From e5d070d29b91cbdc422f58c869f64e572a6fa349 Mon Sep 17 00:00:00 2001
From: Eswar Rajan <89014588+seswarrajan@users.noreply.github.com>
Date: Fri, 18 Nov 2022 11:41:00 +0530
Subject: [PATCH] Adding support to display k8s Network policy in discover (#210)

---
 cmd/discover.go | 2 +-
 discover/discover.go | 50 ++++++++++++++++++++++++++++++--------------
 go.mod | 2 +-
 go.sum | 4 ++--
 4 files changed, 38 insertions(+), 20 deletions(-)

diff --git a/cmd/discover.go b/cmd/discover.go
index 4c6eda7b..e572233c 100644
--- a/cmd/discover.go
+++ b/cmd/discover.go
@@ -27,7 +27,7 @@ func init() {
  rootCmd.AddCommand(discoverCmd)
  discoverCmd.Flags().StringVar(&discoverOptions.GRPC, "gRPC", "", "gRPC server information")
  discoverCmd.Flags().StringVarP(&discoverOptions.Format, "format", "f", "json", "Format: json or yaml")
- discoverCmd.Flags().StringVarP(&discoverOptions.Policy, "policy", "p", "kubearmor", "Type of policies to be discovered: cilium or kubearmor")
+ discoverCmd.Flags().StringVarP(&discoverOptions.Policy, "policy", "p", "KubearmorSecurityPolicy", "Type of policies to be discovered: KubearmorSecurityPolicy|CiliumNetworkPolicy|NetworkPolicy")
  discoverCmd.Flags().StringVarP(&discoverOptions.Namespace, "namespace", "n", "", "Filter by Namespace")
  discoverCmd.Flags().StringVarP(&discoverOptions.Clustername, "clustername", "c", "", "Filter by Clustername")
  discoverCmd.Flags().StringVarP(&discoverOptions.Labels, "labels", "l", "", "Filter by policy Label")
diff --git a/discover/discover.go b/discover/discover.go
index d0a07370..8617a37d 100644
--- a/discover/discover.go
+++ b/discover/discover.go
@@ -17,6 +17,8 @@ import (
  "github.com/rs/zerolog/log"
  "sigs.k8s.io/yaml"
 
+ nv1 "k8s.io/api/networking/v1"
+
  wpb "github.com/accuknox/auto-policy-discovery/src/protobuf/v1/worker"
  "github.com/accuknox/auto-policy-discovery/src/types"
  "google.golang.org/grpc"
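Review bot: The new `--policy` default and help text drop the previously accepted values `cilium` and `kubearmor` without keeping them as aliases, so an existing invocation such as `-p cilium` no longer matches any branch in discover.go and, judging by the validation added there, only logs an error and then prints nothing. If the rename to the CRD kind names is intended, a small compatibility mapping in `Policy` (`cilium` → `CiliumNetworkPolicy`, `kubearmor` → `KubearmorSecurityPolicy`) would avoid a silent break for scripts, and the help string could state that `KubearmorSecurityPolicy` is the default. The enclosing `init` continues outside the hunk.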
@@ -77,14 +79,11 @@ func ConvertPolicy(c *k8s.Client, o Options) error {
  return errors.New("could not connect to the server. Possible troubleshooting:\n- Check if discovery engine is running\n- Create a portforward to discovery engine service using\n\t\033[1mkubectl port-forward -n explorer service/knoxautopolicy --address 0.0.0.0 --address :: 9089:9089\033[0m\n- Configure grpc server information using\n\t\033[1mkarmor log --grpc \033[0m")
  }
 
- if o.Policy == "network" {
- policy := types.CiliumNetworkPolicy{}
-
- ciliumpolicy := []types.CiliumNetworkPolicy{}
+ if o.Policy == "CiliumNetworkPolicy" {
 
  if len(response.Ciliumpolicy) > 0 {
  for _, val := range response.Ciliumpolicy {
- policy = types.CiliumNetworkPolicy{}
+ policy := types.CiliumNetworkPolicy{}
 
  err = json.Unmarshal(val.Data, &policy)
  if err != nil {
@@ -92,8 +91,6 @@ func ConvertPolicy(c *k8s.Client, o Options) error {
  return err
  }
 
- ciliumpolicy = append(ciliumpolicy, policy)
-
  str := ""
  if o.Format == "json" {
  arr, _ := json.MarshalIndent(policy, "", " ")
@@ -110,8 +107,7 @@ func ConvertPolicy(c *k8s.Client, o Options) error {
  }
  }
  }
- } else if o.Policy == "system" {
- kubearmorpolicy := []types.KubeArmorPolicy{}
+ } else if o.Policy == "KubearmorSecurityPolicy" {
 
  if len(response.Kubearmorpolicy) > 0 {
  for _, val := range response.Kubearmorpolicy {
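Review bot: The policy kind is compared against the bare literal `"CiliumNetworkPolicy"` here, against `"KubearmorSecurityPolicy"` in the hunk at -110, and against all three names again in `Policy` at -148, while the same strings are repeated in the flag help in cmd/discover.go; a typo in any one copy silently disables a branch with no compile-time signal. Declaring them once, e.g. `const (policyKubeArmor = "KubearmorSecurityPolicy"; policyCilium = "CiliumNetworkPolicy"; policyK8sNetwork = "NetworkPolicy")`, and using the constants in both files would keep the flag help, the validation and the dispatch in step. `ConvertPolicy` starts and ends outside this hunk.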
@@ -123,7 +119,33 @@ func ConvertPolicy(c *k8s.Client, o Options) error {
  return err
  }
 
- kubearmorpolicy = append(kubearmorpolicy, policy)
+ str := ""
+ if o.Format == "json" {
+ arr, _ := json.MarshalIndent(policy, "", " ")
+ str = fmt.Sprintf("%s\n", string(arr))
+ fmt.Printf("%s", str)
+ } else if o.Format == "yaml" {
+ arr, _ := json.Marshal(policy)
+ yamlarr, _ := yaml.JSONToYAML(arr)
+ str = fmt.Sprintf("%s", string(yamlarr))
+ fmt.Printf("%s---\n", str)
+ } else {
+ fmt.Printf("Currently supported formats are json and yaml\n")
+ break
+ }
+ }
+ }
+ } else if o.Policy == "NetworkPolicy" {
+
+ if len(response.K8SNetworkpolicy) > 0 {
+ for _, val := range response.K8SNetworkpolicy {
+ policy := nv1.NetworkPolicy{}
+
+ err = json.Unmarshal(val.Data, &policy)
+ if err != nil {
+ log.Error().Msg(err.Error())
+ return err
+ }
 
  str := ""
  if o.Format == "json" {
@@ -148,12 +170,8 @@ func ConvertPolicy(c *k8s.Client, o Options) error {
 
  // Policy discovers Cilium or KubeArmor policies
  func Policy(c *k8s.Client, o Options) error {
- if o.Policy == "cilium" {
- o.Policy = "network"
- } else if o.Policy == "kubearmor" {
- o.Policy = "system"
- } else {
- log.Error().Msgf("Policy type not recognized.\nCurrently supported policies are cilium and kubearmor\n")
+ if o.Policy != "CiliumNetworkPolicy" && o.Policy != "NetworkPolicy" && o.Policy != "KubearmorSecurityPolicy" {
+ log.Error().Msgf("Policy type not recognized.\nCurrently supported policies are cilium, kubearmor and k8snetpol\n")
  }
 
  if err := ConvertPolicy(c, o); err != nil {
diff --git a/go.mod b/go.mod
index d46e1a0f..99ee5f11 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ replace (
  )
 
  require (
- github.com/accuknox/auto-policy-discovery/src v0.0.0-20221004060846-9c120a7390e8
+ github.com/accuknox/auto-policy-discovery/src v0.0.0-20221117052812-ce8fb166b71d
  github.com/blang/semver v3.5.1+incompatible
  github.com/cilium/cilium v1.10.14
  github.com/clarketm/json v1.17.1
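Review bot: The format-printing block added to the KubearmorSecurityPolicy branch is a verbatim copy of the Cilium one, and the NetworkPolicy branch opened at the end of this hunk appears to receive a third copy; in each, the `json.MarshalIndent`, `json.Marshal` and `yaml.JSONToYAML` errors are discarded with `_`, so a policy that fails to encode is printed as an empty line with no diagnostic, and an unsupported `--format` only `break`s out of the inner loop, after which `ConvertPolicy` presumably returns nil. A helper that returns the error would remove the duplication and surface those failures; each call site becomes `if err := printPolicy(policy, o.Format); err != nil { return err }`. The `str` intermediate and the `fmt.Sprintf("%s", string(yamlarr))` round-trip are unnecessary, since `fmt.Printf("%s", yamlarr)` formats the byte slice directly. `ConvertPolicy`'s signature and the NetworkPolicy branch's printing lie outside the hunk.
```go
// printPolicy writes a single discovered policy to stdout in the requested
// format ("json" or "yaml"). Encoding failures and an unsupported format are
// returned instead of being dropped, so the caller can report them.
func printPolicy(policy interface{}, format string) error {
	switch format {
	case "json":
		arr, err := json.MarshalIndent(policy, "", " ")
		if err != nil {
			return fmt.Errorf("marshalling policy to json: %w", err)
		}
		fmt.Printf("%s\n", arr)
	case "yaml":
		arr, err := json.Marshal(policy)
		if err != nil {
			return fmt.Errorf("marshalling policy to json: %w", err)
		}
		yamlarr, err := yaml.JSONToYAML(arr)
		if err != nil {
			return fmt.Errorf("converting policy to yaml: %w", err)
		}
		fmt.Printf("%s---\n", yamlarr)
	default:
		return fmt.Errorf("unsupported format %q: currently supported formats are json and yaml", format)
	}
	return nil
}
```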
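Review bot: The new validation in `Policy` logs "Currently supported policies are cilium, kubearmor and k8snetpol", but the condition on the line above accepts only `CiliumNetworkPolicy`, `NetworkPolicy` and `KubearmorSecurityPolicy`, so the message steers the user toward values that fail the same check. The branch also does not return, so `ConvertPolicy` is still invoked with the rejected value and, as none of its visible branches match, apparently produces no output after the error. Replacing the log line with `return fmt.Errorf("policy type %q not recognized; supported policies are KubearmorSecurityPolicy, CiliumNetworkPolicy and NetworkPolicy", o.Policy)` addresses both, and the doc comment `// Policy discovers Cilium or KubeArmor policies` should now mention Kubernetes NetworkPolicy too. The body of `Policy` continues outside the hunk.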
diff --git a/go.sum b/go.sum
index e1998562..fdb1e1ab 100644
--- a/go.sum
+++ b/go.sum
@@ -115,8 +115,8 @@ github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdko
 github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
 github.com/StackExchange/wmi v1.2.1 h1:VIkavFPXSjcnS+O8yTq7NI32k0R5Aj+v39y29VYDOSA=
 github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8=
-github.com/accuknox/auto-policy-discovery/src v0.0.0-20221004060846-9c120a7390e8 h1:FgHgVCj7+WNkQ5fJ0tbiquLbEPLqeeBqFGRj7baMbRw=
-github.com/accuknox/auto-policy-discovery/src v0.0.0-20221004060846-9c120a7390e8/go.mod h1:R5eU8iW3k7lPwrycZ0zpe4s0X76IpjJxpHCkSyd7CpY=
+github.com/accuknox/auto-policy-discovery/src v0.0.0-20221117052812-ce8fb166b71d h1:5a2urN7udpy1Rq9mDSKVguceC7mHlcBYbGIiMpFFcVw=
+github.com/accuknox/auto-policy-discovery/src v0.0.0-20221117052812-ce8fb166b71d/go.mod h1:/D33+lnnMT27UBbfmOhtPctwrgCmvd82ze00+GeycUs=
 github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=