@highstate/k8s 0.9.4 → 0.9.5

package/src/network-policy.ts

@@ -1,6 +1,7 @@
 import { networking, types, type core } from "@pulumi/kubernetes"
 import {
   ComponentResource,
+  interpolate,
   normalize,
   output,
   type Input,
@@ -10,10 +11,16 @@ import {
   type ResourceOptions,
   type Unwrap,
 } from "@highstate/pulumi"
-import { capitalize, flat, merge, mergeDeep } from "remeda"
-import { parseDomain, ParseResultType, type ParseResultIp } from "parse-domain"
-import { k8s } from "@highstate/library"
+import { capitalize, flat, groupBy, merge, mergeDeep, uniqueBy } from "remeda"
+import { k8s, network } from "@highstate/library"
 import {
+  l34EndpointToString,
+  l3EndpointToCidr,
+  parseL34Endpoint,
+  type InputL34Endpoint,
+} from "@highstate/common"
+import {
+  getProvider,
   mapMetadata,
   mapNamespaceLikeToNamespaceName,
   mapNamespaceNameToSelector,
@@ -22,7 +29,7 @@ import {
   type NamespaceLike,
   type SelectorLike,
 } from "./shared"
-import { mapServiceToLabelSelector } from "./service"
+import { getServiceMetadata, isFromCluster, mapServiceToLabelSelector } from "./service"
 
 export type NetworkPolicyPort = {
   /**
@@ -36,7 +43,7 @@ export type NetworkPolicyPort = {
       /**
        * The single port to match.
        */
-      port: number
+      port: number | string
     }
   | {
       /**
@@ -68,6 +75,30 @@ export type IngressRuleArgs = {
    */
   fromCidrs?: InputArray<string>
 
+  /**
+   * The list of allowed L3 or L4 endpoints for outgoing traffic.
+   *
+   * Just a syntactic sugar for `fromFqdn` and `fromService` for cases when the endpoint can be one of them + optional port/protocol.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   *
+   * If a single endpoint also has a port/protocol/service metadata,
+   * it will produce separate rule for it with them and ORed with the rest of the rules.
+   */
+  fromEndpoint?: Input<InputL34Endpoint>
+
+  /**
+   * The list of allowed L3 or L4 endpoints for incoming traffic.
+   *
+   * Just a syntactic sugar for `fromFqdn` and `fromService` for cases when the endpoint can be one of them + optional port/protocol.
+   *
+   * Will be ORed with other conditions inside the same rule (except ports).
+   *
+   * If a single endpoint also has a port/protocol/service metadata,
+   * it will produce separate rule for it with them and ORed with the rest of the rules.
+   */
+  fromEndpoints?: InputArray<InputL34Endpoint>
+
   /**
    * The service to allow traffic from.
    *
@@ -174,20 +205,28 @@ export type EgressRuleArgs = {
   toFqdns?: InputArray<string>
 
   /**
-   * Either the FQDN or the IP address of the endpoint to allow outgoing traffic.
+   * The L3 or L4 endpoint to allow outgoing traffic.
    *
-   * Just a syntactic sugar for `toFqdn` and `toCidr` for cases when the endpoint can be both.
+   * Just a syntactic sugar for `toFqdn`, `toCidr` and `toService` for cases when the endpoint can be one of them + optional port/protocol.
    *
    * Will be ORed with other conditions inside the same rule (except ports).
+   *
+   * If a single endpoint also has a port/protocol/service metadata,
+   * it will produce separate rule for it with them and ORed with the rest of the rules.
    */
-  toEndpoint?: Input<string>
+  toEndpoint?: Input<InputL34Endpoint>
 
   /**
-   * The list of allowed endpoints for outgoing traffic.
+   * The list of allowed L3 or L4 endpoints for outgoing traffic.
+   *
+   * Just a syntactic sugar for `toFqdn`, `toCidr` and `toService` for cases when the endpoint can be one of them + optional port/protocol.
    *
    * Will be ORed with other conditions inside the same rule (except ports).
+   *
+   * If a single endpoint also has a port/protocol/service metadata,
+   * it will produce separate rule for it with them and ORed with the rest of the rules.
    */
-  toEndpoints?: InputArray<string>
+  toEndpoints?: InputArray<InputL34Endpoint>
 
