class MpPerimeter: policies = [ api.AcceptLink(filters=[ api.f.perimeter, api.f.endpoint("zone", [ "staging", "mufasa", "rafiki", "prod", "nightly", "dev", "ops", "nightly-k8s" ], who="server", flags=re.IGNORECASE), api.f.endpoint("app", ["dmzvm", "cassandra", "k8s"], who="server", flags=re.IGNORECASE), api.f.endpoint("process", ["sshd", "haproxy"], who="server", flags=re.IGNORECASE), ], changes=[]), api.AcceptLink(filters=[ api.f.type(["AEG", "AIN"]), api.f.same_zone, api.f.endpoint("app", "dmzvm", who="client"), api.f.endpoint("process", "sshd", who="client"), api.f.endpoint("app", "bendvm", who="server"), api.f.endpoint("process", "sshd", who="server"), ], changes=[]), ]
class MpINT: policies = [ api.AcceptLink(filters=[ api.f.type("INT"), api.f.endpoint("process", "grafana-server", who="client"), api.f.endpoint("process", "prometheus", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.type("INT"), api.f.endpoint("process", "kube-rbac-proxy", who="client"), api.f.endpoint("process", ["node_exporter", "kube-state-metrics"], who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.type("INT"), api.f.endpoint("process", "coredns", who="client"), api.f.endpoint("process", "coredns", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.type("INT"), api.f.endpoint("process", "kubelet", who="client"), api.f.endpoint("process", "kubelet", who="server"), ], changes=[]), ]
class MpHbCheck: policies = [ api.AcceptLink(filters=[ api.f.endpoint("binary_name", "/snap/amazon-ssm-agent/.*/ssm-agent-worker", who="client"), api.f.endpoint("subnet", "169.254.169.254", who="server"), ], changes=[ ("client", "binary_name", "/snap/amazon-ssm-agent/[0-9]+/ssm-agent-worker"), ]), ] policies = [ api.AcceptLink(filters=[ api.f.type("INT"), api.f.endpoint("process", "heartbeat_check.py", who="client"), api.f.endpoint("process", "com.araalinetworks.LaunchKt", who="server", flags=re.IGNORECASE), ], changes=[]), ]
class MpMotd: policies = [ api.AcceptLink(filters=[ api.f.endpoint("parent_process", "50-motd-news", who="client"), api.f.endpoint("dns_pattern", ":motd.ubuntu.com:"), ], changes=[]), api.AcceptLink(filters=[ api.f.type("NAE"), api.f.endpoint( "process", "/usr/lib/ubuntu-release-upgrader/check-new-release", who="client"), api.f.endpoint("dns_pattern", [":changelogs.ubuntu.com:"], who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.type("NAE"), api.f.endpoint("parent_process", "apt-get", who="client"), api.f.endpoint("dns_pattern", [ ":us-west-2.ec2.archive.ubuntu.com:", ":downloads.apache.org:", ":www.apache.org:", ":security.ubuntu.com:", ":dl.bintray.com:" ], who="server"), ], changes=[]), ]
class MpAwsEks: policies = [ api.AcceptLink(filters=[ api.f.endpoint("app", "kube-system.kube.kube-proxy"), api.f.type("NAE"), api.f.endpoint("process", "kube-proxy", who="client"), api.f.endpoint("dns_pattern", ":.*\.eks\.amazonaws\.com:", who="server"), ], changes=[ ("server", "dns_pattern", ":.*\.eks\.amazonaws\.com:"), ]), api.AcceptLink(filters=[ api.f.same_zone, api.f.endpoint("process", ["grpc-health-probe", "aws-cni"], who="client"), api.f.endpoint("process", "aws-k8s-agent", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.endpoint("process", "aws-k8s-agent", who="client"), api.f.endpoint("dns_pattern", ":ec2.us-west-2.amazonaws.com:"), ], changes=[ ("server", "dns_pattern", ":ec2\..*\.amazonaws\.com:"), ]), ]
