Skip to content

allowing CIDRs, wildcards and Plural in IP and DNS#324

Merged
matthyx merged 6 commits into
kubescape:mainfrom
k8sstormcenter:upstream-pr/sbob-network
Jun 25, 2026
Merged

allowing CIDRs, wildcards and Plural in IP and DNS#324
matthyx merged 6 commits into
kubescape:mainfrom
k8sstormcenter:upstream-pr/sbob-network

Conversation

@entlein

@entlein entlein commented May 15, 2026

Copy link
Copy Markdown
Contributor

Sorry, we do not accept changes directly against this repository. Please see
CONTRIBUTING.md for information on where and how to contribute instead.

Summary by CodeRabbit

  • New Features
    • Added NetworkNeighbor.IPAddresses (list) support for literal IPs, CIDRs, and *, including wildcard-aware matching.
    • Added wildcard-aware DNS name matching (including and * rules).
  • Validation & API Changes
    • Added admission-time validation for network profile IP/DNS entries, including deprecated single-value fields when set.
  • Documentation
    • Documented the IP/DNS matching contract and performance guidance.
  • Tests
    • Added protobuf encoding/round-trip tests plus unit tests and benchmarks for matching and validation.
  • Chores
    • Bumped the protoc Docker build image version.
  • Deprecated
    • Deprecated singular IPAddress; use IPAddresses instead.

@coderabbitai

coderabbitai Bot commented May 15, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2a9383a1-d868-4ca2-b1c4-7bb04e986637

📥 Commits

Reviewing files that changed from the base of the PR and between 1769507 and 5cdffeb.

⛔ Files ignored due to path filters (3)
  • pkg/generated/applyconfiguration/softwarecomposition/v1beta1/execcalls.go is excluded by !**/generated/**
  • pkg/generated/applyconfiguration/softwarecomposition/v1beta1/networkneighbor.go is excluded by !**/generated/**
  • pkg/generated/openapi/zz_generated.openapi.go is excluded by !**/generated/**
📒 Files selected for processing (3)
  • api-rules/sample_apiserver_violation_exceptions.list
  • build/protoc.Dockerfile
  • pkg/apis/softwarecomposition/v1beta1/generated.proto
✅ Files skipped from review due to trivial changes (1)
  • api-rules/sample_apiserver_violation_exceptions.list
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/apis/softwarecomposition/v1beta1/generated.proto

📝 Walkthrough

Walkthrough

This PR adds list-form network neighbor IP fields, introduces IP and DNS matcher and validation helpers with tests and benchmarks, and applies the new validation rules during NetworkNeighborhood create and update validation.

Changes

Network neighbor matching

Layer / File(s) Summary
IPAddresses API shape
pkg/apis/softwarecomposition/network_types.go, pkg/apis/softwarecomposition/v1beta1/network_types.go, pkg/apis/softwarecomposition/v1beta1/generated.proto, pkg/apis/softwarecomposition/v1beta1/zz_generated.conversion.go, pkg/apis/softwarecomposition/v1beta1/zz_generated.deepcopy.go, pkg/apis/softwarecomposition/zz_generated.deepcopy.go, pkg/apis/softwarecomposition/v1beta1/network_types_protobuf_test.go, api-rules/sample_apiserver_violation_exceptions.list, build/protoc.Dockerfile
NetworkNeighbor adds IPAddresses []string as the replacement for deprecated singular IPAddress, with schema, conversion, deepcopy, protobuf round-trip coverage, API rule exception, and proto toolchain updates.
IP matcher and validation
pkg/registry/file/networkmatch/doc.go, pkg/registry/file/networkmatch/README.md, pkg/registry/file/networkmatch/match_ip.go, pkg/registry/file/networkmatch/match_ip_test.go, pkg/registry/file/networkmatch/validate.go, pkg/registry/file/networkmatch/validate_test.go, pkg/registry/file/networkmatch/bench_test.go
A new networkmatch IP path defines compile-once matching, admission validation, wildcard semantics, unit tests, and benchmarks.
DNS matcher and validation
pkg/registry/file/networkmatch/doc.go, pkg/registry/file/networkmatch/README.md, pkg/registry/file/networkmatch/match_dns.go, pkg/registry/file/networkmatch/match_dns_test.go, pkg/registry/file/networkmatch/validate.go, pkg/registry/file/networkmatch/validate_test.go, pkg/registry/file/networkmatch/bench_test.go
A new networkmatch DNS path defines compile-once matching, admission validation, wildcard semantics, unit tests, and benchmarks.
Admission validation wiring
pkg/registry/softwarecomposition/networkneighborhood/strategy.go, pkg/registry/softwarecomposition/networkneighborhood/strategy_test.go
Strategy validation now checks container ingress and egress neighbor IP and DNS entries, including deprecated singular fields, on both create and update paths and returns field-specific validation errors.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Suggested reviewers

