def _get_network_policy_peer_list(self, rule_list):
peer_list = []
for item in rule_list:
pod_selector = item.get('pod_selector') or {}
namespace_selector = item.get('namespace_selector') or {}
ip_block = item.get('ip_block') or {}
pod_selector_obj = None
namespace_selector_obj = None
ip_block_obj = None
if pod_selector:
pod_selector_obj = self._get_label_selector(**pod_selector)
if namespace_selector:
namespace_selector_obj = self._get_label_selector(
**namespace_selector)
if ip_block:
ip_block_obj = self._get_ip_block_selector(
**ip_block)
peer = client.V1NetworkPolicyPeer(
namespace_selector=namespace_selector_obj,
pod_selector=pod_selector_obj,
ip_block=ip_block_obj
)
peer_list.append(peer)
return peer_list
def create_network_policy(cls, name=None, namespace='default',
match_labels=None, match_expressions=None,
ingress_port=None, ingress_port_protocol='TCP',
ingress_ipblock_cidr=None,
ingress_ipblock_except=[],
egress_port=None, egress_port_protocol='TCP',
egress_ipblock_cidr=None,
egress_ipblock_except=[]):
if not name:
name = data_utils.rand_name(prefix='kuryr-network-policy')
np = k8s_client.V1NetworkPolicy()
np.kind = 'NetworkPolicy'
np.api_version = 'networking.k8s.io/v1'
np.metadata = k8s_client.V1ObjectMeta(name=name,
namespace=namespace)
to, _from = None, None
if egress_ipblock_cidr:
to = [k8s_client.V1NetworkPolicyPeer(
ip_block=k8s_client.V1IPBlock(cidr=egress_ipblock_cidr,
_except=egress_ipblock_except))]
if ingress_ipblock_cidr:
_from = [k8s_client.V1NetworkPolicyPeer(
ip_block=k8s_client.V1IPBlock(cidr=ingress_ipblock_cidr,
_except=ingress_ipblock_except))]
if ingress_port:
ingress_port = [k8s_client.V1NetworkPolicyPort(
port=ingress_port, protocol=ingress_port_protocol)]
if egress_port:
egress_port = [k8s_client.V1NetworkPolicyPort(
port=egress_port, protocol=egress_port_protocol)]
np.spec = k8s_client.V1NetworkPolicySpec(
egress=[k8s_client.V1NetworkPolicyEgressRule(
ports=egress_port,
to=to)],
ingress=[k8s_client.V1NetworkPolicyIngressRule(
ports=ingress_port,
_from=_from)],
pod_selector=k8s_client.V1LabelSelector(
match_expressions=match_expressions,
match_labels=match_labels),
policy_types=['Ingress', 'Egress'])
return k8s_client.NetworkingV1Api(
).create_namespaced_network_policy(namespace=namespace, body=np)
def test_network_policy_hairpin_traffic(self):
namespace_name, namespace = self.create_namespace()
self.addCleanup(self.delete_namespace, namespace_name)
svc_name, svc_pods = self.create_setup_for_service_test(
namespace=namespace_name, cleanup=False, save=False, pod_num=1)
self.check_service_internal_connectivity(namespace=namespace_name,
pod_num=1,
service_name=svc_name,
pod_name=svc_pods[0])
policy_name = data_utils.rand_name(prefix='kuryr-policy')
np = k8s_client.V1NetworkPolicy(
kind='NetworkPolicy',
api_version='networking.k8s.io/v1',
metadata=k8s_client.V1ObjectMeta(name=policy_name,
namespace=namespace_name),
spec=k8s_client.V1NetworkPolicySpec(
pod_selector=k8s_client.V1LabelSelector(),
policy_types=['Egress', 'Ingress'],
ingress=[
k8s_client.V1NetworkPolicyIngressRule(_from=[
k8s_client.V1NetworkPolicyPeer(
pod_selector=k8s_client.V1LabelSelector(), ),
], ),
],
egress=[
k8s_client.V1NetworkPolicyEgressRule(to=[
k8s_client.V1NetworkPolicyPeer(
pod_selector=k8s_client.V1LabelSelector(), ),
], ),
],
),
)
k8s_client.NetworkingV1Api().create_namespaced_network_policy(
namespace=namespace_name, body=np)
# Just to wait for SGs.
self.get_sg_rules_for_np(namespace_name, policy_name)
self.check_service_internal_connectivity(namespace=namespace_name,
pod_num=1,
service_name=svc_name,
pod_name=svc_pods[0])
def create_namespace(self, body, message):
"""
Listen to the `exchange` namespace,
| and create the namespace accordly to the messages.
| Idempotent.
:param body: The message's content.
:type body: dict
:param message: The namespace to create.
:type message: kombu.message.Message
:returns: The creation state
:rtype: bool
"""
payload = client.V1Namespace()
payload.metadata = client.V1ObjectMeta(name=body['namespace'])
core_v1 = client.CoreV1Api()
network_v1 = client.NetworkingV1Api()
policy = client.V1NetworkPolicy(api_version='networking.k8s.io/v1',
kind='NetworkPolicy')
policy.metadata = client.V1ObjectMeta(name='deny-namespaces-traffic',
namespace=body['namespace'])
policy.spec = client.V1NetworkPolicySpec(
pod_selector=client.V1LabelSelector(match_labels={}),
ingress=[
client.V1NetworkPolicyIngressRule(_from=[
client.V1NetworkPolicyPeer(
pod_selector=client.V1LabelSelector())
])
])
#Idempotent
try:
core_v1.create_namespace(payload)
core_v1.patch_namespaced_service_account(
'default', body['namespace'],
{'automount_service_account_token': False})
network_v1.create_namespaced_network_policy(
body['namespace'], policy)
except ApiException as e:
LOGGER.error(e)
if e.status != 409: # 409 == Conclict => Already exist
raise
message.ack()
return True