fixed issues with schema of network policy
Also fixed encoding of matchLabels. Now using JSON format so that it also works for empty maps.
parent
d85baf3beb
commit
b8dfaa55a4
@ -13,11 +13,13 @@ type Generator interface {
|
||||
type ApplicationPeer struct {
|
||||
Application *Application
|
||||
Ports []Port
|
||||
Rule string
|
||||
}
|
||||
|
||||
type NetworkPeer struct {
|
||||
Network *Network
|
||||
Ports []Port
|
||||
Rule string
|
||||
}
|
||||
|
||||
type Peer struct {
|
||||
@ -103,6 +105,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
|
||||
appPeer = &ApplicationPeer{
|
||||
Application: appTo,
|
||||
Ports: ports,
|
||||
Rule: "to",
|
||||
}
|
||||
} else if networkTo != nil {
|
||||
if len(ports) == 0 {
|
||||
@ -111,6 +114,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
|
||||
networkPeer = &NetworkPeer{
|
||||
Network: networkTo,
|
||||
Ports: ports,
|
||||
Rule: "to",
|
||||
}
|
||||
}
|
||||
|
||||
@ -129,6 +133,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
|
||||
appPeer = &ApplicationPeer{
|
||||
Application: appFrom,
|
||||
Ports: ports,
|
||||
Rule: "from",
|
||||
}
|
||||
} else if networkFrom != nil {
|
||||
if len(ports) == 0 {
|
||||
@ -137,6 +142,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
|
||||
networkPeer = &NetworkPeer{
|
||||
Network: networkFrom,
|
||||
Ports: ports,
|
||||
Rule: "from",
|
||||
}
|
||||
}
|
||||
|
||||
|
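Review bot: `Rule string` on ApplicationPeer and NetworkPeer is a free-form string that the template splices verbatim into a YAML key, and the four constructor sites (`Rule: "to"` and `Rule: "from"` in the Generate hunks of this section) are the only thing keeping it to the two values a NetworkPolicy accepts. A named type with constants, `type Rule string` and `const ( RuleFrom Rule = "from"; RuleTo Rule = "to" )`, would turn an accidental third value into a compile error instead of an invalid manifest; the same applies to all four Generate hunks, so it is noted once here. The exported fields also lack doc comments, e.g. `// Rule is the NetworkPolicy direction this peer belongs to: "from" for ingress, "to" for egress.` Generate starts and ends outside the hunks shown.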
@ -25,11 +25,10 @@ func execute(files []string, options *Options) error {
|
||||
return err
|
||||
}
|
||||
config.Update(configNew)
|
||||
err = config.Validate()
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error loading config %s: %w", file, err)
|
||||
}
|
||||
log.Printf("Namespaces %v", config.Namespaces)
|
||||
}
|
||||
err := config.Validate()
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error loading configuration: %w", err)
|
||||
}
|
||||
|
||||
policyTemplates, err := NewPolicyTemplates()
|
||||
|
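Review bot: The wrapped error strings in this hunk are capitalised and prefixed with `Error`, which reads doubly once chained (`…: Error loading configuration: …`); Go convention is a lowercase message naming what this layer was doing, e.g. `return fmt.Errorf("loading config %q: %w", file, err)` and `return fmt.Errorf("loading configuration: %w", err)`. The `%q` verb also makes an empty or whitespace-only file name visible in the log. Whether the per-file `config.Validate()` survives next to the post-loop one cannot be told from the rendered hunk; if only the merged configuration is validated, an individually invalid file is now caught only after `config.Update(configNew)` has already merged it. execute's body continues outside the hunk.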
@ -3,6 +3,7 @@ package main
|
||||
import (
|
||||
"fmt"
|
||||
"io/fs"
|
||||
"log"
|
||||
"os"
|
||||
"strings"
|
||||
"text/template"
|
||||
@ -108,7 +109,10 @@ func (t *PolicyTemplates) NamespaceTemplates(policyType string, capabilities []s
|
||||
for _, capability := range capabilities {
|
||||
tmpl := t.templates.Lookup(fmt.Sprintf("templates/%s/namespace/%s.yaml", policyType, capability))
|
||||
if tmpl != nil {
|
||||
log.Printf("Found template for capability '%s'", capability)
|
||||
res = append(res, tmpl)
|
||||
} else {
|
||||
log.Printf("Capability '%s' not found", capability)
|
||||
}
|
||||
}
|
||||
return res
|
||||
|
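Review bot: A capability named in the config that has no matching template is only logged via `log.Printf("Capability '%s' not found", capability)` and silently dropped from `res`, so a misspelled capability yields a namespace without the intended policy and the only trace is a log line; the example config in this same commit lists both `linkerd` and `linkerdd`, which looks like exactly that case (which of those lines survives on the new side is not recoverable from the rendered hunk). For a policy generator that is a fail-silent path: prefer returning an error from NamespaceTemplates, or, if its return type (cut off in the hunk header) cannot change, reject unknown capabilities in `config.Validate()` so generation stops before a partial policy set is written. Minor: `%q` instead of `'%s'` in both messages shows empty values and escapes. The function's signature and the start of its body lie outside the hunk.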
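--- /dev/null
+++ b/cmd/policygen/templates/netpol/namespace/dns.yaml
@@ -0,0 +1,19 @@
+{{- if not .Open }}
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-dns-in-namespace
+  namespace: {{ .Name }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - ports:
+    - port: 53
+      protocol: TCP
+    - port: 53
+      protocol: UDP
+{{- end }}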
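Review bot: The egress rule allows 53/TCP and 53/UDP to any destination, because the `- ports:` entry at the end of the file carries no `to:` selector; that permits DNS traffic to arbitrary cluster and external addresses, which is broader than "allow in-namespace DNS" and is the path DNS-tunnelling exfiltration relies on. Scoping the rule to the cluster resolver keeps the policy's intent while still working with the namespace-wide `podSelector: {}`. The exact selector depends on how DNS is deployed in the target cluster; `k8s-app: kube-dns` is the label carried by the stock kube-dns/CoreDNS deployment, so treat it as a value to confirm per cluster.
```yaml
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    # … unchanged: the two port 53 TCP/UDP entries …
```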
@ -8,9 +8,10 @@
|
||||
{{- end }}
|
||||
{{- define "peers" }}
|
||||
{{- range .Applications }}
|
||||
- {{.Rule}}:
|
||||
# {{ .Application.Namespace.Name }}/{{ .Application.Name }}
|
||||
- podSelector:
|
||||
matchLabels: {{ .Application.MatchLabels | toYaml | nindent 12 }}
|
||||
matchLabels: {{ .Application.MatchLabels | toJson }}
|
||||
namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: {{ .Application.Namespace.Name }}
|
||||
@ -22,6 +23,7 @@
|
||||
{{- end }}
|
||||
{{- define "networks" }}
|
||||
{{- range .Networks }}
|
||||
- {{.Rule}}:
|
||||
# {{ .Network.Name }}
|
||||
- ipBlock:
|
||||
cidr: {{ .Network.CIDR}}
|
||||
@ -46,7 +48,8 @@ metadata:
|
||||
labels: {{ .labels | toYaml | nindent 4 }}
|
||||
spec:
|
||||
# {{ .app.Namespace.Name }}/{{ .app.Name }}
|
||||
podSelector: {{ .app.MatchLabels | toYaml | nindent 4 }}
|
||||
podSelector:
|
||||
matchLabels: {{ .app.MatchLabels | toJson }}
|
||||
policyTypes:
|
||||
{{- if or .ingress.Applications .ingress.Networks }}
|
||||
- Ingress
|
||||
@ -57,14 +60,12 @@ spec:
|
||||
|
||||
{{- if or .ingress.Applications .ingress.Networks }}
|
||||
ingress:
|
||||
from:
|
||||
{{- template "peers" .ingress }}
|
||||
{{- template "networks" .ingress }}
|
||||
{{- end }}
|
||||
|
||||
{{- if or .egress.Applications .egress.Networks }}
|
||||
egress:
|
||||
to:
|
||||
{{- template "peers" .egress }}
|
||||
{{- template "networks" .egress }}
|
||||
{{- end }}
|
||||
|
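Review bot: `matchLabels: {{ .Application.MatchLabels | toJson }}` in the peers hunk and `matchLabels: {{ .app.MatchLabels | toJson }}` in the spec hunk now render an empty map as `{}`, and in a NetworkPolicy an empty `matchLabels` selects every pod, so an application with no labels configured silently widens the peer rule to the whole source namespace and the policy's own podSelector to every pod in the target namespace. If an empty label set is not meant as a deliberate "all pods" wildcard, `config.Validate()` should reject an application whose MatchLabels is empty; otherwise a template comment beside each selector, `# empty matchLabels selects every pod in the namespace`, would at least make the rendered manifest self-explaining. The generated YAML also depends on the indentation of `- podSelector:` relative to `- {{.Rule}}:`, which the rendered page does not preserve, so that nesting could not be checked here. The define blocks enclosing the first two hunks start outside them.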
@ -16,7 +16,8 @@ namespaces:
|
||||
- name: wamblee-org
|
||||
#open: true
|
||||
capabilities:
|
||||
- linkerd
|
||||
- linkerdd
|
||||
- dns
|
||||
applications:
|
||||
- name: nexus-server
|
||||
# ports when specified at the application level are used when
|
||||
|