kubernetes
/
kubectl
mirror of https://github.com/kubernetes/kubectl.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #123316 from jcaamano/describe-port-range 

Describe NetworkPolicy port ranges

Kubernetes-commit: 18608386ea5709ec26ed4958ddbba28b6723acee
This commit is contained in:
Kubernetes Publisher 2024-04-18 00:00:35 -07:00
parent 426055bedd 9957529f9c
commit 25dbaefaa9
4 changed files with 218 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
go.mod
View File

@ -30,15 +30,15 @@ require (
github.com/stretchr/testify v1.8.4
golang.org/x/sys v0.18.0
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.0.0-20240404035423-5e7d566356d1
k8s.io/apimachinery v0.0.0-20240404035254-e696ec55a32e
k8s.io/api v0.0.0-20240418013359-a819b1d9bd16
k8s.io/apimachinery v0.0.0-20240418093209-8c36da9e60f7
k8s.io/cli-runtime v0.0.0-20240404041703-9ad5569b61bc
k8s.io/client-go v0.0.0-20240404035629-aa7909e7d7c0
k8s.io/component-base v0.0.0-20240404040301-d0106a887d7d
k8s.io/component-helpers v0.0.0-20240404040358-dc3c4990ec39
k8s.io/klog/v2 v2.120.1
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340
k8s.io/metrics v0.0.0-20240404041558-f59363f3b9af
k8s.io/metrics v0.0.0-20240418015151-b895691471d2
k8s.io/utils v0.0.0-20230726121419-3b25d923346b
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd
sigs.k8s.io/kustomize/kustomize/v5 v5.0.4-0.20230601165947-6ce0bf390ce3

12
go.sum
View File

@ -276,10 +276,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
k8s.io/api v0.0.0-20240404035423-5e7d566356d1 h1:tUkP151p85IMjkPt1+gdSJ4a7HTp6atyw0BPaOl43AI=
k8s.io/api v0.0.0-20240404035423-5e7d566356d1/go.mod h1:hpltBotDO81r+TzqESp+1COe04YlRTmdCzAysBBM8CU=
k8s.io/apimachinery v0.0.0-20240404035254-e696ec55a32e h1:QDMqQVyH8eAEDzaa0HcUsmoJE2goz2xNXb2SKkcU3Lw=
k8s.io/apimachinery v0.0.0-20240404035254-e696ec55a32e/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
k8s.io/api v0.0.0-20240418013359-a819b1d9bd16 h1:DXJla1ulezom5N0QIRlZetozcxtRPdS7U+muHDJuiO4=
k8s.io/api v0.0.0-20240418013359-a819b1d9bd16/go.mod h1:a1YU16kjsAapUzg1LYaOqTnbMlo87NXy9bSeWjRmfoo=
k8s.io/apimachinery v0.0.0-20240418093209-8c36da9e60f7 h1:SydhMcp6AJkjqqVcd0o0uz7ntTcs/QyIgIHAFYfIm7E=
k8s.io/apimachinery v0.0.0-20240418093209-8c36da9e60f7/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
k8s.io/cli-runtime v0.0.0-20240404041703-9ad5569b61bc h1:a12ozjrLRSgKfGuGr0tFr7Aw+jheNPDo6jh/Y1AOkhU=
k8s.io/cli-runtime v0.0.0-20240404041703-9ad5569b61bc/go.mod h1:XYjtKcGQuoX/UlaQtuRlfn9WIdSSrwDwKAkUx4OdbTk=
k8s.io/client-go v0.0.0-20240404035629-aa7909e7d7c0 h1:BV0JmMEQlllu+Rbl7x4I8kU4xYXhQU+3oJZ5/qaxm00=
@ -292,8 +292,8 @@ k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
k8s.io/metrics v0.0.0-20240404041558-f59363f3b9af h1:AtrH4GKrL8LRMVceJKJHr6oeTOKYr4C8k6gYFFwwCmo=
k8s.io/metrics v0.0.0-20240404041558-f59363f3b9af/go.mod h1:N8LPxBy5v7WW+b8KdTIRXWQsoAREip8g10HvJrykDw8=
k8s.io/metrics v0.0.0-20240418015151-b895691471d2 h1:8t+fm49iESk7KyRtZthdbk/bgapb69xsv0WCY99tbHw=
k8s.io/metrics v0.0.0-20240418015151-b895691471d2/go.mod h1:6BtBw4dYxgGd9MpdyJ/0Qmy9jFJ1+9pWoKM2z+xXB+g=
k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=

12
pkg/describe/describe.go
View File

@ -4576,7 +4576,11 @@ func printNetworkPolicySpecIngressFrom(npirs []networkingv1.NetworkPolicyIngress
} else {
proto = corev1.ProtocolTCP
}
w.Write(LEVEL_0, "%s%s: %s/%s\n", initialIndent, "To Port", port.Port, proto)
if port.EndPort == nil {
w.Write(LEVEL_0, "%s%s: %s/%s\n", initialIndent, "To Port", port.Port, proto)
} else {
w.Write(LEVEL_0, "%s%s: %s-%d/%s\n", initialIndent, "To Port Range", port.Port, *port.EndPort, proto)
}
}
}
if len(npir.From) == 0 {
@ -4620,7 +4624,11 @@ func printNetworkPolicySpecEgressTo(npers []networkingv1.NetworkPolicyEgressRule
} else {
proto = corev1.ProtocolTCP
}
w.Write(LEVEL_0, "%s%s: %s/%s\n", initialIndent, "To Port", port.Port, proto)
if port.EndPort == nil {
w.Write(LEVEL_0, "%s%s: %s/%s\n", initialIndent, "To Port", port.Port, proto)
} else {
w.Write(LEVEL_0, "%s%s: %s-%d/%s\n", initialIndent, "To Port Range", port.Port, *port.EndPort, proto)
}
}
}
if len(nper.To) == 0 {

