 def _get_network_policy_spec(self, spec):
     ''' Return V1beta1NetworkPolicySpec

     Builds the ingress and egress rule objects from the ``ingress`` and
     ``egress`` lists of *spec* (each rule's ``from``/``to`` peers and its
     ``ports``/``egress_ports`` entries), resolves ``pod_selector`` through
     ``self._get_label_selector`` and passes ``policy_types`` through
     unchanged (``None`` when absent).

     :param spec: dict describing the policy; ``pod_selector`` is required,
         every other key defaults to an empty list / ``None``.
     :return: ``client.V1beta1NetworkPolicySpec``
     :raises KeyError: if ``spec`` has no ``pod_selector`` entry.

     NOTE(review): ``ingress``/``egress`` are always passed as lists, never
     ``None``; per the NetworkPolicy API a type listed in ``policy_types``
     with an empty rule list denies that direction entirely -- confirm that
     is the intended result for callers that omit the rules.
     '''
     selector = self._get_label_selector(**spec['pod_selector'])

     def build_ingress(rule):
         peers = self._get_network_policy_peer_list(
             rule_list=rule.get('from', []))
         port_objs = self._get_network_policy_port_list(rule.get('ports', []))
         return client.V1beta1NetworkPolicyIngressRule(_from=peers,
                                                        ports=port_objs)

     def build_egress(rule):
         peers = self._get_network_policy_peer_list(
             rule_list=rule.get('to', []))
         # Egress rules read their ports from 'egress_ports', not 'ports'.
         port_objs = self._get_network_policy_port_list(
             rule.get('egress_ports', []))
         return client.V1beta1NetworkPolicyEgressRule(to=peers, ports=port_objs)

     ingress_objs = [build_ingress(r) for r in spec.get('ingress', [])]
     egress_objs = [build_egress(r) for r in spec.get('egress', [])]
     return client.V1beta1NetworkPolicySpec(
         ingress=ingress_objs,
         egress=egress_objs,
         pod_selector=selector,
         policy_types=spec.get('policy_types', None))
def create_policy(namespace, use_kubectl=USE_KUBECTL):
    """Create the AWS-blocking egress NetworkPolicy in *namespace*.

    With ``use_kubectl`` the policy is applied from ``POLICY_FILENAME`` via
    ``kubemunch``; otherwise an equivalent object is built with the API
    client: pods in the namespace that carry no ``k8s-app`` label may egress
    to ``0.0.0.0/0`` except ``169.254.0.0/16`` (the link-local range that
    holds the instance metadata endpoint). Only ``Egress`` is listed in
    ``policy_types``, so ingress is left unrestricted.

    NOTE(review): pods that do carry a ``k8s-app`` label are exempt from the
    rule, and the rule only takes effect on a CNI that enforces NetworkPolicy
    (the object is created either way) -- confirm both in the target cluster.
    NOTE(review): the kubectl path assumes ``kubemunch`` returns an object
    exposing ``.metadata.name`` / ``.metadata.namespace`` like the API
    response does.
    """
    if use_kubectl:
        response = kubemunch('create', '-n', namespace, '-f', POLICY_FILENAME)
    else:
        metadata = client.V1ObjectMeta(name=AWS_NETWORK_POLICY_NAME,
                                       namespace=namespace)
        # Select every pod without a k8s-app label (system add-ons are skipped).
        no_k8s_app = client.V1LabelSelectorRequirement(key='k8s-app',
                                                       operator='DoesNotExist')
        selector = client.V1LabelSelector(match_expressions=[no_k8s_app])
        # Allow all egress except link-local, where the AWS metadata service lives.
        everywhere_but_link_local = client.V1beta1IPBlock(
            cidr='0.0.0.0/0', _except=['169.254.0.0/16'])
        egress_rule = client.V1beta1NetworkPolicyEgressRule(
            to=[client.V1beta1NetworkPolicyPeer(ip_block=everywhere_but_link_local)])
        policy = client.V1beta1NetworkPolicy(
            metadata=metadata,
            spec=client.V1beta1NetworkPolicySpec(pod_selector=selector,
                                                 egress=[egress_rule],
                                                 policy_types=['Egress']))
        response = client.NetworkingV1Api().create_namespaced_network_policy(
            namespace, policy)
    print("\tCreated {} in ns {}".format(response.metadata.name,
                                         response.metadata.namespace))
    def network_policy_pods_only(selector, destination):
        """Build a NetworkPolicy spec allowing egress only to selected pods.

