github_mirrors/attachment
3
0
Fork 1
mirror of https://github.com/openappsec/attachment.git synced 2025-07-16 07:24:46 +03:00
Code Issues Packages Projects Releases Wiki Activity

Kong k8s (#38)

Browse Source 
* make the webhook generic

* add service account

* change variable name

* remove the comments

---------

Co-authored-by: wiaamm <wiaamm@checkpoint.com>
This commit is contained in:
Daniel-Eisenberg 2025-07-02 16:37:09 +03:00 committed by GitHub
parent c59e4d0e76
commit 479f605800
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 167 additions and 130 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

173
docker/openappsec-waf-webhook/webhook_server.py
View File

@ -15,6 +15,7 @@ app = Flask(__name__)
AGENT_IMAGE = os.getenv('AGENT_IMAGE', 'ghcr.io/openappsec/agent') AGENT_IMAGE = os.getenv('AGENT_IMAGE', 'ghcr.io/openappsec/agent')
AGENT_TAG = os.getenv('AGENT_TAG', 'latest') AGENT_TAG = os.getenv('AGENT_TAG', 'latest')
AGENT_CPU = os.getenv('AGENT_CPU', '200m') AGENT_CPU = os.getenv('AGENT_CPU', '200m')
PROXY_KIND = os.getenv('PROXY_KIND', 'istio')
INIT_CONTAINER_IMAGE = os.getenv('INIT_CONTAINER_IMAGE', 'ghcr.io/openappsec/openappsec-envoy-filters') INIT_CONTAINER_IMAGE = os.getenv('INIT_CONTAINER_IMAGE', 'ghcr.io/openappsec/openappsec-envoy-filters')
INIT_CONTAINER_TAG = os.getenv('INIT_CONTAINER_TAG', 'latest') INIT_CONTAINER_TAG = os.getenv('INIT_CONTAINER_TAG', 'latest')
ISTIOD_PORT = os.getenv('ISTIOD_PORT', '15014') ISTIOD_PORT = os.getenv('ISTIOD_PORT', '15014')
@ -23,6 +24,10 @@ FULL_INIT_CONTAINER_IMAGE = f"{INIT_CONTAINER_IMAGE}:{INIT_CONTAINER_TAG}"
config.load_incluster_config() config.load_incluster_config()
def is_istio_agent():
"""Check if the current agent kind is Istio"""
return PROXY_KIND.lower() == "istio"
def configure_logging(): def configure_logging():
# Read the DEBUG_LEVEL from environment variables, defaulting to WARNING # Read the DEBUG_LEVEL from environment variables, defaulting to WARNING
DEBUG_LEVEL = os.getenv('DEBUG_LEVEL', 'WARNING').upper() DEBUG_LEVEL = os.getenv('DEBUG_LEVEL', 'WARNING').upper()
@ -45,7 +50,6 @@ def configure_logging():
formatter = logging.Formatter('%(asctime)s - %(levelname)s - %(message)s') formatter = logging.Formatter('%(asctime)s - %(levelname)s - %(message)s')
handler.setFormatter(formatter) handler.setFormatter(formatter)
# Remove any existing handlers
if app.logger.hasHandlers(): if app.logger.hasHandlers():
app.logger.handlers.clear() app.logger.handlers.clear()
@ -58,16 +62,21 @@ def get_sidecar_container():
token = os.getenv("TOKEN") token = os.getenv("TOKEN")
custom_fog_enabled = os.getenv("CUSTOM_FOG_ENABLED") == "true" # Check if it's set to "true" custom_fog_enabled = os.getenv("CUSTOM_FOG_ENABLED") == "true" # Check if it's set to "true"
fog_address = os.getenv("FOG_ADDRESS") fog_address = os.getenv("FOG_ADDRESS")
registered_server = os.getenv("REGISTERED_SERVER")
appsec_proxy = os.getenv("APPSEC_PROXY") appsec_proxy = os.getenv("APPSEC_PROXY")
config_map_ref = os.getenv("CONFIG_MAP_REF") config_map_ref = os.getenv("CONFIG_MAP_REF")
secret_ref = os.getenv("SECRET_REF") secret_ref = os.getenv("SECRET_REF")
persistence_enabled = os.getenv("APPSEC_PERSISTENCE_ENABLED", "false").lower() == "true" persistence_enabled = os.getenv("APPSEC_PERSISTENCE_ENABLED", "false").lower() == "true"
# Prepare the volumeMounts list if is_istio_agent():
volume_mounts = [ volume_mounts = [
{"name": "envoy-attachment-shared", "mountPath": "/envoy/attachment/shared/"}, {"name": "envoy-attachment-shared", "mountPath": "/envoy/attachment/shared/"},
{"name": "advanced-model", "mountPath": "/advanced-model"} {"name": "advanced-model", "mountPath": "/advanced-model"}
] ]
else:
volume_mounts = [
{"name": "advanced-model", "mountPath": "/advanced-model"}
]
if persistence_enabled: if persistence_enabled:
volume_mounts.extend([ volume_mounts.extend([
