@highstate/k8s 0.7.2 → 0.7.4

package/src/network-policy.ts

@@ -0,0 +1,732 @@
+import { networking, types, type core } from "@pulumi/kubernetes"
+import {
+  ComponentResource,
+  normalize,
+  output,
+  type Input,
+  type InputArray,
+  type Output,
+  type Resource,
+  type ResourceOptions,
+  type Unwrap,
+} from "@highstate/pulumi"
+import { capitalize, flat, merge, mergeDeep } from "remeda"
+import { parseDomain, ParseResultType, type ParseResultIp } from "parse-domain"
+import { k8s } from "@highstate/library"
+import {
+  mapMetadata,
+  mapNamespaceLikeToNamespaceName,
+  mapNamespaceNameToSelector,
+  mapSelectorLikeToSelector,
+  type CommonArgs,
+  type NamespaceLike,
+  type SelectorLike,
+} from "./shared"
+import { mapServiceToLabelSelector } from "./service"
+
+export type NetworkPolicyPort = {
+  /**
+   * The protocol to match.
+   *
+   * If not provided, "TCP" will be used.
+   */
+  protocol?: string
+} & (
+  | {
+      /**
+       * The single port to match.
+       */
+      port: number
+    }
+  | {
+      /**
+       * The range of ports to match.
+       */
+      range: [start: number, end: number]
+    }
+)
+
+export type IngressRuleArgs = {
+  /**
+   * Whether to allow all incoming traffic.
+   *
+   * If set to `true`, all other rules will be ignored for matched traffic.
+   */
+  fromAll?: Input<boolean>
+
+  /**
+   * The allowed cidr for incoming traffic.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   */
+  fromCidr?: Input<string>
+
+  /**
+   * The list of allowed cidrs for incoming traffic.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   */
+  fromCidrs?: InputArray<string>
+
+  /**
+   * The service to allow traffic from.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   */
+  fromService?: Input<core.v1.Service>
+
+  /**
+   * The list of allowed services for incoming traffic.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   */
+  fromServices?: InputArray<core.v1.Service>
+
+  /**
+   * The namespace to allow traffic from.
+   *
+   * If provided with `fromSelector(s)`, it will be ANDed with them.
+   * Otherwise, it will match all pods in the namespace.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports and selectors).
+   */
+  fromNamespace?: Input<NamespaceLike>
+
+  /**
+   * The list of allowed namespaces for incoming traffic.
+   *
+   * If provided with `fromSelector(s)`, it will be ANDed with them.
+   * Otherwise, it will match all pods in the namespaces.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports and selectors).
+   */
+  fromNamespaces?: InputArray<NamespaceLike>
+
+  /**
+   * The selector for incoming traffic.
+   *
+   * If provided with `fromNamespace(s)`, it will be ANDed with them.
+   * Otherwise, it will match pods in all namespaces.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports and namespaces).
+   */
+  fromSelector?: Input<SelectorLike>
+
+  /**
+   * The list of selectors for incoming traffic.
+   *
+   * If provided with `fromNamespace(s)`, it will be ANDed with them.
+   * Otherwise, it will match pods in all namespaces.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports and namespaces).
+   */
+  fromSelectors?: InputArray<SelectorLike>
+
+  /**
+   * The port to allow incoming traffic on.
+   *
+   * Will be ANDed with all conditions inside the same rule.
+   */
+  toPort?: Input<NetworkPolicyPort>
+
+  /**
+   * The list of allowed ports for incoming traffic.
+   *
+   * Will be ANDed with all conditions inside the same rule.
+   */
+  toPorts?: InputArray<NetworkPolicyPort>
+}
+
+export type EgressRuleArgs = {
+  /**
+   * Whether to allow all outgoing traffic.
+   *
+   * If set to `true`, all other rules will be ignored for matched traffic.
+   */
+  toAll?: Input<boolean>
+
+  /**
+   * The allowed cidr for outgoing traffic.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   */
+  toCidr?: Input<string>
+
+  /**
+   * The list of allowed cidrs for outgoing traffic.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   */
+  toCidrs?: InputArray<string>
+
+  /**
+   * The FQDN to allow outgoing traffic.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   */
+  toFqdn?: Input<string>
+
+  /**
+   * The list of allowed FQDNs for outgoing traffic.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   */
+  toFqdns?: InputArray<string>
+
+  /**
+   * Either the FQDN or the IP address of the endpoint to allow outgoing traffic.