class MpNAE: policies = [ api.AcceptLink(filters=[ api.f.type("NAE"), api.f.endpoint("process", "/usr/local/bin/cvescan", who="client"), api.f.endpoint("dns_pattern", ":people.canonical.com:", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.type("NAE"), api.f.endpoint("process", "grafana-server", who="client"), api.f.endpoint("dns_pattern", [ ":hooks.slack.com:", ":grafana.com:", ":raw.githubusercontent.com:", ], who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.type("NAE"), api.f.endpoint("process", "kubelet", who="client"), api.f.endpoint("dns_pattern", [ ":ec2.us-west-2.amazonaws.com:", ":api.ecr.us-west-2.amazonaws.com:", ], who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.type("NAE"), api.f.endpoint("process", "kubelet", who="client"), api.f.endpoint("dns_pattern", ":.*.eks.amazonaws.com:", who="server"), ], changes=[ ("server", "dns_pattern", ":.*\.eks\.amazonaws\.com:"), ]), api.AcceptLink(filters=[ api.f.endpoint("app", "cassandra"), api.f.type("NAE"), api.f.endpoint("process", "/usr/bin/pip3", who="client"), api.f.endpoint("dns_pattern", [ ":pypi.python.org:", ":pypi.org:", ":files.pythonhosted.org:" ], who="server"), ], changes=[]), ]
class MpToMetadataSvc: policies = [ api.AcceptLink(filters=[ api.f.endpoint("process", ["kubelet", "aws-iam-authenticator", "aws-k8s-agent", "/usr/bin/yum"], who="client"), api.f.endpoint("subnet", "169.254.169.254", who="server"), ], changes=[ ]), api.AcceptLink(filters=[ api.f.endpoint("app", "kube-system.aws.aws-vpc-cni-init"), api.f.endpoint("process", "curl", who="client"), api.f.endpoint("subnet", "169.254.169.254", who="server"), ], changes=[ ]), ]
class MpIstio: policies = [ api.AcceptLink(filters=[ api.f.type("INT"), api.f.same_pod, api.f.endpoint("process", "pilot-agent", who="client"), api.f.endpoint("process", "envoy", who="server"), ], changes=[ ]), api.AcceptLink(filters=[ api.f.type("INT"), api.f.endpoint("process", "envoy", who="client"), api.f.endpoint("process", "envoy", who="server"), ], changes=[ ]), api.AcceptLink(filters=[ api.f.type("INT"), api.f.same_pod, api.f.endpoint("process", ["application.jar"], who="client"), api.f.endpoint("process", "envoy", who="server"), ], changes=[ ]), api.AcceptLink(filters=[ api.f.type("INT"), api.f.same_pod, api.f.endpoint("process", ["pilot-agent", "envoy"], who="client"), api.f.endpoint("process", ["application.jar"], who="server"), ], changes=[ ]), api.AcceptLink(filters=[ api.f.type("INT"), api.f.self_loop, ], changes=[ ]), api.AcceptLink(filters=[ api.f.type("AEG"), api.f.endpoint("process", ["kubelet"], who="client"), ], changes=[ ]), api.AcceptLink(filters=[ api.f.type(["AEG", "AIN"]), api.f.same_zone, api.f.endpoint("app", "kube-system.metrics-server-", who="client"), api.f.endpoint("process", "metrics-server", who="client"), api.f.endpoint("process", ["kubelet", "pilot-agent", "sidecar-injector"], who="server"), ], changes=[ ]), api.AcceptLink(filters=[ api.f.type(["AEG", "AIN"]), api.f.same_zone, api.f.endpoint("process", "envoy", who="client"), api.f.endpoint("process", "pilot-discovery", who="server"), ], changes=[ ]), ]
class MpAlertMgr: policies = [ api.AcceptLink(filters=[ api.f.type("INT"), api.f.endpoint("process", "alertmanager", who="client"), api.f.endpoint("process", "alertmanager", who="server"), ], changes=[ ]), ]
class MpKubeletClient: policies = [ api.AcceptLink(filters=[ api.f.same_zone, api.f.endpoint("process", "kubelet", who="client"), api.f.endpoint("process", ["alertmanager", "grafana-server", "prometheus"], who="server"), ], changes=[ ]), api.AcceptLink(filters=[ api.f.type(["AEG", "AIN"]), api.f.same_zone, api.f.endpoint("app", "k8s", who="client"), api.f.endpoint("process", "socat", who="client"), api.f.endpoint("app", "monitoring.grafana.grafana", who="server"), api.f.endpoint("process", "grafana-server", who="server"), ], changes=[ ]), ]
