Example 11 with NetworkPolicyPeer
use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer in project strimzi-kafka-operator by strimzi.
the class KafkaClusterTest method testNetworkPolicyPeers.
@ParallelTest
public void testNetworkPolicyPeers() {
NetworkPolicyPeer peer1 = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchExpressions(new LabelSelectorRequirementBuilder().withKey("my-key1").withValues("my-value1").build()).endPodSelector().build();
NetworkPolicyPeer peer2 = new NetworkPolicyPeerBuilder().withNewNamespaceSelector().withMatchExpressions(new LabelSelectorRequirementBuilder().withKey("my-key2").withValues("my-value2").build()).endNamespaceSelector().build();
Kafka kafkaAssembly = new KafkaBuilder(ResourceUtils.createKafka(namespace, cluster, replicas, image, healthDelay, healthTimeout, jmxMetricsConfig, configuration, emptyMap())).editSpec().editKafka().withListeners(new GenericKafkaListenerBuilder().withName("plain").withPort(9092).withType(KafkaListenerType.INTERNAL).withNetworkPolicyPeers(peer1).withTls(false).build(), new GenericKafkaListenerBuilder().withName("tls").withPort(9093).withType(KafkaListenerType.INTERNAL).withTls(true).withNetworkPolicyPeers(peer2).build(), new GenericKafkaListenerBuilder().withName("external").withPort(9094).withType(KafkaListenerType.ROUTE).withTls(true).withNetworkPolicyPeers(peer1, peer2).build()).endKafka().endSpec().build();
KafkaCluster k = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, VERSIONS);
// Check Network Policies
NetworkPolicy np = k.generateNetworkPolicy(null, null);
List<NetworkPolicyIngressRule> rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(9092))).collect(Collectors.toList());
assertThat(rules.size(), is(1));
assertThat(rules.get(0).getFrom().get(0), is(peer1));
rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(9093))).collect(Collectors.toList());
assertThat(rules.size(), is(1));
assertThat(rules.get(0).getFrom().get(0), is(peer2));
rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(9094))).collect(Collectors.toList());
assertThat(rules.size(), is(1));
assertThat(rules.get(0).getFrom().size(), is(2));
assertThat(rules.get(0).getFrom().contains(peer1), is(true));
assertThat(rules.get(0).getFrom().contains(peer2), is(true));
}
Also used :
Quantity(io.fabric8.kubernetes.api.model.Quantity)
VolumeMount(io.fabric8.kubernetes.api.model.VolumeMount)
ExternalTrafficPolicy(io.strimzi.api.kafka.model.template.ExternalTrafficPolicy)
PersistentClaimStorageOverrideBuilder(io.strimzi.api.kafka.model.storage.PersistentClaimStorageOverrideBuilder)
IntOrString(io.fabric8.kubernetes.api.model.IntOrString)
KafkaExporterResources(io.strimzi.api.kafka.model.KafkaExporterResources)
Rack(io.strimzi.api.kafka.model.Rack)
GenericKafkaListenerConfigurationBrokerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerConfigurationBrokerBuilder)
SecurityContextBuilder(io.fabric8.kubernetes.api.model.SecurityContextBuilder)
PodDisruptionBudget(io.fabric8.kubernetes.api.model.policy.v1.PodDisruptionBudget)
Collections.singletonList(java.util.Collections.singletonList)
ResourceRequirements(io.fabric8.kubernetes.api.model.ResourceRequirements)
KafkaResources(io.strimzi.api.kafka.model.KafkaResources)
Arrays.asList(java.util.Arrays.asList)
Map(java.util.Map)
ContainerEnvVar(io.strimzi.api.kafka.model.ContainerEnvVar)
KafkaJmxOptionsBuilder(io.strimzi.api.kafka.model.KafkaJmxOptionsBuilder)
LabelSelectorBuilder(io.fabric8.kubernetes.api.model.LabelSelectorBuilder)
CertSecretSource(io.strimzi.api.kafka.model.CertSecretSource)
JbodStorageBuilder(io.strimzi.api.kafka.model.storage.JbodStorageBuilder)
Matchers.allOf(org.hamcrest.Matchers.allOf)
Set(java.util.Set)
GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder)
HasMetadata(io.fabric8.kubernetes.api.model.HasMetadata)
ZoneId(java.time.ZoneId)
GenericSecretSourceBuilder(io.strimzi.api.kafka.model.GenericSecretSourceBuilder)
PodSecurityContextBuilder(io.fabric8.kubernetes.api.model.PodSecurityContextBuilder)
Matchers.contains(org.hamcrest.Matchers.contains)
PasswordGenerator(io.strimzi.operator.common.PasswordGenerator)
HostAliasBuilder(io.fabric8.kubernetes.api.model.HostAliasBuilder)
KafkaListenerAuthenticationOAuthBuilder(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder)
PersistentVolumeClaim(io.fabric8.kubernetes.api.model.PersistentVolumeClaim)
