netpol

package
v0.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 8, 2021 License: MIT Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	SCTP        = v1.ProtocolSCTP
	TCP         = v1.ProtocolTCP
	UDP         = v1.ProtocolUDP
	Port53      = intstr.FromInt(53)
	Port80      = intstr.FromInt(80)
	Port443     = intstr.FromInt(443)
	Port988     = intstr.FromInt(988)
	Port9001Ref = intstr.FromInt(9001)
	PortHello   = intstr.FromString("hello")
)
View Source
var (
	LabelsAB = map[string]string{"a": "b"}
	LabelsCD = map[string]string{"b": "d"}
	LabelsEF = map[string]string{"e": "f"}
	LabelsGH = map[string]string{"g": "g"}

	SelectorAB = &metav1.LabelSelector{
		MatchLabels: LabelsAB,
	}
	SelectorCD = &metav1.LabelSelector{
		MatchLabels: LabelsCD,
	}
	SelectorEF = &metav1.LabelSelector{
		MatchLabels: LabelsEF,
	}
	SelectorGH = &metav1.LabelSelector{
		MatchLabels: LabelsGH,
	}

	SelectorEmpty = &metav1.LabelSelector{}

	Namespace = "pathological-namespace"

	IPBlock_10_0_0_1_24 = &networkingv1.IPBlock{CIDR: "10.0.0.1/24",
		Except: []string{
			"10.0.0.2/30",
		},
	}

