Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement manifest command #16

Merged
merged 5 commits into from
Nov 25, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions cmd/npv/app/const.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,3 +33,9 @@ var gvrClusterwideNetworkPolicy schema.GroupVersionResource = schema.GroupVersio
Version: "v2",
Resource: "ciliumclusterwidenetworkpolicies",
}

var gvkNetworkPolicy schema.GroupVersionKind = schema.GroupVersionKind{
Group: "cilium.io",
Version: "v2",
Kind: "CiliumNetworkPolicy",
}
17 changes: 17 additions & 0 deletions cmd/npv/app/helper.go
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,23 @@ func getPodEndpointID(ctx context.Context, d *dynamic.DynamicClient, namespace,
return endpointID, nil
}

func getPodIdentity(ctx context.Context, d *dynamic.DynamicClient, namespace, name string) (int64, error) {
ep, err := d.Resource(gvrEndpoint).Namespace(namespace).Get(ctx, name, metav1.GetOptions{})
if err != nil {
return 0, err
}

identity, found, err := unstructured.NestedInt64(ep.Object, "status", "identity", "id")
if err != nil {
return 0, err
}
if !found {
return 0, errors.New("pod does not have security identity")
yokaze marked this conversation as resolved.
Show resolved Hide resolved
}

return identity, nil
}

// key: identity number
// value: CiliumIdentity resource
func getIdentityResourceMap(ctx context.Context, d *dynamic.DynamicClient) (map[int]*unstructured.Unstructured, error) {
Expand Down
13 changes: 13 additions & 0 deletions cmd/npv/app/manifest.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
package app

import "github.com/spf13/cobra"

func init() {
rootCmd.AddCommand(manifestCmd)
}

var manifestCmd = &cobra.Command{
Use: "manifest",
Short: "Generate CiliumNetworkPolicy",
Long: `Generate CiliumNetworkPolicy`,
}
106 changes: 106 additions & 0 deletions cmd/npv/app/manifest_blast.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
package app

import (
"context"
"errors"
"io"
"sort"
"strings"

"github.com/spf13/cobra"
)

var manifestBlastOptions struct {
from string
to string
}

func init() {
manifestBlastCmd.Flags().StringVar(&manifestBlastOptions.from, "from", "", "egress pod")
manifestBlastCmd.Flags().StringVar(&manifestBlastOptions.to, "to", "", "ingress pod")
manifestCmd.AddCommand(manifestBlastCmd)
}

var manifestBlastCmd = &cobra.Command{
Use: "blast",
chez-shanpu marked this conversation as resolved.
Show resolved Hide resolved
Short: "Show blast radius of a generated manifest",
chez-shanpu marked this conversation as resolved.
Show resolved Hide resolved
Long: `Show blast radius of a generated manifest`,

Args: cobra.ExactArgs(0),
RunE: func(cmd *cobra.Command, args []string) error {
return runManifestBlast(context.Background(), cmd.OutOrStdout())
},
}

type manifestBlastEntry struct {
Direction string `json:"direction"`
Namespace string `json:"namespace"`
Name string `json:"name"`
}

func lessManifestBlastEntry(x, y *manifestBlastEntry) bool {
ret := strings.Compare(x.Direction, y.Direction)
if ret == 0 {
ret = strings.Compare(x.Namespace, y.Namespace)
}
if ret == 0 {
ret = strings.Compare(x.Name, y.Name)
}
return ret < 0
}

func runManifestBlast(ctx context.Context, w io.Writer) error {
if manifestBlastOptions.from == "" || manifestBlastOptions.to == "" {
return errors.New("--from and --to options are required")
}

fromSlice := strings.Split(manifestBlastOptions.from, "/")
chez-shanpu marked this conversation as resolved.
Show resolved Hide resolved
toSlice := strings.Split(manifestBlastOptions.to, "/")
if len(fromSlice) != 2 || len(toSlice) != 2 {
return errors.New("--from and --to should be NAMESPACE/POD")
}