Matchers.containsString(org.hamcrest.Matchers.containsString)
Assertions.assertThrows(org.junit.jupiter.api.Assertions.assertThrows)
ClusterRoleBinding(io.fabric8.kubernetes.api.model.rbac.ClusterRoleBinding)
EnvVar(io.fabric8.kubernetes.api.model.EnvVar)
CoreMatchers.equalTo(org.hamcrest.CoreMatchers.equalTo)
ResourceRequirementsBuilder(io.fabric8.kubernetes.api.model.ResourceRequirementsBuilder)
IpFamily(io.strimzi.api.kafka.model.template.IpFamily)
LocalObjectReference(io.fabric8.kubernetes.api.model.LocalObjectReference)
OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference)
GenericKafkaListenerConfigurationBootstrapBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerConfigurationBootstrapBuilder)
KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder)
ArrayList(java.util.ArrayList)
Matchers.hasProperty(org.hamcrest.Matchers.hasProperty)
PersistentClaimStorageBuilder(io.strimzi.api.kafka.model.storage.PersistentClaimStorageBuilder)
GenericKafkaListenerConfigurationBroker(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerConfigurationBroker)
SecurityContext(io.fabric8.kubernetes.api.model.SecurityContext)
KafkaVersionTestUtils(io.strimzi.operator.cluster.KafkaVersionTestUtils)
PodSpec(io.fabric8.kubernetes.api.model.PodSpec)
KafkaListenerAuthenticationCustomBuilder(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationCustomBuilder)
MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat)
CoreMatchers.nullValue(org.hamcrest.CoreMatchers.nullValue)
KafkaJmxAuthenticationPasswordBuilder(io.strimzi.api.kafka.model.KafkaJmxAuthenticationPasswordBuilder)
IOException(java.io.IOException)
StatefulSet(io.fabric8.kubernetes.api.model.apps.StatefulSet)
ConfigMap(io.fabric8.kubernetes.api.model.ConfigMap)
ContainerPort(io.fabric8.kubernetes.api.model.ContainerPort)
Reconciliation(io.strimzi.operator.common.Reconciliation)
Util(io.strimzi.operator.common.Util)
KafkaListenerType(io.strimzi.api.kafka.model.listener.arraylistener.KafkaListenerType)
SystemPropertyBuilder(io.strimzi.api.kafka.model.SystemPropertyBuilder)
ConfigMapKeySelectorBuilder(io.fabric8.kubernetes.api.model.ConfigMapKeySelectorBuilder)
NetworkPolicyPeer(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer)
OpenSslCertManager(io.strimzi.certs.OpenSslCertManager)
X509Certificate(java.security.cert.X509Certificate)
CoreMatchers.is(org.hamcrest.CoreMatchers.is)
CoreMatchers(org.hamcrest.CoreMatchers)
CoreMatchers.hasItem(org.hamcrest.CoreMatchers.hasItem)
Storage(io.strimzi.api.kafka.model.storage.Storage)
ParallelSuite(io.strimzi.test.annotations.ParallelSuite)
Matchers.hasKey(org.hamcrest.Matchers.hasKey)
CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue)
NetworkPolicyIngressRule(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule)
Route(io.fabric8.openshift.api.model.Route)
SystemProperty(io.strimzi.api.kafka.model.SystemProperty)
ResourceUtils(io.strimzi.operator.cluster.ResourceUtils)
KafkaAuthorizationKeycloakBuilder(io.strimzi.api.kafka.model.KafkaAuthorizationKeycloakBuilder)
IpFamilyPolicy(io.strimzi.api.kafka.model.template.IpFamilyPolicy)
ParallelTest(io.strimzi.test.annotations.ParallelTest)
Collections.emptyList(java.util.Collections.emptyList)
Collectors(java.util.stream.Collectors)
CruiseControlResources(io.strimzi.api.kafka.model.CruiseControlResources)
List(java.util.List)
CertSecretSourceBuilder(io.strimzi.api.kafka.model.CertSecretSourceBuilder)
Labels(io.strimzi.operator.common.model.Labels)
NodeAddressType(io.strimzi.api.kafka.model.listener.NodeAddressType)
RackBuilder(io.strimzi.api.kafka.model.RackBuilder)
Matchers.containsInAnyOrder(org.hamcrest.Matchers.containsInAnyOrder)
Ingress(io.fabric8.kubernetes.api.model.networking.v1.Ingress)
Secret(io.fabric8.kubernetes.api.model.Secret)
TopologySpreadConstraintBuilder(io.fabric8.kubernetes.api.model.TopologySpreadConstraintBuilder)
NetworkPolicyPeerBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeerBuilder)
Uuid(org.apache.kafka.common.Uuid)
PodManagementPolicy(io.strimzi.api.kafka.model.template.PodManagementPolicy)
ContainerTemplate(io.strimzi.api.kafka.model.template.ContainerTemplate)
Container(io.fabric8.kubernetes.api.model.Container)
WeightedPodAffinityTerm(io.fabric8.kubernetes.api.model.WeightedPodAffinityTerm)
EphemeralStorageBuilder(io.strimzi.api.kafka.model.storage.EphemeralStorageBuilder)
