Feature/cg 490 networkPolicy

README.md

@@ -41,6 +41,7 @@ Authenticate the CloudGraph k8s Provider any of the following ways:
 | ingress                      | namespace          |
 | job                          | namespace          |
 | namespace                    | ALL SERVICES       |
+| networkPolicy                | namespace          |
 | node                         | namespace          |
 | persistentVolume             | namespace          |
 | persistentVolumeClaim        | namespace          |

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudgraph/cg-provider-k8s",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "description": "Kubernetes provider for the CloudGraph CLI",
   "publishConfig": {
     "access": "public"

src/enums/pluralization.ts

@@ -0,0 +1,17 @@
+export default {
+  cronJob: 'cronJobs',
+  deployment: 'deployments',
+  ingress: 'ingresses',
+  job: 'jobs',
+  namespace: 'namespaces',
+  networkPolicy: 'networkPolicies',
+  node: 'nodes',
+  persistentVolume: 'persistentVolumes',
+  persistentVolumeClaim: 'persistentVolumeClaims',
+  pod: 'pods',
+  role: 'roles',
+  secret: 'secrets',
+  service: 'services',
+  serviceAccount: 'serviceAccounts',
+  storageClass: 'storageClasses'
+}

src/enums/schemasMap.ts

@@ -3,6 +3,7 @@ import services from './services'
 export default {
   [services.node]: 'k8sNode',
   [services.namespace]: 'k8sNamespace',
+  [services.networkPolicy]: 'k8sNetworkPolicy',
   [services.pod]: 'k8sPod',
   [services.deployment]: 'k8sDeployment',
   [services.secret]: 'k8sSecret',

src/enums/serviceMap.ts

@@ -13,10 +13,12 @@ import Secret from '../services/secret'
 import Role from '../services/role'
 import Job from '../services/job'
 import CronJob from '../services/cronJob'
+import NetworkPolicy from '../services/networkPolicy'
 
 export default {
   [services.node]: Node,
   [services.namespace]: Namespace,
+  [services.networkPolicy]: NetworkPolicy,
   [services.pod]: Pod,
   [services.deployment]: Deployment,
   [services.secret]: Secret,

src/enums/services.ts

@@ -4,6 +4,7 @@ export default {
   ingress: 'ingress',
   job: 'job',
   namespace: 'namespace',
+  networkPolicy: 'networkPolicy',
   node: 'node',
   persistentVolume: 'persistentVolume',
   persistentVolumeClaim: 'persistentVolumeClaim',

src/services/cronJob/schema.graphql

@@ -6,7 +6,7 @@ type k8sCronJob {
   metadata: k8sMetadata
   spec: k8sCronJobSpec
   status: k8sCronJobStatus
-  namespace: [k8sNamespace] @hasInverse(field: cronJob)
+  namespace: [k8sNamespace] @hasInverse(field: cronJobs)
 }
 
 type k8sCronJobSpec {
@@ -17,7 +17,6 @@ type k8sCronJobSpec {
   startingDeadlineSeconds: Int @search
   successfulJobsHistoryLimit: Int @search
   suspend: Boolean @search
-  template: k8sJobTemplate
 }
 
 type k8sCronJobStatus {

src/services/deployment/schema.graphql

@@ -6,7 +6,7 @@ type k8sDeployment {
   metadata: k8sMetadata
   spec: k8sDeploymentSpec
   status: k8sDeploymentStatus
-  namespace: [k8sNamespace] @hasInverse(field: deployment)
+  namespace: [k8sNamespace] @hasInverse(field: deployments)
 }
 
 type k8sDeploymentSpec {

src/services/index.ts

@@ -99,7 +99,7 @@ export default class Provider extends CloudGraph.Client {
         'k8s'
       )} configuration successfully completed ${confettiBall}`
     )
-    this.logSelectedAccessRegionsAndResources(result.contexts, result.resources)
+    this.logSelectedAccessRegionsAndResources(result.contexts.map(({ name }) => name), result.resources)
     return result
   }
 
