Jul 31st update

2025-09-29 19:24:26 +03:00 · 2024-07-31 17:15:35 +00:00
parent 705a5e6061
commit 384b59cc87
39 changed files with 1026 additions and 74 deletions
--- a/components/security_apps/local_policy_mgmt_gen/include/ingress_data.h
+++ b/components/security_apps/local_policy_mgmt_gen/include/ingress_data.h
@@ -79,6 +79,7 @@ class DefaultBackend
 {
 public:
    void load(cereal::JSONInputArchive &);
+    bool doesExist() const;

 private:
    bool is_exists = false;
@@ -90,6 +91,7 @@ public:
    void load(cereal::JSONInputArchive &archive_in);

    const std::vector<IngressDefinedRule> & getRules() const;
+    bool doesDefaultBackendExist() const;

 private:
    std::string ingress_class_name;
--- a/components/security_apps/local_policy_mgmt_gen/include/new_log_trigger.h
+++ b/components/security_apps/local_policy_mgmt_gen/include/new_log_trigger.h
@@ -129,7 +129,7 @@ public:
    bool shouldBeautifyLogs() const;

    bool getCloud() const;
-    bool isK8SNeeded() const;
+    bool isContainerNeeded() const;
    bool isCefNeeded() const;
    bool isSyslogNeeded() const;
    const std::string & getSyslogServerIpv4Address() const;
@@ -140,7 +140,7 @@ private:
    const NewLoggingService & getCefServiceData() const;

    bool cloud = false;
-    bool k8s_service = false;
+    bool container_service = false;
    bool agent_local = true;
    bool beautify_logs = true;
    NewLoggingService syslog_service;
--- a/components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
+++ b/components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
@@ -111,7 +111,7 @@ private:
    SecurityAppsWrapper security_apps;
 };

-class PolicyMakerUtils
+class PolicyMakerUtils : Singleton::Consume<I_EnvDetails>
 {
 public:
    std::string proccesSingleAppsecPolicy(
--- a/components/security_apps/local_policy_mgmt_gen/include/triggers_section.h
+++ b/components/security_apps/local_policy_mgmt_gen/include/triggers_section.h
@@ -39,7 +39,7 @@ public:
        bool _logToAgent,
        bool _logToCef,
        bool _logToCloud,
-        bool _logToK8sService,
+        bool _logToContainerService,
        bool _logToSyslog,
        bool _responseBody,
        bool _tpDetect,
@@ -73,7 +73,7 @@ private:
    bool logToAgent;
    bool logToCef;
    bool logToCloud;
-    bool logToK8sService;
+    bool logToContainerService;
    bool logToSyslog;
    bool responseBody;
    bool tpDetect;
@@ -258,7 +258,7 @@ public:
    bool shouldBeautifyLogs() const;

    bool getCloud() const;
-    bool isK8SNeeded() const;
+    bool isContainerNeeded() const;
    bool isCefNeeded() const;
    bool isSyslogNeeded() const;
    const std::string & getSyslogServerIpv4Address() const;
@@ -269,7 +269,7 @@ private:
    const LoggingService & getCefServiceData() const;

    bool cloud = false;
-    bool k8s_service = false;
+    bool container_service = false;
    bool agent_local = true;
    bool beautify_logs = true;
    LoggingService syslog_service;
--- a/components/security_apps/local_policy_mgmt_gen/ingress_data.cc
+++ b/components/security_apps/local_policy_mgmt_gen/ingress_data.cc
@@ -86,6 +86,12 @@ DefaultBackend::load(cereal::JSONInputArchive &)
    is_exists = true;
 }

+bool
+DefaultBackend::doesExist() const
+{
+    return is_exists;
+}
+
 void
 IngressSpec::load(cereal::JSONInputArchive &archive_in)
 {
@@ -101,6 +107,12 @@ IngressSpec::getRules() const
    return rules;
 }

+bool
+IngressSpec::doesDefaultBackendExist() const
+{
+    return default_backend.doesExist();
+}
+
 void
 SingleIngressData::load(cereal::JSONInputArchive &archive_in)
 {
--- a/components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
+++ b/components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
@@ -532,6 +532,16 @@ K8sPolicyUtils::createPolicy(
    map<AnnotationKeys, string> &annotations_values,
    const SingleIngressData &item) const
 {
+    if (policies.find(annotations_values[AnnotationKeys::PolicyKey]) == policies.end()) {
+        policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
+    }
+    if (item.getSpec().doesDefaultBackendExist()) {
+        dbgTrace(D_LOCAL_POLICY)
+            << "Inserting Any host rule to the specific asset set";
+        K ingress_rule = K("*");
+        policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
+    }
+
    for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
        string url = rule.getHost();
        for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
@@ -544,14 +554,12 @@ K8sPolicyUtils::createPolicy(
                    << uri.getPath()
                    << "'";
                K ingress_rule = K(url + uri.getPath());
-                appsec_policy.addSpecificRule(ingress_rule);
+                policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
            }
        }
    }
-    policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
 }

-
 std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>>
 K8sPolicyUtils::createAppsecPoliciesFromIngresses()
 {
--- a/components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc
+++ b/components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc
@@ -126,6 +126,7 @@ NewAppsecPolicySpec::load(cereal::JSONInputArchive &archive_in)
    dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec";
    parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
    parseAppsecJSONKey<NewParsedRule>("default", default_rule, archive_in);
+    default_rule.setHost("*");
    parseAppsecJSONKey<vector<NewParsedRule>>("specificRules", specific_rules, archive_in);
 }

