Use of com.google.container.v1.NetworkPolicy in project strimzi by strimzi.
The class ZookeeperCluster, method generateNetworkPolicy.
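/**
 * Generates the NetworkPolicy relevant for ZooKeeper nodes.
 *
 * <p>The policy selects the ZooKeeper pods of this cluster and allows ingress as follows:
 * <ul>
 *   <li>the clustering and leader-election ports only from the ZooKeeper pods themselves,</li>
 *   <li>the TLS client port from the Kafka, ZooKeeper, Entity Operator and Cluster Operator pods
 *       (the Cluster Operator peer additionally receives a namespace selector derived from
 *       {@code operatorNamespace} / {@code operatorNamespaceLabels}),</li>
 *   <li>the metrics port (only when metrics are enabled) and the JMX port (only when JMX is enabled)
 *       without any {@code from} peers, so these two rules do not restrict the traffic source.</li>
 * </ul>
 * Only ingress rules are generated; {@code policyTypes} is not set and no egress rule is added.
 *
 * @param operatorNamespace Namespace where the Strimzi Cluster Operator runs. Null if not configured.
 * @param operatorNamespaceLabels Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
 *
 * @return The network policy.
 */
public NetworkPolicy generateNetworkPolicy(String operatorNamespace, Labels operatorNamespaceLabels) {
    List<NetworkPolicyIngressRule> rules = new ArrayList<>(4);

    // Selector matching the ZooKeeper pods of this cluster. The very same selector is used both as the
    // policy's pod selector and as the peer allowed to reach the ZooKeeper-only ports.
    LabelSelector zookeeperSelector = singleLabelSelector(Labels.STRIMZI_NAME_LABEL, KafkaResources.zookeeperStatefulSetName(cluster));
    NetworkPolicyPeer zookeeperClusterPeer = new NetworkPolicyPeer();
    zookeeperClusterPeer.setPodSelector(zookeeperSelector);

    // Zookeeper only ports - 2888 & 3888 which need to be accessed by the Zookeeper cluster members only
    rules.add(new NetworkPolicyIngressRuleBuilder()
            .withPorts(tcpPort(CLUSTERING_PORT), tcpPort(LEADER_ELECTION_PORT))
            .withFrom(zookeeperClusterPeer)
            .build());

    // Clients port - needs to be accessed from outside the Zookeeper cluster as well
    NetworkPolicyPeer kafkaClusterPeer = new NetworkPolicyPeer();
    kafkaClusterPeer.setPodSelector(singleLabelSelector(Labels.STRIMZI_NAME_LABEL, KafkaResources.kafkaStatefulSetName(cluster)));

    NetworkPolicyPeer entityOperatorPeer = new NetworkPolicyPeer();
    entityOperatorPeer.setPodSelector(singleLabelSelector(Labels.STRIMZI_NAME_LABEL, KafkaResources.entityOperatorDeploymentName(cluster)));

    NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeer();
    clusterOperatorPeer.setPodSelector(singleLabelSelector(Labels.STRIMZI_KIND_LABEL, "cluster-operator"));
    ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);

    // This is a hack because we have no guarantee that the CO namespace has some particular labels
    List<NetworkPolicyPeer> clientsPortPeers = new ArrayList<>(4);
    clientsPortPeers.add(kafkaClusterPeer);
    clientsPortPeers.add(zookeeperClusterPeer);
    clientsPortPeers.add(entityOperatorPeer);
    clientsPortPeers.add(clusterOperatorPeer);

    rules.add(new NetworkPolicyIngressRuleBuilder()
            .withPorts(tcpPort(CLIENT_TLS_PORT))
            .withFrom(clientsPortPeers)
            .build());

    if (isMetricsEnabled) {
        // No "from" peers: the metrics port is not restricted to particular sources
        rules.add(new NetworkPolicyIngressRuleBuilder()
                .withPorts(tcpPort(METRICS_PORT))
                .withFrom()
                .build());
    }

    if (isJmxEnabled) {
        // No "from" peers: the JMX port is not restricted to particular sources.
        // The protocol is now set explicitly (TCP) like on every other port of this policy.
        rules.add(new NetworkPolicyIngressRuleBuilder()
                .withPorts(tcpPort(JMX_PORT))
                .withFrom()
                .build());
    }

    NetworkPolicy networkPolicy = new NetworkPolicyBuilder()
            .withNewMetadata()
                .withName(KafkaResources.zookeeperNetworkPolicyName(cluster))
                .withNamespace(namespace)
                .withLabels(labels.toMap())
                .withOwnerReferences(createOwnerReference())
            .endMetadata()
            .withNewSpec()
                .withPodSelector(zookeeperSelector)
                .withIngress(rules)
            .endSpec()
            .build();

    LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
    return networkPolicy;
}

/**
 * Creates a port entry for a NetworkPolicy ingress rule with the protocol explicitly set to TCP.
 *
 * @param port  Port number
 *
 * @return The NetworkPolicyPort for the given port number
 */
private static NetworkPolicyPort tcpPort(int port) {
    NetworkPolicyPort networkPolicyPort = new NetworkPolicyPort();
    networkPolicyPort.setPort(new IntOrString(port));
    networkPolicyPort.setProtocol("TCP");
    return networkPolicyPort;
}

/**
 * Creates a LabelSelector which matches pods carrying exactly one given label.
 *
 * @param labelKey      Label key to match
 * @param labelValue    Label value to match
 *
 * @return The LabelSelector with a single matchLabels entry
 */
private static LabelSelector singleLabelSelector(String labelKey, String labelValue) {
    Map<String, String> matchLabels = new HashMap<>(1);
    matchLabels.put(labelKey, labelValue);

    LabelSelector selector = new LabelSelector();
    selector.setMatchLabels(matchLabels);
    return selector;
}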
Use of com.google.container.v1.NetworkPolicy in project strimzi by strimzi.
The class NetworkPolicyResource, method allowNetworkPolicySettingsForEntityOperator.
/**
 * Creates a NetworkPolicy which lets pods carrying the scraper label reach the Entity Operator pods of the
 * given cluster on the ports named by {@code Constants.TOPIC_OPERATOR_METRICS_PORT} and
 * {@code Constants.USER_OPERATOR_METRICS_PORT}. The policy is registered with the ResourceManager so that it is
 * cleaned up together with the test.
 *
 * @param extensionContext  JUnit extension context the created resource is registered with
 * @param clusterName       Name of the Kafka cluster whose Entity Operator should be reachable
 * @param namespace         Namespace in which the NetworkPolicy is created
 */
public static void allowNetworkPolicySettingsForEntityOperator(ExtensionContext extensionContext, String clusterName, String namespace) {
    final String eoDeploymentName = KafkaResources.entityOperatorDeploymentName(clusterName);
    final LabelSelector scraperSelector = new LabelSelectorBuilder()
            .addToMatchLabels(Constants.SCRAPER_LABEL_KEY, Constants.SCRAPER_LABEL_VALUE)
            .build();

    LOGGER.info("Apply NetworkPolicy access to {} from pods with LabelSelector {}", eoDeploymentName, scraperSelector);

    // The policy applies to the Entity Operator pods of this cluster only
    final LabelSelector entityOperatorPods = new LabelSelectorBuilder()
            .addToMatchLabels("strimzi.io/cluster", clusterName)
            .addToMatchLabels("strimzi.io/kind", Kafka.RESOURCE_KIND)
            .addToMatchLabels("strimzi.io/name", eoDeploymentName)
            .build();

    final NetworkPolicy networkPolicy = NetworkPolicyTemplates.networkPolicyBuilder(namespace, eoDeploymentName, scraperSelector)
            .editSpec()
                .editFirstIngress()
                    .addNewPort().withNewPort(Constants.TOPIC_OPERATOR_METRICS_PORT).withProtocol("TCP").endPort()
                    .addNewPort().withNewPort(Constants.USER_OPERATOR_METRICS_PORT).withProtocol("TCP").endPort()
                .endIngress()
                .withPodSelector(entityOperatorPods)
            .endSpec()
            .build();

    LOGGER.debug("Creating NetworkPolicy: {}", networkPolicy.toString());
    ResourceManager.getInstance().createResource(extensionContext, networkPolicy);
    LOGGER.info("Network policy for LabelSelector {} successfully created", scraperSelector);
}
Use of com.google.container.v1.NetworkPolicy in project strimzi by strimzi.
The class NetworkPoliciesIsolatedST, method testNPGenerationEnvironmentVariable.
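/**
 * Verifies that setting {@code STRIMZI_NETWORK_POLICY_GENERATION=false} on the Cluster Operator disables the
 * generation of NetworkPolicies: after a Kafka cluster (with Cruise Control) and a Kafka Connect cluster have been
 * deployed, no NetworkPolicy carrying the {@code strimzi.io/name} label may exist.
 *
 * <p>Skipped on Helm and OLM installations.
 *
 * @param extensionContext  JUnit extension context of this test
 */
@IsolatedTest("Specific cluster operator for test case")
void testNPGenerationEnvironmentVariable(ExtensionContext extensionContext) {
    assumeTrue(!Environment.isHelmInstall() && !Environment.isOlmInstall());

    final String clusterName = mapWithClusterNames.get(extensionContext.getDisplayName());
    final EnvVar networkPolicyGenerationEnv = new EnvVarBuilder()
            .withName("STRIMZI_NETWORK_POLICY_GENERATION")
            .withValue("false")
            .build();

    // Re-install the Cluster Operator with NetworkPolicy generation switched off
    clusterOperator.unInstall();
    clusterOperator = new SetupClusterOperator.SetupClusterOperatorBuilder()
            .withExtensionContext(extensionContext)
            .withNamespace(clusterOperator.getDeploymentNamespace())
            .withExtraEnvVars(Collections.singletonList(networkPolicyGenerationEnv))
            .createInstallation()
            .runInstallation();

    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaWithCruiseControl(clusterName, 3, 3).build());
    resourceManager.createResource(extensionContext, KafkaConnectTemplates.kafkaConnect(clusterName, 1).build());

    // Only policies labelled with strimzi.io/name are considered, i.e. the ones the operator itself would generate
    final List<NetworkPolicy> strimziNetworkPolicies = kubeClient().getClient().network().networkPolicies().list().getItems().stream()
            .filter(item -> item.getMetadata().getLabels() != null && item.getMetadata().getLabels().containsKey("strimzi.io/name"))
            .collect(Collectors.toList());

    // Typed empty list instead of the raw-typed Collections.EMPTY_LIST
    assertThat("List of NetworkPolicies generated by Strimzi is not empty.", strimziNetworkPolicies, is(Collections.<NetworkPolicy>emptyList()));
}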
Use of com.google.container.v1.NetworkPolicy in project strimzi by strimzi.
The class KafkaClusterTest, method testNoNetworkPolicyPeers.
/**
 * Checks that listeners configured without {@code networkPolicyPeers} each produce exactly one ingress rule for
 * their port (9092, 9093 and 9094 here) whose {@code from} is null, i.e. the rule does not restrict the traffic source.
 */
@ParallelTest
public void testNoNetworkPolicyPeers() {
    Kafka kafkaAssembly = new KafkaBuilder(ResourceUtils.createKafka(namespace, cluster, replicas, image, healthDelay, healthTimeout, jmxMetricsConfig, configuration, emptyMap()))
            .editSpec()
                .editKafka()
                    .withListeners(
                            new GenericKafkaListenerBuilder().withName("plain").withPort(9092).withType(KafkaListenerType.INTERNAL).withTls(false).build(),
                            new GenericKafkaListenerBuilder().withName("tls").withPort(9093).withType(KafkaListenerType.INTERNAL).withTls(true).build(),
                            new GenericKafkaListenerBuilder().withName("external").withPort(9094).withType(KafkaListenerType.ROUTE).withTls(true).build())
                .endKafka()
            .endSpec()
            .build();
    KafkaCluster k = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, VERSIONS);

    // Check Network Policies
    NetworkPolicy np = k.generateNetworkPolicy(null, null);

    for (int listenerPort : new int[] {9092, 9093, 9094}) {
        IntOrString expectedPort = new IntOrString(listenerPort);
        List<NetworkPolicyIngressRule> rulesForPort = np.getSpec().getIngress().stream()
                .filter(ing -> ing.getPorts().get(0).getPort().equals(expectedPort))
                .collect(Collectors.toList());

        assertThat(rulesForPort.size(), is(1));
        assertThat(rulesForPort.get(0).getFrom(), is(nullValue()));
    }
}
Use of com.google.container.v1.NetworkPolicy in project strimzi by strimzi.
The class KafkaMirrorMaker2ClusterTest, method testNetworkPolicyWithConnectorOperatorWithNamespaceLabels.
/**
 * Verifies the NetworkPolicy generated for Mirror Maker 2 when the Connector Operator is enabled and the Cluster
 * Operator namespace is identified by labels: the first rule (REST API port) must admit the Mirror Maker 2 pods
 * (no namespace selector) and the Cluster Operator pods (kind label plus the given namespace labels); the second
 * rule must expose only the metrics port.
 */
@ParallelTest
public void testNetworkPolicyWithConnectorOperatorWithNamespaceLabels() {
    KafkaMirrorMaker2 resource = new KafkaMirrorMaker2Builder(this.resourceWithMetrics).build();
    KafkaMirrorMaker2Cluster kc = KafkaMirrorMaker2Cluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, resource, VERSIONS);
    kc.generateMetricsAndLogConfigMap(new MetricsAndLogging(metricsCM, null));

    NetworkPolicy np = kc.generateNetworkPolicy(true, "operator-namespace", Labels.fromMap(singletonMap("nsLabelKey", "nsLabelValue")));

    // Policy metadata and the pods it applies to
    assertThat(np.getMetadata().getName(), is(kc.getName()));
    assertThat(np.getSpec().getPodSelector().getMatchLabels(), is(kc.getSelectorLabels().toMap()));
    assertThat(np.getSpec().getIngress().size(), is(2));

    // Rule 0: REST API port with two peers
    assertThat(np.getSpec().getIngress().get(0).getPorts().size(), is(1));
    assertThat(np.getSpec().getIngress().get(0).getPorts().get(0).getPort().getIntVal(),
            is(KafkaConnectCluster.REST_API_PORT));
    assertThat(np.getSpec().getIngress().get(0).getFrom().size(), is(2));

    // peer 0: the Mirror Maker 2 pods themselves, without a namespace selector
    assertThat(np.getSpec().getIngress().get(0).getFrom().get(0).getPodSelector().getMatchLabels(),
            is(kc.getSelectorLabels().toMap()));
    assertThat(np.getSpec().getIngress().get(0).getFrom().get(0).getNamespaceSelector(),
            is(nullValue()));

    // peer 1: the Cluster Operator pods, located through the namespace labels passed in
    assertThat(np.getSpec().getIngress().get(0).getFrom().get(1).getPodSelector().getMatchLabels(),
            is(singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")));
    assertThat(np.getSpec().getIngress().get(0).getFrom().get(1).getNamespaceSelector().getMatchLabels(),
            is(singletonMap("nsLabelKey", "nsLabelValue")));

    // Rule 1: metrics port only
    assertThat(np.getSpec().getIngress().get(1).getPorts().size(), is(1));
    assertThat(np.getSpec().getIngress().get(1).getPorts().get(0).getPort().getIntVal(),
            is(KafkaConnectCluster.METRICS_PORT));
}