metal-stack · majst01 · Jan 30, 2024 · Dec 18, 2023 · Dec 18, 2023 · Dec 19, 2023
@@ -23,14 +23,14 @@ jobs:
 
     steps:
     - name: Log in to the container registry
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         registry: ${{ env.REGISTRY }}
         username: ${{ secrets.DOCKER_REGISTRY_USER }}
         password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
 
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - uses: google-github-actions/auth@v1
       with:
@@ -40,9 +40,10 @@ jobs:
       uses: google-github-actions/setup-gcloud@v0
 
     - name: Set up Go 1.21
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version: '1.21'
+        cache: false
 
     - name: Lint
       uses: golangci/golangci-lint-action@v3
@@ -64,7 +65,7 @@ jobs:
         make
 
     - name: Push Docker image
-      uses: docker/build-push-action@v3
+      uses: docker/build-push-action@v5
       with:
         context: .
         push: true
@@ -89,12 +90,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - name: Set up Go 1.21
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version: '1.21'
+        cache: false
 
     - name: Run tests
       run: |

@@ -2,16 +2,21 @@ package controllers
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"time"
 
+	"go4.org/netipx"
+
 	"github.com/metal-stack/firewall-controller/v2/pkg/dns"
+	"github.com/metal-stack/firewall-controller/v2/pkg/helper"
 	"github.com/metal-stack/firewall-controller/v2/pkg/nftables"
 
 	"github.com/go-logr/logr"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/tools/record"
 
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -33,7 +38,8 @@ type ClusterwideNetworkPolicyReconciler struct {
 	FirewallName  string
 	SeedNamespace string
 
