Merge pull request #54853 from xiangpengzhao/des-netpol

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Describe NetworkPolicyEgressRule and IPBlock

**What this PR does / why we need it**:
- Describe IPBlock for NetworkPolicyIngressRule.
- Describe NetworkPolicyEgressRule
- Add test case for NetworkPolicyEgressRule
- Describe PolicyTypes

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:
/cc @thockin @caseydavenport @cmluciano 

**Release note**:

```release-note
NONE
```
Kubernetes Submit Queue 2017-11-06 13:21:19 -08:00 committed by GitHub
commit 9459f4753a
2 changed files with 135 additions and 15 deletions


@ -3090,7 +3090,7 @@ func describeNetworkPolicy(networkPolicy *networking.NetworkPolicy) (string, err
func describeNetworkPolicySpec(nps networking.NetworkPolicySpec, w PrefixWriter) {
w.Write(LEVEL_0, "Spec:\n")
w.Write(LEVEL_1, "Pod Selector: ")
w.Write(LEVEL_1, "PodSelector: ")
if len(nps.PodSelector.MatchLabels) == 0 && len(nps.PodSelector.MatchExpressions) == 0 {
w.Write(LEVEL_2, "<none> (Allowing the specific traffic to all pods in this namespace)\n")
} else {
@ -3098,11 +3098,14 @@ func describeNetworkPolicySpec(nps networking.NetworkPolicySpec, w PrefixWriter)
}
w.Write(LEVEL_1, "Allowing ingress traffic:\n")
printNetworkPolicySpecIngressFrom(nps.Ingress, " ", w)
w.Write(LEVEL_1, "Allowing egress traffic:\n")
printNetworkPolicySpecEgressTo(nps.Egress, " ", w)
w.Write(LEVEL_1, "Policy Types: %v\n", policyTypesToString(nps.PolicyTypes))
}
func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRule, initialIndent string, w PrefixWriter) {
if len(npirs) == 0 {
w.WriteLine("<none> (Selected pods are isolated for ingress connectivity)")
w.Write(LEVEL_0, "%s%s\n", initialIndent, "<none> (Selected pods are isolated for ingress connectivity)")
return
}
for i, npir := range npirs {
@ -3125,9 +3128,13 @@ func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRu
for _, from := range npir.From {
w.Write(LEVEL_0, "%s", initialIndent)
if from.PodSelector != nil {
w.Write(LEVEL_0, "%s: %s\n", "From Pod Selector", metav1.FormatLabelSelector(from.PodSelector))
w.Write(LEVEL_0, "%s: %s\n", "From PodSelector", metav1.FormatLabelSelector(from.PodSelector))
} else if from.NamespaceSelector != nil {
w.Write(LEVEL_0, "%s: %s\n", "From Namespace Selector", metav1.FormatLabelSelector(from.NamespaceSelector))
w.Write(LEVEL_0, "%s: %s\n", "From NamespaceSelector", metav1.FormatLabelSelector(from.NamespaceSelector))
} else if from.IPBlock != nil {
w.Write(LEVEL_0, "From IPBlock:\n")
w.Write(LEVEL_0, "%s%sCIDR: %s\n", initialIndent, initialIndent, from.IPBlock.CIDR)
w.Write(LEVEL_0, "%s%sExcept: %v\n", initialIndent, initialIndent, strings.Join(from.IPBlock.Except, ", "))
}
}
}
@ -3137,6 +3144,47 @@ func printNetworkPolicySpecIngressFrom(npirs []networking.NetworkPolicyIngressRu
}
}
func printNetworkPolicySpecEgressTo(npers []networking.NetworkPolicyEgressRule, initialIndent string, w PrefixWriter) {
if len(npers) == 0 {
w.Write(LEVEL_0, "%s%s\n", initialIndent, "<none> (Selected pods are isolated for egress connectivity)")
return
}
for i, nper := range npers {
if len(nper.Ports) == 0 {
w.Write(LEVEL_0, "%s%s\n", initialIndent, "To Port: <any> (traffic allowed to all ports)")
} else {
for _, port := range nper.Ports {
var proto api.Protocol
if port.Protocol != nil {
proto = *port.Protocol
} else {
proto = api.ProtocolTCP
}
w.Write(LEVEL_0, "%s%s: %s/%s\n", initialIndent, "To Port", port.Port, proto)
}
}
if len(nper.To) == 0 {
w.Write(LEVEL_0, "%s%s\n", initialIndent, "To: <any> (traffic not restricted by source)")
} else {
for _, to := range nper.To {
w.Write(LEVEL_0, "%s", initialIndent)
if to.PodSelector != nil {
w.Write(LEVEL_0, "%s: %s\n", "To PodSelector", metav1.FormatLabelSelector(to.PodSelector))
} else if to.NamespaceSelector != nil {
w.Write(LEVEL_0, "%s: %s\n", "To NamespaceSelector", metav1.FormatLabelSelector(to.NamespaceSelector))
} else if to.IPBlock != nil {
w.Write(LEVEL_0, "To IPBlock:\n")
w.Write(LEVEL_0, "%s%sCIDR: %s\n", initialIndent, initialIndent, to.IPBlock.CIDR)
w.Write(LEVEL_0, "%s%sExcept: %v\n", initialIndent, initialIndent, strings.Join(to.IPBlock.Except, ", "))
}
}
}
if i != len(npers)-1 {
w.Write(LEVEL_0, "%s%s\n", initialIndent, "----------")
}
}
}
type StorageClassDescriber struct {
clientset.Interface
}
@ -3317,13 +3365,6 @@ func describePodSecurityPolicy(psp *extensions.PodSecurityPolicy) (string, error
})
}
func stringOrAll(s string) string {
if len(s) > 0 {
return s
}
return "*"
}
func stringOrNone(s string) string {
if len(s) > 0 {
return s
@ -3387,6 +3428,18 @@ func capsToString(caps []api.Capability) string {
return stringOrNone(formattedString)
}
func policyTypesToString(pts []networking.PolicyType) string {
formattedString := ""
if pts != nil {
strPts := []string{}
for _, p := range pts {
strPts = append(strPts, string(p))
}
formattedString = strings.Join(strPts, ", ")
}
return stringOrNone(formattedString)
}
// newErrNoDescriber creates a new ErrNoDescriber with the names of the provided types.
func newErrNoDescriber(types ...reflect.Type) error {
names := make([]string, 0, len(types))
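Review bot: The empty-peer message in `printNetworkPolicySpecEgressTo` reads `To: <any> (traffic not restricted by source)`, but an egress rule's `To` list restricts destinations, so an operator auditing `kubectl describe networkpolicy` is told the wrong thing; it should read `To: <any> (traffic not restricted by destination)`. The same function formats `port.Port` with `%s`, and since `Port` is a pointer that the API treats as optional (nil meaning every port of the protocol, if I read the type correctly), a nil value will render as `<nil>/TCP`; a guard such as `if port.Port == nil { w.Write(LEVEL_0, "%s%s: <any>/%s\n", initialIndent, "To Port", proto); continue }` before the Write would match the other `<any>` placeholders the describer already uses. Both concerns also apply to the pre-existing ingress port loop, which lies outside this hunk.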


@ -1682,16 +1682,32 @@ Created on: 2017-06-04 21:45:56 -0700 PDT
Labels: <none>
Annotations: <none>
Spec:
Pod Selector: foo in (bar1,bar2),foo2 notin (bar1,bar2),id1=app1,id2=app2
PodSelector: foo in (bar1,bar2),foo2 notin (bar1,bar2),id1=app1,id2=app2
Allowing ingress traffic:
To Port: 80/TCP
To Port: 82/TCP
From Pod Selector: id=app2,id2=app3
From Namespace Selector: id=app2,id2=app3
From Namespace Selector: foo in (bar1,bar2),id=app2,id2=app3
From PodSelector: id=app2,id2=app3
From NamespaceSelector: id=app2,id2=app3
From NamespaceSelector: foo in (bar1,bar2),id=app2,id2=app3
From IPBlock:
CIDR: 192.168.0.0/16
Except: 192.168.3.0/24, 192.168.4.0/24
----------
To Port: <any> (traffic allowed to all ports)
From: <any> (traffic not restricted by source)
Allowing egress traffic:
To Port: 80/TCP
To Port: 82/TCP
To PodSelector: id=app2,id2=app3
To NamespaceSelector: id=app2,id2=app3
To NamespaceSelector: foo in (bar1,bar2),id=app2,id2=app3
To IPBlock:
CIDR: 192.168.0.0/16
Except: 192.168.3.0/24, 192.168.4.0/24
----------
To Port: <any> (traffic allowed to all ports)
To: <any> (traffic not restricted by source)
Policy Types: Ingress, Egress
`
port80 := intstr.FromInt(80)
@ -1749,10 +1765,61 @@ Spec:
},
},
},
{
IPBlock: &networking.IPBlock{
CIDR: "192.168.0.0/16",
Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
},
},
},
},
{},
},
Egress: []networking.NetworkPolicyEgressRule{
{
Ports: []networking.NetworkPolicyPort{
{Port: &port80},
{Port: &port82, Protocol: &protoTCP},
},
To: []networking.NetworkPolicyPeer{
{
PodSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "app2",
"id2": "app3",
},
},
},
{
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "app2",
"id2": "app3",
},
},
},
{
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "app2",
"id2": "app3",
},
MatchExpressions: []metav1.LabelSelectorRequirement{
{Key: "foo", Operator: "In", Values: []string{"bar1", "bar2"}},
},
},
},
{
IPBlock: &networking.IPBlock{
CIDR: "192.168.0.0/16",
Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
},
},
},
},
{},
},
PolicyTypes: []networking.PolicyType{networking.PolicyTypeIngress, networking.PolicyTypeEgress},
},
})
d := NetworkPolicyDescriber{versionedFake}
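Review bot: The new egress fixture only exercises ports with `Port` set (`&port80`, `&port82`), so a `NetworkPolicyPort` carrying only a `Protocol` never reaches `printNetworkPolicySpecEgressTo` and its rendering is left unpinned by the golden output. Adding a third entry along the lines of `{Protocol: &protoTCP}` together with the expected `To Port:` line would lock that case down. The golden string also pins `To: <any> (traffic not restricted by source)` for egress; since egress peers describe destinations, that expected line should change together with the describer if its wording is corrected. The enclosing test function starts before this hunk.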