Search in sources :

Example 1 with NetworkPolicyBuilder

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder in project strimzi by strimzi.

the class NetworkPolicyResource method allowNetworkPolicySettingsForResource.

/**
 * Method for allowing network policies for Connect
 * @param resource mean Connect resource
 * @param deploymentName name of resource deployment - for setting strimzi.io/name
 */
public static void allowNetworkPolicySettingsForResource(ExtensionContext extensionContext, HasMetadata resource, String deploymentName) {
    LabelSelector labelSelector = new LabelSelectorBuilder().addToMatchLabels(Constants.KAFKA_CLIENTS_LABEL_KEY, Constants.KAFKA_CLIENTS_LABEL_VALUE).build();
    final String namespaceName = StUtils.isParallelNamespaceTest(extensionContext) && !Environment.isNamespaceRbacScope() ? // if parallel namespace test use namespace from store and if RBAC is enable we don't run tests in parallel mode and with that said we don't create another namespaces
    extensionContext.getStore(ExtensionContext.Namespace.GLOBAL).get(Constants.NAMESPACE_KEY).toString() : // otherwise use resource namespace
    resource.getMetadata().getNamespace();
    if (kubeClient(namespaceName).listPods(namespaceName, labelSelector).size() == 0) {
        List<String> pods = kubeClient(namespaceName).listPods(namespaceName).stream().map(pod -> pod.getMetadata().getName()).collect(Collectors.toList());
        LOGGER.error("Pods inside {} namespace are {}", namespaceName, pods.toString());
        throw new RuntimeException("You did not create the Kafka Client instance(pod) before using the " + resource.getKind() + " in namespace:" + namespaceName);
    }
    LOGGER.info("Apply NetworkPolicy access to {} from pods with LabelSelector {}", deploymentName, labelSelector);
    NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withApiVersion("networking.k8s.io/v1").withKind(Constants.NETWORK_POLICY).withNewMetadata().withName(resource.getMetadata().getName() + "-allow").withNamespace(namespaceName).endMetadata().withNewSpec().addNewIngress().addNewFrom().withPodSelector(labelSelector).endFrom().addNewPort().withNewPort(8083).withProtocol("TCP").endPort().addNewPort().withNewPort(9404).withProtocol("TCP").endPort().addNewPort().withNewPort(8080).withProtocol("TCP").endPort().addNewPort().withNewPort(Constants.JMX_PORT).withProtocol("TCP").endPort().endIngress().withNewPodSelector().addToMatchLabels("strimzi.io/cluster", resource.getMetadata().getName()).addToMatchLabels("strimzi.io/kind", resource.getKind()).addToMatchLabels("strimzi.io/name", deploymentName).endPodSelector().withPolicyTypes("Ingress").endSpec().build();
    LOGGER.debug("Creating NetworkPolicy: {}", networkPolicy.toString());
    ResourceManager.getInstance().createResource(extensionContext, networkPolicy);
    LOGGER.info("Network policy for LabelSelector {} successfully created", labelSelector);
}
Also used : Environment(io.strimzi.systemtest.Environment) LabelSelector(io.fabric8.kubernetes.api.model.LabelSelector) LabelSelectorBuilder(io.fabric8.kubernetes.api.model.LabelSelectorBuilder) KafkaExporterResources(io.strimzi.api.kafka.model.KafkaExporterResources) Constants(io.strimzi.systemtest.Constants) ExtensionContext(org.junit.jupiter.api.extension.ExtensionContext) HasMetadata(io.fabric8.kubernetes.api.model.HasMetadata) Spec(io.strimzi.api.kafka.model.Spec) Collectors(java.util.stream.Collectors) NetworkPolicyTemplates(io.strimzi.systemtest.templates.kubernetes.NetworkPolicyTemplates) KubeClusterResource.kubeClient(io.strimzi.test.k8s.KubeClusterResource.kubeClient) List(java.util.List) Logger(org.apache.logging.log4j.Logger) ResourceManager(io.strimzi.systemtest.resources.ResourceManager) KafkaResources(io.strimzi.api.kafka.model.KafkaResources) Status(io.strimzi.api.kafka.model.status.Status) NetworkPolicy(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy) NetworkPolicyBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder) DefaultNetworkPolicy(io.strimzi.systemtest.enums.DefaultNetworkPolicy) ResourceType(io.strimzi.systemtest.resources.ResourceType) Kafka(io.strimzi.api.kafka.model.Kafka) StUtils(io.strimzi.systemtest.utils.StUtils) LogManager(org.apache.logging.log4j.LogManager) CustomResource(io.fabric8.kubernetes.client.CustomResource) LabelSelectorBuilder(io.fabric8.kubernetes.api.model.LabelSelectorBuilder) NetworkPolicy(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy) DefaultNetworkPolicy(io.strimzi.systemtest.enums.DefaultNetworkPolicy) LabelSelector(io.fabric8.kubernetes.api.model.LabelSelector) NetworkPolicyBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder)

Example 2 with NetworkPolicyBuilder

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder in project strimzi by strimzi.

