Add support for policy auto-creation

Author: mohamed-essam

api/v1/nbresource_types.go

@@ -1,6 +1,8 @@
 package v1
 
 import (
+	"maps"
+
 	"github.com/netbirdio/kubernetes-operator/internal/util"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -18,6 +20,10 @@ type NBResourceSpec struct {
 	// +optional
 	PolicyName string `json:"policyName,omitempty"`
 	// +optional
+	PolicySourceGroups []string `json:"policySourceGroups,omitempty"`
+	// +optional
+	PolicyFriendlyName map[string]string `json:"policyFriendlyName,omitempty"`
+	// +optional
 	TCPPorts []int32 `json:"tcpPorts,omitempty"`
 	// +optional
 	UDPPorts []int32 `json:"udpPorts,omitempty"`
@@ -31,7 +37,8 @@ func (a NBResourceSpec) Equal(b NBResourceSpec) bool {
 		util.Equivalent(a.Groups, b.Groups) &&
 		a.PolicyName == b.PolicyName &&
 		util.Equivalent(a.TCPPorts, b.TCPPorts) &&
-		util.Equivalent(a.UDPPorts, b.UDPPorts)
+		util.Equivalent(a.UDPPorts, b.UDPPorts) &&
+		util.Equivalent(a.PolicySourceGroups, b.PolicySourceGroups)
 }
 
 // NBResourceStatus defines the observed state of NBResource.
@@ -47,7 +54,13 @@ type NBResourceStatus struct {
 	// +optional
 	Groups []string `json:"groups,omitempty"`
 	// +optional
+	PolicySourceGroups []string `json:"policySourceGroups,omitempty"`
+	// +optional
+	PolicyFriendlyName map[string]string `json:"policyFriendlyName,omitempty"`
+	// +optional
 	Conditions []NBCondition `json:"conditions,omitempty"`
+	// +optional
+	PolicyNameMapping map[string]string `json:"policyNameMapping"`
 }
 
 // Equal returns if NBResourceStatus is equal to this one
@@ -57,7 +70,10 @@ func (a NBResourceStatus) Equal(b NBResourceStatus) bool {
 		util.Equivalent(a.TCPPorts, b.TCPPorts) &&
 		util.Equivalent(a.UDPPorts, b.UDPPorts) &&
 		util.Equivalent(a.Groups, b.Groups) &&
-		util.Equivalent(a.Conditions, b.Conditions)
+		util.Equivalent(a.Conditions, b.Conditions) &&
+		util.Equivalent(a.PolicySourceGroups, b.PolicySourceGroups) &&
+		maps.Equal(a.PolicyFriendlyName, b.PolicyFriendlyName) &&
+		maps.Equal(a.PolicyNameMapping, b.PolicyNameMapping)
 }
 
 // +kubebuilder:object:root=true

api/v1/zz_generated.deepcopy.go

@@ -67,12 +67,13 @@ func init() {
 func main() {
 	// NB Specific flags
 	var (
-		managementURL      string
-		clientImage        string
-		clusterName        string
-		namespacedNetworks bool
-		clusterDNS         string
-		netbirdAPIKey      string
+		managementURL                string
+		clientImage                  string
+		clusterName                  string
+		namespacedNetworks           bool
+		clusterDNS                   string
+		netbirdAPIKey                string
+		allowAutomaticPolicyCreation bool
 	)
 	flag.StringVar(&managementURL, "netbird-management-url", "https://api.netbird.io", "Management service URL")
 	flag.StringVar(&clientImage, "netbird-client-image", "netbirdio/netbird:latest", "Image for netbird client container")
@@ -90,6 +91,12 @@ func main() {
 	)
 	flag.StringVar(&clusterDNS, "cluster-dns", "svc.cluster.local", "Cluster DNS name")
 	flag.StringVar(&netbirdAPIKey, "netbird-api-key", "", "API key for NetBird API operations")
+	flag.BoolVar(
+		&allowAutomaticPolicyCreation,
+		"allow-automatic-policy-creation",
+		false,
+		"Allow creating NBPolicy resources from annotations on Services",
+	)
 
