@highstate/cilium 0.16.0 → 0.18.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/highstate.manifest.json +2 -2
- package/dist/index.js +13 -0
- package/dist/index.js.map +1 -1
- package/package.json +7 -7
- package/src/impl/network-policy.ts +20 -0
package/dist/index.js
CHANGED
|
@@ -56,6 +56,7 @@ var CiliumNetworkPolicy = class _CiliumNetworkPolicy extends ComponentResource {
|
|
|
56
56
|
const ports = port ? [port] : void 0;
|
|
57
57
|
return [
|
|
58
58
|
..._CiliumNetworkPolicy.createAllRules(prefix, rule, ports),
|
|
59
|
+
..._CiliumNetworkPolicy.createClusterPodRules(prefix, rule, ports),
|
|
59
60
|
..._CiliumNetworkPolicy.createCidrRules(prefix, rule, ports),
|
|
60
61
|
..._CiliumNetworkPolicy.createServiceRules(prefix, rule, ports),
|
|
61
62
|
..._CiliumNetworkPolicy.createSelectorRules(prefix, rule, ports),
|
|
@@ -73,6 +74,17 @@ var CiliumNetworkPolicy = class _CiliumNetworkPolicy extends ComponentResource {
|
|
|
73
74
|
}
|
|
74
75
|
];
|
|
75
76
|
}
|
|
77
|
+
static createClusterPodRules(prefix, rule, ports) {
|
|
78
|
+
if (!rule.clusterPods) {
|
|
79
|
+
return [];
|
|
80
|
+
}
|
|
81
|
+
return [
|
|
82
|
+
{
|
|
83
|
+
[`${prefix}Entities`]: ["cluster"],
|
|
84
|
+
toPorts: ports
|
|
85
|
+
}
|
|
86
|
+
];
|
|
87
|
+
}
|
|
76
88
|
static createCidrRules(prefix, rule, ports) {
|
|
77
89
|
if (rule.cidrs.length === 0) {
|
|
78
90
|
return [];
|
|
@@ -136,6 +148,7 @@ var CiliumNetworkPolicy = class _CiliumNetworkPolicy extends ComponentResource {
|
|
|
136
148
|
}
|
|
137
149
|
];
|
|
138
150
|
}
|
|
151
|
+
// TODO: support namespace selectors
|
|
139
152
|
static createNamespaceExpressions(rule) {
|
|
140
153
|
if (rule.namespaces.length === 0) {
|
|
141
154
|
return [];
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/impl/network-policy.ts"],"names":["cilium","selector","rawSelector","rule"],"mappings":";;;;;;;;AAoBA,IAAM,mBAAA,GAAN,MAAM,oBAAA,SAA4B,iBAAA,CAAkB;AAAA;AAAA;AAAA;AAAA,EAIlC,aAAA;AAAA,EAEhB,WAAA,CAAY,IAAA,EAAc,IAAA,EAAmC,IAAA,EAAwB;AACnF,IAAA,KAAA,CAAM,gCAAA,EAAkC,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAExD,IAAA,IAAA,CAAK,aAAA,GAAgB,IAAIA,MAAAA,CAAO,EAAA,CAAG,mBAAA;AAAA,MACjC,IAAA;AAAA,MACA;AAAA,QACE,QAAA,EAAU,WAAA,CAAY,IAAA,EAAM,IAAI,CAAA;AAAA,QAChC,IAAA,EAAM;AAAA,UACJ,aAAa,IAAA,CAAK,WAAA;AAAA,UAClB,kBAAkB,IAAA,CAAK,WAAA;AAAA,UACvB,OAAA,EAAS,oBAAA,CAAoB,kBAAA,CAAmB,IAAI,CAAA;AAAA,UACpD,MAAA,EAAQ,oBAAA,CAAoB,iBAAA,CAAkB,IAAI;AAAA;AACpD,OACF;AAAA,MACA,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,IAAA;AAAK,KAC1B;AAAA,EACF;AAAA,EAEA,OAAe,mBAAmB,IAAA,EAA2C;AAC3E,IAAA,IAAI,KAAK,cAAA,EAAgB;AACvB,MAAA,OAAO,CAAC,EAAE,CAAA;AAAA,IACZ;AAEA,IAAA,OAAO,QAAA;AAAA,MACL,KAAK,YAAA,CAAa,OAAA;AAAA,QAAQ,UACxB,oBAAA,CAAoB,WAAA,CAAY,MAAA,EAAQ,IAAA,EAAM,KAAK,OAAO;AAAA,OAC5D;AAAA,MACA,CAAA,IAAA,KAAQ,IAAA,CAAK,SAAA,CAAU,IAAI;AAAA,KAC7B;AAAA,EACF;AAAA,EAEA,OAAe,kBAAkB,IAAA,EAA2C;AAC1E,IAAA,IAAI,KAAK,aAAA,EAAe;AACtB,MAAA,OAAO,CAAC,EAAE,CAAA;AAAA,IACZ;AAEA,IAAA,MAAM,aAAqB,EAAC;AAE5B,IAAA,IAAI,KAAK,kBAAA,EAAoB;AAC3B,MAAA,UAAA,CAAW,KAAK,EAAE,UAAA,EAAY,CAAC,gBAAgB,GAAG,CAAA;AAAA,IACpD;AAEA,IAAA,OAAO,QAAA;AAAA,MACL,IAAA,CAAK,WAAA,CACF,OAAA,CAAQ,CAAA,IAAA,KAAQ,oBAAA,CAAoB,WAAA,CAAY,IAAA,EAAM,IAAA,EAAM,IAAA,CAAK,OAAO,CAAC,CAAA,CACzE,OAAO,UAAU,CAAA;AAAA,MACpB,CAAA,IAAA,KAAQ,IAAA,CAAK,SAAA,CAAU,IAAI;AAAA,KAC7B;AAAA,EACF;AAAA,EAEA,OAAe,WAAA,CACb,MAAA,EACA,IAAA,EACA,OAAA,EACQ;AACR,IAAA,MAAM,IAAA,GAAO,oBAAA,CAAoB,QAAA,CAAS,IAAA,CAAK,KAAK,CAAA;AACpD,IAAA,MAAM,KAAA,GAAQ,IAAA,GAAO,CAAC,IAAI,CAAA,GAAI,MAAA;AAE9B,IAAA,OAAO;AAAA,MACL,GAAG,oBAAA,CAAoB,cAAA,CAAe,MAAA,EAAQ,MAAM,KAAK,CAAA;AAAA,MACzD,GAAG,oBAAA,CAAoB,eAAA,CAAgB,MAAA,EAAQ,MAAM,KAAK,CAAA;AAAA,MAC1D,GAAG,oBAAA,CAAoB,kBAAA,CAAmB,MAAA,EAAQ,MAAM,KAAK,CAAA;AAAA,MAC7D,GAAG,oBAAA,CAAoB,mBAAA,CAAoB,MAAA,EAAQ,MAAM,KAAK,CAAA;AAAA,MAC9D,GAAI,WAAW,IAAA,GAAO,oBAAA,CAAoB,gBAAgB,IAAA,EAAM,KAAA,EAAO,OAAO,CAAA,GAAI;AAAC,KACrF;AAAA,EACF;AAAA,EAEA,OAAe,cAAA,CACb,MAAA,EACA,IAAA,EACA,KAAA,EACQ;AACR,IAAA,IAAI,CAAC,KAAK,GAAA,EAAK;AACb,