
Commit d725e96

namespaced, factory: add networkpolicies function
This commit adds an additional factory function that is not part of the standard create-all-resources path; it generates the network policies CDI requires to function properly. This new function will be used in following commits to generate network policies as part of manifest-generator and csv-gen. Signed-off-by: Adi Aloni <[email protected]>
1 parent 369bdbf commit d725e96

3 files changed

+183
-1
lines changed


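--- a/pkg/operator/resources/namespaced/BUILD.bazel
+++ b/pkg/operator/resources/namespaced/BUILD.bazel
@@ -7,6 +7,7 @@ go_library(
 "controller.go",
 "cronjob.go",
 "factory.go",
+"networkpolicies.go",
 "prometheus.go",
 "uploadproxy.go",
 ],
@@ -20,10 +21,13 @@ go_library(
 "//vendor/github.com/openshift/api/security/v1:go_default_library",
 "//vendor/k8s.io/api/apps/v1:go_default_library",
 "//vendor/k8s.io/api/core/v1:go_default_library",
+"//vendor/k8s.io/api/networking/v1:go_default_library",
 "//vendor/k8s.io/api/rbac/v1:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
+"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
+"//vendor/k8s.io/utils/ptr:go_default_library",
 "//vendor/kubevirt.io/controller-lifecycle-operator-sdk/api:go_default_library",
 "//vendor/kubevirt.io/controller-lifecycle-operator-sdk/pkg/sdk/resources:go_default_library",
 "//vendor/sigs.k8s.io/controller-runtime/pkg/client:go_default_library",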

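--- a/pkg/operator/resources/namespaced/factory.go
+++ b/pkg/operator/resources/namespaced/factory.go
@@ -65,6 +65,10 @@ var factoryFunctions = map[string]factoryFunc{
 "cronjob": createCronJobResources,
 }
 
+var additionalFactoryFunctions = map[string]factoryFunc{
+"networkpolicies": createNetworkPolicies,
+}
+
 // CreateAllResources creates all namespaced resources
 func CreateAllResources(args *FactoryArgs) ([]client.Object, error) {
 var resources []client.Object
@@ -80,7 +84,7 @@ func CreateAllResources(args *FactoryArgs) ([]client.Object, error) {
 
 // CreateResourceGroup creates namespaced resources for a specific group/component
 func CreateResourceGroup(group string, args *FactoryArgs) ([]client.Object, error) {
-f, ok := factoryFunctions[group]
+f, ok := getFactoryFunc(group)
 if !ok {
 return nil, fmt.Errorf("group %s does not exist", group)
 }
@@ -111,3 +115,13 @@ func GetRolePolicyRules() []rbacv1.PolicyRule {
 result = append(result, GetPrometheusNamespacedRules()...)
 return result
 }
+
+func getFactoryFunc(group string) (factoryFunc, bool) {
+if f, ok := factoryFunctions[group]; ok {
+return f, true
+}
+if f, ok := additionalFactoryFunctions[group]; ok {
+return f, true
+}
+return nil, false
+}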
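Review bot: `additionalFactoryFunctions` and `getFactoryFunc` carry no doc comment, and the lookup order in `getFactoryFunc` silently prefers `factoryFunctions` when a group name appears in both maps, which a `CreateResourceGroup` caller cannot tell from the returned error. Since the whole point of the second map is that `CreateAllResources` deliberately leaves those groups out, that contract should be written down where the map is declared. I would add `// additionalFactoryFunctions holds groups that CreateResourceGroup builds on request but CreateAllResources deliberately omits; keys must not collide with factoryFunctions.` above the new map, and `// getFactoryFunc resolves a group name against factoryFunctions first, then additionalFactoryFunctions.` above the helper. `CreateAllResources` and `CreateResourceGroup` continue outside the hunks.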
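--- /dev/null
+++ b/pkg/operator/resources/namespaced/networkpolicies.go
@@ -0,0 +1,164 @@
+package namespaced
+
+import (
+corev1 "k8s.io/api/core/v1"
+networkv1 "k8s.io/api/networking/v1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/util/intstr"
+"k8s.io/utils/ptr"
+"kubevirt.io/containerized-data-importer/pkg/common"
+
+"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const (
+allowIngressToMetrics = "cdi-allow-ingress-to-metrics"
+allowUploadProxyCommunications = "cdi-allow-uploadproxy-communications"
+allowIngressToCdiAPIWebhook = "cdi-allow-cdi-api-webhook-server"
+allowEgressToImporterMetrics = "cdi-allow-cdi-deployment-importer-metrics"
+)
+
+func createNetworkPolicies(args *FactoryArgs) []client.Object {
+return []client.Object{
+newIngressToMetricsNP(args.Namespace),
+newUploadProxyCommunicationsNP(args.Namespace),
+newIngressToCdiAPIWebhookNP(args.Namespace),
+newCdiDeploymentToImporterMetricsNP(args.Namespace),
+}
+}
+
+func newNetworkPolicy(namespace, name string, spec *networkv1.NetworkPolicySpec) *networkv1.NetworkPolicy {
+return &networkv1.NetworkPolicy{
+TypeMeta: metav1.TypeMeta{
+APIVersion: "networking.k8s.io/v1",
+Kind: "NetworkPolicy",
+},
+ObjectMeta: metav1.ObjectMeta{
+Name: name,
+Namespace: namespace,
+Labels: map[string]string{common.CDIComponentLabel: ""},
+},
+Spec: *spec,
+}
+}
+
+func newIngressToMetricsNP(namespace string) *networkv1.NetworkPolicy {
+return newNetworkPolicy(
+namespace,
+allowIngressToMetrics,
+&networkv1.NetworkPolicySpec{
+PodSelector: metav1.LabelSelector{
+MatchLabels: map[string]string{common.PrometheusLabelKey: common.PrometheusLabelValue},
+},
+PolicyTypes: []networkv1.PolicyType{networkv1.PolicyTypeIngress},
+Ingress: []networkv1.NetworkPolicyIngressRule{
+{
+Ports: []networkv1.NetworkPolicyPort{
+{
+Port: ptr.To(intstr.FromInt32(8443)),
+Protocol: ptr.To(corev1.ProtocolTCP),
+},
+},
+},
+},
+},
+)
+}
+
+func newUploadProxyCommunicationsNP(namespace string) *networkv1.NetworkPolicy {
+return newNetworkPolicy(
+namespace,
+allowUploadProxyCommunications,
+&networkv1.NetworkPolicySpec{
+PodSelector: metav1.LabelSelector{
+MatchLabels: map[string]string{common.CDIComponentLabel: common.CDIUploadProxyResourceName},
+},
+PolicyTypes: []networkv1.PolicyType{
+networkv1.PolicyTypeIngress,
+networkv1.PolicyTypeEgress,
+},
+Egress: []networkv1.NetworkPolicyEgressRule{
+{
+To: []networkv1.NetworkPolicyPeer{
+{
+PodSelector: &metav1.LabelSelector{
+MatchLabels: map[string]string{common.CDIComponentLabel: common.UploadServerCDILabel},
+},
+NamespaceSelector: &metav1.LabelSelector{},
+},
+},
+Ports: []networkv1.NetworkPolicyPort{
+{
+Port: ptr.To(intstr.FromInt32(8443)),
+Protocol: ptr.To(corev1.ProtocolTCP),
+},
+},
+},
+},
+Ingress: []networkv1.NetworkPolicyIngressRule{
+{
+Ports: []networkv1.NetworkPolicyPort{
+{
+Port: ptr.To(intstr.FromInt32(8443)),
+Protocol: ptr.To(corev1.ProtocolTCP),
+},
+},
+},
+},
+},
+)
+}
+
+func newIngressToCdiAPIWebhookNP(namespace string) *networkv1.NetworkPolicy {
+return newNetworkPolicy(
+namespace,
+allowIngressToCdiAPIWebhook,
+&networkv1.NetworkPolicySpec{
+PodSelector: metav1.LabelSelector{
+MatchLabels: map[string]string{common.CDIComponentLabel: common.CDIApiServerResourceName},
+},
+PolicyTypes: []networkv1.PolicyType{networkv1.PolicyTypeIngress},
+Ingress: []networkv1.NetworkPolicyIngressRule{
+{
+Ports: []networkv1.NetworkPolicyPort{
+{
+Port: ptr.To(intstr.FromInt32(8443)),
+Protocol: ptr.To(corev1.ProtocolTCP),
+},
+},
+},
+},
+},
+)
+}
+
+func newCdiDeploymentToImporterMetricsNP(namespace string) *networkv1.NetworkPolicy {
+return newNetworkPolicy(
+namespace,
+allowEgressToImporterMetrics,
+&networkv1.NetworkPolicySpec{
+PodSelector: metav1.LabelSelector{
+MatchLabels: map[string]string{common.CDIComponentLabel: common.CDIControllerResourceName},
+},
+PolicyTypes: []networkv1.PolicyType{networkv1.PolicyTypeEgress},
+Egress: []networkv1.NetworkPolicyEgressRule{
+{
+To: []networkv1.NetworkPolicyPeer{
+{
+PodSelector: &metav1.LabelSelector{
+MatchLabels: map[string]string{common.PrometheusLabelKey: common.PrometheusLabelValue},
+},
+NamespaceSelector: &metav1.LabelSelector{},
+},
+},
+Ports: []networkv1.NetworkPolicyPort{
+{
+Port: ptr.To(intstr.FromInt32(8443)),
+Protocol: ptr.To(corev1.ProtocolTCP),
+},
+},
+},
+},
+},
+)
+}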
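Review bot: `newCdiDeploymentToImporterMetricsNP` and `newUploadProxyCommunicationsNP` list `PolicyTypeEgress`, which turns the selected cdi-deployment and cdi-uploadproxy pods into egress default-deny, yet the only egress either policy grants is TCP 8443 to the peer pods; nothing in this file allows DNS or API-server egress for them, so unless a separate policy outside this commit covers it, those pods lose that connectivity once the objects are applied. NetworkPolicy allow rules are additive, so this may be intentional, but the file should say where the remaining egress comes from. In the other direction, none of the Ingress rules set `From`, so `newIngressToMetricsNP` admits TCP 8443 from any source to every pod carrying the prometheus label, which deserves a comment stating that open scraping is the intent. I would give each constructor a doc comment in that spirit, for example above `newCdiDeploymentToImporterMetricsNP`: `// newCdiDeploymentToImporterMetricsNP limits cdi-deployment egress to TCP 8443 on prometheus-labelled pods in any namespace; other egress (DNS, API server) must be granted by a separate policy.`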