@ -99,14 +108,12 @@ def get_sidecar_container():
"CRDS_SCOPE": os.getenv("CRDS_SCOPE"), "CRDS_SCOPE": os.getenv("CRDS_SCOPE"),
} }
# Base environment variables
env = [ env = [
{"name": "registered_server", "value": "ISTIO Server"} {"name": "registered_server", "value": registered_server}
] ]
# Add optional environment variables if they are set
for var_name, var_value in optional_env_vars.items(): for var_name, var_value in optional_env_vars.items():
if var_value is not None: # Only add if the variable is set if var_value is not None:
env.append({"name": var_name, "value": var_value}) env.append({"name": var_name, "value": var_value})
sidecar = { sidecar = {
@ -149,7 +156,7 @@ def get_istio_version():
url = f"http://istiod.istio-system:{ISTIOD_PORT}/version" url = f"http://istiod.istio-system:{ISTIOD_PORT}/version"
response = requests.get(url) response = requests.get(url)
if response.status_code == 200: if response.status_code == 200:
return response.text.strip().split('-')[0] # Extracting version return response.text.strip().split('-')[0]
else: else:
raise Exception(f"Failed to get Istio version: {response.status_code}") raise Exception(f"Failed to get Istio version: {response.status_code}")
@ -209,7 +216,6 @@ def get_init_container():
app.logger.debug("Exiting get_init_container()") app.logger.debug("Exiting get_init_container()")
return init_container return init_container
# The volume mount configuration for both the original and sidecar containers
def get_volume_mount(): def get_volume_mount():
app.logger.debug("Entering get_volume_mount()") app.logger.debug("Entering get_volume_mount()")
volume_mount = { volume_mount = {
@ -220,12 +226,12 @@ def get_volume_mount():
app.logger.debug("Exiting get_volume_mount()") app.logger.debug("Exiting get_volume_mount()")
return volume_mount return volume_mount
# Volume definition for the pod
def get_volume_definition(): def get_volume_definition():
app.logger.debug("Entering get_volume_definition()") app.logger.debug("Entering get_volume_definition()")
persistence_enabled = os.getenv("APPSEC_PERSISTENCE_ENABLED", "false").lower() == "true" persistence_enabled = os.getenv("APPSEC_PERSISTENCE_ENABLED", "false").lower() == "true"
if is_istio_agent():
volume_def = [ volume_def = [
{ {
"name": "envoy-attachment-shared", "name": "envoy-attachment-shared",
@ -239,6 +245,16 @@ def get_volume_definition():
} }
} }
] ]
else:
volume_def = [
{
"name": "advanced-model",
"configMap": {
"name": "advanced-model-config",
"optional": True
}
}
]
if persistence_enabled: if persistence_enabled:
volume_def.extend([ volume_def.extend([
@ -385,7 +401,6 @@ def remove_env_variable(containers, container_name, env_var_name, patches):
def create_or_update_envoy_filter(name, namespace, selector_label_name, selector_label_value): def create_or_update_envoy_filter(name, namespace, selector_label_name, selector_label_value):
api = client.CustomObjectsApi() api = client.CustomObjectsApi()
# Define the EnvoyFilter specification
envoy_filter_spec = { envoy_filter_spec = {
"apiVersion": "networking.istio.io/v1alpha3", "apiVersion": "networking.istio.io/v1alpha3",
"kind": "EnvoyFilter", "kind": "EnvoyFilter",
@ -439,7 +454,6 @@ def create_or_update_envoy_filter(name, namespace, selector_label_name, selector
} }
} }
# Check if the EnvoyFilter exists
try: try:
existing_envoy_filter = api.get_namespaced_custom_object( existing_envoy_filter = api.get_namespaced_custom_object(
group="networking.istio.io", group="networking.istio.io",
@ -559,8 +573,10 @@ def mutate():
app.logger.debug("Current containers in the pod: %s", json.dumps(containers, indent=2)) app.logger.debug("Current containers in the pod: %s", json.dumps(containers, indent=2))
sidecar_exists = any(container['name'] == 'open-appsec-nano-agent' for container in containers) sidecar_exists = any(container['name'] == 'open-appsec-nano-agent' for container in containers)
