use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder in project strimzi by strimzi.
the class NetworkPolicyResource method allowNetworkPolicySettingsForResource.
/**
* Method for allowing network policies for Connect
* @param resource mean Connect resource
* @param deploymentName name of resource deployment - for setting strimzi.io/name
*/
public static void allowNetworkPolicySettingsForResource(ExtensionContext extensionContext, HasMetadata resource, String deploymentName) {
LabelSelector labelSelector = new LabelSelectorBuilder().addToMatchLabels(Constants.KAFKA_CLIENTS_LABEL_KEY, Constants.KAFKA_CLIENTS_LABEL_VALUE).build();
final String namespaceName = StUtils.isParallelNamespaceTest(extensionContext) && !Environment.isNamespaceRbacScope() ? // if parallel namespace test use namespace from store and if RBAC is enable we don't run tests in parallel mode and with that said we don't create another namespaces
extensionContext.getStore(ExtensionContext.Namespace.GLOBAL).get(Constants.NAMESPACE_KEY).toString() : // otherwise use resource namespace
resource.getMetadata().getNamespace();
if (kubeClient(namespaceName).listPods(namespaceName, labelSelector).size() == 0) {
List<String> pods = kubeClient(namespaceName).listPods(namespaceName).stream().map(pod -> pod.getMetadata().getName()).collect(Collectors.toList());
LOGGER.error("Pods inside {} namespace are {}", namespaceName, pods.toString());
throw new RuntimeException("You did not create the Kafka Client instance(pod) before using the " + resource.getKind() + " in namespace:" + namespaceName);
}
LOGGER.info("Apply NetworkPolicy access to {} from pods with LabelSelector {}", deploymentName, labelSelector);
NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withApiVersion("networking.k8s.io/v1").withKind(Constants.NETWORK_POLICY).withNewMetadata().withName(resource.getMetadata().getName() + "-allow").withNamespace(namespaceName).endMetadata().withNewSpec().addNewIngress().addNewFrom().withPodSelector(labelSelector).endFrom().addNewPort().withNewPort(8083).withProtocol("TCP").endPort().addNewPort().withNewPort(9404).withProtocol("TCP").endPort().addNewPort().withNewPort(8080).withProtocol("TCP").endPort().addNewPort().withNewPort(Constants.JMX_PORT).withProtocol("TCP").endPort().endIngress().withNewPodSelector().addToMatchLabels("strimzi.io/cluster", resource.getMetadata().getName()).addToMatchLabels("strimzi.io/kind", resource.getKind()).addToMatchLabels("strimzi.io/name", deploymentName).endPodSelector().withPolicyTypes("Ingress").endSpec().build();
LOGGER.debug("Creating NetworkPolicy: {}", networkPolicy.toString());
ResourceManager.getInstance().createResource(extensionContext, networkPolicy);
LOGGER.info("Network policy for LabelSelector {} successfully created", labelSelector);
}
use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder in project strimzi by strimzi.
the class TracingST method deployJaegerOperator.
private void deployJaegerOperator(ExtensionContext extensionContext) throws IOException, FileNotFoundException {
LOGGER.info("=== Applying jaeger operator install files ===");
deployJaegerContent(extensionContext);
ResourceManager.STORED_RESOURCES.computeIfAbsent(extensionContext.getDisplayName(), k -> new Stack<>());
ResourceManager.STORED_RESOURCES.get(extensionContext.getDisplayName()).push(new ResourceItem(() -> this.deleteJaeger()));
DeploymentUtils.waitForDeploymentAndPodsReady(namespace, JAEGER_OPERATOR_DEPLOYMENT_NAME, 1);
NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withApiVersion("networking.k8s.io/v1").withKind(Constants.NETWORK_POLICY).withNewMetadata().withName("jaeger-allow").withNamespace(namespace).endMetadata().withNewSpec().addNewIngress().endIngress().withNewPodSelector().addToMatchLabels("app", "jaeger").endPodSelector().withPolicyTypes("Ingress").endSpec().build();
LOGGER.debug("Creating NetworkPolicy: {}", networkPolicy.toString());
resourceManager.createResource(extensionContext, networkPolicy);
LOGGER.info("Network policy for jaeger successfully created");
}
use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder in project strimzi by strimzi.
the class KafkaConnectCluster method generateNetworkPolicy.
/**
* Generates the NetworkPolicies relevant for Kafka Connect nodes
*
* @param connectorOperatorEnabled Whether the ConnectorOperator is enabled or not
* @param operatorNamespace Namespace where the Strimzi Cluster Operator runs. Null if not configured.
* @param operatorNamespaceLabels Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
*
* @return The network policy.
*/
public NetworkPolicy generateNetworkPolicy(boolean connectorOperatorEnabled, String operatorNamespace, Labels operatorNamespaceLabels) {
if (connectorOperatorEnabled) {
List<NetworkPolicyIngressRule> rules = new ArrayList<>(2);
// Give CO access to the REST API
NetworkPolicyIngressRule restApiRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(REST_API_PORT).withProtocol("TCP").endPort().build();
// OCP 3.11 doesn't support network policies with the `from` section containing a namespace.
