github.phpd.cn/cilium/cilium@v1.6.12/pkg/k8s/network_policy.go (about) 1 // Copyright 2016-2019 Authors of Cilium 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package k8s 16 17 import ( 18 "fmt" 19 20 "github.com/cilium/cilium/pkg/annotation" 21 k8sConst "github.com/cilium/cilium/pkg/k8s/apis/cilium.io" 22 k8sCiliumUtils "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/utils" 23 k8sUtils "github.com/cilium/cilium/pkg/k8s/utils" 24 "github.com/cilium/cilium/pkg/labels" 25 "github.com/cilium/cilium/pkg/logging/logfields" 26 "github.com/cilium/cilium/pkg/policy" 27 "github.com/cilium/cilium/pkg/policy/api" 28 29 networkingv1 "k8s.io/api/networking/v1" 30 "k8s.io/apimachinery/pkg/apis/meta/v1" 31 ) 32 33 const ( 34 resourceTypeNetworkPolicy = "NetworkPolicy" 35 ) 36 37 var ( 38 allowAllNamespacesRequirement = v1.LabelSelectorRequirement{ 39 Key: k8sConst.PodNamespaceLabel, 40 Operator: v1.LabelSelectorOpExists, 41 } 42 ) 43 44 // GetPolicyLabelsv1 extracts the name of np. It uses the name from the Cilium 45 // annotation if present. If the policy's annotations do not contain 46 // the Cilium annotation, the policy's name field is used instead. 47 func GetPolicyLabelsv1(np *networkingv1.NetworkPolicy) labels.LabelArray { 48 if np == nil { 49 log.Warningf("unable to extract policy labels because provided NetworkPolicy is nil") 50 return nil 51 } 52 53 policyName := np.Annotations[annotation.Name] 54 policyUID := np.UID 55 56 if policyName == "" { 57 policyName = np.Name 58 } 59 60 ns := k8sUtils.ExtractNamespace(&np.ObjectMeta) 61 62 return k8sCiliumUtils.GetPolicyLabels(ns, policyName, policyUID, resourceTypeNetworkPolicy) 63 } 64 65 func parseNetworkPolicyPeer(namespace string, peer *networkingv1.NetworkPolicyPeer) *api.EndpointSelector { 66 if peer == nil { 67 return nil 68 } 69 70 var retSel *api.EndpointSelector 71 72 if peer.NamespaceSelector != nil { 73 labelSelector := peer.NamespaceSelector 74 matchLabels := map[string]string{} 75 // We use our own special label prefix for namespace metadata, 76 // thus we need to prefix that prefix to all NamespaceSelector.MatchLabels 77 for k, v := range peer.NamespaceSelector.MatchLabels { 78 matchLabels[policy.JoinPath(k8sConst.PodNamespaceMetaLabels, k)] = v 79 } 80 peer.NamespaceSelector.MatchLabels = matchLabels 81 82 // We use our own special label prefix for namespace metadata, 83 // thus we need to prefix that prefix to all NamespaceSelector.MatchLabels 84 for i, lsr := range peer.NamespaceSelector.MatchExpressions { 85 lsr.Key = policy.JoinPath(k8sConst.PodNamespaceMetaLabels, lsr.Key) 86 peer.NamespaceSelector.MatchExpressions[i] = lsr 87 } 88 89 // Empty namespace selector selects all namespaces (i.e., a namespace 90 // label exists). 91 if len(peer.NamespaceSelector.MatchLabels) == 0 && len(peer.NamespaceSelector.MatchExpressions) == 0 { 92 peer.NamespaceSelector.MatchExpressions = []v1.LabelSelectorRequirement{allowAllNamespacesRequirement} 93 } 94 95 selector := api.NewESFromK8sLabelSelector(labels.LabelSourceK8sKeyPrefix, labelSelector, peer.PodSelector) 96 retSel = &selector 97 } else if peer.PodSelector != nil { 98 labelSelector := peer.PodSelector 99 if peer.PodSelector.MatchLabels == nil { 100 