io.fabric8.kubernetes.api.model.networking.NetworkPolicyIngressRule Java Examples
The following examples show how to use
io.fabric8.kubernetes.api.model.networking.NetworkPolicyIngressRule.
Example #1
Source File: CruiseControlTest.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Checks that the Cruise Control network policy, generated with namespace and
 * pod selector support enabled, admits exactly one source on the REST API
 * port: the cluster operator peer.
 */
@Test
public void testRestApiPortNetworkPolicy() {
    // Expected source. The namespaceSelector is empty, which on Kubernetes
    // matches every namespace, so the pod label alone identifies the operator.
    NetworkPolicyPeer expectedOperatorPeer = new NetworkPolicyPeerBuilder()
            .withNewPodSelector()
                .withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator"))
            .endPodSelector()
            .withNewNamespaceSelector().endNamespaceSelector()
            .build();

    NetworkPolicy policy = cc.generateNetworkPolicy(true);
    IntOrString restApiPort = new IntOrString(CruiseControl.REST_API_PORT);

    // A rule for the REST API port must exist at all.
    assertThat(policy.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(restApiPort))
            .findFirst()
            .orElse(null), is(notNullValue()));

    // The rule's `from` list must hold only the operator peer; any extra
    // entry would widen who can reach the REST API.
    List<NetworkPolicyPeer> allowedSources = policy.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(restApiPort))
            .map(NetworkPolicyIngressRule::getFrom)
            .findFirst()
            .orElse(null);

    assertThat(allowedSources.size(), is(1));
    assertThat(allowedSources.contains(expectedOperatorPeer), is(true));
}
Example #2
Source File: KafkaClusterTest.java From strimzi-kafka-operator with Apache License 2.0 | 5 votes |
/**
 * Checks the replication-port rule produced when the policy is generated
 * without namespace and pod selector support.
 */
@Test
public void testReplicationPortNetworkPolicyOnOldKubernetes() {
    Kafka kafka = ResourceUtils.createKafkaCluster(namespace, cluster, replicas, image, healthDelay, healthTimeout, metricsCm, configuration, emptyMap());
    KafkaCluster kafkaCluster = KafkaCluster.fromCrd(kafka, VERSIONS);

    // Generate the policy as for a cluster that lacks selector support
    NetworkPolicy policy = kafkaCluster.generateNetworkPolicy(false);
    IntOrString replicationPort = new IntOrString(KafkaCluster.REPLICATION_PORT);

    // The replication port must still have an ingress rule.
    assertThat(policy.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(replicationPort))
            .findFirst()
            .orElse(null), is(notNullValue()));

    List<NetworkPolicyPeer> allowedSources = policy.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(replicationPort))
            .map(NetworkPolicyIngressRule::getFrom)
            .findFirst()
            .orElse(null);

    // An empty `from` list is the expected fallback. On Kubernetes an ingress
    // rule with no sources matches all sources, so this pins down that the
    // replication port is NOT restricted by the policy in this mode.
    assertThat(allowedSources.size(), is(0));
}
Example #3
Source File: KafkaClusterTest.java From strimzi-kafka-operator with Apache License 2.0 | 5 votes |
/**
 * Checks that listeners configured without any network policy peers each get
 * one ingress rule whose {@code from} list is empty.
 */
@Test
public void testNoNetworkPolicyPeers() {
    // Plain, TLS and external (route) listeners, none of them declaring peers
    Kafka kafka = new KafkaBuilder(ResourceUtils.createKafkaCluster(namespace, cluster, replicas, image, healthDelay, healthTimeout, metricsCm, configuration, emptyMap()))
            .editSpec()
                .editKafka()
                    .withNewListeners()
                        .withNewPlain()
                        .endPlain()
                        .withNewTls()
                        .endTls()
                        .withNewKafkaListenerExternalRoute()
                        .endKafkaListenerExternalRoute()
                    .endListeners()
                .endKafka()
            .endSpec()
            .build();
    KafkaCluster kafkaCluster = KafkaCluster.fromCrd(kafka, VERSIONS);

