Add support for external traffic network policies that are restricted…

… to only allow the Ingress controller, rather than all traffic (#452)
otterize · Jul 8, 2024 · 00faac0 · 00faac0
1 parent 317cdf1
commit 00faac0
Show file tree

Hide file tree

Showing 16 changed files with 1,067 additions and 383 deletions.
diff --git a/src/operator/api/v1alpha3/clientintents_types.go b/src/operator/api/v1alpha3/clientintents_types.go
@@ -38,6 +38,7 @@ const (
 	OtterizeAccessLabelPrefix                        = "intents.otterize.com/access"
 	OtterizeServiceAccessLabelPrefix                 = "intents.otterize.com/svc-access"
 	OtterizeAccessLabelKey                           = "intents.otterize.com/access-%s"
+	OtterizeExternalAccessLabelKey             = "intents.otterize.com/external-access-%s"
 	OtterizeSvcAccessLabelKey                        = "intents.otterize.com/svc-access-%s"
 	OtterizeClientLabelKey                           = "intents.otterize.com/client"
 	OtterizeServiceLabelKey                          = "intents.otterize.com/service"

diff --git a/src/operator/api/v1alpha3/otterize_labels.go b/src/operator/api/v1alpha3/otterize_labels.go
@@ -30,6 +30,15 @@ func IsMissingOtterizeAccessLabels(pod *v1.Pod, otterizeAccessLabels map[string]
 	return false
 }
 
+func IsMissingOtterizeExternalAccessLabels(pod *v1.Pod) bool {
+	if pod.Labels == nil {
+		return true
+	}
+
+	_, found := pod.Labels[OtterizeExternalAccessLabelKey]
+	return !found
+}
+
 // UpdateOtterizeAccessLabels updates a pod's labels with Otterize labels representing their intents
 // The pod is also labeled with "otterize-client=<hashed-client-name>" to mark it as having intents or being the client-side of an egress netpol
 func UpdateOtterizeAccessLabels(pod *v1.Pod, serviceIdentity serviceidentity.ServiceIdentity, otterizeAccessLabels map[string]string) *v1.Pod {

diff --git a/src/operator/controllers/external_traffic/network_policy.go b/src/operator/controllers/external_traffic/network_policy.go
@@ -42,21 +42,23 @@ type NetworkPolicyHandler struct {
 	client client.Client
 	scheme *runtime.Scheme
 	injectablerecorder.InjectableRecorder
-	allowExternalTraffic allowexternaltraffic.Enum
+	allowExternalTraffic        allowexternaltraffic.Enum
+	ingressControllerIdentities []serviceidentity.ServiceIdentity
 }
 
 func NewNetworkPolicyHandler(
 	client client.Client,
 	scheme *runtime.Scheme,
 	allowExternalTraffic allowexternaltraffic.Enum,
+	ingressControllerIdentities []serviceidentity.ServiceIdentity,
 ) *NetworkPolicyHandler {
-	return &NetworkPolicyHandler{client: client, scheme: scheme, allowExternalTraffic: allowExternalTraffic}
+	return &NetworkPolicyHandler{client: client, scheme: scheme, allowExternalTraffic: allowExternalTraffic, ingressControllerIdentities: ingressControllerIdentities}
 }
 
 func (r *NetworkPolicyHandler) createOrUpdateNetworkPolicy(
 	ctx context.Context, endpoints *corev1.Endpoints, owner *corev1.Service, otterizeServiceName string, selector metav1.LabelSelector, ingressList *v1.IngressList, successMsg string) error {
 	policyName := r.formatPolicyName(endpoints.Name)
-	newPolicy := buildNetworkPolicyObjectForEndpoints(endpoints, otterizeServiceName, selector, ingressList, policyName)
+	newPolicy := r.buildNetworkPolicyObjectForEndpoints(endpoints, owner, otterizeServiceName, selector, ingressList, policyName)
 	err := controllerutil.SetOwnerReference(owner, newPolicy, r.scheme)
 	if err != nil {
 		return errors.Wrap(err)
@@ -112,9 +114,8 @@ func (r *NetworkPolicyHandler) arePoliciesEqual(existingPolicy *v1.NetworkPolicy
 		reflect.DeepEqual(existingPolicy.OwnerReferences, newPolicy.OwnerReferences)
 }
 
