39ede9130b
Build flock Image / build (push) Has been cancelled
New pkg/agent/netpol implementing standard networking.k8s.io/v1 NetworkPolicy.

Pipeline: pods + policies + namespaces → Translate → Render → Apply

Supports ingress + egress, all three peer types (podSelector, namespaceSelector, ipBlock with except), numeric ports + port ranges, default-deny semantics derived from PolicyTypes (or inferred from non-empty Spec.Egress when unset).

Apply path is `nft -f -` shell-out — single transaction, atomic, kernel guarantees partial-failure rollback. Idempotent dedup via last-applied script. Reconcile triggers: informer events, 30s self-heal tick, every CNI ADD/DEL.

Verified against the three live cluster NetPols (calico-apiserver, remote-proxies/lodge-home-assistant, storage/garage-admin-restrict).

Fuzz target stitches Translate + Render with random selector and peer inputs; 21 unit tests cover the policy semantics.

Named ports skip with a warn — deferred until kubelet exposes them in a form that doesn't require shadowing pod state.

Dockerfile: + nftables.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
17 lines
409 B
Go
//go:build !linux

package netpol

import "context"

// Applier is a no-op on non-Linux build hosts so unit tests run on macOS
// without nft.
type Applier struct {
	NftPath string
	Timeout interface{} // loosely typed so this stub compiles without importing time
	last    string
}

func (a *Applier) Apply(_ context.Context, script string) error { a.last = script; return nil }

func (a *Applier) Clear(_ context.Context) error { a.last = ""; return nil }