Set up harvester-restricted-vlan

Author: tmuntaner

Makefile.tinygo

@@ -1,6 +1,6 @@
 ROOT_DIR ?= $(dir $(realpath $(lastword $(MAKEFILE_LIST))))
 BIN_DIR := $(abspath $(ROOT_DIR)/bin)
-POLICY_DIR := $(dir $(patsubst %/,%,$(CURDIR)))
+POLICY_DIR := $(notdir $(patsubst %/,%,$(CURDIR)))
 
 GOLANGCI_LINT_VER := v2.5.0
 GOLANGCI_LINT_BIN := golangci-lint
@@ -14,8 +14,9 @@ ifeq ($(CI),true)
 else
 	podman run \
 		--rm \
+		--user $(id -u):$(id -g) \
 		-e GOFLAGS="-buildvcs=false" \
-		-v ${POLICY_DIR}:/src:rw,Z \
+		-v ${CURDIR}:/src:rw,Z \
 		-w /src tinygo/tinygo:0.39.0 \
 		tinygo build -o policy.wasm -target=wasi -no-debug ./cmd
 endif

policies/harvester-pci-devices/README.md

@@ -8,7 +8,7 @@ This policy guards against VMs attaching PCI Devices (e.g., GPUs) without permis
 apiVersion: policies.kubewarden.io/v1
 kind: ClusterAdmissionPolicy
 metadata:
-  name: cc-policy-1
+  name: harvester-pci-policy-1
 spec:
   module: harbor.op-prg2-0-dev-ingress.op.suse.org/op-portal/kubewarden-policy:20
   rules:

policies/harvester-pci-devices/internal/domain/settings_test.go

@@ -141,8 +141,8 @@ func TestNewSettingsFromValidationReq(t *testing.T) {
 	settingsJSON := []byte(`{
 		"namespaceDeviceBindings": [
 		{
-			"namespace": "test-cc-namespace-1",
-			"device": "test-cc-device-1"
+			"namespace": "test-restricted-namespace-1",
+			"device": "test-restricted-device-1"
 		}
 		]
 	}`)
@@ -153,5 +153,5 @@ func TestNewSettingsFromValidationReq(t *testing.T) {
 
 	newSettings, err := domain.NewSettingsFromValidationReq(validationRequest)
 	require.NoError(t, err)
-	assert.Equal(t, "test-cc-namespace-1", newSettings.NamespaceDeviceBindings[0].Namespace)
+	assert.Equal(t, "test-restricted-namespace-1", newSettings.NamespaceDeviceBindings[0].Namespace)
 }

policies/harvester-restricted-vlan-namespace/.gitignore

@@ -0,0 +1,19 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+*.wasm
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+coverage.xml
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+bin/

policies/harvester-restricted-vlan-namespace/Makefile

@@ -0,0 +1 @@
+../../Makefile.tinygo

policies/harvester-restricted-vlan-namespace/README.md

@@ -0,0 +1,49 @@
+# harvester-restricted-vlan-namespace
+
+This policy guards against harvester creating a network for a restricted VLAN in unauthorized namespaces.
+
+**Example policy:**
+
+```
+apiVersion: policies.kubewarden.io/v1
+kind: ClusterAdmissionPolicy
+metadata:
+  name: restricted-vlan-policy-1
+spec:
+  module: harvester-restricted-vlan:0.1.0
+  rules:
+    - apiGroups: ["k8s.cni.cncf.io"]
+      apiVersions: ["v1"]
+      resources: ["network-attachment-definitions"]
+      operations: ["CREATE", "UPDATE"]
+  settings:
+    namespaceVLANBindings:
+      - namespace:  test-restricted-1-network-1
+        vlan:       42
+      - namespace:  test-restricted-2-network-1
+        vlan:       1337
+  mutating: false  # or true if your policy mutates resources
+  policyServer: default
+```
+
+**Specifications:**
+
+1. All bound namespaces must use their respective bound VLANs.
+2. All bound VLANs must use their respective bound namespaces.
+3. Any namespace or VLAN that isn't bound, is unrestricted.
+
+**Examples:**
+
+The following examples are with the example policy above, with a random non-cc VLAN being 100.
+
+| namespace                   | network | Result |
+|-----------------------------|---------|--------|
+| test-restricted-1-network-1 | 42      | ALLOW  |
+| test-restricted-2-network-1 | 1337    | ALLOW  |
+| random-namespace            | 100     | ALLOW  |
+| test-restricted-1-network-1 | 1337    | REJECT |
+| test-restricted-2-network-2 | 42      | REJECT |
+| random-namespace            | 42      | REJECT |
+| random-namespace            | 1337    | REJECT |
+| test-restricted-1-network-1 | 100     | REJECT |
+| test-restricted-2-network-2 | 100     | REJECT |

