
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-05-19 10:33:21 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-05-19 10:33:21 +0300
commit36a59d088eca61b834191dacea009677a96c052f (patch)
treee4f33972dab5d8ef79e3944a9f403035fceea43f /lib/gitlab/kubernetes
parenta1761f15ec2cae7c7f7bbda39a75494add0dfd6f (diff)
Add latest changes from gitlab-org/gitlab@15-0-stable-eev15.0.0-rc42
Diffstat (limited to 'lib/gitlab/kubernetes')
-rw-r--r--lib/gitlab/kubernetes/cilium_network_policy.rb141
-rw-r--r--lib/gitlab/kubernetes/kube_client.rb18
-rw-r--r--lib/gitlab/kubernetes/network_policy.rb98
-rw-r--r--lib/gitlab/kubernetes/network_policy_common.rb63
4 files changed, 0 insertions, 320 deletions
diff --git a/lib/gitlab/kubernetes/cilium_network_policy.rb b/lib/gitlab/kubernetes/cilium_network_policy.rb
deleted file mode 100644
index 8a31e068c30..00000000000
--- a/lib/gitlab/kubernetes/cilium_network_policy.rb
+++ /dev/null
@@ -1,141 +0,0 @@
-# frozen_string_literal: true
-
-module Gitlab
- module Kubernetes
- class CiliumNetworkPolicy
- include NetworkPolicyCommon
- extend ::Gitlab::Utils::Override
-
- API_VERSION = "cilium.io/v2"
- KIND = 'CiliumNetworkPolicy'
-
- PREDEFINED_POLICIES = {
- 'allow-inbound-http' => <<~YAML.rstrip,
- apiVersion: cilium.io/v2
- kind: CiliumNetworkPolicy
- metadata:
- name: allow-inbound-http
- spec:
- endpointSelector:
- matchLabels:
- network-policy.gitlab.com/disabled_by: gitlab
- ingress:
- - toPorts:
- - ports:
- - port: '80'
- - port: '443'
- YAML
- 'drop-outbound' => <<~YAML.rstrip
- apiVersion: cilium.io/v2
- kind: CiliumNetworkPolicy
- metadata:
- name: drop-outbound
- spec:
- endpointSelector:
- matchLabels:
- network-policy.gitlab.com/disabled_by: gitlab
- egress:
- - {}
- YAML
- }.freeze
-
- # We are modeling existing kubernetes resource and don't have
- # control over amount of parameters.
- # rubocop:disable Metrics/ParameterLists
- def initialize(name:, namespace:, selector:, ingress:, resource_version: nil, description: nil, labels: nil, creation_timestamp: nil, egress: nil, annotations: nil, environment_ids: [])
- @name = name
- @description = description
- @namespace = namespace
- @labels = labels
- @creation_timestamp = creation_timestamp
- @selector = selector
- @resource_version = resource_version
- @ingress = ingress
- @egress = egress
- @annotations = annotations
- @environment_ids = environment_ids
- end
- # rubocop:enable Metrics/ParameterLists
-
- def self.from_yaml(manifest)
- return unless manifest
-
- policy = YAML.safe_load(manifest, symbolize_names: true)
- return if !policy[:metadata] || !policy[:spec]
-
- metadata = policy[:metadata]
- spec = policy[:spec]
- self.new(
- name: metadata[:name],
- description: policy[:description],
- namespace: metadata[:namespace],
- annotations: metadata[:annotations],
- resource_version: metadata[:resourceVersion],
- labels: metadata[:labels],
- selector: spec[:endpointSelector],
- ingress: spec[:ingress],
- egress: spec[:egress]
- )
- rescue Psych::SyntaxError, Psych::DisallowedClass
- nil
- end
-
- def self.from_resource(resource, environment_ids = [])
- return unless resource
- return if !resource[:metadata] || !resource[:spec]
-
- metadata = resource[:metadata]
- spec = resource[:spec].to_h
- self.new(
- name: metadata[:name],
- description: resource[:description],
- namespace: metadata[:namespace],
- annotations: metadata[:annotations]&.to_h,
- resource_version: metadata[:resourceVersion],
- labels: metadata[:labels]&.to_h,
- creation_timestamp: metadata[:creationTimestamp],
- selector: spec[:endpointSelector],
- ingress: spec[:ingress],
- egress: spec[:egress],
- environment_ids: environment_ids
- )
- end
-
- override :resource
- def resource
- resource = {
- apiVersion: API_VERSION,
- kind: KIND,
- metadata: metadata,
- spec: spec
- }
- resource[:description] = description if description
- resource
- end
-
- private
-
- attr_reader :name, :description, :namespace, :labels, :creation_timestamp, :resource_version, :ingress, :egress, :annotations, :environment_ids
-
- def selector
- @selector ||= {}
- end
-
- def metadata
- meta = { name: name, namespace: namespace }
- meta[:labels] = labels if labels
- meta[:resourceVersion] = resource_version if resource_version
- meta[:annotations] = annotations if annotations
- meta
- end
-
- def spec
- {
- endpointSelector: selector,
- ingress: ingress,
- egress: egress
- }.compact
- end
- end
- end
-end
diff --git a/lib/gitlab/kubernetes/kube_client.rb b/lib/gitlab/kubernetes/kube_client.rb
index 6caebf445e5..cd03e332175 100644
--- a/lib/gitlab/kubernetes/kube_client.rb
+++ b/lib/gitlab/kubernetes/kube_client.rb
@@ -81,24 +81,6 @@ module Gitlab
:update_gateway,
