Add k8s 1.8+ Network Policy fields: egress, ip_block and policy_types

hashicorp · May 7, 2018 · 0ba7866 · 0ba7866
1 parent cad0bd5
commit 0ba7866
Show file tree

Hide file tree

Showing 4 changed files with 382 additions and 26 deletions.
diff --git a/kubernetes/resource_kubernetes_network_policy.go b/kubernetes/resource_kubernetes_network_policy.go
@@ -17,12 +17,19 @@ var (
 	networkPolicySpecDoc                  = api.NetworkPolicy{}.SwaggerDoc()["spec"]
 	networkPolicySpecIngressDoc           = api.NetworkPolicySpec{}.SwaggerDoc()["ingress"]
 	networkPolicyIngressRulePortsDoc      = api.NetworkPolicyIngressRule{}.SwaggerDoc()["ports"]
+	networkPolicyIngressRuleFromDoc       = api.NetworkPolicyIngressRule{}.SwaggerDoc()["from"]
+	networkPolicySpecEgressDoc            = api.NetworkPolicySpec{}.SwaggerDoc()["egress"]
+	networkPolicyEgressRulePortsDoc       = api.NetworkPolicyEgressRule{}.SwaggerDoc()["ports"]
+	networkPolicyEgressRuleToDoc          = api.NetworkPolicyEgressRule{}.SwaggerDoc()["to"]
 	networkPolicyPortPortDoc              = api.NetworkPolicyPort{}.SwaggerDoc()["port"]
 	networkPolicyPortProtocolDoc          = api.NetworkPolicyPort{}.SwaggerDoc()["protocol"]
-	networkPolicyIngressRuleFromDoc       = api.NetworkPolicyIngressRule{}.SwaggerDoc()["from"]
+	networkPolicyPeerIpBlockDoc           = api.NetworkPolicyPeer{}.SwaggerDoc()["ipBlock"]
+	ipBlockCidrDoc                        = api.IPBlock{}.SwaggerDoc()["cidr"]
+	ipBlockExceptDoc                      = api.IPBlock{}.SwaggerDoc()["except"]
 	networkPolicyPeerNamespaceSelectorDoc = api.NetworkPolicyPeer{}.SwaggerDoc()["namespaceSelector"]
 	networkPolicyPeerPodSelectorDoc       = api.NetworkPolicyPeer{}.SwaggerDoc()["podSelector"]
 	networkPolicySpecPodSelectorDoc       = api.NetworkPolicySpec{}.SwaggerDoc()["podSelector"]
+	networkPolicySpecPolicyTypesDoc       = api.NetworkPolicySpec{}.SwaggerDoc()["policyTypes"]
 )
 
