Ports specified at communications now override the default ports of

the application. Also added some comments to the generated output.
2025-01-02 22:49:47 +01:00 · 2025-01-02 22:49:47 +01:00 · eba04ec132
commit eba04ec132
parent 01700876cf
4 changed files with 75 additions and 16 deletions
--- a/cmd/policygen/config.go
+++ b/cmd/policygen/config.go
@ -69,7 +69,7 @@ type Namespace struct {
 type Communication struct {
 	From  []string `yaml:"from"`
 	To    []string `yaml:"to"`
-	Ports []string `yaml:"ports"`
+	Ports []Port   `yaml:"ports"`
 }

 // Config represents the top-level YAML structure
--- a/cmd/policygen/generator.go
+++ b/cmd/policygen/generator.go
@ -10,13 +10,23 @@ type Generator interface {
 	GenerateCommunicationRule(writer io.Writer, app *Application, ingress *Ingress, egress *Egress) error
 }

+type ApplicationPeer struct {
+	Application *Application
+	Ports       []Port
+}
+
+type NetworkPeer struct {
+	Network *Network
+	Ports   []Port
+}
+
 type Peer struct {
-	Applications []*Application
-	Networks     []*Network
+	Applications []*ApplicationPeer
+	Networks     []*NetworkPeer
 	Predefined   []string
 }

-func (p *Peer) append(app *Application, network *Network, predefined string) {
+func (p *Peer) append(app *ApplicationPeer, network *NetworkPeer, predefined string) {
 	if app != nil {
 		p.Applications = append(p.Applications, app)
 	}
@ -35,10 +45,10 @@ func (p *Peer) Empty() bool {
 func (p Peer) String() string {
 	res := ""
 	for _, app := range p.Applications {
-		res += "app:" + app.Name + " "
+		res += "app:" + app.Application.Name + " "
 	}
 	for _, net := range p.Networks {
-		res += "net:" + net.Name + " "
+		res += "net:" + net.Network.Name + " "
 	}
 	for _, pre := range p.Predefined {
 		res += "pre:" + pre + " "
@ -83,14 +93,56 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
 			for _, to := range communication.To {
 				appTo, networkTo, predefinedTo := config.GetApplication(to)
 				if appFrom != nil {
-					// we have an egress
+					// we have an egress from appFrom
 					egress := egresses[from]
-					egress.append(appTo, networkTo, predefinedTo)
+					ports := communication.Ports
+					var appPeer *ApplicationPeer = nil
+					var networkPeer *NetworkPeer = nil
+					if appTo != nil {
+						if len(ports) == 0 {
+							ports = appTo.Ports
+						}
+						appPeer = &ApplicationPeer{
+							Application: appTo,
+							Ports:       ports,
+						}
+					} else if networkTo != nil {
+						if len(ports) == 0 {
+							ports = networkTo.Ports
+						}
+						networkPeer = &NetworkPeer{
+							Network: networkTo,
+							Ports:   ports,
+						}
+					}
+
+					egress.append(appPeer, networkPeer, predefinedTo)
 				}
 				if appTo != nil {
-					// we have an ingress
+					// we have an ingress on appTo
 					ingress := ingresses[to]
-					ingress.append(appFrom, networkFrom, predefinedFrom)
+					ports := communication.Ports
+					var appPeer *ApplicationPeer = nil
+					var networkPeer *NetworkPeer = nil
+					if appFrom != nil {
+						if len(ports) == 0 {
+							ports = appTo.Ports
+						}
+						appPeer = &ApplicationPeer{
+							Application: appFrom,
+							Ports:       ports,
+						}
+					} else if networkFrom != nil {
+						if len(ports) == 0 {
+							ports = appTo.Ports
+						}
+						networkPeer = &NetworkPeer{
+							Network: networkFrom,
+							Ports:   ports,
+						}
+					}
+
+					ingress.append(appPeer, networkPeer, predefinedFrom)
 				}
 			}
 		}
--- a/cmd/policygen/templates/netpol/pod/pod.yaml
+++ b/cmd/policygen/templates/netpol/pod/pod.yaml
@ -8,11 +8,12 @@
 {{- end }}
 {{- define "peers" }}
      {{- range .Applications }}
+      # {{ .Application.Namespace.Name }}/{{ .Application.Name }}
      - podSelector:
-          matchLabels: {{ .MatchLabels | toYaml | nindent 12 }}
+          matchLabels: {{ .Application.MatchLabels | toYaml | nindent 12 }}
        namespaceSelector:
          matchLabels:
-            kubernetes.io/metadata.name: {{ .Namespace.Name }}
+            kubernetes.io/metadata.name: {{ .Application.Namespace.Name }}
        {{- if .Ports }}
        ports:
          {{- template "ports" .Ports }}
@ -21,10 +22,11 @@
 {{- end }}
 {{- define "networks" }}
      {{- range .Networks }}
+      # {{ .Network.Name }}
      - ipBlock:
-          cidr: {{ .CIDR}}
+          cidr: {{ .Network.CIDR}}
          except:
-          {{- range $except := .Except }}
+          {{- range $except := .Network.Except }}
          - {{ $except }}
          {{- end }}
        {{- if .Ports }}
@ -43,6 +45,7 @@ metadata:
  namespace: "{{.app.Namespace.Name }}"
  labels: {{ .labels | toYaml | nindent 4 }}
 spec:
+  # {{ .app.Namespace.Name }}/{{ .app.Name }}
  podSelector: {{ .app.MatchLabels | toYaml | nindent 4 }}
  policyTypes:
    {{- if or .ingress.Applications .ingress.Networks }}
--- a/example/config.yaml
+++ b/example/config.yaml
@ -42,10 +42,14 @@ namespaces:
 communications:
  - from: # can we support both string and list of strings?
      - httpd-wamblee-org
-      - internet
-      - apiserver
+      #- internet
+      #- apiserver
    to:
      - nexus-server
+      - internet
+    ports:
+      - port: 53
+        protocol: UDP


 #  # or limiting ports further