	IPBlock_192_168_242_213_24 = &networkingv1.IPBlock{CIDR: "192.168.242.213/24"}
)
View Source
var AllExamples = []*networkingv1.NetworkPolicy{
	AllowNothingTo("default", map[string]string{"app": "web"}),
	AllowNothingToEmptyIngress("default", label("all", "web")),
	AllowFromTo("default", map[string]string{"app": "bookstore"}, map[string]string{"app": "bookstore", "role": "api"}),
	AllowAllTo("default", map[string]string{"app": "web"}),
	AllowNothingToAnything("default"),
	AllowAllWithinNamespace("default"),
	AccidentalAnd("default", label("a", "b"), label("user", "alice"), label("role", "client")),
	AccidentalOr("default", label("a", "b"), label("user", "alice"), label("role", "client")),
	AllowAllTo_Version2("default", label("app", "web")),
	AllowAllTo_Version3("default", label("app", "web")),
	AllowAllTo_Version4("default", label("app", "web")),
	AllowFromNamespaceTo("default", label("purpose", "production"), label("app", "web")),
	AllowFromDifferentNamespaceWithLabelsTo("default", label("type", "monitoring"), label("team", "operations"), label("app", "web")),
	AllowFromAnywhere("default", label("app", "web")),
	AllowSpecificPortTo("default", label("role", "monitoring"), label("app", "apiserver"), 5000),
	AllowFromMultipleTo(
		"default",
		[]map[string]string{
			{"app": "bookstore", "role": "search"},
			{"app": "bookstore", "role": "api"},
			{"app": "inventory", "role": "web"},
		},
		map[string]string{"app": "bookstore", "role": "db"}),
	AllowNoEgressFromLabels("default", label("app", "foo")),
	AllowEgressOnPort("default", label("app", "foo"), 53),
	AllowNoEgressFromNamespace("default"),
	AllowEgressToAllNamespacesOnPort("default", label("app", "foo"), 53),
	AllowNoIngressNorEgress("default", label("app", "foo")),
}
View Source
var AllowAllEgress = &networkingv1.NetworkPolicy{
	ObjectMeta: metav1.ObjectMeta{
		Name:      "allow-all-egress",
		Namespace: Namespace,
	},
	Spec: networkingv1.NetworkPolicySpec{
		PodSelector: metav1.LabelSelector{},
		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
		Egress: []networkingv1.NetworkPolicyEgressRule{
			{},
		},
	},
}
View Source
var AllowAllIngress = &networkingv1.NetworkPolicy{
	ObjectMeta: metav1.ObjectMeta{
		Name:      "allow-all-ingress",
		Namespace: Namespace,
	},
	Spec: networkingv1.NetworkPolicySpec{
		PodSelector: metav1.LabelSelector{},
		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
		Ingress: []networkingv1.NetworkPolicyIngressRule{
			{},
		},
	},
}
View Source
var AllowAllIngressAllowAllEgress = &networkingv1.NetworkPolicy{
	ObjectMeta: metav1.ObjectMeta{
		Name:      "allow-all-ingress-allow-all-egress",
		Namespace: Namespace,
	},
	Spec: networkingv1.NetworkPolicySpec{
		PodSelector: metav1.LabelSelector{},
		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress},
		Egress: []networkingv1.NetworkPolicyEgressRule{
			{},
		},
		Ingress: []networkingv1.NetworkPolicyIngressRule{
			{},
		},
	},
}
View Source
var AllowAllPodsInAllNamespacesPeer = networkingv1.NetworkPolicyPeer{
	PodSelector:       nil,
	NamespaceSelector: &metav1.LabelSelector{},
}
View Source
var AllowAllPodsInAllNamespacesPeer_EmptyPodSelector = networkingv1.NetworkPolicyPeer{
	PodSelector:       &metav1.LabelSelector{},
	NamespaceSelector: &metav1.LabelSelector{},
}
View Source
var AllowAllPodsInMatchingNamespacesPeer = networkingv1.NetworkPolicyPeer{
	PodSelector:       nil,
	NamespaceSelector: SelectorAB,
}
View Source
var AllowAllPodsInMatchingNamespacesPeer_EmptyPodSelector = networkingv1.NetworkPolicyPeer{
	PodSelector:       &metav1.LabelSelector{},
	NamespaceSelector: SelectorAB,
}
View Source
var AllowAllPodsInPolicyNamespacePeer = networkingv1.NetworkPolicyPeer{
	PodSelector:       nil,
	NamespaceSelector: nil,
}
View Source
var AllowAllPodsInPolicyNamespacePeer_EmptyPodSelector = networkingv1.NetworkPolicyPeer{
	PodSelector:       &metav1.LabelSelector{},
	NamespaceSelector: nil,
}
View Source
var AllowAllPortsOnProtocol = networkingv1.NetworkPolicyPort{
	Protocol: &SCTP,
	Port:     nil,
}
View Source
var AllowIPBlockPeer = networkingv1.NetworkPolicyPeer{
	IPBlock: IPBlock_10_0_0_1_24,
}
View Source
var AllowMatchingPodsInAllNamespacesPeer = networkingv1.NetworkPolicyPeer{
	PodSelector:       SelectorEF,
	NamespaceSelector: &metav1.LabelSelector{},
}
View Source
var AllowMatchingPodsInMatchingNamespacesPeer = networkingv1.NetworkPolicyPeer{
	PodSelector:       SelectorGH,
	NamespaceSelector: SelectorAB,
}
View Source
var AllowMatchingPodsInPolicyNamespacePeer = networkingv1.NetworkPolicyPeer{
	PodSelector:       SelectorCD,
	NamespaceSelector: nil,
}
View Source
var AllowNamedPortOnProtocol = networkingv1.NetworkPolicyPort{
	Protocol: &UDP,
	Port:     &PortHello,
}
View Source
var AllowNoEgress = &networkingv1.NetworkPolicy{
	ObjectMeta: metav1.ObjectMeta{
		Name:      "allow-no-egress",
		Namespace: Namespace,
	},
	Spec: networkingv1.NetworkPolicySpec{
		PodSelector: metav1.LabelSelector{},
		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
	},
}
View Source
var AllowNoEgress_EmptyEgress = &networkingv1.NetworkPolicy{
	ObjectMeta: metav1.ObjectMeta{
		Name:      "allow-no-egress-empty-egress",
		Namespace: Namespace,
	},
	Spec: networkingv1.NetworkPolicySpec{
		PodSelector: metav1.LabelSelector{},
		Egress:      []networkingv1.NetworkPolicyEgressRule{},
		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
	},
}
View Source
var AllowNoIngress = &networkingv1.NetworkPolicy{
	ObjectMeta: metav1.ObjectMeta{
		Name:      "allow-no-ingress",
		Namespace: Namespace,
	},
	Spec: networkingv1.NetworkPolicySpec{
		PodSelector: metav1.LabelSelector{},
		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
	},
}
View Source
var AllowNoIngressAllowNoEgress = &networkingv1.NetworkPolicy{
	ObjectMeta: metav1.ObjectMeta{
		Name:      "allow-no-ingress-allow-no-egress",
		Namespace: Namespace,
	},
	Spec: networkingv1.NetworkPolicySpec{
		PodSelector: metav1.LabelSelector{},
		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress},
	},
}
View Source
var AllowNoIngressAllowNoEgress_EmptyEgressEmptyIngress = &networkingv1.NetworkPolicy{
	ObjectMeta: metav1.ObjectMeta{
		Name:      "allow-no-ingress-allow-no-egress-empty-egress-empty-ingress",
		Namespace: Namespace,
	},
	Spec: networkingv1.NetworkPolicySpec{
		PodSelector: metav1.LabelSelector{},
		Ingress:     []networkingv1.NetworkPolicyIngressRule{},
		Egress:      []networkingv1.NetworkPolicyEgressRule{},
		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress},
	},
}
View Source
var AllowNoIngress_EmptyIngress = &networkingv1.NetworkPolicy{
	ObjectMeta: metav1.ObjectMeta{
		Name:      "allow-no-ingress-empty-ingress",
		Namespace: Namespace,
	},
	Spec: networkingv1.NetworkPolicySpec{
		PodSelector: metav1.LabelSelector{},
		Ingress:     []networkingv1.NetworkPolicyIngressRule{},
		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
	},
}
View Source
var AllowNumberedPortOnProtocol = networkingv1.NetworkPolicyPort{
	Protocol: &TCP,
	Port:     &Port9001Ref,
}