 func resourceKubernetesNetworkPolicy() *schema.Resource {
@@ -77,6 +84,104 @@ func resourceKubernetesNetworkPolicy() *schema.Resource {
 										Optional:    true,
 										Elem: &schema.Resource{
 											Schema: map[string]*schema.Schema{
+												"ip_block": {
+													Type:        schema.TypeList,
+													Description: networkPolicyPeerIpBlockDoc,
+													Optional:    true,
+													MaxItems:    1,
+													Elem: &schema.Resource{
+														Schema: map[string]*schema.Schema{
+															"cidr": {
+																Type:        schema.TypeString,
+																Description: ipBlockCidrDoc,
+																Optional:    true,
+															},
+															"except": {
+																Type:        schema.TypeList,
+																Description: ipBlockExceptDoc,
+																Optional:    true,
+																Elem:        &schema.Schema{Type: schema.TypeString},
+															},
+														},
+													},
+												},
+												"namespace_selector": {
+													Type:        schema.TypeList,
+													Description: networkPolicyPeerNamespaceSelectorDoc,
+													Optional:    true,
+													MaxItems:    1,
+													Elem: &schema.Resource{
+														Schema: labelSelectorFields(),
+													},
+												},
+												"pod_selector": {
+													Type:        schema.TypeList,
+													Description: networkPolicyPeerPodSelectorDoc,
+													Optional:    true,
+													MaxItems:    1,
+													Elem: &schema.Resource{
+														Schema: labelSelectorFields(),
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+						"egress": {
+							Type:        schema.TypeList,
+							Description: networkPolicySpecEgressDoc,
+							Optional:    true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"ports": {
+										Type:        schema.TypeList,
+										Description: networkPolicyEgressRulePortsDoc,
+										Optional:    true,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"port": {
+													Type:        schema.TypeString,
+													Description: networkPolicyPortPortDoc,
+													Optional:    true,
+												},
+												"protocol": {
+													Type:        schema.TypeString,
+													Description: networkPolicyPortProtocolDoc,
+													Optional:    true,
+													Default:     "TCP",
+												},
+											},
+										},
+									},
+									"to": {
+										Type:        schema.TypeList,
+										Description: networkPolicyEgressRuleToDoc,
+										Optional:    true,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"ip_block": {
+													Type:        schema.TypeList,
+													Description: networkPolicyPeerIpBlockDoc,
+													Optional:    true,
+													MaxItems:    1,
+													Elem: &schema.Resource{
+														Schema: map[string]*schema.Schema{
+															"cidr": {
+																Type:        schema.TypeString,
+																Description: ipBlockCidrDoc,
+																Optional:    true,
+															},
+															"except": {
+																Type:        schema.TypeList,
+																Description: ipBlockExceptDoc,
+																Optional:    true,
+																Elem:        &schema.Schema{Type: schema.TypeString},
+															},
+														},
+													},
+												},
 												"namespace_selector": {
 													Type:        schema.TypeList,
 													Description: networkPolicyPeerNamespaceSelectorDoc,
@@ -110,6 +215,14 @@ func resourceKubernetesNetworkPolicy() *schema.Resource {
 								Schema: labelSelectorFields(),
 							},
 						},
+						"policy_types": {
+							Type:        schema.TypeList,
+							Description: networkPolicySpecPolicyTypesDoc,
+							Optional:    true,
+							MaxItems:    2,
+							Computed:    true,
+							Elem:        &schema.Schema{Type: schema.TypeString},
+						},
 					},
 				},
 			},

