

Merge pull request #965 from msherif1234/cidr_wh
NETOBSERV-2048: Add webhook check to prevent CIDR duplication when configuring multi-rule filtering
msherif1234 authored Jan 9, 2025
2 parents fa16f57 + 18f5ec7 commit 3425830
Showing 2 changed files with 45 additions and 1 deletion.
Expand Up @@ -107,8 +107,15 @@ func (r *FlowCollector) validateAgent(_ context.Context, fc *FlowCollector) (adm
}
var errs []error
if fc.Spec.Agent.EBPF.FlowFilter != nil && fc.Spec.Agent.EBPF.FlowFilter.Enable != nil && *fc.Spec.Agent.EBPF.FlowFilter.Enable {
m := make(map[string]bool)
for i := range fc.Spec.Agent.EBPF.FlowFilter.FlowFilterRules {
errs = append(errs, validateFilter(&fc.Spec.Agent.EBPF.FlowFilter.FlowFilterRules[i])...)
rule := fc.Spec.Agent.EBPF.FlowFilter.FlowFilterRules[i]
if found := m[rule.CIDR]; found {
errs = append(errs, fmt.Errorf("flow filter rule CIDR %s already exists", rule.CIDR))
break
}
m[rule.CIDR] = true
errs = append(errs, validateFilter(&rule)...)
}
errs = append(errs, validateFilter(fc.Spec.Agent.EBPF.FlowFilter)...)
}
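Review bot: The `break` after the duplicate-CIDR error ends the loop, so validateFilter never runs on the remaining rules (nor on the duplicate itself) and the user only discovers later problems after fixing this one; since errs already collects everything, replacing `break` with `continue` would report all problems in one pass. The map is keyed on the raw CIDR string, so two spellings of the same prefix (for example a host bit set vs. cleared, or an IPv6 prefix with and without leading zeros) slip past the check — if validateFilter already parses the CIDR, keying on the parsed network's canonical String() would close that gap. `rule := ...FlowFilterRules[i]` is a copy of the slice element, so anything validateFilter writes through `&rule` no longer reaches the spec as it did with the old `&fc.Spec...FlowFilterRules[i]` argument; validateFilter's body is not visible here, so this may be harmless. validateAgent begins and ends outside the hunk.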
Expand Up @@ -49,6 +49,7 @@ func TestValidateAgent(t *testing.T) {
Action: "Accept",
CIDR: "0.0.0.0/0",
Direction: "Egress",
Protocol: "TCP",
},
},
},
Expand All @@ -57,6 +58,42 @@ func TestValidateAgent(t *testing.T) {
},
},
},
{
name: "Invalid filter with duplicate CIDR",
fc: &FlowCollector{
ObjectMeta: metav1.ObjectMeta{
Name: "cluster",
},
Spec: FlowCollectorSpec{
Agent: FlowCollectorAgent{
Type: AgentEBPF,
EBPF: FlowCollectorEBPF{
Features: []AgentFeature{DNSTracking, FlowRTT, PacketDrop},
Privileged: true,
Sampling: ptr.To(int32(100)),
FlowFilter: &EBPFFlowFilter{
Enable: ptr.To(true),
FlowFilterRules: []EBPFFlowFilterRule{
{
Action: "Accept",
CIDR: "0.0.0.0/0",
Direction: "Egress",
Protocol: "TCP",
},
{
Action: "Accept",
CIDR: "0.0.0.0/0",
Direction: "Egress",
Protocol: "UDP",
},
},
},
},
},
},
},
expectedError: "flow filter rule CIDR 0.0.0.0/0 already exists",
},
{
name: "PacketDrop without privilege triggers warning",
fc: &FlowCollector{
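Review bot: The new table entry covers only the rejection path; there is no positive case with two rules carrying distinct CIDRs, so the non-duplicate branch of the new map bookkeeping and the fact that later rules are still validated are not exercised. A companion entry with two different prefixes and no expected error would pin that behaviour. The `Protocol: "TCP"` added to the pre-existing valid case in the first hunk is not explained by the commit; if validateFilter now requires a protocol, a short comment on that line (`// Protocol is required by validateFilter`) would tell the next reader why the fixture changed. TestValidateAgent begins and ends outside the hunk.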

