Cyclonus uses an interim data structure (`matcher.Policy`) to represent a NetworkPolicy. We can modify it into a generic Policy that represents an ANP, a BANP, or a NetworkPolicy.
New features include:
- SameLabels in Peer
- Namespace selector in Target (Subject)
- Node selector in Target/Peer
- Priority + Action (ANP rules Allow, Deny or Pass; BANP rules Allow or Deny; NetworkPolicy only ever allows)
Code to Modify
New implementations of `PeerMatcher` will be needed, like those used in `TargetsTableLines()`. The sketch below marks the fields and return values that have to change.
```go
package matcher

import (
	v1 "k8s.io/api/core/v1"
	networkingv1 "k8s.io/api/networking/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Policy is the interim representation; today it models exactly one NetworkPolicy.
type Policy struct {
	// NOTE: need policyKind here (NetworkPolicy, ANP, or BANP)
	Ingress map[string]*Target
	Egress  map[string]*Target
}

// IsIngressOrEgressAllowed finds the targets that select the traffic's destination (ingress)
// or source (egress) and asks their peer matchers whether the traffic is allowed.
// DirectionResult is the existing result type in this package.
func (p *Policy) IsIngressOrEgressAllowed(traffic *Traffic, isIngress bool) *DirectionResult {
	// NOTE: need new logic here
	// Targets can overlap now since ANP uses a namespace selector, so several targets
	// (possibly from different policy kinds and priorities) can apply to one pod.
	return nil // placeholder until the new logic is written
}

type Traffic struct {
	Source           *TrafficPeer
	Destination      *TrafficPeer
	ResolvedPort     int
	ResolvedPortName string
	Protocol         v1.Protocol
}

// Target is a policy's subject: the pods it applies to plus the peers it admits.
type Target struct {
	// NOTE: need:
	// 1. Namespace selector (ANP/BANP subjects select namespaces; a single Namespace is not enough)
	// 2. Node selector
	Namespace   string
	PodSelector metav1.LabelSelector
	Peers       []PeerMatcher
	SourceRules []*networkingv1.NetworkPolicy // need ANP/BANP option
	primaryKey  string
}

type PeerMatcher interface {
	Allows(peer *TrafficPeer, portInt int, portName string, protocol v1.Protocol) bool
	// NOTE: need an argument for the target's pod/node labels (to help with SameLabels)
	// NOTE: return value must be (policyKind, priority, action) instead of a bare bool
}

type TrafficPeer struct {
	Internal *InternalPeer
	IP       string
}

type InternalPeer struct {
	PodLabels       map[string]string
	NamespaceLabels map[string]string
	Namespace       string
	// NOTE: need:
	// 1. Node
	// 2. Node labels
}
```
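As an added illustration of how the per-kind verdicts could be combined once `PeerMatcher` returns (policyKind, priority, action), here is a hypothetical, self-contained Go sketch. It is not code from Cyclonus or from this issue: the names `Peer`, `Rule`, `Matcher`, `Evaluate` and `DemoRules` are invented for the example, the label matchers are equality-only stand-ins for `metav1.LabelSelector`, node selectors are left out, and the precedence it encodes is the upstream one (ANP rules by priority with Pass deferring to NetworkPolicy, then NetworkPolicy isolation, then BANP, then the default allow). `SameLabels` follows the ANP v1alpha1 `NamespacedPeer.SameLabels` semantics: the peer's namespace must carry the same value as the subject's namespace for each listed key, which is why a matcher has to see the subject and not only the peer.

```go
package main

import "sort"

// Action is a rule's verdict: ANP rules Allow, Deny or Pass; BANP rules Allow or Deny; NP rules only Allow.
type Action string

const Allow, Deny, Pass Action = "Allow", "Deny", "Pass"

// PolicyKind records which API produced a verdict; evaluation order is ANP, then NP, then BANP.
type PolicyKind string

const (
	KindANP, KindNP    PolicyKind = "AdminNetworkPolicy", "NetworkPolicy"
	KindBANP, KindNone PolicyKind = "BaselineAdminNetworkPolicy", "default-allow"
)

// Peer is a cut-down, hypothetical InternalPeer carrying the labels the new selectors need.
type Peer struct {
	NamespaceLabels map[string]string
	PodLabels       map[string]string
}

// Matcher receives the subject as well as the peer because SameLabels compares the two.
type Matcher func(subject, peer Peer) bool

// Rule is one flattened (subject, peer, action) triple taken from a policy.
type Rule struct {
	Kind     PolicyKind
	Priority int32 // ANP only; lower number takes precedence
	Action   Action
	Subject  Matcher
	Peer     Matcher
}

// hasLabels is an equality-only stand-in for metav1.LabelSelector: an empty selector matches
// everything, and an empty label value is treated as absent.
func hasLabels(want, have map[string]string) bool {
	for k, v := range want {
		if have[k] != v {
			return false
		}
	}
	return true
}

func Any() Matcher { return func(Peer, Peer) bool { return true } }
func SubjectNamespaces(sel map[string]string) Matcher { return func(s, _ Peer) bool { return hasLabels(sel, s.NamespaceLabels) } }
func SubjectPods(sel map[string]string) Matcher { return func(s, _ Peer) bool { return hasLabels(sel, s.PodLabels) } }
func PeerPods(sel map[string]string) Matcher { return func(_, p Peer) bool { return hasLabels(sel, p.PodLabels) } }

// SameLabels matches peers whose namespace carries the same value as the subject's namespace
// for every listed key (ANP v1alpha1 NamespacedPeer.SameLabels); a missing key never matches.
func SameLabels(keys ...string) Matcher {
	return func(s, p Peer) bool {
		for _, k := range keys {
			sv, ok := s.NamespaceLabels[k]
			if pv, pok := p.NamespaceLabels[k]; !ok || !pok || sv != pv {
				return false
			}
		}
		return true
	}
}

// firstMatch returns the first rule whose peer matcher admits the peer.
func firstMatch(rs []Rule, s, p Peer) (Rule, bool) {
	for _, r := range rs {
		if r.Peer(s, p) {
			return r, true
		}
	}
	return Rule{}, false
}

// Evaluate resolves one direction of traffic for a subject against all three kinds at once: ANP first
// (lowest priority number wins; Pass hands over to NP), then NP (a subject selected by any NP is
// isolated and needs a rule admitting the peer), then BANP only when no NP selects the subject, else allow.
func Evaluate(rules []Rule, subject, peer Peer) (Action, PolicyKind) {
	byKind := map[PolicyKind][]Rule{}
	for _, r := range rules {
		if r.Subject(subject, peer) {
			byKind[r.Kind] = append(byKind[r.Kind], r)
		}
	}
	anp := byKind[KindANP]
	sort.SliceStable(anp, func(i, j int) bool { return anp[i].Priority < anp[j].Priority })
	if r, ok := firstMatch(anp, subject, peer); ok && r.Action != Pass {
		return r.Action, KindANP
	}
	if np := byKind[KindNP]; len(np) > 0 {
		if _, ok := firstMatch(np, subject, peer); ok {
			return Allow, KindNP
		}
		return Deny, KindNP
	}
	if r, ok := firstMatch(byKind[KindBANP], subject, peer); ok {
		return r.Action, KindBANP
	}
	return Allow, KindNone
}

// DemoRules is a constructed sample: prod namespaces are reachable only from their own team (ANP Pass,
// then Deny the rest), the NP narrows same-team traffic to CLI pods, and a BANP denies by default.
func DemoRules() []Rule {
	prod := map[string]string{"env": "prod"}
	return []Rule{
		{KindANP, 5, Pass, SubjectNamespaces(prod), SameLabels("team")},
		{KindANP, 10, Deny, SubjectNamespaces(prod), Any()},
		{KindNP, 0, Allow, SubjectPods(map[string]string{"app": "web"}), PeerPods(map[string]string{"app": "cli"})},
		{KindBANP, 0, Deny, Any(), Any()},
	}
}
```

The point of the sketch is the shape of the result, not the matchers: `Evaluate` returns the winning kind alongside the action, which is what the `(policyKind, priority, action)` return value on `PeerMatcher` has to make possible when several overlapping targets apply to one pod. Ties between ANP rules of equal priority are left in input order here; the ANP API does not define that ordering, so a verifier should flag such rule sets rather than rely on it.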
Requirement for #150.