   /**
    * The service to allow traffic to.
@@ -369,17 +408,6 @@ export abstract class NetworkPolicy extends ComponentResource {
       const ingressRules = normalize(args.ingressRule, args.ingressRules)
       const egressRules = normalize(args.egressRule, args.egressRules)
 
-      const endpoints = normalize(args.egressRule?.toEndpoint, args.egressRule?.toEndpoints)
-      const parsedEndpoints = endpoints.map(endpoint => parseDomain(endpoint))
-
-      const cidrsFromEndpoints = parsedEndpoints
-        .filter(result => result.type === ParseResultType.Ip)
-        .map(result => NetworkPolicy.mapCidrFromEndpoint(result))
-
-      const fqdnsFromEndpoints = parsedEndpoints
-        .filter(result => result.type !== ParseResultType.Invalid)
-        .map(result => result.hostname)
-
       const extraEgressRules: NormalizedRuleArgs[] = []
 
       if (args.allowKubeDns) {
@@ -404,47 +432,182 @@ export abstract class NetworkPolicy extends ComponentResource {
 
         allowKubeApiServer: args.allowKubeApiServer ?? false,
 
-        ingressRules: ingressRules.map(rule => ({
-          all: rule.fromAll ?? false,
-          cidrs: normalize(rule.fromCidr, rule.fromCidrs),
-          fqdns: [],
-          services: normalize(rule.fromService, rule.fromServices),
-          namespaces: normalize(rule.fromNamespace, rule.fromNamespaces),
-          selectors: normalize(rule.fromSelector, rule.fromSelectors),
-          ports: normalize(rule.toPort, rule.toPorts),
-        })),
+        ingressRules: ingressRules.flatMap(rule => {
+          const endpoints = normalize(
+            args.ingressRule?.fromEndpoint,
+            args.ingressRule?.fromEndpoints,
+          )
+          const parsedEndpoints = endpoints.map(parseL34Endpoint)
 