to: :istio_client
- # NetworkPolicy methods delegate to the apis/networking.k8s.io api
- # group client
- delegate :create_network_policy,
- :get_network_policies,
- :get_network_policy,
- :update_network_policy,
- :delete_network_policy,
- to: :networking_client
-
- # CiliumNetworkPolicy methods delegate to the apis/cilium.io api
- # group client
- delegate :create_cilium_network_policy,
- :get_cilium_network_policies,
- :get_cilium_network_policy,
- :update_cilium_network_policy,
- :delete_cilium_network_policy,
- to: :cilium_networking_client
-
attr_reader :api_prefix, :kubeclient_options
DEFAULT_KUBECLIENT_OPTIONS = {
diff --git a/lib/gitlab/kubernetes/network_policy.rb b/lib/gitlab/kubernetes/network_policy.rb
deleted file mode 100644
index e6111db5b17..00000000000
--- a/lib/gitlab/kubernetes/network_policy.rb
+++ /dev/null
@@ -1,98 +0,0 @@
-# frozen_string_literal: true
-
-module Gitlab
- module Kubernetes
- class NetworkPolicy
- include NetworkPolicyCommon
- extend ::Gitlab::Utils::Override
-
- KIND = 'NetworkPolicy'
-
- # rubocop:disable Metrics/ParameterLists
- def initialize(name:, namespace:, selector:, ingress:, labels: nil, creation_timestamp: nil, policy_types: ["Ingress"], egress: nil, environment_ids: [])
- @name = name
- @namespace = namespace
- @labels = labels
- @creation_timestamp = creation_timestamp
- @selector = selector
- @policy_types = policy_types
- @ingress = ingress
- @egress = egress
- @environment_ids = environment_ids
- end
- # rubocop:enable Metrics/ParameterLists
-
- def self.from_yaml(manifest)
- return unless manifest
-
- policy = YAML.safe_load(manifest, symbolize_names: true)
- return if !policy[:metadata] || !policy[:spec]
-
- metadata = policy[:metadata]
- spec = policy[:spec]
- self.new(
- name: metadata[:name],
- namespace: metadata[:namespace],
- labels: metadata[:labels],
- selector: spec[:podSelector],
- policy_types: spec[:policyTypes],
- ingress: spec[:ingress],
- egress: spec[:egress]
- )
- rescue Psych::SyntaxError, Psych::DisallowedClass
- nil
- end
-
- def self.from_resource(resource, environment_ids = [])
- return unless resource
- return if !resource[:metadata] || !resource[:spec]
-
- metadata = resource[:metadata]
- spec = resource[:spec].to_h
- self.new(
- name: metadata[:name],
- namespace: metadata[:namespace],
- labels: metadata[:labels]&.to_h,
- creation_timestamp: metadata[:creationTimestamp],
- selector: spec[:podSelector],
- policy_types: spec[:policyTypes],
- ingress: spec[:ingress],
- egress: spec[:egress],
- environment_ids: environment_ids
- )
- end
-
- override :resource
- def resource
- {
- kind: KIND,
- metadata: metadata,
- spec: spec
- }
- end
-
- private
-
- attr_reader :name, :namespace, :labels, :creation_timestamp, :policy_types, :ingress, :egress, :environment_ids
-
- def selector
- @selector ||= {}
- end
-
- def metadata
- meta = { name: name, namespace: namespace }
- meta[:labels] = labels if labels
- meta
- end
-
- def spec
- {
- podSelector: selector,
- policyTypes: policy_types,
- ingress: ingress,
- egress: egress
- }
- end
- end
- end
-end
diff --git a/lib/gitlab/kubernetes/network_policy_common.rb b/lib/gitlab/kubernetes/network_policy_common.rb
deleted file mode 100644
index de91833b734..00000000000
--- a/lib/gitlab/kubernetes/network_policy_common.rb
+++ /dev/null
@@ -1,63 +0,0 @@
-# frozen_string_literal: true
-
-module Gitlab
- module Kubernetes
- module NetworkPolicyCommon
- DISABLED_BY_LABEL = :'network-policy.gitlab.com/disabled_by'
-
- def generate
- ::Kubeclient::Resource.new(resource)
- end
-
- def as_json(opts = nil)
- {
- name: name,
- namespace: namespace,
- creation_timestamp: creation_timestamp,
- manifest: manifest,
- is_autodevops: autodevops?,
- is_enabled: enabled?,
- environment_ids: environment_ids
- }
- end
-
- def autodevops?
- return false unless labels
-
- !labels[:chart].nil? && labels[:chart].start_with?('auto-deploy-app-')
- end
-
- # selector selects pods that should be targeted by this
- # policy. It can represent podSelector, nodeSelector or
- # endpointSelector We can narrow selection by requiring
- # this policy to match our custom labels. Since DISABLED_BY
- # label will not be on any pod a policy will be effectively disabled.
- def enabled?
- return true unless selector&.key?(:matchLabels)
-
- !selector[:matchLabels]&.key?(DISABLED_BY_LABEL)
- end
-
- def enable
- return if enabled?
-
- selector[:matchLabels].delete(DISABLED_BY_LABEL)
- end
-
- def disable
- selector[:matchLabels] ||= {}
- selector[:matchLabels].merge!(DISABLED_BY_LABEL => 'gitlab')
- end
-
- private
-
- def resource
- raise NotImplementedError
- end
-
- def manifest
- YAML.dump(resource.deep_stringify_keys)
- end
- end
- end
-end