init_container_exist = any(init_container['name'] == 'prepare-attachment' for init_container in init_containers) init_container_exist = any(init_container['name'] == 'prepare-attachment' for init_container in init_containers)
volume_exist = any(volume['name'] == 'envoy-attachment-shared' for volume in volumes) # Only check for envoy-attachment-shared volume if agent kind is Istio
volume_exist = any(volume['name'] == 'envoy-attachment-shared' for volume in volumes) if is_istio_agent() else False
app.logger.debug("Does sidecar 'open-appsec-nano-agent' exist? %s", sidecar_exists) app.logger.debug("Does sidecar 'open-appsec-nano-agent' exist? %s", sidecar_exists)
app.logger.debug("Agent kind: %s", PROXY_KIND)
# Determine if we should remove the injected data # Determine if we should remove the injected data
REMOVE_WAF = os.getenv('REMOVE_INJECTED_DATA', 'false').lower() == 'true' REMOVE_WAF = os.getenv('REMOVE_INJECTED_DATA', 'false').lower() == 'true'
@ -574,12 +590,14 @@ def mutate():
CONFIG_PORT_VALUE = os.getenv('CONFIG_PORT') CONFIG_PORT_VALUE = os.getenv('CONFIG_PORT')
CONCURRENCY_NUMBER_VALUE = os.getenv('CONCURRENCY_NUMBER') CONCURRENCY_NUMBER_VALUE = os.getenv('CONCURRENCY_NUMBER')
if REMOVE_WAF: if REMOVE_WAF:
app.logger.debug("Removing injected sidecar and associated resources.")
if is_istio_agent():
app.logger.debug("PROXY_KIND is istio, removing Istio-specific components.")
if DEPLOY_FILTER and SELECTOR_LABEL_NAME and SELECTOR_LABEL_VALUE: if DEPLOY_FILTER and SELECTOR_LABEL_NAME and SELECTOR_LABEL_VALUE:
remove_envoy_filter_by_selector(namespace, SELECTOR_LABEL_NAME, SELECTOR_LABEL_VALUE) remove_envoy_filter_by_selector(namespace, SELECTOR_LABEL_NAME, SELECTOR_LABEL_VALUE)
app.logger.debug("Removing injected sidecar and associated resources.")
# Remove ld library path env variable
if ISTIO_CONTAINER_NAME: if ISTIO_CONTAINER_NAME:
if CONCURRENCY_NUMBER_VALUE: if CONCURRENCY_NUMBER_VALUE:
remove_env_variable(containers, ISTIO_CONTAINER_NAME, 'CONCURRENCY_NUMBER', patches) remove_env_variable(containers, ISTIO_CONTAINER_NAME, 'CONCURRENCY_NUMBER', patches)
@ -599,7 +617,6 @@ def mutate():
else: else:
app.logger.debug("shareProcessNamespace not found; no patch to remove it") app.logger.debug("shareProcessNamespace not found; no patch to remove it")
# Remove the init container if it exists
if init_container_exist: if init_container_exist:
for idx, init_container in enumerate(init_containers): for idx, init_container in enumerate(init_containers):
if init_container['name'] == 'prepare-attachment': if init_container['name'] == 'prepare-attachment':
@ -608,12 +625,23 @@ def mutate():
"path": f"/spec/initContainers/{idx}" "path": f"/spec/initContainers/{idx}"
}) })
app.logger.debug(f"Removed init container patch: {patches[-1]}") app.logger.debug(f"Removed init container patch: {patches[-1]}")
break # Stop once we find and remove the target container break
else:
app.logger.debug(f"PROXY_KIND is {PROXY_KIND}, skipping Istio-specific removal.")
# For kong agents, set automountServiceAccountToken back to false
if 'automountServiceAccountToken' in obj.get('spec', {}):
patches.append({
"op": "replace",
"path": "/spec/automountServiceAccountToken",
"value": False
})
app.logger.debug("Set automountServiceAccountToken=false for kong agent removal")
# Remove the sidecar container if it exists
if sidecar_exists: if sidecar_exists:
for idx, container in enumerate(containers): for idx, container in enumerate(containers):
volume_mounts = container.get('volumeMounts', []) volume_mounts = container.get('volumeMounts', [])
if is_istio_agent():
for idx_v, volume_mount in enumerate(volume_mounts): for idx_v, volume_mount in enumerate(volume_mounts):
if volume_mount['name'] == 'envoy-attachment-shared': if volume_mount['name'] == 'envoy-attachment-shared':