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,OAAO;AAAA,MACL;AAAA,QACE,CAAC,CAAA,EAAG,MAAM,CAAA,QAAA,CAAU,GAAG,CAAC,KAAK,CAAA;AAAA,QAC7B,OAAA,EAAS;AAAA;AACX,KACF;AAAA,EACF;AAAA,EAEA,OAAe,eAAA,CACb,MAAA,EACA,IAAA,EACA,KAAA,EACQ;AACR,IAAA,IAAI,IAAA,CAAK,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG;AAC3B,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,OAAO;AAAA,MACL;AAAA,QACE,CAAC,CAAA,EAAG,MAAM,CAAA,IAAA,CAAM,GAAG,IAAA,CAAK,KAAA;AAAA,QACxB,OAAA,EAAS;AAAA;AACX,KACF;AAAA,EACF;AAAA,EAEA,OAAe,eAAA,CACb,IAAA,EACA,KAAA,EACA,OAAA,EACuD;AACvD,IAAA,IAAI,IAAA,CAAK,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG;AAC3B,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,IAAA,KAAQ;AACvC,MAAA,OAAO,IAAA,CAAK,QAAA,CAAS,GAAG,CAAA,GAAI,EAAE,cAAc,IAAA,EAAK,GAAI,EAAE,SAAA,EAAW,IAAA,EAAK;AAAA,IACzE,CAAC,CAAA;AAED,IAAA,OAAO;AAAA,MACL;AAAA,QACE,OAAA,EAAS,SAAA;AAAA,QACT,OAAA,EAAS;AAAA,OACX;AAAA,MACA;AAAA,QACE,WAAA,EAAa;AAAA,UACX;AAAA,YACE,WAAA,EAAa;AAAA,cACX,iCAAA,EAAmC,aAAA;AAAA,cACnC,aAAA,EAAe;AAAA;AACjB;AACF,SACF;AAAA,QACA,OAAA,EAAS;AAAA,UACP;AAAA,YACE,OAAO,CAAC,EAAE,MAAM,IAAA,EAAM,QAAA,EAAU,OAAO,CAAA;AAAA,YACvC,KAAA,EAAO;AAAA,cACL,KACE,KAAA,CAAM,GAAA,CAAI,qBAAA,EAAuB,OAAA,CAAQ,QAAQ,CAAA,IACjD,OAAA,CAAQ,QAAA,CAAS,MAAA,CAAO,+BACpB,CAAC,EAAE,YAAA,EAAc,GAAA,EAAK,CAAA,GACtB;AAAA;AACR;AACF;AACF;AACF,KACF;AAAA,EACF;AAAA,EAEA,OAAe,kBAAA,CACb,MAAA,EACA,IAAA,EACA,KAAA,EACQ;AACR,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,MAAA,KAAW,CAAA,EAAG;AAC9B,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,CAAA,OAAA,KAAW;AAC7C,MAAA,MAAM,QAAA,GAAW,0BAA0B,OAAO,CAAA;AAElD,MAAA,OAAO,MAAA,CAAO,QAAQ,CAAA,CAAE,KAAA,CAAM,CAAAC,SAAAA,MAAa;AAAA,QACzC,WAAA,EAAa;AAAA,UACX,GAAG,QAAQA,SAAAA,CAAS,WAAA,IAAe,EAAC,EAAG,CAAA,GAAA,KAAO,CAAA,IAAA,EAAO,GAAG,CAAA,CAAE,CAAA;AAAA,UAC1D,iCAAA,EAAmC,QAAQ,QAAA,CAAS;AAAA;AACtD,OACF,CAAE,CAAA;AAAA,IACJ,CAAC,CAAA;AAED,IAAA,OAAO;AAAA,MACL;AAAA,QACE,CAAC,CAAA,EAAG,MAAM,CAAA,SAAA,CAAW,GAAG,SAAA;AAAA,QACxB,OAAA,EAAS;AAAA;AACX,KACF;AAAA,EACF;AAAA,EAEA,OAAe,2BACb,IAAA,EACmD;AACnD,IAAA,IAAI,IAAA,CAAK,UAAA,CAAW,MAAA,KAAW,CAAA,EAAG;AAChC,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,OAAO,KAAK,IAAA,CAAK,UAAA,EAAY,GAAA,CAAI,gBAAgB,GAAG,CAAA,KAAA,KAAS;AAAA,MAC3D;AAAA,QACE,GAAA,EAAK,iCAAA;AAAA,QACL,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ;AAAA;AACV,KACD,CAAA;AAAA,EACH;AAAA,EAEA,OAAe,mBAAA,CACb,MAAA,EACA,IAAA,EACA,KAAA,EACwD;AACxD,IAAA,MAAM,oBAAA,GAAuB,oBAAA,CAAoB,0BAAA,CAA2B,IAAI,CAAA;AAEhF,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAA,KAAW,CAAA,EAAG;AAC/B,MAAA,IAAI,oBAAA,CAAqB,WAAW,CAAA,EAAG;AAErC,QAAA,OAAO,EAAC;AAAA,MACV;AAGA,MAAA,OAAO;AAAA,QACL;AAAA,UACE,CAAC,GAAG,MAAM,CAAA,SAAA,CAAW,GAAG,CAAC,EAAE,gBAAA,EAAkB,oBAAA,EAAsB,CAAA;AAAA,UACnE,OAAA,EAAS;AAAA;AACX,OACF;AAAA,IACF;AAGA,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,CAAA,QAAA,KAAY;AAC/C,MAAA,MAAM,WAAA,GAAc,0BAA0B,QAAQ,CAAA;AAEtD,MAAA,OAAO,MAAA,CAAO,WAAW,CAAA,CAAE,KAAA,CAAM,CAAAC,YAAAA,KAAe;AAC9C,QAAA,MAAM,cAAc,GAAA,CAAIA,YAAAA,CAAY,gBAAA,IAAoB,IAAI,CAAA,UAAA,MAAe;AAAA,UACzE,GAAA,EAAK,CAAA,IAAA,EAAO,UAAA,CAAW,GAAG,CAAA,CAAA;AAAA,UAC1B,UAAU,UAAA,CAAW,QAAA;AAAA,UACrB,QAAQ,UAAA,CAAW;AAAA,SACrB,CAAE,CAAA;AAEF,QAAA,OAAO;AAAA,UACL,WAAA,EAAa,QAAQA,YAAAA,CAAY,WAAA,IAAe,EAAC,EAAG,CAAA,GAAA,KAAO,CAAA,IAAA,EAAO,GAAG,CAAA,CAAE,CAAA;AAAA,UACvE,gBAAA,EAAkB,CAAC,GAAG,WAAA,EAAa,GAAG,oBAAoB;AAAA,SAC5D;AAAA,MACF,CAAC,CAAA;AAAA,IACH,CAAC,CAAA;AAED,IAAA,OAAO;AAAA,MACL;AAAA,QACE,CAAC,CAAA,EAAG,MAAM,CAAA,SAAA,CAAW,GAAG,QAAA,CAAS,SAAA,EAAW,CAAAC,KAAAA,KAAQ,IAAA,CAAK,SAAA,CAAUA,KAAI,CAAC,CAAA;AAAA,QACxE,OAAA,EAAS;AAAA;AACX,KACF;AAAA,EACF;AAAA,EAEA,OAAe,SACb,KAAA,EACwE;AACxE,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA,CAAM,GAAA,CAAI,CAAA,IAAA,KAAQ;AACvB,QAAA,IAAI,UAAU,IAAA,EAAM;AAClB,UAAA,OAAO;AAAA,YACL,IAAA,EAAM,IAAA,CAAK,IAAA,CAAK,QAAA,EAAS;AAAA,YACzB,QAAA,EAAU,KAAK,QAAA,IAAY;AAAA,WAC7B;AAAA,QACF;AAEA,QAAA,OAAO;AAAA,UACL,IAAA,EAAM,IAAA,CAAK,KAAA,CAAM,CAAC,EAAE,QAAA,EAAS;AAAA,UAC7B,OAAA,EAAS,IAAA,CAAK,KAAA,CAAM,CAAC,CAAA;AAAA,UACrB,QAAA,EAAU,KAAK,QAAA,IAAY;AAAA,SAC7B;AAAA,MACF,CAAC;AAAA,KACH;AAAA,EACF;AACF,CAAA;AAEmC,qBAAA,CAAsB,SAAA;AAAA,EACvD,6BAAA;AAAA,EACA,CAAC,EAAE,IAAA,EAAM,IAAA,EAAK,KAAM;AAClB,IAAA,OAAO,IAAI,mBAAA,CAAoB,IAAA,EAAM,IAAI,CAAA;AAAA,EAC3C;AACF","file":"index.js","sourcesContent":["import