networkpolicy: add new parameters allowedIngressNamespaces for user customization

Signed-off-by: N Duan Jiong <djduanjiong@gmail.com>

networkpolicy: add new parameters allowedIngressNamespaces for user customization
Signed-off-by: N Duan Jiong <djduanjiong@gmail.com>
eb216066 · Duan Jiong · afcd0efe · eb216066 · eb216066 · eb216066
6 changed file
--- a/cmd/controller-manager/app/controllers.go
+++ b/cmd/controller-manager/app/controllers.go
@@ -49,6 +49,7 @@ import (
 	"kubesphere.io/kubesphere/pkg/simple/client/devops"
 	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
 	ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
+	"kubesphere.io/kubesphere/pkg/simple/client/network"
 	"kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
 	"kubesphere.io/kubesphere/pkg/simple/client/s3"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -65,7 +66,7 @@ func addControllers(
 	authenticationOptions *authoptions.AuthenticationOptions,
 	openpitrixClient openpitrix.Client,
 	multiClusterEnabled bool,
-	networkPolicyEnabled bool,
+	networkOptions *network.Options,
 	serviceMeshEnabled bool,
 	kubectlImage string,
 	stopCh <-chan struct{}) error {
@@ -267,7 +268,7 @@ func addControllers(
 	}

 	var nsnpController manager.Runnable
-	if networkPolicyEnabled {
+	if networkOptions.EnableNetworkPolicy {
 		nsnpProvider, err := provider.NewNsNetworkPolicyProvider(client.Kubernetes(), kubernetesInformer.Networking().V1().NetworkPolicies())
 		if err != nil {
 			return err
@@ -279,7 +280,7 @@ func addControllers(
 			kubernetesInformer.Core().V1().Services(),
 			kubernetesInformer.Core().V1().Nodes(),
 			kubesphereInformer.Tenant().V1alpha1().Workspaces(),
-			kubernetesInformer.Core().V1().Namespaces(), nsnpProvider)
+			kubernetesInformer.Core().V1().Namespaces(), nsnpProvider, networkOptions.NSNPOptions)
 	}

 	controllers := map[string]manager.Runnable{

--- a/cmd/controller-manager/app/server.go
+++ b/cmd/controller-manager/app/server.go
@@ -205,7 +205,7 @@ func Run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
 			s.AuthenticationOptions,
 			openpitrixClient,
 			s.MultiClusterOptions.Enable,
-			s.NetworkOptions.EnableNetworkPolicy,
+			s.NetworkOptions,
 			servicemeshEnabled,
 			s.AuthenticationOptions.KubectlImage, stopCh); err != nil {
 			klog.Fatalf("unable to register controllers to the manager: %v", err)

--- a/pkg/apiserver/config/config_test.go
+++ b/pkg/apiserver/config/config_test.go
@@ -102,6 +102,9 @@ func newTestConfig() (*Config, error) {
 		},
 		NetworkOptions: &network.Options{
 			EnableNetworkPolicy: true,
+			NSNPOptions: network.NSNPOptions{
+				AllowedIngressNamespaces: []string{},
+			},
 		},
 		MonitoringOptions: &prometheus.Options{
 			Endpoint: "http://prometheus.kubesphere-monitoring-system.svc",

--- a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go
+++ b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go
@@ -29,6 +29,7 @@ import (
 	"kubesphere.io/kubesphere/pkg/constants"
 	"kubesphere.io/kubesphere/pkg/controller/network"
 	"kubesphere.io/kubesphere/pkg/controller/network/provider"
+	options "kubesphere.io/kubesphere/pkg/simple/client/network"
 )

 const (
@@ -77,6 +78,7 @@ type NSNetworkPolicyController struct {
 	namespaceInformerSynced cache.InformerSynced

 	provider provider.NsNetworkPolicyProvider
+	options  options.NSNPOptions

 	nsQueue   workqueue.RateLimitingInterface
 	nsnpQueue workqueue.RateLimitingInterface
@@ -301,7 +303,7 @@ func (c *NSNetworkPolicyController) generateNodeRule() (netv1.NetworkPolicyIngre
 	return rule, nil
 }

-func generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv1.NetworkPolicy {
+func (c *NSNetworkPolicyController) generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv1.NetworkPolicy {
 	policy := &netv1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      AnnotationNPNAME,
@@ -328,6 +330,17 @@ func generateNSNP(workspace string, namespace string, matchWorkspace bool) *netv
 		policy.Spec.Ingress[0].From[0].NamespaceSelector.MatchLabels[constants.NamespaceLabelKey] = namespace
 	}

+	for _, allowedIngressNamespace := range c.options.AllowedIngressNamespaces {
+		defaultAllowedIngress := netv1.NetworkPolicyPeer{
+			NamespaceSelector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					constants.NamespaceLabelKey: allowedIngressNamespace,
+				},
+			},
+		}
+		policy.Spec.Ingress[0].From = append(policy.Spec.Ingress[0].From, defaultAllowedIngress)
+	}
+
 	return policy
 }

@@ -445,7 +458,7 @@ func (c *NSNetworkPolicyController) syncNs(key string) error {
 		}
 	}