class MpPrometheus: policies = [ api.AcceptLink(filters=[ api.f.same_zone, api.f.endpoint("process", "prometheus", who="client"), api.f.endpoint("process", ["alertmanager", "node_exporter", "prometheus", "kubelet", "kube-rbac-proxy",], who="server"), ], changes=[ ]), ]
class NightlyToProd: policies = [ api.AcceptLink(filters=[ api.f.state("DEFINED_POLICY"), api.f.type("AIN"), api.f.endpoint("zone", "nightly", who="client"), ], changes=[ ("client", "zone", "prod"), ]), api.AcceptLink(filters=[ api.f.state("DEFINED_POLICY"), api.f.type("AEG"), api.f.endpoint("zone", "nightly", who="server"), ], changes=[ ("server", "zone", "prod"), ]), ]
class MpCheckHealth: policies = [ api.AcceptLink(filters=[ api.f.same_zone, api.f.endpoint("parent_process", "check_health.sh", who="client"), api.f.endpoint("process", "grpcwebproxy", who="server", flags=re.IGNORECASE), ], changes=[]), ]
class MpSnapdToSnapcraft: policies = [ api.AcceptLink(filters=[ api.f.endpoint("binary_name", "/snap/core/[0-9]+/usr/lib/snapd/snapd", who="client"), api.f.endpoint("dns_pattern", ":api.snapcraft.io:"), ], changes=[ ("client", "binary_name", "/snap/core/[0-9]+/usr/lib/snapd/snapd"), ]), ]
class MpSSMagentToMeta: policies = [ api.AcceptLink(filters=[ api.f.endpoint("binary_name", "/snap/amazon-ssm-agent/.*/ssm-agent-worker", who="client"), api.f.endpoint("subnet", "169.254.169.254", who="server"), ], changes=[ ("client", "binary_name", "/snap/amazon-ssm-agent/[0-9]+/ssm-agent-worker"), ]), ]
class MpLacework: policies = [ api.AcceptLink(filters=[ api.f.type("NAE"), api.f.endpoint('binary_name', '/var/lib/lacework/3.4.2/datacollector', who="client"), api.f.endpoint("subnet", "169.254.169.254", who="server"), api.f.endpoint("netmask", 32, who="server"), api.f.endpoint("dst_port", 80, who="server"), ], changes=[]), ]
class MpAraali: policies = [ api.AcceptLink(filters=[ api.f.endpoint("process", ["autok8s", "guarantor"], who="client"), api.f.endpoint("dns_pattern", ":.*.aws.araalinetworks.com:", who="server"), ], changes=[ ("server", "dns_pattern", ":.*\.aws\.araalinetworks\.com:"), ]), ]
class MpPrometheusAraali: policies = [ api.AcceptLink(filters=[ api.f.same_zone, api.f.endpoint("process", "prometheus", who="client"), api.f.endpoint( "process", ["araali_backend.py", "com.araalinetworks.LaunchKt"], who="server", flags=re.IGNORECASE), ], changes=[]), ]
class MpMonitoring: policies = [ api.AcceptLink(filters=[ api.f.endpoint("app", "^monitoring\."), api.f.type("NAE"), api.f.endpoint("process", "grafana-server", who="client"), api.f.endpoint("dns_pattern", [ ":stats.grafana.org:", ":secure.gravatar.com:", ], who="server"), ], changes=[]), ]
class MpHaproxyClient: policies = [ api.AcceptLink(filters=[ api.f.same_zone, api.f.endpoint("process", "haproxy", who="client"), api.f.endpoint("process", [ 'araali_backend.py', "grpcwebproxy", "araaliweb", "com.araalinetworks.uiserver.UiServerKt" ], who="server", flags=re.IGNORECASE), ], changes=[]), ]
class MpHealthCheck: policies = [ api.AcceptLink(filters=[ api.f.same_zone, api.f.endpoint("process", "/var/lib/haproxy/healthcheck.py", who="client"), api.f.endpoint("process", "prometheus", who="server", flags=re.IGNORECASE), ], changes=[]), ]
class MpK8s: policies = [ api.AcceptLink(filters=[ api.f.type("INT"), api.f.endpoint("app", "monitoring.prometheus.prometheus", who="client"), api.f.endpoint("process", "prometheus", who="client"), api.f.endpoint("app", "monitoring.grafana.grafana", who="server"), api.f.endpoint("process", "grafana-server", who="server"), ], changes=[ ]), api.AcceptLink(filters=[ api.f.type(["AEG", "AIN"]), api.f.same_zone, api.f.endpoint("app", ["k8s", "monitoring.alertmanager.alertmanager"], who="client"), api.f.endpoint("process", ["kubelet", "alertmanager"], who="client"), api.f.endpoint("app", "kube-system.coredns.coredns", who="server"), api.f.endpoint("process", "coredns", who="server"), ], changes=[ ]), api.AcceptLink(filters=[ api.f.type("NAE"), api.f.endpoint("process", "pilot-agent", who="client"), api.f.endpoint("subnet", "169.254.169.254", who="server"), api.f.endpoint("netmask", 32, who="server"), api.f.endpoint("dst_port", 80, who="server"), ], changes=[ ]), api.AcceptLink(filters=[ api.f.type("NAE"), api.f.endpoint("app", "kube-system.certmanageraddon-cert-manager.cert-manager"), api.f.endpoint("process", "controller", who="client"), api.f.endpoint("subnet", "169.254.169.254", who="server"), api.f.endpoint("netmask", 32, who="server"), api.f.endpoint("dst_port", 80, who="server"), ], changes=[ ]), ]
class MpCassandra: policies = [ api.AcceptLink(filters=[ api.f.endpoint("app", "cassandra"), api.f.type("INT"), api.f.endpoint("process", "org.apache.cassandra.tools.NodeTool", who="client"), api.f.endpoint("process", "org.apache.cassandra.service.CassandraDaemon", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.endpoint("app", "cassandra"), api.f.type("INT"), api.f.endpoint("process", "curl", who="client"), api.f.endpoint("process", "cassandra_monitoring.py", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.endpoint("process", [ "com.araalinetworks.LaunchKt", "araali_backend.py", "service_processor.py", "com.araalinetworks.uiserver.UiServerKt", "/usr/bin/cqlsh.py", "sshd" ], who="client", flags=re.IGNORECASE), api.f.endpoint("process", "cassandra", who="server", flags=re.IGNORECASE), ], changes=[]), ]
class MpHaproxyServer: policies = [ api.AcceptLink(filters=[ api.f.same_zone, api.f.endpoint("process", [ "com.araalinetworks.uiserver.UiServerKt", "araali_health_check.py" ], who="client"), api.f.endpoint("process", "haproxy", who="server", flags=re.IGNORECASE), ], changes=[]), ]
class MpAmznLinux: policies = [ api.AcceptLink(filters=[ api.f.endpoint("process", ["/usr/bin/yum", "amazon_linux_extras"], who="client", flags=re.IGNORECASE), api.f.endpoint("dns_pattern", ":amazonlinux.us-west-2.amazonaws.com:", who="server", flags=re.IGNORECASE), ], changes=[ ("server", "dns_pattern", ":amazonlinux\..*\.amazonaws\.com:"), ]), ]
class MpSSMagentToSSM: policies = [ api.AcceptLink(filters=[ api.f.endpoint("binary_name", "/snap/amazon-ssm-agent/.*/ssm-agent-worker", who="client"), api.f.endpoint("dns_pattern", ":ssm.us-west-2.amazonaws.com:", who="server"), ], changes=[ ("client", "binary_name", "/snap/amazon-ssm-agent/[0-9]+/ssm-agent-worker"), ("server", "dns_pattern", ":ssm\..*\.amazonaws\.com:"), ]), ]
class MpDynamo: policies = [ api.AcceptLink(filters=[ api.f.endpoint("process", [ "araali_backend.py", "com.araalinetworks.uiserver.UiServerKt", "com.araalinetworks.LaunchKt", "araaliweb", ], who="client", flags=re.IGNORECASE), api.f.endpoint("dns_pattern", ":dynamodb..*.amazonaws.com:"), ], changes=[ ("server", "dns_pattern", ":dynamodb\..*\.amazonaws\.com:"), ]), ]
class MpS3: policies = [ api.AcceptLink(filters=[ api.f.endpoint("process", [ "service_processor.py", "com.araalinetworks.uiserver.UiServerKt", "com.araalinetworks.LaunchKt", "araali_backend.py", "araaliweb", "/usr/local/bin/aws", ], who="client", flags=re.IGNORECASE), api.f.endpoint("dns_pattern", ":s3\..*\.amazonaws\.com:"), ], changes=[ ("server", "dns_pattern", ":s3\..*\.amazonaws\.com:"), ]), ]
