addes support for matchExpressions

2025-01-03 17:59:11 +01:00 · 2025-01-03 17:59:11 +01:00 · 852833764c
commit 852833764c
parent 8c229f7a93
4 changed files with 24 additions and 9 deletions
--- a/cmd/policygen/config.go
+++ b/cmd/policygen/config.go
@ -54,11 +54,18 @@ type Network struct {
 	Ports  []Port `yaml:"ports,omitempty"  validate:"dive,required"`
 }

+type MatchExpression struct {
+	Key      string   `json:"key" yaml:"key" validate:"required"`
+	Operator string   `json:"operator" yaml:"operator" validate:"oneof=In NotIn Exists DoesNotExist"`
+	Values   []string `json:"values" yaml:"values"`
+}
+
 type Application struct {
-	Name        string            `yaml:"name"`
-	Ports       []Port            `yaml:"ports,omitempty"`
-	MatchLabels map[string]string `yaml:"matchLabels"`
-	Namespace   *Namespace        `yaml:"-" validate:"-"`
+	Name             string            `yaml:"name"`
+	Ports            []Port            `yaml:"ports,omitempty"`
+	MatchLabels      map[string]string `yaml:"matchLabels"`
+	MatchExpressions []MatchExpression `yaml:"matchExpressions" validate:"omitempty,dive"`
+	Namespace        *Namespace        `yaml:"-" validate:"-"`
 }

 type Namespace struct {
@ -138,12 +145,12 @@ func (c Config) Validate() error {
 	for _, communication := range c.Communications {
 		for _, from := range communication.From {
 			if !apps[from] {
-				errs = append(errs, fmt.Errorf("Application does not exist: %s referenced in a communication (%+v)", from, communication))
+				errs = append(errs, fmt.Errorf("Application does not exist: '%s' referenced in a communication (%+v)", from, communication))
 			}
 		}
 		for _, to := range communication.To {
 			if !apps[to] {
-				errs = append(errs, fmt.Errorf("Application does not exist: %s referenced in a communication (%+v)", to, communication))
+				errs = append(errs, fmt.Errorf("Application does not exist: '%s' referenced in a communication (%+v)", to, communication))
 			}
 		}
 	}
--- a/cmd/policygen/templates/netpol/pod/apiserver.yaml
+++ b/cmd/policygen/templates/netpol/pod/apiserver.yaml
@ -5,9 +5,11 @@ apiVersion: cilium.io/v2
 metadata:
  name: {{.app.Name}}-apiserver
  namespace: {{.app.Namespace.Name}}
-  labels: {{ .labels | toYaml | nindent 4 }}
+  labels: {{ .labels | toJson }}
 spec:
-  endpointSelector: {{ .app.MatchLabels | toYaml | nindent 4 }}
+  endpointSelector:
+    matchLabels: {{ .app.MatchLabels | toJson }}
+    matchExpressions: {{ .app.MatchExpressions | toJson }}
  {{- if .ingress }}
  ingress:
  - fromEntities:
--- a/cmd/policygen/templates/netpol/pod/pod.yaml
+++ b/cmd/policygen/templates/netpol/pod/pod.yaml
@ -12,6 +12,7 @@
      # {{ .Application.Namespace.Name }}/{{ .Application.Name }}
      - podSelector:
          matchLabels: {{ .Application.MatchLabels | toJson }}
+          matchExpressions: {{ .Application.MatchExpressions | toJson }}
        namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: {{ .Application.Namespace.Name }}
@ -45,11 +46,12 @@ apiVersion: networking.k8s.io/v1
 metadata:
  name: "{{.app.Name}}"
  namespace: "{{.app.Namespace.Name }}"
-  labels: {{ .labels | toYaml | nindent 4 }}
+  labels: {{ .labels | toJson }}
 spec:
  # {{ .app.Namespace.Name }}/{{ .app.Name }}
  podSelector:
    matchLabels: {{ .app.MatchLabels | toJson }}
+    matchExpressions: {{ .app.MatchExpressions | toJson }}
  policyTypes:
    {{- if or .ingress.Applications .ingress.Networks }}
    - Ingress
--- a/example/config.yaml
+++ b/example/config.yaml
@ -28,6 +28,10 @@ namespaces:
            protocol: UDP
        matchLabels:
          app: nexus-server
+        matchExpressions:
+          - key: jenkins/label
+            operator: Exists
+

  - name: exposure
    open: false