From cd2af69ef96c1a787af7a975b00ff263b21f7bbf Mon Sep 17 00:00:00 2001 From: jornshen Date: Wed, 3 Mar 2021 17:47:09 +0800 Subject: [PATCH] refector netpol/policies.go --- test/e2e/network/netpol/network_policy.go | 225 +++++--- test/e2e/network/netpol/policies.go | 591 ++-------------------- 2 files changed, 210 insertions(+), 606 deletions(-) diff --git a/test/e2e/network/netpol/network_policy.go b/test/e2e/network/netpol/network_policy.go index f254e39bb5f..7c9ad341d8f 100644 --- a/test/e2e/network/netpol/network_policy.go +++ b/test/e2e/network/netpol/network_policy.go @@ -134,7 +134,7 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() { nsX, _, _, model, k8s := getK8SModel(f) - policy := GetDenyIngress("deny-ingress") + policy := GenNetworkPolicyWithNameAndPodSelector("deny-ingress", metav1.LabelSelector{}, SetSpecIngressRules()) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -144,7 +144,10 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { }) ginkgo.It("should support a 'default-deny-all' policy [Feature:NetworkPolicy]", func() { - policy := GetDenyAllWithEgressDNS() + egressRule := networkingv1.NetworkPolicyEgressRule{} + egressRule.Ports = append(egressRule.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolUDP, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}}) + policy := GenNetworkPolicyWithNameAndPodSelector("deny-all-tcp-allow-dns", metav1.LabelSelector{}, SetSpecIngressRules(), SetSpecEgressRules(egressRule)) + nsX, _, _, model, k8s := getK8SModel(f) CreatePolicy(k8s, policy, nsX) @@ -161,7 +164,10 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { "pod": "b", }, } - policy := GetAllowIngressByPod("x-a-allows-x-b", map[string]string{"pod": "a"}, &allowedPods) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: &allowedPods}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("x-a-allows-x-b", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) + nsX, _, _, model, k8s := getK8SModel(f) CreatePolicy(k8s, policy, nsX) @@ -177,12 +183,14 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.By("having a deny all ingress policy", func() { // Deny all Ingress traffic policy to pods on namespace nsX - policy := GetDenyIngress("deny-all") + policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules()) CreatePolicy(k8s, policy, nsX) }) // Allow Ingress traffic only to pod x/a from any pod - allowPolicy := GetAllowIngressForTarget("allow-all-to-a", map[string]string{"pod": "a"}) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{}}) + allowPolicy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all-to-a", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, allowPolicy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -196,10 +204,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should enforce policy to allow ingress traffic from pods in all namespaces [Feature:NetworkPolicy]", func() { nsX, _, _, model, k8s := getK8SModel(f) - emptyLabel := &metav1.LabelSelector{ - MatchLabels: map[string]string{}, - } - policy := GetAllowIngressByNamespace("allow-from-another-ns", map[string]string{"pod": "a"}, emptyLabel) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}}}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-from-another-ns", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -208,12 +215,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should enforce policy to allow traffic only from a different namespace, based on NamespaceSelector [Feature:NetworkPolicy]", func() { nsX, nsY, nsZ, model, k8s := getK8SModel(f) - allowedLabels := &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "ns": nsY, - }, - } - policy := GetAllowIngressByNamespace("allow-client-a-via-ns-selector", map[string]string{"pod": "a"}, allowedLabels) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"ns": nsY}}}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-ns-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -232,7 +236,10 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { Values: []string{"b"}, }}, } - policy := GetAllowIngressByPod("x-a-allows-x-b", map[string]string{"pod": "a"}, &allowedPods) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: &allowedPods}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("x-a-allows-x-b", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) + nsX, _, _, model, k8s := getK8SModel(f) CreatePolicy(k8s, policy, nsX) @@ -252,7 +259,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { Values: []string{nsY}, }}, } - policy := GetAllowIngressByNamespace("allow-ns-y-match-selector", map[string]string{"pod": "a"}, allowedNamespaces) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedNamespaces}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ns-y-match-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -277,7 +286,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { "pod": "b", }, } - policy := GetAllowIngressByNamespaceOrPod("allow-ns-y-match-selector", map[string]string{"pod": "a"}, allowedNamespaces, podBAllowlisting) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedNamespaces}, networkingv1.NetworkPolicyPeer{PodSelector: podBAllowlisting}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ns-y-match-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -301,7 +312,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { "pod": "b", }, } - policy := GetAllowIngressByNamespaceAndPod("allow-ns-y-podselector-and-nsselector", map[string]string{"pod": "a"}, allowedNamespaces, allowedPod) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedNamespaces, PodSelector: allowedPod}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ns-y-podselector-and-nsselector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -328,7 +341,10 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { Values: []string{"b", "c"}, }}, } - policy := GetAllowIngressByNamespaceAndPod("allow-ns-y-z-pod-b-c", map[string]string{"pod": "a"}, allowedNamespaces, allowedPod) + + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedNamespaces, PodSelector: allowedPod}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ns-y-z-pod-b-c", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -342,8 +358,11 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should enforce policy based on any PodSelectors [Feature:NetworkPolicy]", func() { nsX, _, _, model, k8s := getK8SModel(f) - peers := []map[string]string{{"pod": "b"}, {"pod": "c"}} - policy := GetAllowIngressByAnyPod("allow-ns-x-pod-b-c", map[string]string{"pod": "a"}, peers) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + for _, label := range []map[string]string{{"pod": "b"}, {"pod": "c"}} { + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: &metav1.LabelSelector{MatchLabels: label}}) + } + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ns-x-pod-b-c", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -368,7 +387,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { "pod": "a", }, } - policy := GetAllowIngressByNamespaceAndPod("allow-ns-y-pod-a-via-namespace-pod-selector", map[string]string{"pod": "a"}, allowedNamespaces, allowedPods) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedNamespaces, PodSelector: allowedPods}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ns-y-pod-a-via-namespace-pod-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -386,7 +407,10 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { "ns": nsY, }, } - allowPort81Policy := GetAllowIngressByNamespaceAndPort("allow-client-a-via-ns-selector", map[string]string{"pod": "a"}, allowedLabels, &intstr.IntOrString{IntVal: 81}, &protocolTCP) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedLabels}) + ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolTCP}) + allowPort81Policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-ns-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, allowPort81Policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -405,7 +429,10 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { "ns": nsY, }, } - allowPort81Policy := GetAllowIngressByNamespaceAndPort("allow-client-a-via-ns-selector", map[string]string{"pod": "a"}, allowedLabels, &intstr.IntOrString{IntVal: 81}, &protocolTCP) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedLabels}) + ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolTCP}) + allowPort81Policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-ns-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, allowPort81Policy, nsX) reachabilityALLOW := NewReachability(model.AllPods(), true) @@ -422,7 +449,11 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.By("Verifying traffic on port 80.") ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachabilityDENY}) - allowPort80Policy := GetAllowIngressByNamespaceAndPort("allow-client-a-via-ns-selector-80", map[string]string{"pod": "a"}, allowedLabels, &intstr.IntOrString{IntVal: 80}, &protocolTCP) + ingressRule = networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedLabels}) + ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 80}, Protocol: &protocolTCP}) + + allowPort80Policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-ns-selector-80", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, allowPort80Policy, nsX) ginkgo.By("Verifying that we can add a policy to unblock port 80") @@ -431,7 +462,7 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should support allow-all policy [Feature:NetworkPolicy]", func() { ginkgo.By("Creating a network policy which allows all traffic.") - policy := GetAllowIngress("allow-all") + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{})) nsX, _, _, model, k8s := getK8SModel(f) CreatePolicy(k8s, policy, nsX) @@ -442,7 +473,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { }) ginkgo.It("should allow ingress access on one named port [Feature:NetworkPolicy]", func() { - policy := GetAllowIngressByPort("allow-all", &intstr.IntOrString{Type: intstr.String, StrVal: "serve-81-tcp"}) + IngressRules := networkingv1.NetworkPolicyIngressRule{} + IngressRules.Ports = append(IngressRules.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-81-tcp"}}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all", map[string]string{}, SetSpecIngressRules(IngressRules)) nsX, _, _, model, k8s := getK8SModel(f) CreatePolicy(k8s, policy, nsX) @@ -464,7 +497,10 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { "ns": nsY, }, } - policy := GetAllowIngressByNamespaceAndPort("allow-client-a-via-ns-selector-80", map[string]string{"pod": "a"}, allowedLabels, &intstr.IntOrString{Type: intstr.String, StrVal: "serve-80-tcp"}, &protocolTCP) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedLabels}) + ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-80-tcp"}, Protocol: &protocolTCP}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-ns-selector-80", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -483,7 +519,11 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should allow egress access on one named port [Feature:NetworkPolicy]", func() { ginkgo.By("validating egress from port 81 to port 80") - policy := GetAllowEgressByPort("allow-egress", &intstr.IntOrString{Type: intstr.String, StrVal: "serve-80-tcp"}) + egressRule := networkingv1.NetworkPolicyEgressRule{} + egressRule.Ports = append(egressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-80-tcp"}}) + egressRule.Ports = append(egressRule.