fix(kubernetes): scope NetworkPolicyEdgeBuilder connections to same namespace #7585
Open
AlexanderSanin wants to merge 1 commit into
…amespace

Kubernetes NetworkPolicies are namespace-scoped resources: a policy in namespace A has no effect on pods in namespace B. However, NetworkPolicyEdgeBuilder was connecting a NetworkPolicy to every Pod in the graph regardless of namespace, producing false-positive PASS results in CKV2_K8S_6 for pods that shared no NetworkPolicy in their own namespace.

The fix extracts the namespace from each NetworkPolicy and Pod vertex (falling back to "default" when not set, matching the Kubernetes API behaviour) and skips the connection when they differ. Both the empty-podSelector wildcard path and the matchLabels path now respect namespace scoping.

Closes bridgecrewio#7474

Signed-off-by: Oleksandr Sanin <alexaaander.sanin@gmail.com>
Hey @maxamel @omriyoffe-panw. Could you please have a look at this?
Summary
Fixes false-positive PASS results in CKV2_K8S_6 (Require all pods to have a NetworkPolicy) caused by NetworkPolicyEdgeBuilder ignoring namespace scoping.

Kubernetes NetworkPolicies are namespace-scoped: a policy in namespace-a does not protect pods in namespace-b. Before this fix, the edge builder connected a NetworkPolicy with an empty podSelector: {} to every Pod in the entire graph, regardless of namespace. This meant a single wildcard NetworkPolicy in any namespace caused pods in all other namespaces to incorrectly pass the check.

Root cause: In NetworkPolicyEdgeBuilder.find_connections(), both the empty-podSelector wildcard branch and the matchLabels branch appended pod connections without comparing namespaces.

Fix: Extract the namespace from the NetworkPolicy and Pod vertex attributes (falling back to "default" when unset, matching the Kubernetes API default), and skip the connection when namespaces differ.

Closes #7474
Test plan
- test_LabelSelectorEdgeBuilder_on_templates_with_network_policy continues to pass (all resources in the same default namespace; behaviour unchanged)
- test_NetworkPolicyEdgeBuilder_respects_namespace_scoping verifies that a NetworkPolicy in namespace-a with an empty podSelector and a label-based selector only connects to pods in namespace-a, not pods in namespace-b
- tests/kubernetes/graph/test_local_graph.py passes
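The connection rule the PR describes, as an added stand-alone illustration (example code written for this page, not checkov's NetworkPolicyEdgeBuilder or its vertex model): it works on plain manifest-style dicts, and the `scoped` switch is an assumption used only to contrast the pre-fix and post-fix behaviour on the same constructed input.

```python
from typing import Any, Dict, List

# Kubernetes API default when metadata.namespace is unset (the fallback the PR adds).
DEFAULT_NAMESPACE = "default"

def namespace_of(resource: Dict[str, Any]) -> str:
    """Namespace of a manifest-style dict, falling back to "default" when unset."""
    return resource.get("metadata", {}).get("namespace") or DEFAULT_NAMESPACE

def policy_selects_pod(policy: Dict[str, Any], pod: Dict[str, Any], scoped: bool = True) -> bool:
    """True if `policy` applies to `pod`.
    scoped=True is the rule after the PR: namespaces must match before either
    branch runs. scoped=False reproduces the pre-fix behaviour (no namespace check).
    An empty podSelector ({}) is a wildcard; otherwise every matchLabels entry must
    match the pod's labels (matchExpressions is ignored in this example).
    """
    if scoped and namespace_of(policy) != namespace_of(pod):
        return False
    match_labels = (policy.get("spec", {}).get("podSelector") or {}).get("matchLabels") or {}
    if not match_labels:
        return True
    pod_labels = pod.get("metadata", {}).get("labels") or {}
    return all(pod_labels.get(k) == v for k, v in match_labels.items())

def unprotected_pods(policies, pods, scoped: bool = True) -> List[str]:
    """"namespace/name" of each pod no policy selects, i.e. what CKV2_K8S_6 should flag."""
    return [
        f"{namespace_of(p)}/{p['metadata']['name']}"
        for p in pods
        if not any(policy_selects_pod(np, p, scoped) for np in policies)
    ]

# Constructed sample input (not from the PR): a wildcard policy and a label-based
# policy, both in namespace-a, plus pods in namespace-a, namespace-b and no namespace.
POLICIES = [
    {"kind": "NetworkPolicy", "metadata": {"name": "allow-all", "namespace": "namespace-a"},
     "spec": {"podSelector": {}}},
    {"kind": "NetworkPolicy", "metadata": {"name": "web-only", "namespace": "namespace-a"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}}}},
]
PODS = [
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "namespace-a", "labels": {"app": "web"}}},
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "namespace-b", "labels": {"app": "web"}}},
    {"kind": "Pod", "metadata": {"name": "db"}},  # no namespace set -> "default"
]

if __name__ == "__main__":
    print(unprotected_pods(POLICIES, PODS, scoped=False))  # [] (the false-positive PASS)
    print(unprotected_pods(POLICIES, PODS))  # ['namespace-b/web', 'default/db']
```

With `scoped=False` the single wildcard policy in namespace-a "protects" every pod in the graph, which is exactly the false positive the PR closes; with the namespace check the pods outside namespace-a are reported.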