 	// Controller generic flags
 	var (
@@ -233,10 +240,12 @@ func main() {
 		}
 
 		if err = (&controller.NBResourceReconciler{
-			Client:        mgr.GetClient(),
-			Scheme:        mgr.GetScheme(),
-			APIKey:        netbirdAPIKey,
-			ManagementURL: managementURL,
+			Client:                       mgr.GetClient(),
+			Scheme:                       mgr.GetScheme(),
+			APIKey:                       netbirdAPIKey,
+			ManagementURL:                managementURL,
+			AllowAutomaticPolicyCreation: allowAutomaticPolicyCreation,
+			ClusterName:                  clusterName,
 		}).SetupWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "NBResource")
 			os.Exit(1)

cmd/main.go

@@ -2,5 +2,5 @@ apiVersion: v2
 name: kubernetes-operator
 description: NetBird Kubernetes Operator
 type: application
-version: 0.1.7
-appVersion: "0.1.2"
+version: 0.1.8
+appVersion: "0.1.3"

helm/kubernetes-operator/Chart.yaml

@@ -55,8 +55,16 @@ spec:
                 x-kubernetes-validations:
                 - message: Value is immutable
                   rule: self == oldSelf
+              policyFriendlyName:
+                additionalProperties:
+                  type: string
+                type: object
               policyName:
                 type: string
+              policySourceGroups:
+                items:
+                  type: string
+                type: array
               tcpPorts:
                 items:
                   format: int32
@@ -116,8 +124,20 @@ spec:
                 type: array
               networkResourceID:
                 type: string
+              policyFriendlyName:
+                additionalProperties:
+                  type: string
+                type: object
               policyName:
                 type: string
+              policyNameMapping:
+                additionalProperties:
+                  type: string
+                type: object
+              policySourceGroups:
+                items:
+                  type: string
+                type: array
               tcpPorts:
                 items:
                   format: int32

helm/kubernetes-operator/crds/netbird.io_nbresources.yaml

@@ -60,6 +60,9 @@ spec:
           {{- if or .Values.netbirdAPI.key .Values.netbirdAPI.keyFromSecret }}
           - --netbird-api-key=$(NB_API_KEY)
           {{- end }}
+          {{- if .Values.ingress.allowAutomaticPolicyCreation }}
+          - --allow-automatic-policy-creation
+          {{- end }}
           ports:
             - name: webhook-server
               containerPort: {{ .Values.webhook.service.port }}

helm/kubernetes-operator/templates/deployment.yaml

@@ -135,6 +135,8 @@ ingress:
   enabled: false
   # Create router per namespace, useful for strict networking requirements
   namespacedNetworks: false
+  # Allow creating policies through Service annotations
+  allowAutomaticPolicyCreation: false
   kubernetesAPI:
     enabled: false
     groups: []

helm/kubernetes-operator/values.yaml

@@ -33,6 +33,7 @@ var (
 	errUnknownProtocol = fmt.Errorf("Unknown protocol")
 	errKubernetesAPI   = fmt.Errorf("kubernetes API error")
 	errNetBirdAPI      = fmt.Errorf("netbird API error")
+	errInvalidValue    = fmt.Errorf("invalid value")
 )
 
 const (
@@ -77,16 +78,28 @@ func (r *NBPolicyReconciler) mapResources(ctx context.Context, nbPolicy *netbird
 	}
 
 	for _, resource := range resources {
-		if resource.Status.PolicyName != nil && util.Contains(util.SplitTrim(*resource.Status.PolicyName, ","), nbPolicy.Name) {
-			// Groups
-			groups = append(groups, resource.Status.Groups...)
+		generatedBy := nbPolicy.Annotations["netbird.io/generated-by"]
+		generatedBy = strings.ReplaceAll(generatedBy, "/", "-")
+		if resource.Status.PolicyName == nil {
+			continue
+		}
+		resourcePolicies := util.SplitTrim(*resource.Status.PolicyName, ",")
 
-			for _, p := range resource.Spec.TCPPorts {
-				portMapping[protocolTCP][p] = nil
-			}
-			for _, p := range resource.Spec.UDPPorts {
-				portMapping[protocolUDP][p] = nil
-			}
+		if generatedBy == "" && !util.Contains(resourcePolicies, nbPolicy.Name) {
+			continue
+		}
+
+		if generatedBy != "" && !util.Contains(resourcePolicies, strings.ReplaceAll(nbPolicy.Name, "-"+generatedBy, "")) {
+			continue
+		}
+		// Groups
+		groups = append(groups, resource.Status.Groups...)
+
+		for _, p := range resource.Spec.TCPPorts {
+			portMapping[protocolTCP][p] = nil
+		}
+		for _, p := range resource.Spec.UDPPorts {
+			portMapping[protocolUDP][p] = nil
 		}
 	}