  • matthyx

Possibly related PRs

  • kubescape/storage#319: Changes to NetworkNeighbor field shapes and merge logic overlap with the list-form IP field update in this PR.

Poem

🐇 I hopped through IPs and DNS in a row,
With stars and ellipses, I learned how to flow.
A list in the warren now fits just so bright,
And validators guard every burrow at night.
Soft little benchmarks go thump in the hay.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 39.58% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: adding CIDR, wildcard, and plural list support for IP and DNS matching.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@entlein entlein changed the title Upstream pr/sbob network allowing CIDRs, wildcards and Plural in IP and DNS May 15, 2026
@entlein

entlein commented May 16, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

Collective re-review request after applying your atomic-split advisory + rabbit-feedback fixes across the full SBOB upstream PR set. Each PR is now scoped to a single tier per your dependency map:

Tier 0 (opens):

Tier 2 (execs):

Tier 3 (network):

Tier 4 (tamper/sign):

Umbrellas:

Please confirm atomicity per your earlier advisory and flag any remaining cross-PR coupling we missed.

@coderabbitai

coderabbitai Bot commented May 16, 2026

Copy link
Copy Markdown
🧩 Analysis chain

@entlein: Triggering a fresh review of this PR (#324networkmatch package, Tier 3 network). While the review runs, let me pull metadata on the relevant PRs to cross-check coupling.


🏁 Script executed:

#!/bin/bash
# Fetch details of the current PR
gh pr view 324 --repo kubescape/storage --json title,body,files,baseRefName,headRefName,state

echo "---"
# Fetch related storage PRs
for n in 322 323 325 326; do
  echo "=== storage#$n ==="
  gh pr view $n --repo kubescape/storage --json title,state,files 2>/dev/null | jq '{title,state,files:[.files[].path]}'
  echo ""
done

echo "---"
# Fetch related node-agent PRs
for n in 805 806 807 808 809 810 811 812; do
  echo "=== node-agent#$n ==="
  gh pr view $n --repo kubescape/node-agent --json title,state,files 2>/dev/null | jq '{title,state,files:[.files[].path]}'
  echo ""
done

Length of output: 21242


@entlein: Review triggered. Here is the full atomicity and coupling analysis based on actual file diffs across all PRs.


Atomicity Confirmation

PR Tier Verdict Notes
storage#322 Exec ✅ Atomic Single file pair (compare_exec_args.go + test)
storage#323 Opens ✅ Atomic Scoped to dynamicpathdetector/* + types.go
storage#324 Network Atomic New networkmatch/ package + network_types.go field additions + strategy wiring — no tier bleed
storage#325 Exec/CRD ✅ Atomic CollapseConfig CRD + processors; collapse_config_from_crd.go bridges to #323 types (expected)
storage#326 Umbrella ✅ Correct File union of #322+#323+#324+#325 confirmed
node-agent#805 Exec ✅ Atomic parse/ library + event_reporting only
node-agent#806 Network ✅ Atomic CEL consumer of storage#324 — correct tier
node-agent#807 Exec ⚠️ See below Touches open.go — overlap with #811
node-agent#808 Tamper/CRD ⚠️ See below tamper_alert.go + projection_apply.go overlap with #809 and #812
node-agent#809 Sign/Tamper ⚠️ See below tamper_alert.go overlap with #808
node-agent#810 Umbrella ✅ Correct File union of all node-agent PRs confirmed
node-agent#811 Opens ⚠️ See below open.go overlap with #807
node-agent#812 Exec/Proj ⚠️ See below projection_apply.go + projection_types.go overlap with #808

Cross-PR Coupling Flags

🔴 File-Level Conflicts (merge order matters)

1. node-agent#808 ↔ node-agent#809 — tamper_alert.go + tamper_alert_test.go
Both PRs modify the same two files. These are not independent — one must be rebased onto the other before the umbrella (#810) can merge cleanly.