+   *
+   * Just a syntactic sugar for `toFqdn` and `toCidr` for cases when the endpoint can be both.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   */
+  toEndpoint?: Input<string>
+
+  /**
+   * The list of allowed endpoints for outgoing traffic.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   */
+  toEndpoints?: InputArray<string>
+
+  /**
+   * The service to allow traffic to.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   */
+  toService?: Input<core.v1.Service>
+
+  /**
+   * The list of allowed services for outgoing traffic.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   */
+  toServices?: InputArray<core.v1.Service>
+
+  /**
+   * The namespace to allow traffic to.
+   *
+   * If provided with `toSelector(s)`, it will be ANDed with them.
+   * Otherwise, it will match all pods in the namespace.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports and selectors).
+   */
+  toNamespace?: Input<NamespaceLike>
+
+  /**
+   * The list of allowed namespaces for outgoing traffic.
+   *
+   * If provided with `toSelector(s)`, it will be ANDed with them.
+   * Otherwise, it will match all pods in the namespaces.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports and selectors).
+   */
+  toNamespaces?: InputArray<NamespaceLike>
+
+  /**
+   * The selector for outgoing traffic.
+   *
+   * If provided with `toNamespace(s)`, it will be ANDe with them.
+   *
+   * Otherwise, it will match pods only in all namespaces.
+   */
+  toSelector?: Input<SelectorLike>
+
+  /**
+   * The list of selectors for outgoing traffic.
+   *
+   * If provided with `toNamespace(s)`, it will be ANDed with them.
+   * Otherwise, it will match pods only in all namespaces.
+   */
+  toSelectors?: InputArray<SelectorLike>
+
+  /**
+   * The port to allow outgoing traffic on.
+   *
+   * Will be ANDed with all conditions inside the same rule.
+   */
+  toPort?: Input<NetworkPolicyPort>
+
+  /**
+   * The list of allowed ports for outgoing traffic.
+   *
+   * Will be ANDed with all conditions inside the same rule.
+   */
+  toPorts?: InputArray<NetworkPolicyPort>
+}
+
+export type NetworkPolicyArgs = CommonArgs & {
+  /**
+   * The description of this network policy.
+   */
+  description?: Input<string>
+
+  /**
+   * The pod selector for this network policy.
+   * If not provided, it will select all pods in the namespace.
+   */
+  selector?: SelectorLike
+
+  /**
+   * The rule for incoming traffic.
+   */
+  ingressRule?: Input<IngressRuleArgs>
+
+  /**
+   * The rules for incoming traffic.
+   */
+  ingressRules?: InputArray<IngressRuleArgs>
+
+  /**
+   * The rule for outgoing traffic.
+   */
+  egressRule?: Input<EgressRuleArgs>
+
+  /**
+   * The rules for outgoing traffic.
+   */
+  egressRules?: InputArray<EgressRuleArgs>
+
+  /**
+   * Enable the isolation of ingress traffic, so that only matched traffic can ingress.
+   */
+  isolateIngress?: Input<boolean>
+
+  /**
+   * Enable the isolation of egress traffic, so that only matched traffic can egress.
+   */
+  isolateEgress?: Input<boolean>
+
+  /**
+   * Allow the eggress traffic to the API server of the cluster.
+   *
+   * By default, `false`.
+   */
+  allowKubeApiServer?: Input<boolean>
+
+  /**
+   * Allow the eggress traffic to the DNS server of the cluster.
+   *
+   * By default, `false`.
+   */
+  allowKubeDns?: Input<boolean>
+}
+
+export type FullNetworkPolicyArgs = NetworkPolicyArgs & {
+  /**
+   * The name of the CNI plugin to use for creating network policies.
+   * If not provided or set to `unknown`, it will use the native `NetworkPolicy` resource.
+   */
+  cni?: Input<string | undefined>
+}
+
+export type NormalizedRuleArgs = {
+  all: boolean
+  cidrs: string[]
+  fqdns: string[]
+  services: core.v1.Service[]
+  namespaces: NamespaceLike[]
+  selectors: SelectorLike[]
+  ports: NetworkPolicyPort[]
+}
+
+export type NormalizedNetworkPolicyArgs = Omit<
+  Unwrap<NetworkPolicyArgs>,
+  | "podSelector"
+  | "ingressRule"
+  | "ingressRules"
+  | "egressRule"
+  | "egressRules"
+  | "isolateIngress"
+  | "isolateEgress"
+  | "allowKubeApiServer"
+  | "allowKubeDNS"
+> & {
+  podSelector: Unwrap<types.input.meta.v1.LabelSelector>
+
+  isolateIngress: boolean
+  isolateEgress: boolean
+
+  allowKubeApiServer: boolean
+
+  ingressRules: NormalizedRuleArgs[]
+  egressRules: NormalizedRuleArgs[]
+}
+
+/**
+ * The abstract resource for creating network policies.
