fix(plugin): restrict kubernetes cilium cidr egress
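--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -49,6 +49,7 @@ export function buildCiliumNetworkPolicyManifest(input: BuildCiliumNetworkPolicy
 if (input.egressAllowCidrs.length > 0) {
 egress.push({
 toCIDRSet: input.egressAllowCidrs.map((cidr) => ({ cidr })),
+toPorts: [{ ports: [{ port: "443", protocol: "TCP" }] }],
 });
 }
 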
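Review bot: The added `toPorts` entry silently narrows every CIDR allowance to HTTPS (443/TCP), and nothing near the rule explains that egressAllowCidrs widens destinations but not ports, so an operator listing a CIDR for DNS or a custom TCP port will get a policy that drops that traffic. I would add above the push: `// CIDR egress is deliberately limited to 443/TCP; opening other ports needs a separate policy change, not a wider CIDR.` The body of buildCiliumNetworkPolicyManifest starts and ends outside the hunk, so whether any other egress rule already grants other ports to these CIDRs cannot be seen here.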
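--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,7 +1,27 @@
 import { z } from "zod";
 import { KNOWN_ADAPTER_TYPES } from "./adapter-defaults.js";
 
-const cidrRegex = /^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$/;
+function isIpv4Cidr(value: string): boolean {
+const [address, prefix, extra] = value.split("/");
+if (!address || !prefix || extra !== undefined || !/^\d+$/.test(prefix)) {
+return false;
+}
+
+const prefixNumber = Number(prefix);
+if (prefixNumber < 0 || prefixNumber > 32) {
+return false;
+}
+
+const octets = address.split(".");
+return octets.length === 4 && octets.every((octet) => {
+if (!/^\d+$/.test(octet)) {
+return false;
+}
+
+const value = Number(octet);
+return value >= 0 && value <= 255;
+});
+}
 
 export const kubernetesProviderConfigSchema = z
 .object({
@@ -16,7 +36,7 @@ export const kubernetesProviderConfigSchema = z
 imagePullSecrets: z.array(z.string()).default([]),
 
 egressAllowFqdns: z.array(z.string()).default([]),
-egressAllowCidrs: z.array(z.string().regex(cidrRegex, "Invalid CIDR")).default([]),
+egressAllowCidrs: z.array(z.string().refine(isIpv4Cidr, "Invalid CIDR")).default([]),
 egressMode: z.enum(["cilium", "standard"]).default("standard"),
 
 defaultResources: z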
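Review bot: isIpv4Cidr in the first hunk accepts octets and prefixes with leading zeros, because `/^\d+$/` followed by `Number()` turns "010" into 10 and "/08" into 8, so a value like "010.0.0.0/8" passes the schema (and the `refine` in the second hunk) while the policy engine that later consumes it may parse such octets differently or reject the manifest; a validator that is looser than the enforcer is exactly where egress rules drift from what the config author reviewed. Replacing both `/^\d+$/` tests with `/^(0|[1-9]\d*)$/` rejects leading zeros while keeping every currently valid dotted-quad and prefix form, and the `prefixNumber < 0` branch can then go, since the pattern already excludes a sign. Inside the `every` callback, `const value = Number(octet)` shadows the function's `value` parameter; `octetValue` would read more clearly. The function also does not require host bits to be zero (for example "10.0.0.1/8"), which is presumably normalized or rejected downstream; a comment above the function stating that only syntax, not canonical form, is checked would make that explicit.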
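--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -56,5 +56,6 @@ describe("buildCiliumNetworkPolicyManifest", () => {
 });
 const cidrRule = cnp.spec.egress.find((e: { toCIDRSet?: { cidr: string }[] }) => e.toCIDRSet);
 expect(cidrRule.toCIDRSet[0].cidr).toBe("10.0.0.0/8");
+expect(cidrRule.toPorts).toEqual([{ ports: [{ port: "443", protocol: "TCP" }] }]);
 });
 });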
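--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -36,4 +36,12 @@ describe("kubernetesProviderConfigSchema", () => {
 parseKubernetesProviderConfig({ inCluster: true, egressAllowCidrs: ["not-a-cidr"] }),
 ).toThrow(/CIDR/i);
 });
+
+it("rejects CIDRs with invalid octets or prefixes", () => {
+for (const cidr of ["999.0.0.0/8", "10.0.0.0/99", "10.0.0/24"]) {
+expect(() =>
+parseKubernetesProviderConfig({ inCluster: true, egressAllowCidrs: [cidr] }),
+).toThrow(/CIDR/i);
+}
+});
 });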
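Review bot: The new test folds three inputs into one case, so a failure names the test but not the offending CIDR, and it would pass vacuously if the list were ever emptied; `it.each(["999.0.0.0/8", "10.0.0.0/99", "10.0.0/24"])("rejects invalid CIDR %s", (cidr) => { ... })` reports each input separately with no loop. The cases only cover shapes the old regex wrongly accepted; adding the boundary values "0.0.0.0/0" and "255.255.255.255/32" as accepted inputs, and a leading-zero input such as "010.0.0.0/8" with whichever outcome is intended, would pin the validator at its edges, which is where a config validator and the network policy engine most often disagree. The enclosing describe block starts outside the hunk.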