type { types as k8sTypes } from \"@pulumi/kubernetes\"\nimport { cilium, type types } from \"@highstate/cilium-crds\"\nimport { check } from \"@highstate/contract\"\nimport {\n getNamespaceName,\n mapMetadata,\n mapSelectorLikeToSelector,\n mapServiceToLabelSelector,\n type NetworkPolicyPort,\n type NormalizedNetworkPolicyArgs,\n type NormalizedRuleArgs,\n networkPolicyMediator,\n} from \"@highstate/k8s\"\nimport { implementationReferenceSchema, k8s } from \"@highstate/library\"\nimport { ComponentResource, output, type ResourceOptions } from \"@highstate/pulumi\"\nimport { map, mapKeys, pipe, uniqueBy } from \"remeda\"\n\ntype Rule = types.input.cilium.v2.CiliumNetworkPolicySpecIngress &\n types.input.cilium.v2.CiliumNetworkPolicySpecEgress\n\nclass CiliumNetworkPolicy extends ComponentResource {\n /**\n * The underlying Cilium network policy resource.\n */\n public readonly networkPolicy: cilium.v2.CiliumNetworkPolicy\n\n constructor(name: string, args: NormalizedNetworkPolicyArgs, opts?: ResourceOptions) {\n super(\"highstate:cilium:NetworkPolicy\", name, args, opts)\n\n this.networkPolicy = new cilium.v2.CiliumNetworkPolicy(\n name,\n {\n metadata: mapMetadata(args, name),\n spec: {\n description: args.description,\n endpointSelector: args.podSelector,\n ingress: CiliumNetworkPolicy.createIngressRules(args),\n egress: CiliumNetworkPolicy.createEgressRules(args),\n },\n },\n { ...opts, parent: this },\n )\n }\n\n private static createIngressRules(args: NormalizedNetworkPolicyArgs): Rule[] {\n if (args.isolateIngress) {\n return [{}]\n }\n\n return uniqueBy(\n args.ingressRules.flatMap(rule =>\n CiliumNetworkPolicy.createRules(\"from\", rule, args.cluster),\n ),\n rule => JSON.stringify(rule),\n )\n }\n\n private static createEgressRules(args: NormalizedNetworkPolicyArgs): Rule[] {\n if (args.isolateEgress) {\n return [{}]\n }\n\n const extraRules: Rule[] = []\n\n if (args.allowKubeApiServer) {\n extraRules.push({ toEntities: [\"kube-apiserver\"] })\n }\n\n return uniqueBy(\n args.egressRules\n .flatMap(rule => CiliumNetworkPolicy.createRules(\"to\", rule, args.cluster))\n .concat(extraRules),\n rule => JSON.stringify(rule),\n )\n }\n\n private static createRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n cluster: k8s.Cluster,\n ): Rule[] {\n const port = CiliumNetworkPolicy.mapPorts(rule.ports)\n const ports = port ? [port] : undefined\n\n return [\n ...CiliumNetworkPolicy.createAllRules(prefix, rule, ports),\n ...CiliumNetworkPolicy.createCidrRules(prefix, rule, ports),\n ...CiliumNetworkPolicy.createServiceRules(prefix, rule, ports),\n ...CiliumNetworkPolicy.createSelectorRules(prefix, rule, ports),\n ...(prefix === \"to\" ? CiliumNetworkPolicy.createFqdnRules(rule, ports, cluster) : []),\n ]\n }\n\n private static createAllRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): Rule[] {\n if (!rule.all) {\n return []\n }\n\n return [\n {\n [`${prefix}Entities`]: [\"all\"],\n toPorts: ports,\n },\n ]\n }\n\n private static createCidrRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): Rule[] {\n if (rule.cidrs.length === 0) {\n return []\n }\n\n return [\n {\n [`${prefix}CIDR`]: rule.cidrs,\n toPorts: ports,\n },\n ]\n }\n\n private static createFqdnRules(\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n cluster: k8s.Cluster,\n ): types.input.cilium.v2.CiliumNetworkPolicySpecEgress[] {\n if (rule.fqdns.length === 0) {\n return []\n }\n\n const fqdnRules = rule.fqdns.map(fqdn => {\n return fqdn.includes(\"*\") ? { matchPattern: fqdn } : { matchName: fqdn }\n })\n\n return [\n {\n toFQDNs: fqdnRules,\n toPorts: ports,\n },\n {\n toEndpoints: [\n {\n matchLabels: {\n \"k8s:io.kubernetes.pod.namespace\": \"kube-system\",\n \"k8s:k8s-app\": \"kube-dns\",\n },\n },\n ],\n toPorts: [\n {\n ports: [{ port: \"53\", protocol: \"UDP\" }],\n rules: {\n dns:\n check(k8s.ciliumClusterMetadata, cluster.metadata) &&\n cluster.metadata.cilium.allowForbiddenFqdnResolution\n ? [{ matchPattern: \"*\" }]\n : fqdnRules,\n },\n },\n ],\n },\n ]\n }\n\n private static createServiceRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): Rule[] {\n if (rule.services.length === 0) {\n return []\n }\n\n const selectors = rule.services.map(service => {\n const selector = mapServiceToLabelSelector(service)\n\n return output(selector).apply(selector => ({\n matchLabels: {\n ...mapKeys(selector.matchLabels ?? {}, key => `k8s:${key}`),\n \"k8s:io.kubernetes.pod.namespace\": service.metadata.namespace,\n },\n }))\n })\n\n return [\n {\n [`${prefix}Endpoints`]: selectors,\n toPorts: ports,\n },\n ]\n }\n\n private static createNamespaceExpressions(\n rule: NormalizedRuleArgs,\n ): k8sTypes.input.meta.v1.LabelSelectorRequirement[] {\n if (rule.namespaces.length === 0) {\n return []\n }\n\n return pipe(rule.namespaces, map(getNamespaceName), names => [\n {\n key: \"k8s:io.kubernetes.pod.namespace\",\n operator: \"In\",\n values: names,\n },\n ])\n }\n\n private static createSelectorRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): types.input.cilium.v2.CiliumNetworkPolicySpecIngress[] {\n const namespaceExpressions = CiliumNetworkPolicy.createNamespaceExpressions(rule)\n\n if (rule.selectors.length === 0) {\n if (namespaceExpressions.length === 0) {\n // if no selectors and no namespaces are provided, we do not match\n return []\n }\n\n // if no selectors are provided, we only match on namespaces\n return [\n {\n [`${prefix}Endpoints`]: [{ matchExpressions: namespaceExpressions }],\n toPorts: ports,\n },\n ]\n }\n\n // otherwise, we match on selectors and namespaces\n const selectors = rule.selectors.map(selector => {\n const rawSelector = mapSelectorLikeToSelector(selector)\n\n return output(rawSelector).apply(rawSelector => {\n const expressions = map(rawSelector.matchExpressions ?? [], expression => ({\n key: `k8s:${expression.key}`,\n operator: expression.operator,\n values: expression.values,\n }))\n\n return {\n matchLabels: mapKeys(rawSelector.matchLabels ?? {}, key => `k8s:${key}`),\n matchExpressions: [...expressions, ...namespaceExpressions],\n }\n })\n })\n\n return [\n {\n [`${prefix}Endpoints`]: uniqueBy(selectors, rule => JSON.stringify(rule)),\n toPorts: ports,\n },\n ]\n }\n\n private static mapPorts(\n ports: NetworkPolicyPort[],\n ): types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts | undefined {\n if (ports.length === 0) {\n return\n }\n\n return {\n ports: ports.map(port => {\n if (\"port\" in port) {\n return {\n port: port.port.toString(),\n protocol: port.protocol ?? \"TCP\",\n }\n }\n\n return {\n port: port.range[0].toString(),\n endPort: port.range[1],\n protocol: port.protocol ?? \"TCP\",\n }\n }),\n }\n }\n}\n\nexport const createNetworkPolicy = networkPolicyMediator.implement(\n implementationReferenceSchema,\n ({ name, args }) => {\n return new CiliumNetworkPolicy(name, args)\n },\n)\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/impl/network-policy.ts"],"names":["cilium","selector","rawSelector","rule"],"mappings":";;;;;;;;AAoBA,IAAM,mBAAA,GAAN,MAAM,oBAAA,SAA4B,iBAAA,CAAkB;AAAA;AAAA;AAAA;AAAA,EAIlC,aAAA;AAAA,EAEhB,WAAA,CAAY,IAAA,EAAc,IAAA,EAAmC,IAAA,EAAwB;AACnF,IAAA,KAAA,CAAM,gCAAA,EAAkC,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAExD,IAAA,IAAA,CAAK,aAAA,GAAgB,IAAIA,MAAAA,CAAO,EAAA,CAAG,mBAAA;AAAA,MACjC,IAAA;AAAA,MACA;AAAA,QACE,QAAA,EAAU,WAAA,CAAY,IAAA,EAAM,IAAI,CAAA;AAAA,QAChC,IAAA,EAAM;AAAA,UACJ,aAAa,IAAA,CAAK,WAAA;AAAA,UAClB,kBAAkB,IAAA,CAAK,WAAA;AAAA,UACvB,OAAA,EAAS,oBAAA,CAAoB,kBAAA,CAAmB,IAAI,CAAA;AAAA,UACpD,MAAA,EAAQ,oBAAA,CAAoB,iBAAA,CAAkB,IAAI;AAAA;AACpD,OACF;AAAA,MACA,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,IAAA;AAAK,KAC1B;AAAA,EACF