-        egressRules: egressRules
-          .map(rule => {
-            return {
-              all: rule.toAll ?? false,
-              cidrs: normalize(rule.toCidr, rule.toCidrs).concat(cidrsFromEndpoints),
-              fqdns: normalize(rule.toFqdn, rule.toFqdns).concat(fqdnsFromEndpoints),
-              services: normalize(rule.toService, rule.toServices),
-              namespaces: normalize(rule.toNamespace, rule.toNamespaces),
-              selectors: normalize(rule.toSelector, rule.toSelectors),
+          const endpointsByPortsAndNamespaces = groupBy(parsedEndpoints, endpoint => {
+            const namespace = isFromCluster(endpoint, args.cluster)
+              ? endpoint.metadata.k8sService.namespace
+              : ""
+
+            const port = isFromCluster(endpoint, args.cluster)
+              ? endpoint.metadata.k8sService.targetPort
+              : endpoint.port
+
+            return `${port ?? "0"}:${namespace}`
+          })
+
+          const l3OnlyRule = endpointsByPortsAndNamespaces["0:"]
+            ? NetworkPolicy.getRuleFromEndpoint(
+                undefined,
+                endpointsByPortsAndNamespaces["0:"],
+                args.cluster,
+              )
+            : undefined
+
+          const otherRules = Object.entries(endpointsByPortsAndNamespaces)
+            .filter(([key]) => key !== "0:")
+            .map(([key, endpoints]) => {
+              const [port] = key.split(":")
+              const portNumber = parseInt(port, 10)
+              const portValue = isNaN(portNumber) ? port : portNumber
+
+              return NetworkPolicy.getRuleFromEndpoint(portValue, endpoints, args.cluster)
+            })
+
+          return [
+            {
+              all: rule.fromAll ?? false,
+              cidrs: normalize(rule.fromCidr, rule.fromCidrs).concat(l3OnlyRule?.cidrs ?? []),
+              fqdns: [],
+              services: normalize(rule.fromService, rule.fromServices),
+              namespaces: normalize(rule.fromNamespace, rule.fromNamespaces),
+              selectors: normalize(rule.fromSelector, rule.fromSelectors),
               ports: normalize(rule.toPort, rule.toPorts),
-            } as NormalizedRuleArgs
+            } as NormalizedRuleArgs,
+
+            ...otherRules,
+          ].filter(rule => !NetworkPolicy.isEmptyRule(rule))
+        }),
+
+        egressRules: egressRules
+          .flatMap(rule => {
+            const endpoints = normalize(args.egressRule?.toEndpoint, args.egressRule?.toEndpoints)
+            const parsedEndpoints = endpoints.map(parseL34Endpoint)
+
+            const endpointsByPortsAnsNamespaces = groupBy(parsedEndpoints, endpoint => {
+              const namespace = isFromCluster(endpoint, args.cluster)
+                ? endpoint.metadata.k8sService.namespace
+                : ""
+
+              const port = isFromCluster(endpoint, args.cluster)
+                ? endpoint.metadata.k8sService.targetPort
+                : endpoint.port
+
+              return `${port ?? "0"}:${namespace}`
+            })
+
+            const l3OnlyRule = endpointsByPortsAnsNamespaces["0:"]
+              ? NetworkPolicy.getRuleFromEndpoint(
+                  undefined,
+                  endpointsByPortsAnsNamespaces["0:"],
+                  args.cluster,
+                )
+              : undefined
+
+            const otherRules = Object.entries(endpointsByPortsAnsNamespaces)
+              .filter(([key]) => key !== "0:")
+              .map(([key, endpoints]) => {
+                const [port] = key.split(":")
+                const portNumber = parseInt(port, 10)
+                const portValue = isNaN(portNumber) ? port : portNumber
+
+                return NetworkPolicy.getRuleFromEndpoint(portValue, endpoints, args.cluster)
+              })
+
+            return [
+              {
+                all: rule.toAll ?? false,
+                cidrs: normalize(rule.toCidr, rule.toCidrs).concat(l3OnlyRule?.cidrs ?? []),
+                fqdns: normalize(rule.toFqdn, rule.toFqdns).concat(l3OnlyRule?.fqdns ?? []),
+                services: normalize(rule.toService, rule.toServices),
+                namespaces: normalize(rule.toNamespace, rule.toNamespaces),
+                selectors: normalize(rule.toSelector, rule.toSelectors),
+                ports: normalize(rule.toPort, rule.toPorts),
+              } as NormalizedRuleArgs,
+
+              ...otherRules,
+            ].filter(rule => !NetworkPolicy.isEmptyRule(rule))
           })
           .concat(extraEgressRules),
       }
     })
 
-    this.networkPolicy = normalizedArgs.apply(args => {
-      return output(
-        this.create(name, args as NormalizedNetworkPolicyArgs, { ...opts, parent: this }),
-      )
-    })
+    this.networkPolicy = output(
+      normalizedArgs.apply(async args => {
+        return output(
+          this.create(name, args as NormalizedNetworkPolicyArgs, {
+            ...opts,
+            parent: this,
+            provider: await getProvider(args.cluster),
+          }),
+        )
+      }),
+    )
+  }
+
+  private static mapCidrFromEndpoint(
+    this: void,
+    result: network.L3Endpoint & { type: "ipv4" | "ipv6" },
+  ): string {
+    if (result.type === "ipv4") {
+      return `${result.address}/32`
+    }
 
-    this.registerOutputs({ networkPolicy: this.networkPolicy })
+    return `${result.address}/128`
   }
 
-  private static mapCidrFromEndpoint(result: ParseResultIp): string {
-    if (result.ipVersion === 4) {
-      return `${result.hostname}/32`
+  private static getRuleFromEndpoint(
+    port: number | string | undefined,
+    endpoints: network.L34Endpoint[],
+    cluster: k8s.Cluster,
+  ): NormalizedRuleArgs {
+    const ports: NetworkPolicyPort[] = port
+      ? [{ port, protocol: endpoints[0].protocol?.toUpperCase() }]
+      : []
+
+    const cidrs = endpoints
+      .filter(endpoint => !isFromCluster(endpoint, cluster))
+      .filter(endpoint => endpoint.type === "ipv4" || endpoint.type === "ipv6")
+      .map(NetworkPolicy.mapCidrFromEndpoint)
+
+    const fqdns = endpoints
+      .filter(endpoint => endpoint.type === "hostname")
+      .map(endpoint => endpoint.hostname)
+
+    const selectors = endpoints
+      .filter(endpoint => isFromCluster(endpoint, cluster))
+      .map(endpoint => endpoint.metadata.k8sService.selector)
+
+    const namespace = endpoints
+      .filter(endpoint => isFromCluster(endpoint, cluster))
+      .map(endpoint => getServiceMetadata(endpoint)?.namespace)[0]
+
+    return {
+      all: false,
+      cidrs,
+      fqdns,
+      services: [],
+      namespaces: namespace ? [namespace] : [],
+      selectors,
+      ports,
     }
+  }
 