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolUDP, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-egress", map[string]string{}, SetSpecEgressRules(egressRule)) + nsX, _, _, model, k8s := getK8SModel(f) CreatePolicy(k8s, policy, nsX) @@ -499,7 +539,7 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should enforce updated policy [Feature:NetworkPolicy]", func() { ginkgo.By("Using the simplest possible mutation: start with allow all, then switch to deny all") // part 1) allow all - policy := GetAllowIngress("allow-all-mutate-to-deny-all") + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all-mutate-to-deny-all", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{})) nsX, _, _, model, k8s := getK8SModel(f) CreatePolicy(k8s, policy, nsX) @@ -524,7 +564,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { "ns2": "updated", }, } - policy := GetAllowIngressByNamespace("allow-client-a-via-ns-selector", map[string]string{"pod": "a"}, allowedLabels) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedLabels}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-ns-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -554,7 +596,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { // add a new label, we'll remove it after this test is done matchLabels := map[string]string{"pod": "b", "pod2": "updated"} allowedLabels := &metav1.LabelSelector{MatchLabels: matchLabels} - policy := GetAllowIngressByPod("allow-client-a-via-pod-selector", map[string]string{"pod": "a"}, allowedLabels) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: allowedLabels}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-pod-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -575,7 +619,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should deny ingress from pods on other namespaces [Feature:NetworkPolicy]", func() { nsX, nsY, nsZ, model, k8s := getK8SModel(f) - policy := GetDenyIngressEmptyPeerSelector("deny-empty-policy") + IngressRules := networkingv1.NetworkPolicyIngressRule{} + IngressRules.From = append(IngressRules.From, networkingv1.NetworkPolicyPeer{PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}}}) + policy := GenNetworkPolicyWithNameAndPodSelector("deny-empty-policy", metav1.LabelSelector{}, SetSpecIngressRules(IngressRules)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -591,7 +637,8 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { framework.ExpectNoError(err, "find pod x/a") defer ResetPodLabels(k8s, podXA) - policy := GetDenyIngressForTarget(metav1.LabelSelector{MatchLabels: map[string]string{"target": "isolated"}}) + policy := GenNetworkPolicyWithNameAndPodSelector("deny-ingress-via-label-selector", + metav1.LabelSelector{MatchLabels: map[string]string{"target": "isolated"}}, SetSpecIngressRules()) CreatePolicy(k8s, policy, nsX) ginkgo.By("Verify that everything can reach x/a") @@ -607,7 +654,7 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should deny egress from pods based on PodSelector [Feature:NetworkPolicy] ", func() { nsX, _, _, model, k8s := getK8SModel(f) - policy := GetDenyEgressForTarget("deny-egress-pod-a", metav1.LabelSelector{MatchLabels: map[string]string{"pod": "a"}}) + policy := GenNetworkPolicyWithNameAndPodSelector("deny-egress-pod-a", metav1.LabelSelector{MatchLabels: map[string]string{"pod": "a"}}, SetSpecEgressRules()) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -618,7 +665,7 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should deny egress from all pods in a namespace [Feature:NetworkPolicy] ", func() { nsX, _, _, model, k8s := getK8SModel(f) - policy := GetDenyEgress("deny-egress-ns-x") + policy := GenNetworkPolicyWithNameAndPodSelector("deny-egress-ns-x", metav1.LabelSelector{}, SetSpecEgressRules()) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -629,7 +676,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should work with Ingress, Egress specified together [Feature:NetworkPolicy]", func() { allowedPodLabels := &metav1.LabelSelector{MatchLabels: map[string]string{"pod": "b"}} - policy := GetAllowIngressByPod("allow-client-a-via-pod-selector", map[string]string{"pod": "a"}, allowedPodLabels) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: allowedPodLabels}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-pod-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) // add an egress rule on to it... policy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{ @@ -683,7 +732,11 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { "pod": "a", }, } - egressPolicy := GetAllowEgressByNamespaceAndPod("allow-to-ns-y-pod-a", map[string]string{"pod": "a"}, allowedEgressNamespaces, allowedEgressPods) + egressRule1 := networkingv1.NetworkPolicyEgressRule{} + egressRule1.To = append(egressRule1.To, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedEgressNamespaces, PodSelector: allowedEgressPods}) + egressRule2 := networkingv1.NetworkPolicyEgressRule{} + egressRule2.Ports = append(egressRule2.