    // Inspect the generated policy port by port
    NetworkPolicy policy = kafkaCluster.generateNetworkPolicy(true);
    IntOrString plainPort = new IntOrString(KafkaCluster.CLIENT_PORT);
    IntOrString tlsPort = new IntOrString(KafkaCluster.CLIENT_TLS_PORT);
    IntOrString externalPort = new IntOrString(KafkaCluster.EXTERNAL_PORT);

    // In each case the empty `from` list means the policy places no source
    // restriction on the listener port (Kubernetes treats it as "all sources").
    List<NetworkPolicyIngressRule> plainRules = policy.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(plainPort))
            .collect(Collectors.toList());
    assertThat(plainRules.size(), is(1));
    assertThat(plainRules.get(0).getFrom().size(), is(0));

    List<NetworkPolicyIngressRule> tlsRules = policy.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(tlsPort))
            .collect(Collectors.toList());
    assertThat(tlsRules.size(), is(1));
    assertThat(tlsRules.get(0).getFrom().size(), is(0));

    List<NetworkPolicyIngressRule> externalRules = policy.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(externalPort))
            .collect(Collectors.toList());
    assertThat(externalRules.size(), is(1));
    assertThat(externalRules.get(0).getFrom().size(), is(0));
}
Example #4
Source File: KafkaConnectCluster.java From strimzi-kafka-operator with Apache License 2.0 | 4 votes |
/**
 * Builds the network policy applied to the pods matching this component's
 * selector labels. It carries one ingress rule for the REST API port and,
 * when metrics are enabled, a second rule for the metrics port.
 *
 * <p>Review notes on the resulting exposure (Kubernetes treats an ingress rule
 * with an empty or absent {@code from} as matching all sources):
 * <ul>
 *   <li>With selector support, the REST API rule admits the Connect pods
 *       themselves and pods labelled as the cluster operator. That operator
 *       peer uses an empty namespace selector, i.e. any namespace, so the pod
 *       label is the only discriminator.</li>
 *   <li>Without selector support, the REST API rule has no {@code from} and the
 *       port is reachable from any source.</li>
 *   <li>The metrics rule is always built with an empty {@code from}.</li>
 * </ul>
 *
 * @param namespaceAndPodSelectorNetworkPolicySupported whether the kube cluster supports namespace selectors
 * @param connectorOperatorEnabled Whether the ConnectorOperator is enabled or not
 * @return The network policy, or {@code null} when the connector operator is not enabled.
 */
public NetworkPolicy generateNetworkPolicy(boolean namespaceAndPodSelectorNetworkPolicySupported, boolean connectorOperatorEnabled) {
    // Nothing to generate unless the connector operator is enabled.
    if (!connectorOperatorEnabled) {
        return null;
    }

    List<NetworkPolicyIngressRule> ingressRules = new ArrayList<>(2);

    // Rule giving the CO access to the REST API; sources are attached below.
    NetworkPolicyIngressRule restApiIngress = new NetworkPolicyIngressRuleBuilder()
            .addNewPort()
                .withNewPort(REST_API_PORT)
            .endPort()
            .build();

    // OCP 3.11 cannot express a `from` section that contains a namespace, and
    // the CO may run in a different namespace. On 3.11 the `from` section is
    // therefore left empty (wide open); sources are only set elsewhere.
    if (namespaceAndPodSelectorNetworkPolicySupported) {
        // Connect pods of the same cluster talk to each other over the REST API
        NetworkPolicyPeer connectPods = new NetworkPolicyPeerBuilder()
                .withNewPodSelector()
                    .addToMatchLabels(getSelectorLabels().toMap())
                .endPodSelector()
                .build();

