def simple_networkpolicy():
"""Return the Kubernetes config matching the simple-networkpolicy.yaml manifest."""
return client.V1NetworkPolicy(
api_version='networking.k8s.io/v1',
kind='NetworkPolicy',
metadata=client.V1ObjectMeta(name='default-deny'),
spec=client.V1NetworkPolicySpec(
pod_selector=client.V1LabelSelector(),
policy_types=["Egress", "Ingress"],
))
def create_network_policy(policy_name, **kwargs):
networkingv1 = client.NetworkingV1Api()
policy_namespace = kwargs[
'namespace'] if 'namespace' in kwargs else 'default'
policy_labels = kwargs['labels'] if 'labels' in kwargs else {}
policy_annotations = kwargs[
'annotations'] if 'annotations' in kwargs else {}
match_labels = kwargs['match_labels'] if 'match_labels' in kwargs else {}
match_expressions = kwargs[
'match_expressions'] if 'match_expressions' in kwargs else []
egress = kwargs['egress'] if 'egress' in kwargs else []
ingress = kwargs['ingress'] if 'ingress' in kwargs else []
egress_len = len(egress)
ingress_len = len(ingress)
policy_types = \
["Ingress", "Egress"] if ingress_len > 0 and egress_len > 0 else \
["Ingress"] if ingress_len > 0 and egress_len == 0 else \
["Egress"] if egress_len > 0 and ingress_len == 0 else \
[]
if not policy_types:
logger.warning(
"Warning: Creating NetworkPolicy with empty policy_types")
if not match_labels and not match_expressions:
logger.warning(
"Warning: Creating NetworkPolicy that would operate on all resources"
)
policy = networkingv1.create_namespaced_network_policy(
namespace=policy_namespace,
body=client.V1NetworkPolicy(
api_version='v1',
kind='NetworkPolicy',
metadata=client.V1ObjectMeta(name=policy_name,
namespace=policy_namespace,
annotations=policy_annotations,
labels=policy_labels),
spec=client.V1NetworkPolicySpec(
egress=egress,
ingress=ingress,
policy_types=policy_types,
pod_selector=client.V1LabelSelector(
match_expressions=match_expressions,
match_labels=match_labels))))
return policy
def create_network_policy(cls, name=None, namespace='default',
match_labels=None, match_expressions=None,
ingress_port=None, ingress_port_protocol='TCP',
ingress_ipblock_cidr=None,
ingress_ipblock_except=[],
egress_port=None, egress_port_protocol='TCP',
egress_ipblock_cidr=None,
egress_ipblock_except=[]):
if not name:
name = data_utils.rand_name(prefix='kuryr-network-policy')
np = k8s_client.V1NetworkPolicy()
np.kind = 'NetworkPolicy'
np.api_version = 'networking.k8s.io/v1'
np.metadata = k8s_client.V1ObjectMeta(name=name,
namespace=namespace)
to, _from = None, None
if egress_ipblock_cidr:
to = [k8s_client.V1NetworkPolicyPeer(
ip_block=k8s_client.V1IPBlock(cidr=egress_ipblock_cidr,
_except=egress_ipblock_except))]
if ingress_ipblock_cidr:
_from = [k8s_client.V1NetworkPolicyPeer(
ip_block=k8s_client.V1IPBlock(cidr=ingress_ipblock_cidr,
_except=ingress_ipblock_except))]
if ingress_port:
ingress_port = [k8s_client.V1NetworkPolicyPort(
port=ingress_port, protocol=ingress_port_protocol)]
if egress_port:
egress_port = [k8s_client.V1NetworkPolicyPort(
port=egress_port, protocol=egress_port_protocol)]
np.spec = k8s_client.V1NetworkPolicySpec(
egress=[k8s_client.V1NetworkPolicyEgressRule(
ports=egress_port,
to=to)],
ingress=[k8s_client.V1NetworkPolicyIngressRule(
ports=ingress_port,
_from=_from)],
pod_selector=k8s_client.V1LabelSelector(
match_expressions=match_expressions,
match_labels=match_labels),
policy_types=['Ingress', 'Egress'])
return k8s_client.NetworkingV1Api(
).create_namespaced_network_policy(namespace=namespace, body=np)
def create_namespace(self, body, message):
"""
Listen to the `exchange` namespace,
| and create the namespace accordly to the messages.
| Idempotent.
:param body: The message's content.
:type body: dict
:param message: The namespace to create.
