attempt to fix the error when we update the network policy

Signed-off-by: Thomas Labarussias <issif+github@gadz.org>

actionners/calico/networkpolicy/networkpolicy.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"strings"
+	"time"
 
 	networkingv3 "github.com/projectcalico/api/pkg/apis/projectcalico/v3"
 	errorsv1 "k8s.io/apimachinery/pkg/api/errors"
@@ -158,6 +159,10 @@ func Action(action *rules.Action, event *events.Event) (utils.LogLine, error) {
 		payload.Spec.Egress = []networkingv3.Rule{*denyRule}
 		payload.Spec.Egress = append(payload.Spec.Egress, *allowRule)
 		_, err = calicoClient.ProjectcalicoV3().NetworkPolicies(namespace).Update(context.Background(), &payload, metav1.UpdateOptions{})
+		if errorsv1.IsAlreadyExists(err) {
+			time.Sleep(1 * time.Second)
+			_, err = calicoClient.ProjectcalicoV3().NetworkPolicies(namespace).Update(context.Background(), &payload, metav1.UpdateOptions{})
+		}
 		output = fmt.Sprintf("the networkpolicy '%v' in the namespace '%v' has been updated", owner, namespace)
 	}
 	if err != nil {

deployment/helm/rules.yaml

@@ -1,13 +1,8 @@
 - action: Terminate Pod
   actionner: kubernetes:terminate
 
-- action: Disable outbound connections
-  actionner: kubernetes:networkpolicy
-  parameters:
-    allow:
-      - "192.168.1.0/24"
-      - "172.17.0.0/16"
-      - "10.0.0.0/32"
+- action: Disable outbound connections with Calico
+  actionner: calico:networkpolicy
 
 - action: Labelize Pod as Suspicious
   actionner: kubernetes:labelize
@@ -21,7 +16,7 @@
       - Unexpected outbound connection destination
       - Outbound Connection to Free.fr
   actions:
-    - action: Disable outbound connections
+    - action: Disable outbound connections with Calico
     - action: Terminate Pod
       parameters:
         grace_period_seconds: 0

deployment/helm/templates/rbac.yaml

@@ -27,7 +27,6 @@ rules:
       - pods
     verbs:
       - get
-      - list
       - update
       - patch
       - delete
@@ -45,7 +44,6 @@ rules:
     verbs:
       - create
       - get
-      - list
       - update
       - patch
   - apiGroups:
@@ -57,17 +55,16 @@ rules:
       - statefulsets
     verbs:
       - get
-      - list
       - delete
   - apiGroups:
       - networking.k8s.io
-      - crd.projectcalico.org
+      - projectcalico.org
     resources:
       - networkpolicies
+      - caliconetworkpolicies
     verbs:
       - create
       - get
-      - list
       - update
       - patch
   - apiGroups:
@@ -77,16 +74,15 @@ rules:
       - roles
     verbs:
       - get
-      - list
       - delete
   - apiGroups:
       - ""
     resources:
       - configmaps
       - secrets
+      - namespace
     verbs:
       - get
-      - list
       - delete
 {{- if .Values.podSecurityPolicy.create }}
 - apiGroups:

deployment/helm/values.yaml

@@ -77,8 +77,6 @@ defaultNotifiers: # these notifiers will be enabled for all rules
   #  - slack
   - k8sevents
 
-printAllEvents: true
-
 watchRules: true # reload if the rules file changes (default: true)
 
 rulesFiles: # list of locale rules files to use, they will be concatenated into a single config map

rules.yaml

@@ -53,6 +53,14 @@
       actionner: calico:networkpolicy
       parameters:
         order: 20
-        allow:
-          - "0.0.0.0/0"
+
+- rule: Delete namespace 
+  match:
+    rules:
+      - Test delete namespace
+    output_fields:
+      - ka.target.name=todelete
+  actions:
+    - action: Delete the resource
+      actionner: kubernetes:delete