Added harvester-restricted-network-vm

Author: tmuntaner

policies/harvester-restricted-network-vm/.gitignore

@@ -0,0 +1,18 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+*.wasm
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+bin/

policies/harvester-restricted-network-vm/Makefile

@@ -0,0 +1 @@
+../../Makefile.tinygo

policies/harvester-restricted-network-vm/README.md

@@ -0,0 +1,51 @@
+# harvester-restricted-network-vm
+
+This policy guards against VMs being deployed into protected network segments.
+
+**Example policy:**
+
+```
+apiVersion: policies.kubewarden.io/v1
+kind: ClusterAdmissionPolicy
+metadata:
+  name: restricted-network-vm-policy-1
+spec:
+  module: harvester-restricted-network-vm:20
+  rules:
+    - apiGroups: ["kubevirt.io"]
+      apiVersions: ["v1"]
+      resources: ["virtualmachines"]
+      operations: ["CREATE", "UPDATE"]
+  settings:
+    namespaceNetworkBindings: 
+      - namespace: test-restricted-1-network-1
+        network:  test-restricted-1-network-1/network-1
+      - namespace: test-restricted-2-network-1
+        network:  test-restricted-1-network-1/network-1
+      - namespace: test-restricted-3-network-3
+        network:  test-restricted-3-network-3/network-3
+  mutating: false
+  policyServer: default
+```
+
+**Specifications:**
+
+1. You should be able to create a VM with any of the specific combinations there
+2. You should not be able to create a VM from any namespace or network that is in that list, but the exact combination is not in the list.
+3. Any namespace or network that is not on the list is not restricted
+
+**Examples:**
+
+| namespace                   | network                               | Result |
+|-----------------------------|---------------------------------------|--------|
+| test-restricted-1-network-1 | test-restricted-1-network-1/network-1 | ALLOW  |
+| test-restricted-2-network-1 | test-restricted-1-network-1/network-1 | ALLOW  |
+| test-restricted-3-network-3 | test-restricted-3-network-3/network-3 | ALLOW  |
+| random-namespace            | random-network                        | ALLOW  |
+| test-restricted-3-network-3 | test-restricted-1-network-1/network-1 | REJECT |
+| test-restricted-1-network-1 | test-restricted-3-network-3/network-3 | REJECT |
+| random-namespace            | test-restricted-1-network-1/network-1 | REJECT |
+| random-namespace            | test-restricted-3-network-3/network-3 | REJECT |
+| test-restricted-1-network-1 | random-network                        | REJECT |
+| test-restricted-2-network-2 | random-network                        | REJECT |
+| test-restricted-3-network-3 | random-network                        | REJECT |

policies/harvester-restricted-network-vm/cmd/main.go

@@ -0,0 +1,21 @@
+package main
+
+import (
+	"context"
+
+	"github.com/SUSE/openplatform-kubewarden-policies/policies/harvester-restricted-network-vm/internal/logger"
+	"github.com/wapc/wapc-guest-tinygo"
+)
+
+func main() {
+	ctx := logger.ContextWithLogger(context.Background())
+
+	wapc.RegisterFunctions(wapc.Functions{
+		"validate": func(payload []byte) ([]byte, error) {
+			return validate(ctx, payload)
+		},
+		"validate_settings": func(payload []byte) ([]byte, error) {
+			return validateSettings(ctx, payload)
+		},
+	})
+}

policies/harvester-restricted-network-vm/cmd/settings.go

@@ -0,0 +1,129 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/SUSE/openplatform-kubewarden-policies/policies/harvester-restricted-network-vm/internal/logger"
+	"github.com/francoispqt/onelog"
+	kubewarden "github.com/kubewarden/policy-sdk-go"
+	kubewardenProtocol "github.com/kubewarden/policy-sdk-go/protocol"
+)
+
+type SettingsError struct {
+	Namespace string
+	Network   string
+}
+
+func (s *SettingsError) Error() string {
+	return fmt.Sprintf(
+		"Invalid settings error, namespace and network must be specified. Namespace: '%s', Network: '%s'",
+		s.Namespace,
+		s.Network,
+	)
+}
+
+type NamespaceNetworkBinding struct {
+	Namespace string `json:"namespace"`
+	Network   string `json:"network"`
+}
+
+// Settings is the structure that describes the policy settings.
+type Settings struct {
+	NamespaceNetworkBindings []NamespaceNetworkBinding `json:"namespaceNetworkBindings"`
+}
+
+func (s *Settings) valid() (bool, error) {
+	for _, ns := range s.NamespaceNetworkBindings {
+		// Check if namespace and network are not empty
+		if ns.Namespace == "" || ns.Network == "" {
+			return false, &SettingsError{
+				Namespace: ns.Namespace,
+				Network:   ns.Network,
+			}
+		}
+	}
+	return true, nil
+}
+
+func NewSettingsFromValidationReq(validationReq *kubewardenProtocol.ValidationRequest) (Settings, error) {
+	settings := Settings{}
+	err := json.Unmarshal(validationReq.Settings, &settings)
+	return settings, err
+}
+
+func validateSettings(ctx context.Context, payload []byte) ([]byte, error) {
+	l := logger.FromContext(ctx)
+	l.Info("validating settings")
+
+	settings := Settings{}
+	err := json.Unmarshal(payload, &settings)
+	if err != nil {
+		return kubewarden.RejectSettings(kubewarden.Message(fmt.Sprintf("Invalid settings JSON: %v", err)))
+	}
+
+	valid, err := settings.valid()
+	if !valid || err != nil {
+		return kubewarden.RejectSettings("settings are not valid")
+	}
+
+	return kubewarden.AcceptSettings()
+}
+
+// isNetworkAllowed verifies if a (namespace, network) combination is allowed.
+//
+// Restrictions
+//   - namespaces with network bindings can only accept a network bound to it
+//   - networks with namespace bindings can only accept a namespace bound to it
+//   - If a namespace and network don't have a binding, then it's unrestricted
+//
+// example:
+//
+//	  settings:
+//			- namespace: restricted-namespace
+//			  network: restricted-network
+//
+// Allowed:
+//
+//	{"namespace": "restricted-namespace", "network": "restricted-network"}
+//	{"namespace": "random-namespace", "network": "random-network"}
+//
+// Denied:
+//
+//	{"namespace": "restricted-namespace", "network": "random-network"}
+//	{"namespace": "random-namespace", "network": "restricted-network"}
+func (s *Settings) isNetworkAllowed(ctx context.Context, namespace, network string) bool {
+	l := logger.FromContext(ctx).With(func(entry onelog.Entry) {
+		entry.String("namespace", namespace)
+		entry.String("network", network)
+	})
+	allowed := true
+
+	for _, ns := range s.NamespaceNetworkBindings {
+		// if a namespace is bound, then its network must be bound to it
+		if ns.Namespace == namespace && ns.Network != network {
+			allowed = false
+		}
+
+		// if a network is bound, then its namespace must be bound to it
+		if ns.Network == network && ns.Namespace != namespace {
+			allowed = false
+		}
+
+		// network and namespace are bound
+		if ns.Network == network && ns.Namespace == namespace {
+			l.Debug("network and namespace matched")
+			return true
+		}
+	}
+
+	// if allowed is "true", it's because the namespace and network are not bound and are considered unrestricted
+	if allowed {
+		l.Debug("namespace and network are unrestricted")
+		return true
+	}
+
+	l.Debug("namespace or network is restricted and cannot bound together")
+	return false
+}