:type message: kombu.message.Message
:returns: The creation state
:rtype: bool
"""
payload = client.V1Namespace()
payload.metadata = client.V1ObjectMeta(name=body['namespace'])
core_v1 = client.CoreV1Api()
network_v1 = client.NetworkingV1Api()
policy = client.V1NetworkPolicy(api_version='networking.k8s.io/v1',
kind='NetworkPolicy')
policy.metadata = client.V1ObjectMeta(name='deny-namespaces-traffic',
namespace=body['namespace'])
policy.spec = client.V1NetworkPolicySpec(
pod_selector=client.V1LabelSelector(match_labels={}),
ingress=[
client.V1NetworkPolicyIngressRule(_from=[
client.V1NetworkPolicyPeer(
pod_selector=client.V1LabelSelector())
])
])
#Idempotent
try:
core_v1.create_namespace(payload)
core_v1.patch_namespaced_service_account(
'default', body['namespace'],
{'automount_service_account_token': False})
network_v1.create_namespaced_network_policy(
body['namespace'], policy)
except ApiException as e:
LOGGER.error(e)
if e.status != 409: # 409 == Conclict => Already exist
raise
message.ack()
return True
def test_network_policy_hairpin_traffic(self):
namespace_name, namespace = self.create_namespace()
self.addCleanup(self.delete_namespace, namespace_name)
svc_name, svc_pods = self.create_setup_for_service_test(
namespace=namespace_name, cleanup=False, save=False, pod_num=1)
self.check_service_internal_connectivity(namespace=namespace_name,
pod_num=1,
service_name=svc_name,
pod_name=svc_pods[0])
policy_name = data_utils.rand_name(prefix='kuryr-policy')
np = k8s_client.V1NetworkPolicy(
kind='NetworkPolicy',
api_version='networking.k8s.io/v1',
metadata=k8s_client.V1ObjectMeta(name=policy_name,
namespace=namespace_name),
spec=k8s_client.V1NetworkPolicySpec(
pod_selector=k8s_client.V1LabelSelector(),
policy_types=['Egress', 'Ingress'],
ingress=[
k8s_client.V1NetworkPolicyIngressRule(_from=[
k8s_client.V1NetworkPolicyPeer(
pod_selector=k8s_client.V1LabelSelector(), ),
], ),
],
egress=[
k8s_client.V1NetworkPolicyEgressRule(to=[
k8s_client.V1NetworkPolicyPeer(
pod_selector=k8s_client.V1LabelSelector(), ),
], ),
],
),
)
k8s_client.NetworkingV1Api().create_namespaced_network_policy(
namespace=namespace_name, body=np)
# Just to wait for SGs.
self.get_sg_rules_for_np(namespace_name, policy_name)
self.check_service_internal_connectivity(namespace=namespace_name,
pod_num=1,
service_name=svc_name,
pod_name=svc_pods[0])
def create_network_policy(self,
namespace='default',
name=None,
metadata=None,
spec=None):
'''
spec = {
'ingress' : [ { 'from': [
{ 'namespace_selector' :
{ 'match_labels' : {'project': 'test'} }
},
{ 'pod_selector':
{ 'match_labels' : {'role': 'db'} }
}
],
'ports': [
{ 'protocol' : 'tcp',
'port' : 70,
}
]
}
]
}
Returns V1NetworkPolicy object
'''
if metadata is None:
metadata = {}
if spec is None:
spec = {}
metadata_obj = self._get_metadata(metadata)
if name:
metadata_obj.name = name
spec_obj = self._get_network_policy_spec(spec)
body = client.V1NetworkPolicy(
metadata=metadata_obj,
spec=spec_obj)
self.logger.info('Creating Network Policy %s' % (metadata_obj.name))
resp = self.v1_networking.create_namespaced_network_policy(namespace, body)
return resp
def update_network_policy(self,
policy_name,
namespace='default',
metadata=None,
spec=None):
'''
Returns V1NetworkPolicy object
'''
if metadata is None: metadata = {}
if spec is None: spec = {}
policy_obj = self.v1_networking.read_namespaced_network_policy(
policy_name, namespace)
metadata_obj = self._get_metadata(metadata)
spec_obj = self._get_network_policy_spec(spec)
body = client.V1NetworkPolicy(metadata=metadata_obj, spec=spec_obj)
self.logger.info('Updating Network Policy %s' % (policy_name))
resp = self.v1_networking.patch_namespaced_network_policy(
policy_name, namespace, body)
return resp
def test_simple_policy(self):
with DiagsCollector():
# Check we can talk to service.
retry_until_success(self.can_connect,
retries=10,
wait_time=1,
function_args=["access"])
_log.info("Client 'access' connected to open service")
retry_until_success(self.can_connect,
retries=10,
wait_time=1,
function_args=["no-access"])
_log.info("Client 'no-access' connected to open service")
# Create default-deny policy
policy = client.V1NetworkPolicy(metadata=client.V1ObjectMeta(
name="default-deny", namespace="policy-demo"),
spec={
"podSelector": {
"matchLabels": {},
},
})
client.ExtensionsV1beta1Api().create_namespaced_network_policy(
body=policy,
namespace="policy-demo",
)
_log.debug("Isolation policy created")
# Check we cannot talk to service
retry_until_success(self.cannot_connect,
retries=10,
wait_time=1,
function_args=["access"])
_log.info("Client 'access' failed to connect to isolated service")
retry_until_success(self.cannot_connect,
retries=10,
wait_time=1,
function_args=["no-access"])
_log.info(
"Client 'no-access' failed to connect to isolated service")
# Create allow policy
policy = client.V1NetworkPolicy(metadata=client.V1ObjectMeta(
name="access-nginx", namespace="policy-demo"),
spec={
'ingress': [{
'from': [{
'podSelector': {
'matchLabels': {
'run': 'access'
}
}
}]
}],
'podSelector': {
'matchLabels': {
'app': 'nginx'
}
}
})
client.ExtensionsV1beta1Api().create_namespaced_network_policy(
body=policy,
namespace="policy-demo",
)
_log.debug("Allow policy created.")
# Check we can talk to service as 'access'
retry_until_success(self.can_connect,
retries=10,
wait_time=1,
function_args=["access"])
_log.info("Client 'access' connected to protected service")
# Check we cannot talk to service as 'no-access'
retry_until_success(self.cannot_connect,
retries=10,
wait_time=1,
function_args=["no-access"])
_log.info(
"Client 'no-access' failed to connect to protected service")
