#5648

Committed 30 Oct 2025 02:23PM UTC coverage: 58.818% (-0.3%) from 59.076%

Build # #5648

Build Type

Pull #3938

travis-ci

Committed by

Acedus

Commit Message

csv-generator: add -dump-network-policies option

This commit adds the -dump-network-policies optional flag to the
csv-generator tool in order to allow dumping CDI's required network
policies in case of a restrictive environment.

Signed-off-by: Adi Aloni <aaloni@redhat.com>

Pull Request Pull Request #3938: Add network policies to CDI

Run Details

31 of 193 new or added lines in 7 files covered. (16.06%)

4 existing lines in 1 file now uncovered.

17270 of 29362 relevant lines covered (58.82%)

0.65 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/pkg/operator/resources/namespaced/networkpolicies.go

package namespaced

import (
        corev1 "k8s.io/api/core/v1"
        networkv1 "k8s.io/api/networking/v1"
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
        "k8s.io/apimachinery/pkg/util/intstr"
        "k8s.io/utils/ptr"

        "sigs.k8s.io/controller-runtime/pkg/client"

        "kubevirt.io/containerized-data-importer/pkg/common"
)

const (
        allowIngressToMetrics          = "cdi-allow-ingress-to-metrics"
        allowUploadProxyCommunications = "cdi-allow-uploadproxy-communications"
        allowIngressToCdiAPIWebhook    = "cdi-allow-cdi-api-webhook-server"
        allowEgressToImporterMetrics   = "cdi-allow-cdi-deployment-importer-metrics"
        allowEgressFromPoller          = "cdi-allow-egress-from-poller"
)

func createNetworkPolicies(args *FactoryArgs) []client.Object {
        return []client.Object{
                newIngressToMetricsNP(args.Namespace),
                newUploadProxyCommunicationsNP(args.Namespace),
                newIngressToCdiAPIWebhookNP(args.Namespace),
                newCdiDeploymentToImporterMetricsNP(args.Namespace),
                newEgressFromPollerNP(args.Namespace),
        }
}

func newNetworkPolicy(namespace, name string, spec *networkv1.NetworkPolicySpec) *networkv1.NetworkPolicy {
        return &networkv1.NetworkPolicy{
                TypeMeta: metav1.TypeMeta{
                        APIVersion: "networking.k8s.io/v1",
                        Kind:       "NetworkPolicy",
                },
                ObjectMeta: metav1.ObjectMeta{
                        Name:      name,
                        Namespace: namespace,
                        Labels:    map[string]string{common.CDIComponentLabel: ""},
                },
                Spec: *spec,
        }
}

func newIngressToMetricsNP(namespace string) *networkv1.NetworkPolicy {
        return newNetworkPolicy(
                namespace,
                allowIngressToMetrics,
                &networkv1.NetworkPolicySpec{
                        PodSelector: metav1.LabelSelector{
                                MatchLabels: map[string]string{common.PrometheusLabelKey: common.PrometheusLabelValue},
                        },
                        PolicyTypes: []networkv1.PolicyType{networkv1.PolicyTypeIngress},
                        Ingress: []networkv1.NetworkPolicyIngressRule{
                                {
                                        Ports: []networkv1.NetworkPolicyPort{
                                                {
                                                        Port:     ptr.To(intstr.FromInt32(8443)),
                                                        Protocol: ptr.To(corev1.ProtocolTCP),
                                                },
                                        },
                                },
                        },
                },
        )
}

func newUploadProxyCommunicationsNP(namespace string) *networkv1.NetworkPolicy {
        return newNetworkPolicy(
                namespace,
                allowUploadProxyCommunications,
                &networkv1.NetworkPolicySpec{
                        PodSelector: metav1.LabelSelector{
                                MatchLabels: map[string]string{common.CDIComponentLabel: common.CDIUploadProxyResourceName},
                        },
                        PolicyTypes: []networkv1.PolicyType{
                                networkv1.PolicyTypeIngress,
                                networkv1.PolicyTypeEgress,
                        },
                        Egress: []networkv1.NetworkPolicyEgressRule{
                                {
                                        To: []networkv1.NetworkPolicyPeer{
                                                {
                                                        PodSelector: &metav1.LabelSelector{
                                                                MatchLabels: map[string]string{common.CDIComponentLabel: common.UploadServerCDILabel},
                                                        },
                                                        NamespaceSelector: &metav1.LabelSelector{},
                                                },
                                        },
                                        Ports: []networkv1.NetworkPolicyPort{
                                                {
                                                        Port:     ptr.To(intstr.FromInt32(8443)),
                                                        Protocol: ptr.To(corev1.ProtocolTCP),
                                                },
                                        },
                                },
                        },
                        Ingress: []networkv1.NetworkPolicyIngressRule{
                                {
                                        Ports: []networkv1.NetworkPolicyPort{
                                                {
                                                        Port:     ptr.To(intstr.FromInt32(8443)),
                                                        Protocol: ptr.To(corev1.ProtocolTCP),
                                                },
                                        },
                                },
                        },
                },
        )
}