@@ -174,9 +174,7 @@ export default class Provider extends CloudGraph.Client {
       roles: rolesClient
     }
 
-    // rolesClient.listRoleForAllNamespaces
     // networkingClient.listNetworkPolicyForAllNamespaces
-    // batchClient.listCronJobForAllNamespaces
     // client.listConfigMapForAllNamespaces
     // client.listEndpointsForAllNamespaces
     // client.listEventForAllNamespaces

src/services/ingress/schema.graphql

@@ -6,7 +6,7 @@ type k8sIngress {
   metadata: k8sMetadata
   spec: k8sIngressSpec
   status: k8sIngressStatus
-  namespace: [k8sNamespace] @hasInverse(field: ingress)
+  namespace: [k8sNamespace] @hasInverse(field: ingresses)
 }
 
 type k8sIngressSpec {

src/services/job/schema.graphql

@@ -6,7 +6,7 @@ type k8sJob {
   metadata: k8sMetadata
   spec: k8sJobSpec
   status: k8sJobStatus
-  namespace: [k8sNamespace] @hasInverse(field: job)
+  namespace: [k8sNamespace] @hasInverse(field: jobs)
 }
 
 type k8sJobSpec {

src/services/namespace/connections.ts

@@ -3,6 +3,7 @@ import isEmpty from 'lodash/isEmpty'
 import { ServiceConnection } from '@cloudgraph/sdk'
 import { V1Namespace } from '@kubernetes/client-node'
 import services from '../../enums/services'
+import plurals from '../../enums/pluralization'
 
 /**
  * Service Account
@@ -36,7 +37,7 @@ export default ({
             id: service.metadata?.uid,
             resourceType: entity.name,
             relation: 'child',
-            field: entity.name
+            field: plurals[entity.name] ?? entity.name
           })
         }
       }

src/services/namespace/schema.graphql

@@ -6,19 +6,20 @@ type k8sNamespace {
   metadata: k8sMetadata
   spec: k8sNamespaceSpec
   status: k8sNamespaceStatus
-  node: [k8sNode] @hasInverse(field: namespace)
-  pod: [k8sPod] @hasInverse(field: namespace)
-  deployment: [k8sDeployment] @hasInverse(field: namespace)
-  ingress: [k8sIngress] @hasInverse(field: namespace)
-  secret: [k8sSecret] @hasInverse(field: namespace)
-  service: [k8sService] @hasInverse(field: namespace)
-  serviceAccount: [k8sServiceAccount] @hasInverse(field: namespace)
-  storageClass: [k8sStorageClass] @hasInverse(field: namespace)
-  persistentVolume: [k8sPersistentVolume] @hasInverse(field: namespace)
-  persistentVolumeClaim: [k8sPersistentVolumeClaim] @hasInverse(field: namespace)
-  role: [k8sRole] @hasInverse(field: namespace)
-  job: [k8sJob] @hasInverse(field: namespace)
-  cronJob: [k8sCronJob] @hasInverse(field: namespace)
+  networkPolicies: [k8sNetworkPolicy] @hasInverse(field: namespace)
+  nodes: [k8sNode] @hasInverse(field: namespace)
+  pods: [k8sPod] @hasInverse(field: namespace)
+  deployments: [k8sDeployment] @hasInverse(field: namespace)
+  ingresses: [k8sIngress] @hasInverse(field: namespace)
+  secrets: [k8sSecret] @hasInverse(field: namespace)
+  services: [k8sService] @hasInverse(field: namespace)
+  serviceAccounts: [k8sServiceAccount] @hasInverse(field: namespace)
+  storageClasses: [k8sStorageClass] @hasInverse(field: namespace)
+  persistentVolumes: [k8sPersistentVolume] @hasInverse(field: namespace)
+  persistentVolumeClaims: [k8sPersistentVolumeClaim] @hasInverse(field: namespace)
+  roles: [k8sRole] @hasInverse(field: namespace)
+  jobs: [k8sJob] @hasInverse(field: namespace)
+  cronJobs: [k8sCronJob] @hasInverse(field: namespace)
 }
 