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolUDP, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}}) + egressPolicy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-to-ns-y-pod-a", map[string]string{"pod": "a"}, SetSpecEgressRules(egressRule1, egressRule2)) CreatePolicy(k8s, egressPolicy, nsX) // Creating ingress policy to allow from x/a to y/a and y/b @@ -697,8 +750,10 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { "pod": "a", }, } - allowIngressPolicyPodA := GetAllowIngressByNamespaceAndPod("allow-from-xa-on-ya-match-selector", map[string]string{"pod": "a"}, allowedIngressNamespaces, allowedIngressPods) - allowIngressPolicyPodB := GetAllowIngressByNamespaceAndPod("allow-from-xa-on-yb-match-selector", map[string]string{"pod": "b"}, allowedIngressNamespaces, allowedIngressPods) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedIngressNamespaces, PodSelector: allowedIngressPods}) + allowIngressPolicyPodA := GenNetworkPolicyWithNameAndPodMatchLabel("allow-from-xa-on-ya-match-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) + allowIngressPolicyPodB := GenNetworkPolicyWithNameAndPodMatchLabel("allow-from-xa-on-yb-match-selector", map[string]string{"pod": "b"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, allowIngressPolicyPodA, nsY) CreatePolicy(k8s, allowIngressPolicyPodB, nsY) @@ -765,7 +820,11 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { "pod": "a", }, } - policy := GetAllowEgressByNamespaceAndPod("allow-to-ns-y-pod-a", map[string]string{"pod": "a"}, allowedNamespaces, allowedPods) + egressRule1 := networkingv1.NetworkPolicyEgressRule{} + egressRule1.To = append(egressRule1.To, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedNamespaces, PodSelector: allowedPods}) + egressRule2 := networkingv1.NetworkPolicyEgressRule{} + egressRule2.Ports = append(egressRule2.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolUDP, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-to-ns-y-pod-a", map[string]string{"pod": "a"}, SetSpecEgressRules(egressRule1, egressRule2)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -777,7 +836,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should enforce ingress policy allowing any port traffic to a server on a specific protocol [Feature:NetworkPolicy] [Feature:UDP]", func() { nsX, _, _, model, k8s := getK8SModel(f) - policy := GetAllowIngressByProtocol("allow-ingress-by-proto", map[string]string{"pod": "a"}, &protocolTCP) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolTCP}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress-by-proto", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachabilityTCP := NewReachability(model.AllPods(), true) @@ -790,7 +851,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should enforce multiple ingress policies with ingress allow-all policy taking precedence [Feature:NetworkPolicy]", func() { nsX, _, _, model, k8s := getK8SModel(f) - policyAllowOnlyPort80 := GetAllowIngressByPort("allow-ingress-port-80", &intstr.IntOrString{Type: intstr.Int, IntVal: 80}) + IngressRules := networkingv1.NetworkPolicyIngressRule{} + IngressRules.Ports = append(IngressRules.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}}) + policyAllowOnlyPort80 := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress-port-80", map[string]string{}, SetSpecIngressRules(IngressRules)) CreatePolicy(k8s, policyAllowOnlyPort80, nsX) ginkgo.By("The policy targets port 80 -- so let's make sure traffic on port 81 is blocked") @@ -801,7 +864,7 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.By("Allowing all ports") - policyAllowAll := GetAllowIngress("allow-ingress") + policyAllowAll := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{})) CreatePolicy(k8s, policyAllowAll, nsX) reachabilityAll := NewReachability(model.AllPods(), true) @@ -809,7 +872,10 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { }) ginkgo.It("should enforce multiple egress policies with egress allow-all policy taking precedence [Feature:NetworkPolicy]", func() { - policyAllowPort80 := GetAllowEgressByPort("allow-egress-port-80", &intstr.IntOrString{Type: intstr.Int, IntVal: 80}) + egressRule := networkingv1.NetworkPolicyEgressRule{} + egressRule.Ports = append(egressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}}) + egressRule.Ports = append(egressRule.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolUDP, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}}) + policyAllowPort80 := GenNetworkPolicyWithNameAndPodMatchLabel("allow-egress-port-80", map[string]string{}, SetSpecEgressRules(egressRule)) nsX, _, _, model, k8s := getK8SModel(f) CreatePolicy(k8s, policyAllowPort80, nsX) @@ -821,7 +887,7 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.By("Allowing all ports") - policyAllowAll := GetAllowEgress() + policyAllowAll := GenNetworkPolicyWithNameAndPodMatchLabel("allow-egress", map[string]string{}, SetSpecEgressRules(networkingv1.NetworkPolicyEgressRule{})) CreatePolicy(k8s, policyAllowAll, nsX) reachabilityAll := NewReachability(model.AllPods(), true) @@ -832,7 +898,7 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.By("Creating a network policy for the server which denies all traffic.") // Deny all traffic into and out of "x". - policy := GetDenyAll("deny-all") + policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules(), SetSpecEgressRules()) nsX, _, _, model, k8s := getK8SModel(f) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -865,7 +931,12 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { hostMask = 128 } podServerCIDR := fmt.Sprintf("%s/%d", pod.Status.PodIP, hostMask) - policyAllowCIDR := GetAllowEgressByCIDR("a", podServerCIDR) + egressRule1 := networkingv1.NetworkPolicyEgressRule{} + egressRule1.To = append(egressRule1.To, networkingv1.NetworkPolicyPeer{IPBlock: &networkingv1.IPBlock{CIDR: podServerCIDR}}) + egressRule2 := networkingv1.NetworkPolicyEgressRule{} + egressRule2.Ports = append(egressRule2.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolUDP, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}}) + policyAllowCIDR := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-cidr-egress-rule", + map[string]string{"pod": "a"}, SetSpecEgressRules(egressRule1, egressRule2)) CreatePolicy(k8s, policyAllowCIDR, nsX) reachability := NewReachability(model.AllPods(), true) @@ -893,7 +964,11 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { } podServerExceptList := []string{fmt.Sprintf("%s/%d", podB.Status.PodIP, hostMask)} - policyAllowCIDR := GetAllowEgressByCIDRExcept("a", podServerAllowCIDR, podServerExceptList) + egressRule1 := networkingv1.NetworkPolicyEgressRule{} + egressRule1.To = append(egressRule1.To, networkingv1.NetworkPolicyPeer{IPBlock: &networkingv1.IPBlock{CIDR: podServerAllowCIDR, Except: podServerExceptList}}) + egressRule2 := networkingv1.NetworkPolicyEgressRule{} + egressRule2.Ports = append(egressRule2.