fix for crds upload

2025-11-16 17:31:52 +03:00 · 2024-07-29 15:53:23 +03:00
parent 705a5e6061
commit 286c017133
7 changed files with 50 additions and 11 deletions
--- a/components/security_apps/local_policy_mgmt_gen/include/ingress_data.h
+++ b/components/security_apps/local_policy_mgmt_gen/include/ingress_data.h
@@ -79,6 +79,7 @@ class DefaultBackend
 {
 public:
    void load(cereal::JSONInputArchive &);
+    bool doesExist() const;

 private:
    bool is_exists = false;
@@ -90,6 +91,7 @@ public:
    void load(cereal::JSONInputArchive &archive_in);

    const std::vector<IngressDefinedRule> & getRules() const;
+    bool doesDefaultBackendExist() const;

 private:
    std::string ingress_class_name;
--- a/components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
+++ b/components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
@@ -111,7 +111,7 @@ private:
    SecurityAppsWrapper security_apps;
 };

-class PolicyMakerUtils
+class PolicyMakerUtils : Singleton::Consume<I_EnvDetails>
 {
 public:
    std::string proccesSingleAppsecPolicy(
--- a/components/security_apps/local_policy_mgmt_gen/ingress_data.cc
+++ b/components/security_apps/local_policy_mgmt_gen/ingress_data.cc
@@ -86,6 +86,12 @@ DefaultBackend::load(cereal::JSONInputArchive &)
    is_exists = true;
 }

+bool
+DefaultBackend::doesExist() const
+{
+    return is_exists;
+}
+
 void
 IngressSpec::load(cereal::JSONInputArchive &archive_in)
 {
@@ -101,6 +107,12 @@ IngressSpec::getRules() const
    return rules;
 }

+bool
+IngressSpec::doesDefaultBackendExist() const
+{
+    return default_backend.doesExist();
+}
+
 void
 SingleIngressData::load(cereal::JSONInputArchive &archive_in)
 {
--- a/components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
+++ b/components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
@@ -532,6 +532,16 @@ K8sPolicyUtils::createPolicy(
    map<AnnotationKeys, string> &annotations_values,
    const SingleIngressData &item) const
 {
+    if (policies.find(annotations_values[AnnotationKeys::PolicyKey]) == policies.end()) {
+        policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
+    }
+    if (item.getSpec().doesDefaultBackendExist()) {
+        dbgTrace(D_LOCAL_POLICY)
+            << "Inserting Any host rule to the specific asset set";
+        K ingress_rule = K("*");
+        policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
+    }
+
    for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
        string url = rule.getHost();
        for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
@@ -544,14 +554,12 @@ K8sPolicyUtils::createPolicy(
                    << uri.getPath()
                    << "'";
                K ingress_rule = K(url + uri.getPath());
-                appsec_policy.addSpecificRule(ingress_rule);
+                policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
            }
        }
    }
-    policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
 }

-
 std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>>
 K8sPolicyUtils::createAppsecPoliciesFromIngresses()
 {
--- a/components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc
+++ b/components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc
@@ -126,6 +126,7 @@ NewAppsecPolicySpec::load(cereal::JSONInputArchive &archive_in)
    dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec";
    parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
    parseAppsecJSONKey<NewParsedRule>("default", default_rule, archive_in);
+    default_rule.setHost("*");
    parseAppsecJSONKey<vector<NewParsedRule>>("specificRules", specific_rules, archive_in);
 }

--- a/components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
+++ b/components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
@@ -1636,7 +1636,9 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy(const string &policy_name, c
    createPolicyElements<T, R>(specific_rules, default_rule, appsec_policy, policy_name);

    // add default rule to policy
-    createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name);
+    if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
+        createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name);
+    }
 }

 // LCOV_EXCL_START Reason: no test exist
@@ -1659,11 +1661,13 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy<V1beta2AppsecLinuxPolicy, Ne
    );

    // add default rule to policy
-    createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>(
-        default_rule,
-        default_rule,
-        appsec_policy,
-        policy_name);
+    if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
+        createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>(
+            default_rule,
+            default_rule,
+            appsec_policy,
+            policy_name);
+    }
 }
 // LCOV_EXCL_STOP