 type k8sNamespaceSpec @generate(

src/services/networkPolicy/data.ts

@@ -0,0 +1,22 @@
+import CloudGraph from '@cloudgraph/sdk'
+import { V1NetworkPolicy } from '@kubernetes/client-node'
+import { k8sClient } from '../../types'
+
+const { logger } = CloudGraph
+
+export default async ({
+  config,
+}: { config: { client: k8sClient } }): Promise<V1NetworkPolicy[]> => {
+  const { client,  } = config
+
+  try {
+    const response = await client.networking.listNetworkPolicyForAllNamespaces()
+    const { body: { items = []} = {}} = response ?? {}
+    logger.debug(`Found ${items.length} k8s network policies`)
+
+    return items
+  } catch (e) {
+    logger.debug(e)
+    return []
+  }
+}

src/services/networkPolicy/format.ts

@@ -0,0 +1,85 @@
+import cuid from 'cuid'
+import { V1NetworkPolicy, V1NetworkPolicyPeer, V1NetworkPolicyPort } from '@kubernetes/client-node'
+import { K8sNetworkPolicy } from '../../types/generated'
+import { convertObjToArrayWithId } from '../../util'
+import formatMetadata from '../../util/metadata'
+import { formatMatchedExpressionsAndFields } from '../pod/util'
+
+const formatPort = (port: V1NetworkPolicyPort) => {
+  return {
+    id: cuid(),
+    endPort: port?.endPort,
+    port: String(port?.port ?? ''),
+    protocol: port?.protocol
+  }
+}
+
+const formatPolicyPeer = (peer: V1NetworkPolicyPeer) => {
+  return {
+    id: cuid(),
+    ipBlock: {
+      cidr: peer?.ipBlock?.cidr,
+      except: peer?.ipBlock?.except
+    },
+    namespaceSelector: {
+      matchExpressions: formatMatchedExpressionsAndFields(peer?.namespaceSelector?.matchExpressions ?? []),
+      matchLabels: convertObjToArrayWithId(peer?.namespaceSelector?.matchLabels ?? {})
+    },
+    podSelector: {
+      matchExpressions: formatMatchedExpressionsAndFields(peer?.podSelector?.matchExpressions ?? []),
+      matchLabels: convertObjToArrayWithId(peer?.podSelector?.matchLabels ?? {})
+    }
+  }
+}
+export default ({
+  entity,
+  context,
+}: {
+  entity: V1NetworkPolicy
+  context: string
+}): K8sNetworkPolicy => {
+  const {
+    apiVersion,
+    kind,
+    metadata,
+    spec: {
+      egress,
+      ingress,
+      podSelector,
+      policyTypes
+    } = {}
+  } = entity
+
+
+  const formattedMetadata = formatMetadata(metadata)
+  const mappedEgress = egress?.map(({ ports, to })=> ({
+    id: cuid(),
+    ports: ports?.map(formatPort) ?? [],
+    to: to?.map(formatPolicyPeer) ?? []
+  })) ?? []
+
+  const mappedIngress = ingress?.map(({ ports, from })=> ({
+    id: cuid(),
+    ports: ports?.map(formatPort) ?? [],
+    from: from?.map(formatPolicyPeer) ?? []
+  })) ?? []
+
+  const formattedPodSelector = {
+    matchExpressions: formatMatchedExpressionsAndFields(podSelector?.matchExpressions ?? []),
+    matchLabels: convertObjToArrayWithId(podSelector?.matchLabels ?? {})
+  }
+
+  return {
+    id: formattedMetadata.id,
+    apiVersion,
+    kind,
+    context,
+    metadata: formattedMetadata.metadata,
+    spec: {
+      egress: mappedEgress,
+      ingress: mappedIngress,
+      podSelector: formattedPodSelector,
+      policyTypes
+    }
+  }
+}