2. node-agent#808 ↔ node-agent#812 — projection_apply.go + projection_types.go
#812 adds ExecsByPath composite-key to ProjectedContainerProfile; #808 restructures projection_apply.go. These will conflict at the hunk level. Suggested order: merge #812 first, then rebase #808 on top.

3. node-agent#807 ↔ node-agent#811 — open.go
#807 modifies open.go for R0040 args; #811 adds was_path_opened* helpers to the same file. One must be rebased on the other. Suggested order: merge #811 first (it's additive/new helpers), then rebase #807.

🟡 Ordering Dependencies (no file conflicts, but merge sequence required)

4. storage#323 → storage#325
collapse_config_from_crd.go in #325 references types introduced by #323's types.go (WildcardIdentifier, CollapseConfig API). Merge #323 before #325.

5. storage#324 → node-agent#806
node-agent#806's network.go CEL library consumes the networkmatch package from this PR. A go.mod bump pointing to the merged commit of storage#324 is required before node-agent#806 can merge.

6. storage#325 → node-agent#808
The projection overlay in #808 consumes the CollapseConfiguration CRD and client introduced in #325. Cross-repo go.mod bump required.


Recommended Merge Sequence

graph TD
    A[storage#322] --> E[storage#326 umbrella]
    B[storage#323] --> C[storage#325] --> E
    D[storage#324] --> F[node-agent#806] --> K[node-agent#810 umbrella]
    C --> G[node-agent#808]
    H[node-agent#811] --> I[node-agent#807] --> K
    J[node-agent#812] --> G
    G --> L[node-agent#809] --> K
    A --> E
    D --> E
    H --> K
    J --> K
    F --> K
Loading

In short: the three intra-node-agent file conflicts (#808↔#809, #808↔#812, #807↔#811) are the only remaining non-atomic coupling. Everything else is correctly sequenced by your tier map. This PR (#324) itself is clean and ready for review.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@matthyx matthyx moved this to WIP in KS PRs tracking May 26, 2026
// IPAddresses is the v0.0.2 list-form replacement for IPAddress.
// Each entry MAY be a literal IP, a CIDR (a.b.c.d/n), or the "*" sentinel.
// See pkg/registry/file/networkmatch for matcher semantics.
IPAddresses []string `json:"ipAddresses,omitempty" protobuf:"bytes,9,rep,name=ipAddresses"`

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking: IPAddresses is added here, but the generated protobuf/conversion/deepcopy code is unchanged, so the field is silently dropped on real storage paths. The new TestNetworkNeighbor_IPAddresses_ProtobufRoundtrip already fails (go test ./pkg/apis/softwarecomposition/v1beta1). Please regenerate generated.pb.go, conversion code, and deepcopy code for this field before merge.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has now been addressed and the PR compiles standalone

@matthyx matthyx left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking: IPAddresses does not survive marshal/unmarshal today. The new protobuf roundtrip test fails because generated.pb.go, zz_generated.conversion.go, and zz_generated.deepcopy.go were not regenerated for the new field, so the API loses data on storage/conversion paths. Please regenerate the generated artifacts (and ideally add conversion/deepcopy regression coverage) before merging.

@entlein entlein force-pushed the upstream-pr/sbob-network branch 2 times, most recently from 6473d36 to 46f37d3 Compare May 27, 2026 17:37
@entlein

entlein commented May 27, 2026

Copy link
Copy Markdown
Contributor Author

the failed test -> can we rerun- it passed on my arm64 3x in a row 🤷🏻‍♀️

entlein pushed a commit to k8sstormcenter/node-agent that referenced this pull request May 27, 2026
Three matthyx blockers (2026-05-27):

(1) tamper_alert.go:28 — imports pkg/signature and pkg/signature/profiles
which ship in node-agent#809 (not yet merged). Adds minimum-surface
stubs (pkg/signature/stub.go, pkg/signature/profiles/stub.go) so the
PR compiles standalone. With IsSigned returning false, the tamper path
short-circuits and never invokes Verify — the no-op stub is behavior-
safe: signed-profile detection is dormant until kubescape#809 lands and replaces
these files with the real implementation.

