Use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi-kafka-operator by strimzi.
Class KafkaConnectCluster, method generateNetworkPolicy.
/**
 * Generates the NetworkPolicy that protects the Kafka Connect pods of this cluster.
 *
 * <p>The policy selects the Connect pods by their selector labels and opens the REST API port to
 * exactly two kinds of peers: the other Connect pods of the same cluster (the workers talk to each
 * other over the REST API) and pods carrying {@code Labels.STRIMZI_KIND_LABEL=cluster-operator}, which
 * the Cluster Operator needs in order to manage connectors. The namespace part of that operator peer
 * is filled in by {@code ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector} from the two
 * namespace arguments. Because the operator is identified by a pod label only, the namespace labels
 * are what narrow the peer when the operator runs in a different namespace; without them the helper
 * is expected to fall back to an unrestricted namespace selector (see the sibling Cruise Control and
 * ZooKeeper tests in this listing) – TODO confirm against ModelUtils.
 *
 * <p>If metrics are enabled, the metrics port is added as a rule with no {@code from} entry, which
 * Kubernetes interprets as "from any source": the scrape endpoint is deliberately left unrestricted.
 *
 * @param connectorOperatorEnabled Whether the ConnectorOperator is enabled or not
 * @param operatorNamespace Namespace where the Strimzi Cluster Operator runs. Null if not configured.
 * @param operatorNamespaceLabels Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
 *
 * @return The network policy, or null when the ConnectorOperator is disabled (no policy is generated then).
 */
public NetworkPolicy generateNetworkPolicy(boolean connectorOperatorEnabled, String operatorNamespace, Labels operatorNamespaceLabels) {
    if (!connectorOperatorEnabled) {
        return null;
    }

    // Peer 1: the other workers of this Connect cluster, which forward REST calls among themselves
    NetworkPolicyPeer fellowWorkersPeer = new NetworkPolicyPeerBuilder()
            .withNewPodSelector()
                .addToMatchLabels(getSelectorLabels().toMap())
            .endPodSelector()
            .build();

    // Peer 2: the Cluster Operator, matched by its kind label. Which namespaces the peer covers
    // (same namespace / explicit labels / fallback) is decided by the ModelUtils helper.
    NetworkPolicyPeer operatorPeer = new NetworkPolicyPeerBuilder()
            .withNewPodSelector()
                .addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator")
            .endPodSelector()
            .build();
    ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(operatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);

    List<NetworkPolicyPeer> restApiPeers = new ArrayList<>(2);
    restApiPeers.add(fellowWorkersPeer);
    restApiPeers.add(operatorPeer);

    NetworkPolicyIngressRule restApiRule = new NetworkPolicyIngressRuleBuilder()
            .addNewPort()
                .withNewPort(REST_API_PORT)
                .withProtocol("TCP")
            .endPort()
            .withFrom(restApiPeers)
            .build();

    List<NetworkPolicyIngressRule> ingressRules = new ArrayList<>(2);
    ingressRules.add(restApiRule);

    if (isMetricsEnabled) {
        // Metrics must be reachable by the scraper; an empty `from` means any source may connect.
        ingressRules.add(new NetworkPolicyIngressRuleBuilder()
                .addNewPort()
                    .withNewPort(METRICS_PORT)
                    .withProtocol("TCP")
                .endPort()
                .withFrom()
                .build());
    }

    NetworkPolicy policy = new NetworkPolicyBuilder()
            .withNewMetadata()
                .withName(name)
                .withNamespace(namespace)
                .withLabels(labels.toMap())
                .withOwnerReferences(createOwnerReference())
            .endMetadata()
            .withNewSpec()
                .withNewPodSelector()
                    .addToMatchLabels(getSelectorLabels().toMap())
                .endPodSelector()
                .withIngress(ingressRules)
            .endSpec()
            .build();
    LOGGER.traceCr(reconciliation, "Created network policy {}", policy);
    return policy;
}
Use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project onos by opennetworkinglab.
Class K8sNetworkPolicyHandler, method setAllowRulesByPolicy.
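/**
 * Installs or removes the allow rules that realise one Kubernetes NetworkPolicy.
 *
 * <p>Rule expansion, per direction (ingress uses {@code from}, egress uses {@code to}):
 * <ul>
 *   <li>A policy whose single ingress (egress) rule lists neither peers nor ports is an
 *       "allow everything" rule and becomes a namespace-wide allow-all.</li>
 *   <li>An {@code ipBlock} peer becomes an allow entry for its CIDR; a non-empty {@code except}
 *       list additionally becomes block rules for the excluded ranges.</li>
 *   <li>A pod selector becomes one allow entry per matched pod IP, stored under the plain
 *       {@code ip/HOST_PREFIX} key and under the key derived via {@code shiftIpDomain}.</li>
 *   <li>A namespace selector becomes namespace-level allow rules.</li>
 * </ul>
 * CIDR allowances are accumulated as {@code cidr -> (direction -> ports)} and installed once at the
 * end, so a CIDR named by both an ingress and an egress rule ends up with both directions. Each CIDR
 * owns its own inner map; the previous implementation shared one map object among all peers of a rule
 * and mutated it in place for egress, which silently widened the egress allowance to unrelated CIDRs.
 *
 * <p>Known limitations, left as they are: a rule with an empty peer list but a non-empty port list
 * (Kubernetes: "any source, these ports") is expanded peer by peer and therefore yields no allow entry,
 * so this handler never opens those ports (it fails closed rather than open). A peer carrying both a
 * pod selector and a namespace selector is handled by two independent steps; whether
 * {@code namespacesByPolicyPeer} restricts the namespace rule when a pod selector is present is not
 * visible here – TODO confirm, otherwise such a peer is widened to whole namespaces.
 * {@code setBlackToRouteRules(true)} is called regardless of {@code install}, as before.
 *
 * @param policy  the NetworkPolicy to translate; absent ingress/egress/peer/port lists are treated as empty
 * @param install {@code true} to install the rules, {@code false} to remove them
 */
private void setAllowRulesByPolicy(NetworkPolicy policy, boolean install) {
    String policyNamespace = policy.getMetadata().getNamespace();
    int nsHash = namespaceHashByNamespace(k8sNamespaceService, policyNamespace);
    // cidr -> (direction -> allowed ports); every key gets a distinct inner map, see mergeAllowedPorts
    Map<String, Map<String, List<NetworkPolicyPort>>> white = Maps.newConcurrentMap();

    List<NetworkPolicyIngressRule> ingress = orEmpty(policy.getSpec().getIngress());
    if (ingress.size() == 1 && isAllowAll(ingress.get(0).getFrom(), ingress.get(0).getPorts())) {
        setAllowAllRule(nsHash, DIRECTION_INGRESS, install);
    }
    for (NetworkPolicyIngressRule rule : ingress) {
        collectPeerAllowances(policyNamespace, nsHash, DIRECTION_INGRESS,
                orEmpty(rule.getFrom()), orEmpty(rule.getPorts()), white, install);
    }

    List<NetworkPolicyEgressRule> egress = orEmpty(policy.getSpec().getEgress());
    if (egress.size() == 1 && isAllowAll(egress.get(0).getTo(), egress.get(0).getPorts())) {
        setAllowAllRule(nsHash, DIRECTION_EGRESS, install);
    }
    for (NetworkPolicyEgressRule rule : egress) {
        collectPeerAllowances(policyNamespace, nsHash, DIRECTION_EGRESS,
                orEmpty(rule.getTo()), orEmpty(rule.getPorts()), white, install);
    }

    setAllowRules(nsHash, white, install);
    setBlackToRouteRules(true);
}

/** A rule that names neither peers nor ports means "allow all" in Kubernetes. */
private static boolean isAllowAll(List<NetworkPolicyPeer> peers, List<NetworkPolicyPort> ports) {
    return orEmpty(peers).isEmpty() && orEmpty(ports).isEmpty();
}

/** Treats an absent (null) list the same way as an empty one. */
private static <T> List<T> orEmpty(List<T> list) {
    return list == null ? java.util.Collections.emptyList() : list;
}

/**
 * Expands the peers of one ingress or egress rule: CIDR allowances go into {@code white}, while the
 * block rules for {@code except} ranges and the namespace-level rules are installed directly.
 *
 * @param policyNamespace namespace of the policy, used to resolve pod selectors
 * @param nsHash          hash of that namespace, as expected by the rule installers
 * @param direction       {@code DIRECTION_INGRESS} or {@code DIRECTION_EGRESS}
 * @param peers           the rule's {@code from} / {@code to} peers (non-null)
 * @param ports           the rule's ports (non-null)
 * @param white           accumulator of {@code cidr -> (direction -> ports)}
 * @param install         install or remove
 */
private void collectPeerAllowances(String policyNamespace, int nsHash, String direction,
                                   List<NetworkPolicyPeer> peers, List<NetworkPolicyPort> ports,
                                   Map<String, Map<String, List<NetworkPolicyPort>>> white,
                                   boolean install) {
    for (NetworkPolicyPeer peer : peers) {
        // IP block: allow the CIDR, block the excepted ranges
        if (peer.getIpBlock() != null) {
            String cidr = peer.getIpBlock().getCidr();
            mergeAllowedPorts(white, cidr, direction, ports);
            if (peer.getIpBlock().getExcept() != null && !peer.getIpBlock().getExcept().isEmpty()) {
                setBlackRules(cidr, direction, peer.getIpBlock().getExcept(), install);
            }
        }
        // Pod selector: allow every matched pod that already has an IP assigned
        for (Pod pod : podsFromPolicyPeer(peer, policyNamespace)) {
            if (pod.getStatus() == null || pod.getStatus().getPodIP() == null) {
                continue;
            }
            String podIp = pod.getStatus().getPodIP();
            mergeAllowedPorts(white, shiftIpDomain(podIp, SHIFTED_IP_PREFIX) + "/" + HOST_PREFIX, direction, ports);
            mergeAllowedPorts(white, podIp + "/" + HOST_PREFIX, direction, ports);
        }
        // Namespace selector
        setAllowNamespaceRules(nsHash, namespacesByPolicyPeer(peer), direction, install);
    }
}

/**
 * Records {@code direction -> ports} for {@code cidr}, creating the per-CIDR map on first use.
 *
 * <p>The inner map is never shared between keys: storing one map object under several CIDRs and then
 * mutating it for one of them would grant the new direction to every CIDR aliasing that object.
 */
private static void mergeAllowedPorts(Map<String, Map<String, List<NetworkPolicyPort>>> white,
                                      String cidr, String direction, List<NetworkPolicyPort> ports) {
    white.compute(cidr, (key, existing) -> {
        Map<String, List<NetworkPolicyPort>> allowed = existing;
        if (allowed == null) {
            allowed = Maps.newConcurrentMap();
        }
        allowed.put(direction, ports);
        return allowed;
    });
}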
Use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi by strimzi.
Class CruiseControlTest, method testRestApiPortNetworkPolicyInTheSameNamespace.
/**
 * Cluster Operator running in the same namespace as Cruise Control: the REST API rule must admit
 * exactly one peer, the pod labelled as the cluster operator, and that peer must carry no namespace
 * selector – so only pods of this namespace can satisfy it.
 */
@ParallelTest
public void testRestApiPortNetworkPolicyInTheSameNamespace() {
    NetworkPolicy np = cc.generateNetworkPolicy(namespace, null);

    NetworkPolicyIngressRule restApiRule = np.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(new IntOrString(CruiseControl.REST_API_PORT)))
            .findFirst()
            .orElse(null);
    assertThat(restApiRule, is(notNullValue()));

    NetworkPolicyPeer expectedOperatorPeer = new NetworkPolicyPeerBuilder()
            .withNewPodSelector()
                .withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator"))
            .endPodSelector()
            .build();
    List<NetworkPolicyPeer> peers = restApiRule.getFrom();
    assertThat(peers.size(), is(1));
    assertThat(peers.contains(expectedOperatorPeer), is(true));
}
Use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi by strimzi.
Class CruiseControlTest, method testRestApiPortNetworkPolicy.
/**
 * Cluster Operator running in another namespace, with no operator namespace labels configured: the REST
 * API rule must admit exactly one peer, the cluster-operator pod selector combined with an EMPTY
 * namespace selector. Note what this pins down: an empty namespace selector matches every namespace,
 * so in this configuration any pod in any namespace that carries the cluster-operator label may reach
 * the Cruise Control REST API; supplying the namespace labels (second argument) is what narrows it.
 */
@ParallelTest
public void testRestApiPortNetworkPolicy() {
    NetworkPolicy np = cc.generateNetworkPolicy("operator-namespace", null);

    NetworkPolicyIngressRule restApiRule = np.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(new IntOrString(CruiseControl.REST_API_PORT)))
            .findFirst()
            .orElse(null);
    assertThat(restApiRule, is(notNullValue()));

    NetworkPolicyPeer expectedOperatorPeer = new NetworkPolicyPeerBuilder()
            .withNewPodSelector()
                .withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator"))
            .endPodSelector()
            .withNewNamespaceSelector()
            .endNamespaceSelector()
            .build();
    List<NetworkPolicyPeer> peers = restApiRule.getFrom();
    assertThat(peers.size(), is(1));
    assertThat(peers.contains(expectedOperatorPeer), is(true));
}
Use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi by strimzi.
Class ZookeeperClusterTest, method testNetworkPolicyNewKubernetesVersions.
/**
 * Checks the ZooKeeper NetworkPolicy on Kubernetes versions that support namespace selectors.
 *
 * <p>Expected shape: three ingress rules on the pods selected by the ZooKeeper name label –
 * (1) the quorum ports 2888/3888, reachable only from ZooKeeper pods; (2) the TLS client port,
 * reachable from Kafka, ZooKeeper, the Entity Operator, the Cluster Operator and Cruise Control, in that
 * order; (3) the metrics port 9404 with no {@code from} entry at all, i.e. open to any source.
 *
 * <p>The Cluster Operator peer is then checked across four namespace configurations: a different
 * operator namespace without labels yields an empty namespace selector (which matches every namespace,
 * so any pod anywhere carrying the cluster-operator label is admitted); the same namespace yields no
 * namespace selector at all, whether or not labels are given; a different namespace with labels yields
 * a namespace selector on exactly those labels.
 */
@ParallelTest
public void testNetworkPolicyNewKubernetesVersions() {
    Kafka kafkaAssembly = ResourceUtils.createKafka(namespace, cluster, replicas, image, healthDelay, healthTimeout, jmxMetricsConfig, configurationJson, emptyMap());
    kafkaAssembly.getSpec().getKafka().setRack(new RackBuilder().withTopologyKey("topology-key").build());
    ZookeeperCluster zc = ZookeeperCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, VERSIONS);
    String zooName = ZookeeperCluster.zookeeperClusterName(zc.getCluster());

    // Operator in another namespace, no namespace labels
    NetworkPolicy np = zc.generateNetworkPolicy("operator-namespace", null);
    assertThat(np.getSpec().getPodSelector(), is(selectorOn(Labels.STRIMZI_NAME_LABEL, zooName)));

    List<NetworkPolicyIngressRule> rules = np.getSpec().getIngress();
    assertThat(rules.size(), is(3));

    // Rule 0: quorum ports 2888 and 3888, ZooKeeper pods only
    NetworkPolicyIngressRule quorumRule = rules.get(0);
    assertThat(quorumRule.getPorts().size(), is(2));
    assertThat(quorumRule.getPorts().get(0).getPort(), is(new IntOrString(2888)));
    assertThat(quorumRule.getPorts().get(1).getPort(), is(new IntOrString(3888)));
    assertThat(quorumRule.getFrom().size(), is(1));
    assertThat(quorumRule.getFrom().get(0),
            is(new NetworkPolicyPeerBuilder().withPodSelector(selectorOn(Labels.STRIMZI_NAME_LABEL, zooName)).build()));

    // Rule 1: TLS client port, five peers in a fixed order
    NetworkPolicyIngressRule clientsRule = rules.get(1);
    assertThat(clientsRule.getPorts().size(), is(1));
    assertThat(clientsRule.getPorts().get(0).getPort(), is(new IntOrString(ZookeeperCluster.CLIENT_TLS_PORT)));
    assertThat(clientsRule.getFrom().size(), is(5));
    assertThat(clientsRule.getFrom().get(0),
            is(new NetworkPolicyPeerBuilder().withPodSelector(selectorOn(Labels.STRIMZI_NAME_LABEL, KafkaCluster.kafkaClusterName(zc.getCluster()))).build()));
    assertThat(clientsRule.getFrom().get(1),
            is(new NetworkPolicyPeerBuilder().withPodSelector(selectorOn(Labels.STRIMZI_NAME_LABEL, zooName)).build()));
    assertThat(clientsRule.getFrom().get(2),
            is(new NetworkPolicyPeerBuilder().withPodSelector(selectorOn(Labels.STRIMZI_NAME_LABEL, EntityOperator.entityOperatorName(zc.getCluster()))).build()));
    // Cluster Operator peer: an empty namespace selector means "any namespace"
    assertThat(clientsRule.getFrom().get(3),
            is(new NetworkPolicyPeerBuilder()
                    .withPodSelector(selectorOn(Labels.STRIMZI_KIND_LABEL, "cluster-operator"))
                    .withNamespaceSelector(new LabelSelector())
                    .build()));
    assertThat(clientsRule.getFrom().get(4),
            is(new NetworkPolicyPeerBuilder().withPodSelector(selectorOn(Labels.STRIMZI_NAME_LABEL, CruiseControl.cruiseControlName(zc.getCluster()))).build()));

    // Rule 2: metrics port 9404, no `from` restriction at all
    NetworkPolicyIngressRule metricsRule = rules.get(2);
    assertThat(metricsRule.getPorts().size(), is(1));
    assertThat(metricsRule.getPorts().get(0).getPort(), is(new IntOrString(9404)));
    assertThat(metricsRule.getFrom().size(), is(0));

    // Operator in the same namespace: no namespace selector on its peer
    np = zc.generateNetworkPolicy(namespace, null);
    assertThat(np.getSpec().getIngress().get(1).getFrom().get(3),
            is(new NetworkPolicyPeerBuilder().withPodSelector(selectorOn(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).build()));

    // Same namespace with labels: the labels are ignored, still no namespace selector
    np = zc.generateNetworkPolicy(namespace, Labels.fromMap(Collections.singletonMap("nsLabelKey", "nsLabelValue")));
    assertThat(np.getSpec().getIngress().get(1).getFrom().get(3),
            is(new NetworkPolicyPeerBuilder().withPodSelector(selectorOn(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).build()));

    // Other namespace with labels: the namespace selector is narrowed to exactly those labels
    np = zc.generateNetworkPolicy("operator-namespace", Labels.fromMap(Collections.singletonMap("nsLabelKey", "nsLabelValue")));
    assertThat(np.getSpec().getIngress().get(1).getFrom().get(3),
            is(new NetworkPolicyPeerBuilder()
                    .withPodSelector(selectorOn(Labels.STRIMZI_KIND_LABEL, "cluster-operator"))
                    .withNamespaceSelector(selectorOn("nsLabelKey", "nsLabelValue"))
                    .build()));
}

/** A LabelSelector whose matchLabels hold exactly the single {@code key=value} pair. */
private static LabelSelector selectorOn(String key, String value) {
    LabelSelector selector = new LabelSelector();
    selector.setMatchLabels(Collections.singletonMap(key, value));
    return selector;
}