apiserver cilium rules.

cmd/policygen/config.go

@@ -102,8 +102,9 @@ func (c Config) Validate() error {
 	}
 
 	// application names must be unique and may not conflict with predefined applications
-	apps := map[string]bool{
+	apps := make(map[string]bool)
-		"apiserver": true,
+	for _, predefined := range PREDEFINED_APPS {
+		apps[predefined] = true
 	}
 	// application names may also not conflict with network names.
 	for _, network := range c.Networks {

cmd/policygen/generator.go

@@ -107,7 +107,10 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
 			fmt.Fprintf(os.Stderr, "RULE %s\n", app)
 			fmt.Fprintf(os.Stderr, "  IN %s\n", ingress)
 			fmt.Fprintf(os.Stderr, "  OUT %s\n", egress)
-			generator.GenerateCommunicationRule(writer, applications[app], ingress, egress)
+			err := generator.GenerateCommunicationRule(writer, applications[app], ingress, egress)
+			if err != nil {
+				return err
+			}
 		}
 	}
 

cmd/policygen/main.go

@@ -32,7 +32,10 @@ func execute(files []string, options *Options) error {
 			config:          config,
 			policyTemplates: policyTemplates,
 		}
-		Generate(os.Stdout, generator, config)
+		err = Generate(os.Stdout, generator, config)
+		if err != nil {
+			return err
+		}
 
 	}
 	return nil

cmd/policygen/netpol_generator.go

@@ -5,6 +5,7 @@ import (
 	"io"
 	"log"
 	"os"
+	"slices"
 )
 
 type NetworkPolicyGenerrator struct {
@@ -40,21 +41,49 @@ func (g NetworkPolicyGenerrator) GenerateCommunicationRule(
 		// non-trivial regular network policy
 
 		tmpl := g.policyTemplates.ApplicationTemplate("netpol")
-		log.Printf("Found template %v for pod %s", tmpl, app.Name)
+		if tmpl == nil {
-		if tmpl != nil {
+			return fmt.Errorf("Could not find policy template for 'netpol'")
-
+		}
-			err := tmpl.Execute(writer, map[string]any{
+		err := tmpl.Execute(writer, map[string]any{
-				"app":     app,
+			"app":     app,
-				"ingress": ingress,
+			"ingress": ingress,
-				"egress":  egress,
+			"egress":  egress,
-				"labels": map[string]string{
+			"labels": map[string]string{
-					"policy-generator": "1",
+				"policy-generator": "1",
-				},
+			},
-			})
+		})
-			if err != nil {
+		if err != nil {
-				return err
+			return err
-			}
 		}
 	}
+
+	allPredefined := make(map[string]bool)
+	for _, pre := range ingress.Predefined {
+		allPredefined[pre] = true
+	}
+	for _, pre := range egress.Predefined {
+		allPredefined[pre] = true
+	}
+	log.Printf("ALl PREDEFINED %v", allPredefined)
+
+	for predefined, _ := range allPredefined {
+		tmpl := g.policyTemplates.PredefineApplicationPolicyTemplate("netpol", predefined)
+		if tmpl == nil {
+			return fmt.Errorf("Could not find predefined template for netpol/%s", predefined)
+		}
+		log.Printf("PREDEFINED FOR %s", app.Name)
+		err := tmpl.Execute(writer, map[string]any{
+			"app":     app,
+			"ingress": slices.Contains(ingress.Predefined, predefined),
+			"egress":  slices.Contains(egress.Predefined, predefined),
+			"labels": map[string]string{
+				"policy-generator": "1",
+			},
+		})
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }

cmd/policygen/templates.go

@@ -121,6 +121,6 @@ func (t *PolicyTemplates) ApplicationTemplate(policyType string) *template.Templ
 }
 
 func (t *PolicyTemplates) PredefineApplicationPolicyTemplate(policyType string, predefined string) *template.Template {
-	tmpl := t.templates.Lookup(fmt.Sprintf("templates/pod/%s/%s.yaml", policyType, predefined))
+	tmpl := t.templates.Lookup(fmt.Sprintf("templates/%s/pod/%s.yaml", policyType, predefined))
 	return tmpl
 }

cmd/policygen/templates/netpol/pod/apiserver.yaml

@@ -1,20 +1,20 @@
+---
 kind: CiliumNetworkPolicy
 apiVersion: cilium.io/v2
 metadata:
-  name: {{.name}}
+  name: {{.app.Name}}
-  namespace: {{.namespace}}
+  namespace: {{.app.Namespace.Name}}
-  labels: "{{ .labels | toYaml | nindent 4 }}"
+  labels: {{ .labels | toYaml | nindent 4 }}
 spec:
-  endpointSelector:
+  endpointSelector: {{ .app.MatchLabels | toYaml | nindent 4 }}
-    {{ .selector }}
+  {{- if .ingress }}
-  {{- if .from }}
   ingress:
   - fromEntities:
     - kube-apiserver
     # See https://github.com/cilium/cilium/issues/35401
     - remote-node
   {{- end }}
-  {{- if .to }}
+  {{- if .egress }}
   egress:
   - toEntities:
       - kube-apiserver

cmd/policygen/templates/netpol/pod/pod.yaml

@@ -13,7 +13,7 @@
           matchLabels: {{ .MatchLabels | toYaml | nindent 12 }}
         namespaceSelector:
           matchLabels:
-            kubernetes.io/metadata.name: {{ .Namespace }}
+            kubernetes.io/metadata.name: {{ .Namespace.Name }}
         {{- if .Ports }}
         ports:
           {{- template "ports" .Ports }}

example/config.yaml

@@ -42,6 +42,7 @@ communications:
   - from: # can we support both string and list of strings?
       - httpd-wamblee-org
       - internet
+      - apiserver
     to:
       - nexus-server