+ * Will use different resources depending on the environment.
+ *
+ * Note: In the worst case, it will create native `NetworkPolicy` resources and ignore some features like L7 rules.
+ */
+export abstract class NetworkPolicy extends ComponentResource {
+  /**
+   * The underlying network policy resource.
+   */
+  public readonly networkPolicy: Output<Resource>
+
+  protected constructor(name: string, args: Unwrap<NetworkPolicyArgs>, opts?: ResourceOptions) {
+    super("k8s:network-policy", name, args, opts)
+
+    const normalizedArgs = output(args).apply(args => {
+      const ingressRules = normalize(args.ingressRule, args.ingressRules)
+      const egressRules = normalize(args.egressRule, args.egressRules)
+
+      const endpoints = normalize(args.egressRule?.toEndpoint, args.egressRule?.toEndpoints)
+      const parsedEndpoints = endpoints.map(endpoint => parseDomain(endpoint))
+
+      const cidrsFromEndpoints = parsedEndpoints
+        .filter(result => result.type === ParseResultType.Ip)
+        .map(result => NetworkPolicy.mapCidrFromEndpoint(result))
+
+      const fqdnsFromEndpoints = parsedEndpoints
+        .filter(result => result.type !== ParseResultType.Invalid)
+        .map(result => result.hostname)
+
+      const extraEgressRules: NormalizedRuleArgs[] = []
+
+      if (args.allowKubeDns) {
+        extraEgressRules.push({
+          namespaces: ["kube-system"],
+          selectors: [{ matchLabels: { "k8s-app": "kube-dns" } }],
+          ports: [{ port: 53, protocol: "UDP" }],
+          all: false,
+          cidrs: [],
+          fqdns: [],
+          services: [],
+        })
+      }
+
+      return {
+        ...args,
+
+        podSelector: args.selector ? mapSelectorLikeToSelector(args.selector) : {},
+
+        isolateEgress: args.isolateEgress ?? false,
+        isolateIngress: args.isolateIngress ?? false,
+
+        allowKubeApiServer: args.allowKubeApiServer ?? false,
+
+        ingressRules: ingressRules.map(rule => ({
+          all: rule.fromAll ?? false,
+          cidrs: normalize(rule.fromCidr, rule.fromCidrs),
+          fqdns: [],
+          services: normalize(rule.fromService, rule.fromServices),
+          namespaces: normalize(rule.fromNamespace, rule.fromNamespaces),
+          selectors: normalize(rule.fromSelector, rule.fromSelectors),
+          ports: normalize(rule.toPort, rule.toPorts),
+        })),
+
+        egressRules: egressRules
+          .map(rule => {
+            return {
+              all: rule.toAll ?? false,
+              cidrs: normalize(rule.toCidr, rule.toCidrs).concat(cidrsFromEndpoints),
+              fqdns: normalize(rule.toFqdn, rule.toFqdns).concat(fqdnsFromEndpoints),
+              services: normalize(rule.toService, rule.toServices),
+              namespaces: normalize(rule.toNamespace, rule.toNamespaces),
+              selectors: normalize(rule.toSelector, rule.toSelectors),
+              ports: normalize(rule.toPort, rule.toPorts),
+            } as NormalizedRuleArgs
+          })
+          .concat(extraEgressRules),
+      }
+    })
+
+    this.networkPolicy = normalizedArgs.apply(args => {
+      return output(
+        this.create(name, args as NormalizedNetworkPolicyArgs, { ...opts, parent: this }),
+      )
+    })
+
+    this.registerOutputs({ networkPolicy: this.networkPolicy })
+  }
+
+  private static mapCidrFromEndpoint(result: ParseResultIp): string {
+    if (result.ipVersion === 4) {
+      return `${result.hostname}/32`
+    }
+
+    return `${result.hostname}/128`
+  }
+
+  protected abstract create(
+    name: string,
+    args: NormalizedNetworkPolicyArgs,
+    opts?: ResourceOptions,
+  ): Input<Resource>
+
+  private static readonly supportedCNIs = ["cilium"]
+
+  static create(
+    name: string,
+    args: FullNetworkPolicyArgs,
+    opts: ResourceOptions,
+  ): Output<NetworkPolicy> {