the class TracingST method deployJaegerOperator.

private void deployJaegerOperator(ExtensionContext extensionContext) throws IOException, FileNotFoundException {
    LOGGER.info("=== Applying jaeger operator install files ===");
    deployJaegerContent(extensionContext);
    ResourceManager.STORED_RESOURCES.computeIfAbsent(extensionContext.getDisplayName(), k -> new Stack<>());
    ResourceManager.STORED_RESOURCES.get(extensionContext.getDisplayName()).push(new ResourceItem(() -> this.deleteJaeger()));
    DeploymentUtils.waitForDeploymentAndPodsReady(namespace, JAEGER_OPERATOR_DEPLOYMENT_NAME, 1);
    NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withApiVersion("networking.k8s.io/v1").withKind(Constants.NETWORK_POLICY).withNewMetadata().withName("jaeger-allow").withNamespace(namespace).endMetadata().withNewSpec().addNewIngress().endIngress().withNewPodSelector().addToMatchLabels("app", "jaeger").endPodSelector().withPolicyTypes("Ingress").endSpec().build();
    LOGGER.debug("Creating NetworkPolicy: {}", networkPolicy.toString());
    resourceManager.createResource(extensionContext, networkPolicy);
    LOGGER.info("Network policy for jaeger successfully created");
}
Also used : NetworkPolicy(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy) ResourceItem(io.strimzi.systemtest.resources.ResourceItem) NetworkPolicyBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder)

Example 3 with NetworkPolicyBuilder

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder in project strimzi by strimzi.

the class KafkaConnectCluster method generateNetworkPolicy.

/**
 * Generates the NetworkPolicies relevant for Kafka Connect nodes
 *
 * @param connectorOperatorEnabled Whether the ConnectorOperator is enabled or not
 * @param operatorNamespace                             Namespace where the Strimzi Cluster Operator runs. Null if not configured.
 * @param operatorNamespaceLabels                       Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
 *
 * @return The network policy.
 */
public NetworkPolicy generateNetworkPolicy(boolean connectorOperatorEnabled, String operatorNamespace, Labels operatorNamespaceLabels) {
    if (connectorOperatorEnabled) {
        List<NetworkPolicyIngressRule> rules = new ArrayList<>(2);
        // Give CO access to the REST API
        NetworkPolicyIngressRule restApiRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(REST_API_PORT).withProtocol("TCP").endPort().build();
        // OCP 3.11 doesn't support network policies with the `from` section containing a namespace.
        // Since the CO can run in a different namespace, we have to leave it wide open on OCP 3.11
        // Therefore these rules are set only when using something else than OCP 3.11 and leaving
        // the `from` section empty on 3.11
        List<NetworkPolicyPeer> peers = new ArrayList<>(2);
        // Other connect pods in the same cluster need to talk with each other over the REST API
        NetworkPolicyPeer connectPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(getSelectorLabels().toMap()).endPodSelector().build();
        peers.add(connectPeer);
        // CO needs to talk with the Connect pods to manage connectors
        NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator").endPodSelector().build();
        ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);
        peers.add(clusterOperatorPeer);
        restApiRule.setFrom(peers);
        rules.add(restApiRule);
        // If metrics are enabled, we have to open them as well. Otherwise they will be blocked.
        if (isMetricsEnabled) {
            NetworkPolicyIngressRule metricsRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(METRICS_PORT).withProtocol("TCP").endPort().withFrom().build();
            rules.add(metricsRule);
        }
        NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withNewMetadata().withName(name).withNamespace(namespace).withLabels(labels.toMap()).withOwnerReferences(createOwnerReference()).endMetadata().withNewSpec().withNewPodSelector().addToMatchLabels(getSelectorLabels().toMap()).endPodSelector().withIngress(rules).endSpec().build();
        LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
        return networkPolicy;
    } else {
        return null;
    }
}
Also used : NetworkPolicyPeer(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer) NetworkPolicyIngressRule(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule) NetworkPolicy(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy) ArrayList(java.util.ArrayList) NetworkPolicyIngressRuleBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRuleBuilder) NetworkPolicyBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder) NetworkPolicyPeerBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeerBuilder)

Example 4 with NetworkPolicyBuilder

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder in project strimzi-kafka-operator by strimzi.

the class CruiseControl method generateNetworkPolicy.

