KubeArmor
Enhance network matching function
Enhance the matching function of egress
short introduction
Network policies need to add more functionality than just one path to an executable program.
Add new matching
```yaml
network:
  matchProtocols:
  - protocol: tcp, udp
    fromSource:
    - path: /usr/bin/curl
    - fqdn: www.google.com
    - ip: 204.79.197.200/32 # This could be one of my internal proxy gateways
    - port: 443
```
tetragon related product implementation https://tetragon.io/docs/concepts/tracing-policy/selectors/#operator-types
Because of language issues, there may be some problems with expression in some aspects. Comparing similar products, I personally feel that the usage of KubeArmor is more in line with my habits, but I still hope you will consider strengthening the export restrictions on the network and controlling the pod exit strategy in a more refined manner. Thanks
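To make the proposed structure concrete, here is an added example (not KubeArmor code, and not from the issue author): a small evaluator that checks an egress attempt against the rule above. The semantics are an assumption, since the issue does not define them: the protocol must be listed, and each selector kind present under fromSource (path, port, and the fqdn/ip pair as one destination check) must be satisfied.

```python
# Added example (not KubeArmor code): a toy evaluator for the matching
# structure proposed in this issue. Semantics are assumed, not specified.
import ipaddress

# Constructed from the issue's proposed YAML (the dict a YAML loader would
# produce for one matchProtocols entry).
PROPOSED_RULE = {
    "protocol": "tcp, udp",
    "fromSource": [
        {"path": "/usr/bin/curl"},
        {"fqdn": "www.google.com"},
        {"ip": "204.79.197.200/32"},
        {"port": 443},
    ],
}

def _protocols(rule):
    return {p.strip().lower() for p in str(rule["protocol"]).split(",")}

def _selectors(rule):
    """Group fromSource entries by kind: {'path': [...], 'fqdn': [...], ...}"""
    groups = {}
    for entry in rule.get("fromSource", []):
        for kind, value in entry.items():
            groups.setdefault(kind, []).append(value)
    return groups

def _dest_matches(sel, host):
    """Destination matches if it is a listed FQDN or falls in a listed CIDR."""
    if host.lower() in {f.lower() for f in sel.get("fqdn", [])}:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname that is not in the fqdn list
    return any(addr in ipaddress.ip_network(c, strict=False) for c in sel.get("ip", []))

def matches(rule, proto, path, dst_host, dst_port):
    """True if the egress attempt (proto, path, dst_host, dst_port) satisfies
    the rule; dst_host may be an FQDN or an IP literal."""
    if proto.lower() not in _protocols(rule):
        return False
    sel = _selectors(rule)
    if "path" in sel and path not in sel["path"]:
        return False
    if "port" in sel and int(dst_port) not in {int(p) for p in sel["port"]}:
        return False
    if ("fqdn" in sel or "ip" in sel) and not _dest_matches(sel, dst_host):
        return False
    return True
```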
@toadzhou We have been pondering about it for a while. The main blocker for implementing this has been the lack of support for this kind of matching in AppArmor.
But we are now planning to implement this with just BPF LSM. Thanks for the feature request.
I will keep you posted here, how and when we pick this up.
@daemon1024 thanks for your reply.
Multiple enforcers: this is the advantage of this project, allowing for more kernel versions. But it is also subject to some limitations brought by the different enforcers. "BPF LSM" has some unique features that can be implemented on newer kernels, such as network restrictions on INGRESS and EGRESS. Of course, this requires some overall assessment, because my focus is not very comprehensive.
The above ideas refer to "tetragon" and "openshift/ingress-node-firewall".
Is it still due to some technical reasons that this feature is being delayed?