-	Log logr.Logger
+	Log      logr.Logger
+	Recorder record.EventRecorder
 
 	Interval time.Duration
 	DnsProxy *dns.DNSProxy
@@ -91,7 +97,14 @@ func (r *ClusterwideNetworkPolicyReconciler) Reconcile(ctx context.Context, _ ct
 	if err := r.ShootClient.List(ctx, &services); err != nil {
 		return ctrl.Result{}, err
 	}
-	nftablesFirewall := nftables.NewFirewall(f, &cwnps, &services, r.DnsProxy, r.Log)
+
+	validCwnps, err := r.allowedCWNPsOrDelete(ctx, cwnps.Items, f.Spec.NetworkAccessType, f.Spec.AllowedNetworks)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+	cwnps.Items = validCwnps
+
+	nftablesFirewall := nftables.NewFirewall(f, &cwnps, &services, r.DnsProxy, r.Log, r.Recorder)
 	if err := r.manageDNSProxy(ctx, f, cwnps, nftablesFirewall); err != nil {
 		return ctrl.Result{}, err
 	}
@@ -181,3 +194,84 @@ func (r *ClusterwideNetworkPolicyReconciler) getReconciliationTicker(scheduleCha
 		}
 	}
 }
+
+func (r *ClusterwideNetworkPolicyReconciler) allowedCWNPsOrDelete(ctx context.Context, cwnps []firewallv1.ClusterwideNetworkPolicy, accessType firewallv2.NetworkAccessType, allowedNetworks firewallv2.AllowedNetworks) ([]firewallv1.ClusterwideNetworkPolicy, error) {
+	// FIXME refactor to func and add test, remove illegal rules from further processing
+	// report as event in case rule is not allowed
+
+	// what to do, if accesstype is baseline but there are allowedNetworks given?
+	if accessType != firewallv2.NetworkAccessForbidden {
+		return cwnps, nil
+	}
+
+	validCWNPs := make([]firewallv1.ClusterwideNetworkPolicy, 0, len(cwnps))
+	forbiddenCWNPs := make([]firewallv1.ClusterwideNetworkPolicy, 0)
+
+	egressSet, err := helper.BuildNetworksIPSet(allowedNetworks.Egress)
+	if err != nil {
+		return nil, err
+	}
+
+	ingressSet, err := helper.BuildNetworksIPSet(allowedNetworks.Ingress)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, cwnp := range cwnps {
+		cwnp := cwnp
+		oke, err := r.validateCWNPEgressTargetPrefix(cwnp, egressSet)
+		if err != nil {
+			return nil, err
+		}
+		oki, err := r.validateCWNPIngressTargetPrefix(cwnp, ingressSet)
+		if err != nil {
+			return nil, err
+		}
+		// the CWNP is ok if both ingress/egress match with the allowed networks
+		ok := oki && oke
+
+		if !ok {
+			forbiddenCWNPs = append(forbiddenCWNPs, cwnp)
+		} else {
+			validCWNPs = append(validCWNPs, cwnp)
+		}
+	}
+	if len(cwnps) != len(validCWNPs) {
+		var errs []error
+		for _, cwnp := range forbiddenCWNPs {
+			cwnp := cwnp
+			err := r.ShootClient.Delete(ctx, &cwnp)
+			if err != nil {
+				errs = append(errs, err)
+			}
+		}
+		if len(errs) > 0 {
+			// TODO: should we acutally fail when single cwnps that won't be applied anyways cannot be deleted?
+			// Alternatively just log / record event / retry reconcile?
+			return nil, fmt.Errorf("failed to delete all forbidden CWNPs: %w", errors.Join(errs...))
+		}
+	}
+	return validCWNPs, nil
+}
+
+func (r *ClusterwideNetworkPolicyReconciler) validateCWNPEgressTargetPrefix(cwnp firewallv1.ClusterwideNetworkPolicy, externalSet *netipx.IPSet) (bool, error) {
+	for _, egress := range cwnp.Spec.Egress {
+		for _, to := range egress.To {
+			if ok, err := helper.ValidateCIDR(&cwnp, to.CIDR, externalSet, r.Recorder); !ok {
+				return false, err
+			}
+		}
+	}
+	return true, nil
+}
+
+func (r *ClusterwideNetworkPolicyReconciler) validateCWNPIngressTargetPrefix(cwnp firewallv1.ClusterwideNetworkPolicy, externalSet *netipx.IPSet) (bool, error) {
+	for _, ingress := range cwnp.Spec.Ingress {
+		for _, from := range ingress.From {
+			if ok, err := helper.ValidateCIDR(&cwnp, from.CIDR, externalSet, r.Recorder); !ok {
+				return false, err
+			}
+		}
+	}
+	return true, nil
+}
@@ -11,15 +11,16 @@ require (
 	github.com/google/go-cmp v0.6.0
 	github.com/google/nftables v0.1.1-0.20230115205135-9aa6fdf5a28c
 	github.com/ks2211/go-suricata v0.0.0-20200823200910-986ce1470707
-	github.com/metal-stack/firewall-controller-manager v0.3.0
+	github.com/metal-stack/firewall-controller-manager v0.3.2-0.20240115082359-d2ad341a4113
 	github.com/metal-stack/metal-go v0.24.3
 	github.com/metal-stack/metal-lib v0.13.5
-	github.com/metal-stack/metal-networker v0.33.0
+	github.com/metal-stack/metal-networker v0.33.1-0.20240122150602-99b8a185b9f4
 	github.com/metal-stack/v v1.0.3
 	github.com/miekg/dns v1.1.55
 	github.com/txn2/txeh v1.5.3
 	github.com/vishvananda/netlink v1.2.1-beta.2
 	go.uber.org/zap v1.26.0
+	go4.org/netipx v0.0.0-20230728180743-ad4cb58a6516
 	k8s.io/api v0.26.3
 	k8s.io/apiextensions-apiserver v0.26.3
 	k8s.io/apimachinery v0.27.4

