Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/snapp-incubator/svc-lb-to-cilium-netpolicy
An operator that ensures the CiliumNetworkPolicy objects are kept up to date with the current state of LoadBalancer Services.
controller go golang k8s k8s-controller network snappcloud
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/snapp-incubator/svc-lb-to-cilium-netpolicy
- Owner: snapp-incubator
- Created: 2023-08-28T09:36:05.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-09-08T06:59:22.000Z (5 months ago)
- Last Synced: 2024-11-15T01:39:18.953Z (2 months ago)
- Topics: controller, go, golang, k8s, k8s-controller, network, snappcloud
- Language: Go
- Homepage:
- Size: 147 KB
- Stars: 10
- Watchers: 6
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# svc-lb-to-cilium-netpolicy Operator
## Description
The svc-lb-to-cilium-netpolicy operator addresses a significant challenge in our clusters, where NetworkPolicies and CiliumNetworkPolicies are employed to establish strict network segmentation for security purposes. Under the current network policies, pods are restricted to receiving traffic only from other pods within the same namespace or from specific designated namespaces. However, some workloads are external to the cluster; these external workloads rely on Services of type LoadBalancer to establish connections with cluster pods.
The problem arises when these external workloads are eventually migrated into the cluster, often into namespaces different from the ones housing the pods they need to communicate with. The existing network policies, originally configured for security, inadvertently block these critical communication paths, causing connectivity issues once the external workloads are brought into the cluster.

The primary purpose of the svc-lb-to-cilium-netpolicy operator is to enable uninterrupted communication between previously external workloads, now residing within the Kubernetes cluster, and the LoadBalancer service endpoints. It achieves this by automatically managing CiliumNetworkPolicies so that these workloads can still reach the LoadBalancer service endpoints, overcoming the restrictions imposed by the existing policies.
## Getting Started
You'll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster.

### Building the helm chart

We use [helmify](https://github.com/arttor/helmify) to generate the Helm chart from kustomize-rendered manifests. To update the chart, run:

```shell
make helm
```

### Test It Out

1. Compile the code:

```sh
make build
```

2. Run the controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):

```sh
# Note: The controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows).
./bin/manager --config-file-path ./hack/config.yaml
```