use of com.google.container.v1.NetworkPolicy in project strimzi-kafka-operator by strimzi.
the class CruiseControl method generateNetworkPolicy.
/**
* Generates the NetworkPolicies relevant for Cruise Control
*
* @param operatorNamespace Namespace where the Strimzi Cluster Operator runs. Null if not configured.
* @param operatorNamespaceLabels Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
*
* @return The network policy.
*/
public NetworkPolicy generateNetworkPolicy(String operatorNamespace, Labels operatorNamespaceLabels) {
List<NetworkPolicyIngressRule> rules = new ArrayList<>(1);
// CO can access the REST API
NetworkPolicyIngressRule restApiRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(REST_API_PORT).withProtocol("TCP").endPort().build();
NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator").endPodSelector().build();
ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);
restApiRule.setFrom(Collections.singletonList(clusterOperatorPeer));
rules.add(restApiRule);
if (isMetricsEnabled) {
NetworkPolicyIngressRule metricsRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(METRICS_PORT).withProtocol("TCP").endPort().withFrom().build();
rules.add(metricsRule);
}
NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withNewMetadata().withName(CruiseControlResources.networkPolicyName(cluster)).withNamespace(namespace).withLabels(labels.toMap()).withOwnerReferences(createOwnerReference()).endMetadata().withNewSpec().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, CruiseControlResources.deploymentName(cluster)).endPodSelector().withIngress(rules).endSpec().build();
LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
return networkPolicy;
}
use of com.google.container.v1.NetworkPolicy in project strimzi-kafka-operator by strimzi.
the class KafkaClusterTest method testControlPlanePortNetworkPolicy.
@ParallelTest
public void testControlPlanePortNetworkPolicy() {
NetworkPolicyPeer kafkaBrokersPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, KafkaResources.kafkaStatefulSetName(cluster))).endPodSelector().build();
Kafka kafkaAssembly = ResourceUtils.createKafka(namespace, cluster, replicas, image, healthDelay, healthTimeout, jmxMetricsConfig, configuration, emptyMap());
KafkaCluster k = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, VERSIONS);
// Check Network Policies => Different namespace
NetworkPolicy np = k.generateNetworkPolicy("operator-namespace", null);
assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.CONTROLPLANE_PORT))).findFirst().orElse(null), is(notNullValue()));
List<NetworkPolicyPeer> rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.CONTROLPLANE_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
assertThat(rules.size(), is(1));
assertThat(rules.contains(kafkaBrokersPeer), is(true));
}
use of com.google.container.v1.NetworkPolicy in project strimzi-kafka-operator by strimzi.
the class KafkaClusterTest method testNetworkPolicyPeers.
@ParallelTest
public void testNetworkPolicyPeers() {
NetworkPolicyPeer peer1 = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchExpressions(new LabelSelectorRequirementBuilder().withKey("my-key1").withValues("my-value1").build()).endPodSelector().build();
NetworkPolicyPeer peer2 = new NetworkPolicyPeerBuilder().withNewNamespaceSelector().withMatchExpressions(new LabelSelectorRequirementBuilder().withKey("my-key2").withValues("my-value2").build()).endNamespaceSelector().build();
Kafka kafkaAssembly = new KafkaBuilder(ResourceUtils.createKafka(namespace, cluster, replicas, image, healthDelay, healthTimeout, jmxMetricsConfig, configuration, emptyMap())).editSpec().editKafka().withListeners(new GenericKafkaListenerBuilder().withName("plain").withPort(9092).withType(KafkaListenerType.INTERNAL).withNetworkPolicyPeers(peer1).withTls(false).build(), new GenericKafkaListenerBuilder().withName("tls").withPort(9093).withType(KafkaListenerType.INTERNAL).withTls(true).withNetworkPolicyPeers(peer2).build(), new GenericKafkaListenerBuilder().withName("external").withPort(9094).withType(KafkaListenerType.ROUTE).withTls(true).withNetworkPolicyPeers(peer1, peer2).build()).endKafka().endSpec().build();
KafkaCluster k = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, VERSIONS);
// Check Network Policies
NetworkPolicy np = k.generateNetworkPolicy(null, null);
List<NetworkPolicyIngressRule> rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(9092))).collect(Collectors.toList());
assertThat(rules.size(), is(1));
assertThat(rules.get(0).getFrom().get(0), is(peer1));
rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(9093))).collect(Collectors.toList());
assertThat(rules.size(), is(1));
assertThat(rules.get(0).getFrom().get(0), is(peer2));
rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(9094))).collect(Collectors.toList());
assertThat(rules.size(), is(1));
assertThat(rules.get(0).getFrom().size(), is(2));
assertThat(rules.get(0).getFrom().contains(peer1), is(true));
assertThat(rules.get(0).getFrom().contains(peer2), is(true));
}
use of com.google.container.v1.NetworkPolicy in project strimzi-kafka-operator by strimzi.
the class KafkaClusterTest method testReplicationPortNetworkPolicy.
