Beispiel #1
0
// deleteNetworkPolicyByID deletes the policy specified by the policyID
func (l *KubeListener) deleteNetworkPolicyByID(policyID uint64) error {
	policyURL, err := l.restClient.GetServiceUrl("policy")
	if err != nil {
		return err
	}
	policyURL = fmt.Sprintf("%s/policies/%d", policyURL, policyID)
	log.Debugf("deleteNetworkPolicyByID: Deleting policy %d", policyID)
	deletedPolicy := common.Policy{}
	err = l.restClient.Delete(policyURL, nil, &deletedPolicy)
	if err != nil {
		switch err := err.(type) {
		default:
			return err
		case common.HttpError:
			if err.StatusCode == http.StatusNotFound {
				log.Warnf("deleteNetworkPolicyByID: Policy %d not found, ignoring", policyID)
				return nil
			} else {
				return err
			}
		}
	}
	log.Debugf("deleteNetworkPolicyByID: Deleted policy %s", deletedPolicy)
	return err
}
Beispiel #2
0
// deleteDefaultPolicy deletes the policy, thus enabling isolation
// effectively setting DefaultDeny to on.
func deleteDefaultPolicy(o *v1.Namespace, l *KubeListener) {
	var err error
	// TODO this should be ExternalID, not Name...
	policyName := getDefaultPolicyName(o)
	policy := common.Policy{Name: policyName}

	policyURL, err := l.restClient.GetServiceUrl("policy")
	if err != nil {
		log.Errorf("In deleteDefaultPolicy :: Failed to find policy service: %s\n", err)
		log.Errorf("In deleteDefaultPolicy :: Failed to delete default policy: %s\n", policyName)
		return
	}

	policyURL = fmt.Sprintf("%s/find/policies/%s", policyURL, policy.Name)
	err = l.restClient.Get(policyURL, &policy)
	if err != nil {
		// An annotation to set isolation on may be issued multiple times.
		// If it already was reacted to and default policy was dropped,
		// then we don't do anything.
		log.Debugf("In deleteDefaultPolicy :: Failed to find policy %s: %s, ignoring\n", policyName, err)
		return
	}
	if err = l.deleteNetworkPolicyByID(policy.ID); err != nil {
		log.Errorf("In deleteDefaultPolicy :: Error :: failed to delete policy %d: %s\n", policy.ID, err)
	}
}
Beispiel #3
0
// addDefaultPolicy adds the default policy which is to allow
// all ingres.
func addDefaultPolicy(o *v1.Namespace, l *KubeListener) {
	var err error
	// TODO this should be ExternalID, not Name...
	policyName := getDefaultPolicyName(o)

	// Before adding the default policy, see if it may already exist.
	policy := common.Policy{Name: policyName}

	policyURL, err := l.restClient.GetServiceUrl("policy")
	if err != nil {
		log.Errorf("In addDefaultPolicy :: Failed to find policy service: %s\n", err)
		log.Errorf("In addDefaultPolicy :: Failed to add default policy: %s\n", policyName)
		return
	}

	policyURL = fmt.Sprintf("%s/find/policies/%s", policyURL, policy.Name)
	err = l.restClient.Get(policyURL, &policy)
	if err == nil {
		// An annotation to set isolation off may be issued multiple
		// times and we already have the default policy caused by that in place.
		// So we just do not do anything.
		log.Infof("In addDefaultPolicy :: Policy %s (%d) already exists, ignoring\n", policy.Name, policy.ID)
		return
	}

	// Find tenant, to properly set up policy
	// TODO This really should be by external ID...
	tnt, err := l.resolveTenantByName(o.ObjectMeta.Name)
	if err != nil {
		log.Infof("In addDefaultPolicy :: Error :: failed to resolve tenant %s \n", err)
		return
	}

	romanaPolicy := &common.Policy{
		Direction: common.PolicyDirectionIngress,
		Name:      policyName,
		//		ExternalID: externalID,
		AppliedTo: []common.Endpoint{{TenantNetworkID: &tnt.NetworkID}},
		Ingress: []common.RomanaIngress{
			common.RomanaIngress{
				Peers: []common.Endpoint{{Peer: common.Wildcard}},
				Rules: []common.Rule{{Protocol: common.Wildcard}},
			},
		},
	}

	err = l.addNetworkPolicy(*romanaPolicy)
	switch err := err.(type) {
	default:
		log.Errorf("In addDefaultPolicy :: Error :: failed to create policy  %s: %s\n", policyName, err)
	case nil:
		log.Debugf("In addDefaultPolicy: Succesfully created policy  %s\n", policyName)
	case common.HttpError:
		if err.StatusCode == http.StatusConflict {
			log.Infof("In addDefaultPolicy ::Policy %s already exists.\n", policyName)
		} else {
			log.Errorf("In addDefaultPolicy :: Error :: failed to create policy %s: %s\n", policyName, err)
		}
	}
}
Beispiel #4
0
// HandleDefaultPolicy handles isolation flag on a namespace by creating/deleting
// default network policy. See http://kubernetes.io/docs/user-guide/networkpolicies/
func HandleDefaultPolicy(o *v1.Namespace, l *KubeListener) {
	var defaultDeny bool
	annotationKey := "net.beta.kubernetes.io/networkpolicy"
	if np, ok := o.ObjectMeta.Annotations[annotationKey]; ok {
		log.Infof("Handling default policy on a namespace %s, policy is now %s \n", o.ObjectMeta.Name, np)
		// Annotations are stored in the Annotations map as raw JSON.
		// So we need to parse it.
		isolationPolicy := struct {
			Ingress struct {
				Isolation string `json:"isolation"`
			} `json:"ingress"`
		}{}
		// TODO change to json.Unmarshal. Stas
		err := json.NewDecoder(strings.NewReader(np)).Decode(&isolationPolicy)
		if err != nil {
			log.Errorf("In HandleDefaultPolicy :: Error decoding annotation %s: %s", annotationKey, err)
			return
		}
		log.Debugf("Decoded to policy: %v", isolationPolicy)
		defaultDeny = isolationPolicy.Ingress.Isolation == "DefaultDeny"
	} else {
		log.Infof("Handling default policy on a namespace, no annotation detected assuming non isolated namespace\n")
		defaultDeny = false
	}
	if defaultDeny {
		deleteDefaultPolicy(o, l)
	} else {
		addDefaultPolicy(o, l)
	}
}
Beispiel #5
0
// addNetworkPolicy adds the policy to the policy service.
func (l *KubeListener) addNetworkPolicy(policy common.Policy) error {
	policyURL, err := l.restClient.GetServiceUrl("policy")
	if err != nil {
		return err
	}
	policyURL = fmt.Sprintf("%s/policies", policyURL)
	log.Debugf("Applying policy %s", policy)
	err = l.restClient.Post(policyURL, policy, &policy)
	if err != nil {
		return err
	}
	return nil
}