199
pkg/describe/describe_test.go
View File

@ -5483,6 +5483,205 @@ Spec:
}
}
func TestDescribeNetworkPoliciesWithPortRange(t *testing.T) {
expectedTime, err := time.Parse("2006-01-02 15:04:05 Z0700 MST", "2017-06-04 21:45:56 -0700 PDT")
if err != nil {
t.Errorf("unable to parse time %q error: %s", "2017-06-04 21:45:56 -0700 PDT", err)
}
expectedOut := `Name: network-policy-1
Namespace: default
Created on: 2017-06-04 21:45:56 -0700 PDT
Labels: <none>
Annotations: <none>
Spec:
PodSelector: foo in (bar1,bar2),foo2 notin (bar1,bar2),id1=app1,id2=app2
Allowing ingress traffic:
To Port Range: 80-82/TCP
From:
NamespaceSelector: id=ns1,id2=ns2
PodSelector: id=pod1,id2=pod2
From:
PodSelector: id=app2,id2=app3
From:
NamespaceSelector: id=app2,id2=app3
From:
NamespaceSelector: foo in (bar1,bar2),id=app2,id2=app3
From:
IPBlock:
CIDR: 192.168.0.0/16
Except: 192.168.3.0/24, 192.168.4.0/24
----------
To Port: <any> (traffic allowed to all ports)
From: <any> (traffic not restricted by source)
Allowing egress traffic:
To Port Range: 80-82/TCP
To:
NamespaceSelector: id=ns1,id2=ns2
PodSelector: id=pod1,id2=pod2
To:
PodSelector: id=app2,id2=app3
To:
NamespaceSelector: id=app2,id2=app3
To:
NamespaceSelector: foo in (bar1,bar2),id=app2,id2=app3
To:
IPBlock:
CIDR: 192.168.0.0/16
Except: 192.168.3.0/24, 192.168.4.0/24
----------
To Port: <any> (traffic allowed to all ports)
To: <any> (traffic not restricted by destination)
Policy Types: Ingress, Egress
`
port80 := intstr.FromInt(80)
port82 := int32(82)
protoTCP := corev1.ProtocolTCP
versionedFake := fake.NewSimpleClientset(&networkingv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "network-policy-1",
Namespace: "default",
CreationTimestamp: metav1.NewTime(expectedTime),
},
Spec: networkingv1.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{
MatchLabels: map[string]string{
"id1": "app1",
"id2": "app2",
},
MatchExpressions: []metav1.LabelSelectorRequirement{
{Key: "foo", Operator: "In", Values: []string{"bar1", "bar2"}},
{Key: "foo2", Operator: "NotIn", Values: []string{"bar1", "bar2"}},
},
},
Ingress: []networkingv1.NetworkPolicyIngressRule{
{
Ports: []networkingv1.NetworkPolicyPort{
{Port: &port80, EndPort: &port82, Protocol: &protoTCP},
},
From: []networkingv1.NetworkPolicyPeer{
{
PodSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "pod1",
"id2": "pod2",
},
},
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "ns1",
"id2": "ns2",
},
},
},
{
PodSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "app2",
"id2": "app3",
},
},
},
{
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "app2",
"id2": "app3",
},
},
},
{
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "app2",
"id2": "app3",
},
MatchExpressions: []metav1.LabelSelectorRequirement{
{Key: "foo", Operator: "In", Values: []string{"bar1", "bar2"}},
},
},
},
{
IPBlock: &networkingv1.IPBlock{
CIDR: "192.168.0.0/16",
Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
},
},
},
},
{},
},
Egress: []networkingv1.NetworkPolicyEgressRule{
{
Ports: []networkingv1.NetworkPolicyPort{
{Port: &port80, EndPort: &port82, Protocol: &protoTCP},
},
To: []networkingv1.NetworkPolicyPeer{
{
PodSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "pod1",
"id2": "pod2",
},
},
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "ns1",
"id2": "ns2",
},
},
},
{
PodSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "app2",
"id2": "app3",
},
},
},
{
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "app2",
"id2": "app3",
},
},
},
{
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"id": "app2",
"id2": "app3",
},
MatchExpressions: []metav1.LabelSelectorRequirement{
{Key: "foo", Operator: "In", Values: []string{"bar1", "bar2"}},
},
},
},
{
IPBlock: &networkingv1.IPBlock{
CIDR: "192.168.0.0/16",
Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
},
},
},
},
{},
},
PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
},
})
d := NetworkPolicyDescriber{versionedFake}
out, err := d.Describe("default", "network-policy-1", DescriberSettings{})
if err != nil {
t.Errorf("unexpected error: %s", err)
}
if out != expectedOut {
t.Errorf("want:\n%s\ngot:\n%s", expectedOut, out)
}
}
func TestDescribeServiceAccount(t *testing.T) {
fake := fake.NewSimpleClientset(&corev1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{