(2) projection_apply.go:265 — NetworkNeighbor.IPAddresses missing.
(3) mock.go:202 — same IPAddresses issue.

Both (2) and (3) resolved by replacing kubescape/storage with
k8sstormcenter/storage's upstream-pr/sbob-network tip 46f37d32 (sibling
of kubescape/storage#324). Removed when kubescape#324 merges and a release ships
IPAddresses.
@matthyx

matthyx commented May 28, 2026

Copy link
Copy Markdown
Contributor

Rechecked on current head 46f37d3.

The original protobuf/codegen blocker is fixed - go test ./pkg/apis/softwarecomposition/v1beta1 now passes.

Still blocking: pkg/apis/softwarecomposition/v1beta1/zz_generated.conversion.go updates only the internal->v1beta1 conversion. In autoConvert_v1beta1_NetworkNeighbor_To_softwarecomposition_NetworkNeighbor, IPAddresses is still missing, so reads still drop the field after deserialization. Please also add out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses)) in that function before merge.

entlein and others added 4 commits June 23, 2026 16:06
Signed-off-by: entlein <einentlein@gmail.com>
Signed-off-by: entlein <einentlein@gmail.com>
…nal state

Signed-off-by: entlein <einentlein@gmail.com>
NetworkNeighbor.IPAddresses (added on this branch) was missing
hand-edited entries in the Marshal/Size/String/Unmarshal stanzas of
generated.pb.go, the proto declaration, both conversion functions, and
the internal+v1beta1 deepcopy. Result: TestNetworkNeighbor_IPAddresses_
ProtobufRoundtrip failed and the field was silently dropped on every
real storage write.

This patch adds the missing codec for field 9 (repeated string, wire
tag 0x4a), the .proto declaration, the conversion stanzas in both
directions, and the deepcopy slice copy in both type-system layers.

Codegen pipeline is not run as part of build on this fork (the protoc
image is x86_64-only); hand-edit follows the proven recipe from commit
0d83e2b / ad60a5b.

Resolves matthyx review on network_types.go:68 (2026-05-27).

Signed-off-by: entlein <einentlein@gmail.com>
@entlein entlein force-pushed the upstream-pr/sbob-network branch from 46f37d3 to f4e5f53 Compare June 23, 2026 14:07

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/registry/softwarecomposition/networkneighborhood/strategy_test.go (1)

356-423: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add ingress-path cases to pin the full admission contract.

Line 365 builds only Egress neighbors, so this suite never asserts ingress field paths. Add malformed ingress IP/DNS cases (e.g., spec.containers[0].ingress[0].ipAddresses[0], ...dnsNames[0]) to protect the “ingress + egress” validation guarantee.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/registry/softwarecomposition/networkneighborhood/strategy_test.go` around
lines 356 - 423, The test cases in the NetworkNeighborhood validation suite
currently only cover egress neighbors and their corresponding field paths. Add
test cases that validate ingress neighbors to complete the admission contract
coverage. Create additional test cases (similar to the existing ones like
"single malformed IP" and "single malformed CIDR") that populate the Ingress
field of NetworkNeighborhoodContainer instead of Egress, and update their
wantPaths to reference the ingress paths (e.g.,
spec.containers[0].ingress[0].ipAddresses[0] and
spec.containers[0].ingress[0].dnsNames[0]). This may require modifying the
makeNN function to accept a parameter indicating whether to use ingress or
egress, or creating a separate makeNN variant for ingress validation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/registry/softwarecomposition/networkneighborhood/strategy_test.go`:
- Around line 464-480: In the ValidateUpdate test, the code currently passes the
same `bad` object as both the old and new parameters to the ValidateUpdate
method call, which prevents the test from properly validating that the method is
checking the correct operand. Instead, create two distinct fixtures: use a valid
NetworkNeighborhood object for the old parameter and the invalid `bad` object
for the new parameter when calling ValidateUpdate, ensuring the test explicitly
validates that the new object is being checked rather than masking potential
bugs in validation logic.

