diff --git a/components/security_apps/local_policy_mgmt_gen/include/ingress_data.h b/components/security_apps/local_policy_mgmt_gen/include/ingress_data.h
index 16d7e78..2403290 100644
--- a/components/security_apps/local_policy_mgmt_gen/include/ingress_data.h
+++ b/components/security_apps/local_policy_mgmt_gen/include/ingress_data.h
@@ -79,6 +79,7 @@ class DefaultBackend
 {
 public:
 void load(cereal::JSONInputArchive &);
+ bool doesExist() const;
 private:
 bool is_exists = false;
@@ -90,6 +91,7 @@ public:
 void load(cereal::JSONInputArchive &archive_in);
 const std::vector & getRules() const;
+ bool doesDefaultBackendExist() const;
 private:
 std::string ingress_class_name;
diff --git a/components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h b/components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
index 7575720..c760f6e 100644
--- a/components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
+++ b/components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
@@ -111,7 +111,7 @@ private:
 SecurityAppsWrapper security_apps;
 };
-class PolicyMakerUtils
+class PolicyMakerUtils : Singleton::Consume
 {
 public:
 std::string proccesSingleAppsecPolicy(
diff --git a/components/security_apps/local_policy_mgmt_gen/ingress_data.cc b/components/security_apps/local_policy_mgmt_gen/ingress_data.cc
index 8be6f1d..2a6128f 100755
--- a/components/security_apps/local_policy_mgmt_gen/ingress_data.cc
+++ b/components/security_apps/local_policy_mgmt_gen/ingress_data.cc
@@ -86,6 +86,12 @@ DefaultBackend::load(cereal::JSONInputArchive &)
 is_exists = true;
 }
+bool
+DefaultBackend::doesExist() const
+{
+ return is_exists;
+}
+
 void
 IngressSpec::load(cereal::JSONInputArchive &archive_in)
 {
@@ -101,6 +107,12 @@ IngressSpec::getRules() const
 return rules;
 }
+bool
+IngressSpec::doesDefaultBackendExist() const
+{
+ return default_backend.doesExist();
+}
+
 void
 SingleIngressData::load(cereal::JSONInputArchive &archive_in)
 {
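Review bot: The new `doesExist()` declaration carries no comment saying what is meant to exist, and the name reads as a property of the object rather than of the parsed ingress spec; the ingress_data.cc hunk shows it returns `is_exists`, which `DefaultBackend::load` sets to true, so the flag records that a defaultBackend entry was present in the JSON. Add `/// True when the ingress spec contained a defaultBackend entry (set by load()).` above the declaration, and the same sentence above `doesDefaultBackendExist()` in the second hunk of this file. Both class bodies begin outside their hunks.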
diff --git a/components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc b/components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
index 33f4522..57a81a2 100644
--- a/components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
+++ b/components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
@@ -532,6 +532,16 @@ K8sPolicyUtils::createPolicy(
 map &annotations_values,
 const SingleIngressData &item) const
 {
+ if (policies.find(annotations_values[AnnotationKeys::PolicyKey]) == policies.end()) {
+ policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
+ }
+ if (item.getSpec().doesDefaultBackendExist()) {
+ dbgTrace(D_LOCAL_POLICY)
+ << "Inserting Any host rule to the specific asset set";
+ K ingress_rule = K("*");
+ policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
+ }
+
 for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
 string url = rule.getHost();
 for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
@@ -544,14 +554,12 @@ K8sPolicyUtils::createPolicy(
 << uri.getPath() << "'";
 K ingress_rule = K(url + uri.getPath());
- appsec_policy.addSpecificRule(ingress_rule);
+ policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
 }
 }
 }
- policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
 }
-
 std::tuple, map>
 K8sPolicyUtils::createAppsecPoliciesFromIngresses()
 {
diff --git a/components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc b/components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc
index a040f65..dd15280 100755
--- a/components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc
+++ b/components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc
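Review bot: `annotations_values[AnnotationKeys::PolicyKey]` is looked up four times in the first hunk and once more in the second, each time through operator[] on a non-const `map`, so if the annotation is missing an empty key is default-inserted and every rule is filed under the empty-string policy; the removed assignment did this once, the new code repeats it per rule. Resolve the key and the policy entry once at the top of the function, `const auto &policy_key = annotations_values[AnnotationKeys::PolicyKey];` and `auto &policy = policies.emplace(policy_key, appsec_policy).first->second;`, which folds the find/insert pair into a single lookup that keeps an existing entry, then call `policy.addSpecificRule(ingress_rule);` at both sites. A trace at the level of the one already added for the any-host rule when `policy_key` is empty would make the missing-annotation case visible in logs. The function's parameter list starts before the first hunk and its closing brace is in the second.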
@@ -126,6 +126,7 @@ NewAppsecPolicySpec::load(cereal::JSONInputArchive &archive_in)
 dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec";
 parseAppsecJSONKey("appsecClassName", appsec_class_name, archive_in);
 parseAppsecJSONKey("default", default_rule, archive_in);
+ default_rule.setHost("*");
 parseAppsecJSONKey>("specificRules", specific_rules, archive_in);
 }
diff --git a/components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc b/components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
index 2d54e7d..fa80d08 100755
--- a/components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
+++ b/components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
@@ -1636,7 +1636,9 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy(const string &policy_name, c
 createPolicyElements(specific_rules, default_rule, appsec_policy, policy_name);
 // add default rule to policy
- createPolicyElementsByRule(default_rule, default_rule, appsec_policy, policy_name);
+ if (Singleton::Consume::by()->getEnvType() != EnvType::K8S) {
+ createPolicyElementsByRule(default_rule, default_rule, appsec_policy, policy_name);
+ }
 }
 // LCOV_EXCL_START Reason: no test exist
@@ -1659,11 +1661,13 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy(
- default_rule,
- default_rule,
- appsec_policy,
- policy_name);
+ if (Singleton::Consume::by()->getEnvType() != EnvType::K8S) {
+ createPolicyElementsByRule(
+ default_rule,
+ default_rule,
+ appsec_policy,
+ policy_name);
+ }
 }
 // LCOV_EXCL_STOP
diff --git a/nodes/orchestration/package/open-appsec-cloud-mgmt-k8s b/nodes/orchestration/package/open-appsec-cloud-mgmt-k8s
index 7a873b8..5e3e24a 100755
--- a/nodes/orchestration/package/open-appsec-cloud-mgmt-k8s
+++ b/nodes/orchestration/package/open-appsec-cloud-mgmt-k8s
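Review bot: `default_rule.setHost("*")` overwrites a field of an object that was just deserialized, and nothing in the function says why; a reader cannot tell whether the wildcard is a placeholder or a contract other code relies on (the k8s_policy_utils.cc hunk in this commit adds a `K("*")` rule for the same purpose, so it appears to be the latter). Add above the call `// the default rule applies to every host; tag it "*" so it is handled like a specific rule`, and if the default rule's load() also reads a host key, state in that comment that any value given there is discarded. The enclosing load() begins before the hunk.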
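Review bot: The `Singleton::Consume::by()->getEnvType() != EnvType::K8S` test is duplicated verbatim in both hunks of this file, so the next environment needing the same exemption, or a renamed enum value, has to be patched twice; factor it into one private helper such as `bool PolicyMakerUtils::shouldAddDefaultRule() const` that returns that comparison, declared in policy_maker_utils.h, and write both sites as `if (shouldAddDefaultRule()) {`. The new condition also means that on K8s the generated policy has no default element at all unless an ingress with a default backend contributed the any-host rule in k8s_policy_utils.cc; if that is intended, say so by replacing `// add default rule to policy` with `// add default rule to policy; on K8s the ingress default backend supplies the any-host rule instead`. Both overloads of createAgentPolicyFromAppsecPolicy begin before their hunks, and the second hunk starts in the middle of the removed call.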
@@ -13,6 +13,10 @@ profile_id=
 cluster_id=
 latest_policy_version=1
+if [ -f $POLICY_CRDS_PATH ]; then
+ chmod 644 $POLICY_CRDS_PATH
+fi
+
 load_agent_details()
 {
 tenant_id=$(awk -F\" '/Tenant ID/{print $4}' /etc/cp/conf/agent_details.json)
@@ -29,7 +33,7 @@ get_latest_policy_version()
 bucket_list=$(curl -s -w "%{http_code}\n" --request GET \
 -H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Authorization: Bearer ${ra_token}" \
 "$var_fog/agents-core/storage/?list-type=2&prefix=${tenant_id}/${profile_id}")
- paths_list=$(echo $bucket_list | /etc/cp/bin/yq -p xml | grep "/policy")
+ paths_list=$(echo $bucket_list | awk -F'|' '/policy-/ {for (i = 1; i <= NF; i++) if ($i ~ /policy/) print $i}')
 prefix="${tenant_id}/${profile_id}"
 paths=$(echo $paths_list | tr " " "\n" | grep / )
@@ -257,6 +261,7 @@ usage()
 echo "Options:"
 echo " --fog : Namespace with the relevant Helm Chart"
 echo " --upload_policy_only : Upload policy to the fog, withput changing agent mode"
+ echo " --debug : Keep the debuging files"
 exit 255
 }
@@ -277,6 +282,8 @@ validate_arg_value_exists()
 fi
 }
+debug_mode="false"
+
 while true; do
 if [ "$1" = "--token" ]; then
 validate_arg_value_exists "$1" "$#"
@@ -290,6 +297,8 @@ while true; do
 validate_arg_value_exists "$1" "$#"
 shift
 ra_token="$1"
+ elif [ "$1" = "--debug" ]; then
+ debug_mode="true"
 elif [ -z "$1" ]; then
 break
 fi
@@ -305,5 +314,8 @@ upload_crds_to_the_cloud
 if [ "$?" = "0" ]; then
 echo "SUCCESS"
 fi
+if [ "$debug_mode" = "false" ]; then
+ rm $POLICY_CRDS_PATH
+fi
 exit 0
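Review bot: `$POLICY_CRDS_PATH` is unquoted in `[ -f $POLICY_CRDS_PATH ]`, in `chmod 644 $POLICY_CRDS_PATH`, and in `rm $POLICY_CRDS_PATH` in the last hunk; the variable is defined outside these hunks, and if it is ever empty the test becomes `[ -f ]`, which is true, so chmod and rm run with no operand, while a path containing whitespace is split into several. Quote it at all three sites, `if [ -f "$POLICY_CRDS_PATH" ]; then` and `rm -f "$POLICY_CRDS_PATH"`, the `-f` so that a file already gone in non-debug mode does not print an error right before `exit 0`. `chmod 644` also makes the CRD file world-readable with no comment on why; if another uid must read it during upload, say so in a one-line comment, otherwise use the narrowest mode that works. Note the removal also runs when the upload reported failure, so nothing is left for diagnosis unless `--debug` was passed.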
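Review bot: The new help line misspells "debugging" in user-facing text, `echo " --debug : Keep the debuging files"`; change it to `echo " --debug : Keep the debugging files"`, keeping whatever column alignment the neighbouring option lines use, which the collapsed diff does not show. The pre-existing "withput" on the line above could be fixed in the same pass.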