_, dynamicClient, err := createK8sClients()
if err != nil {
return err
}

fromIdentity, err := getPodIdentity(ctx, dynamicClient, fromSlice[0], fromSlice[1])
if err != nil {
return err
}

toIdentity, err := getPodIdentity(ctx, dynamicClient, toSlice[0], toSlice[1])
if err != nil {
return err
}

idEndpoints, err := getIdentityEndpoints(ctx, dynamicClient)
if err != nil {
return err
}

arr := make([]manifestBlastEntry, 0)
sort.Slice(arr, func(i, j int) bool { return lessManifestBlastEntry(&arr[i], &arr[j]) })

for _, ep := range idEndpoints[int(fromIdentity)] {
entry := manifestBlastEntry{
Direction: directionEgress,
Namespace: ep.GetNamespace(),
Name: ep.GetName(),
}
arr = append(arr, entry)
}
for _, ep := range idEndpoints[int(toIdentity)] {
entry := manifestBlastEntry{
Direction: directionIngress,
Namespace: ep.GetNamespace(),
Name: ep.GetName(),
}
arr = append(arr, entry)
}
return writeSimpleOrJson(w, arr, []string{"DIRECTION", "NAMESPACE", "NAME"}, len(arr), func(index int) []any {
ep := arr[index]
return []any{ep.Direction, ep.Namespace, ep.Name}
})
}
193 changes: 193 additions & 0 deletions cmd/npv/app/manifest_generate.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,193 @@
package app

import (
"context"
"errors"
"fmt"
"io"
"strconv"
"strings"

"github.com/spf13/cobra"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/yaml"
)

var manifestGenerateOptions struct {
name string
egress bool
ingress bool
allow bool
deny bool
from string
to string
}

func init() {
manifestGenerateCmd.Flags().StringVar(&manifestGenerateOptions.name, "name", "", "resource name")
manifestGenerateCmd.Flags().BoolVar(&manifestGenerateOptions.egress, "egress", false, "generate egress rule")
manifestGenerateCmd.Flags().BoolVar(&manifestGenerateOptions.ingress, "ingress", false, "generate ingress rule")
manifestGenerateCmd.Flags().BoolVar(&manifestGenerateOptions.allow, "allow", false, "generate allow rule")
manifestGenerateCmd.Flags().BoolVar(&manifestGenerateOptions.deny, "deny", false, "generate deny rule")
manifestGenerateCmd.Flags().StringVar(&manifestGenerateOptions.from, "from", "", "egress pod")
manifestGenerateCmd.Flags().StringVar(&manifestGenerateOptions.to, "to", "", "ingress pod")
manifestCmd.AddCommand(manifestGenerateCmd)
}

var manifestGenerateCmd = &cobra.Command{
Use: "generate",
Short: "Generate CiliumNetworkPolicy",
Long: `Generate CiliumNetworkPolicy`,

Args: cobra.ExactArgs(0),
RunE: func(cmd *cobra.Command, args []string) error {
return runManifestGenerate(context.Background(), cmd.OutOrStdout())
},
}

func parseNamespacedName(nn string) (types.NamespacedName, error) {
li := strings.Split(nn, "/")
if len(li) != 2 {
return types.NamespacedName{}, errors.New("input is not NAMESPACE/NAME")
}
return types.NamespacedName{Namespace: li[0], Name: li[1]}, nil
}

func runManifestGenerate(ctx context.Context, w io.Writer) error {
egress := manifestGenerateOptions.egress
ingress := manifestGenerateOptions.ingress
allow := manifestGenerateOptions.allow
deny := manifestGenerateOptions.deny
from := manifestGenerateOptions.from
to := manifestGenerateOptions.to

if egress == ingress {
return errors.New("one of --egress or --ingress should be specified")
}
if allow == deny {
return errors.New("one of --allow or --deny should be specified")
}

sub, err := parseNamespacedName(from)
if err != nil {
return errors.New("--from and --to should be specified as NAMESPACE/POD")
}

obj, err := parseNamespacedName(to)
if err != nil {
return errors.New("--from and --to should be specified as NAMESPACE/POD")
}

if ingress {
sub, obj = obj, sub
}

// Parameters are all up, let's start querying API server
_, dynamicClient, err := createK8sClients()
if err != nil {
return err
}