patches.append({ patches.append({
@ -628,32 +656,30 @@ def mutate():
}) })
app.logger.debug(f"Removed sidecar container patch: {patches[-1]}") app.logger.debug(f"Removed sidecar container patch: {patches[-1]}")
# Remove the volume if it exists
if volume_exist: if volume_exist:
for idx, volume in enumerate(volumes): for idx, volume in enumerate(volumes):
if volume['name'] == 'envoy-attachment-shared': if is_istio_agent() and volume['name'] == 'envoy-attachment-shared':
patches.append({ patches.append({
"op": "remove", "op": "remove",
"path": f"/spec/volumes/{idx}" "path": f"/spec/volumes/{idx}"
}) })
app.logger.debug(f"Removed volume patch: {patches[-1]}") app.logger.debug(f"Removed volume patch: {patches[-1]}")
break # Stop once we find and remove the target container break
else: else:
app.logger.debug("Before if: Sidecar 'open-appsec-nano-agent' does not exist. Preparing to add it.") app.logger.debug("Before if: Sidecar 'open-appsec-nano-agent' does not exist. Preparing to add it.")
# Define the sidecar container
sidecar = get_sidecar_container() sidecar = get_sidecar_container()
# Define the init container() volume_def = get_volume_definition()
if is_istio_agent():
app.logger.debug("PROXY_KIND is istio, adding Istio-specific components.")
init_container = get_init_container() init_container = get_init_container()
# Define the volume mount for istio-proxy
volume_mount = get_volume_mount() volume_mount = get_volume_mount()
# Define the volume
volume_def = get_volume_definition()
if ISTIO_CONTAINER_NAME: if ISTIO_CONTAINER_NAME:
add_env_if_not_exist(containers, ISTIO_CONTAINER_NAME, patches) add_env_if_not_exist(containers, ISTIO_CONTAINER_NAME, patches)
add_env_variable_value_from(containers, ISTIO_CONTAINER_NAME, 'OPENAPPSEC_UID', None, patches, value_from={"fieldRef": {"fieldPath": "metadata.uid"}}) add_env_variable_value_from(containers, ISTIO_CONTAINER_NAME, 'OPENAPPSEC_UID', None, patches, value_from={"fieldRef": {"fieldPath": "metadata.uid"}})
@ -668,10 +694,6 @@ def mutate():
else: else:
app.logger.debug("ISTIO_CONTAINER_NAME skipping environment variable addition") app.logger.debug("ISTIO_CONTAINER_NAME skipping environment variable addition")
# Add the sidecar container
if not sidecar_exists:
# Add shareProcessNamespace if not already set
patches.append({ patches.append({
"op": "add", "op": "add",
"path": "/spec/shareProcessNamespace", "path": "/spec/shareProcessNamespace",
@ -679,14 +701,6 @@ def mutate():
}) })
app.logger.debug("Added shareProcessNamespace patch") app.logger.debug("Added shareProcessNamespace patch")
patches.append({
"op": "add",
"path": "/spec/containers/-",
"value": sidecar
})
app.logger.debug("Added sidecar container patch: %s", patches[-1])
# Add the volume mount to istio-proxy container (assumes istio-proxy is first container)
patches.append({ patches.append({
"op": "add", "op": "add",
"path": "/spec/containers/0/volumeMounts/-", "path": "/spec/containers/0/volumeMounts/-",
@ -694,7 +708,49 @@ def mutate():
}) })
app.logger.debug("Added volume mount patch to istio-proxy: %s", patches[-1]) app.logger.debug("Added volume mount patch to istio-proxy: %s", patches[-1])
# Add the new volume definition if not init_container_exist:
if 'initContainers' in obj['spec']:
obj['spec']['initContainers'].append(init_container)
else:
obj['spec']['initContainers'] = [init_container]
patches.append({
"op": "add",
"path": "/spec/initContainers",
"value": obj['spec']['initContainers']
})
if DEPLOY_FILTER and SELECTOR_LABEL_NAME and SELECTOR_LABEL_VALUE:
RELEASE_NAME = os.getenv('RELEASE_NAME', 'openappsec-waf-injected')
envoy_filter_name = RELEASE_NAME + "-waf-filter"
create_or_update_envoy_filter(envoy_filter_name, namespace, SELECTOR_LABEL_NAME, SELECTOR_LABEL_VALUE)
else:
app.logger.debug(f"PROXY_KIND is {PROXY_KIND}, skipping Istio-specific components.")
current_spec = obj.get('spec', {})
