ClusterNetworkPolicy

aojea · aojea · commit 8d16dd1a7fb4 · 2025-08-15T10:27:11.000Z
diff --git a/cmd/main.go b/cmd/main.go
@@ -16,9 +16,12 @@ import (
 	"sigs.k8s.io/kube-network-policies/pkg/dns"
 	"sigs.k8s.io/kube-network-policies/pkg/networkpolicy"
 	"sigs.k8s.io/kube-network-policies/pkg/podinfo"
+
+	npav1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 	npaclient "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned"
 	npainformers "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions"
-	"sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/apis/v1alpha1"
+	npainformersv1alpha1 "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/apis/v1alpha1"
+	npainformersv1alpha2 "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/apis/v1alpha2"
 
 	"k8s.io/apimachinery/pkg/api/meta"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -38,6 +41,7 @@ var (
 	failOpen                   bool
 	adminNetworkPolicy         bool // 	AdminNetworkPolicy is alpha so keep it feature gated behind a flag
 	baselineAdminNetworkPolicy bool // 	BaselineAdminNetworkPolicy is alpha so keep it feature gated behind a flag
+	clusterNetworkPolicy       bool // 	ClusterNetworkPolicy is alpha so keep it feature gated behind a flag
 	queueID                    int
 	metricsBindAddress         string
 	hostnameOverride           string
@@ -49,6 +53,7 @@ func init() {
 	flag.BoolVar(&failOpen, "fail-open", false, "If set, don't drop packets if the controller is not running")
 	flag.BoolVar(&adminNetworkPolicy, "admin-network-policy", false, "If set, enable Admin Network Policy API")
 	flag.BoolVar(&baselineAdminNetworkPolicy, "baseline-admin-network-policy", false, "If set, enable Baseline Admin Network Policy API")
+	flag.BoolVar(&clusterNetworkPolicy, "cluster-network-policy", false, "If set, enable Cluster-network-policy")
 	flag.IntVar(&queueID, "nfqueue-id", 100, "Number of the nfqueue used")
 	flag.StringVar(&metricsBindAddress, "metrics-bind-address", ":9080", "The IP address and port for the metrics server to serve on")
 	flag.StringVar(&hostnameOverride, "hostname-override", "", "If non-empty, will be used as the name of the Node that kube-network-policies is running on. If unset, the node name is assumed to be the same as the node's hostname.")
@@ -131,7 +136,8 @@ func run() int {
 	var npaClient *npaclient.Clientset
 	var npaInformerFactory npainformers.SharedInformerFactory
 	var nodeInformer coreinformers.NodeInformer
-	if adminNetworkPolicy || baselineAdminNetworkPolicy {
+
+	if adminNetworkPolicy || baselineAdminNetworkPolicy || clusterNetworkPolicy {
 		nodeInformer = informersFactory.Core().V1().Nodes()
 		npaClient, err = npaclient.NewForConfig(npaConfig)
 		if err != nil {
@@ -140,14 +146,18 @@ func run() int {
 		npaInformerFactory = npainformers.NewSharedInformerFactory(npaClient, 0)
 	}
 
-	var anpInformer v1alpha1.AdminNetworkPolicyInformer
+	var anpInformer npainformersv1alpha1.AdminNetworkPolicyInformer
 	if adminNetworkPolicy {
 		anpInformer = npaInformerFactory.Policy().V1alpha1().AdminNetworkPolicies()
 	}
-	var banpInformer v1alpha1.BaselineAdminNetworkPolicyInformer
+	var banpInformer npainformersv1alpha1.BaselineAdminNetworkPolicyInformer
 	if baselineAdminNetworkPolicy {
 		banpInformer = npaInformerFactory.Policy().V1alpha1().BaselineAdminNetworkPolicies()
 	}
+	var cnpInformer npainformersv1alpha2.ClusterNetworkPolicyInformer
+	if clusterNetworkPolicy {
+		cnpInformer = npaInformerFactory.Policy().V1alpha2().ClusterNetworkPolicies()
+	}
 
 	nsInformer := informersFactory.Core().V1().Namespaces()
 	networkPolicyInfomer := informersFactory.Networking().V1().NetworkPolicies()
@@ -203,25 +213,40 @@ func run() int {
 		evaluators = append(evaluators, networkpolicy.NewLoggingPolicy())
 	}
 