CertificateParsingException(java.security.cert.CertificateParsingException)
HashMap(java.util.HashMap)
GenericKafkaListenerConfigurationBootstrap(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerConfigurationBootstrap)
MetricsAndLogging(io.strimzi.operator.common.MetricsAndLogging)
HashSet(java.util.HashSet)
HostAlias(io.fabric8.kubernetes.api.model.HostAlias)
JmxPrometheusExporterMetrics(io.strimzi.api.kafka.model.JmxPrometheusExporterMetrics)
JmxPrometheusExporterMetricsBuilder(io.strimzi.api.kafka.model.JmxPrometheusExporterMetricsBuilder)
InlineLogging(io.strimzi.api.kafka.model.InlineLogging)
MetricsConfig(io.strimzi.api.kafka.model.MetricsConfig)
TestUtils(io.strimzi.test.TestUtils)
Collections.singletonMap(java.util.Collections.singletonMap)
Service(io.fabric8.kubernetes.api.model.Service)
CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy)
Volume(io.fabric8.kubernetes.api.model.Volume)
Matchers.hasEntry(org.hamcrest.Matchers.hasEntry)
CruiseControlConfigurationParameters(io.strimzi.operator.cluster.operator.resource.cruisecontrol.CruiseControlConfigurationParameters)
Collections.emptyMap(java.util.Collections.emptyMap)
TopologySpreadConstraint(io.fabric8.kubernetes.api.model.TopologySpreadConstraint)
Matchers(org.hamcrest.Matchers)
TestUtils.set(io.strimzi.test.TestUtils.set)
LabelSelectorRequirementBuilder(io.fabric8.kubernetes.api.model.LabelSelectorRequirementBuilder)
NetworkPolicy(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy)
ServiceAccount(io.fabric8.kubernetes.api.model.ServiceAccount)
Kafka(io.strimzi.api.kafka.model.Kafka)
Collections(java.util.Collections)
NetworkPolicyPeer(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer)
LabelSelectorRequirementBuilder(io.fabric8.kubernetes.api.model.LabelSelectorRequirementBuilder)
GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder)
NetworkPolicyIngressRule(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule)
NetworkPolicy(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy)
IntOrString(io.fabric8.kubernetes.api.model.IntOrString)
Kafka(io.strimzi.api.kafka.model.Kafka)
KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder)
NetworkPolicyPeerBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeerBuilder)
ParallelTest(io.strimzi.test.annotations.ParallelTest)
Example 12 with NetworkPolicyPeer
use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer in project strimzi-kafka-operator by strimzi.
the class KafkaClusterTest method testReplicationPortNetworkPolicy.
@ParallelTest
public void testReplicationPortNetworkPolicy() {
NetworkPolicyPeer kafkaBrokersPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, KafkaResources.kafkaStatefulSetName(cluster))).endPodSelector().build();
NetworkPolicyPeer eoPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, KafkaResources.entityOperatorDeploymentName(cluster))).endPodSelector().build();
NetworkPolicyPeer kafkaExporterPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, KafkaExporterResources.deploymentName(cluster))).endPodSelector().build();
NetworkPolicyPeer cruiseControlPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, CruiseControlResources.deploymentName(cluster))).endPodSelector().build();
NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().withNewNamespaceSelector().endNamespaceSelector().build();
NetworkPolicyPeer clusterOperatorPeerSameNamespace = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().build();
NetworkPolicyPeer clusterOperatorPeerNamespaceWithLabels = new NetworkPolicyPeerBuilder().withNewPodSelector().withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator")).endPodSelector().withNewNamespaceSelector().withMatchLabels(Collections.singletonMap("nsLabelKey", "nsLabelValue")).endNamespaceSelector().build();
Kafka kafkaAssembly = ResourceUtils.createKafka(namespace, cluster, replicas, image, healthDelay, healthTimeout, jmxMetricsConfig, configuration, emptyMap());
KafkaCluster k = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, VERSIONS);
// Check Network Policies => Different namespace
NetworkPolicy np = k.generateNetworkPolicy("operator-namespace", null);
assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).findFirst().orElse(null), is(notNullValue()));
List<NetworkPolicyPeer> rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
assertThat(rules.size(), is(5));
assertThat(rules.contains(kafkaBrokersPeer), is(true));
