Merge pull request #193 from cloudnativelabs/ntwk-policy-cidr-selector

Support CIDR in network policy ingress and egress rules
Murali Reddy 2017-10-12 13:23:31 +05:30 committed by GitHub
commit ea459a32a9


@ -80,6 +80,7 @@ type ingressRule struct {
ports []protocolAndPort ports []protocolAndPort
matchAllSource bool matchAllSource bool
srcPods []podInfo srcPods []podInfo
cidrs []string
} }
// internal structure to represent NetworkPolicyEgressRule in the spec // internal structure to represent NetworkPolicyEgressRule in the spec
@ -88,6 +89,7 @@ type egressRule struct {
ports []protocolAndPort ports []protocolAndPort
matchAllDestinations bool matchAllDestinations bool
dstPods []podInfo dstPods []podInfo
cidrs []string
} }
type protocolAndPort struct { type protocolAndPort struct {
@ -399,6 +401,37 @@ func (npc *NetworkPolicyController) processIngressRules(policy networkPolicyInfo
return fmt.Errorf("Failed to run iptables command: %s", err.Error()) return fmt.Errorf("Failed to run iptables command: %s", err.Error())
} }
} }
for _, cidr := range ingressRule.cidrs {
if !ingressRule.matchAllPorts {
for _, portProtocol := range ingressRule.ports {
comment := "rule to ACCEPT traffic from specified CIDR's to dest pods selected by policy name: " +
policy.name + " namespace " + policy.namespace
args := []string{"-m", "comment", "--comment", comment,
"-m", "set", "--set", targetDestPodIpSetName, "dst",
"-p", portProtocol.protocol,
"--dport", portProtocol.port,
"-s", cidr,
"-j", "ACCEPT"}
err := iptablesCmdHandler.AppendUnique("filter", policyChainName, args...)
if err != nil {
return fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
}
}
if ingressRule.matchAllPorts {
comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
policy.name + " namespace " + policy.namespace
args := []string{"-m", "comment", "--comment", comment,
"-m", "set", "--set", targetDestPodIpSetName, "dst",
"-s", cidr,
"-j", "ACCEPT"}
err := iptablesCmdHandler.AppendUnique("filter", policyChainName, args...)
if err != nil {
return fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
}
}
} }
return nil return nil
@ -505,6 +538,37 @@ func (npc *NetworkPolicyController) processEgressRules(policy networkPolicyInfo,
return fmt.Errorf("Failed to run iptables command: %s", err.Error()) return fmt.Errorf("Failed to run iptables command: %s", err.Error())
} }
} }
for _, cidr := range egressRule.cidrs {
if !egressRule.matchAllPorts {
for _, portProtocol := range egressRule.ports {
comment := "rule to ACCEPT traffic from specified CIDR's to dest pods selected by policy name: " +
policy.name + " namespace " + policy.namespace
args := []string{"-m", "comment", "--comment", comment,
"-m", "set", "--set", targetSourcePodIpSetName, "src",
"-p", portProtocol.protocol,
"--dport", portProtocol.port,
"-d", cidr,
"-j", "ACCEPT"}
err := iptablesCmdHandler.AppendUnique("filter", policyChainName, args...)
if err != nil {
return fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
}
}
if egressRule.matchAllPorts {
comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
policy.name + " namespace " + policy.namespace
args := []string{"-m", "comment", "--comment", comment,
"-m", "set", "--set", targetSourcePodIpSetName, "src",
"-d", cidr,
"-j", "ACCEPT"}
err := iptablesCmdHandler.AppendUnique("filter", policyChainName, args...)
if err != nil {
return fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
}
}
} }
return nil return nil
@ -1001,6 +1065,7 @@ func buildNetworkPoliciesInfo() (*[]networkPolicyInfo, error) {
} }
ingressRule.srcPods = make([]podInfo, 0) ingressRule.srcPods = make([]podInfo, 0)
ingressRule.cidrs = make([]string, 0)
// If this field is empty or missing in the spec, this rule matches all sources // If this field is empty or missing in the spec, this rule matches all sources
if len(specIngressRule.From) == 0 { if len(specIngressRule.From) == 0 {
@ -1026,6 +1091,8 @@ func buildNetworkPoliciesInfo() (*[]networkPolicyInfo, error) {
} }
matchingPods = append(matchingPods, namespacePods...) matchingPods = append(matchingPods, namespacePods...)
} }
} else if peer.IPBlock != nil {
ingressRule.cidrs = append(ingressRule.cidrs, peer.IPBlock.CIDR)
} }
if err == nil { if err == nil {
for _, matchingPod := range matchingPods { for _, matchingPod := range matchingPods {
@ -1059,6 +1126,7 @@ func buildNetworkPoliciesInfo() (*[]networkPolicyInfo, error) {
} }
egressRule.dstPods = make([]podInfo, 0) egressRule.dstPods = make([]podInfo, 0)
egressRule.cidrs = make([]string, 0)
// If this field is empty or missing in the spec, this rule matches all sources // If this field is empty or missing in the spec, this rule matches all sources
if len(specEgressRule.To) == 0 { if len(specEgressRule.To) == 0 {
@ -1084,6 +1152,8 @@ func buildNetworkPoliciesInfo() (*[]networkPolicyInfo, error) {
} }
matchingPods = append(matchingPods, namespacePods...) matchingPods = append(matchingPods, namespacePods...)
} }
} else if peer.IPBlock != nil {
egressRule.cidrs = append(egressRule.cidrs, peer.IPBlock.CIDR)
} }
if err == nil { if err == nil {
for _, matchingPod := range matchingPods { for _, matchingPod := range matchingPods {
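Review bot: The new ipBlock handling in buildNetworkPoliciesInfo copies only `peer.IPBlock.CIDR` into the rule and silently drops `peer.IPBlock.Except`, so a policy that allows 10.0.0.0/8 except 10.0.1.0/24 is rendered by processIngressRules/processEgressRules as a plain `-s 10.0.0.0/8 -j ACCEPT`, which is strictly more permissive than what the policy author declared. Until Except is enforced (for example a hash:net ipset with the except ranges added as `nomatch` entries, or one RETURN rule per except range placed ahead of the ACCEPT), the safer failure mode is to not install the ACCEPT for that peer at all rather than widen it, e.g. guard the append with `if len(peer.IPBlock.Except) > 0 { /* log and skip: ignoring Except would over-allow */ continue }`. That `continue` presumes the append sits directly inside the range over peers; the enclosing loop in buildNetworkPoliciesInfo starts and ends outside the hunk, so confirm the control flow there. Separately, the egress comment strings were copied from the ingress path and describe the wrong direction: `"rule to ACCEPT traffic from source pods to specified CIDR's selected by policy name: "` would match what those rules do, and the ingress matchAllPorts variant should say "from specified CIDR's" rather than "from source pods".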