Functions

func AccidentalAnd added in v0.0.8

func AccidentalAnd(namespace string, targetLabels, ingressNamespaceLabels, ingressPodLabels map[string]string) *networkingv1.NetworkPolicy

https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors

ingress:
- from:
  - namespaceSelector:
      matchLabels:
        user: alice
    podSelector:
      matchLabels:
        role: client

func AccidentalOr added in v0.0.8

func AccidentalOr(namespace string, targetLabels, ingressNamespaceLabels, ingressPodLabels map[string]string) *networkingv1.NetworkPolicy

https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors

ingress:
- from:
  - namespaceSelector:
      matchLabels:
        user: alice
  - podSelector:
      matchLabels:
        role: client

func AllowAllEgressNetworkingPolicy added in v0.0.8

func AllowAllEgressNetworkingPolicy(namespace string) *networkingv1.NetworkPolicy

func AllowAllIngressNetworkingPolicy added in v0.0.8

func AllowAllIngressNetworkingPolicy(namespace string) *networkingv1.NetworkPolicy

func AllowAllTo added in v0.0.8

func AllowAllTo(namespace string, toLabels map[string]string) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/02a-allow-all-traffic-to-an-application.md

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

name: web-allow-all
Namespace: default

spec:

podSelector:
  matchLabels:
    app: web
ingress:
- {}

func AllowAllTo_Version2 added in v0.0.8

func AllowAllTo_Version2(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/05-allow-traffic-from-all-namespaces.md

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

Namespace: secondary
name: web-allow-all-namespaces

spec:

podSelector:
  matchLabels:
    app: web
ingress:
- from:
  - namespaceSelector: {}

func AllowAllTo_Version3 added in v0.0.8

func AllowAllTo_Version3(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

Namespace: secondary
name: web-allow-all-namespaces

spec:

podSelector:
  matchLabels:
    app: web
ingress:
- from:

func AllowAllTo_Version4 added in v0.0.8

func AllowAllTo_Version4(namespace string, toLabels map[string]string) *networkingv1.NetworkPolicy

func AllowAllWithinNamespace added in v0.0.8

func AllowAllWithinNamespace(namespace string) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/04-deny-traffic-from-other-namespaces.md

