diff --git a/actionners/calico/networkpolicy/networkpolicy.go b/actionners/calico/networkpolicy/networkpolicy.go
index 8491dc6e..869ce002 100644
--- a/actionners/calico/networkpolicy/networkpolicy.go
+++ b/actionners/calico/networkpolicy/networkpolicy.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "net"
 "strings"
+ "time"
 
 networkingv3 "github.com/projectcalico/api/pkg/apis/projectcalico/v3"
 errorsv1 "k8s.io/apimachinery/pkg/api/errors"
@@ -158,6 +159,10 @@ func Action(action *rules.Action, event *events.Event) (utils.LogLine, error) {
 payload.Spec.Egress = []networkingv3.Rule{*denyRule}
 payload.Spec.Egress = append(payload.Spec.Egress, *allowRule)
 _, err = calicoClient.ProjectcalicoV3().NetworkPolicies(namespace).Update(context.Background(), &payload, metav1.UpdateOptions{})
+ if errorsv1.IsAlreadyExists(err) {
+ time.Sleep(1 * time.Second)
+ _, err = calicoClient.ProjectcalicoV3().NetworkPolicies(namespace).Update(context.Background(), &payload, metav1.UpdateOptions{})
+ }
 output = fmt.Sprintf("the networkpolicy '%v' in the namespace '%v' has been updated", owner, namespace)
 }
 if err != nil {
diff --git a/deployment/helm/rules.yaml b/deployment/helm/rules.yaml
index 467ec305..a28790b8 100644
--- a/deployment/helm/rules.yaml
+++ b/deployment/helm/rules.yaml
@@ -1,13 +1,8 @@
 - action: Terminate Pod
 actionner: kubernetes:terminate
 
-- action: Disable outbound connections
- actionner: kubernetes:networkpolicy
- parameters:
- allow:
- - "192.168.1.0/24"
- - "172.17.0.0/16"
- - "10.0.0.0/32"
+- action: Disable outbound connections with Calico
+ actionner: calico:networkpolicy
 
 - action: Labelize Pod as Suspicious
 actionner: kubernetes:labelize
@@ -21,7 +16,7 @@
 - Unexpected outbound connection destination
 - Outbound Connection to Free.fr
 actions:
-- action: Disable outbound connections
+- action: Disable outbound connections with Calico
 - action: Terminate Pod
 parameters:
 grace_period_seconds: 0
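Review bot: The retry added at `+ if errorsv1.IsAlreadyExists(err) {` wraps an `Update` call, but AlreadyExists is the status a `Create` returns; an Update that loses a race on an existing object comes back as Conflict (409, stale resourceVersion), so on this path the new branch is unlikely to ever fire and the second `Update` with the identical `payload` would hit the same conflict anyway. The fixed `time.Sleep(1 * time.Second)` also blocks the actionner for a whole second on an event path that passes `context.Background()`, so nothing can cancel it. I would match on Conflict as well and re-read the object before resending, roughly as below (`payload.Name` assumes payload carries the policy's ObjectMeta, which the hunk does not show); `Action` starts and ends outside this hunk, so the earlier Create-or-Get that presumably produces `payload` is not visible here.
```go
_, err = calicoClient.ProjectcalicoV3().NetworkPolicies(namespace).Update(context.Background(), &payload, metav1.UpdateOptions{})
// Update reports a lost race as Conflict (stale resourceVersion); AlreadyExists only comes from Create.
if errorsv1.IsConflict(err) || errorsv1.IsAlreadyExists(err) {
	time.Sleep(1 * time.Second)
	current, getErr := calicoClient.ProjectcalicoV3().NetworkPolicies(namespace).Get(context.Background(), payload.Name, metav1.GetOptions{})
	if getErr != nil {
		err = getErr
	} else {
		current.Spec.Egress = payload.Spec.Egress
		_, err = calicoClient.ProjectcalicoV3().NetworkPolicies(namespace).Update(context.Background(), current, metav1.UpdateOptions{})
	}
}
// … unchanged: output message and error handling …
```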
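Review bot: The default Helm rule set now hard-depends on Calico at `+ actionner: calico:networkpolicy`, and the explicit private-range `allow` list of the old `kubernetes:networkpolicy` entry is dropped without any replacement parameter, so what egress the Calico policy still permits after "Disable outbound connections with Calico" cannot be read from this file. On a cluster without the Calico API this action will fail on every matching event, and whether the following `Terminate Pod` still runs is not visible here. I would document the dependency and the intended containment inline, e.g. `# requires the Calico API (projectcalico.org/v3); use kubernetes:networkpolicy on non-Calico clusters` above the action, and state in the same comment what the resulting policy allows.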
diff --git a/deployment/helm/templates/rbac.yaml b/deployment/helm/templates/rbac.yaml
index 85cda329..82076638 100644
--- a/deployment/helm/templates/rbac.yaml
+++ b/deployment/helm/templates/rbac.yaml
@@ -27,7 +27,6 @@ rules:
 - pods
 verbs:
 - get
- - list
 - update
 - patch
 - delete
@@ -45,7 +44,6 @@ rules:
 verbs:
 - create
 - get
- - list
 - update
 - patch
 - apiGroups:
@@ -57,17 +55,16 @@ rules:
 - statefulsets
 verbs:
 - get
- - list
 - delete
 - apiGroups:
 - networking.k8s.io
- - crd.projectcalico.org
+ - projectcalico.org
 resources:
 - networkpolicies
+ - caliconetworkpolicies
 verbs:
 - create
 - get
- - list
 - update
 - patch
 - apiGroups:
@@ -77,16 +74,15 @@ rules:
 - roles
 verbs:
 - get
- - list
 - delete
 - apiGroups:
 - ""
 resources:
 - configmaps
 - secrets
+ - namespace
 verbs:
 - get
- - list
 - delete
 {{- if .Values.podSecurityPolicy.create }}
 - apiGroups:
diff --git a/deployment/helm/values.yaml b/deployment/helm/values.yaml
index c2cd1a94..f0109cb0 100644
--- a/deployment/helm/values.yaml
+++ b/deployment/helm/values.yaml
@@ -77,8 +77,6 @@ defaultNotifiers: # these notifiers will be enabled for all rules
 # - slack
 - k8sevents
-printAllEvents: true
-
 watchRules: true # reload if the rules file changes (default: true)
 rulesFiles: # list of locale rules files to use, they will be concatenated into a single config map
diff --git a/rules.yaml b/rules.yaml
index 243e9b5f..be56e996 100644
--- a/rules.yaml
+++ b/rules.yaml
@@ -53,6 +53,14 @@
 actionner: calico:networkpolicy
 parameters:
 order: 20
- allow:
- - "0.0.0.0/0"
+ - rule: Delete namespace
+ match:
+ rules:
+ - Test delete namespace
+ output_fields:
+ - ka.target.name=todelete
+ actions:
+ - action: Delete the resource
+ actionner: kubernetes:delete
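Review bot: The resource added at `+ - caliconetworkpolicies` does not correspond to anything the code in this commit calls: networkpolicy.go uses `calicoClient.ProjectcalicoV3().NetworkPolicies(namespace)`, which is the `networkpolicies` resource of the `projectcalico.org` group, and that is already covered by the existing `networkpolicies` line. I cannot tie `caliconetworkpolicies` to a resource served by the Calico v3 API, so unless it has been verified against the API server it is dead weight in the ClusterRole; I would drop it or add `# needed by: <actionner>` next to it. Separately, because this rule lists both `networking.k8s.io` and `projectcalico.org`, every verb is granted for every resource in both groups; splitting it into one rule per group keeps the grant to what each actionner needs, and a short comment should record that dropping `crd.projectcalico.org` assumes the Calico API server (not the bare CRDs) is installed.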
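Review bot: `+ - namespace` will not grant anything: RBAC resource names are the plural REST names (`namespaces`), so the singular never matches a request and the `kubernetes:delete` action that the new "Delete namespace" rule in rules.yaml relies on would be denied with Forbidden. The fix is `- namespaces`, but note that `delete` on namespaces is a cluster-wide, cascading grant (everything in the namespace goes with it) that the ClusterRole did not have before; I would add `- namespaces # cluster-wide cascading delete, required only by kubernetes:delete on namespace targets` so the breadth of the grant is visible, and consider gating it on a values flag rather than enabling it for every install.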
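Review bot: The new rule starting at `+ - rule: Delete namespace` turns a single Falco match plus `ka.target.name=todelete` into a namespace deletion via `kubernetes:delete`, which is a cluster-wide destructive response keyed only on a name taken from the event; anyone who can create a resource named `todelete` and trip the `Test delete namespace` Falco rule gets that deletion for free. The name of the Falco rule suggests a test fixture, yet it lands in the repository's top-level rules.yaml, so I would either move it to a test-only rules file or mark it inline with `# test-only: deletes the namespace named 'todelete'; do not load with production rules`. The `actionner: calico:networkpolicy` entry at the top of the hunk belongs to a rule whose start is outside the hunk, so the effect of removing its `allow: 0.0.0.0/0` parameter cannot be judged from here and deserves a one-line comment on what the action now permits.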