2020-10-24 23:57:45 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
module Gitlab
|
|
|
|
module Kubernetes
|
|
|
|
class CiliumNetworkPolicy
|
|
|
|
include NetworkPolicyCommon
|
|
|
|
extend ::Gitlab::Utils::Override
|
|
|
|
|
|
|
|
API_VERSION = "cilium.io/v2"
|
|
|
|
KIND = 'CiliumNetworkPolicy'
|
|
|
|
|
2021-11-11 11:23:49 +05:30
|
|
|
PREDEFINED_POLICIES = {
|
|
|
|
'allow-inbound-http' => <<~YAML.rstrip,
|
|
|
|
apiVersion: cilium.io/v2
|
|
|
|
kind: CiliumNetworkPolicy
|
|
|
|
metadata:
|
|
|
|
name: allow-inbound-http
|
|
|
|
spec:
|
|
|
|
endpointSelector:
|
|
|
|
matchLabels:
|
|
|
|
network-policy.gitlab.com/disabled_by: gitlab
|
|
|
|
ingress:
|
|
|
|
- toPorts:
|
|
|
|
- ports:
|
|
|
|
- port: '80'
|
|
|
|
- port: '443'
|
|
|
|
YAML
|
|
|
|
'drop-outbound' => <<~YAML.rstrip
|
|
|
|
apiVersion: cilium.io/v2
|
|
|
|
kind: CiliumNetworkPolicy
|
|
|
|
metadata:
|
|
|
|
name: drop-outbound
|
|
|
|
spec:
|
|
|
|
endpointSelector:
|
|
|
|
matchLabels:
|
|
|
|
network-policy.gitlab.com/disabled_by: gitlab
|
|
|
|
egress:
|
|
|
|
- {}
|
|
|
|
YAML
|
|
|
|
}.freeze
|
|
|
|
|
2020-11-24 15:15:51 +05:30
|
|
|
# We are modeling existing kubernetes resource and don't have
|
|
|
|
# control over amount of parameters.
|
|
|
|
# rubocop:disable Metrics/ParameterLists
|
2021-09-30 23:02:18 +05:30
|
|
|
def initialize(name:, namespace:, selector:, ingress:, resource_version: nil, description: nil, labels: nil, creation_timestamp: nil, egress: nil, annotations: nil, environment_ids: [])
|
2020-10-24 23:57:45 +05:30
|
|
|
@name = name
|
2020-11-24 15:15:51 +05:30
|
|
|
@description = description
|
2020-10-24 23:57:45 +05:30
|
|
|
@namespace = namespace
|
|
|
|
@labels = labels
|
|
|
|
@creation_timestamp = creation_timestamp
|
|
|
|
@selector = selector
|
|
|
|
@resource_version = resource_version
|
|
|
|
@ingress = ingress
|
|
|
|
@egress = egress
|
2021-03-08 18:12:59 +05:30
|
|
|
@annotations = annotations
|
2021-09-30 23:02:18 +05:30
|
|
|
@environment_ids = environment_ids
|
2020-10-24 23:57:45 +05:30
|
|
|
end
|
2020-11-24 15:15:51 +05:30
|
|
|
# rubocop:enable Metrics/ParameterLists
|
2020-10-24 23:57:45 +05:30
|
|
|
|
|
|
|
def self.from_yaml(manifest)
|
|
|
|
return unless manifest
|
|
|
|
|
|
|
|
policy = YAML.safe_load(manifest, symbolize_names: true)
|
|
|
|
return if !policy[:metadata] || !policy[:spec]
|
|
|
|
|
|
|
|
metadata = policy[:metadata]
|
|
|
|
spec = policy[:spec]
|
|
|
|
self.new(
|
|
|
|
name: metadata[:name],
|
2020-11-24 15:15:51 +05:30
|
|
|
description: policy[:description],
|
2020-10-24 23:57:45 +05:30
|
|
|
namespace: metadata[:namespace],
|
2021-03-08 18:12:59 +05:30
|
|
|
annotations: metadata[:annotations],
|
2020-10-24 23:57:45 +05:30
|
|
|
resource_version: metadata[:resourceVersion],
|
|
|
|
labels: metadata[:labels],
|
|
|
|
selector: spec[:endpointSelector],
|
|
|
|
ingress: spec[:ingress],
|
|
|
|
egress: spec[:egress]
|
|
|
|
)
|
|
|
|
rescue Psych::SyntaxError, Psych::DisallowedClass
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
|
2021-09-30 23:02:18 +05:30
|
|
|
def self.from_resource(resource, environment_ids = [])
|
2020-10-24 23:57:45 +05:30
|
|
|
return unless resource
|
|
|
|
return if !resource[:metadata] || !resource[:spec]
|
|
|
|
|
|
|
|
metadata = resource[:metadata]
|
|
|
|
spec = resource[:spec].to_h
|
|
|
|
self.new(
|
|
|
|
name: metadata[:name],
|
2020-11-24 15:15:51 +05:30
|
|
|
description: resource[:description],
|
2020-10-24 23:57:45 +05:30
|
|
|
namespace: metadata[:namespace],
|
2021-03-08 18:12:59 +05:30
|
|
|
annotations: metadata[:annotations]&.to_h,
|
2020-10-24 23:57:45 +05:30
|
|
|
resource_version: metadata[:resourceVersion],
|
|
|
|
labels: metadata[:labels]&.to_h,
|
|
|
|
creation_timestamp: metadata[:creationTimestamp],
|
|
|
|
selector: spec[:endpointSelector],
|
|
|
|
ingress: spec[:ingress],
|
2021-09-30 23:02:18 +05:30
|
|
|
egress: spec[:egress],
|
|
|
|
environment_ids: environment_ids
|
2020-10-24 23:57:45 +05:30
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2020-11-24 15:15:51 +05:30
|
|
|
override :resource
|
|
|
|
def resource
|
|
|
|
resource = {
|
|
|
|
apiVersion: API_VERSION,
|
|
|
|
kind: KIND,
|
|
|
|
metadata: metadata,
|
|
|
|
spec: spec
|
|
|
|
}
|
|
|
|
resource[:description] = description if description
|
|
|
|
resource
|
|
|
|
end
|
|
|
|
|
2020-10-24 23:57:45 +05:30
|
|
|
private
|
|
|
|
|
2021-09-30 23:02:18 +05:30
|
|
|
attr_reader :name, :description, :namespace, :labels, :creation_timestamp, :resource_version, :ingress, :egress, :annotations, :environment_ids
|
2020-10-24 23:57:45 +05:30
|
|
|
|
|
|
|
def selector
|
|
|
|
@selector ||= {}
|
|
|
|
end
|
|
|
|
|
2020-11-24 15:15:51 +05:30
|
|
|
def metadata
|
|
|
|
meta = { name: name, namespace: namespace }
|
|
|
|
meta[:labels] = labels if labels
|
|
|
|
meta[:resourceVersion] = resource_version if resource_version
|
2021-03-08 18:12:59 +05:30
|
|
|
meta[:annotations] = annotations if annotations
|
2020-11-24 15:15:51 +05:30
|
|
|
meta
|
|
|
|
end
|
|
|
|
|
2020-10-24 23:57:45 +05:30
|
|
|
def spec
|
|
|
|
{
|
|
|
|
endpointSelector: selector,
|
|
|
|
ingress: ingress,
|
|
|
|
egress: egress
|
2020-11-24 15:15:51 +05:30
|
|
|
}.compact
|
2020-10-24 23:57:45 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|