@ParallelTest
public void testReplicationPortNetworkPolicy() {
NetworkPolicyPeer kafkaBrokersPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, KafkaResources.kafkaStatefulSetName(cluster))).endPodSelector().build();
NetworkPolicyPeer eoPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, KafkaResources.entityOperatorDeploymentName(cluster))).endPodSelector().build();
NetworkPolicyPeer kafkaExporterPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, KafkaExporterResources.deploymentName(cluster))).endPodSelector().build();
NetworkPolicyPeer cruiseControlPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, CruiseControlResources.deploymentName(cluster))).endPodSelector().build();
NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().withNewNamespaceSelector().endNamespaceSelector().build();
NetworkPolicyPeer clusterOperatorPeerSameNamespace = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().build();
NetworkPolicyPeer clusterOperatorPeerNamespaceWithLabels = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().withNewNamespaceSelector().withMatchLabels(Collections.singletonMap("nsLabelKey", "nsLabelValue")).endNamespaceSelector().build();
Kafka kafkaAssembly = ResourceUtils.createKafka(namespace, cluster, replicas, image, healthDelay, healthTimeout, jmxMetricsConfig, configuration, emptyMap());
KafkaCluster k = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, VERSIONS);
// Check Network Policies => Different namespace
NetworkPolicy np = k.generateNetworkPolicy("operator-namespace", null);
assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).findFirst().orElse(null), is(notNullValue()));
List<NetworkPolicyPeer> rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
assertThat(rules.size(), is(5));
assertThat(rules.contains(kafkaBrokersPeer), is(true));
assertThat(rules.contains(eoPeer), is(true));
assertThat(rules.contains(kafkaExporterPeer), is(true));
assertThat(rules.contains(cruiseControlPeer), is(true));
assertThat(rules.contains(clusterOperatorPeer), is(true));
// Check Network Policies => Same namespace
np = k.generateNetworkPolicy(namespace, null);
assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).findFirst().orElse(null), is(notNullValue()));
rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
assertThat(rules.size(), is(5));
assertThat(rules.contains(kafkaBrokersPeer), is(true));
assertThat(rules.contains(eoPeer), is(true));
assertThat(rules.contains(kafkaExporterPeer), is(true));
assertThat(rules.contains(cruiseControlPeer), is(true));
assertThat(rules.contains(clusterOperatorPeerSameNamespace), is(true));
// Check Network Policies => Namespace with Labels
np = k.generateNetworkPolicy("operator-namespace", Labels.fromMap(Collections.singletonMap("nsLabelKey", "nsLabelValue")));
assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).findFirst().orElse(null), is(notNullValue()));
rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
assertThat(rules.size(), is(5));
assertThat(rules.contains(kafkaBrokersPeer), is(true));
assertThat(rules.contains(eoPeer), is(true));
assertThat(rules.contains(kafkaExporterPeer), is(true));
assertThat(rules.contains(cruiseControlPeer), is(true));
assertThat(rules.contains(clusterOperatorPeerNamespaceWithLabels), is(true));
}
use of com.google.container.v1.NetworkPolicy in project strimzi-kafka-operator by strimzi.
the class KafkaConnectClusterTest method testNetworkPolicyWithConnectorOperator.
@ParallelTest
public void testNetworkPolicyWithConnectorOperator() {
KafkaConnect resource = new KafkaConnectBuilder(this.resourceWithMetrics).build();
KafkaConnectCluster kc = KafkaConnectCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, resource, VERSIONS);
NetworkPolicy np = kc.generateNetworkPolicy(true, "operator-namespace", null);
assertThat(np.getMetadata().getName(), is(kc.getName()));
assertThat(np.getSpec().getPodSelector().getMatchLabels(), is(kc.getSelectorLabels().toMap()));
assertThat(np.getSpec().getIngress().size(), is(2));
assertThat(np.getSpec().getIngress().get(0).getPorts().size(), is(1));
assertThat(np.getSpec().getIngress().get(0).getPorts().get(0).getPort().getIntVal(), is(KafkaConnectCluster.REST_API_PORT));
assertThat(np.getSpec().getIngress().get(0).getFrom().size(), is(2));
assertThat(np.getSpec().getIngress().get(0).getFrom().get(0).getPodSelector().getMatchLabels(), is(kc.getSelectorLabels().toMap()));
assertThat(np.getSpec().getIngress().get(0).getFrom().get(0).getNamespaceSelector(), is(nullValue()));
assertThat(np.getSpec().getIngress().get(0).getFrom().get(1).getPodSelector().getMatchLabels(), is(singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")));
assertThat(np.getSpec().getIngress().get(0).getFrom().get(1).getNamespaceSelector().getMatchLabels(), is(nullValue()));
assertThat(np.getSpec().getIngress().get(1).getPorts().size(), is(1));
assertThat(np.getSpec().getIngress().get(1).getPorts().get(0).getPort().getIntVal(), is(KafkaConnectCluster.METRICS_PORT));
}
Aggregations