// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
//nolint:dupl
package tenant
import (
"context"
"fmt"
"strconv"
"golang.org/x/sync/errgroup"
networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
"github.com/projectcapsule/capsule/pkg/api/meta"
)
// syncNetworkPolicies ensures all the NetworkPolicies are applied to each Namespace handled by the Tenant.
func (r *Manager) syncNetworkPolicies(ctx context.Context, tenant *capsulev1beta2.Tenant) error { //nolint:dupl
	// Policies are addressed by their positional index in the spec; the same
	// index is what syncNetworkPolicy uses for the object name and label.
	items := tenant.Spec.NetworkPolicies.Items //nolint:staticcheck

	wanted := make([]string, 0, len(items))
	for idx := range items {
		wanted = append(wanted, strconv.Itoa(idx))
	}

	// One goroutine per namespace; Wait returns the first non-nil error.
	var eg errgroup.Group

	for _, name := range tenant.Status.Namespaces {
		ns := name // per-iteration copy for the closure

		eg.Go(func() error {
			return r.syncNetworkPolicy(ctx, tenant, ns, wanted)
		})
	}

	return eg.Wait()
}
// syncNetworkPolicy reconciles the NetworkPolicies of a single namespace owned
// by the Tenant: stale objects are pruned first, then one object per entry of
// tenant.Spec.NetworkPolicies.Items is created or updated.
//
// The i-th policy is named "capsule-<tenant>-<i>", labelled with
// meta.TenantLabel and meta.NetworkPolicyLabel, and gets the Tenant as its
// controller owner reference. keys lists the indices that must survive
// pruning (presumably matched by pruningResources against
// meta.NetworkPolicyLabel — verify in that helper).
//
// Returns the first error from pruning or from CreateOrUpdate. An event is
// emitted and a V(4) log line written for every policy, failed or not.
func (r *Manager) syncNetworkPolicy(ctx context.Context, tenant *capsulev1beta2.Tenant, namespace string, keys []string) (err error) {
	// Drop policies the spec no longer declares before (re)applying the rest.
	if err = r.pruningResources(ctx, namespace, keys, &networkingv1.NetworkPolicy{}); err != nil {
		return err
	}

	//nolint:staticcheck
	for idx, desired := range tenant.Spec.NetworkPolicies.Items { //nolint:dupl
		np := &networkingv1.NetworkPolicy{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "capsule-" + tenant.Name + "-" + strconv.Itoa(idx),
				Namespace: namespace,
			},
		}

		// mutate is applied by CreateOrUpdate to the fetched (or new) object.
		mutate := func() error {
			lbls := np.GetLabels()
			if lbls == nil {
				lbls = make(map[string]string)
			}

			lbls[meta.TenantLabel] = tenant.Name
			lbls[meta.NetworkPolicyLabel] = strconv.Itoa(idx)
			np.SetLabels(lbls)

			// The desired spec fully replaces whatever is on the cluster.
			np.Spec = desired

			return controllerutil.SetControllerReference(tenant, np, r.Scheme())
		}

		var res controllerutil.OperationResult

		res, err = controllerutil.CreateOrUpdate(ctx, r.Client, np, mutate)

		// Surface the outcome (including failures) before deciding whether to bail out.
		r.emitEvent(tenant, np.GetNamespace(), res, fmt.Sprintf("Ensuring NetworkPolicy %s", np.GetName()), err)

		r.Log.V(4).Info("Network Policy sync result: "+string(res), "name", np.Name, "namespace", np.Namespace)

		if err != nil {
			return err
		}
	}

	return nil
}