Sync PA security policy's SourceAddress from Namespace annotation (#14)

Author: kairen

Makefile

@@ -1,6 +1,6 @@
 VERSION_MAJOR ?= 0
-VERSION_MINOR ?= 6
-VERSION_BUILD ?= 5
+VERSION_MINOR ?= 7
+VERSION_BUILD ?= 0
 VERSION ?= v$(VERSION_MAJOR).$(VERSION_MINOR).$(VERSION_BUILD)
 
 GOOS ?= $(shell go env GOOS)

deploy/deployment.yml

@@ -22,7 +22,7 @@ spec:
       serviceAccountName: pa-svc-syncker
       containers:
       - name: pa-svc-syncker
-        image: inwinstack/pa-svc-syncker:v0.6.5
+        image: inwinstack/pa-svc-syncker:v0.7.0
         args:
         - --v=2
         - --logtostderr=true

pkg/constants/constants.go

@@ -29,4 +29,6 @@ const (
 	AnnKeyPublicIP = "inwinstack.com/allocated-public-ip"
 	// AnnKeyServiceRefresh set in Service to refresh the annotations
 	AnnKeyServiceRefresh = "inwinstack.com/service-refresh"
+	// AnnKeyWhiteListAddresses is the key of annotations for the whitelist
+	AnnKeyWhiteListAddresses = "inwinstack.com/whitelist-addresses"
 )

pkg/k8sutil/k8sutil.go

@@ -18,7 +18,7 @@ package k8sutil
 
 import (
 	"github.com/inwinstack/pa-svc-syncker/pkg/constants"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"

pkg/k8sutil/security.go

@@ -19,7 +19,7 @@ package k8sutil
 import (
 	inwinv1 "github.com/inwinstack/blended/apis/inwinstack/v1"
 	clientset "github.com/inwinstack/blended/client/clientset/versioned"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -30,6 +30,7 @@ type SecurityParameter struct {
 	Group            string
 	Services         []string
 	DestinationZones []string
+	SourceAddresses  []string
 }
 
 func newSecurity(para *SecurityParameter, svc *v1.Service) *inwinv1.Security {
@@ -40,7 +41,7 @@ func newSecurity(para *SecurityParameter, svc *v1.Service) *inwinv1.Security {
 		},
 		Spec: inwinv1.SecuritySpec{
 			SourceZones:                     []string{"untrust"},
-			SourceAddresses:                 []string{"any"},
+			SourceAddresses:                 para.SourceAddresses,
 			SourceUsers:                     []string{"any"},
 			HipProfiles:                     []string{"any"},
 			DestinationZones:                para.DestinationZones,
@@ -74,3 +75,18 @@ func CreateSecurity(c clientset.Interface, para *SecurityParameter, svc *v1.Serv
 func DeleteSecurity(c clientset.Interface, name, namespace string) error {
 	return c.InwinstackV1().Securities(namespace).Delete(name, nil)
 }
+
+func UpdateSecuritiesSourceIPs(c clientset.Interface, namespace string, addrs []string) error {
+	secs, err := c.InwinstackV1().Securities(namespace).List(metav1.ListOptions{})
+	if err != nil {
+		return err
+	}
+
+	for _, sec := range secs.Items {
+		sec.Spec.SourceAddresses = addrs
+		if _, err := c.InwinstackV1().Securities(namespace).Update(&sec); err != nil {
+			return err
+		}
+	}
+	return nil
+}

pkg/operator/namespace/controller.go

@@ -0,0 +1,101 @@
+/*
+Copyright © 2018 inwinSTACK.inc
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package namespace
+
+import (
+	"reflect"
+	"strings"
+
+	"github.com/golang/glog"
+	clientset "github.com/inwinstack/blended/client/clientset/versioned"
+	opkit "github.com/inwinstack/operator-kit"
+	"github.com/inwinstack/pa-svc-syncker/pkg/config"
+	"github.com/inwinstack/pa-svc-syncker/pkg/constants"
+	"github.com/inwinstack/pa-svc-syncker/pkg/k8sutil"
+	slice "github.com/thoas/go-funk"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/tools/cache"
+)
+
+var Resource = opkit.CustomResource{
+	Name:    "namespace",
+	Plural:  "namespaces",
+	Version: "v1",
+	Kind:    reflect.TypeOf(v1.Namespace{}).Name(),
+}
+
+type NamespaceController struct {
+	ctx    *opkit.Context
+	client clientset.Interface
+	cfg    *config.OperatorConfig
+}
+
+func NewController(ctx *opkit.Context, client clientset.Interface, cfg *config.OperatorConfig) *NamespaceController {
+	return &NamespaceController{ctx: ctx, client: client, cfg: cfg}
+}
+
+func (c *NamespaceController) StartWatch(namespace string, stopCh chan struct{}) error {
+	resourceHandlerFuncs := cache.ResourceEventHandlerFuncs{
+		AddFunc:    c.onAdd,
+		UpdateFunc: c.onUpdate,
+	}
+
+	glog.Info("Start watching service resources.")
+	watcher := opkit.NewWatcher(Resource, namespace, resourceHandlerFuncs, c.ctx.Clientset.CoreV1().RESTClient())
+	go watcher.Watch(&v1.Namespace{}, stopCh)
+	return nil
+}
+
+func (c *NamespaceController) onAdd(obj interface{}) {
+	ns := obj.(*v1.Namespace).DeepCopy()
+	glog.V(2).Infof("Received add on %s namespace.", ns.Name)
+
+	if ns.Status.Phase == v1.NamespaceActive {
+		if err := c.updateSecurityPolicies(ns); err != nil {
+			glog.Errorf("Failed to add sources addresss to all policies on %s namespace.: %+v.", ns.Name, err)
+		}
+	}
+}
+
+func (c *NamespaceController) onUpdate(oldObj, newObj interface{}) {
+	ns := newObj.(*v1.Namespace).DeepCopy()
+	glog.V(2).Infof("Received update on %s namespace.", ns.Name)
+
+	if ns.Status.Phase == v1.NamespaceActive {
+		if err := c.updateSecurityPolicies(ns); err != nil {
+			glog.Errorf("Failed to add sources addresss to all policies on %s namespace.: %+v.", ns.Name, err)
+		}
+	}
+}
+
+func (c *NamespaceController) updateSecurityPolicies(ns *v1.Namespace) error {
+	if slice.Contains(c.cfg.IgnoreNamespaces, ns.Name) {
+		return nil
+	}
+
+	addrs := []string{"any"}
+	if value, ok := ns.Annotations[constants.AnnKeyWhiteListAddresses]; ok {
+		addrString := strings.TrimSpace(value)
+		if len(addrString) > 0 {
+			addrs = strings.Split(addrString, ",")
+		}
+	}
+	if err := k8sutil.UpdateSecuritiesSourceIPs(c.client, ns.Name, addrs); err != nil {
+		return err
+	}
+	return nil
+}

