public/policy-generator
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

network policy now fully generated

Browse Source
This commit is contained in:
Erik Brakkee 2025-01-02 18:16:24 +01:00
parent 207043d38f
commit 6d05f0501f
5 changed files with 55 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
cmd/policygen/config.go
View File

@ -39,17 +39,22 @@ func (c CIDR) MarshalYAML() ([]byte, error) {
return []byte(string(c)), nil return []byte(string(c)), nil
} }
type Port struct {
Port string `yaml:"port"`
Protocol string `yaml:"protocol"`
}
// Network represents each network entry in the YAML // Network represents each network entry in the YAML
type Network struct { type Network struct {
Name string `yaml:"name"` Name string `yaml:"name"`
CIDR CIDR `yaml:"cidr"` CIDR CIDR `yaml:"cidr"`
Except []CIDR `yaml:"except,omitempty"` Except []CIDR `yaml:"except,omitempty"`
Ports []string `yaml:"ports,omitempty"` Ports []Port `yaml:"ports,omitempty"`
} }
type Application struct { type Application struct {
Name string `yaml:"name"` Name string `yaml:"name"`
Ports []string `yaml:"ports,omitempty"` Ports []Port `yaml:"ports,omitempty"`
MatchLabels map[string]string `yaml:"matchLabels"` MatchLabels map[string]string `yaml:"matchLabels"`
Namespace string `yaml:"-"` Namespace string `yaml:"-"`
} }

1
cmd/policygen/main.go
View File

@ -22,7 +22,6 @@ func execute(files []string, options *Options) error {
if err != nil { if err != nil {
return err return err
} }
fmt.Printf("PARSED %+v\n", config)
policyTemplates, err := NewPolicyTemplates() policyTemplates, err := NewPolicyTemplates()
if err != nil { if err != nil {

2
cmd/policygen/templates.go
View File

@ -55,7 +55,7 @@ func showContents(files fs.FS) {
panic(err) panic(err)
} }
for _, entry := range entries { for _, entry := range entries {
fmt.Printf("entry %s %s\n", entry.Name(), entry.Type()) fmt.Fprintf(os.Stderr, "entry %s %s\n", entry.Name(), entry.Type())
if entry.Type().IsDir() { if entry.Type().IsDir() {
subdir, err := fs.Sub(files, entry.Name()) subdir, err := fs.Sub(files, entry.Name())
if err != nil { if err != nil {

60
cmd/policygen/templates/netpol/pod/pod.yaml
View File

@ -1,5 +1,14 @@
--- ---
{{- define "peer" }} {{- define "ports" }}
{{- range $port := . }}
- port: {{ $port.Port }}
{{- if $port.Protocol }}
protocol: {{ $port.Protocol }}
{{- end }}
{{- end }}
{{- end }}
{{- define "peers" }}
{{- range .Applications }}
- podSelector: - podSelector:
matchLabels: {{ .MatchLabels | toYaml | nindent 12 }} matchLabels: {{ .MatchLabels | toYaml | nindent 12 }}
namespaceSelector: namespaceSelector:
@ -7,19 +16,24 @@
kubernetes.io/metadata.name: {{ .Namespace }} kubernetes.io/metadata.name: {{ .Namespace }}
{{- if .Ports }} {{- if .Ports }}
ports: ports:
# TODO: add protocol {{- template "ports" .Ports }}
{{- range $port := .Ports }}
- port: {{ $port }}
{{- end }}
{{- end }} {{- end }}
{{- end }}
{{- end }}
{{- define "networks" }}
{{- range .Networks }}
- ipBlock:
cidr: {{ .CIDR}}
except:
{{- range $except := .Except }}
- {{ $except }}
{{- end }}
{{- if .Ports }}
ports:
{{- template "ports" .Ports }}
{{- end }}
{{- end }}
{{- end }} {{- end }}
-
{{- define "ports" }}
{{- range $port := . }}
PORT {{ $port }}
{{- end }}
{{- end }}
kind: NetworkPolicy kind: NetworkPolicy
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
@ -40,17 +54,15 @@ spec:
{{- if or .ingress.Applications .ingress.Networks }} {{- if or .ingress.Applications .ingress.Networks }}
ingress: ingress:
from: from:
{{- range $ingress := .ingress.Applications }} {{- template "peers" .ingress }}
{{- template "peer" $ingress }} {{- template "networks" .ingress }}
{{- template "ports" $ingress.Ports }}
{{- end }}
{{- range $ingress := .ingress.Networks }}
- ipBlock:
cidr: {{ $ingress.CIDR}}
except:
{{- range $except := $ingress.Except }}
- {{ $except }}
{{- end }}
{{- end }}
{{- end }} {{- end }}
{{- if or .egress.Applications .egress.Networks }}
egress:
tp:
{{- template "peers" .egress }}
{{- template "networks" .egress }}
{{- end }}
THEEND THEEND

11
example/config.yaml
View File

@ -8,6 +8,8 @@ networks:
- 10.0.0.0/8 - 10.0.0.0/8
- 172.16.0.0/12 - 172.16.0.0/12
- 192.168.0.0/16 - 192.168.0.0/16
ports:
- port: 2303
namespaces: namespaces:
@ -20,8 +22,9 @@ namespaces:
# ports when specified at the application level are used when # ports when specified at the application level are used when
# not explicitly mentioned when a link is made # not explicitly mentioned when a link is made
ports: ports:
- 8081 - port: 8081
- 8082 - port: 8082
protocol: UDP
matchLabels: matchLabels:
app: nexus-server app: nexus-server
@ -31,7 +34,9 @@ namespaces:
matchLabels: matchLabels:
app: wamblee-org app: wamblee-org
ports: ports:
- 1000 - port: 1000
- port: 1001
protocol: UDP
communications: communications:
- from: # can we support both string and list of strings? - from: # can we support both string and list of strings?