addes support for matchExpressions

cmd/policygen/config.go

@@ -54,10 +54,17 @@ type Network struct {
 	Ports  []Port `yaml:"ports,omitempty"  validate:"dive,required"`
 }
 
+type MatchExpression struct {
+	Key      string   `json:"key" yaml:"key" validate:"required"`
+	Operator string   `json:"operator" yaml:"operator" validate:"oneof=In NotIn Exists DoesNotExist"`
+	Values   []string `json:"values" yaml:"values"`
+}
+
 type Application struct {
 	Name             string            `yaml:"name"`
 	Ports            []Port            `yaml:"ports,omitempty"`
 	MatchLabels      map[string]string `yaml:"matchLabels"`
+	MatchExpressions []MatchExpression `yaml:"matchExpressions" validate:"omitempty,dive"`
 	Namespace        *Namespace        `yaml:"-" validate:"-"`
 }
 
@@ -138,12 +145,12 @@ func (c Config) Validate() error {
 	for _, communication := range c.Communications {
 		for _, from := range communication.From {
 			if !apps[from] {
-				errs = append(errs, fmt.Errorf("Application does not exist: %s referenced in a communication (%+v)", from, communication))
+				errs = append(errs, fmt.Errorf("Application does not exist: '%s' referenced in a communication (%+v)", from, communication))
 			}
 		}
 		for _, to := range communication.To {
 			if !apps[to] {
-				errs = append(errs, fmt.Errorf("Application does not exist: %s referenced in a communication (%+v)", to, communication))
+				errs = append(errs, fmt.Errorf("Application does not exist: '%s' referenced in a communication (%+v)", to, communication))
 			}
 		}
 	}

cmd/policygen/templates/netpol/pod/apiserver.yaml

@@ -5,9 +5,11 @@ apiVersion: cilium.io/v2
 metadata:
   name: {{.app.Name}}-apiserver
   namespace: {{.app.Namespace.Name}}
-  labels: {{ .labels | toYaml | nindent 4 }}
+  labels: {{ .labels | toJson }}
 spec:
-  endpointSelector: {{ .app.MatchLabels | toYaml | nindent 4 }}
+  endpointSelector:
+    matchLabels: {{ .app.MatchLabels | toJson }}
+    matchExpressions: {{ .app.MatchExpressions | toJson }}
   {{- if .ingress }}
   ingress:
   - fromEntities:

cmd/policygen/templates/netpol/pod/pod.yaml

@@ -12,6 +12,7 @@
       # {{ .Application.Namespace.Name }}/{{ .Application.Name }}
       - podSelector:
           matchLabels: {{ .Application.MatchLabels | toJson }}
+          matchExpressions: {{ .Application.MatchExpressions | toJson }}
         namespaceSelector:
           matchLabels:
             kubernetes.io/metadata.name: {{ .Application.Namespace.Name }}
@@ -45,11 +46,12 @@ apiVersion: networking.k8s.io/v1
 metadata:
   name: "{{.app.Name}}"
   namespace: "{{.app.Namespace.Name }}"
-  labels: {{ .labels | toYaml | nindent 4 }}
+  labels: {{ .labels | toJson }}
 spec:
   # {{ .app.Namespace.Name }}/{{ .app.Name }}
   podSelector:
     matchLabels: {{ .app.MatchLabels | toJson }}
+    matchExpressions: {{ .app.MatchExpressions | toJson }}
   policyTypes:
     {{- if or .ingress.Applications .ingress.Networks }}
     - Ingress

example/config.yaml

@@ -28,6 +28,10 @@ namespaces:
             protocol: UDP
         matchLabels:
           app: nexus-server
+        matchExpressions:
+          - key: jenkins/label
+            operator: Exists
+
 
   - name: exposure
     open: false