Examples with NetworkPolicyIngressRule io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule used on opensource projects

Example 21 with NetworkPolicyIngressRule

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi-kafka-operator by strimzi.

the class CruiseControlTest method testRestApiPortNetworkPolicyWithNamespaceLabels.

@ParallelTest
public void testRestApiPortNetworkPolicyWithNamespaceLabels() {
    NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().withNewNamespaceSelector().withMatchLabels(Collections.singletonMap("nsLabelKey", "nsLabelValue")).endNamespaceSelector().build();
    NetworkPolicy np = cc.generateNetworkPolicy(null, Labels.fromMap(Collections.singletonMap("nsLabelKey", "nsLabelValue")));
    assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(CruiseControl.REST_API_PORT))).findFirst().orElse(null), is(notNullValue()));
    List<NetworkPolicyPeer> rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(CruiseControl.REST_API_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
    assertThat(rules.size(), is(1));
    assertThat(rules.contains(clusterOperatorPeer), is(true));
}

Example 22 with NetworkPolicyIngressRule

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi-kafka-operator by strimzi.

the class CruiseControlTest method testRestApiPortNetworkPolicyInTheSameNamespace.

@ParallelTest
public void testRestApiPortNetworkPolicyInTheSameNamespace() {
    NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().build();
    NetworkPolicy np = cc.generateNetworkPolicy(namespace, null);
    assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(CruiseControl.REST_API_PORT))).findFirst().orElse(null), is(notNullValue()));
    List<NetworkPolicyPeer> rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(CruiseControl.REST_API_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElse(null);
    assertThat(rules.size(), is(1));
    assertThat(rules.contains(clusterOperatorPeer), is(true));
}

Example 23 with NetworkPolicyIngressRule

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi-kafka-operator by strimzi.

the class CruiseControlTest method testRestApiPortNetworkPolicy.

@ParallelTest
public void testRestApiPortNetworkPolicy() {
    NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().withNewNamespaceSelector().endNamespaceSelector().build();
    NetworkPolicy np = cc.generateNetworkPolicy("operator-namespace", null);
    assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(CruiseControl.REST_API_PORT))).findFirst().orElse(null), is(notNullValue()));
    List<NetworkPolicyPeer> rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(CruiseControl.REST_API_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElse(null);
    assertThat(rules.size(), is(1));
    assertThat(rules.contains(clusterOperatorPeer), is(true));
}

Example 24 with NetworkPolicyIngressRule

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi-kafka-operator by strimzi.

the class ZookeeperCluster method generateNetworkPolicy.

/**
 * Generates the NetworkPolicies relevant for ZooKeeper nodes
 *
 * @param operatorNamespace                             Namespace where the Strimzi Cluster Operator runs. Null if not configured.
 * @param operatorNamespaceLabels                       Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
 *
 * @return The network policy.
 */
public NetworkPolicy generateNetworkPolicy(String operatorNamespace, Labels operatorNamespaceLabels) {
    List<NetworkPolicyIngressRule> rules = new ArrayList<>(2);
    NetworkPolicyPort clientsPort = new NetworkPolicyPort();
    clientsPort.setPort(new IntOrString(CLIENT_TLS_PORT));
    clientsPort.setProtocol("TCP");
    NetworkPolicyPort clusteringPort = new NetworkPolicyPort();
    clusteringPort.setPort(new IntOrString(CLUSTERING_PORT));
    clusteringPort.setProtocol("TCP");
    NetworkPolicyPort leaderElectionPort = new NetworkPolicyPort();
    leaderElectionPort.setPort(new IntOrString(LEADER_ELECTION_PORT));
    leaderElectionPort.setProtocol("TCP");
    NetworkPolicyPeer zookeeperClusterPeer = new NetworkPolicyPeer();
    LabelSelector labelSelector2 = new LabelSelector();
    Map<String, String> expressions2 = new HashMap<>(1);
    expressions2.put(Labels.STRIMZI_NAME_LABEL, zookeeperClusterName(cluster));
    labelSelector2.setMatchLabels(expressions2);
    zookeeperClusterPeer.setPodSelector(labelSelector2);
    // Zookeeper only ports - 2888 & 3888 which need to be accessed by the Zookeeper cluster members only
    NetworkPolicyIngressRule zookeeperClusteringIngressRule = new NetworkPolicyIngressRuleBuilder().withPorts(clusteringPort, leaderElectionPort).withFrom(zookeeperClusterPeer).build();
    rules.add(zookeeperClusteringIngressRule);
    // Clients port - needs to be access from outside the Zookeeper cluster as well
    NetworkPolicyIngressRule clientsIngressRule = new NetworkPolicyIngressRuleBuilder().withPorts(clientsPort).withFrom().build();
    NetworkPolicyPeer kafkaClusterPeer = new NetworkPolicyPeer();
    LabelSelector labelSelector = new LabelSelector();
    Map<String, String> expressions = new HashMap<>(1);
    expressions.put(Labels.STRIMZI_NAME_LABEL, KafkaCluster.kafkaClusterName(cluster));
    labelSelector.setMatchLabels(expressions);
    kafkaClusterPeer.setPodSelector(labelSelector);
    NetworkPolicyPeer entityOperatorPeer = new NetworkPolicyPeer();
    LabelSelector labelSelector3 = new LabelSelector();
    Map<String, String> expressions3 = new HashMap<>(1);
    expressions3.put(Labels.STRIMZI_NAME_LABEL, EntityOperator.entityOperatorName(cluster));
    labelSelector3.setMatchLabels(expressions3);
    entityOperatorPeer.setPodSelector(labelSelector3);
    NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeer();
    LabelSelector labelSelector4 = new LabelSelector();
    Map<String, String> expressions4 = new HashMap<>(1);
    expressions4.put(Labels.STRIMZI_KIND_LABEL, "cluster-operator");
    labelSelector4.setMatchLabels(expressions4);
    clusterOperatorPeer.setPodSelector(labelSelector4);
    ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);
    NetworkPolicyPeer cruiseControlPeer = new NetworkPolicyPeer();
    LabelSelector labelSelector5 = new LabelSelector();
    Map<String, String> expressions5 = new HashMap<>(1);
    expressions5.put(Labels.STRIMZI_NAME_LABEL, CruiseControl.cruiseControlName(cluster));
    labelSelector5.setMatchLabels(expressions5);
    cruiseControlPeer.setPodSelector(labelSelector5);
    // This is a hack because we have no guarantee that the CO namespace has some particular labels
    List<NetworkPolicyPeer> clientsPortPeers = new ArrayList<>(4);
    clientsPortPeers.add(kafkaClusterPeer);
    clientsPortPeers.add(zookeeperClusterPeer);
    clientsPortPeers.add(entityOperatorPeer);
    clientsPortPeers.add(clusterOperatorPeer);
    clientsPortPeers.add(cruiseControlPeer);
    clientsIngressRule.setFrom(clientsPortPeers);
    rules.add(clientsIngressRule);
    if (isMetricsEnabled) {
        NetworkPolicyIngressRule metricsRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(METRICS_PORT).withProtocol("TCP").endPort().withFrom().build();
        rules.add(metricsRule);
    }
    if (isJmxEnabled) {
        NetworkPolicyPort jmxPort = new NetworkPolicyPort();
        jmxPort.setPort(new IntOrString(JMX_PORT));
        NetworkPolicyIngressRule jmxRule = new NetworkPolicyIngressRuleBuilder().withPorts(jmxPort).withFrom().build();
        rules.add(jmxRule);
    }
    NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withNewMetadata().withName(policyName(cluster)).withNamespace(namespace).withLabels(labels.toMap()).withOwnerReferences(createOwnerReference()).endMetadata().withNewSpec().withPodSelector(labelSelector2).withIngress(rules).endSpec().build();
    LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
    return networkPolicy;
}