-	if adminNetworkPolicy {
+	var domainResolver networkpolicy.DomainResolver
+	// If AdminNetworkPolicy or ClusterNetworkPolicy are enabled, we need a domain resolver.
+	if adminNetworkPolicy || clusterNetworkPolicy {
+		klog.Infof("AdminNetworkPolicy or ClusterNetworkPolicy enabled, starting domain cache")
 		// Admin Network Policy need to associate IP addresses to Domains
 		// NewDomainCache implements the interface DomainResolver using
 		// nftables to create a cache with the resolved IP addresses from the
 		// Pod domain queries.
-		domainResolver := dns.NewDomainCache(queueID + 1)
+		domainCache := dns.NewDomainCache(queueID + 1)
 		go func() {
-			err := domainResolver.Run(ctx)
+			err := domainCache.Run(ctx)
 			if err != nil {
 				klog.Infof("domain cache controller exited: %v", err)
 			}
 		}()
+		domainResolver = domainCache
+
+	}
 
+	if adminNetworkPolicy {
 		evaluators = append(evaluators, networkpolicy.NewAdminNetworkPolicy(
 			anpInformer,
 			domainResolver,
 		))
 	}
 
+	if clusterNetworkPolicy {
+		evaluators = append(evaluators, networkpolicy.NewClusterNetworkPolicy(
+			npav1alpha2.AdminTier,
+			cnpInformer,
+			domainResolver,
+		))
+	}
+
 	// Standard Network Policy goes after AdminNetworkPolicy and before BaselineAdminNetworkPolicy
 	evaluators = append(evaluators, networkpolicy.NewStandardNetworkPolicy(
 		networkPolicyInfomer,
@@ -233,6 +258,14 @@ func run() int {
 		))
 	}
 