func newIngressToCdiAPIWebhookNP(namespace string) *networkv1.NetworkPolicy {
        return newNetworkPolicy(
                namespace,
                allowIngressToCdiAPIWebhook,
                &networkv1.NetworkPolicySpec{
                        PodSelector: metav1.LabelSelector{
                                MatchLabels: map[string]string{common.CDIComponentLabel: common.CDIApiServerResourceName},
                        },
                        PolicyTypes: []networkv1.PolicyType{networkv1.PolicyTypeIngress},
                        Ingress: []networkv1.NetworkPolicyIngressRule{
                                {
                                        Ports: []networkv1.NetworkPolicyPort{
                                                {
                                                        Port:     ptr.To(intstr.FromInt32(8443)),
                                                        Protocol: ptr.To(corev1.ProtocolTCP),
                                                },
                                        },
                                },
                        },
                },
        )
}

func newCdiDeploymentToImporterMetricsNP(namespace string) *networkv1.NetworkPolicy {
        return newNetworkPolicy(
                namespace,
                allowEgressToImporterMetrics,
                &networkv1.NetworkPolicySpec{
                        PodSelector: metav1.LabelSelector{
                                MatchLabels: map[string]string{common.CDIComponentLabel: common.CDIControllerResourceName},
                        },
                        PolicyTypes: []networkv1.PolicyType{networkv1.PolicyTypeEgress},
                        Egress: []networkv1.NetworkPolicyEgressRule{
                                {
                                        To: []networkv1.NetworkPolicyPeer{
                                                {
                                                        PodSelector: &metav1.LabelSelector{
                                                                MatchLabels: map[string]string{common.PrometheusLabelKey: common.PrometheusLabelValue},
                                                        },
                                                        NamespaceSelector: &metav1.LabelSelector{},
                                                },
                                        },
                                        Ports: []networkv1.NetworkPolicyPort{
                                                {
                                                        Port:     ptr.To(intstr.FromInt32(8443)),
                                                        Protocol: ptr.To(corev1.ProtocolTCP),
                                                },
                                        },
                                },
                        },
                },
        )
}

func newEgressFromPollerNP(namespace string) *networkv1.NetworkPolicy {
        return newNetworkPolicy(
                namespace,
                allowEgressFromPoller,
                &networkv1.NetworkPolicySpec{
                        PodSelector: metav1.LabelSelector{
                                MatchLabels: map[string]string{common.DataImportCronPollerLabel: ""},
                        },
                        PolicyTypes: []networkv1.PolicyType{networkv1.PolicyTypeEgress},
                        Egress:      []networkv1.NetworkPolicyEgressRule{{}},
                },
        )
}

