From f17945d4c312abc1211bb25c991e842de6dc8de2 Mon Sep 17 00:00:00 2001 From: Jesus Rodriguez Date: Fri, 19 Oct 2018 12:24:50 -0400 Subject: [PATCH] Bug 1613280 - only create netpolicy if one already exists (#1102) * Bug 1613280 - only create netpolicy if one already exists If there are other services in the target namespace talking to each other with no network policy, during APB deployments we automatically create one that blocks the other services. This change looks to see if there are any network policies on the target namespace. If there are none, we forgo creating the network policy, assuming things are open and the transient namespace should be able to talk to the target with no issues. If there are existing network policies, then we will add ours to give the transient namespace access to the target. There is still the chance that our network policy could still affect things depending on the variety of existing network policies in place, too many to verify. --- pkg/runtime/runtime.go | 62 ++++++++++++++++++++++++++++-------------- 1 file changed, 42 insertions(+), 20 deletions(-) diff --git a/pkg/runtime/runtime.go b/pkg/runtime/runtime.go index 9c25ee7386..df715f52da 100644 --- a/pkg/runtime/runtime.go +++ b/pkg/runtime/runtime.go @@ -147,6 +147,10 @@ func (p provider) CreateSandbox(podName string, targets []string, apbRole string) (string, error) { + if len(targets) < 1 { + return "", fmt.Errorf("Must supply at least one target namespace") + } + k8scli, err := clients.Kubernetes() if err != nil { return "", err @@ -186,32 +190,45 @@ func (p provider) CreateSandbox(podName string, } } - // Must create a Network policy to allow for comunication from the APB pod to the target namespace. - networkPolicy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: podName, - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - networkingv1.NetworkPolicyIngressRule{ - 
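Review bot: The error string in the new guard at the top of the first hunk is capitalized, which goes against Go convention for errors that callers may wrap or prefix; `return "", fmt.Errorf("must supply at least one target namespace")` reads correctly in a chain. The same capitalized wording is reused in the guard added to DestroySandbox later in the patch, though there it is only logged. The guard itself sits in the right place, before the Kubernetes client is obtained, so the later `targets[0]` index in this function cannot panic on an empty slice. CreateSandbox's body continues beyond the end of this hunk.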
From: []networkingv1.NetworkPolicyPeer{ - networkingv1.NetworkPolicyPeer{ - NamespaceSelector: metav1.AddLabelToSelector(&metav1.LabelSelector{}, "apb-pod-name", podName), + // Check to see if there are already namespaces available before + // creating ours + policies, err := k8scli.Client.NetworkingV1().NetworkPolicies(targets[0]).List(metav1.ListOptions{}) + if err != nil { + return "", err + } + + // If there are already network policies, let's add one to allow for + // communication from the APB pod to the target namespace + if len(policies.Items) > 0 { + networkPolicy := &networkingv1.NetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: podName, + }, + Spec: networkingv1.NetworkPolicySpec{ + PodSelector: metav1.LabelSelector{}, + Ingress: []networkingv1.NetworkPolicyIngressRule{ + networkingv1.NetworkPolicyIngressRule{ + 
From: []networkingv1.NetworkPolicyPeer{ + networkingv1.NetworkPolicyPeer{ + NamespaceSelector: metav1.AddLabelToSelector( + &metav1.LabelSelector{}, "apb-pod-name", podName), + }, }, }, }, }, - }, - } + } - log.Debugf("Creating network policy for pod: %v to grant network access to ns: %v", podName, targets[0]) - _, err = k8scli.Client.NetworkingV1().NetworkPolicies(targets[0]).Create(networkPolicy) - if err != nil { - log.Errorf("unable to create network policy object - %v", err) - return "", err + log.Debugf("Creating network policy for pod: %v to grant network access to ns: %v", podName, targets[0]) + _, err = k8scli.Client.NetworkingV1().NetworkPolicies(targets[0]).Create(networkPolicy) + if err != nil { + log.Errorf("unable to create network policy object - %v", err) + return "", err + } + log.Debugf("Successfully created network policy for pod: %v to grant network access to ns: %v", podName, targets[0]) + } else { + log.Info("No network policies found. Assuming things are open, skip network policy creation") } - log.Debugf("Successfully created network policy for pod: %v to grant network access to ns: %v", podName, targets[0]) log.Info("Successfully created apb sandbox: [ %s ], with %s permissions in namespace %s", podName, apbRole, namespace) log.Info("Running post create sandbox fuctions if defined.") @@ -237,6 +254,11 @@ func (p provider) DestroySandbox(podName string, keepNamespaceOnError bool) { log.Info("Destroying APB sandbox...") + if len(targets) < 1 { + log.Error("Must supply at least one target namespace") + return + } + if podName == "" { log.Info("Requested destruction of APB sandbox with empty handle, skipping.") return
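Review bot: The comment introduced ahead of the List call says `namespaces available`, but the call lists NetworkPolicy objects in targets[0], so the comment misstates what is checked; `// Check whether the target namespace already has NetworkPolicy objects before creating ours` matches the code. The new `else` branch treats an empty list as proof that ingress is open and records that only at Info level, yet a deny enforced outside NetworkPolicy objects in that namespace (for example by the cluster network plugin's own configuration) would not appear in the List result, leaving the APB pod without access and nothing louder than an informational message to point at it. Since CreateSandbox begins before this hunk, that assumption, and the fact that only targets[0] is inspected even when several targets are supplied, belongs in the function's doc comment so operators can tell a skipped policy from a failed one. The List error on the following lines is also returned bare; `return "", fmt.Errorf("listing network policies in %s: %v", targets[0], err)` would say which step failed, in the same `%v` style the surrounding log calls already use.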