chriswiggins/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Kubernetes Calico GlobalNetworkSets from Amazon AWS IPList

This cronjob updates GlobalNetworkSets hourly from the Amazon IPList.
Edit the REGIONS in the script to the regions of IPLists you'd like to create. Each region specified creates a separate GlobalNetwork set called amazon-services-REGION, with labels as specified in the cronjob

  
## aws-iplist-networkset.yaml
# Restricts to its own namespace
apiVersion: v1
kind: Namespace
metadata:
  name: aws-iplist-cronjob
---
# We need to get to the internet to download the ip-range and the curl and jq packages
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: aws-iplist-cronjob
spec:
  egress:
  - action: Allow
  order: 0
  selector: app == 'aws-iplist-cronjob'
  types:
  - Egress
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-iplist-cronjob
  namespace: aws-iplist-cronjob
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: aws-iplist-cronjob
  namespace: aws-iplist-cronjob
spec:
  schedule: "0 */1 * * *"
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      backoffLimit: 4
      template:
        metadata:
          labels:
            app: aws-iplist-cronjob
        spec:
          hostNetwork: true
          serviceAccountName: aws-iplist-cronjob
          terminationGracePeriodSeconds: 0
          restartPolicy: Never
          containers:
          - name: aws-iplist-cronjob
            image: calico/ctl:v3.13.2
            env:
            - name: DATASTORE_TYPE
              value: kubernetes
            command:
            - "/bin/sh"
            - "-c"
            - |
              set -e

              apk add --no-cache curl jq

              # Get list of IPs from Amazon
              IPS=$(curl -Ss https://ip-ranges.amazonaws.com/ip-ranges.json)

              # Update what regions you want here
              for REGION in "us-west-2" "ap-southeast-2"; do
              LIST=$(echo "$IPS" | jq -r '[.prefixes[] | select(.region=="'$REGION'" and .service=="AMAZON").ip_prefix] - [.prefixes[] | select(.region=="'$REGION'" and .service=="EC2").ip_prefix] | to_entries | .[] | "    - "+ .value')

              TEMPLATE="$(cat <<-EOF
              apiVersion: projectcalico.org/v3
              kind: GlobalNetworkSet
              metadata:
                name: amazon-services-$REGION
                labels:
                  service: amazon
                  region: $REGION
              spec:
                nets:
              $LIST
              EOF
              )"

              echo "$TEMPLATE" | calicoctl apply -f -

              done

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: aws-iplist-cronjob
rules:
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalnetworksets
    verbs:
      - create
      - get
      - list
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: aws-iplist-cronjob
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aws-iplist-cronjob
subjects:
- kind: ServiceAccount
  name: aws-iplist-cronjob
  namespace: aws-iplist-cronjob
	# Restricts to its own namespace
	apiVersion: v1
	kind: Namespace
	metadata:
	name: aws-iplist-cronjob
	---
	# We need to get to the internet to download the ip-range and the curl and jq packages
	apiVersion: crd.projectcalico.org/v1
	kind: GlobalNetworkPolicy
	metadata:
	name: aws-iplist-cronjob
	spec:
	egress:
	- action: Allow
	order: 0
	selector: app == 'aws-iplist-cronjob'
	types:
	- Egress
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: aws-iplist-cronjob
	namespace: aws-iplist-cronjob
	---
	apiVersion: batch/v1beta1
	kind: CronJob
	metadata:
	name: aws-iplist-cronjob
	namespace: aws-iplist-cronjob
	spec:
	schedule: "0 /1 * *"
	successfulJobsHistoryLimit: 1
	failedJobsHistoryLimit: 1
	jobTemplate:
	spec:
	backoffLimit: 4
	template:
	metadata:
	labels:
	app: aws-iplist-cronjob
	spec:
	hostNetwork: true
	serviceAccountName: aws-iplist-cronjob
	terminationGracePeriodSeconds: 0
	restartPolicy: Never
	containers:
	- name: aws-iplist-cronjob
	image: calico/ctl:v3.13.2
	env:
	- name: DATASTORE_TYPE
	value: kubernetes
	command:
	- "/bin/sh"
	- "-c"
	- \|
	set -e

	apk add --no-cache curl jq

	# Get list of IPs from Amazon
	IPS=$(curl -Ss https://ip-ranges.amazonaws.com/ip-ranges.json)

	# Update what regions you want here
	for REGION in "us-west-2" "ap-southeast-2"; do
	LIST=$(echo "$IPS" \| jq -r '[.prefixes[] \| select(.region=="'$REGION'" and .service=="AMAZON").ip_prefix] - [.prefixes[] \| select(.region=="'$REGION'" and .service=="EC2").ip_prefix] \| to_entries \| .[] \| " - "+ .value')

	TEMPLATE="$(cat <<-EOF
	apiVersion: projectcalico.org/v3
	kind: GlobalNetworkSet
	metadata:
	name: amazon-services-$REGION
	labels:
	service: amazon
	region: $REGION
	spec:
	nets:
	$LIST
	EOF
	)"

	echo "$TEMPLATE" \| calicoctl apply -f -

	done

	---
	kind: ClusterRole
	apiVersion: rbac.authorization.k8s.io/v1beta1
	metadata:
	name: aws-iplist-cronjob
	rules:
	- apiGroups: ["crd.projectcalico.org"]
	resources:
	- globalnetworksets
	verbs:
	- create
	- get
	- list
	- update
	---
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: ClusterRoleBinding
	metadata:
	name: aws-iplist-cronjob
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: aws-iplist-cronjob
	subjects:
	- kind: ServiceAccount
	name: aws-iplist-cronjob
	namespace: aws-iplist-cronjob