;AAAA,EAEA,OAAe,mBAAmB,IAAA,EAA2C;AAC3E,IAAA,IAAI,KAAK,cAAA,EAAgB;AACvB,MAAA,OAAO,CAAC,EAAE,CAAA;AAAA,IACZ;AAEA,IAAA,OAAO,QAAA;AAAA,MACL,KAAK,YAAA,CAAa,OAAA;AAAA,QAAQ,UACxB,oBAAA,CAAoB,WAAA,CAAY,MAAA,EAAQ,IAAA,EAAM,KAAK,OAAO;AAAA,OAC5D;AAAA,MACA,CAAA,IAAA,KAAQ,IAAA,CAAK,SAAA,CAAU,IAAI;AAAA,KAC7B;AAAA,EACF;AAAA,EAEA,OAAe,kBAAkB,IAAA,EAA2C;AAC1E,IAAA,IAAI,KAAK,aAAA,EAAe;AACtB,MAAA,OAAO,CAAC,EAAE,CAAA;AAAA,IACZ;AAEA,IAAA,MAAM,aAAqB,EAAC;AAE5B,IAAA,IAAI,KAAK,kBAAA,EAAoB;AAC3B,MAAA,UAAA,CAAW,KAAK,EAAE,UAAA,EAAY,CAAC,gBAAgB,GAAG,CAAA;AAAA,IACpD;AAEA,IAAA,OAAO,QAAA;AAAA,MACL,IAAA,CAAK,WAAA,CACF,OAAA,CAAQ,CAAA,IAAA,KAAQ,oBAAA,CAAoB,WAAA,CAAY,IAAA,EAAM,IAAA,EAAM,IAAA,CAAK,OAAO,CAAC,CAAA,CACzE,OAAO,UAAU,CAAA;AAAA,MACpB,CAAA,IAAA,KAAQ,IAAA,CAAK,SAAA,CAAU,IAAI;AAAA,KAC7B;AAAA,EACF;AAAA,EAEA,OAAe,WAAA,CACb,MAAA,EACA,IAAA,EACA,OAAA,EACQ;AACR,IAAA,MAAM,IAAA,GAAO,oBAAA,CAAoB,QAAA,CAAS,IAAA,CAAK,KAAK,CAAA;AACpD,IAAA,MAAM,KAAA,GAAQ,IAAA,GAAO,CAAC,IAAI,CAAA,GAAI,MAAA;AAE9B,IAAA,OAAO;AAAA,MACL,GAAG,oBAAA,CAAoB,cAAA,CAAe,MAAA,EAAQ,MAAM,KAAK,CAAA;AAAA,MACzD,GAAG,oBAAA,CAAoB,qBAAA,CAAsB,MAAA,EAAQ,MAAM,KAAK,CAAA;AAAA,MAChE,GAAG,oBAAA,CAAoB,eAAA,CAAgB,MAAA,EAAQ,MAAM,KAAK,CAAA;AAAA,MAC1D,GAAG,oBAAA,CAAoB,kBAAA,CAAmB,MAAA,EAAQ,MAAM,KAAK,CAAA;AAAA,MAC7D,GAAG,oBAAA,CAAoB,mBAAA,CAAoB,MAAA,EAAQ,MAAM,KAAK,CAAA;AAAA,MAC9D,GAAI,WAAW,IAAA,GAAO,oBAAA,CAAoB,gBAAgB,IAAA,EAAM,KAAA,EAAO,OAAO,CAAA,GAAI;AAAC,KACrF;AAAA,EACF;AAAA,EAEA,OAAe,cAAA,CACb,MAAA,EACA,IAAA,EACA,KAAA,EACQ;AACR,IAAA,IAAI,CAAC,KAAK,GAAA,EAAK;AACb,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,OAAO;AAAA,MACL;AAAA,QACE,CAAC,CAAA,EAAG,MAAM,CAAA,QAAA,CAAU,GAAG,CAAC,KAAK,CAAA;AAAA,QAC7B,OAAA,EAAS;AAAA;AACX,KACF;AAAA,EACF;AAAA,EAEA,OAAe,qBAAA,CACb,MAAA,EACA,IAAA,EACA,KAAA,EACQ;AACR,IAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,OAAO;AAAA,MACL;AAAA,QACE,CAAC,CAAA,EAAG,MAAM,CAAA,QAAA,CAAU,GAAG,CAAC,SAAS,CAAA;AAAA,QACjC,OAAA,EAAS;AAAA;AACX,KACF;AAAA,EACF;AAAA,EAEA,OAAe,eAAA,CACb,MAAA,EACA,IAAA,EACA,KAAA,EACQ;AACR,IAAA,IAAI,IAAA,CAAK,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG;AAC3B,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,OAAO;AAAA,MACL;AAAA,QACE,CAAC,CAAA,EAAG,MAAM,CAAA,IAAA,CAAM,GAAG,IAAA,CAAK,KAAA;AAAA,QACxB,OAAA,EAAS;AAAA;AACX,KACF;AAAA,EACF;AAAA,EAEA,OAAe,eAAA,CACb,IAAA,EACA,KAAA,EACA,OAAA,EACuD;AACvD,IAAA,IAAI,IAAA,CAAK,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG;AAC3B,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,IAAA,KAAQ;AACvC,MAAA,OAAO,IAAA,CAAK,QAAA,CAAS,GAAG,CAAA,GAAI,EAAE,cAAc,IAAA,EAAK,GAAI,EAAE,SAAA,EAAW,IAAA,EAAK;AAAA,IACzE,CAAC,CAAA;AAED,IAAA,OAAO;AAAA,MACL;AAAA,QACE,OAAA,EAAS,SAAA;AAAA,QACT,OAAA,EAAS;AAAA,OACX;AAAA,MACA;AAAA,QACE,WAAA,EAAa;AAAA,UACX;AAAA,YACE,WAAA,EAAa;AAAA,cACX,iCAAA,EAAmC,aAAA;AAAA,cACnC,aAAA,EAAe;AAAA;AACjB;AACF,SACF;AAAA,QACA,OAAA,EAAS;AAAA,UACP;AAAA,YACE,OAAO,CAAC,EAAE,MAAM,IAAA,EAAM,QAAA,EAAU,OAAO,CAAA;AAAA,YACvC,KAAA,EAAO;AAAA,cACL,KACE,KAAA,CAAM,GAAA,CAAI,qBAAA,EAAuB,OAAA,CAAQ,QAAQ,CAAA,IACjD,OAAA,CAAQ,QAAA,CAAS,MAAA,CAAO,+BACpB,CAAC,EAAE,YAAA,EAAc,GAAA,EAAK,CAAA,GACtB;AAAA;AACR;AACF;AACF;AACF,KACF;AAAA,EACF;AAAA,EAEA,OAAe,kBAAA,CACb,MAAA,EACA,IAAA,EACA,KAAA,EACQ;AACR,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,MAAA,KAAW,CAAA,EAAG;AAC9B,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,CAAA,OAAA,KAAW;AAC7C,MAAA,MAAM,QAAA,GAAW,0BAA0B,OAAO,CAAA;AAElD,MAAA,OAAO,MAAA,CAAO,QAAQ,CAAA,CAAE,KAAA,CAAM,CAAAC,SAAAA,MAAa;AAAA,QACzC,WAAA,EAAa;AAAA,UACX,GAAG,QAAQA,SAAAA,CAAS,WAAA,IAAe,EAAC,EAAG,CAAA,GAAA,KAAO,CAAA,IAAA,EAAO,GAAG,CAAA,CAAE,CAAA;AAAA,UAC1D,iCAAA,EAAmC,QAAQ,QAAA,CAAS;AAAA;AACtD,OACF,CAAE,CAAA;AAAA,IACJ,CAAC,CAAA;AAED,IAAA,OAAO;AAAA,MACL;AAAA,QACE,CAAC,CAAA,EAAG,MAAM,CAAA,SAAA,CAAW,GAAG,SAAA;AAAA,QACxB,OAAA,EAAS;AAAA;AACX,KACF;AAAA,EACF;AAAA;AAAA,EAIA,OAAe,2BACb,IAAA,EACmD;AACnD,IAAA,IAAI,IAAA,CAAK,UAAA,CAAW,MAAA,KAAW,CAAA,EAAG;AAChC,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,OAAO,KAAK,IAAA,CAAK,UAAA,EAAY,GAAA,CAAI,gBAAgB,GAAG,CAAA,KAAA,KAAS;AAAA,MAC3D;AAAA,QACE,GAAA,EAAK,iCAAA;AAAA,QACL,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ;AAAA;AACV,KACD,CAAA;AAAA,EACH;AAAA,EAEA,OAAe,mBAAA,CACb,MAAA,EACA,IAAA,EACA,KAAA,EACwD;AACxD,IAAA,MAAM,oBAAA,GAAuB,oBAAA,CAAoB,0BAAA,CAA2B,IAAI,CAAA;AAEhF,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAA,KAAW,CAAA,EAAG;AAC/B,MAAA,IAAI,oBAAA,CAAqB,WAAW,CAAA,EAAG;AAErC,QAAA,OAAO,EAAC;AAAA,MACV;AAGA,MAAA,OAAO;AAAA,QACL;AAAA,UACE,CAAC,GAAG,MAAM,CAAA,SAAA,CAAW,GAAG,CAAC,EAAE,gBAAA,EAAkB,oBAAA,EAAsB,CAAA;AAAA,UACnE,OAAA,EAAS;AAAA;AACX,OACF;AAAA,IACF;AAGA,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,CAAA,QAAA,KAAY;AAC/C,MAAA,MAAM,WAAA,GAAc,0BAA0B,QAAQ,CAAA;AAEtD,MAAA,OAAO,MAAA,CAAO,WAAW,CAAA,CAAE,KAAA,CAAM,CAAAC,YAAAA,KAAe;AAC9C,QAAA,MAAM,cAAc,GAAA,CAAIA,YAAAA,CAAY,gBAAA,IAAoB,IAAI,CAAA,UAAA,MAAe;AAAA,UACzE,GAAA,EAAK,CAAA,IAAA,EAAO,UAAA,CAAW,GAAG,CAAA,CAAA;AAAA,UAC1B,UAAU,UAAA,CAAW,QAAA;AAAA,UACrB,QAAQ,UAAA,CAAW;AAAA,SACrB,CAAE,CAAA;AAEF,QAAA,OAAO;AAAA,UACL,WAAA,EAAa,QAAQA,YAAAA,CAAY,WAAA,IAAe,EAAC,EAAG,CAAA,GAAA,KAAO,CAAA,IAAA,EAAO,GAAG,CAAA,CAAE,CAAA;AAAA,UACvE,gBAAA,EAAkB,CAAC,GAAG,WAAA,EAAa,GAAG,oBAAoB;AAAA,SAC5D;AAAA,MACF,CAAC,CAAA;AAAA,IACH,CAAC,CAAA;AAED,IAAA,OAAO;AAAA,MACL;AAAA,QACE,CAAC,CAAA,EAAG,MAAM,CAAA,SAAA,CAAW,GAAG,QAAA,CAAS,SAAA,EAAW,CAAAC,KAAAA,KAAQ,IAAA,CAAK,SAAA,CAAUA,KAAI,CAAC,CAAA;AAAA,QACxE,OAAA,EAAS;AAAA;AACX,KACF;AAAA,EACF;AAAA,EAEA,OAAe,SACb,KAAA,EACwE;AACxE,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA,CAAM,GAAA,CAAI,CAAA,IAAA,KAAQ;AACvB,QAAA,IAAI,UAAU,IAAA,EAAM;AAClB,UAAA,OAAO;AAAA,YACL,IAAA,EAAM,IAAA,CAAK,IAAA,CAAK,QAAA,EAAS;AAAA,YACzB,QAAA,EAAU,KAAK,QAAA,IAAY;AAAA,WAC7B;AAAA,QACF;AAEA,QAAA,OAAO;AAAA,UACL,IAAA,EAAM,IAAA,CAAK,KAAA,CAAM,CAAC,EAAE,QAAA,EAAS;AAAA,UAC7B,OAAA,EAAS,IAAA,CAAK,KAAA,CAAM,CAAC,CAAA;AAAA,UACrB,QAAA,EAAU,KAAK,QAAA,IAAY;AAAA,SAC7B;AAAA,MACF,CAAC;AAAA,KACH;AAAA,EACF;AACF,CAAA;AAEmC,qBAAA,CAAsB,SAAA;AAAA,EACvD,6BAAA;AAAA,EACA,CAAC,EAAE,IAAA,EAAM,IAAA,EAAK,KAAM;AAClB,IAAA,OAAO,IAAI,mBAAA,CAAoB,IAAA,EAAM,IAAI,CAAA;AAAA,EAC3C;AACF","file":"index.js","sourcesContent":["import type { types as k8sTypes } from \"@pulumi/kubernetes\"\nimport { cilium, type types } from \"@highstate/cilium-crds\"\nimport { check } from \"@highstate/contract\"\nimport {\n getNamespaceName,\n mapMetadata,\n mapSelectorLikeToSelector,\n mapServiceToLabelSelector,\n type NetworkPolicyPort,\n type NormalizedNetworkPolicyArgs,\n type NormalizedRuleArgs,\n networkPolicyMediator,\n} from \"@highstate/k8s\"\nimport { implementationReferenceSchema, k8s } from \"@highstate/library\"\nimport { ComponentResource, output, type ResourceOptions } from \"@highstate/pulumi\"\nimport { map, mapKeys, pipe, uniqueBy } from \"remeda\"\n\ntype Rule = types.input.cilium.v2.CiliumNetworkPolicySpecIngress &\n types.input.cilium.v2.CiliumNetworkPolicySpecEgress\n\nclass CiliumNetworkPolicy extends ComponentResource {\n /**\n * The underlying Cilium network policy resource.\n */\n public readonly networkPolicy: cilium.v2.CiliumNetworkPolicy\n\n constructor(name: string, args: NormalizedNetworkPolicyArgs, opts?: ResourceOptions) {\n super(\"highstate:cilium:NetworkPolicy\", name, args, opts)\n\n this.networkPolicy = new cilium.v2.CiliumNetworkPolicy(\n name,\n {\n metadata: mapMetadata(args, name),\n spec: {\n description: args.description,\n endpointSelector: args.podSelector,\n ingress: CiliumNetworkPolicy.createIngressRules(args),\n egress: CiliumNetworkPolicy.createEgressRules(args),\n },\n },\n { ...opts, parent: this },\n )\n }\n\n private static createIngressRules(args: NormalizedNetworkPolicyArgs): Rule[] {\n if (args.isolateIngress) {\n return [{}]\n }\n\n return uniqueBy(\n args.ingressRules.flatMap(rule =>\n CiliumNetworkPolicy.createRules(\"from\", rule, args.cluster),\n ),\n rule => JSON.stringify(rule),\n )\n }\n\n private static createEgressRules(args: NormalizedNetworkPolicyArgs): Rule[] {\n if (args.isolateEgress) {\n return [{}]\n }\n\n const extraRules: Rule[] = []\n\n if (args.allowKubeApiServer) {\n