def _create_sg_rule_on_text_port(sg_id, direction, port, rule_selected_pods, crd_rules, matched, crd, allow_all=False, namespace=None): matched_pods = {} spec_pod_selector = crd['spec'].get('podSelector') policy_namespace = crd['metadata']['namespace'] spec_pods = driver_utils.get_pods(spec_pod_selector, policy_namespace).get('items') if direction == 'ingress': for spec_pod in spec_pods: container_ports = driver_utils.get_ports(spec_pod, port) for rule_selected_pod in rule_selected_pods: matched = _create_sg_rules_with_container_ports( matched_pods, container_ports, allow_all, namespace, matched, crd_rules, sg_id, direction, port, rule_selected_pod) elif direction == 'egress': for rule_selected_pod in rule_selected_pods: pod_label = rule_selected_pod['metadata'].get('labels') pod_ns = rule_selected_pod['metadata'].get('namespace') # NOTE(maysams) Do not allow egress traffic to the actual # set of pods the NP is enforced on. if (driver_utils.match_selector(spec_pod_selector, pod_label) and policy_namespace == pod_ns): continue container_ports = driver_utils.get_ports(rule_selected_pod, port) matched = _create_sg_rules_with_container_ports( matched_pods, container_ports, allow_all, namespace, matched, crd_rules, sg_id, direction, port, rule_selected_pod) for container_port, pods in matched_pods.items(): if allow_all: sg_rule = driver_utils.create_security_group_rule_body( sg_id, direction, container_port, protocol=port.get('protocol'), pods=pods) else: namespace_obj = driver_utils.get_namespace(namespace) namespace_cidr = driver_utils.get_namespace_subnet_cidr( namespace_obj) sg_rule = driver_utils.create_security_group_rule_body( sg_id, direction, container_port, protocol=port.get('protocol'), cidr=namespace_cidr, pods=pods) sgr_id = driver_utils.create_security_group_rule(sg_rule) sg_rule['security_group_rule']['id'] = sgr_id crd_rules.append(sg_rule) return matched
def _create_sg_rule_body_on_text_port(self, sg_id, direction, port, resources, crd_rules, pod_selector, policy_namespace, allow_all=False): """Create SG rules when named port is used in the NP rule In case of ingress, the pods selected by NetworkPolicySpec's podSelector have its containers checked for ports with same name as the named port. If true, rules are created for the resource matched in the NP rule selector with that port. In case of egress, all the pods selected by the NetworkPolicyEgressRule's selector have its containers checked for containers ports with same name as the ones defined in NP rule, and if true the rule is created. param sg_id: String with the Security Group ID param direction: String with ingress or egress param port: dict containing port and protocol param resources: list of K8S resources(pod/namespace) or a dict with cird param crd_rules: list of parsed SG rules param pod_selector: dict with NetworkPolicySpec's podSelector param policy_namespace: string with policy namespace param allow_all: True if should parse a allow from/to all rule, False otherwise """ matched_pods = {} if direction == "ingress": selected_pods = driver_utils.get_pods( pod_selector, policy_namespace).get('items') for selected_pod in selected_pods: container_ports = driver_utils.get_ports(selected_pod, port) for resource in resources: self._create_sg_rules_with_container_ports( container_ports, allow_all, resource, matched_pods, crd_rules, sg_id, direction, port) elif direction == "egress": for resource in resources: # NOTE(maysams) Skipping objects that refers to ipblocks # and consequently do not contains a spec field if not resource.get('spec'): LOG.warning("IPBlock for egress with named ports is " "not supported.") continue container_ports = driver_utils.get_ports(resource, port) self._create_sg_rules_with_container_ports( container_ports, allow_all, resource, matched_pods, crd_rules, sg_id, direction, port, pod_selector, policy_namespace) if allow_all: for container_port, pods in matched_pods.items(): sg_rule = driver_utils.create_security_group_rule_body( sg_id, direction, container_port, protocol=port.get('protocol'), pods=pods) crd_rules.append(sg_rule) if direction == 'egress': rules = self._create_svc_egress_sg_rule( sg_id, policy_namespace, port=container_port, protocol=port.get('protocol')) crd_rules.extend(rules)
def _create_sg_rule_body_on_text_port(self, direction, port, resources, crd_rules, pod_selector, policy_namespace, allowed_cidrs=None): """Create SG rules when named port is used in the NP rule In case of ingress, the pods selected by NetworkPolicySpec's podSelector have its containers checked for ports with same name as the named port. If true, rules are created for the resource matched in the NP rule selector with that port. In case of egress, all the pods selected by the NetworkPolicyEgressRule's selector have its containers checked for containers ports with same name as the ones defined in NP rule, and if true the rule is created. param sg_id: String with the Security Group ID param direction: String with ingress or egress param port: dict containing port and protocol param resources: list of K8S resources(pod/namespace) or a dict with cird param crd_rules: list of parsed SG rules param pod_selector: dict with NetworkPolicySpec's podSelector param policy_namespace: string with policy namespace param allowed_cidrs: None, or a list of cidrs, where/from the traffic should be allowed. """ matched_pods = {} if direction == "ingress": selected_pods = driver_utils.get_pods( pod_selector, policy_namespace).get('items') for selected_pod in selected_pods: container_ports = driver_utils.get_ports(selected_pod, port) for resource in resources: self._create_sg_rules_with_container_ports( container_ports, allowed_cidrs, resource, matched_pods, crd_rules, direction, port) elif direction == "egress": for resource in resources: # NOTE(maysams) Skipping objects that refers to ipblocks # and consequently do not contains a spec field if not resource.get('spec'): LOG.warning("IPBlock for egress with named ports is " "not supported.") continue container_ports = driver_utils.get_ports(resource, port) self._create_sg_rules_with_container_ports( container_ports, allowed_cidrs, resource, matched_pods, crd_rules, direction, port, pod_selector, policy_namespace) if allowed_cidrs: for container_port, pods in matched_pods.items(): for cidr in allowed_cidrs: sg_rule = driver_utils.create_security_group_rule_body( direction, container_port, # Pod's spec.containers[].port.protocol defaults to TCP protocol=port.get('protocol', 'TCP'), cidr=cidr, pods=pods) crd_rules.append(sg_rule)
def _create_sg_rule_on_text_port(direction, port, rule_selected_pods, matched, crd): spec_pod_selector = crd['spec'].get('podSelector') policy_namespace = crd['metadata']['namespace'] spec_pods = driver_utils.get_pods(spec_pod_selector, policy_namespace).get('items') if direction == 'ingress': for spec_pod in spec_pods: container_ports = driver_utils.get_ports(spec_pod, port) matched = _create_sg_rules_with_container_ports( container_ports, matched) elif direction == 'egress': for rule_selected_pod in rule_selected_pods: pod_label = rule_selected_pod['metadata'].get('labels') pod_ns = rule_selected_pod['metadata'].get('namespace') # NOTE(maysams) Do not allow egress traffic to the actual # set of pods the NP is enforced on. if (driver_utils.match_selector(spec_pod_selector, pod_label) and policy_namespace == pod_ns): continue container_ports = driver_utils.get_ports(rule_selected_pod, port) matched = _create_sg_rules_with_container_ports( container_ports, matched) return matched