def create_policy(namespace, use_kubectl=USE_KUBECTL):
    """Create the AWS-metadata egress-blocking NetworkPolicy in ``namespace``.

    ``use_kubectl`` picks the mechanism:

    * truthy: ``kubemunch('create', '-n', namespace, '-f', POLICY_FILENAME)``
      applies the on-disk manifest; its result is neither inspected nor printed.
    * falsy: the policy is assembled from ``client`` model objects, created
      through ``NetworkingV1Api``, and the created name/namespace is printed.

    Policy built on the API path (named ``AWS_NETWORK_POLICY_NAME``):
      - podSelector: every pod WITHOUT a ``k8s-app`` label
      - policyTypes: ``Egress`` only (ingress is left untouched)
      - egress: one rule allowing ``0.0.0.0/0`` except ``169.254.0.0/16``,
        the link-local range that holds the AWS instance metadata service
        (169.254.169.254)

    Returns None. Errors raised by the API client are not caught here.
    """
    if use_kubectl:
        # Manifest path: POLICY_FILENAME is trusted to match the in-code policy.
        kubemunch('create', '-n', namespace, '-f', POLICY_FILENAME)
        return

    # Selector: pods lacking a ``k8s-app`` label. NOTE(review): pods that DO
    # carry that label (typically cluster add-ons) are exempt and keep their
    # metadata access — confirm that exemption is still intended.
    unlabelled = client.V1LabelSelector(match_expressions=[
        client.V1LabelSelectorRequirement(key='k8s-app', operator='DoesNotExist'),
    ])

    # Allow all IPv4 egress except the link-local /16 containing IMDS.
    # NOTE(review): IPv4 only — on a dual-stack cluster an IPv6 metadata
    # endpoint would not be covered. Enforcement also depends on the CNI
    # honouring NetworkPolicy; neither is verified here.
    everything_but_link_local = client.V1beta1IPBlock(
        cidr='0.0.0.0/0', _except=['169.254.0.0/16'])
    allow_rule = client.V1beta1NetworkPolicyEgressRule(
        to=[client.V1beta1NetworkPolicyPeer(ip_block=everything_but_link_local)])

    # NOTE(review): V1beta1 model objects are submitted through NetworkingV1Api;
    # the serialized shape is the same, but confirm against the client version.
    policy = client.V1beta1NetworkPolicy(
        metadata=client.V1ObjectMeta(name=AWS_NETWORK_POLICY_NAME, namespace=namespace),
        spec=client.V1beta1NetworkPolicySpec(
            pod_selector=unlabelled, egress=[allow_rule], policy_types=['Egress']))

    created = client.NetworkingV1Api().create_namespaced_network_policy(namespace, policy)
    print("\tCreated {} in ns {}".format(created.metadata.name, created.metadata.namespace))
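def addSecurityGroup(self, payload):
    """Build a NetworkPolicy object from ``payload``; cluster creation is disabled.

    Reads ``payload['namespace']`` and ``payload['name']`` and builds a
    ``client.V1beta1NetworkPolicy`` whose metadata carries that name. The API
    call that would create it is commented out below, so this method does not
    touch the cluster and returns None; its only lasting effect is the log line.

    Raises:
        KeyError: if ``payload`` lacks ``'namespace'`` or ``'name'``.
    """
    # NOTE(review): the whole inbound payload is logged at INFO — if it can
    # carry anything sensitive, log only the keys this method actually uses.
    service_logger.info("%s %s %s ", sys._getframe().f_code.co_name, "payload :", payload)

    # Kept (though unused until creation is re-enabled) so a payload without
    # 'namespace' still fails with KeyError, as it always has.
    namespace = payload['namespace']

    body = client.V1beta1NetworkPolicy()
    body.metadata = client.V1ObjectMeta()
    body.metadata.name = payload['name']

    # Creation is disabled. The previous try/except ApiException around this
    # point was unreachable (only attribute assignments were inside it) and
    # has been removed; when re-enabling the call below, wrap it in
    # ``try: ... except ApiException as e: service_logger.error(...)`` again.
    # api_response = self.v1_ext.create_namespaced_network_policy(namespace, body)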
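def update_network_policy(self, policy_name, namespace='default', metadata=None, spec=None):
    """Patch the existing NetworkPolicy ``policy_name`` in ``namespace``.

    Args:
        policy_name: name of a NetworkPolicy that already exists.
        namespace: namespace holding it (default ``'default'``).
        metadata: dict handed to ``self._get_metadata``; None means ``{}``.
        spec: dict handed to ``self._get_network_policy_spec``; None means ``{}``.

    Returns:
        The V1beta1NetworkPolicy returned by ``patch_namespaced_network_policy``.

    Raises:
        Whatever the API client raises; nothing is caught here, so a missing
        policy surfaces from the initial read before any patch is sent.
    """
    # The defaults used to be shared mutable ``{}`` literals; use the None
    # sentinel, matching create_network_policy in this class.
    if metadata is None:
        metadata = {}
    if spec is None:
        spec = {}

    # The read result is not used; the call is kept so that a missing policy
    # fails here rather than on the patch — presumably the original intent.
    # TODO confirm.
    self.v1_beta_h.read_namespaced_network_policy(policy_name, namespace)

    # NOTE(review): this is a PATCH (merge), not a replace — fields absent from
    # ``spec`` keep their current values, so removing an existing rule or
    # policy type requires passing the full intended value explicitly.
    body = client.V1beta1NetworkPolicy(
        metadata=self._get_metadata(metadata),
        spec=self._get_network_policy_spec(spec))
    self.logger.info('Updating Network Policy %s' % (policy_name))
    return self.v1_beta_h.patch_namespaced_network_policy(policy_name, namespace, body)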
def create_network_policy(self, namespace='default', name=None, metadata=None, spec=None):
    """Create a NetworkPolicy in ``namespace`` from plain-dict metadata and spec.

    Args:
        namespace: target namespace (default ``'default'``).
        name: if truthy, overrides the name produced from ``metadata``.
        metadata: dict for ``self._get_metadata``; None is treated as ``{}``.
        spec: dict for ``self._get_network_policy_spec``; None is treated as ``{}``.

    Example ``spec``::

        {
            'ingress': [{
                'from': [
                    {'namespace_selector': {'match_labels': {'project': 'test'}}},
                    {'pod_selector': {'match_labels': {'role': 'db'}}},
                ],
                'ports': [{'protocol': 'tcp', 'port': 70}],
            }]
        }

    NOTE(review): the API expects ``TCP``/``UDP``/``SCTP`` upper-case; whether
    ``_get_network_policy_spec`` normalizes ``'tcp'`` is not visible here.

    Returns:
        The V1beta1NetworkPolicy returned by ``create_namespaced_network_policy``.
        API client errors propagate uncaught.
    """
    meta_obj = self._get_metadata({} if metadata is None else metadata)
    if name:
        meta_obj.name = name
    policy_spec = self._get_network_policy_spec({} if spec is None else spec)

    policy = client.V1beta1NetworkPolicy(metadata=meta_obj, spec=policy_spec)
    self.logger.info('Creating Network Policy %s' % (meta_obj.name))
    return self.v1_beta_h.create_namespaced_network_policy(namespace, policy)
print("\tskipping, ns whitelisted") continue ns_policy_response = v1beta1.list_namespaced_network_policy(name) local_policies = [ ns_policy.metadata.name for ns_policy in ns_policy_response.items] if AWS_NETWORK_POLICY_NAME not in local_policies: print("\tnamespace doesn't block AWS") md = client.V1ObjectMeta(name=AWS_NETWORK_POLICY_NAME, namespace=name) match_expression = client.V1LabelSelectorRequirement( key='k8s-app', operator='DoesNotExist') pod_selector = client.V1LabelSelector( match_expressions=[match_expression]) ip_block = client.V1beta1IPBlock( cidr='0.0.0.0/0', _except=['169.254.0.0/16']) peer = client.V1beta1NetworkPolicyPeer(ip_block=ip_block) egress = client.V1beta1NetworkPolicyEgressRule(to=[peer]) spec = client.V1beta1NetworkPolicySpec( pod_selector=pod_selector, egress=[egress], policy_types=['Egress']) policy = client.V1beta1NetworkPolicy(metadata=md, spec=spec) response = networkingv1.create_namespaced_network_policy(name, policy) print( "\tCreated {} in NS {}".format( response.metadata.name, response.metadata.namespace)) else: print("\tAWS already blocked")
def V1beta1NetworkPolicy(api_version, kind, metadata, spec):
    """Construct a ``client.V1beta1NetworkPolicy`` from its four top-level fields.

    A positional-friendly wrapper: every argument is forwarded unchanged as the
    keyword of the same name; no validation is performed here.
    """
    fields = dict(api_version=api_version, kind=kind, metadata=metadata, spec=spec)
    return client.V1beta1NetworkPolicy(**fields)