
Commit 800f2c2

authored
Merge pull request #29 from madhuakula/nspfun
Fixed NSP for the namespace access stuff
2 parents 1f64a8f + 07faa00 commit 800f2c2


1 file changed

+16
-56
lines changed

1 file changed

+16
-56
lines changed

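--- a/wrongsecrets-balancer/src/kubernetes.js
+++ b/wrongsecrets-balancer/src/kubernetes.js
@@ -524,126 +524,86 @@ const createNSPsforTeam = async (team) => {
 },
 };
 
-const nsAllowWithinNS = {
+const nsAllowWrongSecretstoVirtualDesktop = {
 kind: 'NetworkPolicy',
 apiVersion: 'networking.k8s.io/v1',
 metadata: {
-name: 'allow-same-namespace',
+name: 'allow-wrongsecrets-access',
 namespace: `t-${team}`,
 },
 spec: {
 podSelector: {
 matchLabels: {
-team: `${team}`,
+app: 'wrongsecrets',
 },
 },
 ingress: [
 {
 from: [
 {
-namespaceSelector: {
+podSelector: {
 matchLabels: {
-'kubernetes.io/metadata.name': `t-${team}`,
+app: 'virtualdesktop',
 },
 },
 },
 ],
-ports: [
-{
-port: 8080,
-protocol: 'TCP',
-},
-{
-port: 3000,
-protocol: 'TCP',
-},
-],
 },
 ],
 },
 egress: [
 {
 to: [
 {
-namespaceSelector: {
+podSelector: {
 matchLabels: {
-'kubernetes.io/metadata.name': `t-${team}`,
+app: 'virtualdesktop',
 },
 },
 },
 ],
-ports: [
-{
-port: 8080,
-protocol: 'TCP',
-},
-{
-port: 3000,
-protocol: 'TCP',
-},
-],
 },
 ],
 };
 
-const nsAllowToTalkToDefault = {
+const nsAllowVirtualDesktoptoWrongSecrets = {
 kind: 'NetworkPolicy',
 apiVersion: 'networking.k8s.io/v1',
 metadata: {
-name: 'allow-ns-to-default-and-back',
+name: 'allow-virtualdesktop-access',
 namespace: `t-${team}`,
 },
 spec: {
 podSelector: {
 matchLabels: {
-team: `${team}`,
+app: 'virtualdesktop',
 },
 },
 ingress: [
 {
 from: [
 {
-namespaceSelector: {
+podSelector: {
 matchLabels: {
-'kubernetes.io/metadata.name': 'default',
+app: 'wrongsecrets',
 },
 },
 },
 ],
-ports: [
-{
-port: 8080,
-protocol: 'TCP',
-},
-{
-port: 3000,
-protocol: 'TCP',
-},
-],
 },
 ],
 },
 egress: [
 {
 to: [
 {
-namespaceSelector: {
+podSelector: {
 matchLabels: {
-'kubernetes.io/metadata.name': 'default',
+app: 'wrongsecrets',
 },
 },
 },
 ],
-ports: [
-{
-port: 8080,
-protocol: 'TCP',
-},
-{
-port: 3000,
-protocol: 'TCP',
-},
-],
 },
 ],
 };
@@ -763,12 +723,12 @@ const createNSPsforTeam = async (team) => {
 throw new Error(JSON.stringify(error));
 });
 await k8sNetworkingApi
-.createNamespacedNetworkPolicy(`t-${team}`, nsAllowWithinNS)
+.createNamespacedNetworkPolicy(`t-${team}`, nsAllowWrongSecretstoVirtualDesktop)
 .catch((error) => {
 throw new Error(JSON.stringify(error));
 });
 await k8sNetworkingApi
-.createNamespacedNetworkPolicy(`t-${team}`, nsAllowToTalkToDefault)
+.createNamespacedNetworkPolicy(`t-${team}`, nsAllowVirtualDesktoptoWrongSecrets)
 .catch((error) => {
 throw new Error(JSON.stringify(error));
 });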
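Review bot: In both rewritten policies the `egress` array sits outside `spec`: counting brackets, `spec` is closed by the `},` just before `egress: [` (new lines 553 and 595), so `egress` is a top-level key of the object, where the NetworkPolicy schema has no such field. Neither `spec` sets `policyTypes`, so these objects most likely take effect as ingress-only policies and the egress peers this commit edits are not enforced by them. I would move each `egress` array inside `spec` and add `policyTypes: ['Ingress', 'Egress'],` there, after checking that the other policies created in `createNSPsforTeam` (which starts and ends outside these hunks) still allow DNS and any other egress the pods need. Separately, removing the `ports` lists opens every port between the `wrongsecrets` and `virtualdesktop` pods; keep the lists if only 8080 and 3000 are meant to be reachable.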
