Add namespace check for workload connection in gateway rules

kooomix · kooomix · commit 31c1dfbf7348 · 2025-01-14T08:54:37.000+02:00
diff --git a/rules/exposure-to-internet-via-gateway-api/raw.rego b/rules/exposure-to-internet-via-gateway-api/raw.rego
@@ -56,6 +56,11 @@ is_exposed_service(svc) {
     svc.spec.type == "LoadBalancer"
 }
 
+
+wl_connected_to_service(wl, svc) {
+    wl.metadata.namespace == svc.metadata.namespace
+}
+
 wl_connected_to_service(wl, svc) {
     count({x | svc.spec.selector[x] == wl.metadata.labels[x]}) == count(svc.spec.selector)
 }
diff --git a/rules/exposure-to-internet-via-istio-ingress/raw.rego b/rules/exposure-to-internet-via-istio-ingress/raw.rego
@@ -141,6 +141,11 @@ is_exposed_service(svc) {
     svc.spec.type == "LoadBalancer"
 }
 
+
+wl_connected_to_service(wl, svc) {
+    wl.metadata.namespace == svc.metadata.namespace
+}
+
 wl_connected_to_service(wl, svc) {
     count({x | svc.spec.selector[x] == wl.metadata.labels[x]}) == count(svc.spec.selector)
 }
diff --git a/rules/unauthenticated-service/raw.rego b/rules/unauthenticated-service/raw.rego
@@ -34,6 +34,11 @@ has_unauthenticated_service(service_name, namespace, service_scan_result) if {
 	service_scan_result.spec.ports[_].authenticated == false
 }
 
+
+wl_connected_to_service(wl, svc) {
+    wl.metadata.namespace == svc.metadata.namespace
+}
+
 wl_connected_to_service(wl, svc) if {
 	count({x | svc.spec.selector[x] == wl.metadata.labels[x]}) == count(svc.spec.selector)
 }

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,11 @@ is_exposed_service(svc) {`
`56`	`56`	`svc.spec.type == "LoadBalancer"`
`57`	`57`	`}`
`58`	`58`
	`59`	`+`
	`60`	`+wl_connected_to_service(wl, svc) {`
	`61`	`+ wl.metadata.namespace == svc.metadata.namespace`
	`62`	`+}`
	`63`	`+`
`59`	`64`	`wl_connected_to_service(wl, svc) {`
`60`	`65`	`count({x \| svc.spec.selector[x] == wl.metadata.labels[x]}) == count(svc.spec.selector)`
`61`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -141,6 +141,11 @@ is_exposed_service(svc) {`
`141`	`141`	`svc.spec.type == "LoadBalancer"`
`142`	`142`	`}`
`143`	`143`
	`144`	`+`
	`145`	`+wl_connected_to_service(wl, svc) {`
	`146`	`+ wl.metadata.namespace == svc.metadata.namespace`
	`147`	`+}`
	`148`	`+`
`144`	`149`	`wl_connected_to_service(wl, svc) {`
`145`	`150`	`count({x \| svc.spec.selector[x] == wl.metadata.labels[x]}) == count(svc.spec.selector)`
`146`	`151`	`}`
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,11 @@ has_unauthenticated_service(service_name, namespace, service_scan_result) if {`
`34`	`34`	`service_scan_result.spec.ports[_].authenticated == false`
`35`	`35`	`}`
`36`	`36`
	`37`	`+`
	`38`	`+wl_connected_to_service(wl, svc) {`
	`39`	`+ wl.metadata.namespace == svc.metadata.namespace`
	`40`	`+}`
	`41`	`+`
`37`	`42`	`wl_connected_to_service(wl, svc) if {`
`38`	`43`	`count({x \| svc.spec.selector[x] == wl.metadata.labels[x]}) == count(svc.spec.selector)`
`39`	`44`	`}`