        // The CO manages connectors through the REST API. The empty namespace
        // selector lets it live in any namespace.
        NetworkPolicyPeer clusterOperator = new NetworkPolicyPeerBuilder()
                .withNewPodSelector()
                    .addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator")
                .endPodSelector()
                .withNewNamespaceSelector()
                .endNamespaceSelector()
                .build();

        List<NetworkPolicyPeer> allowedSources = new ArrayList<>(2);
        allowedSources.add(connectPods);
        allowedSources.add(clusterOperator);
        restApiIngress.setFrom(allowedSources);
    }

    ingressRules.add(restApiIngress);

    // Metrics need their own rule once a policy exists, otherwise they would
    // be blocked. The rule is built with no sources listed.
    if (isMetricsEnabled) {
        NetworkPolicyPort metricsIngressPort = new NetworkPolicyPort();
        metricsIngressPort.setPort(new IntOrString(METRICS_PORT));

        NetworkPolicyIngressRule metricsIngress = new NetworkPolicyIngressRuleBuilder()
                .withPorts(metricsIngressPort)
                .withFrom()
                .build();

        ingressRules.add(metricsIngress);
    }

    NetworkPolicy policy = new NetworkPolicyBuilder()
            .withNewMetadata()
                .withName(name)
                .withNamespace(namespace)
                .withLabels(labels.toMap())
                .withOwnerReferences(createOwnerReference())
            .endMetadata()
            .withNewSpec()
                .withNewPodSelector()
                    .addToMatchLabels(getSelectorLabels().toMap())
                .endPodSelector()
                .withIngress(ingressRules)
            .endSpec()
            .build();

    log.trace("Created network policy {}", policy);
    return policy;
}
Example #5
Source File: CruiseControl.java From strimzi-kafka-operator with Apache License 2.0 | 4 votes |
/**
 * Builds the network policy for the Cruise Control pods, with a single
 * ingress rule covering the REST API port.
 *
 * <p>With selector support the rule admits only pods labelled as the cluster
 * operator; the peer's namespace selector is empty, so such a pod may be in
 * any namespace. Without selector support no {@code from} is set on the rule,
 * which Kubernetes treats as matching all sources.
 *
 * @param namespaceAndPodSelectorNetworkPolicySupported whether the kube cluster supports namespace selectors
 * @return The network policy.
 */
public NetworkPolicy generateNetworkPolicy(boolean namespaceAndPodSelectorNetworkPolicySupported) {
    List<NetworkPolicyIngressRule> ingressRules = new ArrayList<>(1);

    // Rule through which the CO reaches the REST API
    NetworkPolicyIngressRule restApiIngress = new NetworkPolicyIngressRuleBuilder()
            .addNewPort()
                .withNewPort(REST_API_PORT)
            .endPort()
            .build();

    if (namespaceAndPodSelectorNetworkPolicySupported) {
        // Restrict sources to the cluster operator, whatever its namespace
        NetworkPolicyPeer clusterOperator = new NetworkPolicyPeerBuilder()
                .withNewPodSelector()
                    .addToMatchLabels(Labels.STRIMZI_KIND_LABEL, "cluster-operator")
                .endPodSelector()
                .withNewNamespaceSelector()
                .endNamespaceSelector()
                .build();

        restApiIngress.setFrom(Collections.singletonList(clusterOperator));
    }

    ingressRules.add(restApiIngress);

    NetworkPolicy policy = new NetworkPolicyBuilder()
            .withNewMetadata()
                .withName(policyName(cluster))
                .withNamespace(namespace)
                .withLabels(labels.toMap())
                .withOwnerReferences(createOwnerReference())
            .endMetadata()
            .withNewSpec()
                .withNewPodSelector()
                    .addToMatchLabels(Labels.STRIMZI_NAME_LABEL, cruiseControlName(cluster))
                .endPodSelector()
                .withIngress(ingressRules)
            .endSpec()
            .build();

