networkpolicy: add new parameters allowedIngressNamespaces for user customization

Signed-off-by: Duan Jiong <djduanjiong@gmail.com>

pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go

@@ -29,6 +29,7 @@ import (
 	"kubesphere.io/kubesphere/pkg/constants"
 	"kubesphere.io/kubesphere/pkg/controller/network"
 	"kubesphere.io/kubesphere/pkg/controller/network/provider"
+	options "kubesphere.io/kubesphere/pkg/simple/client/network"
 )
 
 const (
@@ -77,6 +78,7 @@ type NSNetworkPolicyController struct {
 	namespaceInformerSynced cache.InformerSynced
 
 	provider provider.NsNetworkPolicyProvider
+	options  options.NSNPOptions
 
 	nsQueue   workqueue.RateLimitingInterface
 	nsnpQueue workqueue.RateLimitingInterface
@@ -301,7 +303,7 @@ func (c *NSNetworkPolicyController) generateNodeRule() (netv1.NetworkPolicyIngre
 	return rule, nil
 }
 
-func generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv1.NetworkPolicy {
+func (c *NSNetworkPolicyController) generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv1.NetworkPolicy {
 	policy := &netv1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      AnnotationNPNAME,
@@ -328,6 +330,17 @@ func generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv
 		policy.Spec.Ingress[0].From[0].NamespaceSelector.MatchLabels[constants.NamespaceLabelKey] = namespace
 	}
 
+	for _, allowedIngressNamespace := range c.options.AllowedIngressNamespaces {
+		defaultAllowedIngress := netv1.NetworkPolicyPeer{
+			NamespaceSelector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					constants.NamespaceLabelKey: allowedIngressNamespace,
+				},
+			},
+		}
+		policy.Spec.Ingress[0].From = append(policy.Spec.Ingress[0].From, defaultAllowedIngress)
+	}
+
 	return policy
 }
 
@@ -445,7 +458,7 @@ func (c *NSNetworkPolicyController) syncNs(key string) error {
 		}
 	}
 
-	policy := generateNSNP(workspaceName, ns.Name, matchWorkspace)
+	policy := c.generateNSNP(workspaceName, ns.Name, matchWorkspace)
 	if shouldAddDNSRule(nsnpList) {
 		ruleDNS, err := generateDNSRule([]string{DNSLocalIP})
 		if err != nil {
@@ -589,7 +602,8 @@ func NewNSNetworkPolicyController(
 	nodeInformer v1.NodeInformer,
 	workspaceInformer workspace.WorkspaceInformer,
 	namespaceInformer v1.NamespaceInformer,
-	policyProvider provider.NsNetworkPolicyProvider) *NSNetworkPolicyController {
+	policyProvider provider.NsNetworkPolicyProvider,
+	options options.NSNPOptions) *NSNetworkPolicyController {
 
 	controller := &NSNetworkPolicyController{
 		client:                  client,
@@ -607,6 +621,7 @@ func NewNSNetworkPolicyController(
 		provider:                policyProvider,
 		nsQueue:                 workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespace"),
 		nsnpQueue:               workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespacenp"),
+		options:                 options,
 	}
 
 	workspaceInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{

pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go

@@ -22,6 +22,7 @@ import (
 	workspaceinformer "kubesphere.io/kubesphere/pkg/client/informers/externalversions/tenant/v1alpha1"
 	"kubesphere.io/kubesphere/pkg/constants"
 	"kubesphere.io/kubesphere/pkg/controller/network/provider"
+	options "kubesphere.io/kubesphere/pkg/simple/client/network"
 )
 
 var (
@@ -48,6 +49,9 @@ spec:
         - namespaceSelector:
             matchLabels:
               %s: %s
+        - namespaceSelector:
+            matchLabels:
+              "kubesphere.io/namespace" : "kubesphere-monitoring-system"
   policyTypes:
     - Ingress`
 
@@ -113,8 +117,12 @@ var _ = Describe("Nsnetworkpolicy", func() {
 		nodeInforemer := kubeInformer.Core().V1().Nodes()
 		workspaceInformer := ksInformer.Tenant().V1alpha1().Workspaces()
 		namespaceInformer := kubeInformer.Core().V1().Namespaces()
+		nsnpOptions := options.NewNetworkOptions()
+		nsnpOptions.NSNPOptions.AllowedIngressNamespaces = append(nsnpOptions.NSNPOptions.AllowedIngressNamespaces, "kubesphere-monitoring-system")
 
-		c = NewNSNetworkPolicyController(kubeClient, ksClient.NetworkV1alpha1(), nsnpInformer, serviceInformer, nodeInforemer, workspaceInformer, namespaceInformer, calicoProvider)
+		c = NewNSNetworkPolicyController(kubeClient, ksClient.NetworkV1alpha1(),
+			nsnpInformer, serviceInformer, nodeInforemer,
+			workspaceInformer, namespaceInformer, calicoProvider, nsnpOptions.NSNPOptions)
 
 		serviceObj := &corev1.Service{}
 		Expect(StringToObject(serviceTmp, serviceObj)).ShouldNot(HaveOccurred())
@@ -158,7 +166,7 @@ var _ = Describe("Nsnetworkpolicy", func() {
 		obj := &netv1.NetworkPolicy{}
 		Expect(StringToObject(objSrt, obj)).ShouldNot(HaveOccurred())
 
-		policy := generateNSNP("testworkspace", "testns", true)
+		policy := c.generateNSNP("testworkspace", "testns", true)
 		Expect(reflect.DeepEqual(obj.Spec, policy.Spec)).To(BeTrue())
 	})
 
@@ -167,7 +175,7 @@ var _ = Describe("Nsnetworkpolicy", func() {
 		obj := &netv1.NetworkPolicy{}
 		Expect(StringToObject(objSrt, obj)).ShouldNot(HaveOccurred())
 
-		policy := generateNSNP("testworkspace", "testns", false)
+		policy := c.generateNSNP("testworkspace", "testns", false)
 		Expect(reflect.DeepEqual(obj.Spec, policy.Spec)).To(BeTrue())
 	})