fixed issues with schema of network policy
Also fixed encoding of matchLabels. Now using JSON format so that it also works for empty maps.
This commit is contained in:
parent
d85baf3beb
commit
b8dfaa55a4
@ -13,11 +13,13 @@ type Generator interface {
|
|||||||
type ApplicationPeer struct {
|
type ApplicationPeer struct {
|
||||||
Application *Application
|
Application *Application
|
||||||
Ports []Port
|
Ports []Port
|
||||||
|
Rule string
|
||||||
}
|
}
|
||||||
|
|
||||||
type NetworkPeer struct {
|
type NetworkPeer struct {
|
||||||
Network *Network
|
Network *Network
|
||||||
Ports []Port
|
Ports []Port
|
||||||
|
Rule string
|
||||||
}
|
}
|
||||||
|
|
||||||
type Peer struct {
|
type Peer struct {
|
||||||
@ -103,6 +105,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
|
|||||||
appPeer = &ApplicationPeer{
|
appPeer = &ApplicationPeer{
|
||||||
Application: appTo,
|
Application: appTo,
|
||||||
Ports: ports,
|
Ports: ports,
|
||||||
|
Rule: "to",
|
||||||
}
|
}
|
||||||
} else if networkTo != nil {
|
} else if networkTo != nil {
|
||||||
if len(ports) == 0 {
|
if len(ports) == 0 {
|
||||||
@ -111,6 +114,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
|
|||||||
networkPeer = &NetworkPeer{
|
networkPeer = &NetworkPeer{
|
||||||
Network: networkTo,
|
Network: networkTo,
|
||||||
Ports: ports,
|
Ports: ports,
|
||||||
|
Rule: "to",
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -129,6 +133,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
|
|||||||
appPeer = &ApplicationPeer{
|
appPeer = &ApplicationPeer{
|
||||||
Application: appFrom,
|
Application: appFrom,
|
||||||
Ports: ports,
|
Ports: ports,
|
||||||
|
Rule: "from",
|
||||||
}
|
}
|
||||||
} else if networkFrom != nil {
|
} else if networkFrom != nil {
|
||||||
if len(ports) == 0 {
|
if len(ports) == 0 {
|
||||||
@ -137,6 +142,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
|
|||||||
networkPeer = &NetworkPeer{
|
networkPeer = &NetworkPeer{
|
||||||
Network: networkFrom,
|
Network: networkFrom,
|
||||||
Ports: ports,
|
Ports: ports,
|
||||||
|
Rule: "from",
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
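Review bot: `Rule` is a free-form string that the netpol template emits directly as the YAML key of each rule (`- {{.Rule}}:`), so only "from" and "to" produce a valid NetworkPolicy, yet the four construction sites in the `Generate` hunks (`Rule: "to"` twice, `Rule: "from"` twice) repeat the literal with no shared definition. Declaring them once, e.g. `const (ruleFrom = "from"; ruleTo = "to")` in this file and writing `Rule: ruleTo` / `Rule: ruleFrom`, keeps a typo from silently rendering a key the API server rejects. The new struct field also lacks a doc comment; `// Rule is the NetworkPolicy rule key this peer is rendered under: "from" for ingress peers, "to" for egress peers.` on `ApplicationPeer.Rule` and `NetworkPeer.Rule` would say what the template expects. `Generate` starts and ends outside these hunks.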
|
@ -25,11 +25,10 @@ func execute(files []string, options *Options) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
config.Update(configNew)
|
config.Update(configNew)
|
||||||
err = config.Validate()
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("Error loading config %s: %w", file, err)
|
|
||||||
}
|
}
|
||||||
log.Printf("Namespaces %v", config.Namespaces)
|
err := config.Validate()
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Error loading configuration: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
policyTemplates, err := NewPolicyTemplates()
|
policyTemplates, err := NewPolicyTemplates()
|
||||||
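Review bot: The error string added on the new side, `Error loading configuration: %w`, is capitalised and prefixed with "Error", which Go convention avoids because the text is wrapped into a chain; `return fmt.Errorf("validating configuration: %w", err)` reads better. Moving `Validate()` after the loop is the right place to validate the merged config, but the per-file context the old message carried is gone, so the validation error itself now has to name the offending namespace or application for the message to stay actionable. The `log.Printf("Namespaces %v", config.Namespaces)` line prints the whole merged namespace configuration at the default log level on every run; if it is a debug aid, log only the names or gate it behind a verbose option. `execute` continues outside the hunk on both sides.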
|
@ -3,6 +3,7 @@ package main
|
|||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/fs"
|
"io/fs"
|
||||||
|
"log"
|
||||||
"os"
|
"os"
|
||||||
"strings"
|
"strings"
|
||||||
"text/template"
|
"text/template"
|
||||||
@ -108,7 +109,10 @@ func (t *PolicyTemplates) NamespaceTemplates(policyType string, capabilities []s
|
|||||||
for _, capability := range capabilities {
|
for _, capability := range capabilities {
|
||||||
tmpl := t.templates.Lookup(fmt.Sprintf("templates/%s/namespace/%s.yaml", policyType, capability))
|
tmpl := t.templates.Lookup(fmt.Sprintf("templates/%s/namespace/%s.yaml", policyType, capability))
|
||||||
if tmpl != nil {
|
if tmpl != nil {
|
||||||
|
log.Printf("Found template for capability '%s'", capability)
|
||||||
res = append(res, tmpl)
|
res = append(res, tmpl)
|
||||||
|
} else {
|
||||||
|
log.Printf("Capability '%s' not found", capability)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return res
|
return res
|
||||||
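Review bot: A capability with no template is now only logged (`Capability '%s' not found`) and then dropped, so a misspelled capability in a namespace definition yields a namespace whose policy is silently missing — a fail-open outcome for a tool whose job is to emit network restrictions. Rejecting unknown capabilities up front (in `config.Validate()` against the embedded template set, or by having this method return an error) would turn the typo into a hard failure; as a minimum the log line should be unmistakable, e.g. `log.Printf("WARNING: no %s template for capability %q, skipping", policyType, capability)`. Prefer `%q` over `'%s'` in both new log lines so that empty or whitespace-only names are visible. The return type of `NamespaceTemplates` lies outside the hunk, so whether an error can be added to it cannot be confirmed from here.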
|
19
cmd/policygen/templates/netpol/namespace/dns.yaml
Normal file
19
cmd/policygen/templates/netpol/namespace/dns.yaml
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
{{- if not .Open }}
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: NetworkPolicy
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: allow-dns-in-namespace
|
||||||
|
namespace: {{ .Name }}
|
||||||
|
spec:
|
||||||
|
podSelector: {}
|
||||||
|
policyTypes:
|
||||||
|
- Egress
|
||||||
|
egress:
|
||||||
|
- ports:
|
||||||
|
- port: 53
|
||||||
|
protocol: TCP
|
||||||
|
- port: 53
|
||||||
|
protocol: UDP
|
||||||
|
{{- end }}
|
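Review bot: The single egress rule in the new `dns.yaml` carries `ports` but no `to:` selector, so it permits port 53 TCP and UDP to every destination inside and outside the cluster, not just the cluster resolver; a policy named `allow-dns-in-namespace` reads as narrower than that. Scoping the rule to the DNS pods with a `to:` block (below) keeps a non-open namespace from gaining a general port-53 egress channel. The selector labels depend on how DNS is deployed in the cluster and need to be confirmed, and the indentation shown here is as rendered by the forge, so it is not a reliable guide to the file's actual nesting.
```yaml
egress:
  - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns  # confirm: label of the cluster's DNS pods
    # … unchanged: ports 53/TCP and 53/UDP …
```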
@ -8,9 +8,10 @@
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- define "peers" }}
|
{{- define "peers" }}
|
||||||
{{- range .Applications }}
|
{{- range .Applications }}
|
||||||
|
- {{.Rule}}:
|
||||||
# {{ .Application.Namespace.Name }}/{{ .Application.Name }}
|
# {{ .Application.Namespace.Name }}/{{ .Application.Name }}
|
||||||
- podSelector:
|
- podSelector:
|
||||||
matchLabels: {{ .Application.MatchLabels | toYaml | nindent 12 }}
|
matchLabels: {{ .Application.MatchLabels | toJson }}
|
||||||
namespaceSelector:
|
namespaceSelector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
kubernetes.io/metadata.name: {{ .Application.Namespace.Name }}
|
kubernetes.io/metadata.name: {{ .Application.Namespace.Name }}
|
||||||
@ -22,6 +23,7 @@
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- define "networks" }}
|
{{- define "networks" }}
|
||||||
{{- range .Networks }}
|
{{- range .Networks }}
|
||||||
|
- {{.Rule}}:
|
||||||
# {{ .Network.Name }}
|
# {{ .Network.Name }}
|
||||||
- ipBlock:
|
- ipBlock:
|
||||||
cidr: {{ .Network.CIDR}}
|
cidr: {{ .Network.CIDR}}
|
||||||
@ -46,7 +48,8 @@ metadata:
|
|||||||
labels: {{ .labels | toYaml | nindent 4 }}
|
labels: {{ .labels | toYaml | nindent 4 }}
|
||||||
spec:
|
spec:
|
||||||
# {{ .app.Namespace.Name }}/{{ .app.Name }}
|
# {{ .app.Namespace.Name }}/{{ .app.Name }}
|
||||||
podSelector: {{ .app.MatchLabels | toYaml | nindent 4 }}
|
podSelector:
|
||||||
|
matchLabels: {{ .app.MatchLabels | toJson }}
|
||||||
policyTypes:
|
policyTypes:
|
||||||
{{- if or .ingress.Applications .ingress.Networks }}
|
{{- if or .ingress.Applications .ingress.Networks }}
|
||||||
- Ingress
|
- Ingress
|
||||||
@ -57,14 +60,12 @@ spec:
|
|||||||
|
|
||||||
{{- if or .ingress.Applications .ingress.Networks }}
|
{{- if or .ingress.Applications .ingress.Networks }}
|
||||||
ingress:
|
ingress:
|
||||||
from:
|
|
||||||
{{- template "peers" .ingress }}
|
{{- template "peers" .ingress }}
|
||||||
{{- template "networks" .ingress }}
|
{{- template "networks" .ingress }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- if or .egress.Applications .egress.Networks }}
|
{{- if or .egress.Applications .egress.Networks }}
|
||||||
egress:
|
egress:
|
||||||
to:
|
|
||||||
{{- template "peers" .egress }}
|
{{- template "peers" .egress }}
|
||||||
{{- template "networks" .egress }}
|
{{- template "networks" .egress }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
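Review bot: `matchLabels: {{ .Application.MatchLabels | toJson }}` in the `@ -8,9 +8,10` hunk (and the same form for `podSelector` in the `@ -46,7 +48,8` hunk) renders an empty map as `{}` (presumably `null` for a nil map), and in a NetworkPolicy both are the empty selector: in a peer it matches every pod of the peer namespace, and in the top-level `podSelector` it applies the policy to every pod in the namespace. That is the effect the commit intends for empty maps, but it is invisible to someone reading the generated YAML, and a rule meant to be restrictive becomes namespace-wide if `MatchLabels` is accidentally left empty in the config. Either a validation error for an empty application selector, or at least a template comment such as `# empty matchLabels selects all pods in {{ .Application.Namespace.Name }}` beside the selector, would make the widening explicit. Emitting one `- {{.Rule}}:` rule per peer is the right shape for per-peer `ports`, since NetworkPolicy ports belong to the rule rather than to the peer.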
|
@ -16,7 +16,8 @@ namespaces:
|
|||||||
- name: wamblee-org
|
- name: wamblee-org
|
||||||
#open: true
|
#open: true
|
||||||
capabilities:
|
capabilities:
|
||||||
- linkerd
|
- linkerdd
|
||||||
|
- dns
|
||||||
applications:
|
applications:
|
||||||
- name: nexus-server
|
- name: nexus-server
|
||||||
# ports when specified at the application level are used when
|
# ports when specified at the application level are used when
|
||||||
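Review bot: `linkerdd` on the new side looks like a typo for the `linkerd` it replaces; with this commit an unknown capability is only logged by `NamespaceTemplates` and otherwise skipped, so the `wamblee-org` namespace would be generated without its linkerd policy and the only trace is a log line. If the rename is deliberate (for example to exercise the not-found path), a `# intentionally unknown capability` comment on the line would stop the next reader from "fixing" it. The `dns` capability added below it matches the new `netpol/namespace/dns.yaml` template.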
|