Commit

feat(network-policy): configure ignored IP networks
danielpacak committed May 24, 2023
1 parent 67ab925 commit 2711d34
Showing 10 changed files with 130 additions and 22 deletions.
44 changes: 40 additions & 4 deletions .github/workflows/verify-pr.yaml
@@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout Code
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

- name: Run Cimon
uses: ./
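Review bot: moving the checkout pin from a bare SHA to a SHA with a `# v3.5.2` comment is the right way to pin a third-party action, since the comment makes the version reviewable while the SHA stays immutable; the identical bump is repeated in the two hunks below, so consider letting a dependency bot maintain the SHA and comment together rather than editing three copies by hand.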
@@ -42,7 +42,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout Code
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

- name: Run Cimon
uses: ./
@@ -55,7 +55,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout Code
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

- name: Run Cimon
uses: ./
@@ -71,4 +71,40 @@ jobs:
run: |
curl -I https://cycode.com
curl -I https://github.com
test-docker-compose:
runs-on: ubuntu-22.04
needs:
- verify-standard
- verify-fail-on-error
- verify-no-artifact
steps:
- name: Checkout Code
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

- name: Run Cimon
uses: ./
with:
client-id: ${{ secrets.CIMON_CLIENT_ID }}
secret: ${{ secrets.CIMON_SECRET }}

- name: Create and Start Containers
run: |
docker compose \
--project-name cimon-tests \
--file tests/docker-compose/docker-compose.yaml \
up --detach
- name: Run Tests
run: |
./tests/docker-compose/test.sh
docker network inspect cimon-tests_default
ps aux | grep docker-proxy
- name: Stop and Remove Containers, Networks
run: |
docker compose \
--project-name cimon-tests \
--file tests/docker-compose/docker-compose.yaml \
down
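Review bot: the paths in the new `test-docker-compose` job do not match the files this commit adds: the steps reference `tests/docker-compose/docker-compose.yaml` and `./tests/docker-compose/test.sh`, but the Dockerfile, app.py, docker-compose.yaml, requirements.txt and test.sh are all added under `tests/docker-compose/docker-compose/`, so both `docker compose up` and `Run Tests` will fail with file-not-found unless the fixture is moved up one level or the workflow paths are extended. Two smaller points: `Stop and Remove Containers, Networks` only runs when the previous steps succeed, so give it `if: always()` so a failing test does not leave containers attached to the network Cimon is observing; and `ps aux | grep docker-proxy` is diagnostic output rather than an assertion (and will also match its own grep process), so either drop it or turn the network expectations into checks that fail the step.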
37 changes: 19 additions & 18 deletions README.md
@@ -23,24 +23,25 @@ steps:
The action supports the following parameters:
| Name | Default | Description |
|--------------------------|-------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `client-id` | | Cimon client ID for authentication |
| `secret` | | Cimon secret for authentication |
| `prevent` | `false` | Enable prevention mode |
| `allowed-ips` | | A comma or white space separated list of allowed IP addresses |
| `allowed-hosts` | | A comma or white space separated list of allowed domain names. The left-most label can be the wildcard character (`*`) to match multiple subdomains (e.g. `*.example.com`). |
| `github-token` | `${{ github.token }}` | GitHub token (used to overcome GitHub rate limiting) |
| `report-job-summary` | `true` | Report results through job summary output |
| `report-process-tree` | `false` | Enable to report the process tree |
| `report-artifact-log` | `true` | Report logs through job artifact |
| `slack-webhook-endpoint` | | Slack webhook endpoint to report security events |
| `apply-fs-events` | `false` | Enable processing filesystem events and display them in the process tree report |
| `docker-image` | `docker.io/cycodelabs/cimon:v0.6.0` | Docker image reference |
| `docker-image-pull` | `false` | Skip pulling image from registry (Used for debugging) |
| `docker-username` | `false` | Username to pull image from registry (Used for debugging) |
| `docker-password` | `false` | Password to pull image from registry (Used for debugging) |
| `log-level` | `info` | Log level (Used for debugging) |
| Name | Default | Description |
|--------------------------|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `client-id` | | Cimon client ID for authentication |
| `secret` | | Cimon secret for authentication |
| `prevent` | `false` | Enable prevention mode |
| `allowed-ips` | | A comma or white space separated list of allowed IP addresses |
| `allowed-hosts` | | A comma or white space separated list of allowed domain names. The left-most label can be the wildcard character (`*`) to match multiple subdomains (e.g. `*.example.com`). |
| `ignored-ip-nets` | | A comma or white space separated list of ignored IP networks in CIDR notation, e.g. 10.0.0.0/8, 172.16.0.0/12. This setting is mandatory if your workflow runs containers attached to a custom network with configured sub-range. In other words, inter-container networking is usually ignored by Cimon. Cimon implicitly ignores 10.0.0.0/8 and 172.16.0.0/12 networks. |
| `github-token` | `${{ github.token }}` | GitHub token (used to overcome GitHub rate limiting) |
| `report-job-summary` | `true` | Report results through job summary output |
| `report-process-tree` | `false` | Enable to report the process tree |
| `report-artifact-log` | `true` | Report logs through job artifact |
| `slack-webhook-endpoint` | | Slack webhook endpoint to report security events |
| `apply-fs-events` | `false` | Enable processing filesystem events and display them in the process tree report |
| `docker-image` | `docker.io/cycodelabs/cimon:v0.6.0` | Docker image reference |
| `docker-image-pull` | `false` | Skip pulling image from registry (Used for debugging) |
| `docker-username` | `false` | Username to pull image from registry (Used for debugging) |
| `docker-password` | `false` | Password to pull image from registry (Used for debugging) |
| `log-level` | `info` | Log level (Used for debugging) |

## Scenarios

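Review bot: the new `ignored-ip-nets` description contradicts itself: "This setting is mandatory if your workflow runs containers attached to a custom network with configured sub-range. In other words, inter-container networking is usually ignored by Cimon." The second sentence does not restate the first. Suggest: "Cimon implicitly ignores traffic within 10.0.0.0/8 and 172.16.0.0/12, which covers Docker's default bridge networks. Set this only if your workflow attaches containers to a custom network whose subnet lies outside those ranges, and keep it as narrow as that subnet, because traffic to an ignored network is not monitored." Also wrap the CIDR examples in backticks, as the other rows of the table do for literals.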
9 changes: 9 additions & 0 deletions action.yaml
@@ -21,6 +21,15 @@ inputs:
allowed-hosts:
description: A comma-separated list of domain names
required: false
ignored-ip-nets:
description: |
A comma or white space separated list of ignored IP networks in CIDR
notation, e.g. 10.0.0.0/8, 172.16.0.0/12. This setting is mandatory if
your workflow runs containers attached to a custom network with
configured sub-range. In other words, inter-container networking is
usually ignored by Cimon. Cimon implicitly ignores 10.0.0.0/8 and
172.16.0.0/12 networks.
required: false
github-token:
description: GitHub token (used to overcome GitHub rate limiting)
required: false
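Review bot: the existing `allowed-hosts` input just above is described as "A comma-separated list of domain names" while the new `ignored-ip-nets` says "A comma or white space separated list", and the README table says both accept comma or whitespace; align the two descriptions in action.yaml so the two sources agree. The description is a copy of the README text and carries the same unclear "In other words" sentence, so fix the wording in both places at once.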
6 changes: 6 additions & 0 deletions dist/main/index.js
@@ -4132,6 +4132,7 @@ function getActionConfig() {
const preventionMode = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getBooleanInput('prevent');
const allowedIPs = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('allowed-ips');
const allowedHosts = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('allowed-hosts');
const ignoredIPNets = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('ignored-ip-nets');

const applyFsEvents = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getBooleanInput('apply-fs-events');
const clientId = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('client-id');
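Review bot: dist/main/index.js is the bundled build output, and its three hunks mirror the src/main/index.js hunks line for line, so review comments belong on src; please confirm this bundle was regenerated by the build step rather than edited by hand, since a hand edit is overwritten on the next build and the two files silently diverge.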
@@ -4157,6 +4158,7 @@ function getActionConfig() {
preventionMode: preventionMode,
allowedIPs: allowedIPs,
allowedHosts: allowedHosts,
ignoredIPNets: ignoredIPNets,
applyFsEvents: applyFsEvents,
clientId: clientId,
secret: secret,
@@ -4219,6 +4221,10 @@ async function run(config) {
args.push('--env', `CIMON_ALLOWED_HOSTS=${config.cimon.allowedHosts}`);
}

if (config.cimon.ignoredIPNets !== "") {
args.push('--env', `CIMON_IGNORED_IP_NETS=${config.cimon.ignoredIPNets}`);
}

if (config.github.jobSummary) {
args.push('--env', 'CIMON_REPORT_GITHUB_JOB_SUMMARY=1');
}
6 changes: 6 additions & 0 deletions src/main/index.js
@@ -16,6 +16,7 @@ function getActionConfig() {
const preventionMode = core.getBooleanInput('prevent');
const allowedIPs = core.getInput('allowed-ips');
const allowedHosts = core.getInput('allowed-hosts');
const ignoredIPNets = core.getInput('ignored-ip-nets');

const applyFsEvents = core.getBooleanInput('apply-fs-events');
const clientId = core.getInput('client-id');
@@ -41,6 +42,7 @@ function getActionConfig() {
preventionMode: preventionMode,
allowedIPs: allowedIPs,
allowedHosts: allowedHosts,
ignoredIPNets: ignoredIPNets,
applyFsEvents: applyFsEvents,
clientId: clientId,
secret: secret,
@@ -103,6 +105,10 @@ async function run(config) {
args.push('--env', `CIMON_ALLOWED_HOSTS=${config.cimon.allowedHosts}`);
}

if (config.cimon.ignoredIPNets !== "") {
args.push('--env', `CIMON_IGNORED_IP_NETS=${config.cimon.ignoredIPNets}`);
}

if (config.github.jobSummary) {
args.push('--env', 'CIMON_REPORT_GITHUB_JOB_SUMMARY=1');
}
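Review bot: `config.cimon.ignoredIPNets` is passed straight into `CIMON_IGNORED_IP_NETS` with no validation of its entries, so a typo such as a prefix length above 32 or a bare address without a prefix reaches the container unchecked and either fails late or makes the ignore list cover more or less than intended. Suggest splitting the input on commas and whitespace in `getActionConfig`, checking each entry (Node's `net.isIP` on the address part plus a prefix-length range check), calling `core.setFailed` with the offending entry, and normalising the list to a single comma-separated string before it goes into `--env`. The `!== ""` guard itself is fine, since `core.getInput` trims whitespace by default.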
10 changes: 10 additions & 0 deletions tests/docker-compose/docker-compose/Dockerfile
@@ -0,0 +1,10 @@
FROM python:3.7-alpine
WORKDIR /code
ENV FLASK_APP=app.py
ENV FLASK_RUN_HOST=0.0.0.0
RUN apk add --no-cache gcc musl-dev linux-headers
COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt
EXPOSE 5000
COPY . .
CMD ["flask", "run"]
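Review bot: `python:3.7-alpine` is a mutable tag, and Python 3.7 reaches end of life in June 2023, a month after this commit; given that the rest of this change pins actions to commit SHAs, pin the base image by digest or at least move to a supported minor so the fixture image is reproducible. `COPY . .` also copies test.sh and docker-compose.yaml into the image; a `.dockerignore` keeps the test image to app.py and requirements.txt.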
23 changes: 23 additions & 0 deletions tests/docker-compose/docker-compose/app.py
@@ -0,0 +1,23 @@
import time

import redis
from flask import Flask

app = Flask(__name__)
cache = redis.Redis(host='redis', port=6379)

def get_hit_count():
retries = 5
while True:
try:
return cache.incr('hits')
except redis.exceptions.ConnectionError as exc:
if retries == 0:
raise exc
retries -= 1
time.sleep(0.5)

@app.route('/')
def hello():
count = get_hit_count()
return 'Hello World! I have been seen {} times.\n'.format(count)
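Review bot: this is the hit-counter sample from the Docker Compose getting-started guide, and two small points carry over from it: `raise exc` inside the except block can be a bare `raise`, which re-raises without adding a frame to the traceback, and `retries = 5` with `time.sleep(0.5)` gives Redis only about 2.5 seconds to come up; since compose starts `redis` and `web` concurrently, a `depends_on` in the compose file or a longer backoff avoids a flaky first request on a cold runner.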
8 changes: 8 additions & 0 deletions tests/docker-compose/docker-compose/docker-compose.yaml
@@ -0,0 +1,8 @@
version: "3.9"
services:
web:
build: .
ports:
- "8000:5000"
redis:
image: "redis:alpine"
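Review bot: the compose file defines no `networks:` block, so both services land on the project's default bridge network, which Docker typically allocates from 172.17.0.0/16 upward, inside the 172.16.0.0/12 range that Cimon already ignores implicitly; as a result this test exercises the default behaviour, not the new `ignored-ip-nets` input. To cover the feature, add a network with an `ipam` subnet outside 10.0.0.0/8 and 172.16.0.0/12 (a 192.168.x.0/24 range, for example) and pass that CIDR as `ignored-ip-nets` in the workflow's Run Cimon step. Also, `"8000:5000"` binds on every interface of the runner; `"127.0.0.1:8000:5000"` is enough for a curl from localhost.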
2 changes: 2 additions & 0 deletions tests/docker-compose/docker-compose/requirements.txt
@@ -0,0 +1,2 @@
flask
redis
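Review bot: `flask` and `redis` are unpinned, so the image built by this fixture changes whenever either project publishes a release; pin exact versions (and ideally hashes, installed with `pip install --require-hashes`) so the test is reproducible and an upstream release cannot change what runs inside the Cimon-monitored job.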
7 changes: 7 additions & 0 deletions tests/docker-compose/docker-compose/test.sh
@@ -0,0 +1,7 @@
#!/bin/bash

for i in {1..5}
do
curl -I http://localhost:8000?rand="$i"
sleep 1s
done
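Review bot: the script cannot fail: there is no `set -e`, and `curl -I` without `--fail` exits 0 on a 5xx response, so a broken app, or a first request sent before Flask is listening, only prints an error and the loop still exits 0 (the status of the final `sleep`). Suggest `set -euo pipefail` at the top and `curl -fsSI --retry 5 --retry-connrefused` for the requests so the loop exits non-zero when the service is unreachable or unhealthy, and quote the URL as `"http://localhost:8000/?rand=$i"`.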

0 comments on commit 2711d34