---

Nitpick comments:
In `@pkg/registry/softwarecomposition/networkneighborhood/strategy_test.go`:
- Around line 356-423: The test cases in the NetworkNeighborhood validation
suite currently only cover egress neighbors and their corresponding field paths.
Add test cases that validate ingress neighbors to complete the admission
contract coverage. Create additional test cases (similar to the existing ones
like "single malformed IP" and "single malformed CIDR") that populate the
Ingress field of NetworkNeighborhoodContainer instead of Egress, and update
their wantPaths to reference the ingress paths (e.g.,
spec.containers[0].ingress[0].ipAddresses[0] and
spec.containers[0].ingress[0].dnsNames[0]). This may require modifying the
makeNN function to accept a parameter indicating whether to use ingress or
egress, or creating a separate makeNN variant for ingress validation.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ebc0e04c-fd41-4f5a-a2e8-4716c9ca8593

📥 Commits

Reviewing files that changed from the base of the PR and between 6e9741f and f4e5f53.

⛔ Files ignored due to path filters (1)
  • pkg/apis/softwarecomposition/v1beta1/generated.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (18)
  • pkg/apis/softwarecomposition/network_types.go
  • pkg/apis/softwarecomposition/v1beta1/generated.proto
  • pkg/apis/softwarecomposition/v1beta1/network_types.go
  • pkg/apis/softwarecomposition/v1beta1/network_types_protobuf_test.go
  • pkg/apis/softwarecomposition/v1beta1/zz_generated.conversion.go
  • pkg/apis/softwarecomposition/v1beta1/zz_generated.deepcopy.go
  • pkg/apis/softwarecomposition/zz_generated.deepcopy.go
  • pkg/registry/file/networkmatch/README.md
  • pkg/registry/file/networkmatch/bench_test.go
  • pkg/registry/file/networkmatch/doc.go
  • pkg/registry/file/networkmatch/match_dns.go
  • pkg/registry/file/networkmatch/match_dns_test.go
  • pkg/registry/file/networkmatch/match_ip.go
  • pkg/registry/file/networkmatch/match_ip_test.go
  • pkg/registry/file/networkmatch/validate.go
  • pkg/registry/file/networkmatch/validate_test.go
  • pkg/registry/softwarecomposition/networkneighborhood/strategy.go
  • pkg/registry/softwarecomposition/networkneighborhood/strategy_test.go

Comment on lines +464 to +480
bad := &softwarecomposition.NetworkNeighborhood{
ObjectMeta: metav1.ObjectMeta{
Name: "test-nn",
Namespace: "default",
Annotations: map[string]string{helpers.CompletionMetadataKey: "complete", helpers.StatusMetadataKey: "ready"},
},
Spec: softwarecomposition.NetworkNeighborhoodSpec{
Containers: []softwarecomposition.NetworkNeighborhoodContainer{{
Name: "c",
Egress: []softwarecomposition.NetworkNeighbor{
{IPAddresses: []string{"not-an-ip"}, DNSNames: []string{"**"}},
},
}},
},
}
s := NetworkNeighborhoodStrategy{}
errs := s.ValidateUpdate(context.TODO(), bad, bad)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Use distinct old/new objects in ValidateUpdate test.

Line 480 passes bad as both new and old objects, which can mask bugs where ValidateUpdate validates the wrong operand. Use oldValid and newInvalid fixtures so the test pins new-object validation explicitly.