diff --git a/kubernetes/resource_kubernetes_network_policy_test.go b/kubernetes/resource_kubernetes_network_policy_test.go
@@ -127,10 +127,68 @@ func TestAccKubernetesNetworkPolicy_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.ports.0.protocol", "TCP"),
 					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.ports.1.port", "statsd"),
 					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.ports.1.protocol", "UDP"),
-					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.#", "1"),
-					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.namespace_selector.#", "0"),
-					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.pod_selector.#", "1"),
-					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.pod_selector.0.match_labels.app", "myapp"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.#", "2"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.ip_block.#", "1"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.ip_block.0.cidr", "10.0.0.0/8"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.ip_block.0.except.#", "2"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.ip_block.0.except.0", "10.0.0.0/24"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.ip_block.0.except.1", "10.0.1.0/24"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.pod_selector.#", "0"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.1.ip_block.#", "0"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.1.namespace_selector.#", "0"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.1.pod_selector.#", "1"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.1.pod_selector.0.match_labels.app", "myapp"),
+				),
+			},
+			{
+				Config: testAccKubernetesNetworkPolicyConfig_specModified3(name),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckKubernetesNetworkPolicyExists("kubernetes_network_policy.test", &conf),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "metadata.0.annotations.%", "0"),
+					testAccCheckMetaAnnotations(&conf.ObjectMeta, map[string]string{}),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "metadata.0.labels.%", "0"),
+					testAccCheckMetaLabels(&conf.ObjectMeta, map[string]string{}),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "metadata.0.name", name),
+					resource.TestCheckResourceAttrSet("kubernetes_network_policy.test", "metadata.0.generation"),
+					resource.TestCheckResourceAttrSet("kubernetes_network_policy.test", "metadata.0.resource_version"),
+					resource.TestCheckResourceAttrSet("kubernetes_network_policy.test", "metadata.0.self_link"),
+					resource.TestCheckResourceAttrSet("kubernetes_network_policy.test", "metadata.0.uid"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.#", "1"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.pod_selector.#", "1"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.pod_selector.0.match_expressions.#", "1"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.pod_selector.0.match_expressions.0.key", "name"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.pod_selector.0.match_expressions.0.operator", "In"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.pod_selector.0.match_expressions.0.values.#", "2"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.pod_selector.0.match_expressions.0.values.1742479128", "webfront"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.pod_selector.0.match_expressions.0.values.2902841359", "api"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.#", "1"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.ports.#", "2"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.ports.0.port", "http"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.ports.0.protocol", "TCP"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.ports.1.port", "statsd"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.ports.1.protocol", "UDP"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.#", "2"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.ip_block.#", "1"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.ip_block.0.cidr", "10.0.0.0/8"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.ip_block.0.except.#", "2"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.ip_block.0.except.0", "10.0.0.0/24"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.ip_block.0.except.1", "10.0.1.0/24"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.0.pod_selector.#", "0"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.1.ip_block.#", "0"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.1.namespace_selector.#", "0"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.1.pod_selector.#", "1"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.ingress.0.from.1.pod_selector.0.match_labels.app", "myapp"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.egress.#", "1"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.egress.0.ports.#", "1"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.egress.0.ports.0.port", "statsd"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.egress.0.ports.0.protocol", "UDP"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.egress.0.to.#", "1"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.egress.0.to.0.ip_block.#", "1"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.egress.0.to.0.ip_block.0.cidr", "10.0.0.0/8"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.egress.0.to.0.ip_block.0.except.#", "2"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.egress.0.to.0.ip_block.0.except.0", "10.0.0.0/24"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.egress.0.to.0.ip_block.0.except.1", "10.0.1.0/24"),
+					resource.TestCheckResourceAttr("kubernetes_network_policy.test", "spec.0.egress.0.to.0.pod_selector.#", "0"),
 				),
 			},
 		},
@@ -334,6 +392,15 @@ resource "kubernetes_network_policy" "test" {
         ]
 
         from = [
+          {
+			ip_block {
+              cidr = "10.0.0.0/8"
+              except = [
+                "10.0.0.0/24",
+                "10.0.1.0/24",
+              ]
+            }
+          },
           {
             pod_selector {
               match_labels = {
@@ -348,3 +415,81 @@ resource "kubernetes_network_policy" "test" {
 }
 	`, name)
 }
+
+func testAccKubernetesNetworkPolicyConfig_specModified3(name string) string {
+	return fmt.Sprintf(`
+resource "kubernetes_network_policy" "test" {
+  metadata {
+    name      = "%s"
+    namespace = "default"
+  }
+
+  spec {
+    pod_selector {
+      match_expressions {
+        key      = "name"
+        operator = "In"
+        values   = ["webfront", "api"]
+      }
+    }
+
+    ingress = [
+      {
+        ports = [
+          {
+            port     = "http"
+            protocol = "TCP"
+          },
+          {
+            port     = "statsd"
+            protocol = "UDP"
+          },
+        ]
+
+        from = [
+          {
+			ip_block {
+              cidr = "10.0.0.0/8"
+              except = [
+                "10.0.0.0/24",
+                "10.0.1.0/24",
+              ]
+            }
+          },
+          {
+            pod_selector {
+              match_labels = {
+                app = "myapp"
+              }
+            }
+          },
+        ]
+      },
+    ]
+
+    egress = [
+      {
+        ports = [
+          {
+            port     = "statsd"
+            protocol = "UDP"
+          },
+        ]
+
+        to = [
+          {
+			ip_block {
+              cidr = "10.0.0.0/8"
+              except = [
+                "10.0.0.0/24",
+                "10.0.1.0/24",
+              ]
+            }
+          },
+        ]
+      },
+    ]
+  }
+}
+	`, name)
+}