assertThat(rules.contains(eoPeer), is(true));
assertThat(rules.contains(kafkaExporterPeer), is(true));
assertThat(rules.contains(cruiseControlPeer), is(true));
assertThat(rules.contains(clusterOperatorPeer), is(true));
// Check Network Policies => Same namespace
np = k.generateNetworkPolicy(namespace, null);
assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).findFirst().orElse(null), is(notNullValue()));
rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
assertThat(rules.size(), is(5));
assertThat(rules.contains(kafkaBrokersPeer), is(true));
assertThat(rules.contains(eoPeer), is(true));
assertThat(rules.contains(kafkaExporterPeer), is(true));
assertThat(rules.contains(cruiseControlPeer), is(true));
assertThat(rules.contains(clusterOperatorPeerSameNamespace), is(true));
// Check Network Policies => Namespace with Labels
np = k.generateNetworkPolicy("operator-namespace", Labels.fromMap(Collections.singletonMap("nsLabelKey", "nsLabelValue")));
assertThat(np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).findFirst().orElse(null), is(notNullValue()));
rules = np.getSpec().getIngress().stream().filter(ing -> ing.getPorts().get(0).getPort().equals(new IntOrString(KafkaCluster.REPLICATION_PORT))).map(NetworkPolicyIngressRule::getFrom).findFirst().orElseThrow();
assertThat(rules.size(), is(5));
assertThat(rules.contains(kafkaBrokersPeer), is(true));
assertThat(rules.contains(eoPeer), is(true));
assertThat(rules.contains(kafkaExporterPeer), is(true));
assertThat(rules.contains(cruiseControlPeer), is(true));
assertThat(rules.contains(clusterOperatorPeerNamespaceWithLabels), is(true));
}
Also used :
Quantity(io.fabric8.kubernetes.api.model.Quantity)
VolumeMount(io.fabric8.kubernetes.api.model.VolumeMount)
ExternalTrafficPolicy(io.strimzi.api.kafka.model.template.ExternalTrafficPolicy)
PersistentClaimStorageOverrideBuilder(io.strimzi.api.kafka.model.storage.PersistentClaimStorageOverrideBuilder)
IntOrString(io.fabric8.kubernetes.api.model.IntOrString)
KafkaExporterResources(io.strimzi.api.kafka.model.KafkaExporterResources)
Rack(io.strimzi.api.kafka.model.Rack)
GenericKafkaListenerConfigurationBrokerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerConfigurationBrokerBuilder)
SecurityContextBuilder(io.fabric8.kubernetes.api.model.SecurityContextBuilder)
PodDisruptionBudget(io.fabric8.kubernetes.api.model.policy.v1.PodDisruptionBudget)
Collections.singletonList(java.util.Collections.singletonList)
ResourceRequirements(io.fabric8.kubernetes.api.model.ResourceRequirements)
KafkaResources(io.strimzi.api.kafka.model.KafkaResources)
Arrays.asList(java.util.Arrays.asList)
Map(java.util.Map)
ContainerEnvVar(io.strimzi.api.kafka.model.ContainerEnvVar)
KafkaJmxOptionsBuilder(io.strimzi.api.kafka.model.KafkaJmxOptionsBuilder)
LabelSelectorBuilder(io.fabric8.kubernetes.api.model.LabelSelectorBuilder)
CertSecretSource(io.strimzi.api.kafka.model.CertSecretSource)
JbodStorageBuilder(io.strimzi.api.kafka.model.storage.JbodStorageBuilder)
Matchers.allOf(org.hamcrest.Matchers.allOf)
Set(java.util.Set)
GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder)
HasMetadata(io.fabric8.kubernetes.api.model.HasMetadata)
ZoneId(java.time.ZoneId)
GenericSecretSourceBuilder(io.strimzi.api.kafka.model.GenericSecretSourceBuilder)
PodSecurityContextBuilder(io.fabric8.kubernetes.api.model.PodSecurityContextBuilder)
Matchers.contains(org.hamcrest.Matchers.contains)
PasswordGenerator(io.strimzi.operator.common.PasswordGenerator)
HostAliasBuilder(io.fabric8.kubernetes.api.model.HostAliasBuilder)
KafkaListenerAuthenticationOAuthBuilder(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder)
PersistentVolumeClaim(io.fabric8.kubernetes.api.model.PersistentVolumeClaim)
Matchers.containsString(org.hamcrest.Matchers.containsString)
Assertions.assertThrows(org.junit.jupiter.api.Assertions.assertThrows)
ClusterRoleBinding(io.fabric8.kubernetes.api.model.rbac.ClusterRoleBinding)
EnvVar(io.fabric8.kubernetes.api.model.EnvVar)
CoreMatchers.equalTo(org.hamcrest.CoreMatchers.equalTo)
ResourceRequirementsBuilder(io.fabric8.kubernetes.api.model.ResourceRequirementsBuilder)
IpFamily(io.strimzi.api.kafka.model.template.IpFamily)
LocalObjectReference(io.fabric8.kubernetes.api.model.LocalObjectReference)
OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference)
GenericKafkaListenerConfigurationBootstrapBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerConfigurationBootstrapBuilder)
KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder)
ArrayList(java.util.ArrayList)
Matchers.hasProperty(org.hamcrest.Matchers.hasProperty)
PersistentClaimStorageBuilder(io.strimzi.api.kafka.model.storage.PersistentClaimStorageBuilder)
GenericKafkaListenerConfigurationBroker(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerConfigurationBroker)
SecurityContext(io.fabric8.kubernetes.api.model.SecurityContext)
KafkaVersionTestUtils(io.strimzi.operator.cluster.KafkaVersionTestUtils)
PodSpec(io.fabric8.kubernetes.api.model.PodSpec)
KafkaListenerAuthenticationCustomBuilder(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationCustomBuilder)
MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat)
CoreMatchers.nullValue(org.hamcrest.CoreMatchers.nullValue)
KafkaJmxAuthenticationPasswordBuilder(io.strimzi.api.kafka.model.KafkaJmxAuthenticationPasswordBuilder)
IOException(java.io.IOException)
StatefulSet(io.fabric8.kubernetes.api.model.apps.StatefulSet)
ConfigMap(io.fabric8.kubernetes.api.model.ConfigMap)
ContainerPort(io.fabric8.kubernetes.api.model.ContainerPort)
Reconciliation(io.strimzi.operator.common.Reconciliation)
Util(io.strimzi.operator.common.Util)
KafkaListenerType(io.strimzi.api.kafka.model.listener.arraylistener.KafkaListenerType)
SystemPropertyBuilder(io.strimzi.api.kafka.model.SystemPropertyBuilder)
ConfigMapKeySelectorBuilder(io.fabric8.kubernetes.api.model.ConfigMapKeySelectorBuilder)
NetworkPolicyPeer(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer)
OpenSslCertManager(io.strimzi.certs.OpenSslCertManager)
X509Certificate(java.security.cert.X509Certificate)
CoreMatchers.is(org.hamcrest.CoreMatchers.is)
CoreMatchers(org.hamcrest.CoreMatchers)
CoreMatchers.hasItem(org.hamcrest.CoreMatchers.hasItem)
Storage(io.strimzi.api.kafka.model.storage.Storage)
ParallelSuite(io.strimzi.test.annotations.ParallelSuite)
Matchers.hasKey(org.hamcrest.Matchers.hasKey)
CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue)
NetworkPolicyIngressRule(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule)
Route(io.fabric8.openshift.api.model.Route)
SystemProperty(io.strimzi.api.kafka.model.SystemProperty)
ResourceUtils(io.strimzi.operator.cluster.ResourceUtils)
KafkaAuthorizationKeycloakBuilder(io.strimzi.api.kafka.model.KafkaAuthorizationKeycloakBuilder)
IpFamilyPolicy(io.strimzi.api.kafka.model.template.IpFamilyPolicy)
ParallelTest(io.strimzi.test.annotations.ParallelTest)
Collections.emptyList(java.util.Collections.emptyList)
Collectors(java.util.stream.Collectors)
CruiseControlResources(io.strimzi.api.kafka.model.CruiseControlResources)
List(java.util.List)
CertSecretSourceBuilder(io.strimzi.api.kafka.model.CertSecretSourceBuilder)
Labels(io.strimzi.operator.common.model.Labels)
NodeAddressType(io.strimzi.api.kafka.model.listener.NodeAddressType)
RackBuilder(io.strimzi.api.kafka.model.RackBuilder)
Matchers.containsInAnyOrder(org.hamcrest.Matchers.containsInAnyOrder)
Ingress(io.fabric8.kubernetes.api.model.networking.v1.Ingress)
Secret(io.fabric8.kubernetes.api.model.Secret)
TopologySpreadConstraintBuilder(io.fabric8.kubernetes.api.model.TopologySpreadConstraintBuilder)
NetworkPolicyPeerBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeerBuilder)
Uuid(org.apache.kafka.common.Uuid)
PodManagementPolicy(io.strimzi.api.kafka.model.template.PodManagementPolicy)
ContainerTemplate(io.strimzi.api.kafka.model.template.ContainerTemplate)
Container(io.fabric8.kubernetes.api.model.Container)
WeightedPodAffinityTerm(io.fabric8.kubernetes.api.model.WeightedPodAffinityTerm)
EphemeralStorageBuilder(io.strimzi.api.kafka.model.storage.EphemeralStorageBuilder)
CertificateParsingException(java.security.cert.CertificateParsingException)
HashMap(java.util.HashMap)
GenericKafkaListenerConfigurationBootstrap(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerConfigurationBootstrap)
MetricsAndLogging(io.strimzi.operator.common.MetricsAndLogging)
HashSet(java.util.HashSet)
HostAlias(io.fabric8.kubernetes.api.model.HostAlias)
JmxPrometheusExporterMetrics(io.strimzi.api.kafka.model.JmxPrometheusExporterMetrics)
JmxPrometheusExporterMetricsBuilder(io.strimzi.api.kafka.model.JmxPrometheusExporterMetricsBuilder)
InlineLogging(io.strimzi.api.kafka.model.InlineLogging)
MetricsConfig(io.strimzi.api.kafka.model.MetricsConfig)