-    return `${result.hostname}/128`
+  private static isEmptyRule(rule: NormalizedRuleArgs): boolean {
+    return (
+      !rule.all &&
+      rule.cidrs.length === 0 &&
+      rule.fqdns.length === 0 &&
+      rule.services.length === 0 &&
+      rule.namespaces.length === 0 &&
+      rule.selectors.length === 0 &&
+      rule.ports.length === 0
+    )
   }
 
   protected abstract create(
@@ -453,17 +616,15 @@ export abstract class NetworkPolicy extends ComponentResource {
     opts?: ResourceOptions,
   ): Input<Resource>
 
-  private static readonly supportedCNIs = ["cilium"]
-
   static create(
     name: string,
     args: NetworkPolicyArgs,
-    opts: ResourceOptions,
+    opts?: ResourceOptions,
   ): Output<NetworkPolicy> {
     return output(args).apply(async args => {
-      const cni = args.cluster.info.cni
+      const cni = args.cluster.cni
 
-      if (!cni || !NetworkPolicy.supportedCNIs.includes(cni)) {
+      if (cni === "other") {
         return new NativeNetworkPolicy(name, args, opts)
       }
 
@@ -485,10 +646,30 @@ export abstract class NetworkPolicy extends ComponentResource {
     })
   }
 
+  static isolate(
+    namespace: Input<NamespaceLike>,
+    cluster: Input<k8s.Cluster>,
+    opts?: ResourceOptions,
+  ) {
+    return NetworkPolicy.create(
+      "isolate",
+      {
+        namespace,
+        cluster,
+
+        description: "By default, deny all traffic to/from the namespace.",
+
+        isolateEgress: true,
+        isolateIngress: true,
+      },
+      opts,
+    )
+  }
+
   static allowInsideNamespace(
     namespace: Input<NamespaceLike>,
     cluster: Input<k8s.Cluster>,
-    opts: ResourceOptions,
+    opts?: ResourceOptions,
   ): Output<NetworkPolicy> {
     return NetworkPolicy.create(
       "allow-inside-namespace",
@@ -509,7 +690,7 @@ export abstract class NetworkPolicy extends ComponentResource {
   static allowKubeApiServer(
     namespace: Input<NamespaceLike>,
     cluster: Input<k8s.Cluster>,
-    opts: ResourceOptions,
+    opts?: ResourceOptions,
   ): Output<NetworkPolicy> {
     return NetworkPolicy.create(
       "allow-kube-api-server",
@@ -528,7 +709,7 @@ export abstract class NetworkPolicy extends ComponentResource {
   static allowKubeDns(
     namespace: Input<NamespaceLike>,
     cluster: Input<k8s.Cluster>,
-    opts: ResourceOptions,
+    opts?: ResourceOptions,
   ): Output<NetworkPolicy> {
     return NetworkPolicy.create(
       "allow-kube-dns",
@@ -547,7 +728,7 @@ export abstract class NetworkPolicy extends ComponentResource {
   static allowAllEgress(
     namespace: Input<NamespaceLike>,
     cluster: Input<k8s.Cluster>,
-    opts: ResourceOptions,
+    opts?: ResourceOptions,
   ): Output<NetworkPolicy> {
     return NetworkPolicy.create(
       "allow-all-egress",
@@ -562,6 +743,69 @@ export abstract class NetworkPolicy extends ComponentResource {
       opts,
     )
   }
+
+  static allowAllIngress(
+    namespace: Input<NamespaceLike>,
+    cluster: Input<k8s.Cluster>,
+    opts?: ResourceOptions,
+  ): Output<NetworkPolicy> {
+    return NetworkPolicy.create(
+      "allow-all-ingress",
+      {
+        namespace,
+        cluster,
+
+        description: "Allow all ingress traffic to the namespace.",
+
+        ingressRule: { fromAll: true },
+      },
+      opts,
+    )
+  }
+
+  static allowEgressToEndpoint(
+    endpoint: InputL34Endpoint,
+    namespace: Input<NamespaceLike>,
+    cluster: Input<k8s.Cluster>,
+    opts?: ResourceOptions,
+  ): Output<NetworkPolicy> {
+    const parsedEndpoint = parseL34Endpoint(endpoint)
+
+    return NetworkPolicy.create(
+      `allow-egress-to-${l34EndpointToString(parsedEndpoint)}`,
+      {
+        namespace,
+        cluster,
+
+        description: interpolate`Allow egress traffic to "${l34EndpointToString(parsedEndpoint)}" from the namespace.`,
+
+        egressRule: { toEndpoint: endpoint },
+      },
+      opts,
+    )
+  }
+
+  static allowIngressFromEndpoint(
+    endpoint: InputL34Endpoint,
+    namespace: Input<NamespaceLike>,
+    cluster: Input<k8s.Cluster>,
+    opts?: ResourceOptions,
+  ): Output<NetworkPolicy> {
+    const parsedEndpoint = parseL34Endpoint(endpoint)
+
+    return NetworkPolicy.create(
+      `allow-ingress-from-${l34EndpointToString(parsedEndpoint)}`,
+      {
+        namespace,
+        cluster,
+
+        description: interpolate`Allow ingress traffic from "${l34EndpointToString(parsedEndpoint)}" to the namespace.`,
+
+        ingressRule: { fromEndpoint: endpoint },
+      },
+      opts,
+    )
+  }
 }
 