+    return output(args).apply(async args => {
+      if (!args.cni || !NetworkPolicy.supportedCNIs.includes(args.cni)) {
+        return new NativeNetworkPolicy(name, args, opts)
+      }
+
+      const implName = `${capitalize(args.cni)}NetworkPolicy`
+      const implModule = (await import(`@highstate/${args.cni}`)) as Record<string, unknown>
+
+      type NetworkPolicyFactory = new (
+        name: string,
+        args: Unwrap<NetworkPolicyArgs>,
+        opts?: ResourceOptions,
+      ) => NetworkPolicy
+
+      const implClass = implModule[implName] as NetworkPolicyFactory | undefined
+      if (!implClass) {
+        throw new Error(`No implementation found for ${args.cni}`)
+      }
+
+      return new implClass(name, args, opts)
+    })
+  }
+
+  static allowInsideNamespace(
+    namespace: Input<NamespaceLike>,
+    k8sCluster: Input<k8s.Cluster>,
+    opts: ResourceOptions,
+  ): Output<NetworkPolicy> {
+    return NetworkPolicy.create(
+      "allow-inside-namespace",
+      {
+        namespace,
+        cni: output(k8sCluster).info.cni,
+
+        description: "Allow all traffic inside the namespace.",
+        selector: {},
+
+        ingressRule: { fromNamespace: namespace },
+        egressRule: { toNamespace: namespace },
+      },
+      opts,
+    )
+  }
+
+  static allowKubeApiServer(
+    namespace: Input<NamespaceLike>,
+    k8sCluster: Input<k8s.Cluster>,
+    opts: ResourceOptions,
+  ): Output<NetworkPolicy> {
+    return NetworkPolicy.create(
+      "allow-kube-api-server",
+      {
+        namespace,
+        cni: output(k8sCluster).info.cni,
+
+        description: "Allow all traffic to the Kubernetes API server from the namespace.",
+
+        allowKubeApiServer: true,
+      },
+      opts,
+    )
+  }
+
+  static allowKubeDns(
+    namespace: Input<NamespaceLike>,
+    k8sCluster: Input<k8s.Cluster>,
+    opts: ResourceOptions,
+  ): Output<NetworkPolicy> {
+    return NetworkPolicy.create(
+      "allow-kube-dns",
+      {
+        namespace,
+        cni: output(k8sCluster).info.cni,
+
+        description: "Allow all traffic to the Kubernetes DNS server from the namespace.",
+
+        allowKubeDns: true,
+      },
+      opts,
+    )
+  }
+
+  static allowAllEgress(
+    namespace: Input<NamespaceLike>,
+    k8sCluster: Input<k8s.Cluster>,
+    opts: ResourceOptions,
+  ): Output<NetworkPolicy> {
+    return NetworkPolicy.create(
+      "allow-all-egress",
+      {
+        namespace,
+        cni: output(k8sCluster).info.cni,
+
+        description: "Allow all egress traffic from the namespace.",
+
+        egressRule: { toAll: true },
+      },
+      opts,
+    )
+  }
+}
+
+export class NativeNetworkPolicy extends NetworkPolicy {
+  protected create(
+    name: string,
+    args: NormalizedNetworkPolicyArgs,
+    opts?: ResourceOptions,
+  ): Resource {
+    const ingress = NativeNetworkPolicy.createIngressRules(args)
+    const egress = NativeNetworkPolicy.createEgressRules(args)
+
+    const policyTypes: string[] = []
+
+    if (ingress.length > 0 || args.isolateIngress) {
+      policyTypes.push("Ingress")
+    }
+
+    if (egress.length > 0 || args.isolateEgress) {
+      policyTypes.push("Egress")
+    }
+
+    return new networking.v1.NetworkPolicy(
+      name,
+      {
+        metadata: mergeDeep(mapMetadata(args, name), {
+          annotations: args.description
+            ? { "kubernetes.io/description": args.description }
+            : undefined,
+        }),
+        spec: {
+          podSelector: args.podSelector,
+          ingress,
+          egress,
+          policyTypes,
+        },
+      },
+      opts,
+    )
+  }
+
+  private static fallbackIpBlock: types.input.networking.v1.IPBlock = {
+    cidr: "0.0.0.0/0",
+    except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
+  }
+
+  private static createIngressRules(