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

Namespace: secondary
name: deny-from-other-namespaces

spec:

podSelector:
  matchLabels:
ingress:
- from:
  - podSelector: {}

func AllowEgressOnPort added in v0.0.8

func AllowEgressOnPort(namespace string, targetLabels map[string]string, port int) *networkingv1.NetworkPolicy

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata:

name: foo-deny-egress

spec:

podSelector:
  matchLabels:
    app: foo
policyTypes:
- Egress
egress:
# allow DNS resolution
- ports:
  - port: 53
    protocol: UDP
  - port: 53
    protocol: TCP

func AllowEgressToAllNamespacesOnPort added in v0.0.8

func AllowEgressToAllNamespacesOnPort(namespace string, targetLabels map[string]string, port int) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/14-deny-external-egress-traffic.md

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata:

name: foo-deny-external-egress

spec:

podSelector:
  matchLabels:
    app: foo
policyTypes:
- Egress
egress:
- ports:
  - port: 53
    protocol: UDP
  - port: 53
    protocol: TCP
  to:
  - namespaceSelector: {}

func AllowFromAnywhere added in v0.0.8

func AllowFromAnywhere(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/08-allow-external-traffic.md

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

name: web-allow-external

spec:

podSelector:
  matchLabels:
    app: web
ingress:
- from: []

func AllowFromDifferentNamespaceWithLabelsTo added in v0.0.8

func AllowFromDifferentNamespaceWithLabelsTo(namespace string, fromLabels, namespaceLabels, toLabels map[string]string) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/07-allow-traffic-from-some-pods-in-another-namespace.md

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

name: web-allow-all-ns-monitoring
Namespace: default

spec:

podSelector:
  matchLabels:
    app: web
ingress:
  - from:
    - namespaceSelector:     # chooses all pods in namespaces labelled with team=operations
        matchLabels:
          team: operations
      podSelector:           # chooses pods with type=monitoring
        matchLabels:
          type: monitoring

func AllowFromMultipleTo added in v0.0.8

func AllowFromMultipleTo(namespace string, fromLabels []map[string]string, targetLabels map[string]string) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/10-allowing-traffic-with-multiple-selectors.md

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

name: redis-allow-services

spec:

podSelector:
  matchLabels:
    app: bookstore
    role: db
ingress:
- from:
  - podSelector:
      matchLabels:
        app: bookstore
        role: search
  - podSelector:
      matchLabels:
        app: bookstore
        role: api
  - podSelector:
      matchLabels:
        app: inventory
        role: web

func AllowFromNamespaceTo added in v0.0.8

func AllowFromNamespaceTo(namespace string, namespaceLabels map[string]string, toLabels map[string]string) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/06-allow-traffic-from-a-namespace.md

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

name: web-allow-prod

spec:

podSelector:
  matchLabels:
    app: web
ingress:
- from:
  - namespaceSelector:
      matchLabels:
        purpose: production

func AllowFromTo added in v0.0.8

func AllowFromTo(namespace string, fromLabels map[string]string, toLabels map[string]string) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/02-limit-traffic-to-an-application.md

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

name: api-allow

spec:

podSelector:
  matchLabels:
    app: bookstore
    role: api
ingress:
- from:
    - podSelector:
        matchLabels:
          app: bookstore

func AllowFromToNsLabels added in v0.0.8

func AllowFromToNsLabels(namespace string, selector metav1.LabelSelector, nsLabels map[string]string) *networkingv1.NetworkPolicy

func AllowNoEgressFromLabels added in v0.0.8

func AllowNoEgressFromLabels(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/11-deny-egress-traffic-from-an-application.md

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata:

name: foo-deny-egress

spec:

podSelector:
  matchLabels:
    app: foo
policyTypes:
- Egress
egress: []

func AllowNoEgressFromNamespace added in v0.0.8

func AllowNoEgressFromNamespace(namespace string) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/12-deny-all-non-whitelisted-traffic-from-the-namespace.md

