Add network policies for admission controller feature (#1515)

DataDog · Nov 25, 2024 · 9891de6 · 9891de6
1 parent a20d854
commit 9891de6
Showing 1 changed file with 63 additions and 1 deletion.
diff --git a/internal/controller/datadogagent/feature/admissioncontroller/feature.go b/internal/controller/datadogagent/feature/admissioncontroller/feature.go
@@ -7,15 +7,19 @@ package admissioncontroller
 
 import (
 	"encoding/json"
+	"strconv"
 
 	apicommon "github.com/DataDog/datadog-operator/api/datadoghq/common"
 	"github.com/DataDog/datadog-operator/api/datadoghq/v2alpha1"
 	apiutils "github.com/DataDog/datadog-operator/api/utils"
 	componentdca "github.com/DataDog/datadog-operator/internal/controller/datadogagent/component/clusteragent"
+	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/component/objects"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature"
+	cilium "github.com/DataDog/datadog-operator/pkg/cilium/v1"
 	"github.com/DataDog/datadog-operator/pkg/defaulting"
 
 	corev1 "k8s.io/api/core/v1"
+	netv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
@@ -38,6 +42,7 @@ type admissionControllerFeature struct {
 	registry               string
 	serviceAccountName     string
 	owner                  metav1.Object
+	networkPolicy          v2alpha1.NetworkPolicyFlavor
 
 	cwsInstrumentationEnabled bool
 	cwsInstrumentationMode    string
@@ -118,6 +123,8 @@ func (f *admissionControllerFeature) Configure(dda *v2alpha1.DatadogAgent) (reqC
 			f.cwsInstrumentationMode = apiutils.StringValue(ac.CWSInstrumentation.Mode)
 		}
 
+		_, f.networkPolicy = v2alpha1.IsNetworkPolicyEnabled(dda)
+
 		sidecarConfig := dda.Spec.Features.AdmissionController.AgentSidecarInjection
 		if shouldEnablesidecarInjection(sidecarConfig) {
 			f.agentSidecarConfig = &AgentSidecarInjectionConfig{}
@@ -224,7 +231,62 @@ func (f *admissionControllerFeature) ManageDependencies(managers feature.Resourc
 	if err := managers.RBACManager().AddClusterPolicyRules(ns, rbacName, f.serviceAccountName, getRBACClusterPolicyRules(f.webhookName, f.cwsInstrumentationEnabled, f.cwsInstrumentationMode)); err != nil {
 		return err
 	}
-	return managers.RBACManager().AddPolicyRules(ns, rbacName, f.serviceAccountName, getRBACPolicyRules())
+	if err := managers.RBACManager().AddPolicyRules(ns, rbacName, f.serviceAccountName, getRBACPolicyRules()); err != nil {
+		return err
+	}
+
+	if f.networkPolicy != "" {
+		policyName, podSelector := objects.GetNetworkPolicyMetadata(f.owner, v2alpha1.ClusterAgentComponentName)
+		switch f.networkPolicy {
+		case v2alpha1.NetworkPolicyFlavorKubernetes:
+			ingressRules := []netv1.NetworkPolicyIngressRule{
+				{
+					Ports: []netv1.NetworkPolicyPort{
+						{
+							Port: &intstr.IntOrString{
+								Type:   intstr.Int,
+								IntVal: v2alpha1.DefaultAdmissionControllerTargetPort,
+							},
+						},
+					},
+				},
+			}
+			return managers.NetworkPolicyManager().AddKubernetesNetworkPolicy(
+				policyName,
+				f.owner.GetNamespace(),
+				podSelector,
+				nil,
+				ingressRules,
+				nil,
+			)
+		case v2alpha1.NetworkPolicyFlavorCilium:
+			policySpecs := []cilium.NetworkPolicySpec{
+				{
+					Description:      "Ingress from API server for admission controller",
+					EndpointSelector: podSelector,
+					Ingress: []cilium.IngressRule{
+						{
+							FromEntities: []cilium.Entity{
+								"kube-apiserver",
+							},
+							ToPorts: []cilium.PortRule{
+								{
+									Ports: []cilium.PortProtocol{
+										{
+											Port:     strconv.Itoa(v2alpha1.DefaultAdmissionControllerTargetPort),
+											Protocol: cilium.ProtocolTCP,
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			}
+			return managers.CiliumPolicyManager().AddCiliumPolicy(policyName, f.owner.GetNamespace(), policySpecs)
+		}
+	}
+	return nil
 }
 
 func (f *admissionControllerFeature) ManageClusterAgent(managers feature.PodTemplateManagers) error {