Support HTTPRoute in Gateway API

Signed-off-by: Ben <[email protected]>

Author: slashben

rules/exposure-to-internet/raw.rego

@@ -5,7 +5,7 @@ deny[msga] {
     service := input[_]
     service.kind == "Service"
     is_exposed_service(service)
-    
+
     wl := input[_]
     spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
     spec_template_spec_patterns[wl.kind]
@@ -32,7 +32,7 @@ deny[msga] {
 deny[msga] {
     ingress := input[_]
     ingress.kind == "Ingress"
-    
+
     svc := input[_]
     svc.kind == "Service"
 
@@ -49,7 +49,7 @@ deny[msga] {
     wl_connected_to_service(wl, svc)
 
     result := svc_connected_to_ingress(svc, ingress)
-    
+
     msga := {
         "alertMessage": sprintf("workload '%v' is exposed through ingress '%v'", [wl.metadata.name, ingress.metadata.name]),
         "packagename": "armo_builtins",
@@ -70,7 +70,51 @@ deny[msga] {
 		}
         ]
     }
-} 
+}
+
+deny[msga] {
+    httproute := input[_]
+    httproute.kind == "HTTPRoute"
+
+    svc := input[_]
+    svc.kind == "Service"
+
+    # Make sure that they belong to the same namespace
+    svc.metadata.namespace == httproute.metadata.namespace
+
+    # avoid duplicate alerts
+    # if service is already exposed through NodePort or LoadBalancer workload will fail on that
+    not is_exposed_service(svc)
+
+    wl := input[_]
+    wl.metadata.namespace == svc.metadata.namespace
+    spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
+    spec_template_spec_patterns[wl.kind]
+    wl_connected_to_service(wl, svc)
+
+    result := svc_connected_to_httproute(svc, httproute)
+
+    msga := {
+        "alertMessage": sprintf("workload '%v' is exposed through httproute '%v'", [wl.metadata.name, httproute.metadata.name]),
+        "packagename": "armo_builtins",
+        "failedPaths": [],
+        "fixPaths": [],
+        "alertScore": 7,
+        "alertObject": {
+            "k8sApiObjects": [wl]
+        },
+        "relatedObjects": [
+		{
+	            "object": httproute,
+		    "reviewPaths": result,
+	            "failedPaths": result,
+	        },
+		{
+	            "object": svc,
+		}
+        ]
+    }
+}
 
 # ====================================================================================
 
@@ -90,6 +134,10 @@ wl_connected_to_service(wl, svc) {
     wl.spec.selector.matchLabels == svc.spec.selector
 }
 
+wl_connected_to_service(wl, svc) {
+    count({x | svc.spec.selector[x] == wl.spec.template.metadata.labels[x]}) == count(svc.spec.selector)
+}
+
 # check if service is connected to ingress
 svc_connected_to_ingress(svc, ingress) = result {
     rule := ingress.spec.rules[i]
@@ -98,3 +146,11 @@ svc_connected_to_ingress(svc, ingress) = result {
     result := [sprintf("spec.rules[%d].http.paths[%d].backend.service.name", [i,j])]
 }
 
+svc_connected_to_httproute(svc, httproute) = result {
+    rule := httproute.spec.rules[i]
+    ref := rule.backendRefs[j]
+    ref.kind == "Service"
+    svc.metadata.name == ref.name
+    result := [sprintf("spec.rules[%d].backendRefs[%d].name", [i,j])]
+}
+

rules/exposure-to-internet/rule.metadata.json

@@ -52,6 +52,17 @@
         "resources": [
           "Ingress"
         ]
+    },
+    {
+      "apiGroups": [
+        "gateway.networking.k8s.io"
+      ],
+      "apiVersions": [
+        "v1"
+      ],
+      "resources": [
+        "HTTPRoute"
+      ]
     }
   ],
   "description": "fails in case the running workload has binded Service or Ingress that are exposing it on Internet.",

rules/exposure-to-internet/test/failed_with_httproute/expected.json

@@ -0,0 +1,21 @@
+[
+    {
+       "alertMessage": "workload 'httpbin' is exposed through httproute 'httpbin'",
+       "failedPaths": [],
+       "fixPaths": [],
+       "ruleStatus": "",
+       "packagename": "armo_builtins",
+       "alertScore": 7,
+       "alertObject": {
+          "k8sApiObjects": [
+             {
+                "apiVersion": "apps/v1",
+                "kind": "Deployment",
+                "metadata": {
+                   "name": "httpbin"
+                }
+             }
+          ]
+       }
+    }
+ ]

