admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

networkpolicy: add new parameters allowedIngressNamespaces for user customization

Browse Source 
Signed-off-by: Duan Jiong <djduanjiong@gmail.com>
This commit is contained in:
Duan Jiong
2020-07-23 14:14:27 +08:00
parent afcd0efea2
commit eb21606602
6 changed files with 47 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go
View File

@@ -29,6 +29,7 @@ import (
"kubesphere.io/kubesphere/pkg/constants"
"kubesphere.io/kubesphere/pkg/controller/network"
"kubesphere.io/kubesphere/pkg/controller/network/provider"
options "kubesphere.io/kubesphere/pkg/simple/client/network"
)
const (
@@ -77,6 +78,7 @@ type NSNetworkPolicyController struct {
namespaceInformerSynced cache.InformerSynced
provider provider.NsNetworkPolicyProvider
options options.NSNPOptions
nsQueue workqueue.RateLimitingInterface
nsnpQueue workqueue.RateLimitingInterface
@@ -301,7 +303,7 @@ func (c *NSNetworkPolicyController) generateNodeRule() (netv1.NetworkPolicyIngre
return rule, nil
}
func generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv1.NetworkPolicy {
func (c *NSNetworkPolicyController) generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv1.NetworkPolicy {
policy := &netv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: AnnotationNPNAME,
@@ -328,6 +330,17 @@ func generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv
policy.Spec.Ingress[0].From[0].NamespaceSelector.MatchLabels[constants.NamespaceLabelKey] = namespace
}
for _, allowedIngressNamespace := range c.options.AllowedIngressNamespaces {
defaultAllowedIngress := netv1.NetworkPolicyPeer{
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
constants.NamespaceLabelKey: allowedIngressNamespace,
},
},
}
policy.Spec.Ingress[0].From = append(policy.Spec.Ingress[0].From, defaultAllowedIngress)
}
return policy
}
@@ -445,7 +458,7 @@ func (c *NSNetworkPolicyController) syncNs(key string) error {
}
}
policy := generateNSNP(workspaceName, ns.Name, matchWorkspace)
policy := c.generateNSNP(workspaceName, ns.Name, matchWorkspace)
if shouldAddDNSRule(nsnpList) {
ruleDNS, err := generateDNSRule([]string{DNSLocalIP})
if err != nil {
@@ -589,7 +602,8 @@ func NewNSNetworkPolicyController(
nodeInformer v1.NodeInformer,
workspaceInformer workspace.WorkspaceInformer,
namespaceInformer v1.NamespaceInformer,
policyProvider provider.NsNetworkPolicyProvider) *NSNetworkPolicyController {
policyProvider provider.NsNetworkPolicyProvider,
options options.NSNPOptions) *NSNetworkPolicyController {
controller := &NSNetworkPolicyController{
client: client,
@@ -607,6 +621,7 @@ func NewNSNetworkPolicyController(
provider: policyProvider,
nsQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespace"),
nsnpQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespacenp"),
options: options,
}
workspaceInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{