if 'automountServiceAccountToken' in current_spec:
patches.append({
"op": "replace",
"path": "/spec/automountServiceAccountToken",
"value": True
})
app.logger.debug("Replaced existing automountServiceAccountToken=true for kong agent")
else:
patches.append({
"op": "add",
"path": "/spec/automountServiceAccountToken",
"value": True
})
app.logger.debug("Added automountServiceAccountToken=true for kong agent")
if not sidecar_exists:
patches.append({
"op": "add",
"path": "/spec/containers/-",
"value": sidecar
})
app.logger.debug("Added sidecar container patch: %s", patches[-1])
for volume in volume_def: for volume in volume_def:
patches.append({ patches.append({
"op": "add", "op": "add",
@ -702,15 +758,9 @@ def mutate():
"value": volume "value": volume
}) })
app.logger.debug("Added volume definition patch: %s", patches[-1]) app.logger.debug("Added volume definition patch: %s", patches[-1])
if DEPLOY_FILTER and SELECTOR_LABEL_NAME and SELECTOR_LABEL_VALUE:
RELEASE_NAME = os.getenv('RELEASE_NAME', 'openappsec-waf-injected')
envoy_filter_name = RELEASE_NAME + "-waf-filter"
create_or_update_envoy_filter(envoy_filter_name, namespace, SELECTOR_LABEL_NAME, SELECTOR_LABEL_VALUE)
else: else:
app.logger.debug("Before else: Sidecar 'open-appsec-nano-agent' already exists. Checking for image updates.") app.logger.debug("Before else: Sidecar 'open-appsec-nano-agent' already exists. Checking for image updates.")
# Optionally, update the sidecar image and tag if necessary
for idx, container in enumerate(containers): for idx, container in enumerate(containers):
if container['name'] == 'open-appsec-nano-agent': if container['name'] == 'open-appsec-nano-agent':
current_image = container.get('image', '') current_image = container.get('image', '')
@ -723,37 +773,24 @@ def mutate():
"value": FULL_AGENT_IMAGE "value": FULL_AGENT_IMAGE
}) })
app.logger.debug(f"Updated sidecar image patch: {patches[-1]}") app.logger.debug(f"Updated sidecar image patch: {patches[-1]}")
break # Sidecar found and handled break
if not init_container_exist: if is_istio_agent() and init_container_exist:
# Add the initContainer to the pod spec in the deployment
if 'initContainers' in obj['spec']:
obj['spec']['initContainers'].append(init_container)
else:
obj['spec']['initContainers'] = [init_container]
patches.append({
"op": "add",
"path": "/spec/initContainers",
"value": obj['spec']['initContainers']
})
else:
app.logger.debug("Before else: init-container 'prepare-attachment' already exists. Checking for image updates.") app.logger.debug("Before else: init-container 'prepare-attachment' already exists. Checking for image updates.")
# Optionally, update the sidecar image and tag if necessary for idx, container in enumerate(init_containers):
for idx, container in enumerate(containers):
if container['name'] == 'prepare-attachment': if container['name'] == 'prepare-attachment':
current_image = container.get('image', '') current_image = container.get('image', '')
app.logger.debug("Current init container image: %s", current_image) app.logger.debug("Current init container image: %s", current_image)
app.logger.debug("Desired init container image: %s", FULL_AGENT_IMAGE) app.logger.debug("Desired init container image: %s", FULL_INIT_CONTAINER_IMAGE)
if current_image != FULL_AGENT_IMAGE: if current_image != FULL_INIT_CONTAINER_IMAGE:
patches.append({ patches.append({
"op": "replace", "op": "replace",
"path": f"/spec/containers/{idx}/image", "path": f"/spec/initContainers/{idx}/image",
"value": FULL_AGENT_IMAGE "value": FULL_INIT_CONTAINER_IMAGE
}) })
app.logger.debug(f"Updated sidecar image patch: {patches[-1]}") app.logger.debug(f"Updated init container image patch: {patches[-1]}")
break # Sidecar found and handled break
app.logger.info("Total patches: %s", json.dumps(patches, indent=2)) app.logger.info("Total patches: %s", json.dumps(patches, indent=2))