Example 25 with NetworkPolicyIngressRule

use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule in project strimzi-kafka-operator by strimzi.

the class KafkaCluster method generateNetworkPolicy.

/**
 * Generates the NetworkPolicies relevant for Kafka brokers
 *
 * @param operatorNamespace                             Namespace where the Strimzi Cluster Operator runs. Null if not configured.
 * @param operatorNamespaceLabels                       Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
 *
 * @return The network policy.
 */
public NetworkPolicy generateNetworkPolicy(String operatorNamespace, Labels operatorNamespaceLabels) {
    // Internal peers => Strimzi components which need access
    NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator").endPodSelector().build();
    ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);
    NetworkPolicyPeer kafkaClusterPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, kafkaClusterName(cluster)).endPodSelector().build();
    NetworkPolicyPeer entityOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, EntityOperator.entityOperatorName(cluster)).endPodSelector().build();
    NetworkPolicyPeer kafkaExporterPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, KafkaExporter.kafkaExporterName(cluster)).endPodSelector().build();
    NetworkPolicyPeer cruiseControlPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, CruiseControl.cruiseControlName(cluster)).endPodSelector().build();
    // List of network policy rules for all ports
    // Default size is number of listeners configured by the user + 4 (Control Plane listener, replication listener, metrics and JMX)
    List<NetworkPolicyIngressRule> rules = new ArrayList<>(listeners.size() + 4);
    // Control Plane rule covers the control plane listener.
    // Control plane listener is used by Kafka for internal coordination only
    NetworkPolicyIngressRule controlPlaneRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(CONTROLPLANE_PORT).withProtocol("TCP").endPort().build();
    controlPlaneRule.setFrom(List.of(kafkaClusterPeer));
    rules.add(controlPlaneRule);
    // Replication rule covers the replication listener.
    // Replication listener is used by Kafka but also by our own tools => Operators, Cruise Control, and Kafka Exporter
    NetworkPolicyIngressRule replicationRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(REPLICATION_PORT).withProtocol("TCP").endPort().build();
    replicationRule.setFrom(List.of(clusterOperatorPeer, kafkaClusterPeer, entityOperatorPeer, kafkaExporterPeer, cruiseControlPeer));
    rules.add(replicationRule);
    // But users can pass peers in the Kafka CR
    for (GenericKafkaListener listener : listeners) {
        NetworkPolicyIngressRule plainRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(listener.getPort()).withProtocol("TCP").endPort().withFrom(listener.getNetworkPolicyPeers()).build();
        rules.add(plainRule);
    }
    // The Metrics port (if enabled) is opened to all by default
    if (isMetricsEnabled) {
        NetworkPolicyIngressRule metricsRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(METRICS_PORT).withProtocol("TCP").endPort().withFrom().build();
        rules.add(metricsRule);
    }
    // The JMX port (if enabled) is opened to all by default
    if (isJmxEnabled()) {
        NetworkPolicyIngressRule jmxRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(JMX_PORT).withProtocol("TCP").endPort().withFrom().build();
        rules.add(jmxRule);
    }
    // Build the final network policy with all rules covering all the ports
    NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withNewMetadata().withName(networkPolicyName(cluster)).withNamespace(namespace).withLabels(labels.toMap()).withOwnerReferences(createOwnerReference()).endMetadata().withNewSpec().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, kafkaClusterName(cluster)).endPodSelector().withIngress(rules).endSpec().build();
    LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
    return networkPolicy;
}