ROX-33673: Add missing OOTB egress network policy#19524
Conversation
Skipping CI for Draft Pull Request.
Hey - I've found 1 issue
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location path="CHANGELOG.md" line_range="24" />
<code_context>
- ROX-33099: New Operator Helm Chart is now the only recommended way to install on non-OpenShift clusters.
- ROX-33098 (Tech Preview): Effective path and Actual Path have been combined into a single File Path policy criterion.
- ROX-33156 (Tech Preview): A new default policy category called "File Activity Monitoring" is now available.
+- ROX-33673: A new default policy added to detect missing egress NetworkPolicy associated with deployments. The policy is disabled by default.
### Removed Features
</code_context>
<issue_to_address>
**issue (typo):** Consider adding a verb for grammatical correctness (e.g., "has been added").
Rephrase to include a verb, e.g.: "A new default policy has been added to detect missing egress NetworkPolicy associated with deployments."
</issue_to_address>
5cdd9ca to 0a3a034
Images are ready for the commit at 0a3a034. To use with deploy scripts, first
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files

Coverage Diff

| | master | #19524 | +/- |
|---|---|---|---|
| Coverage | 49.23% | 49.24% | +0.01% |
| Files | 2727 | 2727 | |
| Lines | 205764 | 205778 | +14 |
| Hits | 101304 | 101342 | +38 |
| Misses | 96921 | 96900 | -21 |
| Partials | 7539 | 7536 | -3 |

Flags with carried forward coverage won't be shown.
@AlexVulaj: The following test failed, say
Description
This PR adds a missing OOTB policy to detect deployments that lack egress network policies. While StackRox added network policy detection capabilities and shipped the "Deployments should have at least one ingress Network Policy" policy (ID: 38bf79e7-48bf-4ab1-b72f-38e8ad8b4ec3) several versions ago, the corresponding egress policy was never created despite the underlying field support existing in the codebase.

The new policy "Deployments should have at least one egress Network Policy" (ID: dae95df3-ce8e-435c-8e16-c5197943db6e) mirrors the structure and behavior of its ingress counterpart. It alerts when deployments are missing egress network policies, helping enforce zero-trust networking principles by identifying workloads with unrestricted outbound network access that could potentially exfiltrate data or communicate with untrusted endpoints.

Related JIRA: https://redhat.atlassian.net/browse/ROX-33673
User-facing documentation
CHANGELOG entry added. User documentation update may be needed to document the new policy alongside the existing ingress policy documentation.
Testing and quality
Automated testing
Updated test data in sensor/tests/resource/networkpolicy/data/policies.json to include the new egress policy. The underlying "Has Egress Network Policy" field already has existing test coverage in pkg/booleanpolicy/network_criteria_test.go. Policy loading is validated by existing tests in pkg/defaults/policies/policies_test.go, which verify MITRE exception list consistency and policy structure.
How I validated my change
pkg/booleanpolicy/augmentedobjs/custom_types.go and pkg/booleanpolicy/fieldnames/list.go
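The check the new policy performs, reduced to its core, as an added illustration that is not part of this PR or of the StackRox code base: for each deployment, look for at least one NetworkPolicy in the same namespace whose pod selector matches the deployment's pod labels and which applies to egress traffic. The `Deployment` and `NetworkPolicy` structs below are simplified stand-ins written for this example (not the Kubernetes API types and not StackRox's augmented objects), and the sample objects are constructed. The egress test follows the Kubernetes defaulting rule: a policy with no `policyTypes` is ingress-only unless it carries an `egress` section, and an empty `podSelector` selects every pod in the namespace.

```go
package main

import "fmt"

// Deployment is a constructed stand-in for the fields the check needs.
type Deployment struct {
	Name      string
	Namespace string
	PodLabels map[string]string // labels on the pod template
}

// NetworkPolicy is a constructed stand-in for spec.podSelector / spec.policyTypes / spec.egress.
type NetworkPolicy struct {
	Name        string
	Namespace   string
	PodSelector map[string]string // spec.podSelector.matchLabels; empty selects every pod in the namespace
	PolicyTypes []string          // spec.policyTypes, may be omitted
	HasEgress   bool              // true when spec.egress is present (even if it is an empty list)
}

// appliesToEgress mirrors Kubernetes defaulting: with policyTypes omitted, the
// policy is Ingress-only unless an egress section is present.
func appliesToEgress(np NetworkPolicy) bool {
	if len(np.PolicyTypes) == 0 {
		return np.HasEgress
	}
	for _, t := range np.PolicyTypes {
		if t == "Egress" {
			return true
		}
	}
	return false
}

// selects reports whether the policy's namespace and podSelector cover the deployment's pods.
func selects(np NetworkPolicy, d Deployment) bool {
	if np.Namespace != d.Namespace {
		return false
	}
	for k, v := range np.PodSelector {
		if d.PodLabels[k] != v {
			return false
		}
	}
	return true
}

// DeploymentsWithoutEgressPolicy returns "namespace/name" for every deployment
// that no egress-applicable NetworkPolicy selects; these are the workloads the
// new policy would raise an alert for.
func DeploymentsWithoutEgressPolicy(deps []Deployment, nps []NetworkPolicy) []string {
	var missing []string
	for _, d := range deps {
		covered := false
		for _, np := range nps {
			if appliesToEgress(np) && selects(np, d) {
				covered = true
				break
			}
		}
		if !covered {
			missing = append(missing, d.Namespace+"/"+d.Name)
		}
	}
	return missing
}

// SampleDeployments and SampleNetworkPolicies are constructed inputs for the demo.
func SampleDeployments() []Deployment {
	return []Deployment{
		{Name: "api", Namespace: "payments", PodLabels: map[string]string{"app": "api"}},
		{Name: "worker", Namespace: "payments", PodLabels: map[string]string{"app": "worker"}},
		{Name: "web", Namespace: "frontend", PodLabels: map[string]string{"app": "web"}},
	}
}

func SampleNetworkPolicies() []NetworkPolicy {
	return []NetworkPolicy{
		// explicit egress policy scoped to app=api only
		{Name: "api-egress", Namespace: "payments", PodSelector: map[string]string{"app": "api"}, PolicyTypes: []string{"Ingress", "Egress"}},
		// namespace-wide policy, but ingress only: does not satisfy the egress check
		{Name: "ingress-only", Namespace: "payments", PodSelector: map[string]string{}, PolicyTypes: []string{"Ingress"}},
		// no policyTypes, but an egress section is present, so it defaults to Ingress+Egress
		{Name: "default-deny-egress", Namespace: "frontend", PodSelector: map[string]string{}, HasEgress: true},
	}
}

func main() {
	for _, n := range DeploymentsWithoutEgressPolicy(SampleDeployments(), SampleNetworkPolicies()) {
		fmt.Println("missing egress NetworkPolicy:", n)
	}
}
```

On the sample data only payments/worker is reported: payments/api is selected by an explicit egress policy, and frontend/web is covered by a policy whose empty selector and present egress section make it apply to all pods for egress. The ingress-only namespace-wide policy in payments does not count, which is exactly the gap the ingress counterpart policy cannot see.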