network: support network isolate

Add new crd to convert kubesphere network policy to k8s network policy, and then other network plugin will do the rest work. Use cache.go from calico project's kube-controller, it aim to sync nsnp with k8s np, delete unused np, and relieve the pressure on k8s restful client. If you want higher performance, you can implement interface NsNetworkPolicyProvider in pkg/controller/provider/namespace_np.go. Signed-off-by: Duan Jiong <djduanjiong@gmail.com>
2020-04-15 21:42:29 +08:00
parent fc373b18e3
commit d3bdcd0465
85 changed files with 4130 additions and 6254 deletions
--- a/pkg/controller/network/nsnetworkpolicy/webhook.go
+++ b/pkg/controller/network/nsnetworkpolicy/webhook.go
@@ -0,0 +1,38 @@
+package nsnetworkpolicy
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// +kubebuilder:webhook:path=/validate-service-nsnp-kubesphere-io-v1alpha1-network,name=validate-v1-service,mutating=false,failurePolicy=fail,groups="",resources=services,verbs=create;update,versions=v1
+
+// serviceValidator validates service
+type ServiceValidator struct {
+	decoder *admission.Decoder
+}
+
+// Service must hash label, becasue nsnp will use it
+func (v *ServiceValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
+	service := &corev1.Service{}
+
+	err := v.decoder.Decode(req, service)
+	if err != nil {
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	if service.Spec.Selector == nil {
+		return admission.Denied(fmt.Sprintf("missing label"))
+	}
+
+	return admission.Allowed("")
+}
+
+func (a *ServiceValidator) InjectDecoder(d *admission.Decoder) error {
+	a.decoder = d
+	return nil
+}