diff --git a/pkg/controllers/networkpolicy.go b/pkg/controllers/networkpolicy.go index 0a1d17c8..62e894c5 100644 --- a/pkg/controllers/networkpolicy.go +++ b/pkg/controllers/networkpolicy.go @@ -22,8 +22,8 @@ import ( "sync" "time" - multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1" - multiinformerv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions/k8s.cni.cncf.io/v1beta1" + multiv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta2" + multiinformerv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions/k8s.cni.cncf.io/v1beta2" "k8s.io/apimachinery/pkg/types" utilruntime "k8s.io/apimachinery/pkg/util/runtime" @@ -36,13 +36,13 @@ import ( type NetworkPolicyHandler interface { // OnPolicyAdd is called whenever creation of new policy object // is observed. - OnPolicyAdd(policy *multiv1beta1.MultiNetworkPolicy) + OnPolicyAdd(policy *multiv1beta2.MultiNetworkPolicy) // OnPolicyUpdate is called whenever modification of an existing // policy object is observed. - OnPolicyUpdate(oldPolicy, policy *multiv1beta1.MultiNetworkPolicy) + OnPolicyUpdate(oldPolicy, policy *multiv1beta2.MultiNetworkPolicy) // OnPolicyDelete is called whenever deletion of an existing policy // object is observed. - OnPolicyDelete(policy *multiv1beta1.MultiNetworkPolicy) + OnPolicyDelete(policy *multiv1beta2.MultiNetworkPolicy) // OnPolicySynced is called once all the initial event handlers were // called and the state is fully propagated to local cache. OnPolicySynced() 
@@ -55,7 +55,7 @@ type NetworkPolicyConfig struct { } // NewNetworkPolicyConfig creates a new NetworkPolicyConfig . -func NewNetworkPolicyConfig(policyInformer multiinformerv1beta1.MultiNetworkPolicyInformer, resyncPeriod time.Duration) *NetworkPolicyConfig { +func NewNetworkPolicyConfig(policyInformer multiinformerv1beta2.MultiNetworkPolicyInformer, resyncPeriod time.Duration) *NetworkPolicyConfig { result := &NetworkPolicyConfig{ listerSynced: policyInformer.Informer().HasSynced, } @@ -91,7 +91,7 @@ func (c *NetworkPolicyConfig) Run(stopCh <-chan struct{}) { } func (c *NetworkPolicyConfig) handleAddPolicy(obj interface{}) { - policy, ok := obj.(*multiv1beta1.MultiNetworkPolicy) + policy, ok := obj.(*multiv1beta2.MultiNetworkPolicy) if !ok { utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", obj)) return @@ -104,12 +104,12 @@ func (c *NetworkPolicyConfig) handleAddPolicy(obj interface{}) { } func (c *NetworkPolicyConfig) handleUpdatePolicy(oldObj, newObj interface{}) { - oldPolicy, ok := oldObj.(*multiv1beta1.MultiNetworkPolicy) + oldPolicy, ok := oldObj.(*multiv1beta2.MultiNetworkPolicy) if !ok { utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", oldObj)) return } - policy, ok := newObj.(*multiv1beta1.MultiNetworkPolicy) + policy, ok := newObj.(*multiv1beta2.MultiNetworkPolicy) if !ok { utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", newObj)) return 
@@ -121,13 +121,13 @@ func (c *NetworkPolicyConfig) handleUpdatePolicy(oldObj, newObj interface{}) { } func (c *NetworkPolicyConfig) handleDeletePolicy(obj interface{}) { - policy, ok := obj.(*multiv1beta1.MultiNetworkPolicy) + policy, ok := obj.(*multiv1beta2.MultiNetworkPolicy) if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", obj)) } - if policy, ok = tombstone.Obj.(*multiv1beta1.MultiNetworkPolicy); !ok { + if policy, ok = tombstone.Obj.(*multiv1beta2.MultiNetworkPolicy); !ok { utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", obj)) return } @@ -140,7 +140,7 @@ func (c *NetworkPolicyConfig) handleDeletePolicy(obj interface{}) { // PolicyInfo contains information that defines a policy. type PolicyInfo struct { - Policy *multiv1beta1.MultiNetworkPolicy + Policy *multiv1beta2.MultiNetworkPolicy } // Name ... @@ -223,14 +223,14 @@ func (pct *PolicyChangeTracker) String() string { return fmt.Sprintf("policyChange: %v", pct.items) } -func (pct *PolicyChangeTracker) newPolicyInfo(policy *multiv1beta1.MultiNetworkPolicy) (*PolicyInfo, error) { +func (pct *PolicyChangeTracker) newPolicyInfo(policy *multiv1beta2.MultiNetworkPolicy) (*PolicyInfo, error) { info := &PolicyInfo{ Policy: policy, } return info, nil } -func (pct *PolicyChangeTracker) policyToPolicyMap(policy *multiv1beta1.MultiNetworkPolicy) PolicyMap { +func (pct *PolicyChangeTracker) policyToPolicyMap(policy *multiv1beta2.MultiNetworkPolicy) PolicyMap { if policy == nil { return nil } @@ -245,7 +245,7 @@ func (pct *PolicyChangeTracker) policyToPolicyMap(policy *multiv1beta1.MultiNetw } // Update ... -func (pct *PolicyChangeTracker) Update(previous, current *multiv1beta1.MultiNetworkPolicy) bool { +func (pct *PolicyChangeTracker) Update(previous, current *multiv1beta2.MultiNetworkPolicy) bool { policy := current if pct == nil { 
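Review bot: In handleDeletePolicy the inner `if !ok` branch that handles a non-tombstone object calls `utilruntime.HandleError(...)` but does not return, so execution falls through to `tombstone.Obj.(*multiv1beta2.MultiNetworkPolicy)` on a zero-value `cache.DeletedFinalStateUnknown`; that assertion fails as well and the same object is reported twice before the handler finally bails out. Adding `return` directly after the first `utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", obj))` exits at the point the bad type is detected and matches the shape of handleAddPolicy and handleUpdatePolicy in the previous hunk. The commit only renames the type on these lines, so the defect is pre-existing rather than introduced here. handleDeletePolicy's body continues past the end of the hunk.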
diff --git a/pkg/controllers/networkpolicy_test.go b/pkg/controllers/networkpolicy_test.go index 8c582531..718cfe6b 100644 --- a/pkg/controllers/networkpolicy_test.go +++ b/pkg/controllers/networkpolicy_test.go @@ -20,9 +20,9 @@ import ( //"fmt" "time" - multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1" + multiv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta2" multifake "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/clientset/versioned/fake" - multiinformerv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions" + multiinformerv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -38,15 +38,15 @@ type FakeNetworkPolicyConfigStub struct { CounterSynced int } -func (f *FakeNetworkPolicyConfigStub) OnPolicyAdd(_ *multiv1beta1.MultiNetworkPolicy) { +func (f *FakeNetworkPolicyConfigStub) OnPolicyAdd(_ *multiv1beta2.MultiNetworkPolicy) { f.CounterAdd++ } -func (f *FakeNetworkPolicyConfigStub) OnPolicyUpdate(_, _ *multiv1beta1.MultiNetworkPolicy) { +func (f *FakeNetworkPolicyConfigStub) OnPolicyUpdate(_, _ *multiv1beta2.MultiNetworkPolicy) { f.CounterUpdate++ } -func (f *FakeNetworkPolicyConfigStub) OnPolicyDelete(_ *multiv1beta1.MultiNetworkPolicy) { +func (f *FakeNetworkPolicyConfigStub) OnPolicyDelete(_ *multiv1beta2.MultiNetworkPolicy) { f.CounterDelete++ } 
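Review bot: The renamed alias `multiinformerv1beta2` in the test imports points at `.../pkg/client/informers/externalversions`, the unversioned shared-informer factory package, not a v1beta2 package; the version suffix was already misleading for v1beta1 and the rename carries it forward. server.go in this same commit imports that package as `multiinformer`, so using the same alias here, `multiinformer "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions"`, keeps the name honest and consistent across the two packages.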
@@ -57,14 +57,14 @@ func (f *FakeNetworkPolicyConfigStub) OnPolicySynced() { func NewFakeNetworkPolicyConfig(stub *FakeNetworkPolicyConfigStub) *NetworkPolicyConfig { configSync := 15 * time.Minute fakeClient := multifake.NewSimpleClientset() - informerFactory := multiinformerv1beta1.NewSharedInformerFactoryWithOptions(fakeClient, configSync) - policyConfig := NewNetworkPolicyConfig(informerFactory.K8sCniCncfIo().V1beta1().MultiNetworkPolicies(), configSync) + informerFactory := multiinformerv1beta2.NewSharedInformerFactoryWithOptions(fakeClient, configSync) + policyConfig := NewNetworkPolicyConfig(informerFactory.K8sCniCncfIo().V1beta2().MultiNetworkPolicies(), configSync) policyConfig.RegisterEventHandler(stub) return policyConfig } -func NewNetworkPolicy(namespace, name string) *multiv1beta1.MultiNetworkPolicy { - return &multiv1beta1.MultiNetworkPolicy{ +func NewNetworkPolicy(namespace, name string) *multiv1beta2.MultiNetworkPolicy { + return &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Namespace: namespace, Name: name, diff --git a/pkg/server/policyrules.go b/pkg/server/policyrules.go index 46a28776..618a2899 100644 --- a/pkg/server/policyrules.go +++ b/pkg/server/policyrules.go @@ -23,7 +23,7 @@ import ( "strings" "github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables/pkg/controllers" - multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1" + multiv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta2" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" @@ -141,10 +141,10 @@ func (ipt *iptableBuffer) FinalizeRules() { func (ipt *iptableBuffer) SaveRules(path string) error { file, err := os.Create(path) - defer file.Close() if err != nil { return err } + defer file.Close() //_, err = ipt.filterRules.WriteTo(file) fmt.Fprintf(file, "%s", ipt.filterRules.String()) return err 
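Review bot: Moving `defer file.Close()` below the error check fixes the nil-file path in SaveRules, but the function still returns the `err` left over from `os.Create` after the write, so a failed or short `fmt.Fprintf` is never reported and the caller proceeds with a rules file that may be incomplete; for an iptables rule set that means the policy actually loaded can silently differ from the one rendered. Capturing the write result, `_, err = fmt.Fprintf(file, "%s", ipt.filterRules.String())`, lets the existing `return err` surface it (the commented-out `ipt.filterRules.WriteTo(file)` line would do the same). The deferred `file.Close()` also drops the close error; returning `file.Close()` explicitly on the success path would cover that as well.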
@@ -216,7 +216,7 @@ func (ipt *iptableBuffer) renderIngressCommon(s *Server) { writeLine(ipt.policyCommon, "-A", ingressCommonChain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT") } -func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo, idx int, policy *multiv1beta1.MultiNetworkPolicy, policyNetworks []string) { +func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo, idx int, policy *multiv1beta2.MultiNetworkPolicy, policyNetworks []string) { chainName := fmt.Sprintf("MULTI-%d-INGRESS", idx) ipt.CreateFilterChain(chainName) @@ -240,7 +240,7 @@ func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo, } } -func (ipt *iptableBuffer) renderIngressPorts(_ *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta1.MultiNetworkPolicyPort, policyNetworks []string) { +func (ipt *iptableBuffer) renderIngressPorts(_ *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta2.MultiNetworkPolicyPort, policyNetworks []string) { chainName := fmt.Sprintf("MULTI-%d-INGRESS-%d-PORTS", pIndex, iIndex) ipt.CreateFilterChain(chainName) @@ -269,10 +269,9 @@ func (ipt *iptableBuffer) renderIngressPorts(_ *Server, podInfo *controllers.Pod "-m", "comment", "--comment", "\"no ingress ports, skipped\"", "-j", "MARK", "--set-xmark", "0x10000/0x10000") } - return } -func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, from []multiv1beta1.MultiNetworkPolicyPeer, policyNetworks []string) { +func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, from []multiv1beta2.MultiNetworkPolicyPeer, policyNetworks []string) { chainName := fmt.Sprintf("MULTI-%d-INGRESS-%d-FROM", pIndex, iIndex) ipt.CreateFilterChain(chainName) 
@@ -391,7 +390,6 @@ func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodI "-m", "comment", "--comment", "\"no ingress from, skipped\"", "-j", "MARK", "--set-xmark", "0x20000/0x20000") } - return } func (ipt *iptableBuffer) renderEgressCommon(s *Server) { @@ -442,7 +440,7 @@ func (ipt *iptableBuffer) renderEgressCommon(s *Server) { writeLine(ipt.policyCommon, "-A", egressCommonChain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT") } -func (ipt *iptableBuffer) renderEgress(s *Server, podInfo *controllers.PodInfo, idx int, policy *multiv1beta1.MultiNetworkPolicy, policyNetworks []string) { +func (ipt *iptableBuffer) renderEgress(s *Server, podInfo *controllers.PodInfo, idx int, policy *multiv1beta2.MultiNetworkPolicy, policyNetworks []string) { chainName := fmt.Sprintf("MULTI-%d-EGRESS", idx) ipt.CreateFilterChain(chainName) @@ -465,7 +463,7 @@ func (ipt *iptableBuffer) renderEgress(s *Server, podInfo *controllers.PodInfo, } } -func (ipt *iptableBuffer) renderEgressPorts(_ *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta1.MultiNetworkPolicyPort, policyNetworks []string) { +func (ipt *iptableBuffer) renderEgressPorts(_ *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta2.MultiNetworkPolicyPort, policyNetworks []string) { chainName := fmt.Sprintf("MULTI-%d-EGRESS-%d-PORTS", pIndex, iIndex) ipt.CreateFilterChain(chainName) 
@@ -494,10 +492,9 @@ func (ipt *iptableBuffer) renderEgressPorts(_ *Server, podInfo *controllers.PodI "-m", "comment", "--comment", "\"no egress ports, skipped\"", "-j", "MARK", "--set-xmark", "0x10000/0x10000") } - return } -func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, to []multiv1beta1.MultiNetworkPolicyPeer, policyNetworks []string) { +func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, to []multiv1beta2.MultiNetworkPolicyPeer, policyNetworks []string) { chainName := fmt.Sprintf("MULTI-%d-EGRESS-%d-TO", pIndex, iIndex) ipt.CreateFilterChain(chainName) @@ -618,7 +615,6 @@ func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo "-m", "comment", "--comment", "\"no egress to, skipped\"", "-j", "MARK", "--set-xmark", "0x20000/0x20000") } - return } func (ipt *iptableBuffer) isIPFamilyCompatible(ip string) bool { diff --git a/pkg/server/policyrules_test.go b/pkg/server/policyrules_test.go index 66870a70..6dad34f1 100644 --- a/pkg/server/policyrules_test.go +++ b/pkg/server/policyrules_test.go @@ -19,13 +19,12 @@ package server import ( "bytes" "fmt" - "io/ioutil" "os" "path/filepath" "time" "github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables/pkg/controllers" - multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1" + multiv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta2" multifake "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/clientset/versioned/fake" netdefv1 "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1" netfake "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/client/clientset/versioned/fake" 
@@ -221,7 +220,7 @@ var _ = Describe("policyrules testing", func() { BeforeEach(func() { var err error - tmpDir, err = ioutil.TempDir("", "multi-networkpolicy-iptables") + tmpDir, err = os.MkdirTemp("", "multi-networkpolicy-iptables") Expect(err).NotTo(HaveOccurred()) }) @@ -525,7 +524,7 @@ COMMIT It("ingress common - custom v4 rules", func() { tmpRuleFile := filepath.Join(tmpDir, "testInputRules.txt") - ioutil.WriteFile(tmpRuleFile, []byte( + os.WriteFile(tmpRuleFile, []byte( `# comment: this accepts DHCP packet -m udp -p udp --sport bootps --dport bootpc -j ACCEPT `), 0600) @@ -579,7 +578,7 @@ COMMIT It("ingress common - custom v6 rules", func() { tmpRuleFile := filepath.Join(tmpDir, "testInputRules.txt") - ioutil.WriteFile(tmpRuleFile, []byte( + os.WriteFile(tmpRuleFile, []byte( `# comment: this accepts DHCPv6 packets from link-local address -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT `), 0600) @@ -865,7 +864,7 @@ COMMIT It("egress common - custom v4 rules", func() { tmpRuleFile := filepath.Join(tmpDir, "testInputRules.txt") - ioutil.WriteFile(tmpRuleFile, []byte( + os.WriteFile(tmpRuleFile, []byte( `# comment: this rules accepts DHCP packets -m udp -p udp --sport bootc --dport bootps -j ACCEPT `), 0600) @@ -919,7 +918,7 @@ COMMIT It("egress common - custom v6 rules", func() { tmpRuleFile := filepath.Join(tmpDir, "testInputRules.txt") - ioutil.WriteFile(tmpRuleFile, []byte( + os.WriteFile(tmpRuleFile, []byte( `# comment: this rules accepts DHCPv6 packet to dhcp relay agents/servers -m udp -p udp --dport 547 -d ff02::1:2 -j ACCEPT `), 0600) 
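Review bot: The `os.WriteFile(tmpRuleFile, ...)` call in the "ingress common - custom v4 rules" hunk still discards the returned error exactly as the `ioutil.WriteFile` call did, so if the temp rule file cannot be written the test goes on to compare against rules that were never loaded and fails on an unrelated diff instead of at the cause. The file already uses Gomega, so `Expect(os.WriteFile(tmpRuleFile, []byte(...), 0600)).To(Succeed())` pins the failure to the setup step. The same applies to the @@ -579, @@ -865 and @@ -919 hunks on this line.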
@@ -974,23 +973,23 @@ COMMIT It("ingress rules ipblock", func() { port := intstr.FromInt(8888) protoTCP := v1.ProtocolTCP - ingressPolicies1 := &multiv1beta1.MultiNetworkPolicy{ + ingressPolicies1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Ingress: []multiv1beta2.MultiNetworkPolicyIngressRule{ { - Ports: []multiv1beta1.MultiNetworkPolicyPort{ + Ports: []multiv1beta2.MultiNetworkPolicyPort{ { Protocol: &protoTCP, Port: &port, }, }, - From: []multiv1beta1.MultiNetworkPolicyPeer{ + From: []multiv1beta2.MultiNetworkPolicyPeer{ { - IPBlock: &multiv1beta1.IPBlock{ + IPBlock: &multiv1beta2.IPBlock{ CIDR: "10.1.1.1/24", Except: []string{"10.1.1.254"}, }, @@ -1067,21 +1066,21 @@ COMMIT It("ingress rules podselector/matchlabels", func() { port := intstr.FromInt(8888) protoTCP := v1.ProtocolTCP - ingressPolicies1 := &multiv1beta1.MultiNetworkPolicy{ + ingressPolicies1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Ingress: []multiv1beta2.MultiNetworkPolicyIngressRule{ { - Ports: []multiv1beta1.MultiNetworkPolicyPort{ + Ports: []multiv1beta2.MultiNetworkPolicyPort{ { Protocol: &protoTCP, Port: &port, }, }, - From: []multiv1beta1.MultiNetworkPolicyPeer{ + From: []multiv1beta2.MultiNetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ 
@@ -1169,15 +1168,15 @@ COMMIT }) It("ingress rules namespace selector", func() { - ingressPolicies1 := &multiv1beta1.MultiNetworkPolicy{ + ingressPolicies1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Ingress: []multiv1beta2.MultiNetworkPolicyIngressRule{ { - From: []multiv1beta1.MultiNetworkPolicyPeer{ + From: []multiv1beta2.MultiNetworkPolicyPeer{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ @@ -1258,15 +1257,15 @@ COMMIT }) It("ingress rules namespaceSeelctor with non existent labels", func() { - ingressPolicies1 := &multiv1beta1.MultiNetworkPolicy{ + ingressPolicies1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Ingress: []multiv1beta2.MultiNetworkPolicyIngressRule{ { - From: []multiv1beta1.MultiNetworkPolicyPeer{ + From: []multiv1beta2.MultiNetworkPolicyPeer{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ @@ -1344,15 +1343,15 @@ COMMIT }) It("enforce policy with net-attach-def in a different namespace than pods", func() { - ingressPolicies1 := &multiv1beta1.MultiNetworkPolicy{ + ingressPolicies1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Ingress: []multiv1beta2.MultiNetworkPolicyIngressRule{ { - From: []multiv1beta1.MultiNetworkPolicyPeer{ + 
From: []multiv1beta2.MultiNetworkPolicyPeer{ { NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ @@ -1431,23 +1430,23 @@ COMMIT It("egress rules ipblock", func() { port := intstr.FromInt(8888) protoTCP := v1.ProtocolTCP - egressPolicies1 := &multiv1beta1.MultiNetworkPolicy{ + egressPolicies1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "EgressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Egress: []multiv1beta1.MultiNetworkPolicyEgressRule{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Egress: []multiv1beta2.MultiNetworkPolicyEgressRule{ { - Ports: []multiv1beta1.MultiNetworkPolicyPort{ + Ports: []multiv1beta2.MultiNetworkPolicyPort{ { Protocol: &protoTCP, Port: &port, }, }, - To: []multiv1beta1.MultiNetworkPolicyPeer{ + To: []multiv1beta2.MultiNetworkPolicyPeer{ { - IPBlock: &multiv1beta1.IPBlock{ + IPBlock: &multiv1beta2.IPBlock{ CIDR: "10.1.1.1/24", Except: []string{"10.1.1.254"}, }, @@ -1524,21 +1523,21 @@ COMMIT It("egress rules podselector/matchlabels", func() { port := intstr.FromInt(8888) protoTCP := v1.ProtocolTCP - egressPolicies1 := &multiv1beta1.MultiNetworkPolicy{ + egressPolicies1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "EgressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Egress: []multiv1beta1.MultiNetworkPolicyEgressRule{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Egress: []multiv1beta2.MultiNetworkPolicyEgressRule{ { - Ports: []multiv1beta1.MultiNetworkPolicyPort{ + Ports: []multiv1beta2.MultiNetworkPolicyPort{ { Protocol: &protoTCP, Port: &port, }, }, - To: []multiv1beta1.MultiNetworkPolicyPeer{ + To: []multiv1beta2.MultiNetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ 
@@ -1627,24 +1626,24 @@ COMMIT It("default values", func() { port := intstr.FromInt(8888) - policies1 := &multiv1beta1.MultiNetworkPolicy{ + policies1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "policies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Ingress: []multiv1beta2.MultiNetworkPolicyIngressRule{ { - Ports: []multiv1beta1.MultiNetworkPolicyPort{ + Ports: []multiv1beta2.MultiNetworkPolicyPort{ { Port: &port, }, }, }, }, - Egress: []multiv1beta1.MultiNetworkPolicyEgressRule{ + Egress: []multiv1beta2.MultiNetworkPolicyEgressRule{ { - Ports: []multiv1beta1.MultiNetworkPolicyPort{ + Ports: []multiv1beta2.MultiNetworkPolicyPort{ { Port: &port, }, @@ -1696,7 +1695,7 @@ COMMIT It("policyType should be implicitly inferred", func() { - policy1 := &multiv1beta1.MultiNetworkPolicy{ + policy1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingressPolicies1", Namespace: "testns1", @@ -1704,14 +1703,14 @@ COMMIT PolicyNetworkAnnotation: "net-attach1", }, }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ PodSelector: metav1.LabelSelector{ MatchLabels: map[string]string{ "role": "targetpod", }, }, - Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{{ - From: []multiv1beta1.MultiNetworkPolicyPeer{{ + Ingress: []multiv1beta2.MultiNetworkPolicyIngressRule{{ + From: []multiv1beta2.MultiNetworkPolicyPeer{{ PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ "foobar": "enabled", 
@@ -1807,14 +1806,14 @@ COMMIT Context("IPv6", func() { It("shoud avoid using IPv4 addresses on ip6tables", func() { - policy1 := &multiv1beta1.MultiNetworkPolicy{ + policy1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{{ - From: []multiv1beta1.MultiNetworkPolicyPeer{{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Ingress: []multiv1beta2.MultiNetworkPolicyIngressRule{{ + From: []multiv1beta2.MultiNetworkPolicyPeer{{ PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ "foobar": "enabled", @@ -1822,8 +1821,8 @@ COMMIT }, }}, }}, - Egress: []multiv1beta1.MultiNetworkPolicyEgressRule{{ - To: []multiv1beta1.MultiNetworkPolicyPeer{{ + Egress: []multiv1beta2.MultiNetworkPolicyEgressRule{{ + To: []multiv1beta2.MultiNetworkPolicyPeer{{ PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ "foobar": "enabled", @@ -1906,14 +1905,14 @@ COMMIT It("shoud manage dual stack networks", func() { - policy1 := &multiv1beta1.MultiNetworkPolicy{ + policy1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{{ - From: []multiv1beta1.MultiNetworkPolicyPeer{{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Ingress: []multiv1beta2.MultiNetworkPolicyIngressRule{{ + From: []multiv1beta2.MultiNetworkPolicyPeer{{ PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ "foobar": "enabled", @@ -1921,8 +1920,8 @@ COMMIT }, }}, }}, - Egress: []multiv1beta1.MultiNetworkPolicyEgressRule{{ - To: []multiv1beta1.MultiNetworkPolicyPeer{{ + Egress: []multiv1beta2.MultiNetworkPolicyEgressRule{{ + To: []multiv1beta2.MultiNetworkPolicyPeer{{ PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ "foobar": "enabled", 
@@ -2074,23 +2073,23 @@ COMMIT It("ingress rules ipblock", func() { port := intstr.FromInt(8888) protoTCP := v1.ProtocolTCP - ingressPolicies1 := &multiv1beta1.MultiNetworkPolicy{ + ingressPolicies1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Ingress: []multiv1beta2.MultiNetworkPolicyIngressRule{ { - Ports: []multiv1beta1.MultiNetworkPolicyPort{ + Ports: []multiv1beta2.MultiNetworkPolicyPort{ { Protocol: &protoTCP, Port: &port, }, }, - From: []multiv1beta1.MultiNetworkPolicyPeer{ + From: []multiv1beta2.MultiNetworkPolicyPeer{ { - IPBlock: &multiv1beta1.IPBlock{ + IPBlock: &multiv1beta2.IPBlock{ CIDR: "10.1.1.1/24", Except: []string{"10.1.1.1"}, }, @@ -2151,21 +2150,21 @@ COMMIT It("ingress rules podselector/matchlabels", func() { port := intstr.FromInt(8888) protoTCP := v1.ProtocolTCP - ingressPolicies1 := &multiv1beta1.MultiNetworkPolicy{ + ingressPolicies1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "ingressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Ingress: []multiv1beta2.MultiNetworkPolicyIngressRule{ { - Ports: []multiv1beta1.MultiNetworkPolicyPort{ + Ports: []multiv1beta2.MultiNetworkPolicyPort{ { Protocol: &protoTCP, Port: &port, }, }, - From: []multiv1beta1.MultiNetworkPolicyPeer{ + From: []multiv1beta2.MultiNetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ 
@@ -2241,23 +2240,23 @@ COMMIT It("egress rules ipblock", func() { port := intstr.FromInt(8888) protoTCP := v1.ProtocolTCP - egressPolicies1 := &multiv1beta1.MultiNetworkPolicy{ + egressPolicies1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "EgressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Egress: []multiv1beta1.MultiNetworkPolicyEgressRule{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Egress: []multiv1beta2.MultiNetworkPolicyEgressRule{ { - Ports: []multiv1beta1.MultiNetworkPolicyPort{ + Ports: []multiv1beta2.MultiNetworkPolicyPort{ { Protocol: &protoTCP, Port: &port, }, }, - To: []multiv1beta1.MultiNetworkPolicyPeer{ + To: []multiv1beta2.MultiNetworkPolicyPeer{ { - IPBlock: &multiv1beta1.IPBlock{ + IPBlock: &multiv1beta2.IPBlock{ CIDR: "10.1.1.1/24", Except: []string{"10.1.1.1"}, }, @@ -2318,21 +2317,21 @@ COMMIT It("egress rules podselector/matchlabels", func() { port := intstr.FromInt(8888) protoTCP := v1.ProtocolTCP - egressPolicies1 := &multiv1beta1.MultiNetworkPolicy{ + egressPolicies1 := &multiv1beta2.MultiNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "EgressPolicies1", Namespace: "testns1", }, - Spec: multiv1beta1.MultiNetworkPolicySpec{ - Egress: []multiv1beta1.MultiNetworkPolicyEgressRule{ + Spec: multiv1beta2.MultiNetworkPolicySpec{ + Egress: []multiv1beta2.MultiNetworkPolicyEgressRule{ { - Ports: []multiv1beta1.MultiNetworkPolicyPort{ + Ports: []multiv1beta2.MultiNetworkPolicyPort{ { Protocol: &protoTCP, Port: &port, }, }, - To: []multiv1beta1.MultiNetworkPolicyPeer{ + To: []multiv1beta2.MultiNetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ diff --git a/pkg/server/server.go b/pkg/server/server.go index d7e24516..f127347f 100644 --- a/pkg/server/server.go +++ b/pkg/server/server.go 
@@ -29,10 +29,10 @@ import ( "github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables/pkg/controllers" multiutils "github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables/pkg/utils" - multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1" + multiv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta2" multiclient "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/clientset/versioned" multiinformer "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions" - multilisterv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/listers/k8s.cni.cncf.io/v1beta1" + multilisterv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/listers/k8s.cni.cncf.io/v1beta2" netdefv1 "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1" netdefclient "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/client/clientset/versioned" netdefinformerv1 "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/client/informers/externalversions" @@ -92,7 +92,7 @@ type Server struct { nsSynced bool podLister corelisters.PodLister - policyLister multilisterv1beta1.MultiNetworkPolicyLister + policyLister multilisterv1beta2.MultiNetworkPolicyLister syncRunner *async.BoundedFrequencyRunner syncRunnerStopCh chan struct{} 
@@ -126,10 +126,10 @@ func (s *Server) Run(_ string, stopCh chan struct{}) { policyInformerFactory := multiinformer.NewSharedInformerFactoryWithOptions( s.NetworkPolicyClient, s.ConfigSyncPeriod) - s.policyLister = policyInformerFactory.K8sCniCncfIo().V1beta1().MultiNetworkPolicies().Lister() + s.policyLister = policyInformerFactory.K8sCniCncfIo().V1beta2().MultiNetworkPolicies().Lister() policyConfig := controllers.NewNetworkPolicyConfig( - policyInformerFactory.K8sCniCncfIo().V1beta1().MultiNetworkPolicies(), s.ConfigSyncPeriod) + policyInformerFactory.K8sCniCncfIo().V1beta2().MultiNetworkPolicies(), s.ConfigSyncPeriod) policyConfig.RegisterEventHandler(s) go policyConfig.Run(wait.NeverStop) policyInformerFactory.Start(wait.NeverStop) @@ -300,7 +300,7 @@ func (s *Server) Sync() { // AllSynced ... func (s *Server) AllSynced() bool { - return (s.policySynced == true && s.netdefSynced == true && s.nsSynced == true) + return (s.policySynced && s.netdefSynced && s.nsSynced) } // OnPodAdd ... @@ -344,13 +344,13 @@ func (s *Server) OnPodSynced() { } // OnPolicyAdd ... -func (s *Server) OnPolicyAdd(policy *multiv1beta1.MultiNetworkPolicy) { +func (s *Server) OnPolicyAdd(policy *multiv1beta2.MultiNetworkPolicy) { klog.V(4).Infof("OnPolicyAdd") s.OnPolicyUpdate(nil, policy) } // OnPolicyUpdate ... -func (s *Server) OnPolicyUpdate(oldPolicy, policy *multiv1beta1.MultiNetworkPolicy) { +func (s *Server) OnPolicyUpdate(oldPolicy, policy *multiv1beta2.MultiNetworkPolicy) { klog.V(4).Infof("OnPolicyUpdate %s -> %s", policyNamespacedName(oldPolicy), policyNamespacedName(policy)) if s.policyChanges.Update(oldPolicy, policy) && s.isInitialized() { s.Sync() 
@@ -358,7 +358,7 @@ func (s *Server) OnPolicyUpdate(oldPolicy, policy *multiv1beta1.MultiNetworkPoli } // OnPolicyDelete ... -func (s *Server) OnPolicyDelete(policy *multiv1beta1.MultiNetworkPolicy) { +func (s *Server) OnPolicyDelete(policy *multiv1beta2.MultiNetworkPolicy) { klog.V(4).Infof("OnPolicyDelete") s.OnPolicyUpdate(policy, nil) } @@ -614,7 +614,7 @@ func (s *Server) generatePolicyRulesForPodAndFamily(pod *v1.Pod, podInfo *contro policyNetworks := strings.Split(policyNetworksAnnot, ",") for pidx, networkName := range policyNetworks { // fill namespace - if strings.IndexAny(networkName, "/") == -1 { + if !strings.ContainsAny(networkName, "/") { policyNetworks[pidx] = fmt.Sprintf("%s/%s", policy.GetNamespace(), networkName) } } @@ -681,7 +681,7 @@ func namespaceName(o *v1.Namespace) string { return o.GetName() } -func policyNamespacedName(o *multiv1beta1.MultiNetworkPolicy) string { +func policyNamespacedName(o *multiv1beta2.MultiNetworkPolicy) string { if o == nil { return "" } @@ -695,13 +695,13 @@ func nadNamespacedName(o *netdefv1.NetworkAttachmentDefinition) string { return o.GetNamespace() + "/" + o.GetName() } -func getEnabledPolicyTypes(policy *multiv1beta1.MultiNetworkPolicy) (bool, bool) { +func getEnabledPolicyTypes(policy *multiv1beta2.MultiNetworkPolicy) (bool, bool) { var ingressEnable, egressEnable bool if len(policy.Spec.PolicyTypes) > 0 { for _, v := range policy.Spec.PolicyTypes { - if strings.EqualFold(string(v), string(multiv1beta1.PolicyTypeIngress)) { + if strings.EqualFold(string(v), string(multiv1beta2.PolicyTypeIngress)) { ingressEnable = true - } else if strings.EqualFold(string(v), string(multiv1beta1.PolicyTypeEgress)) { + } else if strings.EqualFold(string(v), string(multiv1beta2.PolicyTypeEgress)) { egressEnable = true } }
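Review bot: In generatePolicyRulesForPodAndFamily, `!strings.ContainsAny(networkName, "/")` uses a one-character set, which is equivalent to `!strings.Contains(networkName, "/")` and states the intent (is the name already namespace-qualified?) more directly. The replacement is correct; this is a readability point only. The enclosing function starts and ends outside the hunk.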
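Review bot: In getEnabledPolicyTypes an entry of `policy.Spec.PolicyTypes` that matches neither `PolicyTypeIngress` nor `PolicyTypeEgress` is skipped without a trace, so a policy whose PolicyTypes holds only an unrecognized value yields (false, false); if callers render no rules for such a policy it is not enforced at all and nothing in the logs says why. Since this loop is where the spec's explicit intent is decoded, a trailing `else { klog.Warningf("policy %s: unknown policyType %q ignored", policyNamespacedName(policy), v) }` would make that fail-open path visible to operators. Whether CRD validation already rejects such values cannot be seen from this hunk, and the function's remaining branch lies outside it.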