 export class NativeNetworkPolicy extends NetworkPolicy {
@@ -607,56 +851,96 @@ export class NativeNetworkPolicy extends NetworkPolicy {
     except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
   }
 
+  private static fallbackDnsRule: types.input.networking.v1.NetworkPolicyEgressRule = {
+    to: [
+      {
+        namespaceSelector: { matchLabels: { "kubernetes.io/metadata.name": "kube-system" } },
+        podSelector: { matchLabels: { "k8s-app": "kube-dns" } },
+      },
+    ],
+    ports: [{ port: 53, protocol: "UDP" }],
+  }
+
   private static createIngressRules(
     args: NormalizedNetworkPolicyArgs,
   ): types.input.networking.v1.NetworkPolicyIngressRule[] {
-    return args.ingressRules.map(rule => ({
-      from: rule.all ? undefined : NativeNetworkPolicy.createRulePeers(rule),
-      ports: NativeNetworkPolicy.mapPorts(rule.ports),
-    }))
+    return uniqueBy(
+      args.ingressRules.map(rule => ({
+        from: rule.all ? [] : NativeNetworkPolicy.createRulePeers(rule),
+        ports: NativeNetworkPolicy.mapPorts(rule.ports),
+      })),
+      rule => JSON.stringify(rule),
+    )
   }
 
   private static createEgressRules(
     args: NormalizedNetworkPolicyArgs,
   ): types.input.networking.v1.NetworkPolicyEgressRule[] {
+    const extraRules: types.input.networking.v1.NetworkPolicyEgressRule[] = []
+
+    const needKubeDns = args.egressRules.some(rule => rule.fqdns.length > 0)
+    if (needKubeDns) {
+      extraRules.push(NativeNetworkPolicy.fallbackDnsRule)
+    }
+
     // the native resource does not support FQDNs
     // to provide compatibility, we need to fallback to all except private CIDRs
-    const needFallback = args.egressRules.some(rule => rule.fqdns.length > 0)
+    const needFallback = args.egressRules.some(rule =>
+      rule.fqdns.some(fqdn => !fqdn.endsWith(".cluster.local")),
+    )
     if (needFallback) {
-      return [{ to: [{ ipBlock: NativeNetworkPolicy.fallbackIpBlock }] }]
+      extraRules.push({ to: [{ ipBlock: NativeNetworkPolicy.fallbackIpBlock }] })
     }
 