-	policy := generateNSNP(workspaceName, ns.Name, matchWorkspace)
+	policy := c.generateNSNP(workspaceName, ns.Name, matchWorkspace)
 	if shouldAddDNSRule(nsnpList) {
 		ruleDNS, err := generateDNSRule([]string{DNSLocalIP})
 		if err != nil {
@@ -589,7 +602,8 @@ func NewNSNetworkPolicyController(
 	nodeInformer v1.NodeInformer,
 	workspaceInformer workspace.WorkspaceInformer,
 	namespaceInformer v1.NamespaceInformer,
-	policyProvider provider.NsNetworkPolicyProvider) *NSNetworkPolicyController {
+	policyProvider provider.NsNetworkPolicyProvider,
+	options options.NSNPOptions) *NSNetworkPolicyController {

 	controller := &NSNetworkPolicyController{
 		client:                  client,
@@ -607,6 +621,7 @@ func NewNSNetworkPolicyController(
 		provider:                policyProvider,
 		nsQueue:                 workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespace"),
 		nsnpQueue:               workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespacenp"),
+		options:                 options,
 	}

 	workspaceInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{

--- a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go
+++ b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_test.go
@@ -22,6 +22,7 @@ import (
 	workspaceinformer "kubesphere.io/kubesphere/pkg/client/informers/externalversions/tenant/v1alpha1"
 	"kubesphere.io/kubesphere/pkg/constants"
 	"kubesphere.io/kubesphere/pkg/controller/network/provider"
+	options "kubesphere.io/kubesphere/pkg/simple/client/network"
 )

 var (
@@ -48,6 +49,9 @@ spec:
        - namespaceSelector:
            matchLabels:
              %s: %s
+        - namespaceSelector:
+            matchLabels:
+              "kubesphere.io/namespace" : "kubesphere-monitoring-system"
  policyTypes:
    - Ingress`

@@ -113,8 +117,12 @@ var _ = Describe("Nsnetworkpolicy", func() {
 		nodeInforemer := kubeInformer.Core().V1().Nodes()
 		workspaceInformer := ksInformer.Tenant().V1alpha1().Workspaces()
 		namespaceInformer := kubeInformer.Core().V1().Namespaces()
+		nsnpOptions := options.NewNetworkOptions()
+		nsnpOptions.NSNPOptions.AllowedIngressNamespaces = append(nsnpOptions.NSNPOptions.AllowedIngressNamespaces, "kubesphere-monitoring-system")

-		c = NewNSNetworkPolicyController(kubeClient, ksClient.NetworkV1alpha1(), nsnpInformer, serviceInformer, nodeInforemer, workspaceInformer, namespaceInformer, calicoProvider)
+		c = NewNSNetworkPolicyController(kubeClient, ksClient.NetworkV1alpha1(),
+			nsnpInformer, serviceInformer, nodeInforemer,
+			workspaceInformer, namespaceInformer, calicoProvider, nsnpOptions.NSNPOptions)

 		serviceObj := &corev1.Service{}
 		Expect(StringToObject(serviceTmp, serviceObj)).ShouldNot(HaveOccurred())
@@ -158,7 +166,7 @@ var _ = Describe("Nsnetworkpolicy", func() {
 		obj := &netv1.NetworkPolicy{}
 		Expect(StringToObject(objSrt, obj)).ShouldNot(HaveOccurred())

-		policy := generateNSNP("testworkspace", "testns", true)
+		policy := c.generateNSNP("testworkspace", "testns", true)
 		Expect(reflect.DeepEqual(obj.Spec, policy.Spec)).To(BeTrue())
 	})

@@ -167,7 +175,7 @@ var _ = Describe("Nsnetworkpolicy", func() {
 		obj := &netv1.NetworkPolicy{}
 		Expect(StringToObject(objSrt, obj)).ShouldNot(HaveOccurred())

-		policy := generateNSNP("testworkspace", "testns", false)
+		policy := c.generateNSNP("testworkspace", "testns", false)
 		Expect(reflect.DeepEqual(obj.Spec, policy.Spec)).To(BeTrue())
 	})


--- a/pkg/simple/client/network/options.go
+++ b/pkg/simple/client/network/options.go
@@ -2,14 +2,22 @@ package network

 import "github.com/spf13/pflag"

+type NSNPOptions struct {
+	AllowedIngressNamespaces []string `json:"allowedIngressNamespaces,omitempty" yaml:"allowedIngressNamespaces,omitempty"`
+}
+
 type Options struct {
-	EnableNetworkPolicy bool `json:"enableNetworkPolicy,omitempty" yaml:"enableNetworkPolicy"`
+	EnableNetworkPolicy bool        `json:"enableNetworkPolicy,omitempty" yaml:"enableNetworkPolicy"`
+	NSNPOptions         NSNPOptions `json:"nsnpOptions,omitempty" yaml:"nsnpOptions,omitempty"`
 }

 // NewNetworkOptions returns a `zero` instance
 func NewNetworkOptions() *Options {
 	return &Options{
 		EnableNetworkPolicy: false,
+		NSNPOptions: NSNPOptions{
+			AllowedIngressNamespaces: []string{},
+		},
 	}
 }

@@ -20,6 +28,7 @@ func (s *Options) Validate() []error {

 func (s *Options) ApplyTo(options *Options) {
 	options.EnableNetworkPolicy = s.EnableNetworkPolicy
+	options.NSNPOptions = s.NSNPOptions
 }

 func (s *Options) AddFlags(fs *pflag.FlagSet, c *Options) {