apiserver cilium rules.

2025-01-02 19:01:05 +01:00 · 2025-01-02 19:01:05 +01:00 · 5659d7c18c
commit 5659d7c18c
parent 933b46c68c
8 changed files with 64 additions and 27 deletions
--- a/cmd/policygen/config.go
+++ b/cmd/policygen/config.go
@ -102,8 +102,9 @@ func (c Config) Validate() error {
 	}

 	// application names must be unique and may not conflict with predefined applications
-	apps := map[string]bool{
-		"apiserver": true,
+	apps := make(map[string]bool)
+	for _, predefined := range PREDEFINED_APPS {
+		apps[predefined] = true
 	}
 	// application names may also not conflict with network names.
 	for _, network := range c.Networks {
--- a/cmd/policygen/generator.go
+++ b/cmd/policygen/generator.go
@ -107,7 +107,10 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
 			fmt.Fprintf(os.Stderr, "RULE %s\n", app)
 			fmt.Fprintf(os.Stderr, "  IN %s\n", ingress)
 			fmt.Fprintf(os.Stderr, "  OUT %s\n", egress)
-			generator.GenerateCommunicationRule(writer, applications[app], ingress, egress)
+			err := generator.GenerateCommunicationRule(writer, applications[app], ingress, egress)
+			if err != nil {
+				return err
+			}
 		}
 	}

--- a/cmd/policygen/main.go
+++ b/cmd/policygen/main.go
@ -32,7 +32,10 @@ func execute(files []string, options *Options) error {
 			config:          config,
 			policyTemplates: policyTemplates,
 		}
-		Generate(os.Stdout, generator, config)
+		err = Generate(os.Stdout, generator, config)
+		if err != nil {
+			return err
+		}

 	}
 	return nil
--- a/cmd/policygen/netpol_generator.go
+++ b/cmd/policygen/netpol_generator.go
@ -5,6 +5,7 @@ import (
 	"io"
 	"log"
 	"os"
+	"slices"
 )

 type NetworkPolicyGenerrator struct {
@ -40,9 +41,9 @@ func (g NetworkPolicyGenerrator) GenerateCommunicationRule(
 		// non-trivial regular network policy

 		tmpl := g.policyTemplates.ApplicationTemplate("netpol")
-		log.Printf("Found template %v for pod %s", tmpl, app.Name)
-		if tmpl != nil {
-
+		if tmpl == nil {
+			return fmt.Errorf("Could not find policy template for 'netpol'")
+		}
 		err := tmpl.Execute(writer, map[string]any{
 			"app":     app,
 			"ingress": ingress,
@ -55,6 +56,34 @@ func (g NetworkPolicyGenerrator) GenerateCommunicationRule(
 			return err
 		}
 	}
+
+	allPredefined := make(map[string]bool)
+	for _, pre := range ingress.Predefined {
+		allPredefined[pre] = true
 	}
+	for _, pre := range egress.Predefined {
+		allPredefined[pre] = true
+	}
+	log.Printf("ALl PREDEFINED %v", allPredefined)
+
+	for predefined, _ := range allPredefined {
+		tmpl := g.policyTemplates.PredefineApplicationPolicyTemplate("netpol", predefined)
+		if tmpl == nil {
+			return fmt.Errorf("Could not find predefined template for netpol/%s", predefined)
+		}
+		log.Printf("PREDEFINED FOR %s", app.Name)
+		err := tmpl.Execute(writer, map[string]any{
+			"app":     app,
+			"ingress": slices.Contains(ingress.Predefined, predefined),
+			"egress":  slices.Contains(egress.Predefined, predefined),
+			"labels": map[string]string{
+				"policy-generator": "1",
+			},
+		})
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
--- a/cmd/policygen/templates.go
+++ b/cmd/policygen/templates.go
@ -121,6 +121,6 @@ func (t *PolicyTemplates) ApplicationTemplate(policyType string) *template.Templ
 }

 func (t *PolicyTemplates) PredefineApplicationPolicyTemplate(policyType string, predefined string) *template.Template {
-	tmpl := t.templates.Lookup(fmt.Sprintf("templates/pod/%s/%s.yaml", policyType, predefined))
+	tmpl := t.templates.Lookup(fmt.Sprintf("templates/%s/pod/%s.yaml", policyType, predefined))
 	return tmpl
 }
--- a/cmd/policygen/templates/netpol/pod/apiserver.yaml
+++ b/cmd/policygen/templates/netpol/pod/apiserver.yaml
@ -1,20 +1,20 @@
+---
 kind: CiliumNetworkPolicy
 apiVersion: cilium.io/v2
 metadata:
-  name: {{.name}}
-  namespace: {{.namespace}}
-  labels: "{{ .labels | toYaml | nindent 4 }}"
+  name: {{.app.Name}}
+  namespace: {{.app.Namespace.Name}}
+  labels: {{ .labels | toYaml | nindent 4 }}
 spec:
-  endpointSelector:
-    {{ .selector }}
-  {{- if .from }}
+  endpointSelector: {{ .app.MatchLabels | toYaml | nindent 4 }}
+  {{- if .ingress }}
  ingress:
  - fromEntities:
    - kube-apiserver
    # See https://github.com/cilium/cilium/issues/35401
    - remote-node
  {{- end }}
-  {{- if .to }}
+  {{- if .egress }}
  egress:
  - toEntities:
      - kube-apiserver
--- a/cmd/policygen/templates/netpol/pod/pod.yaml
+++ b/cmd/policygen/templates/netpol/pod/pod.yaml
@ -13,7 +13,7 @@
          matchLabels: {{ .MatchLabels | toYaml | nindent 12 }}
        namespaceSelector:
          matchLabels:
-            kubernetes.io/metadata.name: {{ .Namespace }}
+            kubernetes.io/metadata.name: {{ .Namespace.Name }}
        {{- if .Ports }}
        ports:
          {{- template "ports" .Ports }}
--- a/example/config.yaml
+++ b/example/config.yaml
@ -42,6 +42,7 @@ communications:
  - from: # can we support both string and list of strings?
      - httpd-wamblee-org
      - internet
+      - apiserver
    to:
      - nexus-server