From 8e0a554c3290e835074c6a5187c36417434ca17e Mon Sep 17 00:00:00 2001
From: Jaeryn
Date: Wed, 18 Dec 2019 19:41:30 +0000
Subject: [PATCH] apply policies in a way where the network policy may seem order agnostic

---
 npm/translatePolicy.go      | 34 ++++++++++++++++---------
 npm/translatePolicy_test.go | 50 ++++++++++++++++++-------------------
 2 files changed, 47 insertions(+), 37 deletions(-)

diff --git a/npm/translatePolicy.go b/npm/translatePolicy.go
index 1636ab64c4..373eca4c90 100644
--- a/npm/translatePolicy.go
+++ b/npm/translatePolicy.go
@@ -144,9 +144,10 @@ func craftPartialIptablesCommentFromSelector(ns string, selector *metav1.LabelSe
 func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []networkingv1.NetworkPolicyIngressRule) ([]string, []string, []*iptm.IptEntry) {
 	var (
-		sets []string // ipsets with type: net:hash
-		lists []string // ipsets with type: list:set
-		entries []*iptm.IptEntry
+		sets []string // ipsets with type: net:hash
+		lists []string // ipsets with type: list:set
+		entries []*iptm.IptEntry
+		fromRuleEntries []*iptm.IptEntry
 		addedIngressFromEntry, addedPortEntry bool // add drop entries at the end of the chain when there are non ALLOW-ALL* rules
 	)
@@ -264,7 +265,7 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 					"DROP-"+except+
 					"-TO-"+targetSelectorComment,
 				)
-				entries = append(entries, exceptEntry)
+				fromRuleEntries = append(fromRuleEntries, exceptEntry)
 			}
 			addedIngressFromEntry = true
 		}
@@ -295,7 +296,7 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 					"-:-"+craftPartialIptablesCommentFromPort(portRule, util.IptablesDstPortFlag)+
 					"-TO-"+targetSelectorComment,
 				)
-				entries = append(entries, entry)
+				fromRuleEntries = append(fromRuleEntries, entry)
 			}
 		} else {
 			cidrEntry := &iptm.IptEntry{
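Review bot: The new `fromRuleEntries` declaration in the `var` block of translateIngress is the only member of the group without an explanatory comment, while `sets`, `lists` and the two bool flags each carry one, and since the whole point of the patch is that these entries are held back and emitted later, that belongs at the declaration. The three call sites visible in this patch that feed it (the except DROP, the port entry and the CIDR ALLOW) all sit in the IPBlock branch, so something like `fromRuleEntries []*iptm.IptEntry // IPBlock-derived entries, held back and appended after the selector-based entries` would fit; confirm against the rest of the function that nothing else is routed through it. The hunk header counts nine old lines but only seven are visible, so the two leading context lines appear to have been lost in transit, and translateIngress's body runs well past this hunk.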
@@ -317,7 +318,7 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 				"ALLOW-"+fromRule.IPBlock.CIDR+
 				"-TO-"+targetSelectorComment,
 			)
-			entries = append(entries, cidrEntry)
+			fromRuleEntries = append(fromRuleEntries, cidrEntry)
 			addedIngressFromEntry = true
 		}
 	}
@@ -569,6 +570,10 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 		}
 	}
 
+	if len(fromRuleEntries) > 0 {
+		entries = append(entries, fromRuleEntries...)
+	}
+
 	if addedPortEntry && !addedIngressFromEntry {
 		entry := &iptm.IptEntry{
 			Chain: util.IptablesAzureIngressPortChain,
@@ -627,9 +632,10 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []networkingv1.NetworkPolicyEgressRule) ([]string, []string, []*iptm.IptEntry) {
 	var (
-		sets []string // ipsets with type: net:hash
-		lists []string // ipsets with type: list:set
-		entries []*iptm.IptEntry
+		sets []string // ipsets with type: net:hash
+		lists []string // ipsets with type: list:set
+		entries []*iptm.IptEntry
+		toRuleEntries []*iptm.IptEntry
 		addedEgressToEntry, addedPortEntry bool // add drop entry when there are non ALLOW-ALL* rules
 	)
@@ -742,7 +748,7 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 					"DROP-"+except+
 					"-FROM-"+targetSelectorComment,
 				)
-				entries = append(entries, exceptEntry)
+				toRuleEntries = append(toRuleEntries, exceptEntry)
 			}
 			addedEgressToEntry = true
 		}
@@ -773,7 +779,7 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 					"-:-"+craftPartialIptablesCommentFromPort(portRule, util.IptablesDstPortFlag)+
 					"-FROM-"+targetSelectorComment,
 				)
-				entries = append(entries, entry)
+				toRuleEntries = append(toRuleEntries, entry)
 			}
 		} else {
 			cidrEntry := &iptm.IptEntry{
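Review bot: The `if len(fromRuleEntries) > 0` guard added at line 573 of translateIngress is redundant — appending a nil or empty slice with `append(entries, fromRuleEntries...)` is already a no-op — so the block collapses to the single line `entries = append(entries, fromRuleEntries...)`. What the reader actually needs there is the reason for the deferral, which currently lives only in the commit title; a why-comment such as `// IPBlock-derived entries are emitted after the selector-based ones so the chain order does not depend on the order of from-rules in the policy` would carry it. Be aware this also moves the except DROP entries behind every ALLOW accumulated earlier in the function; that is only safe if no earlier ALLOW in the same chain can match an excepted source, which these hunks cannot confirm. The function's body on both sides of this hunk is outside the patch.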
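Review bot: `toRuleEntries` in translateEgress's `var` block is declared without a comment although the neighbouring `sets`, `lists` and bool flags each have one, and the mirror-image ingress field has the same gap. The call sites visible in this patch that feed it (except DROP, port entry, CIDR ALLOW) are all in the IPBlock branch, so `toRuleEntries []*iptm.IptEntry // IPBlock-derived entries, held back and appended after the selector-based entries` describes it; verify against the rest of the function that nothing else is routed through it. As with the ingress hunk, the header counts nine old lines but seven are visible, so the leading context appears lost; translateEgress continues past this hunk.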
@@ -798,7 +804,7 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 				"ALLOW-"+toRule.IPBlock.CIDR+
 				"-FROM-"+targetSelectorComment,
 			)
-			entries = append(entries, cidrEntry)
+			toRuleEntries = append(toRuleEntries, cidrEntry)
 			addedEgressToEntry = true
 		}
 	}
@@ -1051,6 +1057,10 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 		}
 	}
 
+	if len(toRuleEntries) > 0 {
+		entries = append(entries, toRuleEntries...)
+	}
+
 	if addedPortEntry && !addedEgressToEntry {
 		entry := &iptm.IptEntry{
 			Chain: util.IptablesAzureEgressPortChain,
diff --git a/npm/translatePolicy_test.go b/npm/translatePolicy_test.go
index 639fa145d3..3a2ea93743 100644
--- a/npm/translatePolicy_test.go
+++ b/npm/translatePolicy_test.go
@@ -2989,33 +2989,18 @@ func TestTranslatePolicy(t *testing.T) {
 	expectedIptEntries = []*iptm.IptEntry{}
 	nonKubeSystemEntries = []*iptm.IptEntry{
 		&iptm.IptEntry{
-			Chain: util.IptablesAzureIngressFromChain,
+			Chain: util.IptablesAzureIngressPortChain,
 			Specs: []string{
-				util.IptablesSFlag,
-				"172.17.1.0/24",
 				util.IptablesModuleFlag,
 				util.IptablesSetModuleFlag,
 				util.IptablesMatchSetFlag,
 				util.GetHashedName("role:db"),
 				util.IptablesDstFlag,
-				util.IptablesJumpFlag,
-				util.IptablesDrop,
-				util.IptablesModuleFlag,
-				util.IptablesCommentModuleFlag,
-				util.IptablesCommentFlag,
-				"DROP-172.17.1.0/24-TO-role:db",
-			},
-		},
-		&iptm.IptEntry{
-			Chain: util.IptablesAzureIngressPortChain,
-			Specs: []string{
 				util.IptablesModuleFlag,
 				util.IptablesSetModuleFlag,
 				util.IptablesMatchSetFlag,
-				util.GetHashedName("role:db"),
-				util.IptablesDstFlag,
-				util.IptablesSFlag,
-				"172.17.0.0/16",
+				util.GetHashedName("ns-project:myproject"),
+				util.IptablesSrcFlag,
 				util.IptablesProtFlag,
 				"TCP",
 				util.IptablesDstPortFlag,
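Review bot: The `if len(toRuleEntries) > 0` guard at line 1060 of translateEgress is dead weight — `append(entries, toRuleEntries...)` already does nothing for a nil or empty slice — and the block should be the single line `entries = append(entries, toRuleEntries...)`, ideally preceded by a why-comment like `// IPBlock-derived entries go last so chain order does not depend on the order of to-rules in the policy`, since the rationale is otherwise only in the commit title. Appending them here also places the except DROP entries after every ALLOW accumulated earlier in the function, which is only safe if none of those can match an excepted destination in the same chain; the hunks do not show enough of the function to confirm that. translateEgress's body extends beyond both ends of the hunk.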
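Review bot: The rewritten `nonKubeSystemEntries` expectation in TestTranslatePolicy now encodes the new placement of IPBlock-derived entries (the except DROP and the CIDR ALLOW moved to the tail) without saying so, so the next person who touches entry ordering will have to re-derive why the first expected entry is the ns-project port ALLOW rather than the DROP. A one-line comment above the literal, `// selector-based entries come first; the IPBlock except DROP and CIDR ALLOW are emitted last`, would pin the intent the assertion is checking. Also note the test compares slice order only; it says nothing about which iptables chain is consulted first, so it cannot by itself show the except range is still rejected. TestTranslatePolicy starts well before this hunk and continues after it.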
@@ -3025,7 +3010,7 @@ func TestTranslatePolicy(t *testing.T) {
 				util.IptablesModuleFlag,
 				util.IptablesCommentModuleFlag,
 				util.IptablesCommentFlag,
-				"ALLOW-172.17.0.0/16-:-TCP-PORT-6379-TO-role:db",
+				"ALLOW-ns-project:myproject-AND-TCP-PORT-6379-TO-role:db",
 			},
 		},
 		&iptm.IptEntry{
@@ -3039,7 +3024,7 @@ func TestTranslatePolicy(t *testing.T) {
 				util.IptablesModuleFlag,
 				util.IptablesSetModuleFlag,
 				util.IptablesMatchSetFlag,
-				util.GetHashedName("ns-project:myproject"),
+				util.GetHashedName("role:frontend"),
 				util.IptablesSrcFlag,
 				util.IptablesProtFlag,
 				"TCP",
@@ -3050,22 +3035,37 @@ func TestTranslatePolicy(t *testing.T) {
 				util.IptablesModuleFlag,
 				util.IptablesCommentModuleFlag,
 				util.IptablesCommentFlag,
-				"ALLOW-ns-project:myproject-AND-TCP-PORT-6379-TO-role:db",
+				"ALLOW-role:frontend-AND-TCP-PORT-6379-TO-role:db",
 			},
 		},
 		&iptm.IptEntry{
-			Chain: util.IptablesAzureIngressPortChain,
+			Chain: util.IptablesAzureIngressFromChain,
 			Specs: []string{
+				util.IptablesSFlag,
+				"172.17.1.0/24",
 				util.IptablesModuleFlag,
 				util.IptablesSetModuleFlag,
 				util.IptablesMatchSetFlag,
 				util.GetHashedName("role:db"),
 				util.IptablesDstFlag,
+				util.IptablesJumpFlag,
+				util.IptablesDrop,
+				util.IptablesModuleFlag,
+				util.IptablesCommentModuleFlag,
+				util.IptablesCommentFlag,
+				"DROP-172.17.1.0/24-TO-role:db",
+			},
+		},
+		&iptm.IptEntry{
+			Chain: util.IptablesAzureIngressPortChain,
+			Specs: []string{
 				util.IptablesModuleFlag,
 				util.IptablesSetModuleFlag,
 				util.IptablesMatchSetFlag,
-				util.GetHashedName("role:frontend"),
-				util.IptablesSrcFlag,
+				util.GetHashedName("role:db"),
+				util.IptablesDstFlag,
+				util.IptablesSFlag,
+				"172.17.0.0/16",
 				util.IptablesProtFlag,
 				"TCP",
 				util.IptablesDstPortFlag,
@@ -3075,7 +3075,7 @@ func TestTranslatePolicy(t *testing.T) {
 				util.IptablesModuleFlag,
 				util.IptablesCommentModuleFlag,
 				util.IptablesCommentFlag,
-				"ALLOW-role:frontend-AND-TCP-PORT-6379-TO-role:db",
+				"ALLOW-172.17.0.0/16-:-TCP-PORT-6379-TO-role:db",
 			},
 		},
 		&iptm.IptEntry{
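Review bot: In the `@@ -3050` hunk the except rule for `172.17.1.0/24` is expected as a `-j DROP` in `IptablesAzureIngressFromChain`, while the matching CIDR rule `-s 172.17.0.0/16 -p TCP --dport 6379` is expected in `IptablesAzureIngressPortChain`, so the except is only enforced if the port-chain entry hands the packet to the from-chain rather than accepting it outright; the jump target of that entry is cut off by the hunk, so I cannot tell which it is. If it accepts directly, a source in 172.17.1.0/24 reaches role:db on 6379 despite the except, and the test would still pass because it only compares slice order. Worth extending the expectation to cover the jump flag of that entry and, ideally, a case that asserts the except range is rejected on the allowed port. A minor style point: the added `&iptm.IptEntry{` elements inside a `[]*iptm.IptEntry{...}` literal are redundant and `gofmt -s` would reduce them to `{`. TestTranslatePolicy starts long before this hunk and continues after it.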