From 671781a91c56e773c524c8c9bb1c999b1d107196 Mon Sep 17 00:00:00 2001
From: Anurag Rajawat
Date: Tue, 20 Feb 2024 10:31:40 +0530
Subject: [PATCH] fix(adapters): Update adapters to update their policies info
Signed-off-by: Anurag Rajawat
---
 go.mod | 2 +-
 pkg/adapter/nimbus-kubearmor/go.mod | 2 +-
 pkg/adapter/nimbus-kubearmor/go.sum | 4 ++--
 pkg/adapter/nimbus-kubearmor/manager/manager.go | 15 ++++++---------
 .../nimbus-kubearmor/watcher/kspwatcher.go | 13 ++-----------
 pkg/adapter/nimbus-netpol/go.mod | 2 +-
 pkg/adapter/nimbus-netpol/go.sum | 5 +++--
 .../nimbus-netpol/manager/netpols_manager.go | 15 ++++++---------
 .../nimbus-netpol/watcher/netpolwatcher.go | 13 ++-----------
 9 files changed, 24 insertions(+), 47 deletions(-)
diff --git a/go.mod b/go.mod
index 22536c27..9a9acabd 100644
--- a/go.mod
+++ b/go.mod
@@ -47,7 +47,7 @@ require (
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
- github.com/pkg/errors v0.9.1 // indirect
+ github.com/pkg/errors v0.9.1
 github.com/prometheus/client_golang v1.18.0 // indirect
 github.com/prometheus/client_model v0.5.0 // indirect
 github.com/prometheus/common v0.46.0 // indirect
diff --git a/pkg/adapter/nimbus-kubearmor/go.mod b/pkg/adapter/nimbus-kubearmor/go.mod
index be1af002..70a8c0ba 100644
--- a/pkg/adapter/nimbus-kubearmor/go.mod
+++ b/pkg/adapter/nimbus-kubearmor/go.mod
@@ -3,7 +3,7 @@ module github.com/5GSEC/nimbus/pkg/adapter/nimbus-kubearmor
 go 1.21
 require (
- github.com/5GSEC/nimbus v0.0.0-20240208070656-624660f34768
+ github.com/5GSEC/nimbus v0.0.0-20240220040009-4cc97b1338ad
 github.com/go-logr/logr v1.4.1
 github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240125171707-8e6641511fe3
 k8s.io/apimachinery v0.29.1
diff --git a/pkg/adapter/nimbus-kubearmor/go.sum b/pkg/adapter/nimbus-kubearmor/go.sum
index 27d5382d..0154d514 100644
--- a/pkg/adapter/nimbus-kubearmor/go.sum
+++ b/pkg/adapter/nimbus-kubearmor/go.sum
@@ -1,5 +1,5 @@
-github.com/5GSEC/nimbus v0.0.0-20240208070656-624660f34768 h1:v2fY3lWXydstfekQSHs9n0TpNnTteC7Iws3ojwGtFJk=
-github.com/5GSEC/nimbus v0.0.0-20240208070656-624660f34768/go.mod h1:yw79m9f1+f3tBSZCMQKbNVKL39Q71FyGyoa8nClo1Hs=
+github.com/5GSEC/nimbus v0.0.0-20240220040009-4cc97b1338ad h1:vr8/EtADzXyAYOsZbG8KhSO7ClELdQMjWEfHde5C3yA=
+github.com/5GSEC/nimbus v0.0.0-20240220040009-4cc97b1338ad/go.mod h1:YgeRR5ijLJHHeapCUekTfLJXMVrqOMVT2rCsqHlKLdU=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
diff --git a/pkg/adapter/nimbus-kubearmor/manager/manager.go b/pkg/adapter/nimbus-kubearmor/manager/manager.go
index f360ee48..abdb1079 100644
--- a/pkg/adapter/nimbus-kubearmor/manager/manager.go
+++ b/pkg/adapter/nimbus-kubearmor/manager/manager.go
@@ -145,17 +145,14 @@ func createOrUpdateKsp(ctx context.Context, npName, npNamespace string) {
 logger.Info("KubeArmorPolicy configured", "KubeArmorPolicy.Name", existingKsp.Name, "KubeArmorPolicy.Namespace", existingKsp.Namespace)
 }
- // Due to adapters' dependency on nimbus module, the docker image build is
- // failing. The relevant code is commented out below (lines 153-155). We shall
- // uncomment this code in a subsequent PR.
-
 // Every adapter is responsible for updating the status field of the
 // corresponding NimbusPolicy with the number and names of successfully created
- // policies. This provides feedback to users about the translation and deployment
- // of their security intent.
- //if err = adapterutil.UpdateNpStatus(ctx, k8sClient, "KubeArmorPolicy/"+ksp.Name, np.Name, np.Namespace); err != nil {
- // logger.Error(err, "failed to update KubeArmorPolicies status in NimbusPolicy")
- //}
+ // policies by calling the 'adapterutil.UpdateNpStatus' API. This provides
+ // feedback to users about the translation and deployment of their security
+ // intent.
+ if err = adapterutil.UpdateNpStatus(ctx, k8sClient, "KubeArmorPolicy/"+ksp.Name, np.Name, np.Namespace); err != nil {
+ logger.Error(err, "failed to update KubeArmorPolicies status in NimbusPolicy")
+ }
 }
 }
diff --git a/pkg/adapter/nimbus-kubearmor/watcher/kspwatcher.go b/pkg/adapter/nimbus-kubearmor/watcher/kspwatcher.go
index 031b340e..1de22074 100644
--- a/pkg/adapter/nimbus-kubearmor/watcher/kspwatcher.go
+++ b/pkg/adapter/nimbus-kubearmor/watcher/kspwatcher.go
@@ -4,9 +4,7 @@
 package watcher
 import (
- "bytes"
 "context"
- "encoding/json"
 "time"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
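Review bot: In createOrUpdateKsp the re-enabled `adapterutil.UpdateNpStatus` call only logs a failure, so when the status write fails the NimbusPolicy keeps reporting a stale set of enforced policies and nothing retries it. The hunk also does not show whether a failed create or update of the KubeArmorPolicy skips this call; if the error branches above fall through, the status would list a policy that was never applied, so confirm they leave the iteration before reaching it. At minimum add the object identifiers to the log so a mismatch can be traced: `logger.Error(err, "failed to update KubeArmorPolicies status in NimbusPolicy", "KubeArmorPolicy.Name", ksp.Name, "NimbusPolicy.Name", np.Name)`. The same applies to the `NetworkPolicy/` status update in createOrUpdateNetworkPolicy (netpols_manager.go); both function bodies start outside their hunks.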
@@ -53,15 +51,8 @@ func WatchKsps(ctx context.Context, updatedKspCh, deletedKspCh chan common.Reque
 return
 }
- oldSpec, errOld := oldU.Object["spec"].(map[string]interface{})
- newSpec, errNew := newU.Object["spec"].(map[string]interface{})
-
- if errOld && errNew {
- oldSpecBytes, _ := json.Marshal(oldSpec)
- newSpecBytes, _ := json.Marshal(newSpec)
- if bytes.Equal(oldSpecBytes, newSpecBytes) {
- return
- }
+ if oldU.GetGeneration() == newU.GetGeneration() {
+ return
 }
 kspNamespacedName := common.Request{
diff --git a/pkg/adapter/nimbus-netpol/go.mod b/pkg/adapter/nimbus-netpol/go.mod
index 59f5c915..8a3f7fab 100644
--- a/pkg/adapter/nimbus-netpol/go.mod
+++ b/pkg/adapter/nimbus-netpol/go.mod
@@ -3,7 +3,7 @@ module github.com/5GSEC/nimbus/pkg/adapter/nimbus-netpol
 go 1.21
 require (
- github.com/5GSEC/nimbus v0.0.0-20240208070656-624660f34768
+ github.com/5GSEC/nimbus v0.0.0-20240220040009-4cc97b1338ad
 github.com/go-logr/logr v1.4.1
 k8s.io/api v0.29.1
 k8s.io/apimachinery v0.29.1
diff --git a/pkg/adapter/nimbus-netpol/go.sum b/pkg/adapter/nimbus-netpol/go.sum
index 72c856d2..160e902b 100644
--- a/pkg/adapter/nimbus-netpol/go.sum
+++ b/pkg/adapter/nimbus-netpol/go.sum
@@ -1,5 +1,5 @@
-github.com/5GSEC/nimbus v0.0.0-20240208070656-624660f34768 h1:v2fY3lWXydstfekQSHs9n0TpNnTteC7Iws3ojwGtFJk=
-github.com/5GSEC/nimbus v0.0.0-20240208070656-624660f34768/go.mod h1:yw79m9f1+f3tBSZCMQKbNVKL39Q71FyGyoa8nClo1Hs=
+github.com/5GSEC/nimbus v0.0.0-20240220040009-4cc97b1338ad h1:vr8/EtADzXyAYOsZbG8KhSO7ClELdQMjWEfHde5C3yA=
+github.com/5GSEC/nimbus v0.0.0-20240220040009-4cc97b1338ad/go.mod h1:YgeRR5ijLJHHeapCUekTfLJXMVrqOMVT2rCsqHlKLdU=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
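Review bot: The new `oldU.GetGeneration() == newU.GetGeneration()` guard in WatchKsps is undocumented and drops every update that leaves metadata.generation unchanged, which includes label, annotation and ownerReferences edits on an adapter-managed KubeArmorPolicy. The removed spec comparison ignored those as well, but if the adapter relies on such metadata to tie a policy to its NimbusPolicy (not visible in this hunk), a change to it never reaches `updatedKspCh` and is not reconciled. Add a comment above the check, e.g. `// generation is bumped by the API server on spec changes; equal values mean a resync or a metadata-only update`, and compare the relevant metadata explicitly if drift there matters. The same guard is added to WatchNetpols in netpolwatcher.go; both update handlers start and end outside their hunks.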
@@ -152,6 +152,7 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
+golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/pkg/adapter/nimbus-netpol/manager/netpols_manager.go b/pkg/adapter/nimbus-netpol/manager/netpols_manager.go
index c66c32c8..b3dddf87 100644
--- a/pkg/adapter/nimbus-netpol/manager/netpols_manager.go
+++ b/pkg/adapter/nimbus-netpol/manager/netpols_manager.go
@@ -140,17 +140,14 @@ func createOrUpdateNetworkPolicy(ctx context.Context, npName, npNamespace string
 logger.Info("NetworkPolicy configured", "NetworkPolicy.Name", netpol.Name, "NetworkPolicy.Namespace", netpol.Namespace)
 }
- // Due to adapters' dependency on nimbus module, the docker image build is
- // failing. The relevant code is commented out below (lines 153-155). We shall
- // uncomment this code in a subsequent PR.
-
 // Every adapter is responsible for updating the status field of the
 // corresponding NimbusPolicy with the number and names of successfully created
- // policies. This provides feedback to users about the translation and deployment
- // of their security intent.
- //if err = adapterutil.UpdateNpStatus(ctx, k8sClient, "NetworkPolicy/"+netpol.Name, np.Name, np.Namespace); err != nil {
- // logger.Error(err, "failed to update NetworkPolicies status in NimbusPolicy")
- //}
+ // policies by calling the 'adapterutil.UpdateNpStatus' API. This provides
+ // feedback to users about the translation and deployment of their security
+ // intent.
+ if err = adapterutil.UpdateNpStatus(ctx, k8sClient, "NetworkPolicy/"+netpol.Name, np.Name, np.Namespace); err != nil {
+ logger.Error(err, "failed to update NetworkPolicies status in NimbusPolicy")
+ }
 }
 }
diff --git a/pkg/adapter/nimbus-netpol/watcher/netpolwatcher.go b/pkg/adapter/nimbus-netpol/watcher/netpolwatcher.go
index 2f5b2254..aec78dec 100644
--- a/pkg/adapter/nimbus-netpol/watcher/netpolwatcher.go
+++ b/pkg/adapter/nimbus-netpol/watcher/netpolwatcher.go
@@ -4,9 +4,7 @@
 package watcher
 import (
- "bytes"
 "context"
- "encoding/json"
 "time"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -53,15 +51,8 @@ func WatchNetpols(ctx context.Context, updatedNetpolCh, deletedNetpolCh chan com
 return
 }
- oldSpec, errOld := oldU.Object["spec"].(map[string]interface{})
- newSpec, errNew := newU.Object["spec"].(map[string]interface{})
-
- if errOld && errNew {
- oldSpecBytes, _ := json.Marshal(oldSpec)
- newSpecBytes, _ := json.Marshal(newSpec)
- if bytes.Equal(oldSpecBytes, newSpecBytes) {
- return
- }
+ if oldU.GetGeneration() == newU.GetGeneration() {
+ return
 }
 netpolNamespacedName := common.Request{