Implement BaseComponentNetworkPolicy

Author: kabicin

api/v1/webspherelibertyapplication_types.go

@@ -414,13 +414,37 @@ type WebSphereLibertyApplicationNetworkPolicy struct {
 	// +operator-sdk:csv:customresourcedefinitions:order=52,type=spec,displayName="Disable",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 	Disable *bool `json:"disable,omitempty"`
 
-	// Specify the labels of namespaces that incoming traffic is allowed from.
-	// +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	// Disable the creation of the network policy ingress. Defaults to false.
+	// +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="Disable Ingress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	DisableIngress *bool `json:"disableIngress,omitempty"`
+
+	// Disable the creation of the network policy egress. Defaults to false.
+	// +operator-sdk:csv:customresourcedefinitions:order=54,type=spec,displayName="Disable Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	DisableEgress *bool `json:"disableEgress,omitempty"`
+
+	// Bypasses deny all egress rules to allow API server and DNS access. Defaults to false.
+	// +operator-sdk:csv:customresourcedefinitions:order=55,type=spec,displayName="Bypass Deny All Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	BypassDenyAllEgress *bool `json:"bypassDenyAllEgress,omitempty"`
+
+	// Deprecated. .spec.networkPolicy.fromNamespaceLabels should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels will override this.
+	// +operator-sdk:csv:customresourcedefinitions:order=56,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 	NamespaceLabels *map[string]string `json:"namespaceLabels,omitempty"`
 
+	// Specify the labels of namespaces that incoming traffic is allowed from.
+	// +operator-sdk:csv:customresourcedefinitions:order=57,type=spec,displayName="From Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	FromNamespaceLabels *map[string]string `json:"fromNamespaceLabels,omitempty"`
+
 	// Specify the labels of pod(s) that incoming traffic is allowed from.
-	// +operator-sdk:csv:customresourcedefinitions:order=54,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	// +operator-sdk:csv:customresourcedefinitions:order=58,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 	FromLabels *map[string]string `json:"fromLabels,omitempty"`
+
+	// Specify the labels of namespaces that outgoing traffic is allowed to.
+	// +operator-sdk:csv:customresourcedefinitions:order=59,type=spec,displayName="To Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	ToNamespaceLabels *map[string]string `json:"toNamespaceLabels,omitempty"`
+
+	// Specify the labels of pod(s) that outgoing traffic is allowed to.
+	// +operator-sdk:csv:customresourcedefinitions:order=60,type=spec,displayName="To Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	ToLabels *map[string]string `json:"toLabels,omitempty"`
 }
 
 // Defines the desired state and cycle of applications.
@@ -1211,8 +1235,28 @@ func (ssa *WebSphereLibertyApplicationServiceSessionAffinity) GetConfig() *corev
 	return ssa.Config
 }
 
-// GetNamespaceLabels returns the namespace selector labels that should be used for the ingress rule
-func (np *WebSphereLibertyApplicationNetworkPolicy) GetNamespaceLabels() map[string]string {
+// GetToNamespaceLabels returns the namespace selector labels that should be used for the egress rule
+func (np *WebSphereLibertyApplicationNetworkPolicy) GetToNamespaceLabels() map[string]string {
+	if np.ToNamespaceLabels != nil {
+		return *np.ToNamespaceLabels
+	}
+	return nil
+}
+
+// GetToLabels returns the pod selector labels that should be used for the egress rule
+func (np *WebSphereLibertyApplicationNetworkPolicy) GetToLabels() map[string]string {
+	if np.ToLabels != nil {
+		return *np.ToLabels
+	}
+	return nil
+}
+
+// GetFromNamespaceLabels returns the namespace selector labels that should be used for the ingress rule
+func (np *WebSphereLibertyApplicationNetworkPolicy) GetFromNamespaceLabels() map[string]string {
+	if np.FromNamespaceLabels != nil {
+		return *np.FromNamespaceLabels
+	}
+	// fallback to deprecated flag np.NamespaceLabels for when we only supported one type of network policy (ingress)
 	if np.NamespaceLabels != nil {
 		return *np.NamespaceLabels
 	}
@@ -1232,6 +1276,20 @@ func (np *WebSphereLibertyApplicationNetworkPolicy) IsDisabled() bool {
 	return np.Disable != nil && *np.Disable
 }
 
+// IsIngressDisabled returns whether the network policy ingress should be created or not
+func (np *WebSphereLibertyApplicationNetworkPolicy) IsIngressDisabled() bool {
+	return np.DisableIngress != nil && *np.DisableIngress
+}
+
+// IsEgressDisabled returns whether the network policy egress should be created or not
+func (np *WebSphereLibertyApplicationNetworkPolicy) IsEgressDisabled() bool {
+	return np.DisableEgress != nil && *np.DisableEgress
+}
+
+func (np *WebSphereLibertyApplicationNetworkPolicy) IsBypassingDenyAllEgress() bool {
+	return np.BypassDenyAllEgress != nil && *np.BypassDenyAllEgress
+}
+
 // GetLabels returns labels to be added on ServiceMonitor
 func (m *WebSphereLibertyApplicationMonitoring) GetLabels() map[string]string {
 	return m.Labels