rules/exposure-to-internet/test/failed_with_httproute/input/deployment.yaml

@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    deployment.kubernetes.io/revision: "1"
+  creationTimestamp: "2024-02-04T19:05:12Z"
+  generation: 1
+  name: httpbin
+  namespace: httpbin
+  resourceVersion: "870"
+  uid: 7462bb4c-b5a2-413e-80ee-c1baaf34aade
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: httpbin
+      version: v1
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: httpbin
+        version: v1
+    spec:
+      containers:
+      - args:
+        - -port
+        - "8080"
+        - -max-duration
+        - 600s
+        command:
+        - go-httpbin
+        image: docker.io/mccutchen/go-httpbin:v2.6.0
+        imagePullPolicy: IfNotPresent
+        name: httpbin
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      - command:
+        - tail
+        - -f
+        - /dev/null
+        image: curlimages/curl:7.83.1
+        imagePullPolicy: IfNotPresent
+        name: curl
+        resources:
+          limits:
+            cpu: 200m
+          requests:
+            cpu: 100m
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      - image: gcr.io/solo-public/docs/hey:0.1.4
+        imagePullPolicy: IfNotPresent
+        name: hey
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      serviceAccount: httpbin
+      serviceAccountName: httpbin
+      terminationGracePeriodSeconds: 30
+status:
+  availableReplicas: 1
+  conditions:
+  - lastTransitionTime: "2024-02-04T19:05:32Z"
+    lastUpdateTime: "2024-02-04T19:05:32Z"
+    message: Deployment has minimum availability.
+    reason: MinimumReplicasAvailable
+    status: "True"
+    type: Available
+  - lastTransitionTime: "2024-02-04T19:05:12Z"
+    lastUpdateTime: "2024-02-04T19:05:32Z"
+    message: ReplicaSet "httpbin-f46cc8b9b" has successfully progressed.
+    reason: NewReplicaSetAvailable
+    status: "True"
+    type: Progressing
+  observedGeneration: 1
+  readyReplicas: 1
+  replicas: 1
+  updatedReplicas: 1

rules/exposure-to-internet/test/failed_with_httproute/input/httproute.yaml

@@ -0,0 +1,51 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  creationTimestamp: "2024-02-04T19:06:03Z"
+  generation: 1
+  labels:
+    example: httpbin-route
+  name: httpbin
+  namespace: httpbin
+  resourceVersion: "914"
+  uid: fd820080-801d-4fa7-934a-e23abe8bf746
+spec:
+  hostnames:
+  - www.example.com
+  parentRefs:
+  - group: gateway.networking.k8s.io
+    kind: Gateway
+    name: http
+    namespace: gloo-system
+  rules:
+  - backendRefs:
+    - group: ""
+      kind: Service
+      name: httpbin
+      port: 8000
+      weight: 1
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+status:
+  parents:
+  - conditions:
+    - lastTransitionTime: "2024-02-04T19:06:03Z"
+      message: ""
+      observedGeneration: 1
+      reason: Accepted
+      status: "True"
+      type: Accepted
+    - lastTransitionTime: "2024-02-04T19:06:03Z"
+      message: ""
+      observedGeneration: 1
+      reason: ResolvedRefs
+      status: "True"
+      type: ResolvedRefs
+    controllerName: solo.io/gloo-gateway
+    parentRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: http
+      namespace: gloo-system

rules/exposure-to-internet/test/failed_with_httproute/input/service.yaml

@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: "2024-02-04T19:05:12Z"
+  labels:
+    app: httpbin
+    service: httpbin
+  name: httpbin
+  namespace: httpbin
+  resourceVersion: "811"
+  uid: c391feb7-54e5-41b2-869b-33166869f1b7
+spec:
+  clusterIP: 10.96.162.234
+  clusterIPs:
+  - 10.96.162.234
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - name: http
+    port: 8000
+    protocol: TCP
+    targetPort: 8080
+  - name: tcp
+    port: 9000
+    protocol: TCP
+    targetPort: 9000
+  selector:
+    app: httpbin
+  sessionAffinity: None
+  type: ClusterIP
+status:
+  loadBalancer: {}

testrunner/opaprocessor/processorutils.go

@@ -161,6 +161,7 @@ func AssertResponses(t *testing.T, responses []reporthandling.RuleResponse, expe
 		return err
 	}
 
+	//fmt.Println("actual:", string(actual))
 	require.JSONEq(t, string(expected), string(actual))
 	return nil
 }