policies/harvester-restricted-vlan-namespace/cmd/main.go

@@ -0,0 +1,35 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/SUSE/openplatform-kubewarden-policies/policies/harvester-restricted-vlan-namespace/internal"
+	"github.com/SUSE/openplatform-kubewarden-policies/policies/harvester-restricted-vlan-namespace/internal/logger"
+	"github.com/wapc/wapc-guest-tinygo"
+)
+
+const httpBadRequestStatusCode = 400
+
+func main() {
+	ctx := logger.ContextWithLogger(context.Background())
+
+	wapc.RegisterFunctions(wapc.Functions{
+		"validate": func(payload []byte) ([]byte, error) {
+			return validateRequest(ctx, payload)
+		},
+		"validate_settings": func(payload []byte) ([]byte, error) {
+			return validateSettings(ctx, payload)
+		},
+	})
+}
+
+func parseSettings(payload []byte) (internal.Settings, error) {
+	settings := internal.Settings{}
+	err := json.Unmarshal(payload, &settings)
+	if err != nil {
+		return internal.Settings{}, err
+	}
+
+	return settings, nil
+}

policies/harvester-restricted-vlan-namespace/cmd/validate_request.go

@@ -0,0 +1,53 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/SUSE/openplatform-kubewarden-policies/policies/harvester-restricted-vlan-namespace/internal"
+	"github.com/SUSE/openplatform-kubewarden-policies/policies/harvester-restricted-vlan-namespace/internal/logger"
+	"github.com/francoispqt/onelog"
+	kubewarden "github.com/kubewarden/policy-sdk-go"
+	kubewardenProtocol "github.com/kubewarden/policy-sdk-go/protocol"
+)
+
+func validateRequest(ctx context.Context, payload []byte) ([]byte, error) {
+	validationRequest := kubewardenProtocol.ValidationRequest{}
+	err := json.Unmarshal(payload, &validationRequest)
+	if err != nil {
+		return kubewarden.RejectRequest(
+			kubewarden.Message(err.Error()),
+			kubewarden.Code(httpBadRequestStatusCode))
+	}
+
+	settings, err := parseSettings(validationRequest.Settings)
+	if err != nil {
+		return kubewarden.RejectRequest(
+			kubewarden.Message(err.Error()),
+			kubewarden.Code(httpBadRequestStatusCode))
+	}
+
+	networkAttachmentDefinition := internal.NetworkAttachmentDefinition{}
+	err = json.Unmarshal(validationRequest.Request.Object, &networkAttachmentDefinition)
+	if err != nil {
+		return kubewarden.RejectRequest(
+			kubewarden.Message(err.Error()),
+			kubewarden.Code(httpBadRequestStatusCode))
+	}
+
+	namespace := networkAttachmentDefinition.Metadata.Namespace
+	vlan := networkAttachmentDefinition.Spec.Config.VLAN
+	l := logger.FromContext(ctx).With(func(entry onelog.Entry) {
+		entry.String("namespace", namespace)
+		entry.Int("vlan", vlan)
+	})
+
+	l.Info("NETWORK_CHECK namespace")
+	if !settings.IsVLANAllowed(ctx, namespace, vlan) {
+		l.Info("NETWORK_REJECTED namespace")
+		return kubewarden.RejectRequest("Invalid request", kubewarden.Code(httpBadRequestStatusCode))
+	}
+	l.Info("NETWORK_ALLOWED namespace")
+
+	return kubewarden.AcceptRequest()
+}

policies/harvester-restricted-vlan-namespace/cmd/validate_settings.go

@@ -0,0 +1,22 @@
+package main
+
+import (
+	"context"
+	"fmt"
+
+	kubewarden "github.com/kubewarden/policy-sdk-go"
+)
+
+func validateSettings(ctx context.Context, payload []byte) ([]byte, error) {
+	settings, err := parseSettings(payload)
+	if err != nil {
+		return kubewarden.RejectSettings(kubewarden.Message(fmt.Sprintf("Invalid settings JSON: %v", err)))
+	}
+
+	valid := settings.IsValid(ctx)
+	if !valid {
+		return kubewarden.RejectSettings("Invalid settings")
+	}
+
+	return kubewarden.AcceptSettings()
+}

policies/harvester-restricted-vlan-namespace/go.mod

@@ -0,0 +1,26 @@
+module github.com/SUSE/openplatform-kubewarden-policies/policies/harvester-restricted-vlan-namespace
+
+go 1.22
+
+toolchain go1.23.1
+
+require (
+	github.com/francoispqt/onelog v0.0.0-20190306043706-8c2bb31b10a4
+	github.com/kubewarden/policy-sdk-go v0.11.0
+	github.com/stretchr/testify v1.10.0
+	github.com/wapc/wapc-guest-tinygo v0.3.3
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/francoispqt/gojay v1.2.13 // indirect
+	github.com/go-openapi/strfmt v0.23.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/kubewarden/k8s-objects v1.32.0-kw1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/rogpeppe/go-internal v1.10.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
+
+replace github.com/go-openapi/strfmt => github.com/kubewarden/strfmt v0.1.3