+	if clusterNetworkPolicy {
+		evaluators = append(evaluators, networkpolicy.NewClusterNetworkPolicy(
+			npav1alpha2.BaselineTier,
+			cnpInformer,
+			nil,
+		))
+	}
+
 	http.Handle("/metrics", promhttp.Handler())
 	go func() {
 		err := http.ListenAndServe(metricsBindAddress, nil)
diff --git a/pkg/networkpolicy/clusternetworkpolicy.go b/pkg/networkpolicy/clusternetworkpolicy.go
@@ -0,0 +1,253 @@
+// SPDX-License-Identifier: APACHE-2.0
+
+package networkpolicy
+
+import (
+	"cmp"
+	"context"
+	"net"
+	"slices"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/klog/v2"
+	"sigs.k8s.io/kube-network-policies/pkg/api"
+	"sigs.k8s.io/kube-network-policies/pkg/network"
+	npav1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2"
+	cnpinformers "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/apis/v1alpha2"
+	cnplisters "sigs.k8s.io/network-policy-api/pkg/client/listers/apis/v1alpha2"
+)
+
+// ClusterNetworkPolicy implements the PolicyEvaluator interface for the CNP API.
+type ClusterNetworkPolicy struct {
+	tier           npav1alpha2.Tier
+	cnpLister      cnplisters.ClusterNetworkPolicyLister
+	domainResolver DomainResolver
+}
+
+var _ PolicyEvaluator = &ClusterNetworkPolicy{}
+
+// NewClusterNetworkPolicy creates a new CNP implementation.
+func NewClusterNetworkPolicy(tier npav1alpha2.Tier, cnpInformer cnpinformers.ClusterNetworkPolicyInformer, domainResolver DomainResolver) *ClusterNetworkPolicy {
+	return &ClusterNetworkPolicy{
+		tier:           tier,
+		cnpLister:      cnpInformer.Lister(),
+		domainResolver: domainResolver,
+	}
+}
+
+func (c *ClusterNetworkPolicy) Name() string {
+	return "ClusterNetworkPolicy" + string(c.tier)
+}
+
+// EvaluateIngress evaluates ingress rules for the evaluator's specific tier.
+func (c *ClusterNetworkPolicy) EvaluateIngress(ctx context.Context, p *network.Packet, srcPod, dstPod *api.PodInfo) (Verdict, error) {
+	logger := klog.FromContext(ctx)
+
+	policies, err := c.getPoliciesForPod(dstPod)
+	if err != nil || len(policies) == 0 {
+		return VerdictNext, err
+	}
+
+	action := c.evaluateClusterIngress(policies, srcPod, dstPod, p.DstPort, p.Proto)
+	logger.V(2).Info("Ingress CNP evaluation", "tier", c.tier, "npolicies", len(policies), "action", action)
+
+	return actionToVerdict(action), nil
+}
+
+// EvaluateEgress evaluates egress rules for the evaluator's specific tier.
+func (c *ClusterNetworkPolicy) EvaluateEgress(ctx context.Context, p *network.Packet, srcPod, dstPod *api.PodInfo) (Verdict, error) {
+	logger := klog.FromContext(ctx)
+
+	policies, err := c.getPoliciesForPod(srcPod)
+	if err != nil || len(policies) == 0 {
+		return VerdictNext, err
+	}
+
+	action := c.evaluateClusterEgress(policies, dstPod, p.DstIP, p.DstPort, p.Proto)
+	logger.V(2).Info("Egress CNP evaluation", "tier", c.tier, "npolicies", len(policies), "action", action)
+
+	return actionToVerdict(action), nil
+}
+
+// getPoliciesForPod filters policies from the lister that match the pod and the evaluator's tier.
+func (c *ClusterNetworkPolicy) getPoliciesForPod(pod *api.PodInfo) ([]*npav1alpha2.ClusterNetworkPolicy, error) {
+	if pod == nil {
+		return nil, nil
+	}
+
+	allPolicies, err := c.cnpLister.List(labels.Everything())
+	if err != nil {
+		return nil, err
+	}
+
+	var result []*npav1alpha2.ClusterNetworkPolicy
+	for _, policy := range allPolicies {
+		// Filter by the tier this evaluator instance is responsible for.
+		if policy.Spec.Tier != c.tier {
+			continue
+		}
+
+		subject := policy.Spec.Subject
+		matches := false
+		if subject.Namespaces != nil && matchesSelector(subject.Namespaces, pod.Namespace.Labels) {
+			matches = true
+		}
+		if !matches && subject.Pods != nil &&
+			matchesSelector(&subject.Pods.NamespaceSelector, pod.Namespace.Labels) &&
+			matchesSelector(&subject.Pods.PodSelector, pod.Labels) {
+			matches = true
+		}
+
+		if matches {
+			result = append(result, policy)
+		}
+	}
+
+	// Sort by priority and then by name for deterministic evaluation.
+	slices.SortFunc(result, func(a, b *npav1alpha2.ClusterNetworkPolicy) int {
+		if n := cmp.Compare(a.Spec.Priority, b.Spec.Priority); n != 0 {
+			return n
+		}
+		return cmp.Compare(a.Name, b.Name)
+	})
+	return result, nil
+}
+
+// evaluateClusterEgress evaluates a list of egress policies for a traffic flow.
+func (c *ClusterNetworkPolicy) evaluateClusterEgress(
+	policies []*npav1alpha2.ClusterNetworkPolicy,