        - ``selector``: label selector for the pods the policy applies to.
        - ``destination``: label selector for the pods that may be reached.

        The single egress rule names ``destination`` as a ``pod_selector``
        peer with no namespace selector, so (per the NetworkPolicy API) it
        matches pods in the policy's own namespace only. ``policy_types`` is
        ``['Egress']``: ingress is not restricted, while every other egress
        destination -- DNS included -- is denied unless another policy
        allows it.
        """
        peer = k8s.V1beta1NetworkPolicyPeer(pod_selector=destination)
        rule = k8s.V1beta1NetworkPolicyEgressRule(to=[peer])
        return k8s.V1beta1NetworkPolicySpec(
            egress=[rule],
            pod_selector=selector,
            policy_types=['Egress'],
        )
    def network_policy_dns_only(selector):
        """Build a NetworkPolicy spec allowing only DNS egress (port 53).

        - ``selector``: label selector for the pods the policy applies to.

        The egress rule lists port 53 over TCP and UDP but sets no ``to``
        peers, so port 53 is reachable at any address, not only the cluster
        resolver. NOTE(review): a ``to`` peer selecting the cluster DNS pods
        would confine DNS traffic to the in-cluster resolver -- confirm
        whether that stricter form is wanted. ``policy_types`` is
        ``['Egress']``, so ingress stays unrestricted.
        """
        dns_ports = [
            k8s.V1beta1NetworkPolicyPort(port=53, protocol=proto)
            for proto in ('TCP', 'UDP')
        ]
        rule = k8s.V1beta1NetworkPolicyEgressRule(ports=dns_ports)
        return k8s.V1beta1NetworkPolicySpec(
            egress=[rule],
            pod_selector=selector,
            policy_types=['Egress'],
        )
        print("\tskipping, ns whitelisted")
        continue

    ns_policy_response = v1beta1.list_namespaced_network_policy(name)
    local_policies = [
        ns_policy.metadata.name for ns_policy in ns_policy_response.items]
    if AWS_NETWORK_POLICY_NAME not in local_policies:
        print("\tnamespace doesn't block AWS")
        md = client.V1ObjectMeta(name=AWS_NETWORK_POLICY_NAME, namespace=name)
        match_expression = client.V1LabelSelectorRequirement(
            key='k8s-app', operator='DoesNotExist')
        pod_selector = client.V1LabelSelector(
            match_expressions=[match_expression])

        ip_block = client.V1beta1IPBlock(
            cidr='0.0.0.0/0', _except=['169.254.0.0/16'])
        peer = client.V1beta1NetworkPolicyPeer(ip_block=ip_block)
        egress = client.V1beta1NetworkPolicyEgressRule(to=[peer])
        spec = client.V1beta1NetworkPolicySpec(
            pod_selector=pod_selector,
            egress=[egress],
            policy_types=['Egress'])
        policy = client.V1beta1NetworkPolicy(metadata=md, spec=spec)
        response = networkingv1.create_namespaced_network_policy(name, policy)
        print(
            "\tCreated {} in NS {}".format(
                response.metadata.name,
                response.metadata.namespace))
    else:
        print("\tAWS already blocked")
 def V1beta1NetworkPolicySpec(policy_types, pod_selector, ingress):
     """Thin wrapper around ``client.V1beta1NetworkPolicySpec``.

     Forwards ``policy_types``, ``pod_selector`` and ``ingress`` unchanged
     and returns the constructed spec; no egress rules are set. The function
     is deliberately named like the client class it wraps, so importing it
     unqualified will shadow that class.
     """
     return client.V1beta1NetworkPolicySpec(policy_types=policy_types,
                                            pod_selector=pod_selector,
                                            ingress=ingress)