extraRules.push({ toEntities: [\"kube-apiserver\"] })\n }\n\n return uniqueBy(\n args.egressRules\n .flatMap(rule => CiliumNetworkPolicy.createRules(\"to\", rule, args.cluster))\n .concat(extraRules),\n rule => JSON.stringify(rule),\n )\n }\n\n private static createRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n cluster: k8s.Cluster,\n ): Rule[] {\n const port = CiliumNetworkPolicy.mapPorts(rule.ports)\n const ports = port ? [port] : undefined\n\n return [\n ...CiliumNetworkPolicy.createAllRules(prefix, rule, ports),\n ...CiliumNetworkPolicy.createClusterPodRules(prefix, rule, ports),\n ...CiliumNetworkPolicy.createCidrRules(prefix, rule, ports),\n ...CiliumNetworkPolicy.createServiceRules(prefix, rule, ports),\n ...CiliumNetworkPolicy.createSelectorRules(prefix, rule, ports),\n ...(prefix === \"to\" ? CiliumNetworkPolicy.createFqdnRules(rule, ports, cluster) : []),\n ]\n }\n\n private static createAllRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): Rule[] {\n if (!rule.all) {\n return []\n }\n\n return [\n {\n [`${prefix}Entities`]: [\"all\"],\n toPorts: ports,\n },\n ]\n }\n\n private static createClusterPodRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): Rule[] {\n if (!rule.clusterPods) {\n return []\n }\n\n return [\n {\n [`${prefix}Entities`]: [\"cluster\"],\n toPorts: ports,\n },\n ]\n }\n\n private static createCidrRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): Rule[] {\n if (rule.cidrs.length === 0) {\n return []\n }\n\n return [\n {\n [`${prefix}CIDR`]: rule.cidrs,\n toPorts: ports,\n },\n ]\n }\n\n private static createFqdnRules(\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n cluster: k8s.Cluster,\n ): types.input.cilium.v2.CiliumNetworkPolicySpecEgress[] {\n if (rule.fqdns.length === 0) {\n return []\n }\n\n const fqdnRules = rule.fqdns.map(fqdn => {\n return fqdn.includes(\"*\") ? { matchPattern: fqdn } : { matchName: fqdn }\n })\n\n return [\n {\n toFQDNs: fqdnRules,\n toPorts: ports,\n },\n {\n toEndpoints: [\n {\n matchLabels: {\n \"k8s:io.kubernetes.pod.namespace\": \"kube-system\",\n \"k8s:k8s-app\": \"kube-dns\",\n },\n },\n ],\n toPorts: [\n {\n ports: [{ port: \"53\", protocol: \"UDP\" }],\n rules: {\n dns:\n check(k8s.ciliumClusterMetadata, cluster.metadata) &&\n cluster.metadata.cilium.allowForbiddenFqdnResolution\n ? [{ matchPattern: \"*\" }]\n : fqdnRules,\n },\n },\n ],\n },\n ]\n }\n\n private static createServiceRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): Rule[] {\n if (rule.services.length === 0) {\n return []\n }\n\n const selectors = rule.services.map(service => {\n const selector = mapServiceToLabelSelector(service)\n\n return output(selector).apply(selector => ({\n matchLabels: {\n ...mapKeys(selector.matchLabels ?? {}, key => `k8s:${key}`),\n \"k8s:io.kubernetes.pod.namespace\": service.metadata.namespace,\n },\n }))\n })\n\n return [\n {\n [`${prefix}Endpoints`]: selectors,\n toPorts: ports,\n },\n ]\n }\n\n // TODO: support namespace selectors\n\n private static createNamespaceExpressions(\n rule: NormalizedRuleArgs,\n ): k8sTypes.input.meta.v1.LabelSelectorRequirement[] {\n if (rule.namespaces.length === 0) {\n return []\n }\n\n return pipe(rule.namespaces, map(getNamespaceName), names => [\n {\n key: \"k8s:io.kubernetes.pod.namespace\",\n operator: \"In\",\n values: names,\n },\n ])\n }\n\n private static createSelectorRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): types.input.cilium.v2.CiliumNetworkPolicySpecIngress[] {\n const namespaceExpressions = CiliumNetworkPolicy.createNamespaceExpressions(rule)\n\n if (rule.selectors.length === 0) {\n if (namespaceExpressions.length === 0) {\n // if no selectors and no namespaces are provided, we do not match\n return []\n }\n\n // if no selectors are provided, we only match on namespaces\n return [\n {\n [`${prefix}Endpoints`]: [{ matchExpressions: namespaceExpressions }],\n toPorts: ports,\n },\n ]\n }\n\n // otherwise, we match on selectors and