Esempio n. 1
def create_policy(namespace, use_kubectl=USE_KUBECTL):
    """Create the egress NetworkPolicy named AWS_NETWORK_POLICY_NAME in *namespace*.

    Two paths lead to the same cluster object:

    * ``use_kubectl`` truthy: hand the manifest in POLICY_FILENAME to
      ``kubemunch`` (presumably a kubectl wrapper; its return value is not
      visible here).
    * otherwise: build the object with the kubernetes client and POST it via
      NetworkingV1Api.

    The in-code spec selects every pod that has no ``k8s-app`` label and
    permits egress to 0.0.0.0/0 except 169.254.0.0/16 (the IPv4 link-local
    range, which is where cloud instance-metadata endpoints answer). With
    ``policy_types=['Egress']`` ingress is left as it was. NOTE(review): the
    rule is IPv4-only; a dual-stack cluster would need a matching IPv6 entry
    for the same effect.

    Args:
        namespace: namespace the policy is created in.
        use_kubectl: pick the kubectl path; the default is USE_KUBECTL as it
            was at import time.

    Side effects: creates a cluster object and prints a one-line summary.
    Whatever ``response`` is, it must expose ``.metadata.name`` and
    ``.metadata.namespace`` for that print.
    """
    if use_kubectl:
        response = kubemunch('create', '-n', namespace, '-f', POLICY_FILENAME)
    else:
        unlabeled_pods = client.V1LabelSelector(match_expressions=[
            client.V1LabelSelectorRequirement(key='k8s-app',
                                              operator='DoesNotExist')])
        anywhere_but_link_local = client.V1beta1NetworkPolicyPeer(
            ip_block=client.V1beta1IPBlock(cidr='0.0.0.0/0',
                                           _except=['169.254.0.0/16']))
        policy = client.V1beta1NetworkPolicy(
            metadata=client.V1ObjectMeta(name=AWS_NETWORK_POLICY_NAME,
                                         namespace=namespace),
            spec=client.V1beta1NetworkPolicySpec(
                pod_selector=unlabeled_pods,
                egress=[client.V1beta1NetworkPolicyEgressRule(
                    to=[anywhere_but_link_local])],
                policy_types=['Egress']))
        api = client.NetworkingV1Api()
        response = api.create_namespaced_network_policy(namespace, policy)
    print("\tCreated {} in ns {}".format(response.metadata.name,
                                         response.metadata.namespace))
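 def addSecurityGroup(self, payload):
     """Prepare a NetworkPolicy body for ``payload['namespace']`` / ``payload['name']``.

     Despite the name, nothing reaches the cluster yet: the create call at
     the end is commented out, so the method only logs the payload and builds
     a ``client.V1beta1NetworkPolicy`` object that is then discarded. Callers
     expecting a policy to be enforced currently get neither an effect nor an
     error.

     Args:
         payload: mapping with at least ``namespace`` and ``name``; a missing
             key raises KeyError.
     """
     service_logger.info("%s %s %s ", "addSecurityGroup", "payload :", payload)
     namespace = payload['namespace']
     body = client.V1beta1NetworkPolicy(
         metadata=client.V1ObjectMeta(name=payload['name']))
     # TODO(review): re-enable the create call and wrap *only* that call in
     # try/except ApiException. The previous try block contained no API call,
     # so its ApiException handler could never fire.
     # api_response = self.v1_ext.create_namespaced_network_policy(
     #     namespace, body, pretty='pretty_example')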
Esempio n. 3
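    def update_network_policy(self,
                              policy_name,
                              namespace='default',
                              metadata=None,
                              spec=None):
        '''
        Patch the NetworkPolicy *policy_name* in *namespace*.

        The policy is first read back through ``self.v1_beta_h`` so that a
        missing object fails there (presumably with the client's ApiException)
        instead of producing a partial patch; the fetched object is not used
        otherwise. ``metadata`` and ``spec`` are plain dicts converted by
        ``self._get_metadata`` / ``self._get_network_policy_spec``, the same
        shape ``create_network_policy`` accepts. Both default to a fresh empty
        dict: the old ``{}`` defaults were shared between calls, so any helper
        that mutated them would have leaked state from one update to the next.

        Returns V1beta1NetworkPolicy object (the patch call's response)
        '''
        if metadata is None:
            metadata = {}
        if spec is None:
            spec = {}
        # Existence check only; the return value is deliberately dropped.
        self.v1_beta_h.read_namespaced_network_policy(policy_name, namespace)
        body = client.V1beta1NetworkPolicy(
            metadata=self._get_metadata(metadata),
            spec=self._get_network_policy_spec(spec))
        self.logger.info('Updating Network Policy %s', policy_name)
        return self.v1_beta_h.patch_namespaced_network_policy(policy_name,
                                                              namespace, body)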
Esempio n. 4
    def create_network_policy(self,
                              namespace='default',
                              name=None,
                              metadata=None,
                              spec=None):
        '''
        Create a NetworkPolicy in *namespace* from plain-dict ``metadata`` and
        ``spec`` (converted by ``self._get_metadata`` and
        ``self._get_network_policy_spec``). A truthy ``name`` overrides
        whatever name the metadata dict carried. A ``spec`` dict looks like:

        spec = {
            'ingress' : [ { 'from': [
                                     { 'namespace_selector' :
                                         { 'match_labels' : {'project': 'test'} }
                                     },
                                     { 'pod_selector':
                                         { 'match_labels' : {'role': 'db'} }
                                     }
                                    ],
                            'ports': [
                                      { 'protocol' : 'tcp',
                                        'port' : 70,
                                      }
                                     ]
                          }
                      ]
               }

        Returns V1beta1NetworkPolicy object (the create call's response)
        '''
        metadata_obj = self._get_metadata({} if metadata is None else metadata)
        if name:
            metadata_obj.name = name
        spec_obj = self._get_network_policy_spec({} if spec is None else spec)
        body = client.V1beta1NetworkPolicy(metadata=metadata_obj, spec=spec_obj)
        self.logger.info('Creating Network Policy %s' % metadata_obj.name)
        return self.v1_beta_h.create_namespaced_network_policy(namespace, body)
Esempio n. 5
        print("\tskipping, ns whitelisted")
        continue

    ns_policy_response = v1beta1.list_namespaced_network_policy(name)
    local_policies = [
        ns_policy.metadata.name for ns_policy in ns_policy_response.items]
    if AWS_NETWORK_POLICY_NAME not in local_policies:
        print("\tnamespace doesn't block AWS")
        md = client.V1ObjectMeta(name=AWS_NETWORK_POLICY_NAME, namespace=name)
        match_expression = client.V1LabelSelectorRequirement(
            key='k8s-app', operator='DoesNotExist')
        pod_selector = client.V1LabelSelector(
            match_expressions=[match_expression])

        ip_block = client.V1beta1IPBlock(
            cidr='0.0.0.0/0', _except=['169.254.0.0/16'])
        peer = client.V1beta1NetworkPolicyPeer(ip_block=ip_block)
        egress = client.V1beta1NetworkPolicyEgressRule(to=[peer])
        spec = client.V1beta1NetworkPolicySpec(
            pod_selector=pod_selector,
            egress=[egress],
            policy_types=['Egress'])
        policy = client.V1beta1NetworkPolicy(metadata=md, spec=spec)
        response = networkingv1.create_namespaced_network_policy(name, policy)
        print(
            "\tCreated {} in NS {}".format(
                response.metadata.name,
                response.metadata.namespace))
    else:
        print("\tAWS already blocked")
Esempio n. 6
 def V1beta1NetworkPolicy(api_version, kind, metadata, spec):
     """Factory that forwards all four fields by keyword to
     ``client.V1beta1NetworkPolicy`` and returns the new object. It carries
     the same name as the class it wraps; the class is reached through
     ``client``, so the two do not collide.
     """
     return client.V1beta1NetworkPolicy(api_version=api_version,
                                        kind=kind,
                                        metadata=metadata,
                                        spec=spec)