feat(services): add networkPolicy service

Author: tyler-dunkel

src/enums/schemasMap.ts

@@ -3,6 +3,7 @@ import services from './services'
 export default {
   [services.node]: 'k8sNode',
   [services.namespace]: 'k8sNamespace',
+  [services.networkPolicy]: 'k8sNetworkPolicy',
   [services.pod]: 'k8sPod',
   [services.deployment]: 'k8sDeployment',
   [services.secret]: 'k8sSecret',

src/enums/serviceMap.ts

@@ -13,10 +13,12 @@ import Secret from '../services/secret'
 import Role from '../services/role'
 import Job from '../services/job'
 import CronJob from '../services/cronJob'
+import NetworkPolicy from '../services/networkPolicy'
 
 export default {
   [services.node]: Node,
   [services.namespace]: Namespace,
+  [services.networkPolicy]: NetworkPolicy,
   [services.pod]: Pod,
   [services.deployment]: Deployment,
   [services.secret]: Secret,

src/enums/services.ts

@@ -4,6 +4,7 @@ export default {
   ingress: 'ingress',
   job: 'job',
   namespace: 'namespace',
+  networkPolicy: 'networkPolicy',
   node: 'node',
   persistentVolume: 'persistentVolume',
   persistentVolumeClaim: 'persistentVolumeClaim',

src/services/namespace/schema.graphql

@@ -6,6 +6,7 @@ type k8sNamespace {
   metadata: k8sMetadata
   spec: k8sNamespaceSpec
   status: k8sNamespaceStatus
+  networkPolicy: [k8sNetworkPolicy] @hasInverse(field: namespace)
   node: [k8sNode] @hasInverse(field: namespace)
   pod: [k8sPod] @hasInverse(field: namespace)
   deployment: [k8sDeployment] @hasInverse(field: namespace)

src/services/networkPolicy/data.ts

@@ -0,0 +1,22 @@
+import CloudGraph from '@cloudgraph/sdk'
+import { V1NetworkPolicy } from '@kubernetes/client-node'
+import { k8sClient } from '../../types'
+
+const { logger } = CloudGraph
+
+export default async ({
+  config,
+}: { config: { client: k8sClient } }): Promise<V1NetworkPolicy[]> => {
+  const { client,  } = config
+
+  try {
+    const response = await client.networking.listNetworkPolicyForAllNamespaces()
+    const { body: { items = []} = {}} = response ?? {}
+    logger.debug(`Found ${items.length} k8s network policies`)
+
+    return items
+  } catch (e) {
+    logger.debug(e)
+    return []
+  }
+}

src/services/networkPolicy/format.ts

@@ -0,0 +1,85 @@
+import cuid from 'cuid'
+import { V1NetworkPolicy, V1NetworkPolicyPeer, V1NetworkPolicyPort } from '@kubernetes/client-node'
+import { K8sNetworkPolicy } from '../../types/generated'
+import { convertObjToArrayWithId } from '../../util'
+import formatMetadata from '../../util/metadata'
+import { formatMatchedExpressionsAndFields } from '../pod/util'
+
+const formatPort = (port: V1NetworkPolicyPort) => {
+  return {
+    id: cuid(),
+    endPort: port?.endPort,
+    port: String(port?.port ?? ''),
+    protocol: port?.protocol
+  }
+}
+
+const formatPolicyPeer = (peer: V1NetworkPolicyPeer) => {
+  return {
+    id: cuid(),
+    ipBlock: {
+      cidr: peer?.ipBlock?.cidr,
+      except: peer?.ipBlock?.except
+    },
+    namespaceSelector: {
+      matchExpressions: formatMatchedExpressionsAndFields(peer?.namespaceSelector?.matchExpressions ?? []),
+      matchLabels: convertObjToArrayWithId(peer?.namespaceSelector?.matchLabels ?? {})
+    },
+    podSelector: {
+      matchExpressions: formatMatchedExpressionsAndFields(peer?.podSelector?.matchExpressions ?? []),
+      matchLabels: convertObjToArrayWithId(peer?.podSelector?.matchLabels ?? {})
+    }
+  }
+}
+export default ({
+  entity,
+  context,
+}: {
+  entity: V1NetworkPolicy
+  context: string
+}): K8sNetworkPolicy => {
+  const {
+    apiVersion,
+    kind,
+    metadata,
+    spec: {
+      egress,
+      ingress,
+      podSelector,
+      policyTypes
+    } = {}
+  } = entity
+
+
+  const formattedMetadata = formatMetadata(metadata)
+  const mappedEgress = egress?.map(({ ports, to })=> ({
+    id: cuid(),
+    ports: ports?.map(formatPort) ?? [],
+    to: to?.map(formatPolicyPeer) ?? []
+  })) ?? []
+
+  const mappedIngress = ingress?.map(({ ports, from })=> ({
+    id: cuid(),
+    ports: ports?.map(formatPort) ?? [],
+    from: from?.map(formatPolicyPeer) ?? []
+  })) ?? []
+
+  const formattedPodSelector = {
+    matchExpressions: formatMatchedExpressionsAndFields(podSelector?.matchExpressions ?? []),
+    matchLabels: convertObjToArrayWithId(podSelector?.matchLabels ?? {})
+  }
+
+  return {
+    id: formattedMetadata.id,
+    apiVersion,
+    kind,
+    context,
+    metadata: formattedMetadata.metadata,
+    spec: {
+      egress: mappedEgress,
+      ingress: mappedIngress,
+      podSelector: formattedPodSelector,
+      policyTypes
+    }
+  }
+}