@@ -233,16 +233,16 @@ github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
 github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
-github.com/metal-stack/firewall-controller-manager v0.3.0 h1:sBCL7iiG17ZO/1TREv2RYiMdX5VddSc92snR8OKcAF8=
-github.com/metal-stack/firewall-controller-manager v0.3.0/go.mod h1:KjLZv/BatucZM9DQtBLN04wBGjvxEJRV1C+xDkCWwIE=
+github.com/metal-stack/firewall-controller-manager v0.3.2-0.20240115082359-d2ad341a4113 h1:QvFcs5sBI6BGLMidLKFfXDBgBG7idivvck8u8q5PD9Y=
+github.com/metal-stack/firewall-controller-manager v0.3.2-0.20240115082359-d2ad341a4113/go.mod h1:KjLZv/BatucZM9DQtBLN04wBGjvxEJRV1C+xDkCWwIE=
 github.com/metal-stack/metal-go v0.24.3 h1:z7btLKyhzyv/0mFhsxJE6+c0MXlYTfcUWKIL50gNx2M=
 github.com/metal-stack/metal-go v0.24.3/go.mod h1:jNJ0dWIBRwKeJoP+RGqTyE5qLsdZFISFrNHU5m3IDwA=
 github.com/metal-stack/metal-hammer v0.11.5 h1:bW4mkcBG8J1O7f71bXIrqVPL7uHZ4FZDF90hF69dn2U=
 github.com/metal-stack/metal-hammer v0.11.5/go.mod h1:Y4Pa0rt5aHLc+3YL36Xu7uI4Mo7ljV1PDZgQ5Y/c3CM=
 github.com/metal-stack/metal-lib v0.13.5 h1:OX94H+Pw31MOE9xSr460kFBv6CNJ2Nhjf4GY5IcuCxM=
 github.com/metal-stack/metal-lib v0.13.5/go.mod h1:BAR7fjdoV7DDg8i9GpJQBDaNSFirOcBs0vLYTBnhHQU=
-github.com/metal-stack/metal-networker v0.33.0 h1:DZf79nBS4CAL0QQnTq1jTucbL/Cj1qfj+jfFpmU8+Ws=
-github.com/metal-stack/metal-networker v0.33.0/go.mod h1:lVpSIE7E0iYgyTAavjcrLrUYB5IaFrtthhKzKn5fcH4=
+github.com/metal-stack/metal-networker v0.33.1-0.20240122150602-99b8a185b9f4 h1:eOV1Z99l1sRN+iWL+ZYtm9cZaB7jOPJrlsCam6UmAKk=
+github.com/metal-stack/metal-networker v0.33.1-0.20240122150602-99b8a185b9f4/go.mod h1:rmhP+MAz8GJyuhXGqb+F4LhtEcYUZPYj7ul8VN3pUF4=
 github.com/metal-stack/v v1.0.3 h1:Sh2oBlnxrCUD+mVpzfC8HiqL045YWkxs0gpTvkjppqs=
 github.com/metal-stack/v v1.0.3/go.mod h1:YTahEu7/ishwpYKnp/VaW/7nf8+PInogkfGwLcGPdXg=
 github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
@@ -376,6 +376,8 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
 go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
 go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
+go4.org/netipx v0.0.0-20230728180743-ad4cb58a6516 h1:X66ZEoMN2SuaoI/dfZVYobB6E5zjZyyHUMWlCA7MgGE=
+go4.org/netipx v0.0.0-20230728180743-ad4cb58a6516/go.mod h1:TQvodOM+hJTioNQJilmLXu08JNb8i+ccq418+KWu1/Y=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=

@@ -226,6 +226,7 @@ func main() {
 		SeedClient:    seedMgr.GetClient(),
 		ShootClient:   shootMgr.GetClient(),
 		Log:           ctrl.Log.WithName("controllers").WithName("ClusterwideNetworkPolicy"),
+		Recorder:      shootMgr.GetEventRecorderFor("FirewallController"),
 		FirewallName:  firewallName,
 		SeedNamespace: seedNamespace,
 	}).SetupWithManager(shootMgr); err != nil {

@@ -0,0 +1,70 @@
+package helper
+
+import (
+	"fmt"
+	"net/netip"
+
+	"go4.org/netipx"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/record"
+)
+
+const (
+	forbiddenCIDR = "ForbiddenCIDR"
+)
+
+// Create an IPSet from a given list of strings describing networks.
+func BuildNetworksIPSet(networks []string) (*netipx.IPSet, error) {
+	var externalBuilder netipx.IPSetBuilder
+
+	for _, externalNetwork := range networks {
+		parsedExternal, err := netip.ParsePrefix(externalNetwork)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse prefix: %w", err)
+		}
+		externalBuilder.AddPrefix(parsedExternal)
+	}
+	externalSet, err := externalBuilder.IPSet()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create ipset: %w", err)
+	}
+	return externalSet, nil
+}
+
+func NetworkSetAsString(externalSet *netipx.IPSet) string {
+	var allowedNetworksStr string
+	if externalSet != nil {
+		for i, r := range externalSet.Ranges() {
+			if i > 0 {
+				allowedNetworksStr += ","
+			}
+			if p, ok := r.Prefix(); ok {
+				allowedNetworksStr += p.String()
+			} else {
+				allowedNetworksStr += r.String()
+			}
+		}
+	}
+	return allowedNetworksStr
+}
+
+func ValidateCIDR(o runtime.Object, cidr string, ipset *netipx.IPSet, rec record.EventRecorder) (bool, error) {
+	parsedTo, err := netip.ParsePrefix(cidr)
+	if err != nil {
+		return false, fmt.Errorf("failed to parse to address: %w", err)
+	}
+	if !ipset.ContainsPrefix(parsedTo) {
+		allowedNetworksStr := NetworkSetAsString(ipset)
+		if rec != nil {
+			rec.Eventf(
+				o,
+				corev1.EventTypeWarning,
+				forbiddenCIDR,
+				"address:%q is outside of the allowed network range:%q, ignoring",
+				parsedTo.String(), allowedNetworksStr)
+		}
+		return false, nil
+	}
+	return true, nil
+}