1	package namespaced
2
3	import (
4	corev1 "k8s.io/api/core/v1"
5	networkv1 "k8s.io/api/networking/v1"
6	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
7	"k8s.io/apimachinery/pkg/util/intstr"
8	"k8s.io/utils/ptr"
9
10	"sigs.k8s.io/controller-runtime/pkg/client"
11
12	"kubevirt.io/containerized-data-importer/pkg/common"
13	)
14
15	const (
16	allowIngressToMetrics = "cdi-allow-ingress-to-metrics"
17	allowUploadProxyCommunications = "cdi-allow-uploadproxy-communications"
18	allowIngressToCdiAPIWebhook = "cdi-allow-cdi-api-webhook-server"
19	allowEgressToImporterMetrics = "cdi-allow-cdi-deployment-importer-metrics"
20	allowEgressFromPoller = "cdi-allow-egress-from-poller"
21	)
22
NEW 23	func createNetworkPolicies(args *FactoryArgs) []client.Object {	×
NEW 24	return []client.Object{	×
NEW 25	newIngressToMetricsNP(args.Namespace),	×
NEW 26	newUploadProxyCommunicationsNP(args.Namespace),	×
NEW 27	newIngressToCdiAPIWebhookNP(args.Namespace),	×
NEW 28	newCdiDeploymentToImporterMetricsNP(args.Namespace),	×
NEW 29	newEgressFromPollerNP(args.Namespace),	×
NEW 30	}	×
NEW 31	}	×
32
NEW 33	func newNetworkPolicy(namespace, name string, spec networkv1.NetworkPolicySpec) networkv1.NetworkPolicy {	×
NEW 34	return &networkv1.NetworkPolicy{	×
NEW 35	TypeMeta: metav1.TypeMeta{	×
NEW 36	APIVersion: "networking.k8s.io/v1",	×
NEW 37	Kind: "NetworkPolicy",	×
NEW 38	},	×
NEW 39	ObjectMeta: metav1.ObjectMeta{	×
NEW 40	Name: name,	×
NEW 41	Namespace: namespace,	×
NEW 42	Labels: map[string]string{common.CDIComponentLabel: ""},	×
NEW 43	},	×
NEW 44	Spec: *spec,	×
NEW 45	}	×
NEW 46	}	×
47
NEW 48	func newIngressToMetricsNP(namespace string) *networkv1.NetworkPolicy {	×
NEW 49	return newNetworkPolicy(	×
NEW 50	namespace,	×
NEW 51	allowIngressToMetrics,	×
NEW 52	&networkv1.NetworkPolicySpec{	×
NEW 53	PodSelector: metav1.LabelSelector{	×
NEW 54	MatchLabels: map[string]string{common.PrometheusLabelKey: common.PrometheusLabelValue},	×
NEW 55	},	×
NEW 56	PolicyTypes: []networkv1.PolicyType{networkv1.PolicyTypeIngress},	×
NEW 57	Ingress: []networkv1.NetworkPolicyIngressRule{	×
NEW 58	{	×
NEW 59	Ports: []networkv1.NetworkPolicyPort{	×
NEW 60	{	×
NEW 61	Port: ptr.To(intstr.FromInt32(8443)),	×
NEW 62	Protocol: ptr.To(corev1.ProtocolTCP),	×
NEW 63	},	×
NEW 64	},	×
NEW 65	},	×
NEW 66	},	×
NEW 67	},	×
NEW 68	)	×
NEW 69	}	×
70
NEW 71	func newUploadProxyCommunicationsNP(namespace string) *networkv1.NetworkPolicy {	×
NEW 72	return newNetworkPolicy(	×
NEW 73	namespace,	×
NEW 74	allowUploadProxyCommunications,	×
NEW 75	&networkv1.NetworkPolicySpec{	×
NEW 76	PodSelector: metav1.LabelSelector{	×
NEW 77	MatchLabels: map[string]string{common.CDIComponentLabel: common.CDIUploadProxyResourceName},	×
NEW 78	},	×
NEW 79	PolicyTypes: []networkv1.PolicyType{	×
NEW 80	networkv1.PolicyTypeIngress,	×
NEW 81	networkv1.PolicyTypeEgress,	×
NEW 82	},	×
NEW 83	Egress: []networkv1.NetworkPolicyEgressRule{	×
NEW 84	{	×
NEW 85	To: []networkv1.NetworkPolicyPeer{	×
NEW 86	{	×
NEW 87	PodSelector: &metav1.LabelSelector{	×
NEW 88	MatchLabels: map[string]string{common.CDIComponentLabel: common.UploadServerCDILabel},	×