-    const extraRules: types.input.networking.v1.NetworkPolicyEgressRule[] = []
-
+    // apply fallback rules for kube-apiserver
     if (args.allowKubeApiServer) {
-      const apiServerIp = args.cluster.info.kubeApiServerIp ?? "10.96.0.1"
-      const apiServerPort = args.cluster.info.kubeApiServerPort ?? 443
+      const { quirks, apiEndpoints } = args.cluster
 
-      extraRules.push({
-        to: [{ ipBlock: { cidr: `${apiServerIp}/32` } }],
-        ports: [{ port: apiServerPort, protocol: "TCP" }],
-      })
+      if (quirks?.fallbackKubeApiAccess) {
+        extraRules.push({
+          to: [{ ipBlock: { cidr: `${quirks?.fallbackKubeApiAccess.serverIp}/32` } }],
+          ports: [{ port: quirks?.fallbackKubeApiAccess.serverPort, protocol: "TCP" }],
+        })
+      } else {
+        const rules = apiEndpoints
+          .filter(endpoint => endpoint.type !== "hostname")
+          .map(endpoint => ({
+            to: [{ ipBlock: { cidr: l3EndpointToCidr(endpoint) } }],
+            ports: [{ port: endpoint.port, protocol: "TCP" }],
+          }))
+
+        extraRules.push(...rules)
+      }
     }
 
-    return args.egressRules
-      .map(rule => {
-        return {
-          to: rule.all ? undefined : NativeNetworkPolicy.createRulePeers(rule),
-          ports: NativeNetworkPolicy.mapPorts(rule.ports),
-        } as types.input.networking.v1.NetworkPolicyEgressRule
-      })
-      .concat(extraRules)
+    return uniqueBy(
+      args.egressRules
+        .map(rule => {
+          return {
+            to: rule.all ? [] : NativeNetworkPolicy.createRulePeers(rule),
+            ports: NativeNetworkPolicy.mapPorts(rule.ports),
+          } as types.input.networking.v1.NetworkPolicyEgressRule
+        })
+        .filter(rule => rule.to !== undefined)
+        .concat(extraRules),
+      rule => JSON.stringify(rule),
+    )
   }
 
   private static createRulePeers(
     this: void,
     args: NormalizedRuleArgs,
-  ): types.input.networking.v1.NetworkPolicyPeer[] {
-    return [
-      ...NativeNetworkPolicy.createCidrPeers(args),
-      ...NativeNetworkPolicy.createServicePeers(args),
-      ...NativeNetworkPolicy.createSelectorPeers(args),
-    ]
+  ): types.input.networking.v1.NetworkPolicyPeer[] | undefined {
+    const peers = uniqueBy(
+      [
+        ...NativeNetworkPolicy.createCidrPeers(args),
+        ...NativeNetworkPolicy.createServicePeers(args),
+        ...NativeNetworkPolicy.createSelectorPeers(args),
+      ],
+      peer => JSON.stringify(peer),
+    )
+
+    return peers.length > 0 ? peers : undefined
   }
 
   private static createCidrPeers(

package/src/network.ts

@@ -0,0 +1,41 @@
+import type { k8s, network } from "@highstate/library"
+import { filterEndpoints } from "@highstate/common"
+import { isFromCluster } from "./service"
+
+export function getBestEndpoint(
+  endpoints: network.L4Endpoint[],
+  cluster?: k8s.Cluster,
+): network.L4Endpoint | undefined {
+  if (!endpoints.length) {
+    return undefined
+  }
+
+  if (endpoints.length === 1) {
+    return endpoints[0]
+  }
+
+  if (!cluster) {
+    return filterEndpoints(endpoints)[0]
+  }
+
+  const clusterEndpoint = endpoints.find(endpoint => isFromCluster(endpoint, cluster))
+
+  if (clusterEndpoint) {
+    return clusterEndpoint
+  }
+
+  return filterEndpoints(endpoints)[0]
+}
+
+export function requireBestEndpoint(
+  endpoints: network.L4Endpoint[],
+  cluster: k8s.Cluster,
+): network.L4Endpoint {
+  const endpoint = getBestEndpoint(endpoints, cluster)
+
+  if (!endpoint) {
+    throw new Error(`No best endpoint found for cluster "${cluster.name}" (${cluster.id})`)
+  }
+
+  return endpoint
+}