diff --git a/cmd/controller-manager/app/controllers.go b/cmd/controller-manager/app/controllers.go
index 1d39370ba..374f2d88d 100644
--- a/cmd/controller-manager/app/controllers.go
+++ b/cmd/controller-manager/app/controllers.go
@@ -49,6 +49,7 @@ import (
 "kubesphere.io/kubesphere/pkg/simple/client/devops"
 "kubesphere.io/kubesphere/pkg/simple/client/k8s"
 ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
+ "kubesphere.io/kubesphere/pkg/simple/client/network"
 "kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
 "kubesphere.io/kubesphere/pkg/simple/client/s3"
 "sigs.k8s.io/controller-runtime/pkg/manager"
@@ -65,7 +66,7 @@ func addControllers(
 authenticationOptions *authoptions.AuthenticationOptions,
 openpitrixClient openpitrix.Client,
 multiClusterEnabled bool,
- networkPolicyEnabled bool,
+ networkOptions *network.Options,
 serviceMeshEnabled bool,
 kubectlImage string,
 stopCh <-chan struct{}) error {
@@ -267,7 +268,7 @@ func addControllers(
 }
 var nsnpController manager.Runnable
- if networkPolicyEnabled {
+ if networkOptions.EnableNetworkPolicy {
 nsnpProvider, err := provider.NewNsNetworkPolicyProvider(client.Kubernetes(), kubernetesInformer.Networking().V1().NetworkPolicies())
 if err != nil {
 return err
@@ -279,7 +280,7 @@ func addControllers(
 kubernetesInformer.Core().V1().Services(),
 kubernetesInformer.Core().V1().Nodes(),
 kubesphereInformer.Tenant().V1alpha1().Workspaces(),
- kubernetesInformer.Core().V1().Namespaces(), nsnpProvider)
+ kubernetesInformer.Core().V1().Namespaces(), nsnpProvider, networkOptions.NSNPOptions)
 }
 controllers := map[string]manager.Runnable{
diff --git a/cmd/controller-manager/app/server.go b/cmd/controller-manager/app/server.go
index 51b6b9141..d9db11ad2 100644
--- a/cmd/controller-manager/app/server.go
+++ b/cmd/controller-manager/app/server.go
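Review bot: `if networkOptions.EnableNetworkPolicy {` in the third hunk of controllers.go dereferences the new `*network.Options` parameter without a nil check, where the old code took a plain bool, so a caller that leaves the options unset now panics during controller registration instead of skipping the NSNP controller. The fourth hunk reads `networkOptions.NSNPOptions` inside the same branch, so one guard covers both: `if networkOptions != nil && networkOptions.EnableNetworkPolicy {`. Whether the only visible caller (server.go, passing `s.NetworkOptions`) can actually hand over nil depends on how that options struct is initialised, which is outside this diff. The body of addControllers continues outside these hunks.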
@@ -205,7 +205,7 @@ func Run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{}) s.AuthenticationOptions, openpitrixClient, s.MultiClusterOptions.Enable, - s.NetworkOptions.EnableNetworkPolicy, + s.NetworkOptions, servicemeshEnabled, s.AuthenticationOptions.KubectlImage, stopCh); err != nil { klog.Fatalf("unable to register controllers to the manager: %v", err) diff --git a/pkg/apiserver/config/config_test.go b/pkg/apiserver/config/config_test.go index ed8b09647..b6232e27d 100644 --- a/pkg/apiserver/config/config_test.go +++ b/pkg/apiserver/config/config_test.go @@ -102,6 +102,9 @@ func newTestConfig() (*Config, error) { }, NetworkOptions: &network.Options{ EnableNetworkPolicy: true, + NSNPOptions: network.NSNPOptions{ + AllowedIngressNamespaces: []string{}, + }, }, MonitoringOptions: &prometheus.Options{ Endpoint: "http://prometheus.kubesphere-monitoring-system.svc", diff --git a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go index ea4e3aedd..dbdcf47a5 100644 --- a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go +++ b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go @@ -29,6 +29,7 @@ import ( "kubesphere.io/kubesphere/pkg/constants" "kubesphere.io/kubesphere/pkg/controller/network" "kubesphere.io/kubesphere/pkg/controller/network/provider" + options "kubesphere.io/kubesphere/pkg/simple/client/network" ) const ( @@ -77,6 +78,7 @@ type NSNetworkPolicyController struct { namespaceInformerSynced cache.InformerSynced provider provider.NsNetworkPolicyProvider + options options.NSNPOptions nsQueue workqueue.RateLimitingInterface nsnpQueue workqueue.RateLimitingInterface 
@@ -301,7 +303,7 @@ func (c *NSNetworkPolicyController) generateNodeRule() (netv1.NetworkPolicyIngre
 return rule, nil
 }
-func generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv1.NetworkPolicy {
+func (c *NSNetworkPolicyController) generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv1.NetworkPolicy {
 policy := &netv1.NetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: AnnotationNPNAME,
@@ -328,6 +330,17 @@ func generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv
 policy.Spec.Ingress[0].From[0].NamespaceSelector.MatchLabels[constants.NamespaceLabelKey] = namespace
 }
+ for _, allowedIngressNamespace := range c.options.AllowedIngressNamespaces {
+ defaultAllowedIngress := netv1.NetworkPolicyPeer{
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ constants.NamespaceLabelKey: allowedIngressNamespace,
+ },
+ },
+ }
+ policy.Spec.Ingress[0].From = append(policy.Spec.Ingress[0].From, defaultAllowedIngress)
+ }
+
 return policy
 }
@@ -445,7 +458,7 @@ func (c *NSNetworkPolicyController) syncNs(key string) error {
 }
 }
- policy := generateNSNP(workspaceName, ns.Name, matchWorkspace)
+ policy := c.generateNSNP(workspaceName, ns.Name, matchWorkspace)
 if shouldAddDNSRule(nsnpList) {
 ruleDNS, err := generateDNSRule([]string{DNSLocalIP})
 if err != nil {
@@ -589,7 +602,8 @@ func NewNSNetworkPolicyController(
 nodeInformer v1.NodeInformer,
 workspaceInformer workspace.WorkspaceInformer,
 namespaceInformer v1.NamespaceInformer,
- policyProvider provider.NsNetworkPolicyProvider) *NSNetworkPolicyController {
+ policyProvider provider.NsNetworkPolicyProvider,
+ options options.NSNPOptions) *NSNetworkPolicyController {
 controller := &NSNetworkPolicyController{
 client: client,
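Review bot: The loop added to `generateNSNP` appends one `NetworkPolicyPeer` per entry of `c.options.AllowedIngressNamespaces` to `Ingress[0].From` of every policy the method builds, regardless of `matchWorkspace`, so each listed namespace is exempted from workspace isolation for every namespace this controller manages, and nothing in the method says so. I would put `// Every configured allowed-ingress namespace is granted ingress here in addition to the workspace peer; these entries bypass workspace isolation, so the list should contain only trusted system namespaces.` above the loop. The loop also takes the configured strings as-is, so an empty or duplicated entry yields a selector on an empty label value or a duplicate peer; harmless, but better rejected by `Options.Validate` than silently emitted here. `defaultAllowedIngress` is a misleading name for a per-entry value; `allowedPeer` reads more accurately.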
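Review bot: The new constructor parameter `options options.NSNPOptions` in the last hunk shadows the package alias `options` (imported for `kubesphere.io/kubesphere/pkg/simple/client/network`) inside `NewNSNetworkPolicyController`, so any later reference to that package from the body would silently resolve to the parameter instead. Renaming it avoids the trap and matches the name the test already uses: `nsnpOptions options.NSNPOptions) *NSNetworkPolicyController {` here, with `options: nsnpOptions,` in the struct literal of the following hunk. The constructor body continues outside this hunk.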
@@ -607,6 +621,7 @@ func NewNSNetworkPolicyController(
 provider: policyProvider,
 nsQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespace"),
 nsnpQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespacenp"),
+ options: options,
 }
 workspaceInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
diff --git a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go
index 899218f15..8b45aae03 100644
--- a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go
+++ b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go
@@ -22,6 +22,7 @@ import (
 workspaceinformer "kubesphere.io/kubesphere/pkg/client/informers/externalversions/tenant/v1alpha1"
 "kubesphere.io/kubesphere/pkg/constants"
 "kubesphere.io/kubesphere/pkg/controller/network/provider"
+ options "kubesphere.io/kubesphere/pkg/simple/client/network"
 )
 var (
@@ -48,6 +49,9 @@ spec:
 - namespaceSelector:
 matchLabels:
 %s: %s
+ - namespaceSelector:
+ matchLabels:
+ "kubesphere.io/namespace" : "kubesphere-monitoring-system"
 policyTypes:
 - Ingress`
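Review bot: The fixture line `"kubesphere.io/namespace" : "kubesphere-monitoring-system"` in the last hunk of the test file hard-codes the label key as a literal (with an unusual space before the colon), while the selector just above it uses a `%s: %s` placeholder that is presumably filled from `constants.NamespaceLabelKey` where the string is formatted. If the constant ever changes, the first selector follows it and the second silently stops matching the generated policy. Using a placeholder here too, `%s: kubesphere-monitoring-system`, and passing the constant as the extra format argument keeps the fixture in step with the code under test; the formatting call is outside this hunk, so the argument list change is inferred.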
@@ -113,8 +117,12 @@ var _ = Describe("Nsnetworkpolicy", func() {
 nodeInforemer := kubeInformer.Core().V1().Nodes()
 workspaceInformer := ksInformer.Tenant().V1alpha1().Workspaces()
 namespaceInformer := kubeInformer.Core().V1().Namespaces()
+ nsnpOptions := options.NewNetworkOptions()
+ nsnpOptions.NSNPOptions.AllowedIngressNamespaces = append(nsnpOptions.NSNPOptions.AllowedIngressNamespaces, "kubesphere-monitoring-system")
- c = NewNSNetworkPolicyController(kubeClient, ksClient.NetworkV1alpha1(), nsnpInformer, serviceInformer, nodeInforemer, workspaceInformer, namespaceInformer, calicoProvider)
+ c = NewNSNetworkPolicyController(kubeClient, ksClient.NetworkV1alpha1(),
+ nsnpInformer, serviceInformer, nodeInforemer,
+ workspaceInformer, namespaceInformer, calicoProvider, nsnpOptions.NSNPOptions)
 serviceObj := &corev1.Service{}
 Expect(StringToObject(serviceTmp, serviceObj)).ShouldNot(HaveOccurred())
@@ -158,7 +166,7 @@ var _ = Describe("Nsnetworkpolicy", func() {
 obj := &netv1.NetworkPolicy{}
 Expect(StringToObject(objSrt, obj)).ShouldNot(HaveOccurred())
- policy := generateNSNP("testworkspace", "testns", true)
+ policy := c.generateNSNP("testworkspace", "testns", true)
 Expect(reflect.DeepEqual(obj.Spec, policy.Spec)).To(BeTrue())
 })
@@ -167,7 +175,7 @@ var _ = Describe("Nsnetworkpolicy", func() {
 obj := &netv1.NetworkPolicy{}
 Expect(StringToObject(objSrt, obj)).ShouldNot(HaveOccurred())
- policy := generateNSNP("testworkspace", "testns", false)
+ policy := c.generateNSNP("testworkspace", "testns", false)
 Expect(reflect.DeepEqual(obj.Spec, policy.Spec)).To(BeTrue())
 })
diff --git a/pkg/simple/client/network/options.go b/pkg/simple/client/network/options.go
index 10d0e9717..64dd6880d 100644
--- a/pkg/simple/client/network/options.go
+++ b/pkg/simple/client/network/options.go
@@ -2,14 +2,22 @@ package network
 import "github.com/spf13/pflag"
+type NSNPOptions struct {
+ AllowedIngressNamespaces []string `json:"allowedIngressNamespaces,omitempty" yaml:"allowedIngressNamespaces,omitempty"`
+}
+
 type Options struct {
- EnableNetworkPolicy bool `json:"enableNetworkPolicy,omitempty" yaml:"enableNetworkPolicy"`
+ EnableNetworkPolicy bool `json:"enableNetworkPolicy,omitempty" yaml:"enableNetworkPolicy"`
+ NSNPOptions NSNPOptions `json:"nsnpOptions,omitempty" yaml:"nsnpOptions,omitempty"`
 }
 // NewNetworkOptions returns a `zero` instance
 func NewNetworkOptions() *Options {
 return &Options{
 EnableNetworkPolicy: false,
+ NSNPOptions: NSNPOptions{
+ AllowedIngressNamespaces: []string{},
+ },
 }
 }
@@ -20,6 +28,7 @@ func (s *Options) Validate() []error {
 func (s *Options) ApplyTo(options *Options) {
 options.EnableNetworkPolicy = s.EnableNetworkPolicy
+ options.NSNPOptions = s.NSNPOptions
 }
 func (s *Options) AddFlags(fs *pflag.FlagSet, c *Options) {
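Review bot: The exported `NSNPOptions` type and its `AllowedIngressNamespaces` field in the first hunk carry no doc comment, although the field is a security-relevant setting: the controller change in this same commit grants every namespace listed here ingress to every policy it generates. I would add `// NSNPOptions holds settings for the namespace network policy controller.` on the type and `// AllowedIngressNamespaces lists namespaces whose pods are allowed ingress to every managed namespace in addition to the namespace's own workspace; restrict it to trusted system namespaces.` on the field. `Validate` is left untouched by this change (its body is outside the hunk), so empty or duplicate entries in the list are not rejected; a loop there that appends an error for an empty entry would be the natural place. `AddFlags` is likewise only visible as context, so whether the new field is settable by flag or only via the config file cannot be told from this diff and deserves a sentence in the field comment once known.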