diff --git a/pkg/printers/internalversion/describe.go b/pkg/printers/internalversion/describe.go
index d631c0eb9d0..2de100c5208 100644
--- a/pkg/printers/internalversion/describe.go
+++ b/pkg/printers/internalversion/describe.go
@@ -3090,7 +3090,7 @@ func describeNetworkPolicy(networkPolicy *networking.NetworkPolicy) (string, err
 func describeNetworkPolicySpec(nps networking.NetworkPolicySpec, w PrefixWriter) {
 w.Write(LEVEL_0, "Spec:\n")
-w.Write(LEVEL_1, "Pod Selector: ")
+w.Write(LEVEL_1, "PodSelector: ")
 if len(nps.PodSelector.MatchLabels) == 0 && len(nps.PodSelector.MatchExpressions) == 0 {
 w.Write(LEVEL_2, " (Allowing the specific traffic to all pods in this namespace)\n")
 } else {
@@ -3098,11 +3098,14 @@ func describeNetworkPolicySpec(nps networking.NetworkPolicySpec, w PrefixWriter)
 }
 w.Write(LEVEL_1, "Allowing ingress traffic:\n")
 printNetworkPolicySpecIngressFrom(nps.Ingress, " ", w)
+w.Write(LEVEL_1, "Allowing egress traffic:\n")
+printNetworkPolicySpecEgressTo(nps.Egress, " ", w)
+w.Write(LEVEL_1, "Policy Types: %v\n", policyTypesToString(nps.PolicyTypes))
 }
 
 func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRule, initialIndent string, w PrefixWriter) {
 if len(npirs) == 0 {
-w.WriteLine(" (Selected pods are isolated for ingress connectivity)")
+w.Write(LEVEL_0, "%s%s\n", initialIndent, " (Selected pods are isolated for ingress connectivity)")
 return
 }
 for i, npir := range npirs {
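Review bot: The egress section is printed unconditionally, but the isolation wording that printNetworkPolicySpecEgressTo emits for an empty rule list only holds when Egress is listed in nps.PolicyTypes; when PolicyTypes does not include Egress, an empty nps.Egress means the policy places no restriction on egress at all, so an operator auditing the policy with `describe` would see "(Selected pods are isolated for egress connectivity)" and overestimate what the policy enforces. Consider passing `nps.PolicyTypes` (or a boolean derived from it) into the helper and printing a distinct line such as `(Policy does not affect egress)` when Egress is absent; the pre-existing ingress message has the same dependency on PolicyTypes, though the API's default of Ingress makes it less likely to mislead. describeNetworkPolicySpec begins before the second hunk on this line.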
@@ -3125,9 +3128,13 @@ func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRu
 for _, from := range npir.From {
 w.Write(LEVEL_0, "%s", initialIndent)
 if from.PodSelector != nil {
-w.Write(LEVEL_0, "%s: %s\n", "From Pod Selector", metav1.FormatLabelSelector(from.PodSelector))
+w.Write(LEVEL_0, "%s: %s\n", "From PodSelector", metav1.FormatLabelSelector(from.PodSelector))
 } else if from.NamespaceSelector != nil {
-w.Write(LEVEL_0, "%s: %s\n", "From Namespace Selector", metav1.FormatLabelSelector(from.NamespaceSelector))
+w.Write(LEVEL_0, "%s: %s\n", "From NamespaceSelector", metav1.FormatLabelSelector(from.NamespaceSelector))
+} else if from.IPBlock != nil {
+w.Write(LEVEL_0, "From IPBlock:\n")
+w.Write(LEVEL_0, "%s%sCIDR: %s\n", initialIndent, initialIndent, from.IPBlock.CIDR)
+w.Write(LEVEL_0, "%s%sExcept: %v\n", initialIndent, initialIndent, strings.Join(from.IPBlock.Except, ", "))
 }
 }
 }
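Review bot: The `else if from.IPBlock != nil` branch extends a chain that describes a peer by its first populated field only, so a peer carrying more than one of PodSelector, NamespaceSelector and IPBlock would be summarised by a single line and the rest of its scope silently dropped from the output; if API validation guarantees exactly one field per peer that is fine, but the guarantee is not visible here, so either a comment stating the assumption, e.g. `// a peer is expected to set exactly one of PodSelector, NamespaceSelector, IPBlock`, or an explicit fallback line for any other combination would keep the description honest. Separately, the `Except:` line is written even when from.IPBlock.Except is empty, leaving a dangling `Except: `; guarding it with `if len(from.IPBlock.Except) > 0 {` avoids that. printNetworkPolicySpecEgressTo in the next hunk repeats the same chain and the same Except line. The enclosing function starts before and ends after this hunk.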
@@ -3137,6 +3144,47 @@ func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRu
 }
 }
 
+func printNetworkPolicySpecEgressTo(npers []networking.NetworkPolicyEgressRule, initialIndent string, w PrefixWriter) {
+if len(npers) == 0 {
+w.Write(LEVEL_0, "%s%s\n", initialIndent, " (Selected pods are isolated for egress connectivity)")
+return
+}
+for i, nper := range npers {
+if len(nper.Ports) == 0 {
+w.Write(LEVEL_0, "%s%s\n", initialIndent, "To Port: (traffic allowed to all ports)")
+} else {
+for _, port := range nper.Ports {
+var proto api.Protocol
+if port.Protocol != nil {
+proto = *port.Protocol
+} else {
+proto = api.ProtocolTCP
+}
+w.Write(LEVEL_0, "%s%s: %s/%s\n", initialIndent, "To Port", port.Port, proto)
+}
+}
+if len(nper.To) == 0 {
+w.Write(LEVEL_0, "%s%s\n", initialIndent, "To: (traffic not restricted by source)")
+} else {
+for _, to := range nper.To {
+w.Write(LEVEL_0, "%s", initialIndent)
+if to.PodSelector != nil {
+w.Write(LEVEL_0, "%s: %s\n", "To PodSelector", metav1.FormatLabelSelector(to.PodSelector))
+} else if to.NamespaceSelector != nil {
+w.Write(LEVEL_0, "%s: %s\n", "To NamespaceSelector", metav1.FormatLabelSelector(to.NamespaceSelector))
+} else if to.IPBlock != nil {
+w.Write(LEVEL_0, "To IPBlock:\n")
+w.Write(LEVEL_0, "%s%sCIDR: %s\n", initialIndent, initialIndent, to.IPBlock.CIDR)
+w.Write(LEVEL_0, "%s%sExcept: %v\n", initialIndent, initialIndent, strings.Join(to.IPBlock.Except, ", "))
+}
+}
+}
+if i != len(npers)-1 {
+w.Write(LEVEL_0, "%s%s\n", initialIndent, "----------")
+}
+}
+}
+
 type StorageClassDescriber struct {
 clientset.Interface
 }
@@ -3317,13 +3365,6 @@ func describePodSecurityPolicy(psp *extensions.PodSecurityPolicy) (string, error
 })
 }
 
-func stringOrAll(s string) string {
-if len(s) > 0 {
-return s
-}
-return "*"
-}
-
 func stringOrNone(s string) string {
 if len(s) > 0 {
 return s
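Review bot: The empty-`To` message in printNetworkPolicySpecEgressTo, `"To: (traffic not restricted by source)"`, was carried over from the ingress helper, but for an egress rule `To` lists destinations, so the line should read `"To: (traffic not restricted by destination)"` (the expectation added in describe_test.go changes with it). The rest of the function mirrors printNetworkPolicySpecIngressFrom almost line for line with From swapped for To — the port loop with its TCP default and the peer chain could be one shared helper taking the label prefix, so a later correction is made once rather than twice. A doc comment on the new function, e.g. `// printNetworkPolicySpecEgressTo writes each egress rule's ports and peers under initialIndent, separated by a dashed line, or an isolation note when there are no rules.`, would also help, since the helper is exported within the package's describer flow and its output is what operators read.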
@@ -3387,6 +3428,18 @@ func capsToString(caps []api.Capability) string {
 return stringOrNone(formattedString)
 }
 
+func policyTypesToString(pts []networking.PolicyType) string {
+formattedString := ""
+if pts != nil {
+strPts := []string{}
+for _, p := range pts {
+strPts = append(strPts, string(p))
+}
+formattedString = strings.Join(strPts, ", ")
+}
+return stringOrNone(formattedString)
+}
+
 // newErrNoDescriber creates a new ErrNoDescriber with the names of the provided types.
 func newErrNoDescriber(types ...reflect.Type) error {
 names := make([]string, 0, len(types))
diff --git a/pkg/printers/internalversion/describe_test.go b/pkg/printers/internalversion/describe_test.go
index ff21a8b335a..83caca946a6 100644
--- a/pkg/printers/internalversion/describe_test.go
+++ b/pkg/printers/internalversion/describe_test.go
@@ -1682,16 +1682,32 @@ Created on: 2017-06-04 21:45:56 -0700 PDT
 Labels:
 Annotations:
 Spec:
-Pod Selector: foo in (bar1,bar2),foo2 notin (bar1,bar2),id1=app1,id2=app2
+PodSelector: foo in (bar1,bar2),foo2 notin (bar1,bar2),id1=app1,id2=app2
 Allowing ingress traffic:
 To Port: 80/TCP
 To Port: 82/TCP
-From Pod Selector: id=app2,id2=app3
-From Namespace Selector: id=app2,id2=app3
-From Namespace Selector: foo in (bar1,bar2),id=app2,id2=app3
+From PodSelector: id=app2,id2=app3
+From NamespaceSelector: id=app2,id2=app3
+From NamespaceSelector: foo in (bar1,bar2),id=app2,id2=app3
+From IPBlock:
+CIDR: 192.168.0.0/16
+Except: 192.168.3.0/24, 192.168.4.0/24
 ----------
 To Port: (traffic allowed to all ports)
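Review bot: The `if pts != nil` guard in policyTypesToString is redundant — ranging over a nil slice is a no-op and strings.Join of an empty slice yields "", so nil and empty input already take the same path through stringOrNone; dropping the guard and pre-sizing with `strPts := make([]string, 0, len(pts))` leaves a three-line body. What matters more for the reader of the output is that an empty PolicyTypes is presumably rendered by stringOrNone as a "none" placeholder, which an operator can read as "this policy has no effect", whereas an unset policyTypes is defaulted by the API to Ingress (and to Egress as well when egress rules are present); a doc comment such as `// policyTypesToString joins the policy types with ", "; an empty list is shown as none, which reflects the stored object, not an inert policy.` would prevent that misreading, or the caller could print the effective default instead.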
 From: (traffic not restricted by source)
+Allowing egress traffic:
+To Port: 80/TCP
+To Port: 82/TCP
+To PodSelector: id=app2,id2=app3
+To NamespaceSelector: id=app2,id2=app3
+To NamespaceSelector: foo in (bar1,bar2),id=app2,id2=app3
+To IPBlock:
+CIDR: 192.168.0.0/16
+Except: 192.168.3.0/24, 192.168.4.0/24
+----------
+To Port: (traffic allowed to all ports)
+To: (traffic not restricted by source)
+Policy Types: Ingress, Egress
 `
 
 port80 := intstr.FromInt(80)
@@ -1749,10 +1765,61 @@ Spec:
 },
 },
 },
+{
+IPBlock: &networking.IPBlock{
+CIDR: "192.168.0.0/16",
+Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
+},
+},
 },
 },
 {},
 },
+Egress: []networking.NetworkPolicyEgressRule{
+{
+Ports: []networking.NetworkPolicyPort{
+{Port: &port80},
+{Port: &port82, Protocol: &protoTCP},
+},
+To: []networking.NetworkPolicyPeer{
+{
+PodSelector: &metav1.LabelSelector{
+MatchLabels: map[string]string{
+"id": "app2",
+"id2": "app3",
+},
+},
+},
+{
+NamespaceSelector: &metav1.LabelSelector{
+MatchLabels: map[string]string{
+"id": "app2",
+"id2": "app3",
+},
+},
+},
+{
+NamespaceSelector: &metav1.LabelSelector{
+MatchLabels: map[string]string{
+"id": "app2",
+"id2": "app3",
+},
+MatchExpressions: []metav1.LabelSelectorRequirement{
+{Key: "foo", Operator: "In", Values: []string{"bar1", "bar2"}},
+},
+},
+},
+{
+IPBlock: &networking.IPBlock{
+CIDR: "192.168.0.0/16",
+Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
+},
+},
+},
+},
+{},
+},
+PolicyTypes: []networking.PolicyType{networking.PolicyTypeIngress, networking.PolicyTypeEgress},
 },
 })
 d := NetworkPolicyDescriber{versionedFake}
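Review bot: The new fixture in the second hunk on this line exercises only the fully populated path — every egress rule has peers, every IPBlock has an Except list, and PolicyTypes names both Ingress and Egress — so, at least within this diff, the branches that most change how restrictive a policy appears (the empty-`Egress` isolation message, an IPBlock with no Except, and a PolicyTypes list without Egress) are not pinned by any expectation. A second NetworkPolicy case with `Egress: nil` and `PolicyTypes: []networking.PolicyType{networking.PolicyTypeIngress}`, asserting on the egress section of the output, would catch a future regression in that wording. The enclosing test function and the object literal both start before this hunk.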