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

name: default-deny-all-egress
Namespace: default

spec:

policyTypes:
- Egress
podSelector: {}
egress: []

func AllowNoIngressNorEgress added in v0.0.8

func AllowNoIngressNorEgress(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata:

name: allow-nothing

spec:

podSelector:
  matchLabels:
    app: foo
policyTypes:
- Egress
- Ingress

func AllowNothingFrom added in v0.0.8

func AllowNothingFrom(namespace string, selector metav1.LabelSelector) *networkingv1.NetworkPolicy

func AllowNothingTo added in v0.0.8

func AllowNothingTo(namespace string, toLabels map[string]string) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/01-deny-all-traffic-to-an-application.md

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

name: web-deny-all

spec:

podSelector:
  matchLabels:
    app: web
ingress: []

func AllowNothingToAnything added in v0.0.8

func AllowNothingToAnything(namespace string) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/03-deny-all-non-whitelisted-traffic-in-the-namespace.md

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

name: default-deny-all
Namespace: default

spec:

podSelector: {}
ingress: []

func AllowNothingToEmptyIngress added in v0.0.8

func AllowNothingToEmptyIngress(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy

Same as above, but with empty slice instead of nil slice

func AllowSpecificPortTo added in v0.0.8

func AllowSpecificPortTo(namespace string, fromLabels, targetLabels map[string]string, targetPort int) *networkingv1.NetworkPolicy

https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/09-allow-traffic-only-to-a-port.md

kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:

name: api-allow-5000

spec:

podSelector:
  matchLabels:
    app: apiserver
ingress:
- ports:
  - port: 5000
  from:
  - podSelector:
      matchLabels:
        role: monitoring

func ExampleComplicatedNetworkPolicy added in v0.0.8

func ExampleComplicatedNetworkPolicy() *networkingv1.NetworkPolicy

func LabelString added in v0.0.8

func LabelString(labels map[string]string) string

Types

type IPBlock

type IPBlock struct {
	CIDR   string
	Except []string
}

type LabelSelector

type LabelSelector struct {
	MatchLabels      map[string]string
	MatchExpressions []LabelSelectorRequirement // metav1.LabelSelectorRequirement
}

type LabelSelectorOperator

type LabelSelectorOperator string
const (
	LabelSelectorOpIn           LabelSelectorOperator = "In"
	LabelSelectorOpNotIn        LabelSelectorOperator = "NotIn"
	LabelSelectorOpExists       LabelSelectorOperator = "Exists"
	LabelSelectorOpDoesNotExist LabelSelectorOperator = "DoesNotExist"
)

type LabelSelectorRequirement

type LabelSelectorRequirement struct {
	Key      string
	Operator LabelSelectorOperator // metav1.LabelSelectorOperator
	Values   []string
}

type NetworkPolicyEgressRule

type NetworkPolicyEgressRule struct {
	Ports []NetworkPolicyPort
	To    []NetworkPolicyPeer
}

type NetworkPolicyIngressRule

type NetworkPolicyIngressRule struct {
	Ports []NetworkPolicyPort // networkingv1.NetworkPolicyPort
	From  []NetworkPolicyPeer // networkingv1.NetworkPolicyPeer
}

type NetworkPolicyPeer

type NetworkPolicyPeer struct {
	PodSelector       *LabelSelector // metav1.LabelSelector
	NamespaceSelector *LabelSelector // metav1.LabelSelector
	IPBlock           *IPBlock       // networkingv1.IPBlock
}

type NetworkPolicyPort

type NetworkPolicyPort struct {
	Protocol *Protocol // v1.Protocol
	Port     *intstr.IntOrString
}

type NetworkPolicySpec

type NetworkPolicySpec struct {
	PodSelector LabelSelector              // metav1.LabelSelector
	Ingress     []NetworkPolicyIngressRule // networkingv1.NetworkPolicyIngressRule
	Egress      []NetworkPolicyEgressRule  // networkingv1.NetworkPolicyEgressRule
	PolicyTypes []PolicyType               // networkingv1.PolicyType
}

type PolicyType

type PolicyType string
const (
	PolicyTypeIngress PolicyType = "Ingress"
	PolicyTypeEgress  PolicyType = "Egress"
)

type Protocol

type Protocol string
const (
	ProtocolTCP  Protocol = "TCP"
	ProtocolUDP  Protocol = "UDP"
	ProtocolSCTP Protocol = "SCTP"
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL