feat(network): add network policy features

Author: duanhongyi

charts/controller/files/network-policy-template.json

@@ -0,0 +1,48 @@
+{
+    "spec": {
+        "podSelector": {},
+        "policyTypes": [
+            "Ingress"
+        ],
+        "ingress": [
+            {
+                "from": [
+                    {
+                        "namespaceSelector": {
+                            "matchLabels": {
+                                "drycc.cc/workspace_id": "{{workspace_id}}"
+                            }
+                        }
+                    }
+                ]
+            },
+            {
+                "from": [
+                    {
+                        "ipBlock": {
+                            "cidr": "0.0.0.0/0",
+                            "except": [
+                                "10.0.0.0/8",
+                                "172.16.0.0/12",
+                                "192.168.0.0/16"
+                            ]
+                        }
+                    }
+                ]
+            },
+            {
+                "from": [
+                    {
+                        "ipBlock": {
+                            "cidr": "::/0",
+                            "except": [
+                                "fc00::/7",
+                                "fe80::/10"
+                            ]
+                        }
+                    }
+                ]
+            }
+        ]
+    }
+}

charts/controller/templates/controller-configmap.yaml

@@ -41,6 +41,12 @@ data:
     {{- else}}
     {{-  .Files.Get "files/volume-claim-template.json" | nindent 4 }}
     {{- end }}
+  network-policy-template.json: |
+    {{- if .Values.config.networkPolicyTemplate }}
+    {{- (tpl .Values.config.networkPolicyTemplate $)  | nindent 4 }}
+    {{- else}}
+    {{- .Files.Get "files/network-policy-template.json" | nindent 4 }}
+    {{- end }}
   volume-usage-template.promql: |
     {{- if .Values.config.volumeUsageTemplate }}
     {{- (tpl .Values.config.volumeUsageTemplate $)  | nindent 4 }}

charts/controller/values.yaml

@@ -77,6 +77,7 @@ config:
   volumeClaimTemplate: ""
   volumeUsageTemplate: ""
   networkUsageTemplate: ""
+  networkPolicyTemplate: ""
 
 # Service
 service:

rootfs/api/models/app.py

@@ -16,6 +16,7 @@
 from docker import auth as docker_auth
 from django.conf import settings
 from django.db import models
+from django.template import Template, Context
 from django.db.models import F, Func, Value, JSONField
 from django.contrib.auth import get_user_model
 from rest_framework.exceptions import ValidationError
@@ -181,6 +182,7 @@ def create(self, *args, **kwargs):  # noqa
                 self.scheduler.ns.create(namespace)
             except KubeException as e:
                 raise ServiceUnavailable('Could not create the Namespace in Kubernetes') from e
+        self._create_network_policy()
         try:
             self.appsettings_set.latest()
         except AppSettings.DoesNotExist:
@@ -945,6 +947,27 @@ def _create_default_ingress(self, target_port):
                 raise DryccException(msg)
             route.save()
 
+    def _create_network_policy(self):
+        if not settings.DRYCC_NETWORK_POLICY_TEMPLATE:
+            return
+        name = namespace = self.id
+        json_str = Template(settings.DRYCC_NETWORK_POLICY_TEMPLATE).render(
+            Context({"workspace_id": str(self.workspace_id)})).strip()
+        kwargs = json.loads(json_str) if json_str else {}
+        try:
+            self.scheduler.networkpolicy.get(namespace, name)
+            self.scheduler.networkpolicy.patch(namespace, name, **kwargs)
+        except KubeHTTPException as e:
+            if e.response.status_code == 404:
+                try:
+                    self.scheduler.networkpolicy.create(namespace, name, **kwargs)
+                except KubeException as ex:
+                    raise ServiceUnavailable(
+                        'Could not create the NetworkPolicy in Kubernetes') from ex
+            else:
+                raise ServiceUnavailable(
+                    'Could not get the NetworkPolicy in Kubernetes') from e
+
     def _verify_http_health(self, service, **kwargs):
         """
         Verify an application is healthy via the svc.
@@ -1083,6 +1106,7 @@ def _build_env_vars(self, release, ptype):
         # mix in default environment information drycc may require
         default_env = {
             'DRYCC_APP': self.id,
+            'DRYCC_WORKSPACE': self.workspace_id,
             'WORKFLOW_RELEASE': release.version_name,
             'WORKFLOW_RELEASE_SUMMARY': release.summary,
             'WORKFLOW_RELEASE_CREATED_AT': str(release.created.strftime(

rootfs/api/models/base.py

@@ -60,11 +60,11 @@ def app_log(self, app_id, msg):
 
     @property
     def scheduler(self):
-        annotations = {}
+        labels = annotations = {}
         if hasattr(self, 'app'):
-            annotations["drycc.cc/app_id"] = str(self.app.id)
-            annotations["drycc.cc/workspace_id"] = str(self.app.workspace_id)
-        return get_scheduler(metadata={"annotations": annotations})
+            labels["drycc.cc/app_id"] = str(self.app.id)
+            labels["drycc.cc/workspace_id"] = str(self.app.workspace_id)
+        return get_scheduler(metadata={"labels": labels, "annotations": annotations})
 
 
 class UuidAuditedModel(AuditedModel):

rootfs/api/settings/production.py

@@ -308,6 +308,14 @@ def randstr(k):
     with open(DRYCC_VOLUME_CLAIM_TEMPLATE_PATH) as fd:
         DRYCC_VOLUME_CLAIM_TEMPLATE = fd.read()
 
+# drycc network policy template
+DRYCC_NETWORK_POLICY_TEMPLATE = {}
+DRYCC_NETWORK_POLICY_TEMPLATE_PATH = os.environ.get(
+    'DRYCC_NETWORK_POLICY_TEMPLATE_PATH', '/etc/controller/network-policy-template.json')
+if os.path.exists(DRYCC_NETWORK_POLICY_TEMPLATE_PATH):
+    with open(DRYCC_NETWORK_POLICY_TEMPLATE_PATH) as fd:
+        DRYCC_NETWORK_POLICY_TEMPLATE = fd.read()
+
 # drycc volume usage template
 DRYCC_VOLUME_USAGE_TEMPLATE = ""
 DRYCC_VOLUME_USAGE_TEMPLATE_PATH = os.environ.get(

rootfs/api/tests/test_app.py

@@ -62,6 +62,20 @@ def tearDown(self):
         # make sure every test has a clean slate for k8s mocking
         cache.clear()
 
+    def test_app_network_policy(self, mock_requests):
+        """
+        Test that a network policy is created when an app is created.
+        """
+        with self.settings(DRYCC_NETWORK_POLICY_TEMPLATE='{"spec": {"podSelector": {}}}'):
+            app_id = self.create_app()
+            app = App.objects.get(id=app_id)
+
+            try:
+                response = app.scheduler.networkpolicy.get(app.id, app.id).json()
+                self.assertEqual(response['metadata']['name'], app.id)
+            except Exception as e:
+                self.fail(f"Network policy not created: {e}")
+
     def test_app(self, mock_requests):
         """
         Test that a user can create, read, update and delete an application
@@ -674,6 +688,7 @@ def test_build_env_vars(self, mock_requests):
             app._build_env_vars(app.release_set.latest(), PTYPE_WEB),
             {
                 'DRYCC_APP': app.id,
+                'DRYCC_WORKSPACE': app.workspace_id,
                 'WORKFLOW_RELEASE': 'v2',
                 'PORT': 5000,
                 'SOURCE_VERSION': '',
@@ -689,6 +704,7 @@ def test_build_env_vars(self, mock_requests):
             app._build_env_vars(app.release_set.latest(), PTYPE_WEB),
             {
                 'DRYCC_APP': app.id,
+                'DRYCC_WORKSPACE': app.workspace_id,
                 'WORKFLOW_RELEASE': 'v3',
                 'PORT': 5000,
                 'SOURCE_VERSION': 'abc1234',

rootfs/scheduler/mock.py

@@ -83,7 +83,7 @@ def _acquire(self):
     'namespaces', 'nodes', 'pods', 'replicationcontrollers',
     'secrets', 'services', 'events', 'deployments', 'replicasets',
     'horizontalpodautoscalers', 'scale', 'resourcequotas', 'ingresses',
-    'persistentvolumeclaims', 'serviceinstances', 'servicebindings',
+    'persistentvolumeclaims', 'serviceinstances', 'servicebindings', 'networkpolicies',
     'limitranges', 'gateways', 'httproutes', 'tcproutes', 'udproutes',
     'issuers', 'certificates', 'certificaterequests', 'jobs', 'clusterserviceclasses',
     'statefulsets', 'daemonsets',

rootfs/scheduler/resources/deployment.py

@@ -1,5 +1,6 @@
 import json
 import time
+import copy
 import logging
 from datetime import datetime, timedelta, timezone
 from scheduler.resources import Resource
@@ -32,16 +33,14 @@ def get(self, namespace, name=None, ignore_exception=False, **kwargs):
         return response
 
     def manifest(self, namespace, name, image, command, args, spec_annotations, **kwargs):
+        app_type = kwargs.get('app_type')
         replicas = kwargs.get('replicas', 0)
         batches = kwargs.get('deploy_batches', None)
         tags = kwargs.get('tags', {})
         annotations = kwargs.get('annotations', {})
 
-        labels = {
-            'app': namespace,
-            'type': kwargs.get('app_type'),
-            'heritage': 'drycc',
-        }
+        labels = copy.deepcopy(kwargs.get('labels', {}))
+        labels.update({'app': namespace, 'type': app_type, 'heritage': 'drycc'})
 
         manifest = {
             'kind': 'Deployment',

rootfs/scheduler/resources/networkpolicy.py

@@ -0,0 +1,74 @@
+from api import utils
+from scheduler.resources import Resource
+from scheduler.exceptions import KubeHTTPException
+
+
+class NetworkPolicy(Resource):
+    api_prefix = 'apis'
+    api_version = 'networking.k8s.io/v1'
+
+    def manifest(self, namespace, name, **kwargs):
+        data = {
+            "apiVersion": self.api_version,
+            "kind": "NetworkPolicy",
+            "metadata": {
+                "name": name,
+                "namespace": namespace,
+                "labels": {
+                    "heritage": "drycc"
+                }
+            }
+        }
+        data = utils.dict_merge(data, kwargs)
+        if "version" in kwargs:
+            data["metadata"]["resourceVersion"] = kwargs.get("version")
+        return data
+
+    def get(self, namespace, name=None, ignore_exception=False, **kwargs):
+        """
+        Fetch a single NetworkPolicy or a list
+        """
+        if name is not None:
+            url = self.api("/namespaces/{}/networkpolicies/{}", namespace, name)
+            message = 'get NetworkPolicy "{}" in Namespace "{}"'.format(name, namespace)
+        else:
+            url = self.api("/namespaces/{}/networkpolicies", namespace)
+            message = 'get NetworkPolicies in Namespace "{}"'.format(namespace)
+
+        response = self.http_get(url, params=self.query_params(**kwargs))
+        if not ignore_exception and self.unhealthy(response.status_code):
+            raise KubeHTTPException(response, message)
+
+        return response
+
+    def create(self, namespace, name, ignore_exception=False, **kwargs):
+        url = self.api("/namespaces/{}/networkpolicies", namespace)
+        data = self.manifest(namespace, name, **kwargs)
+        response = self.http_post(url, json=data)
+
+        if not ignore_exception and self.unhealthy(response.status_code):
+            raise KubeHTTPException(
+                response, 'create NetworkPolicy "{}" in Namespace "{}"', name, namespace)
+
+        return response
+
+    def patch(self, namespace, name, ignore_exception=False, **kwargs):
+        url = self.api("/namespaces/{}/networkpolicies/{}", namespace, name)
+        data = self.manifest(namespace, name, **kwargs)
+        response = self.http_patch(
+            url,
+            json=data,
+            headers={"Content-Type": "application/merge-patch+json"}
+        )
+        if not ignore_exception and self.unhealthy(response.status_code):
+            raise KubeHTTPException(
+                response, 'patch NetworkPolicy "{}" in Namespace "{}"', name, namespace)
+        return response
+
+    def delete(self, namespace, name, ignore_exception=False):
+        url = self.api("/namespaces/{}/networkpolicies/{}", namespace, name)
+        response = self.http_delete(url)
+        if not ignore_exception and self.unhealthy(response.status_code):
+            raise KubeHTTPException(
+                response, 'delete NetworkPolicy "{}" in Namespace "{}"', name, namespace)
+        return response