--- a/components/security_apps/local_policy_mgmt_gen/new_log_trigger.cc
+++ b/components/security_apps/local_policy_mgmt_gen/new_log_trigger.cc
@@ -183,7 +183,9 @@ NewAppsecTriggerLogDestination::load(cereal::JSONInputArchive &archive_in)
    auto mode = Singleton::Consume<I_AgentDetails>::by<NewAppsecTriggerLogDestination>()->getOrchestrationMode();
    auto env_type = Singleton::Consume<I_EnvDetails>::by<NewAppsecTriggerLogDestination>()->getEnvType();
    bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S);
-    parseAppsecJSONKey<bool>("k8s-service", k8s_service, archive_in, k8s_service_default);
+    // BC try load previous name. TODO: update CRD
+    parseAppsecJSONKey<bool>("k8s-service", container_service, archive_in, k8s_service_default);
+    parseAppsecJSONKey<bool>("container-service", container_service, archive_in, container_service);

    NewStdoutLogging stdout_log;
    parseAppsecJSONKey<NewStdoutLogging>("stdout", stdout_log, archive_in);
@@ -224,9 +226,9 @@ NewAppsecTriggerLogDestination::getCloud() const
 }

 bool
-NewAppsecTriggerLogDestination::isK8SNeeded() const
+NewAppsecTriggerLogDestination::isContainerNeeded() const
 {
-    return k8s_service;
+    return container_service;
 }

 bool
--- a/components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
+++ b/components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
@@ -538,7 +538,7 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
    bool webHeaders = trigger_spec.getAppsecTriggerExtendedLogging().isHttpHeaders();
    bool webBody = trigger_spec.getAppsecTriggerExtendedLogging().isRequestBody();
    bool logToCloud = trigger_spec.getAppsecTriggerLogDestination().getCloud();
-    bool logToK8sService = trigger_spec.getAppsecTriggerLogDestination().isK8SNeeded();
+    bool logToContainerService = trigger_spec.getAppsecTriggerLogDestination().isContainerNeeded();
    bool logToAgent = trigger_spec.getAppsecTriggerLogDestination().isAgentLocal();
    bool beautify_logs = trigger_spec.getAppsecTriggerLogDestination().shouldBeautifyLogs();
    bool logToCef = trigger_spec.getAppsecTriggerLogDestination().isCefNeeded();
@@ -565,7 +565,7 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
        logToAgent,
        logToCef,
        logToCloud,
-        logToK8sService,
+        logToContainerService,
        logToSyslog,
        responseBody,
        tpDetect,
@@ -1636,7 +1636,9 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy(const string &policy_name, c
    createPolicyElements<T, R>(specific_rules, default_rule, appsec_policy, policy_name);

    // add default rule to policy
-    createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name);
+    if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
+        createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name);
+    }
 }

 // LCOV_EXCL_START Reason: no test exist
@@ -1659,11 +1661,13 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy<V1beta2AppsecLinuxPolicy, Ne
    );

    // add default rule to policy
-    createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>(
-        default_rule,
-        default_rule,
-        appsec_policy,
-        policy_name);
+    if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
+        createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>(
+            default_rule,
+            default_rule,
+            appsec_policy,
+            policy_name);
+    }
 }
 // LCOV_EXCL_STOP

--- a/components/security_apps/local_policy_mgmt_gen/triggers_section.cc
+++ b/components/security_apps/local_policy_mgmt_gen/triggers_section.cc
@@ -30,7 +30,7 @@ LogTriggerSection::LogTriggerSection(
    bool _logToAgent,
    bool _logToCef,
    bool _logToCloud,
-    bool _logToK8sService,
+    bool _logToContainerService,
    bool _logToSyslog,
    bool _responseBody,
    bool _tpDetect,
@@ -55,7 +55,7 @@ LogTriggerSection::LogTriggerSection(
    logToAgent(_logToAgent),
    logToCef(_logToCef),
    logToCloud(_logToCloud),
-    logToK8sService(_logToK8sService),
+    logToContainerService(_logToContainerService),
    logToSyslog(_logToSyslog),
    responseBody(_responseBody),
    tpDetect(_tpDetect),
@@ -101,7 +101,7 @@ LogTriggerSection::save(cereal::JSONOutputArchive &out_ar) const
        cereal::make_nvp("logToAgent",               logToAgent),
        cereal::make_nvp("logToCef",                 logToCef),
        cereal::make_nvp("logToCloud",               logToCloud),
-        cereal::make_nvp("logToK8sService",          logToK8sService),
+        cereal::make_nvp("logToContainerService",    logToContainerService),
        cereal::make_nvp("logToSyslog",              logToSyslog),
        cereal::make_nvp("responseBody",             responseBody),
        cereal::make_nvp("responseCode",             false),
@@ -396,7 +396,9 @@ AppsecTriggerLogDestination::load(cereal::JSONInputArchive &archive_in)
    auto mode = Singleton::Consume<I_AgentDetails>::by<AppsecTriggerLogDestination>()->getOrchestrationMode();
    auto env_type = Singleton::Consume<I_EnvDetails>::by<AppsecTriggerLogDestination>()->getEnvType();
    bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S);
-    parseAppsecJSONKey<bool>("k8s-service", k8s_service, archive_in, k8s_service_default);
+    // BC try load previous name. TODO: update CRD
+    parseAppsecJSONKey<bool>("k8s-service", container_service, archive_in, k8s_service_default);
+    parseAppsecJSONKey<bool>("container-service", container_service, archive_in, container_service);

    StdoutLogging stdout_log;
    parseAppsecJSONKey<StdoutLogging>("stdout", stdout_log, archive_in);
@@ -437,9 +439,9 @@ AppsecTriggerLogDestination::getCloud() const
 }

 bool
-AppsecTriggerLogDestination::isK8SNeeded() const
+AppsecTriggerLogDestination::isContainerNeeded() const
 {
-    return k8s_service;
+    return container_service;
 }

 bool