 · 71d0ced · 71d0ced
1 parent cdb91b2
commit 71d0ced
Showing 1 changed file with 12 additions and 20 deletions.
diff --git a/tools/azure-npm-to-cilium-validator.go b/tools/azure-npm-to-cilium-validator.go
@@ -317,9 +317,17 @@ func hasIngressPolicies(policies []networkingv1.NetworkPolicy) bool {
 func checkServiceRisk(service v1.Service, namespace string, servicePorts []string, policiesListAtNamespace []networkingv1.NetworkPolicy, safeServices []string) []string {
 	for _, policy := range policiesListAtNamespace {
 		for _, ingress := range policy.Spec.Ingress {
-			// Check if there is an allow all policy that matches labels the service is safe
+			// Check if there is an allow all ingress policy that matches labels the service is safe
 			if len(ingress.From) == 0 && len(ingress.Ports) == 0 {
-				if matchAllServiceSelector(&metav1.LabelSelector{MatchLabels: service.Spec.Selector}, &policy.Spec.PodSelector) {
+				// Check if there is an allow all ingress policy with empty selectors return true as the policy allows all services in the namespace
+				if len(policy.Spec.PodSelector.MatchLabels) == 0 {
+					fmt.Printf("found an allow all ingress policy: %s with empty selectors so service %s in the namespace %s is safe\n", policy.Name, service.Name, namespace)
+					safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))
+					return safeServices
+				}
+				// Check if there is an allow all ingress policy that matches the service labels
+				if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector.MatchLabels) {
+					fmt.Printf("found an allow all ingress policy: %s with matching selectors so service %s in the namespace %s is safe\n", policy.Name, service.Name, namespace)
 					safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))
 					return safeServices
 				}
@@ -345,26 +353,10 @@ func checkServiceRisk(service v1.Service, namespace string, servicePorts []strin
 	return safeServices
 }
 
-func matchAllServiceSelector(serviceSelector *metav1.LabelSelector, policyPodSelector *metav1.LabelSelector) bool {
-	if serviceSelector == nil || policyPodSelector == nil {
-		return false
-	}
-
-	// Get the labels from the pod selector in the network policy and selector in the service
-	policyPodLabels := policyPodSelector.MatchLabels
-	serviceLabels := serviceSelector.MatchLabels
-
-	// If the labels in the policy pod selector are present in the service selector then return true
-	if checkPolicyMatchServiceLabels(serviceLabels, policyPodLabels) {
-		return true
-	}
-
-	return false
-}
-
 func checkPolicyMatchServiceLabels(serviceLabels, policyPodLabels map[string]string) bool {
 	// Count the number of labels that match
 	matchLabelCount := 0
+
 	for policyKey, policyValue := range policyPodLabels {
 		for serviceKey, serviceValue := range serviceLabels {
 			if serviceKey == policyKey && serviceValue == policyValue {
@@ -375,7 +367,7 @@ func checkPolicyMatchServiceLabels(serviceLabels, policyPodLabels map[string]str
 
 	// If the number of labels that match is equal to the number of labels in the policy pod selector then return true
 	// as that means all the match labels in the policy pod selector are present in the service selector
-	if matchLabelCount == len(policyPodLabels) {
+	if matchLabelCount != 0 && matchLabelCount == len(policyPodLabels) {
 		return true
 	}
 	return false