Refactor workload connection checks to use pod specifications in exposure rules

Author: kooomix

rules/exposure-to-internet-via-istio-ingress/raw.rego

@@ -45,7 +45,8 @@ deny[msga] {
     is_same_namespace(connected_service, wl)
     spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
     spec_template_spec_patterns[wl.kind]
-    wl_connected_to_service(wl, connected_service)
+    pod := get_pod_spec(wl)["spec"]
+    wl_connected_to_service(pod, connected_service)
 
     # print("Found the workload that the service is connected to", wl)
 
@@ -177,3 +178,22 @@ get_fqsn(ns, dest_host) = fqsn {
 }
 
 
+
+# get_volume - get resource spec paths for {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+get_pod_spec(resources) := result {
+	resources_kinds := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+	resources_kinds[resources.kind]
+	result = {"spec": resources.spec.template, "start_of_path": "spec.template."}
+}
+
+# get_volume - get resource spec paths for "Pod"
+get_pod_spec(resources) := result {
+	resources.kind == "Pod"
+	result = {"spec": resources, "start_of_path": ""}
+}
+
+# get_volume - get resource spec paths for "CronJob"
+get_pod_spec(resources) := result {
+	resources.kind == "CronJob"
+	result = {"spec": resources.spec.jobTemplate.spec.template.spec, "start_of_path": "spec.jobTemplate.spec.template.spec."}
+}

rules/exposure-to-internet-via-istio-ingress/test/failed_with_beta/expected.json

@@ -171,10 +171,7 @@
                      }
                   ],
                   "selector": {
-                     "app": "int-0721",
-                     "context": "default",
-                     "name": "int-0721",
-                     "role": "app"
+                     "app": "nginx"
                   },
                   "sessionAffinity": "None",
                   "type": "ClusterIP"

rules/exposure-to-internet-via-istio-ingress/test/failed_with_beta/input/service.yaml

@@ -34,10 +34,7 @@ spec:
     protocol: TCP
     targetPort: 8080
   selector:
-    app: int-0721
-    context: default
-    name: int-0721
-    role: app
+    app: nginx
   sessionAffinity: None
   type: ClusterIP
 status:

rules/exposure-to-internet/raw.rego

@@ -9,7 +9,8 @@ deny[msga] {
     wl := input[_]
     spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
     spec_template_spec_patterns[wl.kind]
-    wl_connected_to_service(wl, service)
+    pod := get_pod_spec(wl)["spec"]
+    wl_connected_to_service(pod, service)
     failPath := ["spec.type"]
     msga := {
         "alertMessage": sprintf("workload '%v' is exposed through service '%v'", [wl.metadata.name, service.metadata.name]),
@@ -124,3 +125,24 @@ is_same_namespace(metadata1, metadata2) {
 	not metadata1.namespace
 	metadata2.namespace == "default"
 }
+
+
+
+# get_volume - get resource spec paths for {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+get_pod_spec(resources) := result {
+	resources_kinds := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+	resources_kinds[resources.kind]
+	result = {"spec": resources.spec.template, "start_of_path": "spec.template."}
+}
+
+# get_volume - get resource spec paths for "Pod"
+get_pod_spec(resources) := result {
+	resources.kind == "Pod"
+	result = {"spec": resources, "start_of_path": ""}
+}
+
+# get_volume - get resource spec paths for "CronJob"
+get_pod_spec(resources) := result {
+	resources.kind == "CronJob"
+	result = {"spec": resources.spec.jobTemplate.spec.template.spec, "start_of_path": "spec.jobTemplate.spec.template.spec."}
+}