netpol: NetworkPolicy v1 enforcement via nftables
Build flock Image / build (push) Has been cancelled
New pkg/agent/netpol implementing standard networking.k8s.io/v1 NetworkPolicy.

Pipeline: pods + policies + namespaces → Translate → Render → Apply

Supports ingress + egress, all three peer types (podSelector, namespaceSelector, ipBlock with except), numeric ports + port ranges, default-deny semantics derived from PolicyTypes (or inferred from non-empty Spec.Egress when unset).

Apply path is `nft -f -` shell-out — single transaction, atomic, kernel guarantees partial-failure rollback. Idempotent dedup via last-applied script. Reconcile triggers: informer events, 30s self-heal tick, every CNI ADD/DEL.

Verified against the three live cluster NetPols (calico-apiserver, remote-proxies/lodge-home-assistant, storage/garage-admin-restrict). Fuzz target stitches Translate + Render with random selector and peer inputs; 21 unit tests cover the policy semantics.

Named ports skip with a warn — deferred until kubelet exposes them in a form that doesn't require shadowing pod state.

Dockerfile: + nftables.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
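Added example, not code from this commit, showing the isolation rule the message describes: explicit PolicyTypes win, otherwise Ingress is always implied and Egress only when Spec.Egress is non-empty, and a pod is default-denied in every direction that any policy selecting it isolates. The struct types are constructed stand-ins for the k8s API fields, and `Isolation` and `effectiveTypes` are hypothetical names.

```go
package main

import "fmt"

// Constructed stand-ins for the NetworkPolicy fields the isolation rule reads
// (not the real k8s API types; peers and ports do not affect isolation).
type Rule struct{}
type Policy struct {
	Name        string
	PodSelector map[string]string // matchLabels only; nil/empty selects all pods
	PolicyTypes []string          // "Ingress" / "Egress"; empty means unset
	Ingress     []Rule
	Egress      []Rule
}

// effectiveTypes applies the API default: an explicit PolicyTypes list wins;
// otherwise Ingress is always implied and Egress only when egress rules exist.
func effectiveTypes(p Policy) (ingress, egress bool) {
	if len(p.PolicyTypes) > 0 {
		for _, t := range p.PolicyTypes {
			switch t {
			case "Ingress":
				ingress = true
			case "Egress":
				egress = true
			}
		}
		return ingress, egress
	}
	return true, len(p.Egress) > 0
}

// selects reports whether a matchLabels selector matches the pod's labels.
func selects(sel, labels map[string]string) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// Isolation returns the directions in which one pod is default-denied by the
// union of policies selecting it (policies from other namespaces are assumed
// already filtered out by the caller).
func Isolation(pols []Policy, podLabels map[string]string) (ingress, egress bool) {
	for _, p := range pols {
		if selects(p.PodSelector, podLabels) {
			i, e := effectiveTypes(p)
			ingress, egress = ingress || i, egress || e
		}
	}
	return ingress, egress
}

func main() {
	pols := []Policy{
		{Name: "deny-all-egress", PolicyTypes: []string{"Egress"}},
		{Name: "allow-db", PodSelector: map[string]string{"app": "db"}, Ingress: []Rule{{}}},
	}
	i, e := Isolation(pols, map[string]string{"app": "db"})
	fmt.Printf("db pod: ingress-isolated=%v egress-isolated=%v\n", i, e)
}
```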
@@ -0,0 +1,16 @@
//go:build !linux
package netpol
import "context"
// Applier is a no-op on non-Linux build hosts so unit tests run on macOS
// without nft.
type Applier struct {
NftPath string
Timeout interface{}
last string
}
func (a *Applier) Apply(_ context.Context, script string) error { a.last = script; return nil }
func (a *Applier) Clear(_ context.Context) error { a.last = ""; return nil }
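Review bot: the `Timeout interface{}` field in this `!linux` stub lets the non-Linux Applier's surface drift from the Linux one; if the real field is a `time.Duration`, declare it as such here (importing `time`) so callers and tests compile identically under both build tags and a type mismatch cannot hide behind the build constraint. Separately, `Apply` returning nil while touching nothing means a binary built for a non-Linux target would report policies as enforced while enforcing none; the build tag confines this to test hosts, as the type comment says, but restating that next to `Apply` itself (e.g. "// Apply records the script and enforces nothing; test-only") makes the no-op explicit at the call site.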