namespaces\n const selectors = rule.selectors.map(selector => {\n const rawSelector = mapSelectorLikeToSelector(selector)\n\n return output(rawSelector).apply(rawSelector => {\n const expressions = map(rawSelector.matchExpressions ?? [], expression => ({\n key: `k8s:${expression.key}`,\n operator: expression.operator,\n values: expression.values,\n }))\n\n return {\n matchLabels: mapKeys(rawSelector.matchLabels ?? {}, key => `k8s:${key}`),\n matchExpressions: [...expressions, ...namespaceExpressions],\n }\n })\n })\n\n return [\n {\n [`${prefix}Endpoints`]: uniqueBy(selectors, rule => JSON.stringify(rule)),\n toPorts: ports,\n },\n ]\n }\n\n private static mapPorts(\n ports: NetworkPolicyPort[],\n ): types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts | undefined {\n if (ports.length === 0) {\n return\n }\n\n return {\n ports: ports.map(port => {\n if (\"port\" in port) {\n return {\n port: port.port.toString(),\n protocol: port.protocol ?? \"TCP\",\n }\n }\n\n return {\n port: port.range[0].toString(),\n endPort: port.range[1],\n protocol: port.protocol ?? \"TCP\",\n }\n }),\n }\n }\n}\n\nexport const createNetworkPolicy = networkPolicyMediator.implement(\n implementationReferenceSchema,\n ({ name, args }) => {\n return new CiliumNetworkPolicy(name, args)\n },\n)\n"]}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@highstate/cilium",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.18.0",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"files": [
|
|
6
6
|
"dist",
|
|
@@ -27,17 +27,17 @@
|
|
|
27
27
|
"@pulumi/kubernetes": "^4.18.0",
|
|
28
28
|
"@pulumi/pulumi": "3.198.0",
|
|
29
29
|
"remeda": "^2.21.0",
|
|
30
|
+
"@highstate/common": "0.18.0",
|
|
31
|
+
"@highstate/contract": "0.18.0",
|
|
32
|
+
"@highstate/k8s": "0.18.0",
|
|
30
33
|
"@highstate/cilium-crds": "0.14.0",
|
|
31
|
-
"@highstate/
|
|
32
|
-
"@highstate/
|
|
33
|
-
"@highstate/contract": "0.17.0",
|
|
34
|
-
"@highstate/library": "0.16.0",
|
|
35
|
-
"@highstate/pulumi": "0.17.0"
|
|
34
|
+
"@highstate/library": "0.18.0",
|
|
35
|
+
"@highstate/pulumi": "0.18.0"
|
|
36
36
|
},
|
|
37
37
|
"devDependencies": {
|
|
38
38
|
"@biomejs/biome": "2.2.0",
|
|
39
39
|
"@typescript/native-preview": "^7.0.0-dev.20250920.1",
|
|
40
|
-
"@highstate/cli": "0.
|
|
40
|
+
"@highstate/cli": "0.18.0"
|
|
41
41
|
},
|
|
42
42
|
"repository": {
|
|
43
43
|
"url": "https://github.com/highstate-io/highstate"
|
|
@@ -84,6 +84,7 @@ class CiliumNetworkPolicy extends ComponentResource {
|
|
|
84
84
|
|
|
85
85
|
return [
|
|
86
86
|
...CiliumNetworkPolicy.createAllRules(prefix, rule, ports),
|
|
87
|
+
...CiliumNetworkPolicy.createClusterPodRules(prefix, rule, ports),
|
|
87
88
|
...CiliumNetworkPolicy.createCidrRules(prefix, rule, ports),
|
|
88
89
|
...CiliumNetworkPolicy.createServiceRules(prefix, rule, ports),
|
|
89
90
|
...CiliumNetworkPolicy.createSelectorRules(prefix, rule, ports),
|
|
@@ -108,6 +109,23 @@ class CiliumNetworkPolicy extends ComponentResource {
|
|
|
108
109
|
]
|
|
109
110
|
}
|
|
110
111
|
|
|
112
|
+
private static createClusterPodRules(
|
|
113
|
+
prefix: "from" | "to",
|
|
114
|
+
rule: NormalizedRuleArgs,
|
|
115
|
+
ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,
|
|
116
|
+
): Rule[] {
|
|
117
|
+
if (!rule.clusterPods) {
|
|
118
|
+
return []
|
|
119
|
+
}
|
|
120
|
+
|
|
121
|
+
return [
|
|
122
|
+
{
|
|
123
|
+
[`${prefix}Entities`]: ["cluster"],
|
|
124
|
+
toPorts: ports,
|
|
125
|
+
},
|
|
126
|
+
]
|
|
127
|
+
}
|
|
128
|
+
|
|
111
129
|
private static createCidrRules(
|
|
112
130
|
prefix: "from" | "to",
|
|
113
131
|
rule: NormalizedRuleArgs,
|
|
@@ -196,6 +214,8 @@ class CiliumNetworkPolicy extends ComponentResource {
|
|
|
196
214
|
]
|
|
197
215
|
}
|
|
198
216
|
|
|
217
|
+
// TODO: support namespace selectors
|
|
218
|
+
|
|
199
219
|
private static createNamespaceExpressions(
|
|
200
220
|
rule: NormalizedRuleArgs,
|
|
201
221
|
): k8sTypes.input.meta.v1.LabelSelectorRequirement[] {
|