1
- import { V1LabelSelector , V1NetworkPolicyPeer , V1NetworkPolicyPort } from "@kubernetes/client-node" ;
1
+ import { V1NetworkPolicyPeer , V1NetworkPolicyPort } from "@kubernetes/client-node" ;
2
2
import { kind } from "pepr" ;
3
3
4
4
import { Allow , RemoteGenerated } from "../../crd" ;
@@ -7,6 +7,56 @@ import { cloudMetadata } from "./generators/cloudMetadata";
7
7
import { intraNamespace } from "./generators/intraNamespace" ;
8
8
import { kubeAPI } from "./generators/kubeAPI" ;
9
9
10
+ function isWildcardNamespace ( namespace : string ) {
11
+ return namespace === "" || namespace === "*" ;
12
+ }
13
+
14
+ function getPeers ( policy : Allow ) : V1NetworkPolicyPeer [ ] {
15
+ let peers : V1NetworkPolicyPeer [ ] = [ ] ;
16
+
17
+ if ( policy . remoteGenerated ) {
18
+ switch ( policy . remoteGenerated ) {
19
+ case RemoteGenerated . KubeAPI :
20
+ peers = kubeAPI ( ) ;
21
+ break ;
22
+
23
+ case RemoteGenerated . CloudMetadata :
24
+ peers = cloudMetadata ;
25
+ break ;
26
+
27
+ case RemoteGenerated . IntraNamespace :
28
+ peers = [ intraNamespace ] ;
29
+ break ;
30
+
31
+ case RemoteGenerated . Anywhere :
32
+ peers = [ anywhere ] ;
33
+ break ;
34
+ }
35
+ } else if ( policy . remoteNamespace !== undefined || policy . remoteSelector !== undefined ) {
36
+ const peer : V1NetworkPolicyPeer = { } ;
37
+
38
+ if ( policy . remoteNamespace !== undefined ) {
39
+ if ( isWildcardNamespace ( policy . remoteNamespace ) ) {
40
+ peer . namespaceSelector = { } ;
41
+ } else {
42
+ peer . namespaceSelector = {
43
+ matchLabels : { "kubernetes.io/metadata.name" : policy . remoteNamespace } ,
44
+ } ;
45
+ }
46
+ }
47
+
48
+ if ( policy . remoteSelector !== undefined ) {
49
+ peer . podSelector = {
50
+ matchLabels : policy . remoteSelector ,
51
+ } ;
52
+ }
53
+
54
+ peers . push ( peer ) ;
55
+ }
56
+
57
+ return peers ;
58
+ }
59
+
10
60
export function generate ( namespace : string , policy : Allow ) : kind . NetworkPolicy {
11
61
// Generate a unique name for the NetworkPolicy
12
62
const name = generateName ( policy ) ;
@@ -35,57 +85,8 @@ export function generate(namespace: string, policy: Allow): kind.NetworkPolicy {
35
85
} ;
36
86
}
37
87
38
- // Create the remote (peer) to match against
39
- let peers : V1NetworkPolicyPeer [ ] = [ ] ;
40
-
41
- // Add the remoteNamespace if they exist
42
- if ( policy . remoteNamespace !== undefined ) {
43
- const namespaceSelector : V1LabelSelector = { } ;
44
-
45
- // Add the remoteNamespace to the namespaceSelector if it exists and is not "*", otherwise match all namespaces
46
- if ( policy . remoteNamespace !== "" && policy . remoteNamespace !== "*" ) {
47
- namespaceSelector . matchLabels = {
48
- "kubernetes.io/metadata.name" : policy . remoteNamespace ,
49
- } ;
50
- }
51
-
52
- // Add the remoteNamespace to the peers
53
- peers . push ( { namespaceSelector } ) ;
54
- }
55
-
56
- // Add the remoteSelector if they exist
57
- if ( policy . remoteSelector ) {
58
- peers . push ( {
59
- podSelector : {
60
- matchLabels : policy . remoteSelector ,
61
- } ,
62
- } ) ;
63
- }
64
-
65
- // Check if remoteGenerated is set
66
- if ( policy . remoteGenerated ) {
67
- // Add the remoteGenerated label
68
- generated . metadata ! . labels ! [ "uds/generated" ] = policy . remoteGenerated ;
69
-
70
- // Check if remoteGenerated is set
71
- switch ( policy . remoteGenerated ) {
72
- case RemoteGenerated . KubeAPI :
73
- peers = kubeAPI ( ) ;
74
- break ;
75
-
76
- case RemoteGenerated . CloudMetadata :
77
- peers = cloudMetadata ;
78
- break ;
79
-
80
- case RemoteGenerated . IntraNamespace :
81
- peers . push ( intraNamespace ) ;
82
- break ;
83
-
84
- case RemoteGenerated . Anywhere :
85
- peers = [ anywhere ] ;
86
- break ;
87
- }
88
- }
88
+ // Create the network policy peers
89
+ const peers : V1NetworkPolicyPeer [ ] = getPeers ( policy ) ;
89
90
90
91
// Define the ports to allow from the ports property
91
92
const ports : V1NetworkPolicyPort [ ] = ( policy . ports ?? [ ] ) . map ( port => ( { port } ) ) ;
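Review bot: The `switch` in the new getPeers (earlier hunk, new lines 18–34) has no `default`, so a remoteGenerated value it does not list falls through and the function returns the empty `peers` array; if that array is later placed in a NetworkPolicy `from`/`to` list (not visible here), an empty peer list selects every source in Kubernetes semantics, so the miss is fail-open rather than fail-closed. Add an exhaustiveness check so a new enum member fails both the build and the run: `default: { const unhandled: never = policy.remoteGenerated; throw new Error("unsupported remoteGenerated: " + unhandled); }`. The `uds/generated` label assignment removed at old line 68 is not reinstated in this hunk; unless it is set in the unseen lines 61–84 of generate, that label is lost with this change. getPeers also lacks a header comment; a line such as `/** Builds the peer list for an Allow rule: a remoteGenerated value supplies the whole list, otherwise one peer combining namespaceSelector and podSelector (both must match). */` would record the intent, including that namespace and selector now form a single ANDed peer.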