Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckParameters = func(rule *rules.Rule) error { parameters := rule.GetParameters() if err := utils.CheckParameters(parameters, "allow", utils.SliceInterfaceStr, nil, false); err != nil { return err } if parameters["allow"] == nil { return nil } if p := parameters["allow"].([]interface{}); len(p) != 0 { for _, i := range p { if _, _, err := net.ParseCIDR(i.(string)); err != nil { return fmt.Errorf("wrong CIDR '%v'", i) } } } return nil }
View Source
var NetworkPolicy = func(rule *rules.Rule, event *events.Event) (utils.LogLine, error) { podName := event.GetPodName() namespace := event.GetNamespaceName() objects := map[string]string{ "Pod": podName, "Namespace": namespace, } client := kubernetes.GetClient() pod, err := client.GetPod(podName, namespace) if err != nil { return utils.LogLine{ Objects: objects, Error: err.Error(), Status: "failure", }, err } labels := make(map[string]string) var owner string if len(pod.OwnerReferences) != 0 { switch pod.OwnerReferences[0].Kind { case "DaemonSet": u, errG := client.GetDaemonsetFromPod(pod) if errG != nil { return utils.LogLine{ Objects: objects, Error: errG.Error(), Status: "failure", }, errG } if u == nil { return utils.LogLine{ Objects: objects, Error: fmt.Sprintf("can't find the daemonset for the pod %v in namespace %v", podName, namespace), Status: "failure", }, fmt.Errorf("can't find the daemonset for the pod %v in namespace %v", podName, namespace) } owner = u.ObjectMeta.Name labels = u.Spec.Selector.MatchLabels if owner == "" || len(labels) == 0 { return utils.LogLine{ Objects: objects, Error: fmt.Sprintf("can't find the owner and/or labels for the pod %v in namespace %v", podName, namespace), Status: "failure", }, fmt.Errorf("can't find the owner and/or labels for the pod %v in namespace %v", podName, namespace) } case "StatefulSet": u, errG := client.GetStatefulsetFromPod(pod) if errG != nil { return utils.LogLine{ Objects: objects, Error: errG.Error(), Status: "failure", }, errG } if u == nil { return utils.LogLine{ Objects: objects, Error: fmt.Sprintf("can't find the statefulset for the pod %v in namespace %v", podName, namespace), Status: "failure", }, fmt.Errorf("can't find the statefulset for the pod %v in namespace %v", podName, namespace) } owner = u.ObjectMeta.Name labels = u.Spec.Selector.MatchLabels if owner == "" || len(labels) == 0 { return utils.LogLine{ Objects: objects, Error: fmt.Sprintf("can't find the owner and/or labels for the pod %v in namespace %v", podName, namespace), Status: "failure", }, fmt.Errorf("can't find the owner and/or labels for the pod %v in namespace %v", podName, namespace) } case "ReplicaSet": u, errG := client.GetReplicasetFromPod(pod) if errG != nil { return utils.LogLine{ Objects: objects, Error: errG.Error(), Status: "failure", }, errG } if u == nil { return utils.LogLine{ Objects: objects, Error: fmt.Sprintf("can't find the replicaset for the pod %v in namespace %v", podName, namespace), Status: "failure", }, fmt.Errorf("can't find the replicaset for the pod %v in namespace %v", podName, namespace) } var v *v1.Deployment v, errG = client.Clientset.AppsV1().Deployments(namespace).Get(context.Background(), u.OwnerReferences[0].Name, metav1.GetOptions{}) if errG != nil { return utils.LogLine{ Objects: objects, Error: errG.Error(), Status: "failure", }, errG } if v == nil { return utils.LogLine{ Objects: objects, Error: fmt.Sprintf("can't find the deployment for the pod %v in namespace %v", podName, namespace), Status: "failure", }, fmt.Errorf("can't find the deployment for the pod %v in namespace %v", podName, namespace) } owner = v.ObjectMeta.Name labels = v.Spec.Selector.MatchLabels if owner == "" || len(labels) == 0 { return utils.LogLine{ Objects: objects, Error: fmt.Sprintf("can't find the owner and/or labels for the pod %v in namespace %v", podName, namespace), Status: "failure", }, fmt.Errorf("can't find the owner and/or labels for the pod %v in namespace %v", podName, namespace) } } } else { owner = pod.ObjectMeta.Name labels = pod.ObjectMeta.Labels if owner == "" || len(labels) == 0 { return utils.LogLine{ Objects: objects, Error: fmt.Sprintf("can't find the owner and/or labels for the pod %v in namespace %v", podName, namespace), Status: "failure", }, fmt.Errorf("can't find the owner and/or labels for the pod %v in namespace %v", podName, namespace) } } delete(labels, "pod-template-hash") payload := networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: owner, Namespace: namespace, Labels: labels, }, Spec: networkingv1.NetworkPolicySpec{ PolicyTypes: []networkingv1.PolicyType{"Egress"}, PodSelector: metav1.LabelSelector{ MatchLabels: labels, }, }, } np, err := createEgressRule(rule) if err != nil { return utils.LogLine{ Objects: objects, Error: err.Error(), Status: "failure", }, err } if np != nil { payload.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{*np} } var status string _, err = client.NetworkingV1().NetworkPolicies(namespace).Get(context.Background(), owner, metav1.GetOptions{}) if errorsv1.IsNotFound(err) { _, err = client.NetworkingV1().NetworkPolicies(namespace).Create(context.Background(), &payload, metav1.CreateOptions{}) status = "created" } else { _, err = client.NetworkingV1().NetworkPolicies(namespace).Update(context.Background(), &payload, metav1.UpdateOptions{}) status = "updated" } if err != nil { return utils.LogLine{ Objects: objects, Error: err.Error(), Status: "failure", }, err } objects["NetworkPolicy"] = owner return utils.LogLine{ Objects: objects, Output: status, Status: "success", }, nil }
Functions ¶
This section is empty.
Types ¶
This section is empty.
Click to show internal directories.
Click to hide internal directories.