diff --git a/cmd/policygen/config.go b/cmd/policygen/config.go index 9e7c8ae..398f05a 100644 --- a/cmd/policygen/config.go +++ b/cmd/policygen/config.go @@ -54,11 +54,18 @@ type Network struct { Ports []Port `yaml:"ports,omitempty" validate:"dive,required"` } +type MatchExpression struct { + Key string `json:"key" yaml:"key" validate:"required"` + Operator string `json:"operator" yaml:"operator" validate:"oneof=In NotIn Exists DoesNotExist"` + Values []string `json:"values" yaml:"values"` +} + type Application struct { - Name string `yaml:"name"` - Ports []Port `yaml:"ports,omitempty"` - MatchLabels map[string]string `yaml:"matchLabels"` - Namespace *Namespace `yaml:"-" validate:"-"` + Name string `yaml:"name"` + Ports []Port `yaml:"ports,omitempty"` + MatchLabels map[string]string `yaml:"matchLabels"` + MatchExpressions []MatchExpression `yaml:"matchExpressions" validate:"omitempty,dive"` + Namespace *Namespace `yaml:"-" validate:"-"` } type Namespace struct { @@ -138,12 +145,12 @@ func (c Config) Validate() error { for _, communication := range c.Communications { for _, from := range communication.From { if !apps[from] { - errs = append(errs, fmt.Errorf("Application does not exist: %s referenced in a communication (%+v)", from, communication)) + errs = append(errs, fmt.Errorf("Application does not exist: '%s' referenced in a communication (%+v)", from, communication)) } } for _, to := range communication.To { if !apps[to] { - errs = append(errs, fmt.Errorf("Application does not exist: %s referenced in a communication (%+v)", to, communication)) + errs = append(errs, fmt.Errorf("Application does not exist: '%s' referenced in a communication (%+v)", to, communication)) } } } diff --git a/cmd/policygen/templates/netpol/pod/apiserver.yaml b/cmd/policygen/templates/netpol/pod/apiserver.yaml index 991f3fe..4043917 100644 --- a/cmd/policygen/templates/netpol/pod/apiserver.yaml +++ b/cmd/policygen/templates/netpol/pod/apiserver.yaml @@ -5,9 +5,11 @@ apiVersion: cilium.io/v2 metadata: name: {{.app.Name}}-apiserver namespace: {{.app.Namespace.Name}} - labels: {{ .labels | toYaml | nindent 4 }} + labels: {{ .labels | toJson }} spec: - endpointSelector: {{ .app.MatchLabels | toYaml | nindent 4 }} + endpointSelector: + matchLabels: {{ .app.MatchLabels | toJson }} + matchExpressions: {{ .app.MatchExpressions | toJson }} {{- if .ingress }} ingress: - fromEntities: diff --git a/cmd/policygen/templates/netpol/pod/pod.yaml b/cmd/policygen/templates/netpol/pod/pod.yaml index b507142..9e8d400 100644 --- a/cmd/policygen/templates/netpol/pod/pod.yaml +++ b/cmd/policygen/templates/netpol/pod/pod.yaml @@ -12,6 +12,7 @@ # {{ .Application.Namespace.Name }}/{{ .Application.Name }} - podSelector: matchLabels: {{ .Application.MatchLabels | toJson }} + matchExpressions: {{ .Application.MatchExpressions | toJson }} namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{ .Application.Namespace.Name }} @@ -45,11 +46,12 @@ apiVersion: networking.k8s.io/v1 metadata: name: "{{.app.Name}}" namespace: "{{.app.Namespace.Name }}" - labels: {{ .labels | toYaml | nindent 4 }} + labels: {{ .labels | toJson }} spec: # {{ .app.Namespace.Name }}/{{ .app.Name }} podSelector: matchLabels: {{ .app.MatchLabels | toJson }} + matchExpressions: {{ .app.MatchExpressions | toJson }} policyTypes: {{- if or .ingress.Applications .ingress.Networks }} - Ingress diff --git a/example/config.yaml b/example/config.yaml index 450fc97..757dc49 100644 --- a/example/config.yaml +++ b/example/config.yaml @@ -28,6 +28,10 @@ namespaces: protocol: UDP matchLabels: app: nexus-server + matchExpressions: + - key: jenkins/label + operator: Exists + - name: exposure open: false