Merge branch 'support-netpols'

This commit merges Jesutomi's (@tomilashy) work for network policies. Thank you! Signed-off-by: Elis Lulja <[email protected]>
CloudNativeSDWAN · Jan 13, 2023 · c122ddd · c122ddd
2 parents b5358c1 + 292eb8d
commit c122ddd
Show file tree

Hide file tree

Showing 6 changed files with 365 additions and 6 deletions.
diff --git a/artifacts/yamls/istio/service_entry.yaml → ...s/yamls/examples/istio/service_entry.yaml b/artifacts/yamls/istio/service_entry.yaml → ...s/yamls/examples/istio/service_entry.yaml
diff --git a/artifacts/yamls/examples/network_policy/network_policy.yaml b/artifacts/yamls/examples/network_policy/network_policy.yaml
@@ -0,0 +1,60 @@
+apiVersion: networking.k8s.io/v1
+
+kind: NetworkPolicy
+
+metadata:
+  name: test-network-policy
+  namespace: default
+
+spec:
+  podSelector:
+    matchLabels:
+      role: db
+
+  policyTypes:
+    - Ingress
+
+    - Egress
+
+  ingress:
+    - from:
+        - ipBlock:
+            cidr: 172.17.0.0/16
+
+            except:
+              - 172.17.1.0/24
+
+        - namespaceSelector:
+            matchLabels:
+              project: myproject
+
+        - podSelector:
+            matchLabels:
+              role: frontend
+
+      ports:
+        - protocol: TCP
+
+          port: 6379
+
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 10.0.0.1/32
+        - ipBlock:
+            cidr: 10.0.0.2/32
+        - ipBlock:
+            cidr: 10.0.0.3/32
+        - ipBlock:
+            cidr: 10.0.0.4/32
+        - ipBlock:
+            cidr: 10.0.0.5/32
+        - ipBlock:
+            cidr: 10.0.0.6/32
+        - ipBlock:
+            cidr: 10.0.0.7/32
+
+      ports:
+        - protocol: TCP
+
+          port: 5978
diff --git a/artifacts/yamls/k8s/01_service_account.yaml b/artifacts/yamls/k8s/01_service_account.yaml
@@ -19,6 +19,14 @@ rules:
   - watch
   - get
   - list
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - networkpolicies
+  verbs:
+  - watch
+  - get
+  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/pkg/command/run.go b/pkg/command/run.go
@@ -48,10 +48,11 @@ type kubeConfigOptions struct {
 }
 
 type Options struct {
-	ServiceEntryController *controllers.ServiceEntryOptions `yaml:"serviceEntry,omitempty"`
-	Sdwan                  *sdwan.Options                   `yaml:"sdwan,omitempty"`
-	Verbosity              int                              `yaml:"verbosity"`
-	PrettyLogs             bool                             `yaml:"prettyLogs"`
+	ServiceEntryController  *controllers.ServiceEntryOptions  `yaml:"serviceEntry,omitempty"`
+	NetworkPolicyController *controllers.NetworkPolicyOptions `yaml:"networkPolicy,omitempty"`
+	Sdwan                   *sdwan.Options                    `yaml:"sdwan,omitempty"`
+	Verbosity               int                               `yaml:"verbosity"`
+	PrettyLogs              bool                              `yaml:"prettyLogs"`
 }
 
 func getRunCommand() *cobra.Command {
@@ -63,7 +64,8 @@ func getRunCommand() *cobra.Command {
 	kopts := &kubeConfigOptions{}
 	waitingWindow := sdwan.DefaultWaitingWindow
 	flagOpts := &Options{
-		ServiceEntryController: &controllers.ServiceEntryOptions{},
+		ServiceEntryController:  &controllers.ServiceEntryOptions{},
+		NetworkPolicyController: &controllers.NetworkPolicyOptions{},
 		Sdwan: &sdwan.Options{
 			Authentication: &sdwan.Authentication{},
 			WaitingWindow:  &waitingWindow,
@@ -177,6 +179,9 @@ The following controllers are supported:
 				fileOpts.Verbosity = flagOpts.Verbosity
 			}
 
+			if cmd.Flag("watch-all-network-policies").Changed {
+				opts.NetworkPolicyController.WatchAllNetworkPolicies = flagOpts.NetworkPolicyController.WatchAllNetworkPolicies
+			}
 			return nil
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -202,6 +207,9 @@ The following controllers are supported:
 	cmd.Flags().BoolVarP(&flagOpts.ServiceEntryController.WatchAllServiceEntries,
 		"watch-all-service-entries", "w", false,
 		"whether to watch all service entries by default.")
+	cmd.Flags().BoolVarP(&flagOpts.NetworkPolicyController.WatchAllNetworkPolicies,
+		"watch-all-network-policies", "n", false,
+		"whether to watch all service entries by default.")
 	cmd.Flags().StringVarP(&flagOpts.Sdwan.BaseURL, "sdwan.base-url", "a", "",
 		"the base url where to send data.")
 	cmd.Flags().StringVar(&fileSettingsPath, "settings-file", "",
@@ -290,6 +298,12 @@ func runWithVmanage(kopts *kubeConfigOptions, opts *Options) error {
 			return
 		}
 
+		_, err = controllers.NewNetworkPolicyController(mgr, opts.NetworkPolicyController, opsChan, log)
+		if err != nil {
+			log.Err(err).Msg("could not get controller")
+			return
+		}
+
 		exitWatch := make(chan struct{})
 		go func() {
 			defer close(exitWatch)