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolUDP, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}}) + policyAllowCIDR := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-cidr-egress-rule", map[string]string{"pod": "a"}, SetSpecEgressRules(egressRule1, egressRule2)) CreatePolicy(k8s, policyAllowCIDR, nsX) @@ -922,7 +997,12 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { podServerAllowCIDR := fmt.Sprintf("%s/4", podA.Status.PodIP) podServerExceptList := []string{fmt.Sprintf("%s/%d", podB.Status.PodIP, hostMask)} - policyAllowCIDR := GetAllowEgressByCIDRExcept("a", podServerAllowCIDR, podServerExceptList) + egressRule1 := networkingv1.NetworkPolicyEgressRule{} + egressRule1.To = append(egressRule1.To, networkingv1.NetworkPolicyPeer{IPBlock: &networkingv1.IPBlock{CIDR: podServerAllowCIDR, Except: podServerExceptList}}) + egressRule2 := networkingv1.NetworkPolicyEgressRule{} + egressRule2.Ports = append(egressRule2.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolUDP, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}}) + policyAllowCIDR := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-cidr-egress-rule", + map[string]string{"pod": "a"}, SetSpecEgressRules(egressRule1, egressRule2)) CreatePolicy(k8s, policyAllowCIDR, nsX) reachability := NewReachability(model.AllPods(), true) @@ -932,7 +1012,12 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { podBIP := fmt.Sprintf("%s/%d", podB.Status.PodIP, hostMask) //// Create NetworkPolicy which allows access to the podServer using podServer's IP in allow CIDR. - allowPolicy := GetAllowEgressByCIDR("a", podBIP) + egressRule3 := networkingv1.NetworkPolicyEgressRule{} + egressRule3.To = append(egressRule3.To, networkingv1.NetworkPolicyPeer{IPBlock: &networkingv1.IPBlock{CIDR: podBIP}}) + egressRule4 := networkingv1.NetworkPolicyEgressRule{} + egressRule4.Ports = append(egressRule4.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolUDP, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}}) + allowPolicy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-cidr-egress-rule", + map[string]string{"pod": "a"}, SetSpecEgressRules(egressRule3, egressRule4)) // SHOULD THIS BE UPDATE OR CREATE JAY TESTING 10/31 UpdatePolicy(k8s, allowPolicy, nsX) @@ -956,7 +1041,8 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.By("Creating a network policy for pod-a which allows Egress traffic to pod-b.") - allowEgressPolicy := GetAllowEgressForTarget(metav1.LabelSelector{MatchLabels: targetLabels}) + allowEgressPolicy := GenNetworkPolicyWithNameAndPodSelector("allow-egress-for-target", + metav1.LabelSelector{MatchLabels: targetLabels}, SetSpecEgressRules(networkingv1.NetworkPolicyEgressRule{})) nsX, _, _, model, k8s := getK8SModel(f) CreatePolicy(k8s, allowEgressPolicy, nsX) @@ -965,7 +1051,7 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.By("Creating a network policy for pod-a that denies traffic from pod-b.") - denyAllIngressPolicy := GetDenyIngressForTarget(metav1.LabelSelector{MatchLabels: targetLabels}) + denyAllIngressPolicy := GenNetworkPolicyWithNameAndPodSelector("deny-ingress-via-label-selector", metav1.LabelSelector{MatchLabels: targetLabels}, SetSpecIngressRules()) CreatePolicy(k8s, denyAllIngressPolicy, nsX) denyIngressToXReachability := NewReachability(model.AllPods(), true) @@ -974,7 +1060,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { }) ginkgo.It("should not allow access by TCP when a policy specifies only SCTP [Feature:NetworkPolicy] [Feature:SCTP]", func() { - policy := GetAllowIngressOnProtocolByPort("allow-only-sctp-ingress-on-port-81", v1.ProtocolSCTP, map[string]string{"pod": "a"}, &intstr.IntOrString{IntVal: 81}) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolSCTP}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-sctp-ingress-on-port-81", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) nsX, _, _, model, k8s := getK8SModel(f) CreatePolicy(k8s, policy, nsX) @@ -987,7 +1075,9 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { }) ginkgo.It("should not allow access by TCP when a policy specifies only UDP [Feature:NetworkPolicy] [Feature:UDP]", func() { - policy := GetAllowIngressOnProtocolByPort("allow-only-udp-ingress-on-port-81", v1.ProtocolUDP, map[string]string{"pod": "a"}, &intstr.IntOrString{IntVal: 81}) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolUDP}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-udp-ingress-on-port-81", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) nsX, _, _, model, k8s := getK8SModel(f) CreatePolicy(k8s, policy, nsX) @@ -1023,7 +1113,7 @@ var _ = common.SIGDescribe("Netpol [Feature:UDPConnectivity][LinuxOnly]", func() ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() { nsX, _, _, model, k8s := getK8SModel(f) - policy := GetDenyIngress("deny-all") + policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules()) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -1041,7 +1131,10 @@ var _ = common.SIGDescribe("Netpol [Feature:UDPConnectivity][LinuxOnly]", func() }, } - allowPort81Policy := GetAllowIngressByNamespaceAndPort("allow-ingress-on-port-81-ns-x", map[string]string{"pod": "a"}, allowedLabels, &intstr.IntOrString{IntVal: 81}, &protocolUDP) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedLabels}) + ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolUDP}) + allowPort81Policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress-on-port-81-ns-x", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, allowPort81Policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -1063,7 +1156,9 @@ var _ = common.SIGDescribe("Netpol [Feature:UDPConnectivity][LinuxOnly]", func() "pod": "a", }, } - policy := GetAllowIngressByNamespaceAndPod("allow-ns-y-pod-a-via-namespace-pod-selector", map[string]string{"pod": "a"}, allowedNamespaces, allowedPods) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedNamespaces, PodSelector: allowedPods}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ns-y-pod-a-via-namespace-pod-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -1098,7 +1193,7 @@ var _ = common.SIGDescribe("Netpol [Feature:SCTPConnectivity][LinuxOnly][Disrupt ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() { nsX, _, _, model, k8s := getK8SModel(f) - policy := GetDenyIngress("deny-all") + policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules()) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -1115,8 +1210,10 @@ var _ = common.SIGDescribe("Netpol [Feature:SCTPConnectivity][LinuxOnly][Disrupt "ns": nsY, }, } - - allowPort81Policy := GetAllowIngressByNamespaceAndPort("allow-ingress-on-port-81-ns-x", map[string]string{"pod": "a"}, allowedLabels, &intstr.IntOrString{IntVal: 81}, &protocolSCTP) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedLabels}) + ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolSCTP}) + allowPort81Policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress-on-port-81-ns-x", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, allowPort81Policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -1138,7 +1235,9 @@ var _ = common.SIGDescribe("Netpol [Feature:SCTPConnectivity][LinuxOnly][Disrupt "pod": "a", }, } - policy := GetAllowIngressByNamespaceAndPod("allow-ns-y-pod-a-via-namespace-pod-selector", map[string]string{"pod": "a"}, allowedNamespaces, allowedPods) + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedNamespaces, PodSelector: allowedPods}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ns-y-pod-a-via-namespace-pod-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) diff --git a/test/e2e/network/netpol/policies.go b/test/e2e/network/netpol/policies.go index f08fb84fdf1..d0d4264f7dc 100644 --- a/test/e2e/network/netpol/policies.go +++ b/test/e2e/network/netpol/policies.go @@ -17,565 +17,70 @@ limitations under the License. package netpol import ( - "fmt" - - "k8s.io/apimachinery/pkg/util/intstr" - - v1 "k8s.io/api/core/v1" networkingv1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -// GetDenyIngress returns a default deny ingress policy. -func GetDenyIngress(name string) *networkingv1.NetworkPolicy { - return &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}, - Ingress: []networkingv1.NetworkPolicyIngressRule{}, - }, +type SetFunc func(policy *networkingv1.NetworkPolicy) + +func GenNetworkPolicy(fn ...SetFunc) *networkingv1.NetworkPolicy { + policy := &networkingv1.NetworkPolicy{} + for _, f := range fn { + f(policy) + } + return policy +} + +func GenNetworkPolicyWithNameAndPodMatchLabel(name string, targetLabels map[string]string, otherFunc ...SetFunc) *networkingv1.NetworkPolicy { + otherFunc = append(otherFunc, SetObjectMetaName(name), SetSpecPodSelectorMatchLabels(targetLabels)) + return GenNetworkPolicy(otherFunc...) +} + +func GenNetworkPolicyWithNameAndPodSelector(name string, targetSelector metav1.LabelSelector, otherFunc ...SetFunc) *networkingv1.NetworkPolicy { + otherFunc = append(otherFunc, SetObjectMetaName(name), SetSpecPodSelector(targetSelector)) + return GenNetworkPolicy(otherFunc...) +} + +func SetObjectMetaName(name string) SetFunc { + return func(policy *networkingv1.NetworkPolicy) { + policy.ObjectMeta.Name = name } } -// GetDenyIngressEmptyPeerSelector returns a default ingress deny policy using empty Peer selector. -func GetDenyIngressEmptyPeerSelector(name string) *networkingv1.NetworkPolicy { - return &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - { - From: []networkingv1.NetworkPolicyPeer{ - { - PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}}, - }, - }, - }, - }, - }, +func SetSpecPodSelector(targetSelector metav1.LabelSelector) SetFunc { + return func(policy *networkingv1.NetworkPolicy) { + policy.Spec.PodSelector = targetSelector } } -// GetDenyEgress returns a default deny egress policy. -func GetDenyEgress(name string) *networkingv1.NetworkPolicy { - return &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, - Egress: []networkingv1.NetworkPolicyEgressRule{}, - }, - } -} - -// GetDenyEgressForTarget returns a default deny egress policy. -func GetDenyEgressForTarget(name string, targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy { - return &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: targetSelector, - PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, - Egress: []networkingv1.NetworkPolicyEgressRule{}, - }, - } -} - -// GetRandomIngressPolicies returns "num" random policies that allow a unique:n label, i.e. -// unique:1, unique:2, and so on. Used for creating a 'background' set of policies. -func GetRandomIngressPolicies(num int) []*networkingv1.NetworkPolicy { - policies := []*networkingv1.NetworkPolicy{} - - for i := 0; i < num; i++ { - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: fmt.Sprintf("allow-all-%v", i), - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{ - "unique": fmt.Sprintf("%v", i), - }, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{{}}, - }, +func SetSpecPodSelectorMatchLabels(targetLabels map[string]string) SetFunc { + return func(policy *networkingv1.NetworkPolicy) { + policy.Spec.PodSelector = metav1.LabelSelector{ + MatchLabels: targetLabels, } - policies = append(policies, policy) - } - return policies -} - -// GetAllowIngress allows all ingress -func GetAllowIngress(name string) *networkingv1.NetworkPolicy { - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{}, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - {}, - }, - }, - } - return policy -} - -// GetAllowIngressByPort allows ingress by port -func GetAllowIngressByPort(name string, port *intstr.IntOrString) *networkingv1.NetworkPolicy { - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{}, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - { - Ports: []networkingv1.NetworkPolicyPort{ - {Port: port}, - }, - }, - }, - }, - } - return policy -} - -// GetAllowEgressByPort allows egress by port -func GetAllowEgressByPort(name string, port *intstr.IntOrString) *networkingv1.NetworkPolicy { - protocolUDP := v1.ProtocolUDP - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{}, - }, - Egress: []networkingv1.NetworkPolicyEgressRule{ - { - Ports: []networkingv1.NetworkPolicyPort{ - {Port: port}, - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}, - }, - }, - }, - }, - PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, - }, - } - return policy -} - -// GetDenyAll denies ingress traffic, AS WELL as egress traffic. -// - BOTH policy types must be specified -// - The Egress rule must (like the ingress default rule) be a array with 0 values. -func GetDenyAll(name string) *networkingv1.NetworkPolicy { - policy := GetDenyIngress(name) - policy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress} - policy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{} - policy.Spec.Ingress = []networkingv1.NetworkPolicyIngressRule{} - return policy -} - -// GetDenyAllWithEgressDNS deny all egress traffic, besides DNS/UDP port -func GetDenyAllWithEgressDNS() *networkingv1.NetworkPolicy { - protocolUDP := v1.ProtocolUDP - return &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "deny-all-tcp-allow-dns", - }, - Spec: networkingv1.NetworkPolicySpec{ - PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress}, - PodSelector: metav1.LabelSelector{}, - Ingress: []networkingv1.NetworkPolicyIngressRule{}, - Egress: []networkingv1.NetworkPolicyEgressRule{ - { - Ports: []networkingv1.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}, - }, - }, - }, - }, - }, } } -// GetAllowIngressByPod allows ingress by pod labels -func GetAllowIngressByPod(name string, targetLabels map[string]string, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy { - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: targetLabels, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{{ - From: []networkingv1.NetworkPolicyPeer{{ - PodSelector: peerPodSelector, - }}, - }}, - }, - } - return policy -} - -// GetAllowIngressForTarget allows ingress for target -func GetAllowIngressForTarget(name string, targetLabels map[string]string) *networkingv1.NetworkPolicy { - return &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: targetLabels, - }, - PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - { - From: []networkingv1.NetworkPolicyPeer{ - { - PodSelector: &metav1.LabelSelector{}, - NamespaceSelector: &metav1.LabelSelector{}, - }, - }, - }, - }, - }, +func SetSpecIngressRules(rules ...networkingv1.NetworkPolicyIngressRule) SetFunc { + return func(policy *networkingv1.NetworkPolicy) { + if policy.Spec.Ingress == nil { + policy.Spec.Ingress = []networkingv1.NetworkPolicyIngressRule{} + policy.Spec.PolicyTypes = append(policy.Spec.PolicyTypes, networkingv1.PolicyTypeIngress) + } + for _, rule := range rules { + policy.Spec.Ingress = append(policy.Spec.Ingress, rule) + } } } -// GetDenyIngressForTarget denies all ingress for target -func GetDenyIngressForTarget(targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy { - return &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "deny-ingress-via-label-selector", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: targetSelector, - PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}, - Ingress: []networkingv1.NetworkPolicyIngressRule{}, - }, +func SetSpecEgressRules(rules ...networkingv1.NetworkPolicyEgressRule) SetFunc { + return func(policy *networkingv1.NetworkPolicy) { + if policy.Spec.Egress == nil { + policy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{} + policy.Spec.PolicyTypes = append(policy.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) + } + for _, rule := range rules { + policy.Spec.Egress = append(policy.Spec.Egress, rule) + } } } - -// GetAllowIngressByNamespace allows ingress for namespace -func GetAllowIngressByNamespace(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy { - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: targetLabels, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{{ - From: []networkingv1.NetworkPolicyPeer{{ - NamespaceSelector: peerNamespaceSelector, - }}, - }}, - }, - } - return policy -} - -// GetAllowIngressByNamespaceAndPort allows ingress for namespace AND port AND protocol -func GetAllowIngressByNamespaceAndPort(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, port *intstr.IntOrString, protocol *v1.Protocol) *networkingv1.NetworkPolicy { - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: targetLabels, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{{ - From: []networkingv1.NetworkPolicyPeer{{ - NamespaceSelector: peerNamespaceSelector, - }}, - Ports: []networkingv1.NetworkPolicyPort{ - { - Port: port, - Protocol: protocol, - }, - }, - }}, - }, - } - return policy -} - -// GetAllowIngressByProtocol allows ingress for any ports on a specific protocol. -func GetAllowIngressByProtocol(name string, targetLabels map[string]string, protocol *v1.Protocol) *networkingv1.NetworkPolicy { - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: targetLabels, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{{ - Ports: []networkingv1.NetworkPolicyPort{ - { - Protocol: protocol, - }, - }, - }}, - }, - } - return policy -} - -// GetAllowIngressByNamespaceOrPod allows ingress for pods with matching namespace OR pod labels -func GetAllowIngressByNamespaceOrPod(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy { - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: targetLabels, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{{ - From: []networkingv1.NetworkPolicyPeer{ - { - NamespaceSelector: peerNamespaceSelector, - }, - { - PodSelector: peerPodSelector, - }, - }, - }}, - }, - } - return policy -} - -// GetAllowIngressByAnyPod allows ingress for pods with matching multiple pod labels -func GetAllowIngressByAnyPod(name string, targetLabels map[string]string, peersLabel []map[string]string) *networkingv1.NetworkPolicy { - policyPeers := []networkingv1.NetworkPolicyPeer{} - for _, label := range peersLabel { - policyPeers = append(policyPeers, networkingv1.NetworkPolicyPeer{ - PodSelector: &metav1.LabelSelector{MatchLabels: label}, - }) - } - - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: targetLabels, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - { - From: policyPeers, - }, - }, - }, - } - return policy -} - -// GetAllowIngressByNamespaceAndPod allows ingress for pods with matching namespace AND pod labels -func GetAllowIngressByNamespaceAndPod(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy { - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: targetLabels, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{{ - From: []networkingv1.NetworkPolicyPeer{{ - NamespaceSelector: peerNamespaceSelector, - PodSelector: peerPodSelector, - }}, - }}, - }, - } - return policy -} - -// GetAllowEgressByNamespaceAndPod allows egress for pods with matching namespace AND pod labels -func GetAllowEgressByNamespaceAndPod(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy { - protocolUDP := v1.ProtocolUDP - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: targetLabels, - }, - PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, - Egress: []networkingv1.NetworkPolicyEgressRule{ - { - To: []networkingv1.NetworkPolicyPeer{ - { - NamespaceSelector: peerNamespaceSelector, - PodSelector: peerPodSelector, - }, - }, - }, - { - Ports: []networkingv1.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}, - }, - }, - }, - }, - }, - } - return policy -} - -// GetAllowEgress allows all egress -func GetAllowEgress() *networkingv1.NetworkPolicy { - return &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "allow-egress", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{}, - }, - PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, - Egress: []networkingv1.NetworkPolicyEgressRule{{}}, - }, - } -} - -// GetAllowEgressForTarget allows all egress for a target -func GetAllowEgressForTarget(targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy { - return &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "allow-egress-for-target", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: targetSelector, - PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, - Egress: []networkingv1.NetworkPolicyEgressRule{{}}, - }, - } -} - -// GetAllowEgressByCIDR creates an egress netpol with an ipblock -func GetAllowEgressByCIDR(podname string, podserverCIDR string) *networkingv1.NetworkPolicy { - protocolUDP := v1.ProtocolUDP - return &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "allow-client-a-via-cidr-egress-rule", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{ - "pod": podname, - }, - }, - PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, - // Allow traffic to only one CIDR block. - Egress: []networkingv1.NetworkPolicyEgressRule{ - { - To: []networkingv1.NetworkPolicyPeer{ - { - IPBlock: &networkingv1.IPBlock{ - CIDR: podserverCIDR, - }, - }, - }, - }, - { - Ports: []networkingv1.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}, - }, - }, - }, - }, - }, - } -} - -// GetAllowEgressByCIDRExcept creates an egress netpol with an ipblock and except -func GetAllowEgressByCIDRExcept(podname string, podserverCIDR string, except []string) *networkingv1.NetworkPolicy { - protocolUDP := v1.ProtocolUDP - return &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "allow-client-a-via-cidr-egress-rule", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{ - "pod": podname, - }, - }, - PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, - // Allow traffic to only one CIDR block. - Egress: []networkingv1.NetworkPolicyEgressRule{ - { - To: []networkingv1.NetworkPolicyPeer{ - { - IPBlock: &networkingv1.IPBlock{ - CIDR: podserverCIDR, - Except: except, - }, - }, - }, - }, - { - Ports: []networkingv1.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}, - }, - }, - }, - }, - }, - } -} - -// GetAllowIngressOnProtocolByPort is a base network policy template which distinguishes between the types of v1.Protocol available in v1 core -func GetAllowIngressOnProtocolByPort(name string, protocol v1.Protocol, targetLabels map[string]string, portNum *intstr.IntOrString) *networkingv1.NetworkPolicy { - policy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: targetLabels, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{{ - Ports: []networkingv1.NetworkPolicyPort{{ - Port: portNum, - Protocol: &protocol, - }}, - }}, - }, - } - return policy -}