From 28cf5808663d464b7c7c1632eea406e2cc0f755a Mon Sep 17 00:00:00 2001 From: Kyle Bai Date: Mon, 7 Jan 2019 15:41:10 +0800 Subject: [PATCH] Add flag to set the destination zones (#11) * Add flag to set the destination zones * Update version to v0.6.5 --- Makefile | 2 +- cmd/main.go | 17 +++++++++------ deploy/deployment.yml | 2 +- pkg/config/types.go | 1 + pkg/k8sutil/security.go | 29 ++++++++++++++++--------- pkg/k8sutil/security_test.go | 19 +++++++++++----- pkg/operator/service/controller.go | 14 ++++++++---- pkg/operator/service/controller_test.go | 4 +++- 8 files changed, 59 insertions(+), 29 deletions(-) diff --git a/Makefile b/Makefile index 9a19d47..ecb6f5f 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ VERSION_MAJOR ?= 0 VERSION_MINOR ?= 6 -VERSION_BUILD ?= 4 +VERSION_BUILD ?= 5 VERSION ?= v$(VERSION_MAJOR).$(VERSION_MINOR).$(VERSION_BUILD) GOOS ?= $(shell go env GOOS) diff --git a/cmd/main.go b/cmd/main.go index 4e705bc..cd68a34 100644 --- a/cmd/main.go +++ b/cmd/main.go 
@@ -13,19 +13,21 @@ import ( ) var ( - kubeconfig string - namespaces []string - services []string - retry int - logSetting string - group string - ver bool + kubeconfig string + namespaces []string + services []string + destinationZones []string + retry int + logSetting string + group string + ver bool ) func parserFlags() { flag.StringVarP(&kubeconfig, "kubeconfig", "", "", "Absolute path to the kubeconfig file.") flag.StringSliceVarP(&namespaces, "ignore-namespaces", "", nil, "Set ignore namespaces for Kubernetes service.") flag.StringSliceVarP(&services, "services", "", []string{"k8s-tcp", "k8s-udp"}, "The security policies service objects.") + flag.StringSliceVarP(&destinationZones, "destination-zones", "", []string{"AI public service network"}, "Public destination zones.") flag.IntVarP(&retry, "retry", "", 5, "Number of retry for PA failed job.") flag.StringVarP(&logSetting, "log-setting", "", "", "The security policies log-setting name.") flag.StringVarP(&group, "group", "", "", "The security policies group name.") @@ -48,6 +50,7 @@ func main() { conf := &config.OperatorConfig{ Kubeconfig: kubeconfig, IgnoreNamespaces: namespaces, + DestinationZones: destinationZones, Retry: retry, Services: services, GroupName: group, diff --git a/deploy/deployment.yml b/deploy/deployment.yml index 270fbb7..fc5bab5 100644 --- a/deploy/deployment.yml +++ b/deploy/deployment.yml @@ -22,7 +22,7 @@ spec: serviceAccountName: pa-svc-syncker containers: - name: pa-svc-syncker - image: inwinstack/pa-svc-syncker:v0.6.4 + image: inwinstack/pa-svc-syncker:v0.6.5 args: - --v=2 - --logtostderr=true diff --git a/pkg/config/types.go b/pkg/config/types.go index 605e332..a265592 100644 --- a/pkg/config/types.go +++ b/pkg/config/types.go @@ -20,6 +20,7 @@ type OperatorConfig struct { Kubeconfig string IgnoreNamespaces []string Services []string + DestinationZones []string Retry int LogSettingName string GroupName string 
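Review bot: The new `--destination-zones` flag in `parserFlags` is accepted without validation, so an empty value (or an empty element from a stray comma) reaches `OperatorConfig.DestinationZones` and from there the generated Security spec untouched, and what the PA side does with a rule naming no zone is not visible here. Because every rule this operator emits allows `any` source address into exactly the zones named by this flag (see the security.go hunks of this patch), pointing it at an internal/trust zone would expose each synced Service address to that whole source set, which the help string `"Public destination zones."` does not warn about. I would reject an empty list right after `parserFlags()` in `main`, e.g. `if len(destinationZones) == 0 { /* fatal: --destination-zones must name at least one zone, using whatever main already uses for start-up errors */ }`, and change the help to `"PA zones that hold the synced Service addresses; every auto-generated allow rule targets these zones."`. The default `"AI public service network"` is a site-specific zone name baked into the binary; the help text should say the value is deployment-specific. `main` continues outside the second hunk.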
diff --git a/pkg/k8sutil/security.go b/pkg/k8sutil/security.go index cf2b088..ed22313 100644 --- a/pkg/k8sutil/security.go +++ b/pkg/k8sutil/security.go @@ -23,10 +23,19 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -func newSecurity(name, addr, log, group string, services []string, svc *v1.Service) *inwinv1.Security { +type SecurityParameter struct { + Name string + Address string + Log string + Group string + Services []string + DestinationZones []string +} + +func newSecurity(para *SecurityParameter, svc *v1.Service) *inwinv1.Security { return &inwinv1.Security{ ObjectMeta: metav1.ObjectMeta{ - Name: name, + Name: para.Name, Namespace: svc.Namespace, }, Spec: inwinv1.SecuritySpec{ 
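Review bot: `SecurityParameter` is exported but has no doc comment, and neither do its fields, even though the struct is now the only place a caller learns what each value becomes in the PA rule. I would add above the type `// SecurityParameter holds the inputs newSecurity copies into an inwinv1.Security spec for one Service.` and a one-line comment per field: Name is the Security object name, Address the single destination address, Log the log-setting name, Group the rule group, Services and DestinationZones are used as given. `newSecurity` dereferences `para` unconditionally, so a nil pointer panics; either state in the comment that nil is a programmer error or guard it. The body of `newSecurity` continues into the next hunk.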
@@ -34,28 +43,28 @@ func newSecurity(name, addr, log, group string, services []string, svc *v1.Servi SourceAddresses: []string{"any"}, SourceUsers: []string{"any"}, HipProfiles: []string{"any"}, - DestinationZones: []string{"AI public service network"}, - DestinationAddresses: []string{addr}, + DestinationZones: para.DestinationZones, + DestinationAddresses: []string{para.Address}, Applications: []string{"any"}, - Services: services, + Services: para.Services, Categories: []string{"any"}, Action: "allow", IcmpUnreachable: false, DisableServerResponseInspection: false, LogEnd: true, - LogSetting: log, - Group: group, + LogSetting: para.Log, + Group: para.Group, Description: "Auto sync Security for Kubernetes.", }, } } -func CreateSecurity(c clientset.Interface, name, addr, log, group string, services []string, svc *v1.Service) error { - if _, err := c.InwinstackV1().Securities(svc.Namespace).Get(name, metav1.GetOptions{}); err == nil { +func CreateSecurity(c clientset.Interface, para *SecurityParameter, svc *v1.Service) error { + if _, err := c.InwinstackV1().Securities(svc.Namespace).Get(para.Name, metav1.GetOptions{}); err == nil { return nil } - newSec := newSecurity(name, addr, log, group, services, svc) + newSec := newSecurity(para, svc) if _, err := c.InwinstackV1().Securities(svc.Namespace).Create(newSec); err != nil { return err } diff --git a/pkg/k8sutil/security_test.go b/pkg/k8sutil/security_test.go index deb9fe1..d2a425f 100644 --- a/pkg/k8sutil/security_test.go +++ b/pkg/k8sutil/security_test.go 
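Review bot: `CreateSecurity` still returns nil as soon as a Security named `para.Name` exists, so the new `DestinationZones` (like the existing Log, Group and Services values) is only applied when the object is first created; changing `--destination-zones` on a running deployment leaves every existing rule on the old zones and nothing reports that. If this is intended, the function needs a comment saying the spec is fixed at creation time; otherwise fetch the existing object, compare the spec and call `Update` when it differs. The pre-check also treats every error from `Get` as "not found" and goes on to `Create`; `if _, err := c.InwinstackV1().Securities(svc.Namespace).Get(para.Name, metav1.GetOptions{}); err == nil { return nil } else if !errors.IsNotFound(err) { return err }` with `k8s.io/apimachinery/pkg/api/errors` keeps a lookup failure apart from a genuine create. Note that the spec still uses `any` for source addresses and users with `Action: "allow"`, so nothing in this function can reject an unsafe zone; that must happen at the caller. `CreateSecurity`'s trailing return is outside the hunk.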
@@ -34,11 +34,20 @@ func TestSecurity(t *testing.T) { } client := fake.NewSimpleClientset() - assert.Nil(t, CreateSecurity(client, "test-sec", "140.11.22.33", "", "", []string{"k8s-tcp"}, svc)) + para := &SecurityParameter{ + Name: "test-sec", + Address: "140.11.22.33", + Log: "", + Group: "", + Services: []string{"k8s-tcp"}, + DestinationZones: []string{"AI public service network"}, + } + assert.Nil(t, CreateSecurity(client, para, svc)) - sec, err := client.InwinstackV1().Securities(svc.Namespace).Get("test-sec", metav1.GetOptions{}) + sec, err := client.InwinstackV1().Securities(svc.Namespace).Get(para.Name, metav1.GetOptions{}) assert.Nil(t, err) - assert.Equal(t, "140.11.22.33", sec.Spec.DestinationAddresses[0]) - assert.Equal(t, []string{"k8s-tcp"}, sec.Spec.Services) - assert.Nil(t, DeleteSecurity(client, "test-sec", svc.Namespace)) + assert.Equal(t, para.Address, sec.Spec.DestinationAddresses[0]) + assert.Equal(t, para.Services, sec.Spec.Services) + assert.Equal(t, para.DestinationZones, sec.Spec.DestinationZones) + assert.Nil(t, DeleteSecurity(client, para.Name, svc.Namespace)) } diff --git a/pkg/operator/service/controller.go b/pkg/operator/service/controller.go index b3c6f84..1dc5441 100644 --- a/pkg/operator/service/controller.go +++ b/pkg/operator/service/controller.go 
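Review bot: The updated `TestSecurity` only exercises the first-create path, so the fact that `DestinationZones` is fixed at creation time has no coverage; calling `CreateSecurity` a second time with a different `DestinationZones` and asserting `sec.Spec.DestinationZones` still equals the first value would pin that behaviour down either way. `para.Log` and `para.Group` are populated but, unlike the other fields, never compared against the created object; `assert.Equal(t, para.Log, sec.Spec.LogSetting)` and `assert.Equal(t, para.Group, sec.Spec.Group)` after the existing assertions would close that gap.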
@@ -178,10 +178,16 @@ func (c *ServiceController) syncNAT(svc *v1.Service, addr string) { // Sync the PA Security policies func (c *ServiceController) syncSecurity(svc *v1.Service, addr string) { name := fmt.Sprintf("k8s-%s", addr) - log := c.conf.LogSettingName - group := c.conf.GroupName - services := c.conf.Services - if err := k8sutil.CreateSecurity(c.client, name, addr, log, group, services, svc); err != nil { + + secPara := &k8sutil.SecurityParameter{ + Name: name, + Address: addr, + Log: c.conf.LogSettingName, + Group: c.conf.GroupName, + Services: c.conf.Services, + DestinationZones: c.conf.DestinationZones, + } + if err := k8sutil.CreateSecurity(c.client, secPara, svc); err != nil { glog.Warningf("Failed to create and update Security resource: %+v.", err) } } diff --git a/pkg/operator/service/controller_test.go b/pkg/operator/service/controller_test.go index 5ff1397..5c4df0e 100644 --- a/pkg/operator/service/controller_test.go +++ b/pkg/operator/service/controller_test.go @@ -92,6 +92,7 @@ func TestController(t *testing.T) { Services: []string{"k8s-tcp", "k8s-udp"}, GroupName: "", LogSettingName: "", + DestinationZones: []string{"test"}, } controller := NewController(ctx, client, conf) @@ -116,7 +117,8 @@ func TestController(t *testing.T) { sec, err := client.InwinstackV1().Securities("default").Get(name, metav1.GetOptions{}) assert.Equal(t, ip.Status.Address, sec.Spec.DestinationAddresses[0]) - assert.Equal(t, []string{"k8s-tcp", "k8s-udp"}, sec.Spec.Services) + assert.Equal(t, conf.Services, sec.Spec.Services) + assert.Equal(t, conf.DestinationZones, sec.Spec.DestinationZones) // Test onDelete assert.Nil(t, coreClient.CoreV1().Services("default").Delete("test-svc", nil))
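Review bot: The warning in `syncSecurity` says `Failed to create and update Security resource`, but `CreateSecurity` as changed in this patch only creates and silently returns nil when the object already exists, so a reader of the logs would assume zone changes are propagated when they are not; `glog.Warningf("Failed to create Security resource: %+v.", err)` is the accurate message. `c.conf.DestinationZones` is copied into `SecurityParameter` with no check for an empty slice, so if `main` does not validate the flag (not visible here) a rule with no destination zone is submitted without any log line; a `glog.Warningf` plus early return when `len(c.conf.DestinationZones) == 0` would be a cheap guard at the point where the rule is built. The rest of `ServiceController` is outside the hunk.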
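Review bot: In `TestController` the `sec, err := ...Get(name, metav1.GetOptions{})` line immediately above the new assertions never checks `err`, so a failed lookup most likely leaves `sec` nil and the test panics on `sec.Spec.DestinationAddresses[0]` instead of reporting the lookup error; add `assert.Nil(t, err)` directly after the `Get`. The new `assert.Equal(t, conf.DestinationZones, sec.Spec.DestinationZones)` only shows that the config value is echoed into the spec; a short comment on the `DestinationZones: []string{"test"}` line, such as `// any non-empty value works: the controller copies it into the spec unchanged`, would tell a reader why the fixture is not a real zone name.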