src/services/networkPolicy/index.ts

@@ -0,0 +1,12 @@
+import getData from './data'
+import format from './format'
+import mutation from './mutation'
+
+
+export default class NetworkPolicy {
+  format = format.bind(this)
+
+  getData = getData.bind(this)
+
+  mutation = mutation
+}

src/services/networkPolicy/mutation.ts

@@ -0,0 +1,5 @@
+export default `mutation($input: [Addk8sNetworkPolicyInput!]!) {
+  addk8sNetworkPolicy(input: $input, upsert: true) {
+    numUids
+  }
+}`;

src/services/networkPolicy/schema.graphql

@@ -0,0 +1,52 @@
+type k8sNetworkPolicy {
+  id: String! @id @search(by: [hash, regexp])
+  context: String! @search(by: [hash, regexp])
+  apiVersion: String @search(by: [hash, regexp])
+  kind: String @search(by: [hash, regexp])
+  metadata: k8sMetadata
+  spec: k8sNetworkPolicySpec
+  namespace: [k8sNamespace] @hasInverse(field: networkPolicy)
+}
+
+type k8sNetworkPolicySpec {
+  egress: [k8sNetworkPolicyEgress]
+  ingress: [k8sNetworkPolicyIngress]
+  podSelector: k8sDeploymentSelector
+  policyTypes: [String] @search(by: [hash, regexp])
+}
+
+type k8sDeploymentSelector {
+  matchExpressions: [k8sDeploymentExpressions]
+  matchLabels: [k8sKeyValueArray]
+}
+
+type k8sNetworkPolicyEgress {
+  id: String! @id @search(by: [hash, regexp])
+  ports: [k8sNetworkPolicyPort]
+  to: [k8sNetworkPolicyPeer]
+}
+
+type k8sNetworkPolicyIngress {
+  id: String! @id @search(by: [hash, regexp])
+  ports: [k8sNetworkPolicyPort]
+  from: [k8sNetworkPolicyPeer]
+}
+
+type k8sNetworkPolicyPort {
+  id: String! @id @search(by: [hash, regexp])
+  endPort: Int @search
+  port: String @search(by: [hash, regexp])
+  protocol: String @search(by: [hash, regexp])
+}
+
+type k8sNetworkPolicyPeer {
+  id: String! @id @search(by: [hash, regexp])
+  ipBlock: k8sNetworkPolicyPeerIpBlock
+  namespaceSelector: k8sDeploymentSelector
+  podSelector: k8sDeploymentSelector
+}
+
+type k8sNetworkPolicyPeerIpBlock {
+  cidr: String @search(by: [hash, regexp])
+  except: [String] @search(by: [hash, regexp])
+}

src/types/generated.ts

@@ -341,6 +341,7 @@ export type K8sNamespace = {
   metadata?: Maybe<K8sMetadata>;
   spec?: Maybe<K8sNamespaceSpec>;
   status?: Maybe<K8sNamespaceStatus>;
+  networkPolicy?: Maybe<Array<Maybe<K8sNetworkPolicy>>>;
   node?: Maybe<Array<Maybe<K8sNode>>>;
   pod?: Maybe<Array<Maybe<K8sPod>>>;
   deployment?: Maybe<Array<Maybe<K8sDeployment>>>;
@@ -365,6 +366,54 @@ export type K8sNamespaceStatus = {
   conditions?: Maybe<Array<Maybe<K8sConditions>>>;
 };
 
+export type K8sNetworkPolicy = {
+  id: Scalars['String'];
+  context: Scalars['String'];
+  apiVersion?: Maybe<Scalars['String']>;
+  kind?: Maybe<Scalars['String']>;
+  metadata?: Maybe<K8sMetadata>;
+  spec?: Maybe<K8sNetworkPolicySpec>;
+  namespace?: Maybe<Array<Maybe<K8sNamespace>>>;
+};
+
+export type K8sNetworkPolicyEgress = {
+  id: Scalars['String'];
+  ports?: Maybe<Array<Maybe<K8sNetworkPolicyPort>>>;
+  to?: Maybe<Array<Maybe<K8sNetworkPolicyPeer>>>;
+};
+
+export type K8sNetworkPolicyIngress = {
+  id: Scalars['String'];
+  ports?: Maybe<Array<Maybe<K8sNetworkPolicyPort>>>;
+  from?: Maybe<Array<Maybe<K8sNetworkPolicyPeer>>>;
+};
+
+export type K8sNetworkPolicyPeer = {
+  id: Scalars['String'];
+  ipBlock?: Maybe<K8sNetworkPolicyPeerIpBlock>;
+  namespaceSelector?: Maybe<K8sDeploymentSelector>;
+  podSelector?: Maybe<K8sDeploymentSelector>;
+};
+
+export type K8sNetworkPolicyPeerIpBlock = {
+  cidr?: Maybe<Scalars['String']>;
+  except?: Maybe<Array<Maybe<Scalars['String']>>>;
+};
+
+export type K8sNetworkPolicyPort = {
+  id: Scalars['String'];
+  endPort?: Maybe<Scalars['Int']>;
+  port?: Maybe<Scalars['String']>;
+  protocol?: Maybe<Scalars['String']>;
+};
+
+export type K8sNetworkPolicySpec = {
+  egress?: Maybe<Array<Maybe<K8sNetworkPolicyEgress>>>;
+  ingress?: Maybe<Array<Maybe<K8sNetworkPolicyIngress>>>;
+  podSelector?: Maybe<K8sDeploymentSelector>;
+  policyTypes?: Maybe<Array<Maybe<Scalars['String']>>>;
+};
+
 export type K8sNode = {
   id: Scalars['String'];
   context: Scalars['String'];