to generate network policy, 'generate netpol' should be used now. Also

added subcommand for linkerd ('generate linkerd').
This commit is contained in:
Erik Brakkee 2025-01-19 16:33:21 +01:00
parent 86572e8063
commit 60ebbf0ef4
4 changed files with 38 additions and 15 deletions


@ -6,7 +6,6 @@ import (
"fmt" "fmt"
"github.com/goccy/go-yaml" "github.com/goccy/go-yaml"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"log"
"net" "net"
"os" "os"
"slices" "slices"
@ -187,16 +186,18 @@ func (c *Config) Infer(resolver Resolver) {
for _, app := range ns.Applications { for _, app := range ns.Applications {
if len(app.ServiceAccounts) == 0 { if len(app.ServiceAccounts) == 0 {
app.ServiceAccounts = resolver.ServiceAccounts(app) app.ServiceAccounts = resolver.ServiceAccounts(app)
log.Printf("Inferred service accounts: %s/%s: %v", app.Namespace.Name, app.Name, fmt.Fprintf(os.Stderr, "Inferred service accounts: %s/%s: %v\n", app.Namespace.Name, app.Name,
app.ServiceAccounts) app.ServiceAccounts)
} }
if len(app.Ports) == 0 && !strings.HasPrefix(ns.Name, "linkerd") { if len(app.Ports) == 0 && !strings.HasPrefix(ns.Name, "linkerd") {
app.Ports = resolver.PortNumbers(app) app.Ports = resolver.PortNumbers(app)
log.Printf("Inferred ports: %s/%s: %v", app.Namespace.Name, app.Name, if len(app.Ports) > 0 {
fmt.Fprintf(os.Stderr, "Inferred ports: %s/%s: %v\n", app.Namespace.Name, app.Name,
app.Ports) app.Ports)
} }
} }
} }
}
} }
func LoadConfig(file string) (*Config, error) { func LoadConfig(file string) (*Config, error) {
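Review bot: The inferred-service-accounts message near the top of the hunk is still printed unconditionally, while the ports message below it is now wrapped in `if len(app.Ports) > 0`; when the resolver returns nothing the output reads `Inferred service accounts: ns/app: []`, which looks like a successful inference rather than a gap. Either mirror the guard, `if len(app.ServiceAccounts) > 0 {`, or, preferably, print an explicit warning in the empty case for both fields, since an application left with no ports or service accounts presumably flows into the generated policies with whatever the generators do for an empty list, and that is exactly what a reviewer of the output needs to see. Infer's body starts above the hunk.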


@ -56,6 +56,8 @@ func validate(files []string, options *Options) error {
config.Infer(cluster) config.Infer(cluster)
fmt.Fprintln(os.Stderr, "")
// map applname1 -> appname2 where appname1 is in an open namespace and app2 is in a closed namespace. // map applname1 -> appname2 where appname1 is in an open namespace and app2 is in a closed namespace.
// Exclusing when 'from' side is a CIDR. // Exclusing when 'from' side is a CIDR.
openToClosedAccess := make(map[string]string) openToClosedAccess := make(map[string]string)


@ -3,7 +3,6 @@ package main
import ( import (
"fmt" "fmt"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"log"
"os" "os"
) )
@ -15,7 +14,7 @@ type Options struct {
func readConfig(files []string) (*Config, error) { func readConfig(files []string) (*Config, error) {
config := &Config{} config := &Config{}
for _, file := range files { for _, file := range files {
log.Printf("LOADING %s\n", file) fmt.Fprintf(os.Stderr, "Reading %s\n", file)
configNew, err := LoadConfig(file) configNew, err := LoadConfig(file)
if err != nil { if err != nil {
return nil, fmt.Errorf("%s: %w", file, err) return nil, fmt.Errorf("%s: %w", file, err)
@ -29,7 +28,7 @@ func readConfig(files []string) (*Config, error) {
return config, nil return config, nil
} }
func generate(files []string, options *Options) error { func generateNetworkPolicy(files []string, options *Options) error {
if len(files) == 0 { if len(files) == 0 {
return fmt.Errorf("File expected") return fmt.Errorf("File expected")
} }
@ -55,6 +54,10 @@ func generate(files []string, options *Options) error {
return nil return nil
} }
func generateLinkerdPolicies(files []string, options *Options) error {
return fmt.Errorf(("Not yet implemented"))
}
func main() { func main() {
options := Options{ options := Options{
@ -69,14 +72,31 @@ func main() {
generate := &cobra.Command{ generate := &cobra.Command{
Use: "generate", Use: "generate",
Short: "Generate policies", Short: "Generate configuration",
Long: "Generate policies", Long: "Generate configuration",
RunE: func(cmd *cobra.Command, args []string) error {
return generate(args, &options)
},
} }
cmd.AddCommand(generate) cmd.AddCommand(generate)
netpol := &cobra.Command{
Use: "netpol",
Short: "Generate NetworkPolicyp",
Long: "Generate NetworkPolicy",
RunE: func(cmd *cobra.Command, args []string) error {
return generateNetworkPolicy(args, &options)
},
}
generate.AddCommand(netpol)
linkerd := &cobra.Command{
Use: "linkerd",
Short: "Generate linkerd authorization policies",
Long: "Generate linkerd authorization policies",
RunE: func(cmd *cobra.Command, args []string) error {
return generateLinkerdPolicies(args, &options)
},
}
generate.AddCommand(linkerd)
validate := &cobra.Command{ validate := &cobra.Command{
Use: "validate", Use: "validate",
Short: "Validate configuration", Short: "Validate configuration",
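Review bot: The `Short` text of the new netpol command reads `Generate NetworkPolicyp` while its `Long` says `Generate NetworkPolicy`; the stray `p` shows up in `generate --help`, so `Short: "Generate NetworkPolicy",`. In the same section `generateLinkerdPolicies` returns `fmt.Errorf(("Not yet implemented"))`, a constant message with no format verbs and doubled parentheses; `errors.New("not yet implemented")` says the same thing, follows the lowercase error-string convention, and only needs `"errors"` added to the import block this hunk already edits. main's body starts before and ends after the hunk.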

6
go.mod

@ -1,6 +1,6 @@
module git.wamblee.org/public/policy-generator module git.wamblee.org/public/policy-generator
go 1.23.4 go 1.23.5
require ( require (
github.com/Masterminds/sprig/v3 v3.3.0 github.com/Masterminds/sprig/v3 v3.3.0
@ -9,6 +9,8 @@ require (
github.com/go-playground/validator/v10 v10.23.0 github.com/go-playground/validator/v10 v10.23.0
github.com/goccy/go-yaml v1.15.13 github.com/goccy/go-yaml v1.15.13
github.com/spf13/cobra v1.8.1 github.com/spf13/cobra v1.8.1
k8s.io/api v0.32.0
k8s.io/apimachinery v0.32.0
k8s.io/client-go v0.32.0 k8s.io/client-go v0.32.0
) )
@ -57,8 +59,6 @@ require (
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/api v0.32.0 // indirect
k8s.io/apimachinery v0.32.0 // indirect
k8s.io/klog/v2 v2.130.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect