def _get_network_policy_peer_list(self, rule_list): peer_list = [] for item in rule_list: pod_selector = item.get('pod_selector') or {} namespace_selector = item.get('namespace_selector') or {} ip_block = item.get('ip_block') or {} pod_selector_obj = None namespace_selector_obj = None ip_block_obj = None if pod_selector: pod_selector_obj = self._get_label_selector(**pod_selector) if namespace_selector: namespace_selector_obj = self._get_label_selector( **namespace_selector) if ip_block: ip_block_obj = self._get_ip_block_selector( **ip_block) peer = client.V1NetworkPolicyPeer( namespace_selector=namespace_selector_obj, pod_selector=pod_selector_obj, ip_block=ip_block_obj ) peer_list.append(peer) return peer_list
def create_network_policy(cls, name=None, namespace='default', match_labels=None, match_expressions=None, ingress_port=None, ingress_port_protocol='TCP', ingress_ipblock_cidr=None, ingress_ipblock_except=[], egress_port=None, egress_port_protocol='TCP', egress_ipblock_cidr=None, egress_ipblock_except=[]): if not name: name = data_utils.rand_name(prefix='kuryr-network-policy') np = k8s_client.V1NetworkPolicy() np.kind = 'NetworkPolicy' np.api_version = 'networking.k8s.io/v1' np.metadata = k8s_client.V1ObjectMeta(name=name, namespace=namespace) to, _from = None, None if egress_ipblock_cidr: to = [k8s_client.V1NetworkPolicyPeer( ip_block=k8s_client.V1IPBlock(cidr=egress_ipblock_cidr, _except=egress_ipblock_except))] if ingress_ipblock_cidr: _from = [k8s_client.V1NetworkPolicyPeer( ip_block=k8s_client.V1IPBlock(cidr=ingress_ipblock_cidr, _except=ingress_ipblock_except))] if ingress_port: ingress_port = [k8s_client.V1NetworkPolicyPort( port=ingress_port, protocol=ingress_port_protocol)] if egress_port: egress_port = [k8s_client.V1NetworkPolicyPort( port=egress_port, protocol=egress_port_protocol)] np.spec = k8s_client.V1NetworkPolicySpec( egress=[k8s_client.V1NetworkPolicyEgressRule( ports=egress_port, to=to)], ingress=[k8s_client.V1NetworkPolicyIngressRule( ports=ingress_port, _from=_from)], pod_selector=k8s_client.V1LabelSelector( match_expressions=match_expressions, match_labels=match_labels), policy_types=['Ingress', 'Egress']) return k8s_client.NetworkingV1Api( ).create_namespaced_network_policy(namespace=namespace, body=np)
def test_network_policy_hairpin_traffic(self): namespace_name, namespace = self.create_namespace() self.addCleanup(self.delete_namespace, namespace_name) svc_name, svc_pods = self.create_setup_for_service_test( namespace=namespace_name, cleanup=False, save=False, pod_num=1) self.check_service_internal_connectivity(namespace=namespace_name, pod_num=1, service_name=svc_name, pod_name=svc_pods[0]) policy_name = data_utils.rand_name(prefix='kuryr-policy') np = k8s_client.V1NetworkPolicy( kind='NetworkPolicy', api_version='networking.k8s.io/v1', metadata=k8s_client.V1ObjectMeta(name=policy_name, namespace=namespace_name), spec=k8s_client.V1NetworkPolicySpec( pod_selector=k8s_client.V1LabelSelector(), policy_types=['Egress', 'Ingress'], ingress=[ k8s_client.V1NetworkPolicyIngressRule(_from=[ k8s_client.V1NetworkPolicyPeer( pod_selector=k8s_client.V1LabelSelector(), ), ], ), ], egress=[ k8s_client.V1NetworkPolicyEgressRule(to=[ k8s_client.V1NetworkPolicyPeer( pod_selector=k8s_client.V1LabelSelector(), ), ], ), ], ), ) k8s_client.NetworkingV1Api().create_namespaced_network_policy( namespace=namespace_name, body=np) # Just to wait for SGs. self.get_sg_rules_for_np(namespace_name, policy_name) self.check_service_internal_connectivity(namespace=namespace_name, pod_num=1, service_name=svc_name, pod_name=svc_pods[0])
def create_namespace(self, body, message): """ Listen to the `exchange` namespace, | and create the namespace accordly to the messages. | Idempotent. :param body: The message's content. :type body: dict :param message: The namespace to create. :type message: kombu.message.Message :returns: The creation state :rtype: bool """ payload = client.V1Namespace() payload.metadata = client.V1ObjectMeta(name=body['namespace']) core_v1 = client.CoreV1Api() network_v1 = client.NetworkingV1Api() policy = client.V1NetworkPolicy(api_version='networking.k8s.io/v1', kind='NetworkPolicy') policy.metadata = client.V1ObjectMeta(name='deny-namespaces-traffic', namespace=body['namespace']) policy.spec = client.V1NetworkPolicySpec( pod_selector=client.V1LabelSelector(match_labels={}), ingress=[ client.V1NetworkPolicyIngressRule(_from=[ client.V1NetworkPolicyPeer( pod_selector=client.V1LabelSelector()) ]) ]) #Idempotent try: core_v1.create_namespace(payload) core_v1.patch_namespaced_service_account( 'default', body['namespace'], {'automount_service_account_token': False}) network_v1.create_namespaced_network_policy( body['namespace'], policy) except ApiException as e: LOGGER.error(e) if e.status != 409: # 409 == Conclict => Already exist raise message.ack() return True