-func buildNetworkPolicyObjectForEndpoints(
-	endpoints *corev1.Endpoints, otterizeServiceName string, selector metav1.LabelSelector, ingressList *v1.IngressList, policyName string) *v1.NetworkPolicy {
-	serviceSpecCopy := endpoints.Subsets
+func (r *NetworkPolicyHandler) buildNetworkPolicyObjectForEndpoints(
+	endpoints *corev1.Endpoints, svc *corev1.Service, otterizeServiceName string, selector metav1.LabelSelector, ingressList *v1.IngressList, policyName string) *v1.NetworkPolicy {
 
 	annotations := map[string]string{
 		v1alpha3.OtterizeCreatedForServiceAnnotation: endpoints.GetName(),
@@ -126,6 +127,26 @@ func buildNetworkPolicyObjectForEndpoints(
 		}), ",")
 	}
 
+	rule := v1.NetworkPolicyIngressRule{}
+	// Only limit netpol if there is an ingress controller restriction configured AND the service is not directly exposed.
+	if len(r.ingressControllerIdentities) != 0 && svc.Spec.Type == corev1.ServiceTypeClusterIP {
+		for _, ingressController := range r.ingressControllerIdentities {
+			rule.From = append(rule.From, v1.NetworkPolicyPeer{
+				PodSelector: &metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						v1alpha3.OtterizeServiceLabelKey:   ingressController.GetFormattedOtterizeIdentityWithoutKind(),
+						v1alpha3.OtterizeOwnerKindLabelKey: ingressController.Kind,
+					},
+				},
+				NamespaceSelector: &metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						v1alpha3.KubernetesStandardNamespaceNameLabelKey: ingressController.Namespace,
+					},
+				},
+			})
+		}
+	}
+
 	netpol := &v1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      policyName,
@@ -139,12 +160,12 @@ func buildNetworkPolicyObjectForEndpoints(
 			PolicyTypes: []v1.PolicyType{v1.PolicyTypeIngress},
 			PodSelector: selector,
 			Ingress: []v1.NetworkPolicyIngressRule{
-				{},
+				rule,
 			},
 		},
 	}
 
-	for _, subsets := range serviceSpecCopy {
+	for _, subsets := range endpoints.Subsets {
 		for _, port := range subsets.Ports {
 			netpolPort := v1.NetworkPolicyPort{
 				Port: lo.ToPtr(intstr.FromInt(int(port.Port))),

diff --git a/src/operator/controllers/external_traffic/network_policy_test.go b/src/operator/controllers/external_traffic/network_policy_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
 	"github.com/otterize/intents-operator/src/shared/operatorconfig/allowexternaltraffic"
+	"github.com/otterize/intents-operator/src/shared/serviceidresolver/serviceidentity"
 	"github.com/otterize/intents-operator/src/shared/testbase"
 	"github.com/stretchr/testify/suite"
 	"go.uber.org/mock/gomock"
@@ -21,7 +22,7 @@ type NetworkPolicyHandlerTestSuite struct {
 
 func (s *NetworkPolicyHandlerTestSuite) SetupTest() {
 	s.MocksSuiteBase.SetupTest()
-	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, allowexternaltraffic.IfBlockedByOtterize)
+	s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, allowexternaltraffic.IfBlockedByOtterize, make([]serviceidentity.ServiceIdentity, 0))
 }
 
 func (s *NetworkPolicyHandlerTestSuite) TestNetworkPolicyHandler_HandleBeforeAccessPolicyRemoval_createWhenNoIntentsEnabled_doNothing() {

diff --git a/src/operator/controllers/external_traffic/network_policy_uploader.go b/src/operator/controllers/external_traffic/network_policy_uploader.go