+	dstPod *api.PodInfo,
+	dstIP net.IP,
+	dstPort int,
+	protocol v1.Protocol,
+) npav1alpha2.ClusterNetworkPolicyRuleAction {
+	for _, policy := range policies {
+		for _, rule := range policy.Spec.Egress {
+			if rule.Ports != nil {
+				if !evaluateClusterNetworkPolicyPort(*rule.Ports, dstPod, dstPort, protocol) {
+					continue
+				}
+			}
+			for _, to := range rule.To {
+				if to.Namespaces != nil && dstPod != nil && matchesSelector(to.Namespaces, dstPod.Namespace.Labels) {
+					return rule.Action
+				}
+
+				if to.Pods != nil && dstPod != nil &&
+					matchesSelector(&to.Pods.NamespaceSelector, dstPod.Namespace.Labels) &&
+					matchesSelector(&to.Pods.PodSelector, dstPod.Labels) {
+					return rule.Action
+				}
+
+				if to.Nodes != nil && dstPod != nil && matchesSelector(to.Nodes, dstPod.Node.Labels) {
+					return rule.Action
+				}
+
+				for _, network := range to.Networks {
+					_, cidr, err := net.ParseCIDR(string(network))
+					if err != nil {
+						continue
+					}
+					if cidr.Contains(dstIP) {
+						return rule.Action
+					}
+				}
+				for _, domain := range to.DomainNames {
+					if c.domainResolver != nil && c.domainResolver.ContainsIP(string(domain), dstIP) {
+						return rule.Action
+					}
+				}
+			}
+		}
+	}
+	// Per CNP spec, if no rule matches, the default action is 'Pass'.
+	return npav1alpha2.ClusterNetworkPolicyRuleActionPass
+}
+
+// evaluateClusterIngress evaluates a list of ingress policies for a traffic flow.
+func (c *ClusterNetworkPolicy) evaluateClusterIngress(
+	policies []*npav1alpha2.ClusterNetworkPolicy,
+	srcPod, dstPod *api.PodInfo,
+	dstPort int,
+	protocol v1.Protocol,
+) npav1alpha2.ClusterNetworkPolicyRuleAction {
+	if srcPod == nil {
+		return npav1alpha2.ClusterNetworkPolicyRuleActionPass
+	}
+	for _, policy := range policies {
+		for _, rule := range policy.Spec.Ingress {
+			if rule.Ports != nil {
+				if !evaluateClusterNetworkPolicyPort(*rule.Ports, dstPod, dstPort, protocol) {
+					continue
+				}
+			}
+			for _, from := range rule.From {
+				if from.Namespaces != nil && matchesSelector(from.Namespaces, srcPod.Namespace.Labels) {
+					return rule.Action
+				}
+
+				if from.Pods != nil &&
+					matchesSelector(&from.Pods.NamespaceSelector, srcPod.Namespace.Labels) &&
+					matchesSelector(&from.Pods.PodSelector, srcPod.Labels) {
+					return rule.Action
+				}
+			}
+		}
+	}
+	return npav1alpha2.ClusterNetworkPolicyRuleActionPass
+}
+
+// evaluateClusterNetworkPolicyPort checks if a specific port and protocol match any port selectors.
+func evaluateClusterNetworkPolicyPort(
+	policyPorts []npav1alpha2.ClusterNetworkPolicyPort,
+	pod *api.PodInfo,
+	port int,
+	protocol v1.Protocol,
+) bool {
+	if len(policyPorts) == 0 {
+		return true
+	}
+
+	for _, policyPort := range policyPorts {
+		if policyPort.PortNumber != nil &&
+			policyPort.PortNumber.Port == int32(port) &&
+			policyPort.PortNumber.Protocol == protocol {
+			return true
+		}
+
+		if policyPort.NamedPort != nil {
+			if pod == nil {
+				continue
+			}
+			for _, containerPort := range pod.ContainerPorts {
+				if containerPort.Name == *policyPort.NamedPort && v1.Protocol(containerPort.Protocol) == protocol && containerPort.Port == int32(port) {
+					return true
+				}
+			}
+		}
+
+		if policyPort.PortRange != nil &&
+			policyPort.PortRange.Protocol == protocol &&
+			policyPort.PortRange.Start <= int32(port) &&
+			policyPort.PortRange.End >= int32(port) {
+			return true
+		}
+	}
+	return false
+}
+
+// actionToVerdict translates a CNP action into an internal Verdict.
+func actionToVerdict(action npav1alpha2.ClusterNetworkPolicyRuleAction) Verdict {
+	switch action {
+	case npav1alpha2.ClusterNetworkPolicyRuleActionAllow:
+		return VerdictAccept
+	case npav1alpha2.ClusterNetworkPolicyRuleActionDeny:
+		return VerdictDeny
+	case npav1alpha2.ClusterNetworkPolicyRuleActionPass:
+		return VerdictNext
+	default:
+		// Default to a "pass" behavior is safest if the action is unknown or empty.
+		return VerdictNext
+	}
+}
diff --git a/pkg/networkpolicy/clusternetworkpolicy_test.go b/pkg/networkpolicy/clusternetworkpolicy_test.go
@@ -0,0 +1,3 @@
+// SPDX-License-Identifier: APACHE-2.0
+
+package networkpolicy

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+// SPDX-License-Identifier: APACHE-2.0`
	`2`	`+`
	`3`	`+package networkpolicy`