	Moving egress deny with DNS to policy function
		@@ -18,7 +18,6 @@ package netpol
 | 
			
		||||
 | 
			
		||||
import (
 | 
			
		||||
	"context"
 | 
			
		||||
	"encoding/json"
 | 
			
		||||
	"fmt"
 | 
			
		||||
	"time"
 | 
			
		||||
 | 
			
		||||
@@ -159,39 +158,9 @@ var _ = SIGDescribeCopy("Netpol [LinuxOnly]", func() {
 | 
			
		||||
		})
 | 
			
		||||
 | 
			
		||||
		ginkgo.It("should support a 'default-deny-all' policy [Feature:NetworkPolicy]", func() {
 | 
			
		||||
			np := &networkingv1.NetworkPolicy{}
 | 
			
		||||
			policy := `
 | 
			
		||||
			{
 | 
			
		||||
				"kind": "NetworkPolicy",
 | 
			
		||||
				"apiVersion": "networking.k8s.io/v1",
 | 
			
		||||
				"metadata": {
 | 
			
		||||
				   "name": "deny-all-tcp-allow-dns"
 | 
			
		||||
				},
 | 
			
		||||
				"spec": {
 | 
			
		||||
				   "podSelector": {
 | 
			
		||||
					  "matchLabels": {}
 | 
			
		||||
				   },
 | 
			
		||||
				   "ingress": [],
 | 
			
		||||
				   "egress": [{
 | 
			
		||||
						"ports": [
 | 
			
		||||
							{
 | 
			
		||||
								"protocol": "UDP",
 | 
			
		||||
								"port": 53
 | 
			
		||||
							}
 | 
			
		||||
						]
 | 
			
		||||
					}],
 | 
			
		||||
				   "policyTypes": [
 | 
			
		||||
					"Ingress",
 | 
			
		||||
					"Egress"
 | 
			
		||||
				   ]
 | 
			
		||||
				}
 | 
			
		||||
			 }
 | 
			
		||||
			 `
 | 
			
		||||
			err := json.Unmarshal([]byte(policy), np)
 | 
			
		||||
			framework.ExpectNoError(err, "unmarshal network policy")
 | 
			
		||||
 | 
			
		||||
			policy := GetDenyAllWithEgressDNS()
 | 
			
		||||
			nsX, _, _, model, k8s := getK8SModel(f)
 | 
			
		||||
			CreatePolicy(k8s, np, nsX)
 | 
			
		||||
			CreatePolicy(k8s, policy, nsX)
 | 
			
		||||
 | 
			
		||||
			reachability := NewReachability(model.AllPods(), true)
 | 
			
		||||
			reachability.ExpectPeer(&Peer{}, &Peer{Namespace: nsX}, false)
 | 
			
		||||
 
 | 
			
		||||
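Review bot: The ginkgo.It description still reads "should support a 'default-deny-all' policy" while the policy now applied, GetDenyAllWithEgressDNS(), deliberately leaves UDP/53 egress open, so the test name no longer states what it exercises. An egress carve-out is exactly the kind of exception a reader of a deny-all test needs to see up front, so the description should name it, e.g. `ginkgo.It("should support a 'default-deny-all' policy with DNS egress allowed [Feature:NetworkPolicy]", func() {` (if the existing name is tracked elsewhere, a comment above the It stating the carve-out is the minimum). The It body continues outside the hunk; if the remaining expectations only cover ingress into nsX, as the visible ExpectPeer does, then whether UDP/53 egress actually stays reachable and all other egress is denied is not asserted by this test, which is worth confirming against the lines below.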
@@ -142,6 +142,31 @@ func GetDenyAll(name string) *networkingv1.NetworkPolicy {
 | 
			
		||||
	return policy
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
// GetDenyAllWithEgressDNS deny all egress traffic, besides DNS/UDP port
 | 
			
		||||
func GetDenyAllWithEgressDNS() *networkingv1.NetworkPolicy {
 | 
			
		||||
	protocolUDP := v1.ProtocolUDP
 | 
			
		||||
	return &networkingv1.NetworkPolicy{
 | 
			
		||||
		ObjectMeta: metav1.ObjectMeta{
 | 
			
		||||
			Name: "deny-all-tcp-allow-dns",
 | 
			
		||||
		},
 | 
			
		||||
		Spec: networkingv1.NetworkPolicySpec{
 | 
			
		||||
			PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress},
 | 
			
		||||
			PodSelector: metav1.LabelSelector{},
 | 
			
		||||
			Ingress:     []networkingv1.NetworkPolicyIngressRule{},
 | 
			
		||||
			Egress: []networkingv1.NetworkPolicyEgressRule{
 | 
			
		||||
				{
 | 
			
		||||
					Ports: []networkingv1.NetworkPolicyPort{
 | 
			
		||||
						{
 | 
			
		||||
							Protocol: &protocolUDP,
 | 
			
		||||
							Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
 | 
			
		||||
						},
 | 
			
		||||
					},
 | 
			
		||||
				},
 | 
			
		||||
			},
 | 
			
		||||
		},
 | 
			
		||||
	}
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
// GetAllowIngressByPod allows ingress by pod labels
 | 
			
		||||
func GetAllowIngressByPod(name string, targetLabels map[string]string, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy {
 | 
			
		||||
	policy := &networkingv1.NetworkPolicy{
 | 
			
		||||
 
 | 
			
		||||
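Review bot: The doc comment on GetDenyAllWithEgressDNS says it denies all egress besides DNS/UDP, but the policy it builds also lists PolicyTypeIngress with an empty Ingress slice, so it denies all ingress as well; the comment should state the full effect, e.g. `// GetDenyAllWithEgressDNS returns a policy that denies all ingress and all egress except UDP port 53 (DNS).` Unlike its neighbours GetDenyAll(name string) and GetAllowIngressByPod(name string, ...), this helper hard-codes the name "deny-all-tcp-allow-dns", which also misdescribes the policy (it blocks every protocol except the UDP/53 exception, not only TCP); taking `name string` like the siblings and using `Name: name,` would keep the helper family consistent and let each test choose an accurate name. GetAllowIngressByPod's body continues outside the hunk.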