Merge pull request #97638 from knabben/netpol-egress-func
Moving egress deny with DNS to a policy function
This commit is contained in:
commit
f6e04cd3ad
@ -18,7 +18,6 @@ package netpol
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"encoding/json"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
@ -159,39 +158,9 @@ var _ = SIGDescribeCopy("Netpol [LinuxOnly]", func() {
|
|||||||
})
|
})
|
||||||
|
|
||||||
ginkgo.It("should support a 'default-deny-all' policy [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should support a 'default-deny-all' policy [Feature:NetworkPolicy]", func() {
|
||||||
np := &networkingv1.NetworkPolicy{}
|
policy := GetDenyAllWithEgressDNS()
|
||||||
policy := `
|
|
||||||
{
|
|
||||||
"kind": "NetworkPolicy",
|
|
||||||
"apiVersion": "networking.k8s.io/v1",
|
|
||||||
"metadata": {
|
|
||||||
"name": "deny-all-tcp-allow-dns"
|
|
||||||
},
|
|
||||||
"spec": {
|
|
||||||
"podSelector": {
|
|
||||||
"matchLabels": {}
|
|
||||||
},
|
|
||||||
"ingress": [],
|
|
||||||
"egress": [{
|
|
||||||
"ports": [
|
|
||||||
{
|
|
||||||
"protocol": "UDP",
|
|
||||||
"port": 53
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}],
|
|
||||||
"policyTypes": [
|
|
||||||
"Ingress",
|
|
||||||
"Egress"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
`
|
|
||||||
err := json.Unmarshal([]byte(policy), np)
|
|
||||||
framework.ExpectNoError(err, "unmarshal network policy")
|
|
||||||
|
|
||||||
nsX, _, _, model, k8s := getK8SModel(f)
|
nsX, _, _, model, k8s := getK8SModel(f)
|
||||||
CreatePolicy(k8s, np, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
reachability := NewReachability(model.AllPods(), true)
|
reachability := NewReachability(model.AllPods(), true)
|
||||||
reachability.ExpectPeer(&Peer{}, &Peer{Namespace: nsX}, false)
|
reachability.ExpectPeer(&Peer{}, &Peer{Namespace: nsX}, false)
|
||||||
|
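Review bot: The policy installed by this 'default-deny-all' test now opens UDP/53 egress to every destination (the rule in GetDenyAllWithEgressDNS carries no `To` selector), yet the only assertion visible here is `reachability.ExpectPeer(&Peer{}, &Peer{Namespace: nsX}, false)`, which checks ingress into nsX; neither the egress denial nor the DNS exception is exercised by this matrix. If the DNS hole is there only so pods can resolve names during the test, a comment on the `policy :=` line should say so, e.g. `// UDP/53 egress stays open so pods can resolve names; only ingress denial is asserted below.` The ginkgo.It body continues past the end of this hunk, so there may be further assertions not visible here.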
@ -157,6 +157,31 @@ func GetDenyAll(name string) *networkingv1.NetworkPolicy {
|
|||||||
return policy
|
return policy
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetDenyAllWithEgressDNS deny all egress traffic, besides DNS/UDP port
|
||||||
|
func GetDenyAllWithEgressDNS() *networkingv1.NetworkPolicy {
|
||||||
|
protocolUDP := v1.ProtocolUDP
|
||||||
|
return &networkingv1.NetworkPolicy{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "deny-all-tcp-allow-dns",
|
||||||
|
},
|
||||||
|
Spec: networkingv1.NetworkPolicySpec{
|
||||||
|
PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress},
|
||||||
|
PodSelector: metav1.LabelSelector{},
|
||||||
|
Ingress: []networkingv1.NetworkPolicyIngressRule{},
|
||||||
|
Egress: []networkingv1.NetworkPolicyEgressRule{
|
||||||
|
{
|
||||||
|
Ports: []networkingv1.NetworkPolicyPort{
|
||||||
|
{
|
||||||
|
Protocol: &protocolUDP,
|
||||||
|
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// GetAllowIngressByPod allows ingress by pod labels
|
// GetAllowIngressByPod allows ingress by pod labels
|
||||||
func GetAllowIngressByPod(name string, targetLabels map[string]string, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy {
|
func GetAllowIngressByPod(name string, targetLabels map[string]string, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy {
|
||||||
policy := &networkingv1.NetworkPolicy{
|
policy := &networkingv1.NetworkPolicy{
|
||||||
|
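Review bot: The egress rule added to GetDenyAllWithEgressDNS has Ports but no `To`, so UDP/53 is allowed to any peer in or outside the cluster rather than to the cluster resolver only, and the doc comment on the function should state that explicitly, e.g. `// GetDenyAllWithEgressDNS returns a policy that denies all ingress and all egress except UDP/53, which is allowed to any destination (no To selector) so the selected pods can still resolve DNS.` The object name "deny-all-tcp-allow-dns" also understates the scope: every protocol is blocked except UDP/53, including DNS over TCP/53, so a name like "deny-all-allow-dns-udp" would read more accurately. As a point of style, the sibling `GetDenyAll(name string)` takes the policy name as a parameter while this helper hard-codes it; if more tests reuse it, a `name string` parameter would keep the helpers consistent. These observations are about the new function only; GetAllowIngressByPod is unchanged and its body runs past the hunk.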