Merge pull request #2599 from duanjiong/networkpolicy-fix

Add a new parameter, allowedIngressNamespaces, for user customization
This commit is contained in:
KubeSphere CI Bot
2020-07-28 14:05:51 +08:00
committed by GitHub
6 changed files with 47 additions and 11 deletions


@@ -49,6 +49,7 @@ import (
"kubesphere.io/kubesphere/pkg/simple/client/devops" "kubesphere.io/kubesphere/pkg/simple/client/devops"
"kubesphere.io/kubesphere/pkg/simple/client/k8s" "kubesphere.io/kubesphere/pkg/simple/client/k8s"
ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap" ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
"kubesphere.io/kubesphere/pkg/simple/client/network"
"kubesphere.io/kubesphere/pkg/simple/client/openpitrix" "kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
"kubesphere.io/kubesphere/pkg/simple/client/s3" "kubesphere.io/kubesphere/pkg/simple/client/s3"
"sigs.k8s.io/controller-runtime/pkg/manager" "sigs.k8s.io/controller-runtime/pkg/manager"
@@ -65,7 +66,7 @@ func addControllers(
authenticationOptions *authoptions.AuthenticationOptions, authenticationOptions *authoptions.AuthenticationOptions,
openpitrixClient openpitrix.Client, openpitrixClient openpitrix.Client,
multiClusterEnabled bool, multiClusterEnabled bool,
networkPolicyEnabled bool, networkOptions *network.Options,
serviceMeshEnabled bool, serviceMeshEnabled bool,
kubectlImage string, kubectlImage string,
stopCh <-chan struct{}) error { stopCh <-chan struct{}) error {
@@ -267,7 +268,7 @@ func addControllers(
} }
var nsnpController manager.Runnable var nsnpController manager.Runnable
if networkPolicyEnabled { if networkOptions.EnableNetworkPolicy {
nsnpProvider, err := provider.NewNsNetworkPolicyProvider(client.Kubernetes(), kubernetesInformer.Networking().V1().NetworkPolicies()) nsnpProvider, err := provider.NewNsNetworkPolicyProvider(client.Kubernetes(), kubernetesInformer.Networking().V1().NetworkPolicies())
if err != nil { if err != nil {
return err return err
@@ -279,7 +280,7 @@ func addControllers(
kubernetesInformer.Core().V1().Services(), kubernetesInformer.Core().V1().Services(),
kubernetesInformer.Core().V1().Nodes(), kubernetesInformer.Core().V1().Nodes(),
kubesphereInformer.Tenant().V1alpha1().Workspaces(), kubesphereInformer.Tenant().V1alpha1().Workspaces(),
kubernetesInformer.Core().V1().Namespaces(), nsnpProvider) kubernetesInformer.Core().V1().Namespaces(), nsnpProvider, networkOptions.NSNPOptions)
} }
controllers := map[string]manager.Runnable{ controllers := map[string]manager.Runnable{
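Review bot: The new pointer parameter is dereferenced at `if networkOptions.EnableNetworkPolicy {` with no nil check, whereas the bool it replaces could not fail; a caller that leaves NetworkOptions unset now panics inside addControllers instead of failing where the option is named. Because `networkOptions.NSNPOptions` is read through the same pointer inside that branch, one guard covers both reads: `if networkOptions != nil && networkOptions.EnableNetworkPolicy {`. The body of addControllers continues outside the hunks shown, so any other use of the pointer there needs the same treatment.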


@@ -205,7 +205,7 @@ func Run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
s.AuthenticationOptions, s.AuthenticationOptions,
openpitrixClient, openpitrixClient,
s.MultiClusterOptions.Enable, s.MultiClusterOptions.Enable,
s.NetworkOptions.EnableNetworkPolicy, s.NetworkOptions,
servicemeshEnabled, servicemeshEnabled,
s.AuthenticationOptions.KubectlImage, stopCh); err != nil { s.AuthenticationOptions.KubectlImage, stopCh); err != nil {
klog.Fatalf("unable to register controllers to the manager: %v", err) klog.Fatalf("unable to register controllers to the manager: %v", err)


@@ -102,6 +102,9 @@ func newTestConfig() (*Config, error) {
}, },
NetworkOptions: &network.Options{ NetworkOptions: &network.Options{
EnableNetworkPolicy: true, EnableNetworkPolicy: true,
NSNPOptions: network.NSNPOptions{
AllowedIngressNamespaces: []string{},
},
}, },
MonitoringOptions: &prometheus.Options{ MonitoringOptions: &prometheus.Options{
Endpoint: "http://prometheus.kubesphere-monitoring-system.svc", Endpoint: "http://prometheus.kubesphere-monitoring-system.svc",


@@ -29,6 +29,7 @@ import (
"kubesphere.io/kubesphere/pkg/constants" "kubesphere.io/kubesphere/pkg/constants"
"kubesphere.io/kubesphere/pkg/controller/network" "kubesphere.io/kubesphere/pkg/controller/network"
"kubesphere.io/kubesphere/pkg/controller/network/provider" "kubesphere.io/kubesphere/pkg/controller/network/provider"
options "kubesphere.io/kubesphere/pkg/simple/client/network"
) )
const ( const (
@@ -77,6 +78,7 @@ type NSNetworkPolicyController struct {
namespaceInformerSynced cache.InformerSynced namespaceInformerSynced cache.InformerSynced
provider provider.NsNetworkPolicyProvider provider provider.NsNetworkPolicyProvider
options options.NSNPOptions
nsQueue workqueue.RateLimitingInterface nsQueue workqueue.RateLimitingInterface
nsnpQueue workqueue.RateLimitingInterface nsnpQueue workqueue.RateLimitingInterface
@@ -301,7 +303,7 @@ func (c *NSNetworkPolicyController) generateNodeRule() (netv1.NetworkPolicyIngre
return rule, nil return rule, nil
} }
func generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv1.NetworkPolicy { func (c *NSNetworkPolicyController) generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv1.NetworkPolicy {
policy := &netv1.NetworkPolicy{ policy := &netv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: AnnotationNPNAME, Name: AnnotationNPNAME,
@@ -328,6 +330,17 @@ func generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv
policy.Spec.Ingress[0].From[0].NamespaceSelector.MatchLabels[constants.NamespaceLabelKey] = namespace policy.Spec.Ingress[0].From[0].NamespaceSelector.MatchLabels[constants.NamespaceLabelKey] = namespace
} }
for _, allowedIngressNamespace := range c.options.AllowedIngressNamespaces {
defaultAllowedIngress := netv1.NetworkPolicyPeer{
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
constants.NamespaceLabelKey: allowedIngressNamespace,
},
},
}
policy.Spec.Ingress[0].From = append(policy.Spec.Ingress[0].From, defaultAllowedIngress)
}
return policy return policy
} }
@@ -445,7 +458,7 @@ func (c *NSNetworkPolicyController) syncNs(key string) error {
} }
} }
policy := generateNSNP(workspaceName, ns.Name, matchWorkspace) policy := c.generateNSNP(workspaceName, ns.Name, matchWorkspace)
if shouldAddDNSRule(nsnpList) { if shouldAddDNSRule(nsnpList) {
ruleDNS, err := generateDNSRule([]string{DNSLocalIP}) ruleDNS, err := generateDNSRule([]string{DNSLocalIP})
if err != nil { if err != nil {
@@ -589,7 +602,8 @@ func NewNSNetworkPolicyController(
nodeInformer v1.NodeInformer, nodeInformer v1.NodeInformer,
workspaceInformer workspace.WorkspaceInformer, workspaceInformer workspace.WorkspaceInformer,
namespaceInformer v1.NamespaceInformer, namespaceInformer v1.NamespaceInformer,
policyProvider provider.NsNetworkPolicyProvider) *NSNetworkPolicyController { policyProvider provider.NsNetworkPolicyProvider,
options options.NSNPOptions) *NSNetworkPolicyController {
controller := &NSNetworkPolicyController{ controller := &NSNetworkPolicyController{
client: client, client: client,
@@ -607,6 +621,7 @@ func NewNSNetworkPolicyController(
provider: policyProvider, provider: policyProvider,
nsQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespace"), nsQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespace"),
nsnpQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespacenp"), nsnpQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespacenp"),
options: options,
} }
workspaceInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ workspaceInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
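Review bot: The loop added to generateNSNP appends one namespaceSelector peer per entry of `c.options.AllowedIngressNamespaces` to the policy of every namespace this controller manages, so the option is a cluster-wide ingress allow-list, yet neither the new `options` field nor the loop says so and an empty entry is still turned into a selector on an empty label value. Document the field with `// options.AllowedIngressNamespaces lists namespaces granted ingress to every namespace this controller manages; each is appended as a namespaceSelector peer in generateNSNP.` and skip blank entries with `if allowedIngressNamespace == "" { continue }` at the top of the loop. Note also that the peer matches on the `constants.NamespaceLabelKey` label rather than the namespace name, so the allow-list is only as reliable as control over that label; that is presumably how the existing workspace selector already works, but it is worth stating in the comment. generateNSNP is only partly visible here, and the function continues between the two hunks that show it.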


@@ -22,6 +22,7 @@ import (
workspaceinformer "kubesphere.io/kubesphere/pkg/client/informers/externalversions/tenant/v1alpha1" workspaceinformer "kubesphere.io/kubesphere/pkg/client/informers/externalversions/tenant/v1alpha1"
"kubesphere.io/kubesphere/pkg/constants" "kubesphere.io/kubesphere/pkg/constants"
"kubesphere.io/kubesphere/pkg/controller/network/provider" "kubesphere.io/kubesphere/pkg/controller/network/provider"
options "kubesphere.io/kubesphere/pkg/simple/client/network"
) )
var ( var (
@@ -48,6 +49,9 @@ spec:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
%s: %s %s: %s
- namespaceSelector:
matchLabels:
"kubesphere.io/namespace" : "kubesphere-monitoring-system"
policyTypes: policyTypes:
- Ingress` - Ingress`
@@ -113,8 +117,12 @@ var _ = Describe("Nsnetworkpolicy", func() {
nodeInforemer := kubeInformer.Core().V1().Nodes() nodeInforemer := kubeInformer.Core().V1().Nodes()
workspaceInformer := ksInformer.Tenant().V1alpha1().Workspaces() workspaceInformer := ksInformer.Tenant().V1alpha1().Workspaces()
namespaceInformer := kubeInformer.Core().V1().Namespaces() namespaceInformer := kubeInformer.Core().V1().Namespaces()
nsnpOptions := options.NewNetworkOptions()
nsnpOptions.NSNPOptions.AllowedIngressNamespaces = append(nsnpOptions.NSNPOptions.AllowedIngressNamespaces, "kubesphere-monitoring-system")
c = NewNSNetworkPolicyController(kubeClient, ksClient.NetworkV1alpha1(), nsnpInformer, serviceInformer, nodeInforemer, workspaceInformer, namespaceInformer, calicoProvider) c = NewNSNetworkPolicyController(kubeClient, ksClient.NetworkV1alpha1(),
nsnpInformer, serviceInformer, nodeInforemer,
workspaceInformer, namespaceInformer, calicoProvider, nsnpOptions.NSNPOptions)
serviceObj := &corev1.Service{} serviceObj := &corev1.Service{}
Expect(StringToObject(serviceTmp, serviceObj)).ShouldNot(HaveOccurred()) Expect(StringToObject(serviceTmp, serviceObj)).ShouldNot(HaveOccurred())
@@ -158,7 +166,7 @@ var _ = Describe("Nsnetworkpolicy", func() {
obj := &netv1.NetworkPolicy{} obj := &netv1.NetworkPolicy{}
Expect(StringToObject(objSrt, obj)).ShouldNot(HaveOccurred()) Expect(StringToObject(objSrt, obj)).ShouldNot(HaveOccurred())
policy := generateNSNP("testworkspace", "testns", true) policy := c.generateNSNP("testworkspace", "testns", true)
Expect(reflect.DeepEqual(obj.Spec, policy.Spec)).To(BeTrue()) Expect(reflect.DeepEqual(obj.Spec, policy.Spec)).To(BeTrue())
}) })
@@ -167,7 +175,7 @@ var _ = Describe("Nsnetworkpolicy", func() {
obj := &netv1.NetworkPolicy{} obj := &netv1.NetworkPolicy{}
Expect(StringToObject(objSrt, obj)).ShouldNot(HaveOccurred()) Expect(StringToObject(objSrt, obj)).ShouldNot(HaveOccurred())
policy := generateNSNP("testworkspace", "testns", false) policy := c.generateNSNP("testworkspace", "testns", false)
Expect(reflect.DeepEqual(obj.Spec, policy.Spec)).To(BeTrue()) Expect(reflect.DeepEqual(obj.Spec, policy.Spec)).To(BeTrue())
}) })
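Review bot: Both generateNSNP cases now run against a controller whose allow-list already contains "kubesphere-monitoring-system" (set in the shared setup), so the default configuration returned by `options.NewNetworkOptions()`, with an empty AllowedIngressNamespaces, is no longer exercised by any assertion. Keep one case that builds the controller with the unmodified options and checks the policy has only the workspace or namespace peer. The expected fixture also hard-codes `"kubesphere.io/namespace"` while the peer above it is templated from `constants.NamespaceLabelKey`, so a change to the constant would break only one of the two selectors; templating both keeps them in step.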


@@ -2,14 +2,22 @@ package network
import "github.com/spf13/pflag" import "github.com/spf13/pflag"
type NSNPOptions struct {
AllowedIngressNamespaces []string `json:"allowedIngressNamespaces,omitempty" yaml:"allowedIngressNamespaces,omitempty"`
}
type Options struct { type Options struct {
EnableNetworkPolicy bool `json:"enableNetworkPolicy,omitempty" yaml:"enableNetworkPolicy"` EnableNetworkPolicy bool `json:"enableNetworkPolicy,omitempty" yaml:"enableNetworkPolicy"`
NSNPOptions NSNPOptions `json:"nsnpOptions,omitempty" yaml:"nsnpOptions,omitempty"`
} }
// NewNetworkOptions returns a `zero` instance // NewNetworkOptions returns a `zero` instance
func NewNetworkOptions() *Options { func NewNetworkOptions() *Options {
return &Options{ return &Options{
EnableNetworkPolicy: false, EnableNetworkPolicy: false,
NSNPOptions: NSNPOptions{
AllowedIngressNamespaces: []string{},
},
} }
} }
@@ -20,6 +28,7 @@ func (s *Options) Validate() []error {
func (s *Options) ApplyTo(options *Options) { func (s *Options) ApplyTo(options *Options) {
options.EnableNetworkPolicy = s.EnableNetworkPolicy options.EnableNetworkPolicy = s.EnableNetworkPolicy
options.NSNPOptions = s.NSNPOptions
} }
func (s *Options) AddFlags(fs *pflag.FlagSet, c *Options) { func (s *Options) AddFlags(fs *pflag.FlagSet, c *Options) {
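Review bot: `options.NSNPOptions = s.NSNPOptions` in ApplyTo copies the slice header, so the source and target Options share one backing array for AllowedIngressNamespaces and a later append on either can be observed by the other; copy it with `options.NSNPOptions.AllowedIngressNamespaces = append([]string(nil), s.NSNPOptions.AllowedIngressNamespaces...)`. The `json:"nsnpOptions,omitempty"` tag on a struct-typed field has no effect in encoding/json (omitempty never omits a struct value), so it is misleading and should be dropped or the field made a pointer. The exported NSNPOptions type and its field have no doc comment; something like `// NSNPOptions configures the namespace network policy controller. AllowedIngressNamespaces are granted ingress to every managed namespace.` is needed. Validate is not extended to reject empty entries, and no flag for the new option is registered in the part of AddFlags visible here (its body lies outside the hunk), so the option may only be settable through the config file.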