From 512da2bb2035fd730b82b2880578875dcbe28005 Mon Sep 17 00:00:00 2001
From: ushabelgur
Date: Fri, 6 Dec 2024 11:29:27 +0530
Subject: [PATCH] create default network policy for shoot

---
 pkg/apis/ironcore/types_infrastructure.go | 4 ++
 .../ironcore/v1alpha1/types_infrastructure.go | 4 ++
 .../v1alpha1/zz_generated.conversion.go | 5 ++
 .../v1alpha1/zz_generated.deepcopy.go | 7 +++
 pkg/apis/ironcore/zz_generated.deepcopy.go | 7 +++
 .../infrastructure/actuator_reconcile.go | 55 ++++++++++++++++++-
 .../infrastructure/actuator_reconcile_test.go | 41 +++++++++++++-
 7 files changed, 120 insertions(+), 3 deletions(-)

diff --git a/pkg/apis/ironcore/types_infrastructure.go b/pkg/apis/ironcore/types_infrastructure.go
index eec8842d..ba7685ad 100644
--- a/pkg/apis/ironcore/types_infrastructure.go
+++ b/pkg/apis/ironcore/types_infrastructure.go
@@ -21,6 +21,8 @@ type InfrastructureConfig struct {
 // NATPortsPerNetworkInterface defines the minimum number of ports per network interface the NAT gateway should use.
 // Has to be a power of 2. If empty, 2048 is the default.
 NATPortsPerNetworkInterface *int32
+ //NetworkPolicy is reference to the NetworkPolicy to use for the Shoot creation.
+ NetworkPolicyRef *commonv1alpha1.LocalUIDReference
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -35,4 +37,6 @@ type InfrastructureStatus struct {
 NATGatewayRef commonv1alpha1.LocalUIDReference
 // PrefixRef is the reference to the Prefix used
 PrefixRef commonv1alpha1.LocalUIDReference
+ //NetworkPolicy is reference to the NetworkPolicy defined
+ NetworkPolicyRef commonv1alpha1.LocalUIDReference
 }
diff --git a/pkg/apis/ironcore/v1alpha1/types_infrastructure.go b/pkg/apis/ironcore/v1alpha1/types_infrastructure.go
index 58c3ffb0..f205e092 100644
--- a/pkg/apis/ironcore/v1alpha1/types_infrastructure.go
+++ b/pkg/apis/ironcore/v1alpha1/types_infrastructure.go
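Review bot: The doc comments on both added `NetworkPolicyRef` fields start with the wrong identifier (`//NetworkPolicy is ...`) and have no space after `//`, so godoc and the linters will not treat them as the field's documentation; the same two comments are repeated in the v1alpha1 copy in the next file's two hunks. The config comment should also state what setting the reference changes, because from the actuator hunk a set `NetworkPolicyRef` makes the provider look up an existing NetworkPolicy instead of creating its own default one, which is the contract a shoot operator needs to know before pointing it at a more permissive policy. Suggested config comment: `// NetworkPolicyRef references an existing NetworkPolicy in the infrastructure namespace to use for the shoot instead of the default policy the provider creates.` and status comment: `// NetworkPolicyRef is the reference to the NetworkPolicy applied to the shoot's network interfaces.`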
@@ -21,6 +21,8 @@ type InfrastructureConfig struct {
 // NATPortsPerNetworkInterface defines the minimum number of ports per network interface the NAT gateway should use.
 // Has to be a power of 2. If empty, 2048 is the default.
 NATPortsPerNetworkInterface *int32 `json:"natPortsPerNetworkInterface,omitempty"`
+ //NetworkPolicy is reference to the NetworkPolicy to use for the Shoot creation.
+ NetworkPolicyRef *commonv1alpha1.LocalUIDReference `json:"networkPolicyRef,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -35,4 +37,6 @@ type InfrastructureStatus struct {
 NATGatewayRef commonv1alpha1.LocalUIDReference `json:"natGatewayRef,omitempty"`
 // PrefixRef is the reference to the Prefix used
 PrefixRef commonv1alpha1.LocalUIDReference `json:"prefixRef,omitempty"`
+ //NetworkPolicy is reference to the NetworkPolicy defined
+ NetworkPolicyRef commonv1alpha1.LocalUIDReference `json:"networkPolicyRef,omitempty"`
 }
diff --git a/pkg/apis/ironcore/v1alpha1/zz_generated.conversion.go b/pkg/apis/ironcore/v1alpha1/zz_generated.conversion.go
index 3409dc4f..06b66c95 100644
--- a/pkg/apis/ironcore/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/ironcore/v1alpha1/zz_generated.conversion.go
@@ -12,6 +12,7 @@ import (
 unsafe "unsafe"
 
 ironcore "github.com/ironcore-dev/gardener-extension-provider-ironcore/pkg/apis/ironcore"
+ commonv1alpha1 "github.com/ironcore-dev/ironcore/api/common/v1alpha1"
 v1 "k8s.io/api/core/v1"
 conversion "k8s.io/apimachinery/pkg/conversion"
 runtime "k8s.io/apimachinery/pkg/runtime"
@@ -218,6 +219,7 @@ func Convert_ironcore_ControlPlaneConfig_To_v1alpha1_ControlPlaneConfig(in *iron func autoConvert_v1alpha1_InfrastructureConfig_To_ironcore_InfrastructureConfig(in *InfrastructureConfig, out *ironcore.InfrastructureConfig, s conversion.Scope) error { out.NetworkRef = (*v1.LocalObjectReference)(unsafe.Pointer(in.NetworkRef)) out.NATPortsPerNetworkInterface = (*int32)(unsafe.Pointer(in.NATPortsPerNetworkInterface)) + out.NetworkPolicyRef = (*commonv1alpha1.LocalUIDReference)(unsafe.Pointer(in.NetworkPolicyRef)) return nil } @@ -229,6 +231,7 @@ func Convert_v1alpha1_InfrastructureConfig_To_ironcore_InfrastructureConfig(in * func autoConvert_ironcore_InfrastructureConfig_To_v1alpha1_InfrastructureConfig(in *ironcore.InfrastructureConfig, out *InfrastructureConfig, s conversion.Scope) error { out.NetworkRef = (*v1.LocalObjectReference)(unsafe.Pointer(in.NetworkRef)) out.NATPortsPerNetworkInterface = (*int32)(unsafe.Pointer(in.NATPortsPerNetworkInterface)) + out.NetworkPolicyRef = (*commonv1alpha1.LocalUIDReference)(unsafe.Pointer(in.NetworkPolicyRef)) return nil } @@ -241,6 +244,7 @@ func autoConvert_v1alpha1_InfrastructureStatus_To_ironcore_InfrastructureStatus( out.NetworkRef = in.NetworkRef out.NATGatewayRef = in.NATGatewayRef out.PrefixRef = in.PrefixRef + out.NetworkPolicyRef = in.NetworkPolicyRef return nil } @@ -253,6 +257,7 @@ func autoConvert_ironcore_InfrastructureStatus_To_v1alpha1_InfrastructureStatus( out.NetworkRef = in.NetworkRef out.NATGatewayRef = in.NATGatewayRef out.PrefixRef = in.PrefixRef + out.NetworkPolicyRef = in.NetworkPolicyRef return nil } diff --git a/pkg/apis/ironcore/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/ironcore/v1alpha1/zz_generated.deepcopy.go index 5b95c1c6..8de43190 100644 --- a/pkg/apis/ironcore/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/ironcore/v1alpha1/zz_generated.deepcopy.go 
@@ -9,6 +9,7 @@ package v1alpha1 import ( + commonv1alpha1 "github.com/ironcore-dev/ironcore/api/common/v1alpha1" v1 "k8s.io/api/core/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -120,6 +121,11 @@ func (in *InfrastructureConfig) DeepCopyInto(out *InfrastructureConfig) { *out = new(int32) **out = **in } + if in.NetworkPolicyRef != nil { + in, out := &in.NetworkPolicyRef, &out.NetworkPolicyRef + *out = new(commonv1alpha1.LocalUIDReference) + **out = **in + } return } @@ -148,6 +154,7 @@ func (in *InfrastructureStatus) DeepCopyInto(out *InfrastructureStatus) { out.NetworkRef = in.NetworkRef out.NATGatewayRef = in.NATGatewayRef out.PrefixRef = in.PrefixRef + out.NetworkPolicyRef = in.NetworkPolicyRef return } diff --git a/pkg/apis/ironcore/zz_generated.deepcopy.go b/pkg/apis/ironcore/zz_generated.deepcopy.go index 66a2a788..7458d95c 100644 --- a/pkg/apis/ironcore/zz_generated.deepcopy.go +++ b/pkg/apis/ironcore/zz_generated.deepcopy.go @@ -9,6 +9,7 @@ package ironcore import ( + v1alpha1 "github.com/ironcore-dev/ironcore/api/common/v1alpha1" v1 "k8s.io/api/core/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -120,6 +121,11 @@ func (in *InfrastructureConfig) DeepCopyInto(out *InfrastructureConfig) { *out = new(int32) **out = **in } + if in.NetworkPolicyRef != nil { + in, out := &in.NetworkPolicyRef, &out.NetworkPolicyRef + *out = new(v1alpha1.LocalUIDReference) + **out = **in + } return } @@ -148,6 +154,7 @@ func (in *InfrastructureStatus) DeepCopyInto(out *InfrastructureStatus) { out.NetworkRef = in.NetworkRef out.NATGatewayRef = in.NATGatewayRef out.PrefixRef = in.PrefixRef + out.NetworkPolicyRef = in.NetworkPolicyRef return } diff --git a/pkg/controller/infrastructure/actuator_reconcile.go b/pkg/controller/infrastructure/actuator_reconcile.go index 144ac2a6..58b563df 100644 --- a/pkg/controller/infrastructure/actuator_reconcile.go +++ b/pkg/controller/infrastructure/actuator_reconcile.go 
@@ -66,10 +66,15 @@ func (a *actuator) reconcile(ctx context.Context, log logr.Logger, infra *extens
 return err
 }
 
+ networkPolicy, err := a.applyNetworkPolicy(ctx, ironcoreClient, namespace, config, cluster, network)
+ if err != nil {
+ return err
+ }
+
 log.V(2).Info("Successfully reconciled infrastructure")
 
 // update status
- return a.updateProviderStatus(ctx, infra, network, natGateway, prefix)
+ return a.updateProviderStatus(ctx, infra, network, natGateway, prefix, networkPolicy)
 }
 
 func (a *actuator) applyPrefix(ctx context.Context, ironcoreClient client.Client, namespace string, cluster *controller.Cluster) (*ipamv1alpha1.Prefix, error) {
@@ -185,6 +190,49 @@ func (a *actuator) applyNetwork(ctx context.Context, ironcoreClient client.Clien
 return network, nil
 }
 
+func (a *actuator) applyNetworkPolicy(ctx context.Context, ironcoreClient client.Client, namespace string, config *api.InfrastructureConfig, cluster *controller.Cluster, network *networkingv1alpha1.Network) (*networkingv1alpha1.NetworkPolicy, error) {
+ if config != nil && config.NetworkPolicyRef != nil {
+ networkPolicy := &networkingv1alpha1.NetworkPolicy{}
+ networkKey := client.ObjectKey{Namespace: namespace, Name: config.NetworkRef.Name}
+ if err := ironcoreClient.Get(ctx, networkKey, networkPolicy); err != nil {
+ return nil, fmt.Errorf("failed to get network policy %s: %w", networkKey, err)
+ }
+ return networkPolicy, nil
+ }
+
+ networkPolicy := &networkingv1alpha1.NetworkPolicy{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "NetworkPolicy",
+ APIVersion: "networking.ironcore.dev/v1alpha1",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: namespace,
+ Name: generateResourceNameFromCluster(cluster),
+ },
+ Spec: networkingv1alpha1.NetworkPolicySpec{
+ NetworkRef: corev1.LocalObjectReference{
+ Name: network.Name,
+ },
+ NetworkInterfaceSelector: metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ ironcore.ClusterNameLabel: cluster.ObjectMeta.Name,
+ },
+ },
+ Ingress: []networkingv1alpha1.NetworkPolicyIngressRule{},
+ Egress: []networkingv1alpha1.NetworkPolicyEgressRule{},
+ PolicyTypes: []networkingv1alpha1.PolicyType{
+ networkingv1alpha1.PolicyTypeIngress,
+ networkingv1alpha1.PolicyTypeEgress,
+ },
+ },
+ }
+
+ if _, err := controllerutil.CreateOrPatch(ctx, ironcoreClient, networkPolicy, nil); err != nil {
+ return nil, fmt.Errorf("failed to apply network policy %s: %w", client.ObjectKeyFromObject(networkPolicy), err)
+ }
+ return networkPolicy, nil
+}
+
 func generateResourceNameFromCluster(cluster *controller.Cluster) string {
 // TODO: use cluster.Name
 // alternatively shoot.status.technicalID
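Review bot: In the `config.NetworkPolicyRef != nil` branch of `applyNetworkPolicy`, the lookup key is built from `config.NetworkRef.Name` instead of `config.NetworkPolicyRef.Name`, so the referenced policy is never fetched by its own name: the Get either fails with not-found or, if a policy happens to share the network's name, silently returns the wrong object whose name and UID then land in the provider status; it also dereferences `config.NetworkRef` without the nil guard `config` itself gets. Change the line to `networkKey := client.ObjectKey{Namespace: namespace, Name: config.NetworkPolicyRef.Name}` and, since the fetched object is operator-supplied, consider rejecting it when `networkPolicy.Spec.NetworkRef.Name != network.Name` so a policy for another network cannot be recorded as this shoot's policy. The fallback object deserves a header comment naming its intent, because selecting every interface labelled `ironcore.ClusterNameLabel` with empty `Ingress`/`Egress` and both `PolicyTypes` reads as a default-deny for the shoot's interfaces if ironcore follows Kubernetes NetworkPolicy semantics (worth confirming); suggested: `// applyNetworkPolicy returns the NetworkPolicy referenced in config or, when none is set, creates/patches a default policy with no ingress and no egress rules for all interfaces carrying the cluster-name label.` A `CreateOrPatch` with a nil mutate function only ensures the object exists and never reconciles an existing policy's spec back to these defaults; if that is intended, say so in the comment.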
@@ -197,6 +245,7 @@ func (a *actuator) updateProviderStatus(
 network *networkingv1alpha1.Network,
 natGateway *networkingv1alpha1.NATGateway,
 prefix *ipamv1alpha1.Prefix,
+ networkPolicy *networkingv1alpha1.NetworkPolicy,
 ) error {
 infraStatus := &apiv1alpha1.InfrastructureStatus{
 TypeMeta: metav1.TypeMeta{
@@ -215,6 +264,10 @@ func (a *actuator) updateProviderStatus(
 Name: prefix.Name,
 UID: prefix.UID,
 },
+ NetworkPolicyRef: v1alpha1.LocalUIDReference{
+ Name: networkPolicy.Name,
+ UID: networkPolicy.UID,
+ },
 }
 infraBase := infra.DeepCopy()
 infra.Status.ProviderStatus = &runtime.RawExtension{
diff --git a/pkg/controller/infrastructure/actuator_reconcile_test.go b/pkg/controller/infrastructure/actuator_reconcile_test.go
index 5f146839..0a25e024 100644
--- a/pkg/controller/infrastructure/actuator_reconcile_test.go
+++ b/pkg/controller/infrastructure/actuator_reconcile_test.go
@@ -28,7 +28,7 @@ import (
 var _ = Describe("Infrastructure Reconcile", func() {
 ns := SetupTest()
 
- It("should create a network, natgateway and prefix for a given infrastructure configuration", func(ctx SpecContext) {
+ It("should create a network, natgateway, prefix and network policy for a given infrastructure configuration", func(ctx SpecContext) {
 By("getting the cluster object")
 cluster, err := extensionscontroller.GetCluster(ctx, k8sClient, ns.Name)
 Expect(err).NotTo(HaveOccurred())
@@ -115,6 +115,21 @@ var _ = Describe("Infrastructure Reconcile", func() {
 HaveField("Spec.Prefix", commonv1alpha1.MustParseNewIPPrefix("10.0.0.0/24")),
 ))
 
+ By("expecting a network policy being created")
+ networkPolicy := &networkingv1alpha1.NetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: ns.Name,
+ Name: generateResourceNameFromCluster(cluster),
+ },
+ }
+
+ Eventually(Object(networkPolicy)).Should(SatisfyAll(
+ HaveField("Spec.NetworkRef", corev1.LocalObjectReference{
+ Name: network.Name,
+ }),
+ HaveField("Spec.NetworkInterfaceSelector.MatchLabels", HaveKeyWithValue("extension.ironcore.dev/cluster-name", cluster.ObjectMeta.Name)),
+ ))
+
 By("ensuring that the infrastructure state contains the correct refs")
 providerStatus := map[string]interface{}{
 "apiVersion": "ironcore.provider.extensions.gardener.cloud/v1alpha1",
@@ -131,6 +146,10 @@ var _ = Describe("Infrastructure Reconcile", func() {
 "name": prefix.Name,
 "uid": prefix.UID,
 },
+ "networkPolicyRef": map[string]interface{}{
+ "name": networkPolicy.Name,
+ "uid": networkPolicy.UID,
+ },
 }
 providerStatusJSON, err := json.Marshal(providerStatus)
 Expect(err).NotTo(HaveOccurred())
@@ -139,7 +158,7 @@ var _ = Describe("Infrastructure Reconcile", func() {
 ))
 })
 
- It("should create a network, natgateway and prefix for a given infrastructure configuration", func(ctx SpecContext) {
+ It("should create a network, natgateway, prefix and network policy for a given infrastructure configuration", func(ctx SpecContext) {
 By("getting the cluster object")
 cluster, err := extensionscontroller.GetCluster(ctx, k8sClient, ns.Name)
 Expect(err).NotTo(HaveOccurred())
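Review bot: The new `Eventually(Object(networkPolicy))` assertion checks only the network reference and the interface selector, so the property the commit is about — that the created policy has both policy types and no ingress/egress rules — is not pinned anywhere; the second test (the `@@ -223,6 +242,20 @@` hunk on the next line) asserts even less, only `Spec.NetworkRef`. Add to the `SatisfyAll` here something like `HaveField("Spec.PolicyTypes", ConsistOf(networkingv1alpha1.PolicyTypeIngress, networkingv1alpha1.PolicyTypeEgress))`, `HaveField("Spec.Ingress", BeEmpty())` and `HaveField("Spec.Egress", BeEmpty())`, so a later change that loosens the default is caught. There is also no test with `NetworkPolicyRef` set in the InfrastructureConfig, so the lookup branch of `applyNetworkPolicy` is entirely unexercised. Both `It` descriptions are now identical after the rename, which makes a failure in one of them hard to attribute; name what distinguishes the second configuration.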
@@ -223,6 +242,20 @@ var _ = Describe("Infrastructure Reconcile", func() {
 HaveField("Spec.Prefix", commonv1alpha1.MustParseNewIPPrefix("10.0.0.0/24")),
 ))
 
+ By("expecting a network policy being created")
+ networkPolicy := &networkingv1alpha1.NetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: ns.Name,
+ Name: generateResourceNameFromCluster(cluster),
+ },
+ }
+
+ Eventually(Object(networkPolicy)).Should(SatisfyAll(
+ HaveField("Spec.NetworkRef", corev1.LocalObjectReference{
+ Name: network.Name,
+ }),
+ ))
+
 By("ensuring that the infrastructure state contains the correct refs")
 providerStatus := map[string]interface{}{
 "apiVersion": "ironcore.provider.extensions.gardener.cloud/v1alpha1",
@@ -239,6 +272,10 @@ var _ = Describe("Infrastructure Reconcile", func() {
 "name": prefix.Name,
 "uid": prefix.UID,
 },
+ "networkPolicyRef": map[string]interface{}{
+ "name": networkPolicy.Name,
+ "uid": networkPolicy.UID,
+ },
 }
 providerStatusJSON, err := json.Marshal(providerStatus)
 Expect(err).NotTo(HaveOccurred())