
Commit 8fdff90

committed
wip
1 parent f9b3cab commit 8fdff90


7 files changed

+185
-326
lines changed


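--- a/cmd/policy-assistant/examples/example.go
+++ b/cmd/policy-assistant/examples/example.go
@@ -9,7 +9,7 @@ import (
 var CoreGressRulesCombinedANB = []*v1alpha1.AdminNetworkPolicy{
 {
 ObjectMeta: v1.ObjectMeta{
-Name: "Example ANP",
+Name: "example-anp",
 },
 Spec: v1alpha1.AdminNetworkPolicySpec{
 Priority: 20,
@@ -19,7 +19,6 @@ var CoreGressRulesCombinedANB = []*v1alpha1.AdminNetworkPolicy{
 {
 Key: "kubernetes.io/metadata.name",
 Operator: v1.LabelSelectorOpExists,
-Values: []string{"network-policy-conformance-gryffindor"},
 },
 },
 },
@@ -308,7 +307,7 @@ var CoreGressRulesCombinedANB = []*v1alpha1.AdminNetworkPolicy{
 },
 {
 ObjectMeta: v1.ObjectMeta{
-Name: "Example ANP 2",
+Name: "example-anp-2",
 },
 Spec: v1alpha1.AdminNetworkPolicySpec{
 Priority: 16,
@@ -318,7 +317,6 @@ var CoreGressRulesCombinedANB = []*v1alpha1.AdminNetworkPolicy{
 {
 Key: "kubernetes.io/metadata.name",
 Operator: v1.LabelSelectorOpExists,
-Values: []string{"network-policy-conformance-gryffindor"},
 },
 },
 },
@@ -618,7 +616,6 @@ var CoreGressRulesCombinedBANB *v1alpha1.BaselineAdminNetworkPolicy = &v1alpha1.
 {
 Key: "kubernetes.io/metadata.name",
 Operator: v1.LabelSelectorOpExists,
-Values: []string{"network-policy-conformance-gryffindor"},
 },
 },
 },
@@ -657,7 +654,6 @@ var CoreGressRulesCombinedBANB *v1alpha1.BaselineAdminNetworkPolicy = &v1alpha1.
 {
 Key: "kubernetes.io/metadata.name",
 Operator: v1.LabelSelectorOpExists,
-Values: []string{"network-policy-conformance-gryffindor"},
 },
 },
 },
@@ -808,7 +804,7 @@ var CoreGressRulesCombinedBANB *v1alpha1.BaselineAdminNetworkPolicy = &v1alpha1.
 var SimpleANPs = []*v1alpha1.AdminNetworkPolicy{
 {
 ObjectMeta: v1.ObjectMeta{
-Name: "Simple ANP 1",
+Name: "simple-anp-1",
 },
 Spec: v1alpha1.AdminNetworkPolicySpec{
 Priority: 34,
@@ -840,7 +836,7 @@ var SimpleANPs = []*v1alpha1.AdminNetworkPolicy{
 },
 {
 ObjectMeta: v1.ObjectMeta{
-Name: "Simple ANP 2",
+Name: "simple-anp-2",
 },
 Spec: v1alpha1.AdminNetworkPolicySpec{
 Priority: 50,
@@ -871,35 +867,3 @@ var SimpleANPs = []*v1alpha1.AdminNetworkPolicy{
 },
 },
 }
-
-var SimpleBANP *v1alpha1.BaselineAdminNetworkPolicy = &v1alpha1.BaselineAdminNetworkPolicy{
-ObjectMeta: v1.ObjectMeta{
-Name: "Simple BANP",
-},
-Spec: v1alpha1.BaselineAdminNetworkPolicySpec{
-Subject: v1alpha1.AdminNetworkPolicySubject{
-Namespaces: &v1.LabelSelector{
-MatchLabels: map[string]string{
-"test": "test",
-},
-},
-},
-Egress: []v1alpha1.BaselineAdminNetworkPolicyEgressRule{
-{
-Name: "allow-to-ravenclaw-everything",
-Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionAllow,
-To: []v1alpha1.AdminNetworkPolicyPeer{
-{
-Namespaces: &v1alpha1.NamespacedPeer{
-NamespaceSelector: &v1.LabelSelector{
-MatchLabels: map[string]string{
-"kubernetes.io/metadata.name": "network-policy-conformance-ravenclaw",
-},
-},
-},
-},
-},
-},
-},
-},
-}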

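--- a/cmd/policy-assistant/pkg/matcher/builder.go
+++ b/cmd/policy-assistant/pkg/matcher/builder.go
@@ -21,30 +21,21 @@ func BuildV1AndV2NetPols(simplify bool, netpols []*networkingv1.NetworkPolicy, a
 np.AddTarget(false, egress)
 }
 
-var banpIngress *Target
-var banpEgress *Target
-
-if banp != nil {
-// there can only be one BANP by definition
-banpIngress, banpEgress = BuildTargetBANP(banp)
-np.AddTarget(true, banpIngress)
-np.AddTarget(false, banpEgress)
-}
-
 priorities := make(map[int32]struct{})
 for _, p := range anps {
 if _, ok := priorities[p.Spec.Priority]; ok {
-panic(errors.Errorf("duplicate priorities are now allowed. priority: %d", p.Spec.Priority))
+panic(errors.Errorf("duplicate priorities are undefined. priority: %d", p.Spec.Priority))
 }
 priorities[p.Spec.Priority] = struct{}{}
 
 ingress, egress := BuildTargetANP(p)
-if banpIngress != nil && ingress.GetPrimaryKey() == banpIngress.GetPrimaryKey() {
-ingress.CombineCommonPeers(banpIngress)
-egress.CombineCommonPeers(banpEgress)
-
-}
+np.AddTarget(true, ingress)
+np.AddTarget(false, egress)
+}
 
+if banp != nil {
+// there can only be one BANP by definition
+ingress, egress := BuildTargetBANP(banp)
 np.AddTarget(true, ingress)
 np.AddTarget(false, egress)
 }
@@ -73,27 +64,16 @@ func BuildTarget(netpol *networkingv1.NetworkPolicy) (*Target, *Target) {
 for _, pType := range netpol.Spec.PolicyTypes {
 switch pType {
 case networkingv1.PolicyTypeIngress:
-p := map[string][]PeerMatcher{}
-ingressPeers := BuildIngressMatcher(policyNamespace, netpol.Spec.Ingress)
-if len(ingressPeers) > 0 {
-p[""] = ingressPeers
-}
-
 ingress = &Target{
 SubjectMatcher: NewSubjectV1(policyNamespace, netpol.Spec.PodSelector),
 SourceRules: []NetPolID{netPolID(netpol)},
-Peers: p,
+Peers: BuildIngressMatcher(policyNamespace, netpol.Spec.Ingress),
 }
 case networkingv1.PolicyTypeEgress:
-p := map[string][]PeerMatcher{}
-egressPeers := BuildEgressMatcher(policyNamespace, netpol.Spec.Egress)
-if len(egressPeers) > 0 {
-p[""] = egressPeers
-}
 egress = &Target{
 SubjectMatcher: NewSubjectV1(policyNamespace, netpol.Spec.PodSelector),
 SourceRules: []NetPolID{netPolID(netpol)},
-Peers: p,
+Peers: BuildEgressMatcher(policyNamespace, netpol.Spec.Egress),
 }
 }
 }
@@ -238,36 +218,34 @@ func BuildTargetANP(anp *v1alpha1.AdminNetworkPolicy) (*Target, *Target) {
 ingress = &Target{
 SubjectMatcher: NewSubjectAdmin(&anp.Spec.Subject),
 SourceRules: []NetPolID{netPolID(anp)},
-Peers: make(map[string][]PeerMatcher),
 }
 
 for _, r := range anp.Spec.Ingress {
 v := AdminActionToVerdict(r.Action)
 matchers := BuildPeerMatcherAdmin(r.From, r.Ports)
 for _, m := range matchers {
 matcherAdmin := NewPeerMatcherANP(m, v, int(anp.Spec.Priority), anp.Name)
-k := m.Pod.PrimaryKey() + m.Namespace.PrimaryKey() + m.Port.GetPrimaryKey()
-ingress.Peers[k] = append(ingress.Peers[k], matcherAdmin)
+ingress.Peers = append(ingress.Peers, matcherAdmin)
 }
 }
 }
+
 if len(anp.Spec.Egress) > 0 {
 egress = &Target{
 SubjectMatcher: NewSubjectAdmin(&anp.Spec.Subject),
 SourceRules: []NetPolID{netPolID(anp)},
-Peers: make(map[string][]PeerMatcher),
 }
 
 for _, r := range anp.Spec.Egress {
 v := AdminActionToVerdict(r.Action)
 matchers := BuildPeerMatcherAdmin(r.To, r.Ports)
 for _, m := range matchers {
 matcherAdmin := NewPeerMatcherANP(m, v, int(anp.Spec.Priority), anp.Name)
-k := m.Pod.PrimaryKey() + m.Namespace.PrimaryKey() + m.Port.GetPrimaryKey()
-egress.Peers[k] = append(egress.Peers[k], matcherAdmin)
+egress.Peers = append(egress.Peers, matcherAdmin)
 }
 }
 }
+
 return ingress, egress
 }
 
@@ -283,16 +261,14 @@ func BuildTargetBANP(banp *v1alpha1.BaselineAdminNetworkPolicy) (*Target, *Targe
 ingress = &Target{
 SubjectMatcher: NewSubjectAdmin(&banp.Spec.Subject),
 SourceRules: []NetPolID{netPolID(banp)},
-Peers: make(map[string][]PeerMatcher),
 }
 
 for _, r := range banp.Spec.Ingress {
 v := BaselineAdminActionToVerdict(r.Action)
 matchers := BuildPeerMatcherAdmin(r.From, r.Ports)
 for _, m := range matchers {
-matcherAdmin := NewPeerMatcherBANP(m, v, r.Name)
-k := m.Pod.PrimaryKey() + m.Namespace.PrimaryKey() + m.Port.GetPrimaryKey()
-ingress.Peers[k] = append(ingress.Peers[k], matcherAdmin)
+matcherAdmin := NewPeerMatcherBANP(m, v, banp.Name)
+ingress.Peers = append(ingress.Peers, matcherAdmin)
 }
 }
 }
@@ -301,16 +277,14 @@ func BuildTargetBANP(banp *v1alpha1.BaselineAdminNetworkPolicy) (*Target, *Targe
 egress = &Target{
 SubjectMatcher: NewSubjectAdmin(&banp.Spec.Subject),
 SourceRules: []NetPolID{netPolID(banp)},
-Peers: make(map[string][]PeerMatcher),
 }
 
 for _, r := range banp.Spec.Egress {
 v := BaselineAdminActionToVerdict(r.Action)
 matchers := BuildPeerMatcherAdmin(r.To, r.Ports)
 for _, m := range matchers {
-matcherAdmin := NewPeerMatcherBANP(m, v, r.Name)
-k := m.Pod.PrimaryKey() + m.Namespace.PrimaryKey() + m.Port.GetPrimaryKey()
-egress.Peers[k] = append(egress.Peers[k], matcherAdmin)
+matcherAdmin := NewPeerMatcherBANP(m, v, banp.Name)
+egress.Peers = append(egress.Peers, matcherAdmin)
 }
 }
 }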
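Review bot: In BuildV1AndV2NetPols the ANP loop now hands each target straight to np.AddTarget and the CombineCommonPeers merge with the BANP targets is gone, so a BANP whose subject shares a primary key with an ANP is appended as a separate target after all ANPs; whether baseline rules still rank below every ANP and NetworkPolicy verdict now rests on how AddTarget and the matching code order same-key targets, which is outside this hunk, so if the append order is what enforces that precedence it deserves a comment next to the surviving one, e.g. `// BANP targets are added last; ANP and v1 NetworkPolicy targets must be consulted first`. BuildTargetANP builds egress only under `if len(anp.Spec.Egress) > 0` (visible in its hunk), so `np.AddTarget(false, egress)` in the loop can receive nil unless AddTarget tolerates it; the old code passed it the same way, but the explicit nil check that guarded the BANP path has been removed with the merge. In the BuildTargetBANP hunks the matcher is now tagged with `banp.Name` instead of `r.Name`, consistent with the ANP path but dropping per-rule attribution, so any explain or verdict output built from that field can no longer name the baseline rule that fired. BuildV1AndV2NetPols, BuildTarget, BuildTargetANP and BuildTargetBANP all start before and end after their hunks.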