class MpBendVm: policies = [ api.AcceptLink(filters=[ api.f.type("NAE"), api.f.endpoint("process", "dockerd", who="client"), api.f.endpoint("dns_pattern", ":175118736976.dkr.ecr..*.amazonaws.com:", who="server"), ], changes=[ ("server", "dns_pattern", ":175118736976\.dkr\.ecr\..*\.amazonaws\.com:"), ]), api.AcceptLink(filters=[ api.f.endpoint("app", "bendvm.bend.web"), api.f.type("NAE"), api.f.endpoint("process", "araaliweb", who="client"), api.f.endpoint("dns_pattern", [ ":ipinfo.io:", ":metering.marketplace.us-east-1.amazonaws.com:" ], who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.endpoint("app", "bend.applens.applens-generator"), api.f.type("NAE"), api.f.endpoint("process", "com.araalinetworks.LaunchKt", who="client"), api.f.endpoint("dns_pattern", [":sns.us-west-2.amazonaws.com:"], who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.endpoint("app", "bendvm.bend.backend"), api.f.type("NAE"), api.f.endpoint("process", "araali_backend.py", who="client"), api.f.endpoint("dns_pattern", [ ":sns.us-west-2.amazonaws.com:", ":lambda.us-west-2.amazonaws.com:" ], who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.endpoint("app", "bendvm.bend.visbot"), api.f.type("NAE"), api.f.endpoint("process", "main.py", who="client"), api.f.endpoint("dns_pattern", [":email.us-west-2.amazonaws.com:", ":slack.com:"], who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.type("INT"), api.f.endpoint("process", "araaliweb", who="client"), api.f.endpoint("process", "docker-proxy", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.type("INT"), api.f.endpoint("process", "araali_backend.py", who="client"), api.f.endpoint("process", "docker-proxy", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.type("INT"), api.f.endpoint("process", "com.araalinetworks.LaunchKt", who="client"), api.f.endpoint("process", "scanner.py", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.endpoint("app", "bendvm"), api.f.type("INT"), api.f.endpoint("process", "docker-proxy", who="client"), api.f.endpoint("process", "main.py", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.endpoint("app", ".uiserver"), api.f.type("INT"), api.f.endpoint("process", "grpcwebproxy", who="client"), api.f.endpoint("process", "com.araalinetworks.uiserver.UiServerKt", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.endpoint("app", "bendvm.bend.uiserver"), api.f.type("INT"), api.f.endpoint("parent_process", "check_health.sh", who="client"), api.f.endpoint("process", "grpcwebproxy", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.endpoint("app", "bendvm.bend.backend"), api.f.type("INT"), api.f.endpoint("process", "prometheus", who="client"), api.f.endpoint("process", "araali_backend.py", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.same_zone, api.f.type("AEG"), api.f.endpoint("app", "bendvm.bend.uiserver", who="client"), api.f.endpoint("process", "com.araalinetworks.uiserver.UiServerKt", who="client"), api.f.endpoint("app", "dmzvm", who="server"), api.f.endpoint("process", "haproxy", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.same_zone, api.f.type("AEG"), api.f.endpoint("app", "dmzvm", who="client"), api.f.endpoint("process", "haproxy", who="client"), api.f.endpoint("app", "bendvm.bend.web", who="server"), api.f.endpoint("process", "araaliweb", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.same_zone, api.f.type("AEG"), api.f.endpoint("app", "dmzvm", who="client"), api.f.endpoint("process", "haproxy", who="client"), api.f.endpoint("app", "bendvm.bend.uiserver", who="server"), api.f.endpoint("process", "grpcwebproxy", who="server"), ], changes=[]), api.AcceptLink(filters=[ api.f.same_zone, api.f.type("AEG"), api.f.endpoint("app", "dmzvm", who="client"), api.f.endpoint("process", "haproxy", who="client"), api.f.endpoint("app", "bendvm.bend.backend", who="server"), api.f.endpoint("process", "araali_backend.py", who="server"), ], changes=[]), ]
class AcceptAllDefined: policies = [ api.AcceptLink(filters=[ api.f.state("DEFINED_POLICY"), ], changes=[]), ]