    log.trace("Created network policy {}", policy);
    return policy;
}
Example #6
Source File: KafkaClusterTest.java From strimzi-kafka-operator with Apache License 2.0 | 4 votes |
/**
 * Checks that, with namespace and pod selector support, the replication-port
 * rule admits exactly the five expected peers: the Kafka brokers, the Entity
 * Operator, the Kafka Exporter, Cruise Control and the cluster operator.
 */
@Test
public void testReplicationPortNetworkPolicy() {
    // Peers with only a pod selector; each is matched by its name label.
    NetworkPolicyPeer brokersPeer = new NetworkPolicyPeerBuilder()
            .withNewPodSelector()
                .withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, KafkaCluster.kafkaClusterName(cluster)))
            .endPodSelector()
            .build();

    NetworkPolicyPeer entityOperatorPeer = new NetworkPolicyPeerBuilder()
            .withNewPodSelector()
                .withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, EntityOperator.entityOperatorName(cluster)))
            .endPodSelector()
            .build();

    NetworkPolicyPeer exporterPeer = new NetworkPolicyPeerBuilder()
            .withNewPodSelector()
                .withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, KafkaExporter.kafkaExporterName(cluster)))
            .endPodSelector()
            .build();

    NetworkPolicyPeer cruiseControlPeer = new NetworkPolicyPeerBuilder()
            .withNewPodSelector()
                .withMatchLabels(Collections.singletonMap(Labels.STRIMZI_NAME_LABEL, CruiseControl.cruiseControlName(cluster)))
            .endPodSelector()
            .build();

    // The operator peer also carries an empty namespace selector, which on
    // Kubernetes matches every namespace.
    NetworkPolicyPeer operatorPeer = new NetworkPolicyPeerBuilder()
            .withNewPodSelector()
                .withMatchLabels(Collections.singletonMap(Labels.STRIMZI_KIND_LABEL, "cluster-operator"))
            .endPodSelector()
            .withNewNamespaceSelector().endNamespaceSelector()
            .build();

    Kafka kafka = ResourceUtils.createKafkaCluster(namespace, cluster, replicas, image, healthDelay, healthTimeout, metricsCm, configuration, emptyMap());
    KafkaCluster kafkaCluster = KafkaCluster.fromCrd(kafka, VERSIONS);

    // Inspect the generated policy
    NetworkPolicy policy = kafkaCluster.generateNetworkPolicy(true);
    IntOrString replicationPort = new IntOrString(KafkaCluster.REPLICATION_PORT);

    assertThat(policy.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(replicationPort))
            .findFirst()
            .orElse(null), is(notNullValue()));

    List<NetworkPolicyPeer> allowedSources = policy.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(replicationPort))
            .map(NetworkPolicyIngressRule::getFrom)
            .findFirst()
            .orElse(null);

    // The exact count guards against an unexpected extra source being added.
    assertThat(allowedSources.size(), is(5));
    assertThat(allowedSources.contains(brokersPeer), is(true));
    assertThat(allowedSources.contains(entityOperatorPeer), is(true));
    assertThat(allowedSources.contains(exporterPeer), is(true));
    assertThat(allowedSources.contains(cruiseControlPeer), is(true));
    assertThat(allowedSources.contains(operatorPeer), is(true));
}
Example #7
Source File: KafkaClusterTest.java From strimzi-kafka-operator with Apache License 2.0 | 4 votes |
/**
 * Checks that the network policy peers declared on each listener end up in
 * the {@code from} list of that listener's ingress rule.
 */
@Test
public void testNetworkPolicyPeers() {
    // One peer selecting pods, one selecting namespaces
    NetworkPolicyPeer podPeer = new NetworkPolicyPeerBuilder()
            .withNewPodSelector()
                .withMatchExpressions(new LabelSelectorRequirementBuilder().withKey("my-key1").withValues("my-value1").build())
            .endPodSelector()
            .build();

