def _get_network_policy_peer_list(self, _from, to):
peer_list = []
for item in _from:
pod_selector = item.get('pod_selector') or {}
namespace_selector = item.get('namespace_selector') or {}
ip_block = item.get('ip_block') or {}
pod_selector_obj = None
namespace_selector_obj = None
ip_block_obj = None
if pod_selector:
pod_selector_obj = self._get_label_selector(**pod_selector)
if namespace_selector:
namespace_selector_obj = self._get_label_selector(
**namespace_selector)
if ip_block:
ip_block_obj = self._get_ip_block_selector(**ip_block)
peer = client.V1beta1NetworkPolicyPeer(
namespace_selector=namespace_selector_obj,
pod_selector=pod_selector_obj,
ip_block=ip_block_obj)
peer_list.append(peer)
for item in to:
ip_block = item.get('ip_block') or {}
ip_block_obj = None
if ip_block:
ip_block_obj = self._get_ip_block_selector(**ip_block)
peer = client.V1beta1NetworkPolicyPeer(ip_block=ip_block_obj)
peer_list.append(peer)
return peer_list
def whitelist(policy_name, event_name):
policy = {
'metadata': {
'name': policy_name
},
'spec': {
'pod_selector': {
'match_labels': {}
},
'ingress': [
client.V1beta1NetworkPolicyIngressRule(_from=[
client.V1beta1NetworkPolicyPeer(
namespace_selector=client.V1LabelSelector(
match_labels={'name': 'kube-system'})),
client.V1beta1NetworkPolicyPeer(
pod_selector=client.V1LabelSelector(match_labels={}))
])
]
}
}
try:
kubernetesbetav1.read_namespaced_network_policy(
policy_name, event_name)
except Exception:
try:
kubernetesbetav1.create_namespaced_network_policy(
event_name, policy)
except Exception:
print('Failed creating network policy in namespace %s' %
event_name)
def create_policy(namespace, use_kubectl=USE_KUBECTL):
if use_kubectl:
response = kubemunch('create', '-n', namespace, '-f', POLICY_FILENAME)
else:
md = client.V1ObjectMeta(name=AWS_NETWORK_POLICY_NAME,
namespace=namespace)
match_expression = client.V1LabelSelectorRequirement(
key='k8s-app', operator='DoesNotExist')
pod_selector = client.V1LabelSelector(
match_expressions=[match_expression])
ip_block = client.V1beta1IPBlock(
cidr='0.0.0.0/0', _except=['169.254.0.0/16'])
peer = client.V1beta1NetworkPolicyPeer(ip_block=ip_block)
egress = client.V1beta1NetworkPolicyEgressRule(to=[peer])
spec = client.V1beta1NetworkPolicySpec(
pod_selector=pod_selector,
egress=[egress],
policy_types=['Egress'])
policy = client.V1beta1NetworkPolicy(metadata=md, spec=spec)
networkingv1 = client.NetworkingV1Api()
response = networkingv1.create_namespaced_network_policy(namespace,
policy)
print("\tCreated {} in ns {}".format(response.metadata.name,
response.metadata.namespace))
def network_policy_pods_only(selector, destination):
'''
Creates a NetworkPolicy spec for only allowing egress traffic to other pods.
- `selector` provides the selector that matches the pods to which the network policy will apply.
- `destination` provides the selector that matches the destination pods to which traffic will be allowed.
'''
return k8s.V1beta1NetworkPolicySpec(egress=[
k8s.V1beta1NetworkPolicyEgressRule(
to=[k8s.V1beta1NetworkPolicyPeer(pod_selector=destination)])
],
pod_selector=selector,
policy_types=['Egress'])
print("\tskipping, ns whitelisted")
continue
ns_policy_response = v1beta1.list_namespaced_network_policy(name)
local_policies = [
ns_policy.metadata.name for ns_policy in ns_policy_response.items]
if AWS_NETWORK_POLICY_NAME not in local_policies:
print("\tnamespace doesn't block AWS")
md = client.V1ObjectMeta(name=AWS_NETWORK_POLICY_NAME, namespace=name)
match_expression = client.V1LabelSelectorRequirement(
key='k8s-app', operator='DoesNotExist')
pod_selector = client.V1LabelSelector(
match_expressions=[match_expression])
ip_block = client.V1beta1IPBlock(
cidr='0.0.0.0/0', _except=['169.254.0.0/16'])
peer = client.V1beta1NetworkPolicyPeer(ip_block=ip_block)
egress = client.V1beta1NetworkPolicyEgressRule(to=[peer])
spec = client.V1beta1NetworkPolicySpec(
pod_selector=pod_selector,
egress=[egress],
policy_types=['Egress'])
policy = client.V1beta1NetworkPolicy(metadata=md, spec=spec)
response = networkingv1.create_namespaced_network_policy(name, policy)
print(
"\tCreated {} in NS {}".format(
response.metadata.name,
response.metadata.namespace))
else:
print("\tAWS already blocked")
def V1beta1NetworkPolicyPeer(ip_block, namespace_selector, pod_selector):
v1beta1NetworkPolicyPeer = client.V1beta1NetworkPolicyPeer(
ip_block=ip_block,
namespace_selector=namespace_selector,
pod_selector=pod_selector)
return v1beta1NetworkPolicyPeer