TestUtils(io.strimzi.test.TestUtils)
Collections.singletonMap(java.util.Collections.singletonMap)
Service(io.fabric8.kubernetes.api.model.Service)
CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy)
Volume(io.fabric8.kubernetes.api.model.Volume)
Matchers.hasEntry(org.hamcrest.Matchers.hasEntry)
CruiseControlConfigurationParameters(io.strimzi.operator.cluster.operator.resource.cruisecontrol.CruiseControlConfigurationParameters)
Collections.emptyMap(java.util.Collections.emptyMap)
TopologySpreadConstraint(io.fabric8.kubernetes.api.model.TopologySpreadConstraint)
Matchers(org.hamcrest.Matchers)
TestUtils.set(io.strimzi.test.TestUtils.set)
LabelSelectorRequirementBuilder(io.fabric8.kubernetes.api.model.LabelSelectorRequirementBuilder)
NetworkPolicy(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy)
ServiceAccount(io.fabric8.kubernetes.api.model.ServiceAccount)
Kafka(io.strimzi.api.kafka.model.Kafka)
Collections(java.util.Collections)
NetworkPolicyPeer(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer)
NetworkPolicyIngressRule(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule)
NetworkPolicy(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy)
IntOrString(io.fabric8.kubernetes.api.model.IntOrString)
Kafka(io.strimzi.api.kafka.model.Kafka)
NetworkPolicyPeerBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeerBuilder)
ParallelTest(io.strimzi.test.annotations.ParallelTest)
Example 13 with NetworkPolicyPeer
use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer in project strimzi-kafka-operator by strimzi.
the class ModelUtilsTest method testCONetworkPolicyPeerNamespaceSelectorDifferentNSWithLabels.
@ParallelTest
public void testCONetworkPolicyPeerNamespaceSelectorDifferentNSWithLabels() {
NetworkPolicyPeer peer = new NetworkPolicyPeer();
Labels nsLabels = Labels.fromMap(singletonMap("labelKey", "labelValue"));
ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(peer, "my-ns", "my-operator-ns", nsLabels);
assertThat(peer.getNamespaceSelector().getMatchLabels(), is(nsLabels.toMap()));
}
Also used :
NetworkPolicyPeer(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer)
Labels(io.strimzi.operator.common.model.Labels)
ParallelTest(io.strimzi.test.annotations.ParallelTest)
Example 14 with NetworkPolicyPeer
use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer in project strimzi by strimzi.
the class KafkaCluster method generateNetworkPolicy.
/**
* Generates the NetworkPolicies relevant for Kafka brokers
*
* @param operatorNamespace Namespace where the Strimzi Cluster Operator runs. Null if not configured.
* @param operatorNamespaceLabels Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
*
* @return The network policy.
*/
public NetworkPolicy generateNetworkPolicy(String operatorNamespace, Labels operatorNamespaceLabels) {
// Internal peers => Strimzi components which need access
NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator").endPodSelector().build();
ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);
NetworkPolicyPeer kafkaClusterPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, KafkaResources.kafkaStatefulSetName(cluster)).endPodSelector().build();
NetworkPolicyPeer entityOperatorPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, KafkaResources.entityOperatorDeploymentName(cluster)).endPodSelector().build();
NetworkPolicyPeer kafkaExporterPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, KafkaExporterResources.deploymentName(cluster)).endPodSelector().build();
NetworkPolicyPeer cruiseControlPeer = new NetworkPolicyPeerBuilder().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, CruiseControlResources.deploymentName(cluster)).endPodSelector().build();
// List of network policy rules for all ports
// Default size is number of listeners configured by the user + 4 (Control Plane listener, replication listener, metrics and JMX)
List<NetworkPolicyIngressRule> rules = new ArrayList<>(listeners.size() + 4);
// Control Plane rule covers the control plane listener.
// Control plane listener is used by Kafka for internal coordination only
NetworkPolicyIngressRule controlPlaneRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(CONTROLPLANE_PORT).withProtocol("TCP").endPort().build();
controlPlaneRule.setFrom(List.of(kafkaClusterPeer));
rules.add(controlPlaneRule);
// Replication rule covers the replication listener.
