Revert "Handle nsfilter/fromsource filter from a common func (#532)"

This reverts commit 24ed1cf.
accuknox · Aug 25, 2022 · e68c767 · e68c767
1 parent 24ed1cf
commit e68c767
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 44 deletions.
diff --git a/src/networkpolicy/networkPolicy.go b/src/networkpolicy/networkPolicy.go
@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/accuknox/auto-policy-discovery/src/cluster"
+	"github.com/accuknox/auto-policy-discovery/src/config"
 	cfg "github.com/accuknox/auto-policy-discovery/src/config"
 	fc "github.com/accuknox/auto-policy-discovery/src/feedconsumer"
 	"github.com/accuknox/auto-policy-discovery/src/libs"
@@ -2008,6 +2009,28 @@ func isVM(podName string, pods []types.Pod) bool {
 	return libs.ContainsElement(getLabelsFromPod(podName, pods), ReservedHost)
 }
 
+func applyPolicyFilter(discoveredPolicies map[string][]types.KnoxNetworkPolicy) map[string][]types.KnoxNetworkPolicy {
+
+	nsFilter := config.CurrentCfg.ConfigNetPolicy.NsFilter
+	nsNotFilter := config.CurrentCfg.ConfigNetPolicy.NsNotFilter
+
+	if len(nsFilter) > 0 {
+		for ns := range discoveredPolicies {
+			if !libs.ContainsElement(nsFilter, ns) {
+				delete(discoveredPolicies, ns)
+			}
+		}
+	} else if len(nsNotFilter) > 0 {
+		for ns := range discoveredPolicies {
+			if libs.ContainsElement(nsNotFilter, ns) {
+				delete(discoveredPolicies, ns)
+			}
+		}
+	}
+
+	return discoveredPolicies
+}
+
 func PopulateNetworkPoliciesFromNetworkLogs(networkLogs []types.KnoxNetworkLog) map[string][]types.KnoxNetworkPolicy {
 
 	discoveredNetworkPolicies := map[string][]types.KnoxNetworkPolicy{}
@@ -2070,6 +2093,9 @@ func PopulateNetworkPoliciesFromNetworkLogs(networkLogs []types.KnoxNetworkLog)
 			}
 		}
 
+		// filter discovered policies
+		discoveredNetworkPolicies = applyPolicyFilter(discoveredNetworkPolicies)
+
 		// iterate each namespace
 		for _, namespace := range namespaces {
 			discoveredPolicies := discoveredNetworkPolicies[namespace]

diff --git a/src/plugin/cilium.go b/src/plugin/cilium.go
@@ -843,9 +843,6 @@ func StartHubbleRelay(StopChan chan struct{}, cfg types.ConfigCiliumHubble) {
 		},
 	}
 
-	nsFilter := config.CurrentCfg.ConfigNetPolicy.NsFilter
-	nsNotFilter := config.CurrentCfg.ConfigSysPolicy.NsNotFilter
-
 	stream, err := client.GetFlows(context.Background(), req)
 	if err != nil {
 		log.Error().Msg("Unable to stream network flow: " + err.Error())
@@ -867,14 +864,6 @@ func StartHubbleRelay(StopChan chan struct{}, cfg types.ConfigCiliumHubble) {
 			case *observer.GetFlowsResponse_Flow:
 				flow := r.Flow
 
-				if IgnoreLogFromRelayWithNamespace(nsFilter, nsNotFilter, flow.Destination.Namespace) {
-					continue
-				}
-
-				if IgnoreLogFromRelayWithNamespace(nsFilter, nsNotFilter, flow.Source.Namespace) {
-					continue
-				}
-
 				CiliumFlowsMutex.Lock()
 				CiliumFlows = append(CiliumFlows, flow)
 				CiliumFlowsMutex.Unlock()

diff --git a/src/plugin/common.go b/src/plugin/common.go
diff --git a/src/plugin/kubearmor.go b/src/plugin/kubearmor.go
@@ -345,6 +345,32 @@ func GetSystemAlertsFromKubeArmorRelay(trigger int) []*pb.Log {
 	return results
 }
 
+func ignoreLogFromRelayWithSource(filter []string, log *pb.Log) bool {
+	for _, srcFilter := range filter {
+		if strings.Contains(log.Source, srcFilter) {
+			return true
+		}
+	}
+	return false
+}
+
+func ignoreLogFromRelayWithNamespace(nsFilter, nsNotFilter []string, log *pb.Log) bool {
+	if len(nsFilter) > 0 {
+		for _, ns := range nsFilter {
+			if !strings.Contains(log.NamespaceName, ns) {
+				return true
+			}
+		}
+	} else if len(nsNotFilter) > 0 {
+		for _, notns := range nsNotFilter {
+			if strings.Contains(log.NamespaceName, notns) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 var KubeArmorRelayStarted = false
 
 func StartKubeArmorRelay(StopChan chan struct{}, cfg types.ConfigKubeArmorRelay) {
@@ -387,11 +413,11 @@ func StartKubeArmorRelay(StopChan chan struct{}, cfg types.ConfigKubeArmorRelay)
 					return
 				}
 
-				if IgnoreLogFromRelayWithNamespace(nsFilter, nsNotFilter, res.NamespaceName) {
+				if ignoreLogFromRelayWithNamespace(nsFilter, nsNotFilter, res) {
 					continue
 				}
 
-				if IgnoreLogFromRelayWithSource(fromSourceFilter, res.Source) {
+				if ignoreLogFromRelayWithSource(fromSourceFilter, res) {
 					continue
 				}
 
@@ -444,11 +470,11 @@ func StartKubeArmorRelay(StopChan chan struct{}, cfg types.ConfigKubeArmorRelay)
 					Type:          res.Type,
 				}
 
-				if IgnoreLogFromRelayWithNamespace(nsFilter, nsNotFilter, log.NamespaceName) {
+				if ignoreLogFromRelayWithNamespace(nsFilter, nsNotFilter, &log) {
 					continue
 				}
 
-				if IgnoreLogFromRelayWithSource(fromSourceFilter, log.Source) {
+				if ignoreLogFromRelayWithSource(fromSourceFilter, &log) {
 					continue
 				}