feat: add network policy management for file browser service

This commit is contained in:
biersoeckli
2025-12-22 14:35:31 +00:00
parent 2f1a169398
commit 2f6c3405f1
2 changed files with 66 additions and 0 deletions


@@ -11,6 +11,7 @@ import podService from "./pod.service";
import bcrypt from "bcrypt";
import hostnameDnsProviderService from "./hostname-dns-provider.service";
import pvcService from "./pvc.service";
import networkPolicyService from "./network-policy.service";
class FileBrowserService {
@@ -55,6 +56,9 @@ class FileBrowserService {
console.log(`Creating ingress for filebrowser for volume ${volumeId}`);
await this.createOrUpdateIngress(kubeAppName, namespace, appId, projectId, traefikHostname);
console.log(`Creating network policy for filebrowser for volume ${volumeId}`);
await networkPolicyService.reconcileFileBrowserNetworkPolicy(kubeAppName, projectId);
const fileBrowserPods = await podService.getPodsForApp(projectId, kubeAppName);
for (const pod of fileBrowserPods) {
await podService.waitUntilPodIsRunningFailedOrSucceded(projectId, pod.podName);
@@ -92,6 +96,8 @@ class FileBrowserService {
if (existingIngress) {
await k3s.network.deleteNamespacedIngress(KubeObjectNameUtils.getIngressName(kubeAppName), projectId);
}
await networkPolicyService.deleteFileBrowserNetworkPolicy(kubeAppName, projectId);
}
private async createOrUpdateIngress(kubeAppName: string, namespace: string, appId: string, projectId: string, traefikHostname: string) {
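Review bot: In the second hunk the network policy is reconciled only after `createOrUpdateIngress` has already published the file browser, so between those two awaits — and permanently if `reconcileFileBrowserNetworkPolicy` throws — the pod is reachable through the ingress with no NetworkPolicy selecting it, which in Kubernetes means all traffic is admitted. Moving `console.log(\`Creating network policy for filebrowser for volume ${volumeId}\`);` and `await networkPolicyService.reconcileFileBrowserNetworkPolicy(kubeAppName, projectId);` above the ingress creation closes that fail-open window; the policy selects the pods by label and does not appear to depend on the ingress existing, though that should be confirmed against the deployment step that precedes this hunk. The teardown order in the third hunk (ingress removed before the policy) is already the safe one. The enclosing methods of both hunks start and end outside what is shown.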


@@ -357,6 +357,66 @@ class NetworkPolicyService {
await k3s.network.deleteNamespacedNetworkPolicy(policyName, projectId);
}
async reconcileFileBrowserNetworkPolicy(fileBrowserAppName: string, projectId: string) {
const policyName = KubeObjectNameUtils.toNetworkPolicyName(fileBrowserAppName);
const namespace = projectId;
const policy: V1NetworkPolicy = {
apiVersion: "networking.k8s.io/v1",
kind: "NetworkPolicy",
metadata: {
name: policyName,
namespace: namespace,
labels: {
app: fileBrowserAppName,
'file-browser': 'true'
},
annotations: {
[Constants.QS_ANNOTATION_PROJECT_ID]: projectId,
}
},
spec: {
podSelector: {
matchLabels: {
app: fileBrowserAppName
}
},
policyTypes: ["Ingress", "Egress"],
ingress: [
{
// Allow from Traefik (internet traffic)
from: [
{
namespaceSelector: {
matchLabels: {
'kubernetes.io/metadata.name': 'kube-system'
}
},
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'traefik'
}
}
}
]
}
],
egress: [] // Deny all outgoing traffic
}
};
console.log('Creating FileBrowser Network Policy:', JSON.stringify(policy, null, 2));
await this.applyNetworkPolicy(namespace, policyName, policy);
}
async deleteFileBrowserNetworkPolicy(fileBrowserAppName: string, projectId: string) {
const policyName = KubeObjectNameUtils.toNetworkPolicyName(fileBrowserAppName);
const existingNetworkPolicy = await this.getExistingNetworkPolicy(projectId, policyName);
if (!existingNetworkPolicy) {
return;
}
await k3s.network.deleteNamespacedNetworkPolicy(policyName, projectId);
}
async deleteAllNetworkPolicies() {
const namespaces = await k3s.core.listNamespace();
let deletedCount = 0;
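Review bot: The single ingress `from` entry in the new `reconcileFileBrowserNetworkPolicy` carries no `ports`, so once Traefik's pods are admitted they can reach every port the file-browser pod listens on, not only the one the ingress fronts; if the container port is known here, adding `ports: [{ protocol: 'TCP', port: FILEBROWSER_PORT /* placeholder */ }]` to that rule keeps the allow-list to the served port. Pairing `namespaceSelector` and `podSelector` inside one `from` element is the correct (ANDed) form, and `egress: []` together with `"Egress"` in `policyTypes` really does deny all outbound traffic including cluster DNS, so the inline `// Deny all outgoing traffic` is accurate. That intent deserves a TSDoc block on the method, e.g. `/** Applies a NetworkPolicy that admits only Traefik (kube-system) ingress to the file-browser pods and blocks all egress, including DNS. */`, so a later maintainer does not "fix" the empty egress list when some feature needs name resolution. `deleteFileBrowserNetworkPolicy` follows the same get-then-delete shape as the method above it; the gap between `getExistingNetworkPolicy` and the delete can still surface a not-found error that callers presumably tolerate, but that pattern is inherited rather than introduced here.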