pkg/operator/operator.go

@@ -28,8 +28,9 @@ import (
 	opkit "github.com/inwinstack/operator-kit"
 	"github.com/inwinstack/pa-svc-syncker/pkg/config"
 	"github.com/inwinstack/pa-svc-syncker/pkg/k8sutil"
+	"github.com/inwinstack/pa-svc-syncker/pkg/operator/namespace"
 	"github.com/inwinstack/pa-svc-syncker/pkg/operator/service"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	apiextensionsclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	"k8s.io/client-go/kubernetes"
 )
@@ -41,9 +42,10 @@ const (
 )
 
 type Operator struct {
-	ctx     *opkit.Context
-	conf    *config.OperatorConfig
-	service *service.ServiceController
+	ctx       *opkit.Context
+	conf      *config.OperatorConfig
+	service   *service.ServiceController
+	namespace *namespace.NamespaceController
 }
 
 func NewMainOperator(conf *config.OperatorConfig) *Operator {
@@ -57,6 +59,7 @@ func (o *Operator) Initialize() error {
 	}
 
 	o.service = service.NewController(ctx, clientset, o.conf)
+	o.namespace = namespace.NewController(ctx, clientset, o.conf)
 	o.ctx = ctx
 	return nil
 }
@@ -100,6 +103,7 @@ func (o *Operator) Run() error {
 
 	// start watching the resources
 	o.service.StartWatch(v1.NamespaceAll, stopChan)
+	o.namespace.StartWatch(v1.NamespaceAll, stopChan)
 
 	for {
 		select {

pkg/operator/service/controller.go

@@ -19,6 +19,7 @@ package service
 import (
 	"fmt"
 	"reflect"
+	"strings"
 
 	"github.com/golang/glog"
 	clientset "github.com/inwinstack/blended/client/clientset/versioned"
@@ -28,7 +29,8 @@ import (
 	"github.com/inwinstack/pa-svc-syncker/pkg/k8sutil"
 	"github.com/inwinstack/pa-svc-syncker/pkg/util"
 	slice "github.com/thoas/go-funk"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/client-go/tools/cache"
 )
@@ -177,15 +179,24 @@ func (c *ServiceController) syncNAT(svc *v1.Service, addr string) {
 
 // Sync the PA Security policies
 func (c *ServiceController) syncSecurity(svc *v1.Service, addr string) {
-	name := fmt.Sprintf("k8s-%s", addr)
+	addrs := []string{"any"}
+	ns, _ := c.ctx.Clientset.CoreV1().Namespaces().Get(svc.Namespace, metav1.GetOptions{})
+	if value, ok := ns.Annotations[constants.AnnKeyWhiteListAddresses]; ok {
+		addrString := strings.TrimSpace(value)
+		if len(addrString) > 0 {
+			addrs = strings.Split(addrString, ",")
+		}
+	}
 
+	name := fmt.Sprintf("k8s-%s", addr)
 	secPara := &k8sutil.SecurityParameter{
 		Name:             name,
 		Address:          addr,
 		Log:              c.conf.LogSettingName,
 		Group:            c.conf.GroupName,
 		Services:         c.conf.Services,
 		DestinationZones: c.conf.DestinationZones,
+		SourceAddresses:  addrs,
 	}
 	if err := k8sutil.CreateSecurity(c.client, secPara, svc); err != nil {
 		glog.Warningf("Failed to create and update Security resource: %+v.", err)

pkg/operator/service/controller_test.go

@@ -31,7 +31,7 @@ import (
 	corefake "k8s.io/client-go/kubernetes/fake"
 
 	"github.com/stretchr/testify/assert"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -40,6 +40,19 @@ func TestController(t *testing.T) {
 	coreClient := corefake.NewSimpleClientset()
 	extensionsClient := extensionsfake.NewSimpleClientset()
 
+	ns := &v1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "default",
+			Namespace: "",
+			Annotations: map[string]string{
+				constants.AnnKeyExternalPool:       "internet",
+				constants.AnnKeyWhiteListAddresses: "172.22.132.99, 172.22.131.0/32",
+			},
+		},
+	}
+	_, nserr := coreClient.CoreV1().Namespaces().Create(ns)
+	assert.Nil(t, nserr)
+
 	ip := &inwinv1.IP{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "172.11.22.33",