From d735f660bcc67f18cf747368910acf61d1dc8930 Mon Sep 17 00:00:00 2001 From: xiangpengzhao Date: Tue, 31 Oct 2017 17:42:44 +0800 Subject: [PATCH 1/6] Describe IPBlock for NetworkPolicyIngressRule. --- pkg/printers/internalversion/describe.go | 6 +++++- pkg/printers/internalversion/describe_test.go | 9 +++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/pkg/printers/internalversion/describe.go b/pkg/printers/internalversion/describe.go index 1de31478639..01dc79aba2a 100644 --- a/pkg/printers/internalversion/describe.go +++ b/pkg/printers/internalversion/describe.go @@ -3118,7 +3118,7 @@ func describeNetworkPolicySpec(nps networking.NetworkPolicySpec, w PrefixWriter) func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRule, initialIndent string, w PrefixWriter) { if len(npirs) == 0 { - w.WriteLine(" (Selected pods are isolated for ingress connectivity)") + w.Write(LEVEL_0, "%s%s\n", initialIndent, " (Selected pods are isolated for ingress connectivity)") return } for i, npir := range npirs { @@ -3144,6 +3144,10 @@ func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRu w.Write(LEVEL_0, "%s: %s\n", "From Pod Selector", metav1.FormatLabelSelector(from.PodSelector)) } else if from.NamespaceSelector != nil { w.Write(LEVEL_0, "%s: %s\n", "From Namespace Selector", metav1.FormatLabelSelector(from.NamespaceSelector)) + } else if from.IPBlock != nil { + w.Write(LEVEL_0, "From IPBlock:\n") + w.Write(LEVEL_0, "%s%sCIDR: %s\n", initialIndent, initialIndent, from.IPBlock.CIDR) + w.Write(LEVEL_0, "%s%sExcept: %v\n", initialIndent, initialIndent, strings.Join(from.IPBlock.Except, ", ")) } } } diff --git a/pkg/printers/internalversion/describe_test.go b/pkg/printers/internalversion/describe_test.go index e86dc6e9809..fef1f70fe9a 100644 --- a/pkg/printers/internalversion/describe_test.go +++ b/pkg/printers/internalversion/describe_test.go 
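Review bot: The new `from.IPBlock` branch is the tail of an `else if` chain, so a NetworkPolicyPeer that ever carries more than one populated field (for instance a PodSelector together with a NamespaceSelector) is rendered by its first field only, and the describe output then shows a broader peer than the policy actually allows; independent `if` statements, or at least a comment stating the one-field assumption, would make that visible. The preceding `w.Write(LEVEL_0, "%s", initialIndent)` emits the indent with no newline, so a peer with none of the three fields set leaves a dangling partial line that the next write is appended to; a final `else { w.Write(LEVEL_0, "(no peer specified)\n") }` keeps the output well-formed. An IPBlock with no `Except` entries prints `Except: ` followed by nothing; passing the joined string through the existing `stringOrNone` helper would render that case explicitly. The enclosing `for _, from := range npir.From` loop begins before this hunk.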
@@ -1664,6 +1664,9 @@ Spec: From Pod Selector: id=app2,id2=app3 From Namespace Selector: id=app2,id2=app3 From Namespace Selector: foo in (bar1,bar2),id=app2,id2=app3 + From IPBlock: + CIDR: 192.168.0.0/16 + Except: 192.168.3.0/24, 192.168.4.0/24 ---------- To Port: (traffic allowed to all ports) From: (traffic not restricted by source) @@ -1724,6 +1727,12 @@ Spec: }, }, }, + { + IPBlock: &networking.IPBlock{ + CIDR: "192.168.0.0/16", + Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, + }, + }, }, }, {}, From 0cf5a2dedc123bf86490ebde9a4396e074feb7e6 Mon Sep 17 00:00:00 2001 From: xiangpengzhao Date: Tue, 31 Oct 2017 18:04:40 +0800 Subject: [PATCH 2/6] Describe NetworkPolicyEgressRule. --- pkg/printers/internalversion/describe.go | 43 ++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/pkg/printers/internalversion/describe.go b/pkg/printers/internalversion/describe.go index 01dc79aba2a..c6de8b13916 100644 --- a/pkg/printers/internalversion/describe.go +++ b/pkg/printers/internalversion/describe.go @@ -3114,6 +3114,8 @@ func describeNetworkPolicySpec(nps networking.NetworkPolicySpec, w PrefixWriter) } w.Write(LEVEL_1, "Allowing ingress traffic:\n") printNetworkPolicySpecIngressFrom(nps.Ingress, " ", w) + w.Write(LEVEL_1, "Allowing egress traffic:\n") + printNetworkPolicySpecEgressTo(nps.Egress, " ", w) } func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRule, initialIndent string, w PrefixWriter) { 
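Review bot: Calling `printNetworkPolicySpecEgressTo(nps.Egress, ...)` unconditionally means a policy with no egress rules is described as `(Selected pods are isolated for egress connectivity)` even when `nps.PolicyTypes` does not include `Egress`, which is the normal shape of an ingress-only policy; as I read the NetworkPolicy API, such a policy leaves egress untouched, so the describe output would claim an isolation that does not exist (the ingress line has the mirror problem for an egress-only policy). The test added later in this series sets `PolicyTypes: [Ingress, Egress]`, so it would not catch this. I would gate the isolation message on the policy types before delegating to the printers, as sketched below, treating an empty list as ingress-only to match the API defaulting as I recall it. `describeNetworkPolicySpec` begins before this hunk.

```go
	w.Write(LEVEL_1, "Allowing ingress traffic:\n")
	if len(nps.Ingress) == 0 && !hasPolicyType(nps.PolicyTypes, networking.PolicyTypeIngress) {
		w.Write(LEVEL_2, "(ingress not restricted by this policy)\n")
	} else {
		printNetworkPolicySpecIngressFrom(nps.Ingress, " ", w)
	}
	w.Write(LEVEL_1, "Allowing egress traffic:\n")
	if len(nps.Egress) == 0 && !hasPolicyType(nps.PolicyTypes, networking.PolicyTypeEgress) {
		w.Write(LEVEL_2, "(egress not restricted by this policy)\n")
	} else {
		printNetworkPolicySpecEgressTo(nps.Egress, " ", w)
	}
	// … unchanged: rest of describeNetworkPolicySpec …

// hasPolicyType reports whether pts names want. An empty list is treated as
// ingress-only, which is how the API defaults PolicyTypes (confirm against the
// defaulting code if that changes).
func hasPolicyType(pts []networking.PolicyType, want networking.PolicyType) bool {
	if len(pts) == 0 {
		return want == networking.PolicyTypeIngress
	}
	for _, p := range pts {
		if p == want {
			return true
		}
	}
	return false
}
```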
@@ -3157,6 +3159,47 @@ func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRu } } +func printNetworkPolicySpecEgressTo(npers []networking.NetworkPolicyEgressRule, initialIndent string, w PrefixWriter) { + if len(npers) == 0 { + w.Write(LEVEL_0, "%s%s\n", initialIndent, " (Selected pods are isolated for egress connectivity)") + return + } + for i, nper := range npers { + if len(nper.Ports) == 0 { + w.Write(LEVEL_0, "%s%s\n", initialIndent, "From Port: (traffic allowed to all ports)") + } else { + for _, port := range nper.Ports { + var proto api.Protocol + if port.Protocol != nil { + proto = *port.Protocol + } else { + proto = api.ProtocolTCP + } + w.Write(LEVEL_0, "%s%s: %s/%s\n", initialIndent, "From Port", port.Port, proto) + } + } + if len(nper.To) == 0 { + w.Write(LEVEL_0, "%s%s\n", initialIndent, "To: (traffic not restricted by source)") + } else { + for _, to := range nper.To { + w.Write(LEVEL_0, "%s", initialIndent) + if to.PodSelector != nil { + w.Write(LEVEL_0, "%s: %s\n", "To Pod Selector", metav1.FormatLabelSelector(to.PodSelector)) + } else if to.NamespaceSelector != nil { + w.Write(LEVEL_0, "%s: %s\n", "To Namespace Selector", metav1.FormatLabelSelector(to.NamespaceSelector)) + } else if to.IPBlock != nil { + w.Write(LEVEL_0, "To IPBlock:\n") + w.Write(LEVEL_0, "%s%sCIDR: %s\n", initialIndent, initialIndent, to.IPBlock.CIDR) + w.Write(LEVEL_0, "%s%sExcept: %v\n", initialIndent, initialIndent, strings.Join(to.IPBlock.Except, ", ")) + } + } + } + if i != len(npers)-1 { + w.Write(LEVEL_0, "%s%s\n", initialIndent, "----------") + } + } +} + type StorageClassDescriber struct { clientset.Interface } From 1aaac98e7af894f116a1e1f5f73fedf0da8f4057 Mon Sep 17 00:00:00 2001 From: xiangpengzhao Date: Tue, 31 Oct 2017 19:39:25 +0800 Subject: [PATCH 3/6] Add test case for NetworkPolicyEgressRule. --- pkg/printers/internalversion/describe_test.go | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) 
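Review bot: The empty-peer message in the new egress printer, `"To: (traffic not restricted by source)"`, is copied from the ingress printer and is wrong for egress, where an empty `To` list means the destination is unrestricted; the later "Fix wrong format and output" patch in this series corrects the `From Port` labels but leaves this string, so the final output still tells the reader that egress is unrestricted "by source". I would change it to `w.Write(LEVEL_0, "%s%s\n", initialIndent, "To: (traffic not restricted by destination)")` and update the expected test output to match. The port-printing loop is a verbatim copy of the ingress one apart from the label, which is exactly why the label needed a follow-up fix; a shared helper such as `printNetworkPolicyPorts(label string, ports []networking.NetworkPolicyPort, initialIndent string, w PrefixWriter)` would keep the two in step. As in the ingress printer, the `else if` chain over `to.PodSelector`/`to.NamespaceSelector`/`to.IPBlock` prints only the first populated field and leaves a dangling indent with no newline when none is set.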
diff --git a/pkg/printers/internalversion/describe_test.go b/pkg/printers/internalversion/describe_test.go index fef1f70fe9a..0eb6f3af13c 100644 --- a/pkg/printers/internalversion/describe_test.go +++ b/pkg/printers/internalversion/describe_test.go @@ -1670,6 +1670,18 @@ Spec: ---------- To Port: (traffic allowed to all ports) From: (traffic not restricted by source) + Allowing egress traffic: + From Port: 80/TCP + From Port: 82/TCP + To Pod Selector: id=app2,id2=app3 + To Namespace Selector: id=app2,id2=app3 + To Namespace Selector: foo in (bar1,bar2),id=app2,id2=app3 + To IPBlock: + CIDR: 192.168.0.0/16 + Except: 192.168.3.0/24, 192.168.4.0/24 + ---------- + From Port: (traffic allowed to all ports) + To: (traffic not restricted by source) ` port80 := intstr.FromInt(80) @@ -1737,6 +1749,50 @@ Spec: }, {}, }, + Egress: []networking.NetworkPolicyEgressRule{ + { + Ports: []networking.NetworkPolicyPort{ + {Port: &port80}, + {Port: &port82, Protocol: &protoTCP}, + }, + To: []networking.NetworkPolicyPeer{ + { + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "id": "app2", + "id2": "app3", + }, + }, + }, + { + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "id": "app2", + "id2": "app3", + }, + }, + }, + { + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "id": "app2", + "id2": "app3", + }, + MatchExpressions: []metav1.LabelSelectorRequirement{ + {Key: "foo", Operator: "In", Values: []string{"bar1", "bar2"}}, + }, + }, + }, + { + IPBlock: &networking.IPBlock{ + CIDR: "192.168.0.0/16", + Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, + }, + }, + }, + }, + {}, + }, }, }) d := NetworkPolicyDescriber{versionedFake} From 3921ac9dd19dd18ed7cfc00b0215a48642a17331 Mon Sep 17 00:00:00 2001 
From: xiangpengzhao Date: Wed, 1 Nov 2017 16:11:27 +0800 Subject: [PATCH 4/6] Describe PolicyTypes for Network Policy. --- pkg/printers/internalversion/describe.go | 1 + pkg/printers/internalversion/describe_test.go | 2 ++ 2 files changed, 3 insertions(+) diff --git a/pkg/printers/internalversion/describe.go b/pkg/printers/internalversion/describe.go index c6de8b13916..f2fe559f10b 100644 --- a/pkg/printers/internalversion/describe.go +++ b/pkg/printers/internalversion/describe.go @@ -3116,6 +3116,7 @@ func describeNetworkPolicySpec(nps networking.NetworkPolicySpec, w PrefixWriter) printNetworkPolicySpecIngressFrom(nps.Ingress, " ", w) w.Write(LEVEL_1, "Allowing egress traffic:\n") printNetworkPolicySpecEgressTo(nps.Egress, " ", w) + w.Write(LEVEL_1, "Policy Types: %v\n", nps.PolicyTypes) } func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRule, initialIndent string, w PrefixWriter) { diff --git a/pkg/printers/internalversion/describe_test.go b/pkg/printers/internalversion/describe_test.go index 0eb6f3af13c..98a16d7c1bb 100644 --- a/pkg/printers/internalversion/describe_test.go +++ b/pkg/printers/internalversion/describe_test.go @@ -1682,6 +1682,7 @@ Spec: ---------- From Port: (traffic allowed to all ports) To: (traffic not restricted by source) + Policy Types: [Ingress Egress] ` port80 := intstr.FromInt(80) @@ -1793,6 +1794,7 @@ Spec: }, {}, }, + PolicyTypes: []networking.PolicyType{networking.PolicyTypeIngress, networking.PolicyTypeEgress}, }, }) d := NetworkPolicyDescriber{versionedFake} From bcdff4f17481b72942b11c13d8402141ecb84ceb Mon Sep 17 00:00:00 2001 From: xiangpengzhao Date: Fri, 3 Nov 2017 11:47:37 +0800 Subject: [PATCH 5/6] Fix wrong format and output. --- pkg/printers/internalversion/describe.go | 25 +++++++++++-------- pkg/printers/internalversion/describe_test.go | 8 +++--- 2 files changed, 19 insertions(+), 14 deletions(-) 
diff --git a/pkg/printers/internalversion/describe.go b/pkg/printers/internalversion/describe.go index f2fe559f10b..930488990c1 100644 --- a/pkg/printers/internalversion/describe.go +++ b/pkg/printers/internalversion/describe.go @@ -3116,7 +3116,7 @@ func describeNetworkPolicySpec(nps networking.NetworkPolicySpec, w PrefixWriter) printNetworkPolicySpecIngressFrom(nps.Ingress, " ", w) w.Write(LEVEL_1, "Allowing egress traffic:\n") printNetworkPolicySpecEgressTo(nps.Egress, " ", w) - w.Write(LEVEL_1, "Policy Types: %v\n", nps.PolicyTypes) + w.Write(LEVEL_1, "Policy Types: %v\n", policyTypesToString(nps.PolicyTypes)) } func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRule, initialIndent string, w PrefixWriter) { @@ -3167,7 +3167,7 @@ func printNetworkPolicySpecEgressTo(npers []networking.NetworkPolicyEgressRule, } for i, nper := range npers { if len(nper.Ports) == 0 { - w.Write(LEVEL_0, "%s%s\n", initialIndent, "From Port: (traffic allowed to all ports)") + w.Write(LEVEL_0, "%s%s\n", initialIndent, "To Port: (traffic allowed to all ports)") } else { for _, port := range nper.Ports { var proto api.Protocol @@ -3176,7 +3176,7 @@ func printNetworkPolicySpecEgressTo(npers []networking.NetworkPolicyEgressRule, } else { proto = api.ProtocolTCP } - w.Write(LEVEL_0, "%s%s: %s/%s\n", initialIndent, "From Port", port.Port, proto) + w.Write(LEVEL_0, "%s%s: %s/%s\n", initialIndent, "To Port", port.Port, proto) } } if len(nper.To) == 0 { @@ -3381,13 +3381,6 @@ func describePodSecurityPolicy(psp *extensions.PodSecurityPolicy) (string, error }) } -func stringOrAll(s string) string { - if len(s) > 0 { - return s - } - return "*" -} - func stringOrNone(s string) string { if len(s) > 0 { return s 
@@ -3451,6 +3444,18 @@ func capsToString(caps []api.Capability) string { return stringOrNone(formattedString) } +func policyTypesToString(pts []networking.PolicyType) string { + formattedString := "" + if pts != nil { + strPts := []string{} + for _, p := range pts { + strPts = append(strPts, string(p)) + } + formattedString = strings.Join(strPts, ", ") + } + return stringOrNone(formattedString) +} + // newErrNoDescriber creates a new ErrNoDescriber with the names of the provided types. func newErrNoDescriber(types ...reflect.Type) error { names := make([]string, 0, len(types)) diff --git a/pkg/printers/internalversion/describe_test.go b/pkg/printers/internalversion/describe_test.go index 98a16d7c1bb..4d233b2750e 100644 --- a/pkg/printers/internalversion/describe_test.go +++ b/pkg/printers/internalversion/describe_test.go @@ -1671,8 +1671,8 @@ Spec: To Port: (traffic allowed to all ports) From: (traffic not restricted by source) Allowing egress traffic: - From Port: 80/TCP - From Port: 82/TCP + To Port: 80/TCP + To Port: 82/TCP To Pod Selector: id=app2,id2=app3 To Namespace Selector: id=app2,id2=app3 To Namespace Selector: foo in (bar1,bar2),id=app2,id2=app3 @@ -1680,9 +1680,9 @@ Spec: CIDR: 192.168.0.0/16 Except: 192.168.3.0/24, 192.168.4.0/24 ---------- - From Port: (traffic allowed to all ports) + To Port: (traffic allowed to all ports) To: (traffic not restricted by source) - Policy Types: [Ingress Egress] + Policy Types: Ingress, Egress ` port80 := intstr.FromInt(80) From c691be3acfe410b3004d328444da3a142cae5bc7 Mon Sep 17 00:00:00 2001 From: xiangpengzhao Date: Mon, 6 Nov 2017 15:22:50 +0800 Subject: [PATCH 6/6] Switch field types to PodSelector and NamespaceSelector --- pkg/printers/internalversion/describe.go | 10 +++++----- pkg/printers/internalversion/describe_test.go | 14 +++++++------- 2 files changed, 12 insertions(+), 12 deletions(-) 
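Review bot: `policyTypesToString` falls through to the `stringOrNone` placeholder for an empty `PolicyTypes`, which a reader will take as "this policy enforces nothing", whereas — as I recall the API defaulting — a policy without explicit policy types is treated as an ingress policy, so the rendering could understate what is enforced if an un-defaulted object ever reaches the describer; a doc comment such as `// policyTypesToString renders the policy types as a comma-separated list; an empty list is shown as the stringOrNone placeholder, although the API defaults it to Ingress.` would prevent that misreading. The `if pts != nil` guard is redundant: ranging over a nil slice is a no-op and `strings.Join` of an empty slice is `""`, so the body reduces to `strPts := make([]string, 0, len(pts))`, the `for` loop, and `return stringOrNone(strings.Join(strPts, ", "))`. Pre-sizing the slice also avoids the growth copies of the `[]string{}` literal.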
diff --git a/pkg/printers/internalversion/describe.go b/pkg/printers/internalversion/describe.go index 930488990c1..3ca56a68047 100644 --- a/pkg/printers/internalversion/describe.go +++ b/pkg/printers/internalversion/describe.go @@ -3106,7 +3106,7 @@ func describeNetworkPolicy(networkPolicy *networking.NetworkPolicy) (string, err func describeNetworkPolicySpec(nps networking.NetworkPolicySpec, w PrefixWriter) { w.Write(LEVEL_0, "Spec:\n") - w.Write(LEVEL_1, "Pod Selector: ") + w.Write(LEVEL_1, "PodSelector: ") if len(nps.PodSelector.MatchLabels) == 0 && len(nps.PodSelector.MatchExpressions) == 0 { w.Write(LEVEL_2, " (Allowing the specific traffic to all pods in this namespace)\n") } else { @@ -3144,9 +3144,9 @@ func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRu for _, from := range npir.From { w.Write(LEVEL_0, "%s", initialIndent) if from.PodSelector != nil { - w.Write(LEVEL_0, "%s: %s\n", "From Pod Selector", metav1.FormatLabelSelector(from.PodSelector)) + w.Write(LEVEL_0, "%s: %s\n", "From PodSelector", metav1.FormatLabelSelector(from.PodSelector)) } else if from.NamespaceSelector != nil { - w.Write(LEVEL_0, "%s: %s\n", "From Namespace Selector", metav1.FormatLabelSelector(from.NamespaceSelector)) + w.Write(LEVEL_0, "%s: %s\n", "From NamespaceSelector", metav1.FormatLabelSelector(from.NamespaceSelector)) } else if from.IPBlock != nil { w.Write(LEVEL_0, "From IPBlock:\n") w.Write(LEVEL_0, "%s%sCIDR: %s\n", initialIndent, initialIndent, from.IPBlock.CIDR) 
@@ -3185,9 +3185,9 @@ func printNetworkPolicySpecEgressTo(npers []networking.NetworkPolicyEgressRule, for _, to := range nper.To { w.Write(LEVEL_0, "%s", initialIndent) if to.PodSelector != nil { - w.Write(LEVEL_0, "%s: %s\n", "To Pod Selector", metav1.FormatLabelSelector(to.PodSelector)) + w.Write(LEVEL_0, "%s: %s\n", "To PodSelector", metav1.FormatLabelSelector(to.PodSelector)) } else if to.NamespaceSelector != nil { - w.Write(LEVEL_0, "%s: %s\n", "To Namespace Selector", metav1.FormatLabelSelector(to.NamespaceSelector)) + w.Write(LEVEL_0, "%s: %s\n", "To NamespaceSelector", metav1.FormatLabelSelector(to.NamespaceSelector)) } else if to.IPBlock != nil { w.Write(LEVEL_0, "To IPBlock:\n") w.Write(LEVEL_0, "%s%sCIDR: %s\n", initialIndent, initialIndent, to.IPBlock.CIDR) diff --git a/pkg/printers/internalversion/describe_test.go b/pkg/printers/internalversion/describe_test.go index 4d233b2750e..f026a45a4b6 100644 --- a/pkg/printers/internalversion/describe_test.go +++ b/pkg/printers/internalversion/describe_test.go @@ -1657,13 +1657,13 @@ Created on: 2017-06-04 21:45:56 -0700 PDT Labels: Annotations: Spec: - Pod Selector: foo in (bar1,bar2),foo2 notin (bar1,bar2),id1=app1,id2=app2 + PodSelector: foo in (bar1,bar2),foo2 notin (bar1,bar2),id1=app1,id2=app2 Allowing ingress traffic: To Port: 80/TCP To Port: 82/TCP - From Pod Selector: id=app2,id2=app3 - From Namespace Selector: id=app2,id2=app3 - From Namespace Selector: foo in (bar1,bar2),id=app2,id2=app3 + From PodSelector: id=app2,id2=app3 + From NamespaceSelector: id=app2,id2=app3 + From NamespaceSelector: foo in (bar1,bar2),id=app2,id2=app3 From IPBlock: CIDR: 192.168.0.0/16 Except: 192.168.3.0/24, 192.168.4.0/24 
@@ -1673,9 +1673,9 @@ Spec: Allowing egress traffic: To Port: 80/TCP To Port: 82/TCP - To Pod Selector: id=app2,id2=app3 - To Namespace Selector: id=app2,id2=app3 - To Namespace Selector: foo in (bar1,bar2),id=app2,id2=app3 + To PodSelector: id=app2,id2=app3 + To NamespaceSelector: id=app2,id2=app3 + To NamespaceSelector: foo in (bar1,bar2),id=app2,id2=app3 To IPBlock: CIDR: 192.168.0.0/16 Except: 192.168.3.0/24, 192.168.4.0/24