internal/controller/webspherelibertyapplication_controller.go

@@ -73,6 +73,7 @@ const applicationFinalizer = "finalizer.webspherelibertyapps.liberty.websphere.i
 // +kubebuilder:rbac:groups=apps,resources=deployments;statefulsets,verbs=get;list;watch;create;update;delete,namespace=websphere-liberty-operator
 // +kubebuilder:rbac:groups=apps,resources=deployments/finalizers;statefulsets,verbs=update,namespace=websphere-liberty-operator
 // +kubebuilder:rbac:groups=core,resources=services;secrets;serviceaccounts;configmaps;persistentvolumeclaims,verbs=get;list;watch;create;update;delete,namespace=websphere-liberty-operator
+// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;list;watch,namespace=websphere-liberty-operator
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;delete,namespace=websphere-liberty-operator
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;delete,namespace=websphere-liberty-operator
 // +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch;create;update;delete,namespace=websphere-liberty-operator
@@ -456,7 +457,7 @@ func (r *ReconcileWebSphereLiberty) Reconcile(ctx context.Context, request ctrl.
 	networkPolicy := &networkingv1.NetworkPolicy{ObjectMeta: defaultMeta}
 	if np := instance.Spec.NetworkPolicy; np == nil || np != nil && !np.IsDisabled() {
 		err = r.CreateOrUpdate(networkPolicy, instance, func() error {
-			oputils.CustomizeNetworkPolicy(networkPolicy, r.IsOpenShift(), instance)
+			oputils.CustomizeNetworkPolicy(networkPolicy, r.IsOpenShift(), r.getDNSEgressRule, r.getEndpoints, instance)
 			return nil
 		})
 		if err != nil {
@@ -1022,3 +1023,38 @@ func (r *ReconcileWebSphereLiberty) deletePVC(reqLogger logr.Logger, pvcName str
 		}
 	}
 }
+
+func (r *ReconcileWebSphereLiberty) getEndpoints(serviceName string, namespace string) (*corev1.Endpoints, error) {
+	endpoints := &corev1.Endpoints{}
+	if err := r.GetClient().Get(context.TODO(), types.NamespacedName{Name: serviceName, Namespace: namespace}, endpoints); err != nil {
+		return nil, err
+	} else {
+		return endpoints, nil
+	}
+}
+
+func (r *ReconcileWebSphereLiberty) getDNSEgressRule(endpointsName string, endpointsNamespace string) (bool, networkingv1.NetworkPolicyEgressRule) {
+	dnsRule := networkingv1.NetworkPolicyEgressRule{}
+	if dnsEndpoints, err := r.getEndpoints(endpointsName, endpointsNamespace); err == nil {
+		if len(dnsEndpoints.Subsets) > 0 {
+			if endpointPort := lutils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns"); endpointPort != nil {
+				dnsRule.Ports = append(dnsRule.Ports, lutils.CreateNetworkPolicyPortFromEndpointPort(endpointPort))
+			}
+			if endpointPort := lutils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns-tcp"); endpointPort != nil {
+				dnsRule.Ports = append(dnsRule.Ports, lutils.CreateNetworkPolicyPortFromEndpointPort(endpointPort))
+			}
+		}
+		peer := networkingv1.NetworkPolicyPeer{}
+		peer.NamespaceSelector = &metav1.LabelSelector{
+			MatchLabels: map[string]string{
+				"kubernetes.io/metadata.name": endpointsNamespace,
+			},
+		}
+		dnsRule.To = append(dnsRule.To, peer)
+		return false, dnsRule
+	}
+	// use permissive rule
+	// egress:
+	//   - {}
+	return true, dnsRule
+}

utils/utils.go

@@ -28,6 +28,8 @@ import (
 
 	"math/rand/v2"
 
+	networkingv1 "k8s.io/api/networking/v1"
+
 	wlv1 "github.com/WASdev/websphere-liberty-operator/api/v1"
 	rcoutils "github.com/application-stacks/runtime-component-operator/utils"
 	routev1 "github.com/openshift/api/route/v1"
@@ -37,6 +39,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
@@ -1001,6 +1004,25 @@ func GetRequiredLabels(name string, instance string) map[string]string {
 	return requiredLabels
 }
 
+func GetEndpointPortByName(endpointPorts *[]corev1.EndpointPort, name string) *corev1.EndpointPort {
+	if endpointPorts != nil {
+		for _, endpointPort := range *endpointPorts {
+			if endpointPort.Name == name {
+				return &endpointPort
+			}
+		}
+	}
+	return nil
+}
+
+func CreateNetworkPolicyPortFromEndpointPort(endpointPort *corev1.EndpointPort) networkingv1.NetworkPolicyPort {
+	port := networkingv1.NetworkPolicyPort{}
+	port.Protocol = &endpointPort.Protocol
+	var portNumber intstr.IntOrString = intstr.FromInt((int)(endpointPort.Port))
+	port.Port = &portNumber
+	return port
+}
+
 func IsOperandVersionString(version string) bool {
 	if !strings.Contains(version, "_") {
 		return false