Suggested test adjustment
- bad := &softwarecomposition.NetworkNeighborhood{
+ newBad := &softwarecomposition.NetworkNeighborhood{
    ObjectMeta: metav1.ObjectMeta{
      Name:        "test-nn",
      Namespace:   "default",
      Annotations: map[string]string{helpers.CompletionMetadataKey: "complete", helpers.StatusMetadataKey: "ready"},
    },
    Spec: softwarecomposition.NetworkNeighborhoodSpec{
      Containers: []softwarecomposition.NetworkNeighborhoodContainer{{
        Name: "c",
        Egress: []softwarecomposition.NetworkNeighbor{
          {IPAddresses: []string{"not-an-ip"}, DNSNames: []string{"**"}},
        },
      }},
    },
  }
+ oldGood := &softwarecomposition.NetworkNeighborhood{
+   ObjectMeta: newBad.ObjectMeta,
+   Spec: softwarecomposition.NetworkNeighborhoodSpec{
+     Containers: []softwarecomposition.NetworkNeighborhoodContainer{{
+       Name: "c",
+       Egress: []softwarecomposition.NetworkNeighbor{
+         {IPAddresses: []string{"10.0.0.0/8"}, DNSNames: []string{"api.example.com."}},
+       },
+     }},
+   },
+ }
  s := NetworkNeighborhoodStrategy{}
- errs := s.ValidateUpdate(context.TODO(), bad, bad)
+ errs := s.ValidateUpdate(context.TODO(), newBad, oldGood)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
bad := &softwarecomposition.NetworkNeighborhood{
ObjectMeta: metav1.ObjectMeta{
Name: "test-nn",
Namespace: "default",
Annotations: map[string]string{helpers.CompletionMetadataKey: "complete", helpers.StatusMetadataKey: "ready"},
},
Spec: softwarecomposition.NetworkNeighborhoodSpec{
Containers: []softwarecomposition.NetworkNeighborhoodContainer{{
Name: "c",
Egress: []softwarecomposition.NetworkNeighbor{
{IPAddresses: []string{"not-an-ip"}, DNSNames: []string{"**"}},
},
}},
},
}
s := NetworkNeighborhoodStrategy{}
errs := s.ValidateUpdate(context.TODO(), bad, bad)
newBad := &softwarecomposition.NetworkNeighborhood{
ObjectMeta: metav1.ObjectMeta{
Name: "test-nn",
Namespace: "default",
Annotations: map[string]string{helpers.CompletionMetadataKey: "complete", helpers.StatusMetadataKey: "ready"},
},
Spec: softwarecomposition.NetworkNeighborhoodSpec{
Containers: []softwarecomposition.NetworkNeighborhoodContainer{{
Name: "c",
Egress: []softwarecomposition.NetworkNeighbor{
{IPAddresses: []string{"not-an-ip"}, DNSNames: []string{"**"}},
},
}},
},
}
oldGood := &softwarecomposition.NetworkNeighborhood{
ObjectMeta: newBad.ObjectMeta,
Spec: softwarecomposition.NetworkNeighborhoodSpec{
Containers: []softwarecomposition.NetworkNeighborhoodContainer{{
Name: "c",
Egress: []softwarecomposition.NetworkNeighbor{
{IPAddresses: []string{"10.0.0.0/8"}, DNSNames: []string{"api.example.com."}},
},
}},
},
}
s := NetworkNeighborhoodStrategy{}
errs := s.ValidateUpdate(context.TODO(), newBad, oldGood)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/registry/softwarecomposition/networkneighborhood/strategy_test.go` around
lines 464 - 480, In the ValidateUpdate test, the code currently passes the same
`bad` object as both the old and new parameters to the ValidateUpdate method
call, which prevents the test from properly validating that the method is
checking the correct operand. Instead, create two distinct fixtures: use a valid
NetworkNeighborhood object for the old parameter and the invalid `bad` object
for the new parameter when calling ValidateUpdate, ensuring the test explicitly
validates that the new object is being checked rather than masking potential
bugs in validation logic.

Signed-off-by: entlein <einentlein@gmail.com>
entlein pushed a commit to k8sstormcenter/node-agent that referenced this pull request Jun 25, 2026
Three matthyx blockers (2026-05-27):

(1) tamper_alert.go:28 — imports pkg/signature and pkg/signature/profiles
which ship in node-agent#809 (not yet merged). Adds minimum-surface
stubs (pkg/signature/stub.go, pkg/signature/profiles/stub.go) so the
PR compiles standalone. With IsSigned returning false, the tamper path
short-circuits and never invokes Verify — the no-op stub is behavior-
safe: signed-profile detection is dormant until kubescape#809 lands and replaces
these files with the real implementation.

(2) projection_apply.go:265 — NetworkNeighbor.IPAddresses missing.
(3) mock.go:202 — same IPAddresses issue.

Both (2) and (3) resolved by replacing kubescape/storage with
k8sstormcenter/storage's upstream-pr/sbob-network tip 46f37d32 (sibling
of kubescape/storage#324). Removed when kubescape#324 merges and a release ships
IPAddresses.

Signed-off-by: entlein <einentlein@gmail.com>
@entlein entlein requested a review from matthyx June 25, 2026 08:11
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
build/protoc.Dockerfile (1)

1-1: 📐 Maintainability & Code Quality | 🔵 Trivial

Pin the protoc builder image to a specific digest for reproducible builds.

The current golang:1.26-trixie tag is a floating reference that can silently change the Go compiler version or base OS patch, potentially altering generated code output. Pin the FROM instruction to the resolved digest below to ensure deterministic builds:

Show diff
FROM --platform=$BUILDPLATFORM golang@sha256:76a29248dedcd75870e95cbd90cc8cb356db082404ac7d3a5803f276c3ba79c9 AS builder
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/protoc.Dockerfile` at line 1, The protoc builder image is using a
floating golang:1.26-trixie tag, which can change over time and break
reproducible builds. Update the FROM instruction in the builder stage to pin the
base image to the provided sha256 digest so the protoc generation environment
stays deterministic.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api-rules/sample_apiserver_violation_exceptions.list`:
- Line 48: The exception entry for NetworkNeighbor.IPAddresses should be removed
by defining the list semantics directly on the API field instead of adding a new
list-type exception. Update the NetworkNeighbor type to include the appropriate
+listType marker for IPAddresses, regenerate the API artifacts, and then delete
this exception from the sample_apiserver_violation_exceptions list.

---

Nitpick comments:
In `@build/protoc.Dockerfile`:
- Line 1: The protoc builder image is using a floating golang:1.26-trixie tag,
which can change over time and break reproducible builds. Update the FROM
instruction in the builder stage to pin the base image to the provided sha256
digest so the protoc generation environment stays deterministic.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 514517b2-2010-4f37-ad70-65995c5f63b6

📥 Commits

Reviewing files that changed from the base of the PR and between 5d93c67 and 1769507.

⛔ Files ignored due to path filters (3)
  • pkg/generated/applyconfiguration/softwarecomposition/v1beta1/execcalls.go is excluded by !**/generated/**
  • pkg/generated/applyconfiguration/softwarecomposition/v1beta1/networkneighbor.go is excluded by !**/generated/**
  • pkg/generated/openapi/zz_generated.openapi.go is excluded by !**/generated/**
📒 Files selected for processing (3)
  • api-rules/sample_apiserver_violation_exceptions.list
  • build/protoc.Dockerfile
  • pkg/apis/softwarecomposition/v1beta1/generated.proto

API rule violation: list_type_missing,github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1,Match,MatchDetails
API rule violation: list_type_missing,github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1,Match,RelatedVulnerabilities
API rule violation: list_type_missing,github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1,NetworkNeighbor,DNSNames
API rule violation: list_type_missing,github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1,NetworkNeighbor,IPAddresses

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Avoid adding a new list-type exception for IPAddresses.

For a new API field, define the intended list semantics on NetworkNeighbor.IPAddresses instead of expanding the exception list. Use the appropriate +listType marker in the API type and regenerate, then remove this exception.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api-rules/sample_apiserver_violation_exceptions.list` at line 48, The
exception entry for NetworkNeighbor.IPAddresses should be removed by defining
the list semantics directly on the API field instead of adding a new list-type
exception. Update the NetworkNeighbor type to include the appropriate +listType
marker for IPAddresses, regenerate the API artifacts, and then delete this
exception from the sample_apiserver_violation_exceptions list.

@matthyx matthyx force-pushed the upstream-pr/sbob-network branch from 1769507 to 5cdffeb Compare June 25, 2026 12:20
@matthyx matthyx merged commit fcbe1a3 into kubescape:main Jun 25, 2026
7 checks passed
@matthyx matthyx moved this from WIP to To Archive in KS PRs tracking Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Archived in project

Development

Successfully merging this pull request may close these issues.

2 participants