    NetworkPolicyPeer namespacePeer = new NetworkPolicyPeerBuilder()
            .withNewNamespaceSelector()
                .withMatchExpressions(new LabelSelectorRequirementBuilder().withKey("my-key2").withValues("my-value2").build())
            .endNamespaceSelector()
            .build();

    // plain -> podPeer, tls -> namespacePeer, external route -> both
    Kafka kafka = new KafkaBuilder(ResourceUtils.createKafkaCluster(namespace, cluster, replicas, image, healthDelay, healthTimeout, metricsCm, configuration, emptyMap()))
            .editSpec()
                .editKafka()
                    .withNewListeners()
                        .withNewPlain()
                            .withNetworkPolicyPeers(podPeer)
                        .endPlain()
                        .withNewTls()
                            .withNetworkPolicyPeers(namespacePeer)
                        .endTls()
                        .withNewKafkaListenerExternalRoute()
                            .withNetworkPolicyPeers(podPeer, namespacePeer)
                        .endKafkaListenerExternalRoute()
                    .endListeners()
                .endKafka()
            .endSpec()
            .build();
    KafkaCluster kafkaCluster = KafkaCluster.fromCrd(kafka, VERSIONS);

    // Inspect the generated policy port by port
    NetworkPolicy policy = kafkaCluster.generateNetworkPolicy(true);
    IntOrString plainPort = new IntOrString(KafkaCluster.CLIENT_PORT);
    IntOrString tlsPort = new IntOrString(KafkaCluster.CLIENT_TLS_PORT);
    IntOrString externalPort = new IntOrString(KafkaCluster.EXTERNAL_PORT);

    List<NetworkPolicyIngressRule> plainRules = policy.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(plainPort))
            .collect(Collectors.toList());
    assertThat(plainRules.size(), is(1));
    assertThat(plainRules.get(0).getFrom().get(0), is(podPeer));

    List<NetworkPolicyIngressRule> tlsRules = policy.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(tlsPort))
            .collect(Collectors.toList());
    assertThat(tlsRules.size(), is(1));
    assertThat(tlsRules.get(0).getFrom().get(0), is(namespacePeer));

    // The external rule must list exactly the two configured peers.
    List<NetworkPolicyIngressRule> externalRules = policy.getSpec().getIngress().stream()
            .filter(rule -> rule.getPorts().get(0).getPort().equals(externalPort))
            .collect(Collectors.toList());
    assertThat(externalRules.size(), is(1));
    assertThat(externalRules.get(0).getFrom().size(), is(2));
    assertThat(externalRules.get(0).getFrom().contains(podPeer), is(true));
    assertThat(externalRules.get(0).getFrom().contains(namespacePeer), is(true));
}
Example #8
Source File: NetworkPolicy.java From enmasse with Apache License 2.0 | 4 votes |
/**
 * Creates a policy from its {@code ingress} and {@code egress} JSON
 * properties, substituting a new empty list for whichever one is missing.
 *
 * <p>A supplied list is stored by reference rather than copied, so later
 * changes made by the caller to that list are visible through this object.
 *
 * @param ingress ingress rules, or {@code null} if the property is absent
 * @param egress egress rules, or {@code null} if the property is absent
 */
public NetworkPolicy(@JsonProperty("ingress") List<NetworkPolicyIngressRule> ingress,
                     @JsonProperty("egress") List<NetworkPolicyEgressRule> egress) {
    if (ingress == null) {
        this.ingress = new ArrayList<>();
    } else {
        this.ingress = ingress;
    }

    if (egress == null) {
        this.egress = new ArrayList<>();
    } else {
        this.egress = egress;
    }
}
Example #9
Source File: NetworkPolicy.java From enmasse with Apache License 2.0 | 4 votes |
/**
 * Returns the ingress rules held by this policy.
 *
 * <p>The backing list is handed out directly, without copying or wrapping, so
 * if it is mutable a caller that modifies it changes this policy.
 *
 * @return the ingress rule list
 */
public List<NetworkPolicyIngressRule> getIngress() {
    return this.ingress;
}