subIdentity, err := getPodIdentity(ctx, dynamicClient, sub.Namespace, sub.Name)
if err != nil {
return err
}

subResource, err := dynamicClient.Resource(gvrIdentity).Get(ctx, strconv.Itoa(int(subIdentity)), metav1.GetOptions{})
if err != nil {
return err
}

subLabels, ok, err := unstructured.NestedStringMap(subResource.Object, "security-labels")
if err != nil {
return err
}
if !ok {
return errors.New("subject does not have security labels")
}

objIdentity, err := getPodIdentity(ctx, dynamicClient, obj.Namespace, obj.Name)
if err != nil {
return err
}

objResource, err := dynamicClient.Resource(gvrIdentity).Get(ctx, strconv.Itoa(int(objIdentity)), metav1.GetOptions{})
if err != nil {
return err
}

objLabels, ok, err := unstructured.NestedStringMap(objResource.Object, "security-labels")
if err != nil {
return err
}
if !ok {
return errors.New("object does not have security labels")
}

policyName := manifestGenerateOptions.name
if policyName == "" {
direction := "egress"
policy := "allow"
if ingress {
direction = "ingress"
}
if deny {
policy = "deny"
}
policyName = fmt.Sprintf("%s-%s-%d-%d", direction, policy, subIdentity, objIdentity)
}

var manifest unstructured.Unstructured
manifest.SetGroupVersionKind(gvkNetworkPolicy)
manifest.SetNamespace(sub.Namespace)
manifest.SetName(policyName)
err = unstructured.SetNestedStringMap(manifest.Object, subLabels, "spec", "endpointSelector", "matchLabels")
if err != nil {
return err
}

objMap := make(map[string]any)
for k, v := range objLabels {
objMap[k] = v
}

var section, field string
switch {
case egress && allow:
section = "egress"
field = "toEndpoints"
case egress && deny:
section = "egressDeny"
field = "toEndpoints"
case ingress && allow:
section = "ingress"
field = "fromEndpoints"
case ingress && deny:
section = "ingressDeny"
field = "fromEndpoints"
}

err = unstructured.SetNestedField(manifest.Object, []any{
map[string]any{
field: []any{
map[string]any{
"matchLabels": objMap,
},
},
},
}, "spec", section)
if err != nil {
return err
}

data, err := yaml.Marshal(manifest.Object)
if err != nil {
return err
}
if _, err := fmt.Fprintf(w, "%s", string(data)); err != nil {
return err
}
return nil
}
5 changes: 4 additions & 1 deletion e2e/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ CACHE_DIR := $(shell pwd)/../cache
POLICY_VIEWER := $(BIN_DIR)/npv
HELM := helm --repository-cache $(CACHE_DIR)/helm/repository --repository-config $(CACHE_DIR)/helm/repositories.yaml

DEPLOYMENT_REPLICAS ?= 1

##@ Basic

.PHONY: help
Expand Down Expand Up @@ -41,14 +43,15 @@ run-test-pod-%:
@echo Hello | yq > /dev/null
cat testdata/template/ubuntu.yaml | \
yq '.metadata.name = "$*"' | \
yq '.spec.replicas = $(DEPLOYMENT_REPLICAS)' | \
yq '.spec.selector.matchLabels = {"test": "$*"}' | \
yq '.spec.template.metadata.labels = {"test": "$*", "group": "test"}' | \
kubectl apply -f -

.PHONY: install-test-pod
install-test-pod:
$(MAKE) --no-print-directory run-test-pod-self
$(MAKE) --no-print-directory run-test-pod-l3-ingress-explicit-allow-all
$(MAKE) --no-print-directory DEPLOYMENT_REPLICAS=2 run-test-pod-l3-ingress-explicit-allow-all
$(MAKE) --no-print-directory run-test-pod-l3-ingress-implicit-deny-all
$(MAKE) --no-print-directory run-test-pod-l3-ingress-explicit-deny-all
$(MAKE) --no-print-directory run-test-pod-l3-egress-implicit-deny-all
Expand Down
Loading