Examples with NetworkPolicyIngressRule io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule used on opensource projects

Example 1 with NetworkPolicyIngressRule

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi by strimzi.

the class KafkaConnectCluster method generateNetworkPolicy.

/**
 * Generates the NetworkPolicies relevant for Kafka Connect nodes
 *
 * @param connectorOperatorEnabled Whether the ConnectorOperator is enabled or not
 * @param operatorNamespace                             Namespace where the Strimzi Cluster Operator runs. Null if not configured.
 * @param operatorNamespaceLabels                       Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
 *
 * @return The network policy.
 */
public NetworkPolicy generateNetworkPolicy(boolean connectorOperatorEnabled, String operatorNamespace, Labels operatorNamespaceLabels) {
    if (connectorOperatorEnabled) {
        List<NetworkPolicyIngressRule> rules = new ArrayList<>(2);
        // Give CO access to the REST API
        NetworkPolicyIngressRule restApiRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(REST_API_PORT).withProtocol("TCP").endPort().build();
        // OCP 3.11 doesn't support network policies with the `from` section containing a namespace.
        // Since the CO can run in a different namespace, we have to leave it wide open on OCP 3.11
        // Therefore these rules are set only when using something else than OCP 3.11 and leaving
        // the `from` section empty on 3.11
        List<NetworkPolicyPeer> peers = new ArrayList<>(2);
        // Other connect pods in the same cluster need to talk with each other over the REST API
        NetworkPolicyPeer connectPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(getSelectorLabels().toMap()).endPodSelector().build();
        peers.add(connectPeer);
        // CO needs to talk with the Connect pods to manage connectors
        NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator").endPodSelector().build();
        ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);
        peers.add(clusterOperatorPeer);
        restApiRule.setFrom(peers);
        rules.add(restApiRule);
        // If metrics are enabled, we have to open them as well. Otherwise they will be blocked.
        if (isMetricsEnabled) {
            NetworkPolicyIngressRule metricsRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(METRICS_PORT).withProtocol("TCP").endPort().withFrom().build();
            rules.add(metricsRule);
        }
        NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withNewMetadata().withName(name).withNamespace(namespace).withLabels(labels.toMap()).withOwnerReferences(createOwnerReference()).endMetadata().withNewSpec().withNewPodSelector().addToMatchLabels(getSelectorLabels().toMap()).endPodSelector().withIngress(rules).endSpec().build();
        LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
        return networkPolicy;
    } else {
        return null;
    }
}

Example 2 with NetworkPolicyIngressRule

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi by strimzi.

the class CruiseControlTest method testRestApiPortNetworkPolicyWithNamespaceLabels.

@ParallelTest
public void testRestApiPortNetworkPolicyWithNamespaceLabels() {
    NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().withNewNamespaceSelector().withMatchLabels(Collections.singletonMap("nsLabelKey", "nsLabelValue")).endNamespaceSelector().build();
    NetworkPolicy np = cc.generateNetworkPolicy(null, Labels.fromMap(Collections.singletonMap("nsLabelKey", "nsLabelValue")));
    assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(CruiseControl.REST_API_PORT))).findFirst().orElse(null), is(notNullValue()));
    List<NetworkPolicyPeer> rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(CruiseControl.REST_API_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
    assertThat(rules.size(), is(1));
    assertThat(rules.contains(clusterOperatorPeer), is(true));
}

Example 3 with NetworkPolicyIngressRule

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi by strimzi.

the class KafkaClusterTest method testReplicationPortNetworkPolicy.

@ParallelTest
public void testReplicationPortNetworkPolicy() {
    NetworkPolicyPeer kafkaBrokersPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, KafkaCluster.kafkaClusterName(cluster))).endPodSelector().build();
    NetworkPolicyPeer eoPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, EntityOperator.entityOperatorName(cluster))).endPodSelector().build();
    NetworkPolicyPeer kafkaExporterPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, KafkaExporter.kafkaExporterName(cluster))).endPodSelector().build();
    NetworkPolicyPeer cruiseControlPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, CruiseControl.cruiseControlName(cluster))).endPodSelector().build();
    NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().withNewNamespaceSelector().endNamespaceSelector().build();
    NetworkPolicyPeer clusterOperatorPeerSameNamespace = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().build();
    NetworkPolicyPeer clusterOperatorPeerNamespaceWithLabels = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().withNewNamespaceSelector().withMatchLabels(Collections.singletonMap("nsLabelKey", "nsLabelValue")).endNamespaceSelector().build();
    Kafka kafkaAssembly = ResourceUtils.createKafka(namespace, cluster, replicas, image, healthDelay, healthTimeout, jmxMetricsConfig, configuration, emptyMap());
    KafkaCluster k = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, VERSIONS);
    // Check Network Policies => Different namespace
    NetworkPolicy np = k.generateNetworkPolicy("operator-namespace", null);
    assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).findFirst().orElse(null), is(notNullValue()));
    List<NetworkPolicyPeer> rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
    assertThat(rules.size(), is(5));
    assertThat(rules.contains(kafkaBrokersPeer), is(true));
    assertThat(rules.contains(eoPeer), is(true));
    assertThat(rules.contains(kafkaExporterPeer), is(true));
    assertThat(rules.contains(cruiseControlPeer), is(true));
    assertThat(rules.contains(clusterOperatorPeer), is(true));
    // Check Network Policies => Same namespace
    np = k.generateNetworkPolicy(namespace, null);
    assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).findFirst().orElse(null), is(notNullValue()));
    rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
    assertThat(rules.size(), is(5));
    assertThat(rules.contains(kafkaBrokersPeer), is(true));
    assertThat(rules.contains(eoPeer), is(true));
    assertThat(rules.contains(kafkaExporterPeer), is(true));
    assertThat(rules.contains(cruiseControlPeer), is(true));
    assertThat(rules.contains(clusterOperatorPeerSameNamespace), is(true));
    // Check Network Policies => Namespace with Labels
    np = k.generateNetworkPolicy("operator-namespace", Labels.fromMap(Collections.singletonMap("nsLabelKey", "nsLabelValue")));
    assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).findFirst().orElse(null), is(notNullValue()));
    rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
    assertThat(rules.size(), is(5));
    assertThat(rules.contains(kafkaBrokersPeer), is(true));
    assertThat(rules.contains(eoPeer), is(true));
    assertThat(rules.contains(kafkaExporterPeer), is(true));
    assertThat(rules.contains(cruiseControlPeer), is(true));
    assertThat(rules.contains(clusterOperatorPeerNamespaceWithLabels), is(true));
}

Example 4 with NetworkPolicyIngressRule

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi by strimzi.

the class KafkaClusterTest method testControlPlanePortNetworkPolicy.

@ParallelTest
public void testControlPlanePortNetworkPolicy() {
    NetworkPolicyPeer kafkaBrokersPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, KafkaCluster.kafkaClusterName(cluster))).endPodSelector().build();
    Kafka kafkaAssembly = ResourceUtils.createKafka(namespace, cluster, replicas, image, healthDelay, healthTimeout, jmxMetricsConfig, configuration, emptyMap());
    KafkaCluster k = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, VERSIONS);
    // Check Network Policies => Different namespace
    NetworkPolicy np = k.generateNetworkPolicy("operator-namespace", null);
    assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.CONTROLPLANE_PORT))).findFirst().orElse(null), is(notNullValue()));
    List<NetworkPolicyPeer> rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.CONTROLPLANE_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
    assertThat(rules.size(), is(1));
    assertThat(rules.contains(kafkaBrokersPeer), is(true));
}

Example 5 with NetworkPolicyIngressRule

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi by strimzi.

the class KafkaClusterTest method testNetworkPolicyPeers.

@ParallelTest
public void testNetworkPolicyPeers() {
    NetworkPolicyPeer peer1 = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchExpressions(new LabelSelectorRequirementBuilder().withKey("my-key1").withValues("my-value1").build()).endPodSelector().build();
    NetworkPolicyPeer peer2 = new NetworkPolicyPeerBuilder().withNewNamespaceSelector().withMatchExpressions(new LabelSelectorRequirementBuilder().withKey("my-key2").withValues("my-value2").build()).endNamespaceSelector().build();
    Kafka kafkaAssembly = new KafkaBuilder(ResourceUtils.createKafka(namespace, cluster, replicas, image, healthDelay, healthTimeout, jmxMetricsConfig, configuration, emptyMap())).editSpec().editKafka().withListeners(new GenericKafkaListenerBuilder().withName("plain").withPort(9092).withType(KafkaListenerType.INTERNAL).withNetworkPolicyPeers(peer1).withTls(false).build(), new GenericKafkaListenerBuilder().withName("tls").withPort(9093).withType(KafkaListenerType.INTERNAL).withTls(true).withNetworkPolicyPeers(peer2).build(), new GenericKafkaListenerBuilder().withName("external").withPort(9094).withType(KafkaListenerType.ROUTE).withTls(true).withNetworkPolicyPeers(peer1, peer2).build()).endKafka().endSpec().build();
    KafkaCluster k = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, VERSIONS);
    // Check Network Policies
    NetworkPolicy np = k.generateNetworkPolicy(null, null);
    List<NetworkPolicyIngressRule> rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(9092))).collect(Collectors.toList());
    assertThat(rules.size(), is(1));
    assertThat(rules.get(0).getFrom().get(0), is(peer1));
    rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(9093))).collect(Collectors.toList());
    assertThat(rules.size(), is(1));
    assertThat(rules.get(0).getFrom().get(0), is(peer2));
    rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(9094))).collect(Collectors.toList());
    assertThat(rules.size(), is(1));
    assertThat(rules.get(0).getFrom().size(), is(2));
    assertThat(rules.get(0).getFrom().contains(peer1), is(true));
    assertThat(rules.get(0).getFrom().contains(peer2), is(true));
}