src/services/networkPolicy/index.ts

@@ -0,0 +1,12 @@
+import getData from './data'
+import format from './format'
+import mutation from './mutation'
+
+
+export default class NetworkPolicy {
+  format = format.bind(this)
+
+  getData = getData.bind(this)
+
+  mutation = mutation
+}

src/services/networkPolicy/mutation.ts

@@ -0,0 +1,5 @@
+export default `mutation($input: [Addk8sNetworkPolicyInput!]!) {
+  addk8sNetworkPolicy(input: $input, upsert: true) {
+    numUids
+  }
+}`;

src/services/networkPolicy/schema.graphql

@@ -0,0 +1,52 @@
+type k8sNetworkPolicy {
+  id: String! @id @search(by: [hash, regexp])
+  context: String! @search(by: [hash, regexp])
+  apiVersion: String @search(by: [hash, regexp])
+  kind: String @search(by: [hash, regexp])
+  metadata: k8sMetadata
+  spec: k8sNetworkPolicySpec
+  namespace: [k8sNamespace] @hasInverse(field: networkPolicies)
+}
+
+type k8sNetworkPolicySpec {
+  egress: [k8sNetworkPolicyEgress]
+  ingress: [k8sNetworkPolicyIngress]
+  podSelector: k8sDeploymentSelector
+  policyTypes: [String] @search(by: [hash, regexp])
+}
+
+type k8sDeploymentSelector {
+  matchExpressions: [k8sDeploymentExpressions]
+  matchLabels: [k8sKeyValueArray]
+}
+
+type k8sNetworkPolicyEgress {
+  id: String! @id @search(by: [hash, regexp])
+  ports: [k8sNetworkPolicyPort]
+  to: [k8sNetworkPolicyPeer]
+}
+
+type k8sNetworkPolicyIngress {
+  id: String! @id @search(by: [hash, regexp])
+  ports: [k8sNetworkPolicyPort]
+  from: [k8sNetworkPolicyPeer]
+}
+
+type k8sNetworkPolicyPort {
+  id: String! @id @search(by: [hash, regexp])
+  endPort: Int @search
+  port: String @search(by: [hash, regexp])
+  protocol: String @search(by: [hash, regexp])
+}
+
+type k8sNetworkPolicyPeer {
+  id: String! @id @search(by: [hash, regexp])
+  ipBlock: k8sNetworkPolicyPeerIpBlock
+  namespaceSelector: k8sDeploymentSelector
+  podSelector: k8sDeploymentSelector
+}
+
+type k8sNetworkPolicyPeerIpBlock {
+  cidr: String @search(by: [hash, regexp])
+  except: [String] @search(by: [hash, regexp])
+}

src/services/node/schema.graphql

@@ -9,7 +9,7 @@ type k8sNode {
   metadata: k8sMetadata
   spec: k8sNodeSpec
   status: k8sNodeStatus
-  namespace: [k8sNamespace] @hasInverse(field: node)
+  namespace: [k8sNamespace] @hasInverse(field: nodes)
 }
 
 type k8sMetadata @generate(

src/services/persistentVolume/schema.graphql

@@ -6,7 +6,7 @@ type k8sPersistentVolume {
   metadata: k8sMetadata
   spec: k8sPersistentVolumeSpec
   status: k8sPersistentVolumeStatus
-  namespace: [k8sNamespace] @hasInverse(field: persistentVolume)
+  namespace: [k8sNamespace] @hasInverse(field: persistentVolumes)
 }
 
 type k8sPersistentVolumeSpec @generate(

src/services/persistentVolumeClaim/schema.graphql

@@ -6,7 +6,7 @@ type k8sPersistentVolumeClaim {
   metadata: k8sMetadata
   spec: k8sPersistentVolumeClaimSpec
   status: k8sPersistentVolumeClaimStatus
-  namespace: [k8sNamespace] @hasInverse(field: persistentVolumeClaim)
+  namespace: [k8sNamespace] @hasInverse(field: persistentVolumeClaims)
 }
 
 type k8sPersistentVolumeClaimSpec @generate(