/**
 * Generates the NetworkPolicies relevant for Cruise Control
 *
 * @param operatorNamespace                             Namespace where the Strimzi Cluster Operator runs. Null if not configured.
 * @param operatorNamespaceLabels                       Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
 *
 * @return The network policy.
 */
public NetworkPolicy generateNetworkPolicy(String operatorNamespace, Labels operatorNamespaceLabels) {
    List<NetworkPolicyIngressRule> rules = new ArrayList<>(1);
    // CO can access the REST API
    NetworkPolicyIngressRule restApiRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(REST_API_PORT).withProtocol("TCP").endPort().build();
    NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator").endPodSelector().build();
    ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);
    restApiRule.setFrom(Collections.singletonList(clusterOperatorPeer));
    rules.add(restApiRule);
    if (isMetricsEnabled) {
        NetworkPolicyIngressRule metricsRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(METRICS_PORT).withProtocol("TCP").endPort().withFrom().build();
        rules.add(metricsRule);
    }
    NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withNewMetadata().withName(policyName(cluster)).withNamespace(namespace).withLabels(labels.toMap()).withOwnerReferences(createOwnerReference()).endMetadata().withNewSpec().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, cruiseControlName(cluster)).endPodSelector().withIngress(rules).endSpec().build();
    LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
    return networkPolicy;
}
Also used : NetworkPolicyPeer(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer) NetworkPolicyIngressRule(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule) NetworkPolicy(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy) ArrayList(java.util.ArrayList) NetworkPolicyIngressRuleBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRuleBuilder) NetworkPolicyBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder) NetworkPolicyPeerBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeerBuilder)

Example 5 with NetworkPolicyBuilder

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder in project strimzi-kafka-operator by strimzi.

the class KafkaConnectCluster method generateNetworkPolicy.

/**
 * Generates the NetworkPolicies relevant for Kafka Connect nodes
 *
 * @param connectorOperatorEnabled Whether the ConnectorOperator is enabled or not
 * @param operatorNamespace                             Namespace where the Strimzi Cluster Operator runs. Null if not configured.
 * @param operatorNamespaceLabels                       Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
 *
 * @return The network policy.
 */
public NetworkPolicy generateNetworkPolicy(boolean connectorOperatorEnabled, String operatorNamespace, Labels operatorNamespaceLabels) {
    if (connectorOperatorEnabled) {
        List<NetworkPolicyIngressRule> rules = new ArrayList<>(2);
        // Give CO access to the REST API
        NetworkPolicyIngressRule restApiRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(REST_API_PORT).withProtocol("TCP").endPort().build();
        // OCP 3.11 doesn't support network policies with the `from` section containing a namespace.
        // Since the CO can run in a different namespace, we have to leave it wide open on OCP 3.11
        // Therefore these rules are set only when using something else than OCP 3.11 and leaving
        // the `from` section empty on 3.11
        List<NetworkPolicyPeer> peers = new ArrayList<>(2);
        // Other connect pods in the same cluster need to talk with each other over the REST API
        NetworkPolicyPeer connectPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(getSelectorLabels().toMap()).endPodSelector().build();
        peers.add(connectPeer);
        // CO needs to talk with the Connect pods to manage connectors
        NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator").endPodSelector().build();
        ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);
        peers.add(clusterOperatorPeer);
        restApiRule.setFrom(peers);
        rules.add(restApiRule);
        // If metrics are enabled, we have to open them as well. Otherwise they will be blocked.
        if (isMetricsEnabled) {
            NetworkPolicyIngressRule metricsRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(METRICS_PORT).withProtocol("TCP").endPort().withFrom().build();
            rules.add(metricsRule);
        }
        NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withNewMetadata().withName(name).withNamespace(namespace).withLabels(labels.toMap()).withOwnerReferences(createOwnerReference()).endMetadata().withNewSpec().withNewPodSelector().addToMatchLabels(getSelectorLabels().toMap()).endPodSelector().withIngress(rules).endSpec().build();
        LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
        return networkPolicy;
    } else {
        return null;
    }
}
Also used : NetworkPolicyPeer(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer) NetworkPolicyIngressRule(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule) NetworkPolicy(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy) ArrayList(java.util.ArrayList) NetworkPolicyIngressRuleBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRuleBuilder) NetworkPolicyBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder) NetworkPolicyPeerBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeerBuilder)

Aggregations

NetworkPolicy (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy)14 NetworkPolicyBuilder (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder)14 NetworkPolicyIngressRule (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule)8 NetworkPolicyIngressRuleBuilder (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRuleBuilder)8 NetworkPolicyPeer (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer)8 ArrayList (java.util.ArrayList)8 NetworkPolicyPeerBuilder (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeerBuilder)6 LabelSelector (io.fabric8.kubernetes.api.model.LabelSelector)4 DefaultNetworkPolicy (io.strimzi.systemtest.enums.DefaultNetworkPolicy)4 HasMetadata (io.fabric8.kubernetes.api.model.HasMetadata)2 IntOrString (io.fabric8.kubernetes.api.model.IntOrString)2 LabelSelectorBuilder (io.fabric8.kubernetes.api.model.LabelSelectorBuilder)2 NetworkPolicyPort (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPort)2 CustomResource (io.fabric8.kubernetes.client.CustomResource)2 Kafka (io.strimzi.api.kafka.model.Kafka)2 KafkaExporterResources (io.strimzi.api.kafka.model.KafkaExporterResources)2 KafkaResources (io.strimzi.api.kafka.model.KafkaResources)2 Spec (io.strimzi.api.kafka.model.Spec)2 GenericKafkaListener (io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener)2 Status (io.strimzi.api.kafka.model.status.Status)2