// Replication listener is used by Kafka but also by our own tools => Operators, Cruise Control, and Kafka Exporter
NetworkPolicyIngressRule replicationRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(REPLICATION_PORT).withProtocol("TCP").endPort().build();
replicationRule.setFrom(List.of(clusterOperatorPeer, kafkaClusterPeer, entityOperatorPeer, kafkaExporterPeer, cruiseControlPeer));
rules.add(replicationRule);
// User-configured listeners are by default open for all. Users can pass peers in the Kafka CR.
for (GenericKafkaListener listener : listeners) {
NetworkPolicyIngressRule plainRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(listener.getPort()).withProtocol("TCP").endPort().withFrom(listener.getNetworkPolicyPeers()).build();
rules.add(plainRule);
}
// The Metrics port (if enabled) is opened to all by default
if (isMetricsEnabled) {
NetworkPolicyIngressRule metricsRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(METRICS_PORT).withProtocol("TCP").endPort().withFrom().build();
rules.add(metricsRule);
}
// The JMX port (if enabled) is opened to all by default
if (isJmxEnabled) {
NetworkPolicyIngressRule jmxRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(JMX_PORT).withProtocol("TCP").endPort().withFrom().build();
rules.add(jmxRule);
}
// Build the final network policy with all rules covering all the ports
NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withNewMetadata().withName(KafkaResources.kafkaNetworkPolicyName(cluster)).withNamespace(namespace).withLabels(labels.toMap()).withOwnerReferences(createOwnerReference()).endMetadata().withNewSpec().withNewPodSelector().addToMatchLabels(Labels.STRIMZI_NAME_LABEL, KafkaResources.kafkaStatefulSetName(cluster)).endPodSelector().withIngress(rules).endSpec().build();
LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
return networkPolicy;
}
Also used :
NetworkPolicyPeer(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer)
GenericKafkaListener(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener)
NetworkPolicyIngressRule(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule)
NetworkPolicy(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy)
ArrayList(java.util.ArrayList)
NetworkPolicyIngressRuleBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRuleBuilder)
NetworkPolicyBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder)
NetworkPolicyPeerBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeerBuilder)
Example 15 with NetworkPolicyPeer
use of io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer in project strimzi by strimzi.
the class ZookeeperCluster method generateNetworkPolicy.
/**
* Generates the NetworkPolicies relevant for ZooKeeper nodes
*
* @param operatorNamespace Namespace where the Strimzi Cluster Operator runs. Null if not configured.
* @param operatorNamespaceLabels Labels of the namespace where the Strimzi Cluster Operator runs. Null if not configured.
*
* @return The network policy.
*/
public NetworkPolicy generateNetworkPolicy(String operatorNamespace, Labels operatorNamespaceLabels) {
List<NetworkPolicyIngressRule> rules = new ArrayList<>(2);
NetworkPolicyPort clientsPort = new NetworkPolicyPort();
clientsPort.setPort(new IntOrString(CLIENT_TLS_PORT));
clientsPort.setProtocol("TCP");
NetworkPolicyPort clusteringPort = new NetworkPolicyPort();
clusteringPort.setPort(new IntOrString(CLUSTERING_PORT));
clusteringPort.setProtocol("TCP");
NetworkPolicyPort leaderElectionPort = new NetworkPolicyPort();
leaderElectionPort.setPort(new IntOrString(LEADER_ELECTION_PORT));
leaderElectionPort.setProtocol("TCP");
NetworkPolicyPeer zookeeperClusterPeer = new NetworkPolicyPeer();
LabelSelector labelSelector2 = new LabelSelector();
Map<String, String> expressions2 = new HashMap<>(1);
expressions2.put(Labels.STRIMZI_NAME_LABEL, KafkaResources.zookeeperStatefulSetName(cluster));
labelSelector2.setMatchLabels(expressions2);
zookeeperClusterPeer.setPodSelector(labelSelector2);
// Zookeeper only ports - 2888 & 3888 which need to be accessed by the Zookeeper cluster members only
NetworkPolicyIngressRule zookeeperClusteringIngressRule = new NetworkPolicyIngressRuleBuilder().withPorts(clusteringPort, leaderElectionPort).withFrom(zookeeperClusterPeer).build();
rules.add(zookeeperClusteringIngressRule);
// Clients port - needs to be access from outside the Zookeeper cluster as well
NetworkPolicyIngressRule clientsIngressRule = new NetworkPolicyIngressRuleBuilder().withPorts(clientsPort).withFrom().build();
NetworkPolicyPeer kafkaClusterPeer = new NetworkPolicyPeer();
