fixed issues with schema of network policy

also fixed encoding of matahLabels. Now using json format so that it also works for empty maps.
2025-01-03 00:10:32 +01:00 · 2025-01-03 00:10:32 +01:00 · b8dfaa55a4
commit b8dfaa55a4
parent d85baf3beb
6 changed files with 40 additions and 10 deletions
--- a/cmd/policygen/generator.go
+++ b/cmd/policygen/generator.go
@ -13,11 +13,13 @@ type Generator interface {
 type ApplicationPeer struct {
 	Application *Application
 	Ports       []Port
+	Rule        string
 }

 type NetworkPeer struct {
 	Network *Network
 	Ports   []Port
+	Rule    string
 }

 type Peer struct {
@ -103,6 +105,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
 						appPeer = &ApplicationPeer{
 							Application: appTo,
 							Ports:       ports,
+							Rule:        "to",
 						}
 					} else if networkTo != nil {
 						if len(ports) == 0 {
@ -111,6 +114,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
 						networkPeer = &NetworkPeer{
 							Network: networkTo,
 							Ports:   ports,
+							Rule:    "to",
 						}
 					}

@ -129,6 +133,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
 						appPeer = &ApplicationPeer{
 							Application: appFrom,
 							Ports:       ports,
+							Rule:        "from",
 						}
 					} else if networkFrom != nil {
 						if len(ports) == 0 {
@ -137,6 +142,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
 						networkPeer = &NetworkPeer{
 							Network: networkFrom,
 							Ports:   ports,
+							Rule:    "from",
 						}
 					}

--- a/cmd/policygen/main.go
+++ b/cmd/policygen/main.go
@ -25,11 +25,10 @@ func execute(files []string, options *Options) error {
 			return err
 		}
 		config.Update(configNew)
-		err = config.Validate()
-		if err != nil {
-			return fmt.Errorf("Error loading config %s: %w", file, err)
-		}
-		log.Printf("Namespaces %v", config.Namespaces)
+	}
+	err := config.Validate()
+	if err != nil {
+		return fmt.Errorf("Error loading configuration: %w", err)
 	}

 	policyTemplates, err := NewPolicyTemplates()
--- a/cmd/policygen/templates.go
+++ b/cmd/policygen/templates.go
@ -3,6 +3,7 @@ package main
 import (
 	"fmt"
 	"io/fs"
+	"log"
 	"os"
 	"strings"
 	"text/template"
@ -108,7 +109,10 @@ func (t *PolicyTemplates) NamespaceTemplates(policyType string, capabilities []s
 	for _, capability := range capabilities {
 		tmpl := t.templates.Lookup(fmt.Sprintf("templates/%s/namespace/%s.yaml", policyType, capability))
 		if tmpl != nil {
+			log.Printf("Found template for capability '%s'", capability)
 			res = append(res, tmpl)
+		} else {
+			log.Printf("Capability '%s' not found", capability)
 		}
 	}
 	return res
--- a/cmd/policygen/templates/netpol/namespace/dns.yaml
+++ b/cmd/policygen/templates/netpol/namespace/dns.yaml
@ -0,0 +1,19 @@
+{{- if not .Open }}
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-dns-in-namespace
+  namespace: {{ .Name }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - port: 53
+          protocol: TCP
+        - port: 53
+          protocol: UDP
+{{- end }}
--- a/cmd/policygen/templates/netpol/pod/pod.yaml
+++ b/cmd/policygen/templates/netpol/pod/pod.yaml
@ -8,9 +8,10 @@
 {{- end }}
 {{- define "peers" }}
      {{- range .Applications }}
+  - {{.Rule}}:
      # {{ .Application.Namespace.Name }}/{{ .Application.Name }}
      - podSelector:
-          matchLabels: {{ .Application.MatchLabels | toYaml | nindent 12 }}
+          matchLabels: {{ .Application.MatchLabels | toJson }}
        namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: {{ .Application.Namespace.Name }}
@ -22,6 +23,7 @@
 {{- end }}
 {{- define "networks" }}
      {{- range .Networks }}
+  - {{.Rule}}:
      # {{ .Network.Name }}
      - ipBlock:
          cidr: {{ .Network.CIDR}}
@ -46,7 +48,8 @@ metadata:
  labels: {{ .labels | toYaml | nindent 4 }}
 spec:
  # {{ .app.Namespace.Name }}/{{ .app.Name }}
-  podSelector: {{ .app.MatchLabels | toYaml | nindent 4 }}
+  podSelector:
+    matchLabels: {{ .app.MatchLabels | toJson }}
  policyTypes:
    {{- if or .ingress.Applications .ingress.Networks }}
    - Ingress
@ -57,14 +60,12 @@ spec:

  {{- if or .ingress.Applications .ingress.Networks }}
  ingress:
-    from:
      {{- template "peers" .ingress }}
      {{- template "networks" .ingress }}
  {{- end }}

  {{- if or .egress.Applications .egress.Networks }}
  egress:
-    to:
      {{- template "peers" .egress }}
      {{- template "networks" .egress }}
  {{- end }}
--- a/example/config.yaml
+++ b/example/config.yaml
@ -16,7 +16,8 @@ namespaces:
  - name: wamblee-org
    #open: true
    capabilities:
-      - linkerd
+      - linkerdd
+      - dns
    applications:
      - name: nexus-server
        # ports when specified at the application level are used when