From 5659d7c18c5dca206858c683122b1a524e27bc7e Mon Sep 17 00:00:00 2001
From: Erik Brakkee
Date: Thu, 2 Jan 2025 19:01:05 +0100
Subject: [PATCH] apiserver cilium rules.

---
 cmd/policygen/config.go | 5 +-
 cmd/policygen/generator.go | 5 +-
 cmd/policygen/main.go | 5 +-
 cmd/policygen/netpol_generator.go | 57 ++++++++++++++-----
 cmd/policygen/templates.go | 2 +-
 .../pod/{cilium.yaml => apiserver.yaml} | 14 ++---
 cmd/policygen/templates/netpol/pod/pod.yaml | 2 +-
 example/config.yaml | 1 +
 8 files changed, 64 insertions(+), 27 deletions(-)
 rename cmd/policygen/templates/netpol/pod/{cilium.yaml => apiserver.yaml} (61%)

diff --git a/cmd/policygen/config.go b/cmd/policygen/config.go
index 660fb3e..abe6c2d 100644
--- a/cmd/policygen/config.go
+++ b/cmd/policygen/config.go
@@ -102,8 +102,9 @@ func (c Config) Validate() error {
 }
 // application names must be unique and may not conflict with predefined applications
- apps := map[string]bool{
- "apiserver": true,
+ apps := make(map[string]bool)
+ for _, predefined := range PREDEFINED_APPS {
+ apps[predefined] = true
 }
 // application names may also not conflict with network names.
 for _, network := range c.Networks {
diff --git a/cmd/policygen/generator.go b/cmd/policygen/generator.go
index 2341572..0658e38 100644
--- a/cmd/policygen/generator.go
+++ b/cmd/policygen/generator.go
@@ -107,7 +107,10 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
 fmt.Fprintf(os.Stderr, "RULE %s\n", app)
 fmt.Fprintf(os.Stderr, " IN %s\n", ingress)
 fmt.Fprintf(os.Stderr, " OUT %s\n", egress)
- generator.GenerateCommunicationRule(writer, applications[app], ingress, egress)
+ err := generator.GenerateCommunicationRule(writer, applications[app], ingress, egress)
+ if err != nil {
+ return err
+ }
 }
 }
diff --git a/cmd/policygen/main.go b/cmd/policygen/main.go
index dcaeb69..33dcb6f 100644
--- a/cmd/policygen/main.go
+++ b/cmd/policygen/main.go
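Review bot: `PREDEFINED_APPS`, which the new loop ranges over, is an ALL_CAPS underscore name that Go convention and the usual linters flag; renaming it `predefinedApps` (or `PredefinedApps` if it must be exported) at its declaration, which is outside this hunk, would make the new code read idiomatically. The `apps` map is used only as a set here, so `apps := make(map[string]struct{}, len(PREDEFINED_APPS))` with `apps[predefined] = struct{}{}` states that intent and pre-sizes it, provided the later membership tests in Validate use the `_, ok := apps[name]` form. Validate continues outside the hunk.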
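Review bot: The error from `GenerateCommunicationRule` is returned without saying which application's rule failed, so a template problem in a multi-application config surfaces as a bare message with no way to locate it; wrap it at this layer: `if err := generator.GenerateCommunicationRule(writer, applications[app], ingress, egress); err != nil { return fmt.Errorf("generating rule for %q: %w", app, err) }` (`fmt` is already in scope given the Fprintf calls above, and `app` is formatted with `%s` there, so `%q` is safe). Note also that by the time the error is returned the generator has usually written part of the policy output to `writer`, so callers must not treat the output as a complete policy set unless Generate returned nil. The enclosing loop and Generate itself start outside the hunk.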
@@ -32,7 +32,10 @@ func execute(files []string, options *Options) error {
 config: config,
 policyTemplates: policyTemplates,
 }
- Generate(os.Stdout, generator, config)
+ err = Generate(os.Stdout, generator, config)
+ if err != nil {
+ return err
+ }
 }
 return nil
diff --git a/cmd/policygen/netpol_generator.go b/cmd/policygen/netpol_generator.go
index 66e0961..6fd3f3a 100644
--- a/cmd/policygen/netpol_generator.go
+++ b/cmd/policygen/netpol_generator.go
@@ -5,6 +5,7 @@ import (
 "io"
 "log"
 "os"
+ "slices"
 )
 type NetworkPolicyGenerrator struct {
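Review bot: `Generate(os.Stdout, generator, config)` streams policies straight to stdout, so when it now returns an error part of the policy set has already been emitted; anyone piping the output into `kubectl apply -f -` would have a partial, and therefore incomplete, set of network policies applied before the non-zero exit status is noticed. Rendering into a buffer and writing only on success avoids that: `var out bytes.Buffer`, `err = Generate(&out, generator, config)`, and after the error check `os.Stdout.Write(out.Bytes())` (with its own error check). This needs `bytes` added to the file's imports, which are outside the hunk; execute's loop over files also starts outside the hunk.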
@@ -40,21 +41,49 @@ func (g NetworkPolicyGenerrator) GenerateCommunicationRule(
 // non-trivial regular network policy
 tmpl := g.policyTemplates.ApplicationTemplate("netpol")
- log.Printf("Found template %v for pod %s", tmpl, app.Name)
- if tmpl != nil {
-
- err := tmpl.Execute(writer, map[string]any{
- "app": app,
- "ingress": ingress,
- "egress": egress,
- "labels": map[string]string{
- "policy-generator": "1",
- },
- })
- if err != nil {
- return err
- }
+ if tmpl == nil {
+ return fmt.Errorf("Could not find policy template for 'netpol'")
+ }
+ err := tmpl.Execute(writer, map[string]any{
+ "app": app,
+ "ingress": ingress,
+ "egress": egress,
+ "labels": map[string]string{
+ "policy-generator": "1",
+ },
+ })
+ if err != nil {
+ return err
 }
 }
+
+ allPredefined := make(map[string]bool)
+ for _, pre := range ingress.Predefined {
+ allPredefined[pre] = true
+ }
+ for _, pre := range egress.Predefined {
+ allPredefined[pre] = true
+ }
+ log.Printf("ALl PREDEFINED %v", allPredefined)
+
+ for predefined, _ := range allPredefined {
+ tmpl := g.policyTemplates.PredefineApplicationPolicyTemplate("netpol", predefined)
+ if tmpl == nil {
+ return fmt.Errorf("Could not find predefined template for netpol/%s", predefined)
+ }
+ log.Printf("PREDEFINED FOR %s", app.Name)
+ err := tmpl.Execute(writer, map[string]any{
+ "app": app,
+ "ingress": slices.Contains(ingress.Predefined, predefined),
+ "egress": slices.Contains(egress.Predefined, predefined),
+ "labels": map[string]string{
+ "policy-generator": "1",
+ },
+ })
+ if err != nil {
+ return err
+ }
+ }
+ return nil
 }
diff --git a/cmd/policygen/templates.go b/cmd/policygen/templates.go
index 80de7c6..5c7578f 100644
--- a/cmd/policygen/templates.go
+++ b/cmd/policygen/templates.go
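Review bot: Ranging over the `allPredefined` map emits the predefined policies in a random order from run to run, so two runs over the same config produce differently ordered YAML and any diff-based review or reconciliation of the generated policies becomes noisy; collect the keys into a slice and sort them with the already-imported `slices` package before the loop, as in the excerpt below. The `for predefined, _ := range` form is redundant (`for predefined := range` suffices), and both new error strings start with a capital letter while Go error strings are conventionally lowercase. The `log.Printf("ALl PREDEFINED %v", ...)` and `log.Printf("PREDEFINED FOR %s", ...)` lines read as debugging output that should be removed or demoted before merge. GenerateCommunicationRule starts outside the hunk.
```go
	// … unchanged: regular netpol template execution …

	// Collect the predefined peers from both directions once, then sort them so
	// the generated policies come out in a stable order between runs.
	seen := make(map[string]bool)
	for _, pre := range ingress.Predefined {
		seen[pre] = true
	}
	for _, pre := range egress.Predefined {
		seen[pre] = true
	}
	allPredefined := make([]string, 0, len(seen))
	for pre := range seen {
		allPredefined = append(allPredefined, pre)
	}
	slices.Sort(allPredefined)

	for _, predefined := range allPredefined {
		tmpl := g.policyTemplates.PredefineApplicationPolicyTemplate("netpol", predefined)
		if tmpl == nil {
			return fmt.Errorf("no predefined template for netpol/%s", predefined)
		}
		// … unchanged: template execution with the ingress/egress booleans …
	}
	return nil
```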
@@ -121,6 +121,6 @@ func (t *PolicyTemplates) ApplicationTemplate(policyType string) *template.Templ
 }
 func (t *PolicyTemplates) PredefineApplicationPolicyTemplate(policyType string, predefined string) *template.Template {
- tmpl := t.templates.Lookup(fmt.Sprintf("templates/pod/%s/%s.yaml", policyType, predefined))
+ tmpl := t.templates.Lookup(fmt.Sprintf("templates/%s/pod/%s.yaml", policyType, predefined))
 return tmpl
 }
diff --git a/cmd/policygen/templates/netpol/pod/cilium.yaml b/cmd/policygen/templates/netpol/pod/apiserver.yaml
similarity index 61%
rename from cmd/policygen/templates/netpol/pod/cilium.yaml
rename to cmd/policygen/templates/netpol/pod/apiserver.yaml
index a3c5713..b57d042 100644
--- a/cmd/policygen/templates/netpol/pod/cilium.yaml
+++ b/cmd/policygen/templates/netpol/pod/apiserver.yaml
@@ -1,20 +1,20 @@
+---
 kind: CiliumNetworkPolicy
 apiVersion: cilium.io/v2
 metadata:
- name: {{.name}}
- namespace: {{.namespace}}
- labels: "{{ .labels | toYaml | nindent 4 }}"
+ name: {{.app.Name}}
+ namespace: {{.app.Namespace.Name}}
+ labels: {{ .labels | toYaml | nindent 4 }}
 spec:
- endpointSelector:
- {{ .selector }}
- {{- if .from }}
+ endpointSelector: {{ .app.MatchLabels | toYaml | nindent 4 }}
+ {{- if .ingress }}
 ingress:
 - fromEntities:
 - kube-apiserver
 # See https://github.com/cilium/cilium/issues/35401
 - remote-node
 {{- end }}
- {{- if .to }}
+ {{- if .egress }}
 egress:
 - toEntities:
 - kube-apiserver
diff --git a/cmd/policygen/templates/netpol/pod/pod.yaml b/cmd/policygen/templates/netpol/pod/pod.yaml
index 5f60669..42f90df 100644
--- a/cmd/policygen/templates/netpol/pod/pod.yaml
+++ b/cmd/policygen/templates/netpol/pod/pod.yaml
@@ -13,7 +13,7 @@ matchLabels: {{ .MatchLabels | toYaml | nindent 12 }}
 namespaceSelector:
 matchLabels:
- kubernetes.io/metadata.name: {{ .Namespace }}
+ kubernetes.io/metadata.name: {{ .Namespace.Name }}
 {{- if .Ports }}
 ports:
 {{- template "ports" .Ports }}
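Review bot: `PredefineApplicationPolicyTemplate` is exported but carries no doc comment, and its contract that a missing template yields nil rather than an error is exactly what the caller in netpol_generator.go relies on; suggest `// PredefineApplicationPolicyTemplate returns the policy template for a predefined application, looked up as templates/<policyType>/pod/<predefined>.yaml, or nil when no such template is defined.` The body can then become the direct `return t.templates.Lookup(fmt.Sprintf("templates/%s/pod/%s.yaml", policyType, predefined))`. Since `predefined` presumably originates in the user's config, that nil return is what turns a misspelled predefined name into a hard error at the call site instead of a silently skipped policy, so the behaviour is worth keeping and documenting.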
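Review bot: `endpointSelector: {{ .app.MatchLabels | toYaml | nindent 4 }}` appears to drop the `matchLabels:` level, since pod.yaml renders the same label map underneath a `matchLabels:` key, so here the labels land directly under `endpointSelector` where Cilium does not expect them. Depending on the API server's field validation that either rejects the object or prunes the unknown keys to an empty selector, and an empty `endpointSelector` in Cilium matches every endpoint in the namespace, which would apply the apiserver allowance far more widely than intended; suggest `endpointSelector:` followed by `  matchLabels: {{ .app.MatchLabels | toYaml | nindent 6 }}`, assuming `.app.MatchLabels` is the bare label map as the pod.yaml usage suggests. Separately, `name: {{.app.Name}}` gives every predefined policy generated for an application the same name, which is fine while apiserver is the only predefined application but `name: {{.app.Name}}-apiserver` keeps a later predefined template from overwriting this one on apply. The `remote-node` entity kept in the ingress rule is broader than the kube-apiserver entity it stands in for (it admits traffic from every cluster node); the existing issue comment hints at this, but a short note in the template stating the widened scope would make it explicit to reviewers of the generated policy.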
diff --git a/example/config.yaml b/example/config.yaml
index 78bbe8e..ef5dac5 100644
--- a/example/config.yaml
+++ b/example/config.yaml
@@ -42,6 +42,7 @@ communications:
 - from: # can we support both string and list of strings?
 - httpd-wamblee-org
 - internet
+ - apiserver
 to:
 - nexus-server