feat: add policy type reference in target scanner

Signed-off-by: deggja <danieldagfinrud@gmail.com>
deggja · May 9, 2024 · 514eada · 514eada
1 parent f31ff68
commit 514eada
Showing 1 changed file with 104 additions and 0 deletions.
diff --git a/backend/pkg/k8s/target-scanner.go b/backend/pkg/k8s/target-scanner.go
@@ -3,6 +3,7 @@ package k8s
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -90,3 +91,106 @@ func ListPodsTargetedByNetworkPolicy(cynamicClient dynamic.Interface, policy *un
 
 	return targetedPods, nil
 }
+
+// DescribeNetworkPolicyRules provides a human-readable description of network policy rules.
+func DescribeNetworkPolicyRules(policy *unstructured.Unstructured) string {
+	var descriptions []string
+
+	// Parse Ingress Rules
+	ingressRules, _, _ := unstructured.NestedSlice(policy.Object, "spec", "ingress")
+	if len(ingressRules) > 0 {
+		for _, rule := range ingressRules {
+			descriptions = append(descriptions, fmt.Sprintf("Allows ingress from %s", describeRule(rule)))
+		}
+	} else {
+		descriptions = append(descriptions, "Blocks all ingress traffic")
+	}
+
+	// Parse Egress Rules
+	egressRules, _, _ := unstructured.NestedSlice(policy.Object, "spec", "egress")
+	if len(egressRules) > 0 {
+		for _, rule := range egressRules {
+			descriptions = append(descriptions, fmt.Sprintf("Allows egress to %s", describeRule(rule)))
+		}
+	} else {
+		descriptions = append(descriptions, "Blocks all egress traffic")
+	}
+
+	return strings.Join(descriptions, "; ")
+}
+
+// describeRule provides a summary of a single ingress or egress rule.
+func describeRule(rule interface{}) string {
+	ruleMap, ok := rule.(map[string]interface{})
+	if !ok {
+		return "unknown source/destination"
+	}
+
+	var sources []string
+
+	if from, ok := ruleMap["from"].([]interface{}); ok {
+		for _, fromRule := range from {
+			source := describeSource(fromRule)
+			sources = append(sources, source)
+		}
+	}
+
+	if to, ok := ruleMap["to"].([]interface{}); ok {
+		for _, toRule := range to {
+			destination := describeSource(toRule)
+			sources = append(sources, destination)
+		}
+	}
+
+	return strings.Join(sources, ", ")
+}
+
+// describeSource converts a source/destination object to a human-readable string.
+func describeSource(source interface{}) string {
+	sourceMap, ok := source.(map[string]interface{})
+	if !ok {
+		return "unknown"
+	}
+
+	var descriptions []string
+
+	if podSelector, ok := sourceMap["podSelector"].(map[string]interface{}); ok {
+		descriptions = append(descriptions, fmt.Sprintf("pods matching %s", describeSelector(podSelector)))
+	}
+
+	if namespaceSelector, ok := sourceMap["namespaceSelector"].(map[string]interface{}); ok {
+		descriptions = append(descriptions, fmt.Sprintf("namespaces matching %s", describeSelector(namespaceSelector)))
+	}
+
+	if ipBlock, ok := sourceMap["ipBlock"].(map[string]interface{}); ok {
+		if cidr, ok := ipBlock["cidr"].(string); ok {
+			description := fmt.Sprintf("CIDR %s", cidr)
+
+			if except, ok := ipBlock["except"].([]interface{}); ok {
+				var exceptions []string
+				for _, ex := range except {
+					if cidrEx, ok := ex.(string); ok {
+						exceptions = append(exceptions, cidrEx)
+					}
+				}
+				if len(exceptions) > 0 {
+					description += fmt.Sprintf(" except %s", strings.Join(exceptions, ", "))
+				}
+			}
+			descriptions = append(descriptions, description)
+		}
+	}
+
+	return strings.Join(descriptions, ", ")
+}
+
+// describeSelector converts a map of labels into a human-readable selector string.
+func describeSelector(selector map[string]interface{}) string {
+	var parts []string
+	for key, value := range selector {
+		if strVal, ok := value.(string); ok {
+			parts = append(parts, fmt.Sprintf("%s=%s", key, strVal))
+		}
+	}
+	return strings.Join(parts, ", ")
+}