peer.PodSelector.MatchLabels = map[string]string{} 101 } 102 // The PodSelector should only reflect to the same namespace 103 // the policy is being stored, thus we add the namespace to 104 // the MatchLabels map. 105 peer.PodSelector.MatchLabels[k8sConst.PodNamespaceLabel] = namespace 106 107 selector := api.NewESFromK8sLabelSelector(labels.LabelSourceK8sKeyPrefix, labelSelector) 108 retSel = &selector 109 } 110 111 return retSel 112 } 113 114 func hasV1PolicyType(pTypes []networkingv1.PolicyType, typ networkingv1.PolicyType) bool { 115 for _, pType := range pTypes { 116 if pType == typ { 117 return true 118 } 119 } 120 return false 121 } 122 123 // ParseNetworkPolicy parses a k8s NetworkPolicy. Returns a list of 124 // Cilium policy rules that can be added, along with an error if there was an 125 // error sanitizing the rules. 126 func ParseNetworkPolicy(np *networkingv1.NetworkPolicy) (api.Rules, error) { 127 128 if np == nil { 129 return nil, fmt.Errorf("cannot parse NetworkPolicy because it is nil") 130 } 131 132 ingresses := []api.IngressRule{} 133 egresses := []api.EgressRule{} 134 135 namespace := k8sUtils.ExtractNamespace(&np.ObjectMeta) 136 137 for _, iRule := range np.Spec.Ingress { 138 fromRules := []api.IngressRule{} 139 if iRule.From != nil && len(iRule.From) > 0 { 140 for _, rule := range iRule.From { 141 ingress := api.IngressRule{} 142 endpointSelector := parseNetworkPolicyPeer(namespace, &rule) 143 144 if endpointSelector != nil { 145 ingress.FromEndpoints = append(ingress.FromEndpoints, *endpointSelector) 146 } else { 147 // No label-based selectors were in NetworkPolicyPeer. 148 log.WithField(logfields.K8sNetworkPolicyName, np.Name).Debug("NetworkPolicyPeer does not have PodSelector or NamespaceSelector") 149 } 150 151 // Parse CIDR-based parts of rule. 152 if rule.IPBlock != nil { 153 ingress.FromCIDRSet = append(ingress.FromCIDRSet, ipBlockToCIDRRule(rule.IPBlock)) 154 } 155 156 fromRules = append(fromRules, ingress) 157 } 158 } else { 159 // Based on NetworkPolicyIngressRule docs: 160 // From []NetworkPolicyPeer 161 // If this field is empty or missing, this rule matches all 162 // sources (traffic not restricted by source). 163 ingress := api.IngressRule{} 164 ingress.FromEndpoints = append(ingress.FromEndpoints, api.WildcardEndpointSelector) 165 166 fromRules = append(fromRules, ingress) 167 } 168 169 // We apply the ports to all rules generated from the From section 170 if iRule.Ports != nil && len(iRule.Ports) > 0 { 171 toPorts := parsePorts(iRule.Ports) 172 for i := range fromRules { 173 fromRules[i].ToPorts = toPorts 174 } 175 } 176 177 ingresses = append(ingresses, fromRules...) 178 } 179 180 for _, eRule := range np.Spec.Egress { 181 toRules := []api.EgressRule{} 182 183 if eRule.To != nil && len(eRule.To) > 0 { 184 for _, rule := range eRule.To { 185 egress := api.EgressRule{} 186 if rule.NamespaceSelector != nil || rule.PodSelector != nil { 187 endpointSelector := parseNetworkPolicyPeer(namespace, &rule) 188 189 if endpointSelector != nil { 190 egress.ToEndpoints = append(egress.ToEndpoints, *endpointSelector) 191 } else { 192 log.WithField(logfields.K8sNetworkPolicyName, np.Name).Debug("NetworkPolicyPeer does not have PodSelector or NamespaceSelector") 193 } 