NEW 89	},	×
NEW 90	NamespaceSelector: &metav1.LabelSelector{},	×
NEW 91	},	×
NEW 92	},	×
NEW 93	Ports: []networkv1.NetworkPolicyPort{	×
NEW 94	{	×
NEW 95	Port: ptr.To(intstr.FromInt32(8443)),	×
NEW 96	Protocol: ptr.To(corev1.ProtocolTCP),	×
NEW 97	},	×
NEW 98	},	×
NEW 99	},	×
NEW 100	},	×
NEW 101	Ingress: []networkv1.NetworkPolicyIngressRule{	×
NEW 102	{	×
NEW 103	Ports: []networkv1.NetworkPolicyPort{	×
NEW 104	{	×
NEW 105	Port: ptr.To(intstr.FromInt32(8443)),	×
NEW 106	Protocol: ptr.To(corev1.ProtocolTCP),	×
NEW 107	},	×
NEW 108	},	×
NEW 109	},	×
NEW 110	},	×
NEW 111	},	×
NEW 112	)	×
NEW 113	}	×
114
NEW 115	func newIngressToCdiAPIWebhookNP(namespace string) *networkv1.NetworkPolicy {	×
NEW 116	return newNetworkPolicy(	×
NEW 117	namespace,	×
NEW 118	allowIngressToCdiAPIWebhook,	×
NEW 119	&networkv1.NetworkPolicySpec{	×
NEW 120	PodSelector: metav1.LabelSelector{	×
NEW 121	MatchLabels: map[string]string{common.CDIComponentLabel: common.CDIApiServerResourceName},	×
NEW 122	},	×
NEW 123	PolicyTypes: []networkv1.PolicyType{networkv1.PolicyTypeIngress},	×
NEW 124	Ingress: []networkv1.NetworkPolicyIngressRule{	×
NEW 125	{	×
NEW 126	Ports: []networkv1.NetworkPolicyPort{	×
NEW 127	{	×
NEW 128	Port: ptr.To(intstr.FromInt32(8443)),	×
NEW 129	Protocol: ptr.To(corev1.ProtocolTCP),	×
NEW 130	},	×
NEW 131	},	×
NEW 132	},	×
NEW 133	},	×
NEW 134	},	×
NEW 135	)	×
NEW 136	}	×
137
NEW 138	func newCdiDeploymentToImporterMetricsNP(namespace string) *networkv1.NetworkPolicy {	×
NEW 139	return newNetworkPolicy(	×
NEW 140	namespace,	×
NEW 141	allowEgressToImporterMetrics,	×
NEW 142	&networkv1.NetworkPolicySpec{	×
NEW 143	PodSelector: metav1.LabelSelector{	×
NEW 144	MatchLabels: map[string]string{common.CDIComponentLabel: common.CDIControllerResourceName},	×
NEW 145	},	×
NEW 146	PolicyTypes: []networkv1.PolicyType{networkv1.PolicyTypeEgress},	×
NEW 147	Egress: []networkv1.NetworkPolicyEgressRule{	×
NEW 148	{	×
NEW 149	To: []networkv1.NetworkPolicyPeer{	×
NEW 150	{	×
NEW 151	PodSelector: &metav1.LabelSelector{	×
NEW 152	MatchLabels: map[string]string{common.PrometheusLabelKey: common.PrometheusLabelValue},	×
NEW 153	},	×
NEW 154	NamespaceSelector: &metav1.LabelSelector{},	×
NEW 155	},	×
NEW 156	},	×
NEW 157	Ports: []networkv1.NetworkPolicyPort{	×
NEW 158	{	×
NEW 159	Port: ptr.To(intstr.FromInt32(8443)),	×
NEW 160	Protocol: ptr.To(corev1.ProtocolTCP),	×
NEW 161	},	×
NEW 162	},	×
NEW 163	},	×
NEW 164	},	×
NEW 165	},	×
NEW 166	)	×
NEW 167	}	×
168
NEW 169	func newEgressFromPollerNP(namespace string) *networkv1.NetworkPolicy {	×
NEW 170	return newNetworkPolicy(	×
NEW 171	namespace,	×
NEW 172	allowEgressFromPoller,	×
NEW 173	&networkv1.NetworkPolicySpec{	×
NEW 174	PodSelector: metav1.LabelSelector{	×
NEW 175	MatchLabels: map[string]string{common.DataImportCronPollerLabel: ""},	×
NEW 176	},	×
NEW 177	PolicyTypes: []networkv1.PolicyType{networkv1.PolicyTypeEgress},	×
NEW 178	Egress: []networkv1.NetworkPolicyEgressRule{{}},	×
NEW 179	},	×
NEW 180	)	×
NEW 181	}	×

kubevirt / containerized-data-importer / #5648

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous