public/policy-generator
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Ports specified at communications now override the default ports of

Browse Source 
the application.

Also added some comments to the generated output.
This commit is contained in:
Erik Brakkee 2025-01-02 22:49:47 +01:00
parent 01700876cf
commit eba04ec132
4 changed files with 75 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/policygen/config.go
View File

@ -69,7 +69,7 @@ type Namespace struct {
type Communication struct { type Communication struct {
From []string `yaml:"from"` From []string `yaml:"from"`
To []string `yaml:"to"` To []string `yaml:"to"`
Ports []string `yaml:"ports"` Ports []Port `yaml:"ports"`
} }
// Config represents the top-level YAML structure // Config represents the top-level YAML structure

70
cmd/policygen/generator.go
View File

@ -10,13 +10,23 @@ type Generator interface {
GenerateCommunicationRule(writer io.Writer, app *Application, ingress *Ingress, egress *Egress) error GenerateCommunicationRule(writer io.Writer, app *Application, ingress *Ingress, egress *Egress) error
} }
type ApplicationPeer struct {
Application *Application
Ports []Port
}
type NetworkPeer struct {
Network *Network
Ports []Port
}
type Peer struct { type Peer struct {
Applications []*Application Applications []*ApplicationPeer
Networks []*Network Networks []*NetworkPeer
Predefined []string Predefined []string
} }
func (p *Peer) append(app *Application, network *Network, predefined string) { func (p *Peer) append(app *ApplicationPeer, network *NetworkPeer, predefined string) {
if app != nil { if app != nil {
p.Applications = append(p.Applications, app) p.Applications = append(p.Applications, app)
} }
@ -35,10 +45,10 @@ func (p *Peer) Empty() bool {
func (p Peer) String() string { func (p Peer) String() string {
res := "" res := ""
for _, app := range p.Applications { for _, app := range p.Applications {
res += "app:" + app.Name + " " res += "app:" + app.Application.Name + " "
} }
for _, net := range p.Networks { for _, net := range p.Networks {
res += "net:" + net.Name + " " res += "net:" + net.Network.Name + " "
} }
for _, pre := range p.Predefined { for _, pre := range p.Predefined {
res += "pre:" + pre + " " res += "pre:" + pre + " "
@ -83,14 +93,56 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
for _, to := range communication.To { for _, to := range communication.To {
appTo, networkTo, predefinedTo := config.GetApplication(to) appTo, networkTo, predefinedTo := config.GetApplication(to)
if appFrom != nil { if appFrom != nil {
// we have an egress // we have an egress from appFrom
egress := egresses[from] egress := egresses[from]
egress.append(appTo, networkTo, predefinedTo) ports := communication.Ports
var appPeer *ApplicationPeer = nil
var networkPeer *NetworkPeer = nil
if appTo != nil {
if len(ports) == 0 {
ports = appTo.Ports
}
appPeer = &ApplicationPeer{
Application: appTo,
Ports: ports,
}
} else if networkTo != nil {
if len(ports) == 0 {
ports = networkTo.Ports
}
networkPeer = &NetworkPeer{
Network: networkTo,
Ports: ports,
}
}
egress.append(appPeer, networkPeer, predefinedTo)
} }
if appTo != nil { if appTo != nil {
// we have an ingress // we have an ingress on appTo
ingress := ingresses[to] ingress := ingresses[to]
ingress.append(appFrom, networkFrom, predefinedFrom) ports := communication.Ports
var appPeer *ApplicationPeer = nil
var networkPeer *NetworkPeer = nil
if appFrom != nil {
if len(ports) == 0 {
ports = appTo.Ports
}
appPeer = &ApplicationPeer{
Application: appFrom,
Ports: ports,
}
} else if networkFrom != nil {
if len(ports) == 0 {
ports = appTo.Ports
}
networkPeer = &NetworkPeer{
Network: networkFrom,
Ports: ports,
}
}
ingress.append(appPeer, networkPeer, predefinedFrom)
} }
} }
} }

11
cmd/policygen/templates/netpol/pod/pod.yaml
View File

@ -8,11 +8,12 @@
{{- end }} {{- end }}
{{- define "peers" }} {{- define "peers" }}
{{- range .Applications }} {{- range .Applications }}
# {{ .Application.Namespace.Name }}/{{ .Application.Name }}
- podSelector: - podSelector:
matchLabels: {{ .MatchLabels | toYaml | nindent 12 }} matchLabels: {{ .Application.MatchLabels | toYaml | nindent 12 }}
namespaceSelector: namespaceSelector:
matchLabels: matchLabels:
kubernetes.io/metadata.name: {{ .Namespace.Name }} kubernetes.io/metadata.name: {{ .Application.Namespace.Name }}
{{- if .Ports }} {{- if .Ports }}
ports: ports:
{{- template "ports" .Ports }} {{- template "ports" .Ports }}
@ -21,10 +22,11 @@
{{- end }} {{- end }}
{{- define "networks" }} {{- define "networks" }}
{{- range .Networks }} {{- range .Networks }}
# {{ .Network.Name }}
- ipBlock: - ipBlock:
cidr: {{ .CIDR}} cidr: {{ .Network.CIDR}}
except: except:
{{- range $except := .Except }} {{- range $except := .Network.Except }}
- {{ $except }} - {{ $except }}
{{- end }} {{- end }}
{{- if .Ports }} {{- if .Ports }}
@ -43,6 +45,7 @@ metadata:
namespace: "{{.app.Namespace.Name }}" namespace: "{{.app.Namespace.Name }}"
labels: {{ .labels | toYaml | nindent 4 }} labels: {{ .labels | toYaml | nindent 4 }}
spec: spec:
# {{ .app.Namespace.Name }}/{{ .app.Name }}
podSelector: {{ .app.MatchLabels | toYaml | nindent 4 }} podSelector: {{ .app.MatchLabels | toYaml | nindent 4 }}
policyTypes: policyTypes:
{{- if or .ingress.Applications .ingress.Networks }} {{- if or .ingress.Applications .ingress.Networks }}

8
example/config.yaml
View File

@ -42,10 +42,14 @@ namespaces:
communications: communications:
- from: # can we support both string and list of strings? - from: # can we support both string and list of strings?
- httpd-wamblee-org - httpd-wamblee-org
- internet #- internet
- apiserver #- apiserver
to: to:
- nexus-server - nexus-server
- internet
ports:
- port: 53
protocol: UDP
# # or limiting ports further # # or limiting ports further