// Since the CO can run in a different namespace, we have to leave it wide open on OCP 3.11
// Therefore these rules are set only when using something else than OCP 3.11 and leaving
// the `from` section empty on 3.11
List<NetworkPolicyPeer> peers = new ArrayList<>(2);
// Other connect pods in the same cluster need to talk with each other over the REST API
NetworkPolicyPeer connectPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(getSelectorLabels().toMap()).endPodSelector().build();
peers.add(connectPeer);
// CO needs to talk with the Connect pods to manage connectors
NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator").endPodSelector().build();
ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);
peers.add(clusterOperatorPeer);
restApiRule.setFrom(peers);
rules.add(restApiRule);
// If metrics are enabled, we have to open them as well. Otherwise they will be blocked.
if (isMetricsEnabled) {
NetworkPolicyIngressRule metricsRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(METRICS_PORT).withProtocol("TCP").endPort().withFrom().build();
rules.add(metricsRule);
}
NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withNewMetadata().withName(name).withNamespace(namespace).withLabels(labels.toMap()).withOwnerReferences(createOwnerReference()).endMetadata().withNewSpec().withNewPodSelector().addToMatchLabels(getSelectorLabels().toMap()).endPodSelector().withIngress(rules).endSpec().build();
LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
return networkPolicy;
} else {
return null;
}
}
use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder in project strimzi-kafka-operator by strimzi.
the class CruiseControl method generateNetworkPolicy.
/**
* Generates the NetworkPolicies relevant for Cruise Control
*
* @param operatorNamespace Namespace where the Strimzi Cluster Operator runs. Null if not configured.
* @param operatorNamespaceLabels Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
*
* @return The network policy.
*/
public NetworkPolicy generateNetworkPolicy(String operatorNamespace, Labels operatorNamespaceLabels) {
List<NetworkPolicyIngressRule> rules = new ArrayList<>(1);
// CO can access the REST API
NetworkPolicyIngressRule restApiRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(REST_API_PORT).withProtocol("TCP").endPort().build();
NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator").endPodSelector().build();
ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);
restApiRule.setFrom(Collections.singletonList(clusterOperatorPeer));
rules.add(restApiRule);
if (isMetricsEnabled) {
NetworkPolicyIngressRule metricsRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(METRICS_PORT).withProtocol("TCP").endPort().withFrom().build();
rules.add(metricsRule);
}
NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withNewMetadata().withName(policyName(cluster)).withNamespace(namespace).withLabels(labels.toMap()).withOwnerReferences(createOwnerReference()).endMetadata().withNewSpec().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, cruiseControlName(cluster)).endPodSelector().withIngress(rules).endSpec().build();
LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
return networkPolicy;
}
use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder in project strimzi-kafka-operator by strimzi.
the class KafkaConnectCluster method generateNetworkPolicy.
/**
* Generates the NetworkPolicies relevant for Kafka Connect nodes
*
* @param connectorOperatorEnabled Whether the ConnectorOperator is enabled or not
* @param operatorNamespace Namespace where the Strimzi Cluster Operator runs. Null if not configured.
* @param operatorNamespaceLabels Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
*
* @return The network policy.
*/
public NetworkPolicy generateNetworkPolicy(boolean connectorOperatorEnabled, String operatorNamespace, Labels operatorNamespaceLabels) {
if (connectorOperatorEnabled) {
List<NetworkPolicyIngressRule> rules = new ArrayList<>(2);
// Give CO access to the REST API
NetworkPolicyIngressRule restApiRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(REST_API_PORT).withProtocol("TCP").endPort().build();
// OCP 3.11 doesn't support network policies with the `from` section containing a namespace.
// Since the CO can run in a different namespace, we have to leave it wide open on OCP 3.11
// Therefore these rules are set only when using something else than OCP 3.11 and leaving
// the `from` section empty on 3.11
List<NetworkPolicyPeer> peers = new ArrayList<>(2);
// Other connect pods in the same cluster need to talk with each other over the REST API
NetworkPolicyPeer connectPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(getSelectorLabels().toMap()).endPodSelector().build();
peers.add(connectPeer);
// CO needs to talk with the Connect pods to manage connectors
NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator").endPodSelector().build();
ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);
peers.add(clusterOperatorPeer);
restApiRule.setFrom(peers);
rules.add(restApiRule);
// If metrics are enabled, we have to open them as well. Otherwise they will be blocked.
if (isMetricsEnabled) {
NetworkPolicyIngressRule metricsRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(METRICS_PORT).withProtocol("TCP").endPort().withFrom().build();
rules.add(metricsRule);
}
NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withNewMetadata().withName(name).withNamespace(namespace).withLabels(labels.toMap()).withOwnerReferences(createOwnerReference()).endMetadata().withNewSpec().withNewPodSelector().addToMatchLabels(getSelectorLabels().toMap()).endPodSelector().withIngress(rules).endSpec().build();
LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
return networkPolicy;
} else {
return null;
}
}
Aggregations