LabelSelector labelSelector = new LabelSelector();
Map<String, String> expressions = new HashMap<>(1);
expressions.put(Labels.STRIMZI_NAME_LABEL, KafkaResources.kafkaStatefulSetName(cluster));
labelSelector.setMatchLabels(expressions);
kafkaClusterPeer.setPodSelector(labelSelector);
NetworkPolicyPeer entityOperatorPeer = new NetworkPolicyPeer();
LabelSelector labelSelector3 = new LabelSelector();
Map<String, String> expressions3 = new HashMap<>(1);
expressions3.put(Labels.STRIMZI_NAME_LABEL, KafkaResources.entityOperatorDeploymentName(cluster));
labelSelector3.setMatchLabels(expressions3);
entityOperatorPeer.setPodSelector(labelSelector3);
NetworkPolicyPeer clusterOperatorPeer = new NetworkPolicyPeer();
LabelSelector labelSelector4 = new LabelSelector();
Map<String, String> expressions4 = new HashMap<>(1);
expressions4.put(Labels.STRIMZI_KIND_LABEL, "cluster-operator");
labelSelector4.setMatchLabels(expressions4);
clusterOperatorPeer.setPodSelector(labelSelector4);
ModelUtils.setClusterOperatorNetworkPolicyNamespaceSelector(clusterOperatorPeer, namespace, operatorNamespace, operatorNamespaceLabels);
// This is a hack because we have no guarantee that the CO namespace has some particular labels
List<NetworkPolicyPeer> clientsPortPeers = new ArrayList<>(4);
clientsPortPeers.add(kafkaClusterPeer);
clientsPortPeers.add(zookeeperClusterPeer);
clientsPortPeers.add(entityOperatorPeer);
clientsPortPeers.add(clusterOperatorPeer);
clientsIngressRule.setFrom(clientsPortPeers);
rules.add(clientsIngressRule);
if (isMetricsEnabled) {
NetworkPolicyIngressRule metricsRule = new NetworkPolicyIngressRuleBuilder().addNewPort().withNewPort(METRICS_PORT).withProtocol("TCP").endPort().withFrom().build();
rules.add(metricsRule);
}
if (isJmxEnabled) {
NetworkPolicyPort jmxPort = new NetworkPolicyPort();
jmxPort.setPort(new IntOrString(JMX_PORT));
NetworkPolicyIngressRule jmxRule = new NetworkPolicyIngressRuleBuilder().withPorts(jmxPort).withFrom().build();
rules.add(jmxRule);
}
NetworkPolicy networkPolicy = new NetworkPolicyBuilder().withNewMetadata().withName(KafkaResources.zookeeperNetworkPolicyName(cluster)).withNamespace(namespace).withLabels(labels.toMap()).withOwnerReferences(createOwnerReference()).endMetadata().withNewSpec().withPodSelector(labelSelector2).withIngress(rules).endSpec().build();
LOGGER.traceCr(reconciliation, "Created network policy {}", networkPolicy);
return networkPolicy;
}
Also used :
NetworkPolicyPort(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPort)
NetworkPolicyPeer(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer)
HashMap(java.util.HashMap)
IntOrString(io.fabric8.kubernetes.api.model.IntOrString)
NetworkPolicy(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy)
ArrayList(java.util.ArrayList)
LabelSelector(io.fabric8.kubernetes.api.model.LabelSelector)
IntOrString(io.fabric8.kubernetes.api.model.IntOrString)
NetworkPolicyBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder)
NetworkPolicyIngressRule(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule)
NetworkPolicyIngressRuleBuilder(io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRuleBuilder)
Aggregations
NetworkPolicyPeer (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer)26
NetworkPolicy (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy)20
NetworkPolicyIngressRule (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule)20
ArrayList (java.util.ArrayList)20
NetworkPolicyPeerBuilder (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeerBuilder)18
ParallelTest (io.strimzi.test.annotations.ParallelTest)18
IntOrString (io.fabric8.kubernetes.api.model.IntOrString)14
Labels (io.strimzi.operator.common.model.Labels)14
ConfigMapKeySelectorBuilder (io.fabric8.kubernetes.api.model.ConfigMapKeySelectorBuilder)12
Container (io.fabric8.kubernetes.api.model.Container)12
EnvVar (io.fabric8.kubernetes.api.model.EnvVar)12
HostAlias (io.fabric8.kubernetes.api.model.HostAlias)12
HostAliasBuilder (io.fabric8.kubernetes.api.model.HostAliasBuilder)12
PodSecurityContextBuilder (io.fabric8.kubernetes.api.model.PodSecurityContextBuilder)12
Quantity (io.fabric8.kubernetes.api.model.Quantity)12
ResourceRequirementsBuilder (io.fabric8.kubernetes.api.model.ResourceRequirementsBuilder)12
SecurityContext (io.fabric8.kubernetes.api.model.SecurityContext)12
SecurityContextBuilder (io.fabric8.kubernetes.api.model.SecurityContextBuilder)12
Service (io.fabric8.kubernetes.api.model.Service)12
ServiceAccount (io.fabric8.kubernetes.api.model.ServiceAccount)12