194 } 195 if rule.IPBlock != nil { 196 egress.ToCIDRSet = append(egress.ToCIDRSet, ipBlockToCIDRRule(rule.IPBlock)) 197 } 198 199 toRules = append(toRules, egress) 200 } 201 } else { 202 // Based on NetworkPolicyEgressRule docs: 203 // To []NetworkPolicyPeer 204 // If this field is empty or missing, this rule matches all 205 // destinations (traffic not restricted by destination) 206 egress := api.EgressRule{} 207 egress.ToEndpoints = append(egress.ToEndpoints, api.WildcardEndpointSelector) 208 209 toRules = append(toRules, egress) 210 } 211 212 // We apply the ports to all rules generated from the To section 213 if eRule.Ports != nil && len(eRule.Ports) > 0 { 214 toPorts := parsePorts(eRule.Ports) 215 for i := range toRules { 216 toRules[i].ToPorts = toPorts 217 } 218 } 219 220 egresses = append(egresses, toRules...) 221 } 222 223 // Convert the k8s default-deny model to the Cilium default-deny model 224 //spec: 225 // podSelector: {} 226 // policyTypes: 227 // - Ingress 228 // Since k8s 1.7 doesn't contain any PolicyTypes, we default deny 229 // if podSelector is empty and the policyTypes is not egress 230 if len(ingresses) == 0 && 231 (hasV1PolicyType(np.Spec.PolicyTypes, networkingv1.PolicyTypeIngress) || 232 !hasV1PolicyType(np.Spec.PolicyTypes, networkingv1.PolicyTypeEgress)) { 233 ingresses = []api.IngressRule{{}} 234 } 235 236 // Convert the k8s default-deny model to the Cilium default-deny model 237 //spec: 238 // podSelector: {} 239 // policyTypes: 240 // - Egress 241 if len(egresses) == 0 && hasV1PolicyType(np.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) { 242 egresses = []api.EgressRule{{}} 243 } 244 245 if np.Spec.PodSelector.MatchLabels == nil { 246 np.Spec.PodSelector.MatchLabels = map[string]string{} 247 } 248 np.Spec.PodSelector.MatchLabels[k8sConst.PodNamespaceLabel] = namespace 249 250 // The next patch will pass the UID. 251 rule := api.NewRule(). 252 WithEndpointSelector(api.NewESFromK8sLabelSelector(labels.LabelSourceK8sKeyPrefix, &np.Spec.PodSelector)). 253 WithLabels(GetPolicyLabelsv1(np)). 254 WithIngressRules(ingresses). 255 WithEgressRules(egresses) 256 257 if err := rule.Sanitize(); err != nil { 258 return nil, err 259 } 260 261 return api.Rules{rule}, nil 262 } 263 264 func ipBlockToCIDRRule(block *networkingv1.IPBlock) api.CIDRRule { 265 cidrRule := api.CIDRRule{} 266 cidrRule.Cidr = api.CIDR(block.CIDR) 267 for _, v := range block.Except { 268 cidrRule.ExceptCIDRs = append(cidrRule.ExceptCIDRs, api.CIDR(v)) 269 } 270 return cidrRule 271 } 272 273 // parsePorts converts list of K8s NetworkPolicyPorts to Cilium PortRules. 274 func parsePorts(ports []networkingv1.NetworkPolicyPort) []api.PortRule { 275 portRules := []api.PortRule{} 276 for _, port := range ports { 277 if port.Protocol == nil && port.Port == nil { 278 continue 279 } 280 281 protocol := api.ProtoTCP 282 if port.Protocol != nil { 283 protocol, _ = api.ParseL4Proto(string(*port.Protocol)) 284 } 285 286 portStr := "" 287 if port.Port != nil { 288 portStr = port.Port.String() 289 } 290 291 portRule := api.PortRule{ 292 Ports: []api.PortProtocol{ 293 {Port: portStr, Protocol: protocol}, 294 }, 295 } 296 297 portRules = append(portRules, portRule) 298 } 299 300 return portRules 301 }