+    args: NormalizedNetworkPolicyArgs,
+  ): types.input.networking.v1.NetworkPolicyIngressRule[] {
+    return args.ingressRules.map(rule => ({
+      from: rule.all ? undefined : NativeNetworkPolicy.createRulePeers(rule),
+      ports: NativeNetworkPolicy.mapPorts(rule.ports),
+    }))
+  }
+
+  private static createEgressRules(
+    args: NormalizedNetworkPolicyArgs,
+  ): types.input.networking.v1.NetworkPolicyEgressRule[] {
+    // the native resource does not support FQDNs
+    // to provide compatibility, we need to fallback to all except private CIDRs
+    const needFallback = args.egressRules.some(rule => rule.fqdns.length > 0)
+    if (needFallback) {
+      return [{ to: [{ ipBlock: NativeNetworkPolicy.fallbackIpBlock }] }]
+    }
+
+    const extraRules: types.input.networking.v1.NetworkPolicyEgressRule[] = []
+
+    if (args.allowKubeApiServer) {
+      // TODO: the "10.96.0.1" is not guaranteed to be the API server
+      extraRules.push({ to: [{ ipBlock: { cidr: "10.96.0.1" } }] })
+    }
+
+    return args.egressRules
+      .map(rule => {
+        return {
+          to: rule.all ? undefined : NativeNetworkPolicy.createRulePeers(rule),
+          ports: NativeNetworkPolicy.mapPorts(rule.ports),
+        } as types.input.networking.v1.NetworkPolicyEgressRule
+      })
+      .concat(extraRules)
+  }
+
+  private static createRulePeers(
+    this: void,
+    args: NormalizedRuleArgs,
+  ): types.input.networking.v1.NetworkPolicyPeer[] {
+    return [
+      ...NativeNetworkPolicy.createCidrPeers(args),
+      ...NativeNetworkPolicy.createServicePeers(args),
+      ...NativeNetworkPolicy.createSelectorPeers(args),
+    ]
+  }
+
+  private static createCidrPeers(
+    args: NormalizedRuleArgs,
+  ): types.input.networking.v1.NetworkPolicyPeer[] {
+    return args.cidrs.map(cidr => ({ ipBlock: { cidr } }))
+  }
+
+  private static createServicePeers(
+    args: NormalizedRuleArgs,
+  ): types.input.networking.v1.NetworkPolicyPeer[] {
+    return args.services.map(service => {
+      const selector = mapServiceToLabelSelector(service)
+
+      return {
+        namespaceSelector: mapNamespaceNameToSelector(service.metadata.namespace),
+        podSelector: selector,
+      }
+    })
+  }
+
+  private static createSelectorPeers(
+    args: NormalizedRuleArgs,
+  ): types.input.networking.v1.NetworkPolicyPeer[] {
+    const selectorPeers = args.selectors.map(selector => ({
+      podSelector: mapSelectorLikeToSelector(selector),
+    }))
+
+    const namespacePeers = args.namespaces.map(NativeNetworkPolicy.createNamespacePeer)
+
+    if (namespacePeers.length === 0) {
+      // if there are no namespaces, we can just return selector peers
+      return selectorPeers
+    }
+
+    if (selectorPeers.length === 0) {
+      // if there are no selectors, we can just return namespace peers
+      return namespacePeers
+    }
+
+    // if there are both, we need to create a cartesian product
+    return flat(
+      selectorPeers.map(selectorPeer => {
+        return namespacePeers.map(namespacePeer => merge(selectorPeer, namespacePeer))
+      }),
+    )
+  }
+
+  private static createNamespacePeer(
+    this: void,
+    namespace: NamespaceLike,
+  ): types.input.networking.v1.NetworkPolicyPeer {
+    const namespaceName = mapNamespaceLikeToNamespaceName(namespace)
+    const namespaceSelector = mapNamespaceNameToSelector(namespaceName)
+
+    return { namespaceSelector }
+  }
+
+  private static mapPorts(
+    ports: NetworkPolicyPort[],
+  ): types.input.networking.v1.NetworkPolicyPort[] {
+    return ports.map(port => {
+      if ("port" in port) {
+        return {
+          port: port.port,
+          protocol: port.protocol ?? "TCP",
+        }
+      }
+
+      return {
+        port: port.range[0],
+        endPort: port.range[1],
+        protocol: port.protocol ?? "TCP",
+      }
+    })
+  }
+}