
Overview

Network policy types define rules for controlling network access in monitored environments. Policies can be scoped to projects, repositories, workflows, clusters, or nodes.

NetworkPolicy

Base network policy model.
type NetworkPolicy struct {
    ID        string              `json:"id"`
    ProjectID string              `json:"-"`
    Scope     NetworkPolicyScope  `json:"scope"`
    Config    NetworkPolicyConfig `json:"config"`
    Rules     []NetworkPolicyRule `json:"rules"`
    CreatedAt time.Time           `json:"created_at"`
    UpdatedAt time.Time           `json:"updated_at"`
    DeletedAt *time.Time          `json:"deleted_at,omitempty"`
}

Fields

  • id (string, required) - Unique policy identifier
  • scope (NetworkPolicyScope, required) - Policy scope: system_global, global, repo, workflow, cluster, or node
  • config (NetworkPolicyConfig, required) - Policy configuration (enforcement modes)
  • rules (NetworkPolicyRule[], required) - List of policy rules
  • created_at (time.Time, required) - When the policy was created
  • updated_at (time.Time, required) - When the policy was last updated
  • deleted_at (time.Time) - When the policy was deleted (soft delete)

NetworkPolicyScope

Defines the scope of a network policy.
type NetworkPolicyScope string

const (
    NetworkPolicyScopeSystemGlobal NetworkPolicyScope = "system_global" // System-wide (admin only)
    NetworkPolicyScopeGlobal       NetworkPolicyScope = "global"        // Project-wide
    NetworkPolicyScopeRepo         NetworkPolicyScope = "repo"          // GitHub repository
    NetworkPolicyScopeWorkflow     NetworkPolicyScope = "workflow"      // GitHub workflow
    NetworkPolicyScopeCluster      NetworkPolicyScope = "cluster"       // K8s cluster
    NetworkPolicyScopeNode         NetworkPolicyScope = "node"          // K8s node
)

Methods

  • String() string - Returns string representation
  • IsValid() bool - Checks if the scope is valid

NetworkPolicyConfig

Configuration options for a network policy.
type NetworkPolicyConfig struct {
    CIDRMode      NetworkPolicyCIDRMode    `json:"cidr_mode"`
    CIDRPolicy    NetworkPolicyType        `json:"cidr_policy"`
    ResolveMode   NetworkPolicyResolveMode `json:"resolve_mode"`
    ResolvePolicy NetworkPolicyType        `json:"resolve_policy"`
}

Fields

  • cidr_mode (NetworkPolicyCIDRMode, required) - CIDR enforcement mode: alert, enforce, or both
  • cidr_policy (NetworkPolicyType, required) - Default CIDR policy: allow or deny
  • resolve_mode (NetworkPolicyResolveMode, required) - DNS resolution mode: bypass, strict, or permissive
  • resolve_policy (NetworkPolicyType, required) - Default resolve policy: allow or deny

Methods

  • Validate() error - Validates configuration values

NetworkPolicyCIDRMode

CIDR enforcement mode.
type NetworkPolicyCIDRMode string

const (
    NetworkPolicyCIDRModeAlert   NetworkPolicyCIDRMode = "alert"   // Log violations, allow traffic
    NetworkPolicyCIDRModeEnforce NetworkPolicyCIDRMode = "enforce" // Block violations
    NetworkPolicyCIDRModeBoth    NetworkPolicyCIDRMode = "both"    // Log and block
)

Methods

  • String() string - Returns string representation
  • IsValid() bool - Checks if the mode is valid

NetworkPolicyType

Policy action type.
type NetworkPolicyType string

const (
    NetworkPolicyTypeAllow NetworkPolicyType = "allow" // Allow traffic
    NetworkPolicyTypeDeny  NetworkPolicyType = "deny"  // Deny traffic
)

Methods

  • String() string - Returns string representation
  • IsValid() bool - Checks if the type is valid

NetworkPolicyResolveMode

DNS resolution enforcement mode.
type NetworkPolicyResolveMode string

const (
    NetworkPolicyResolveModeBypass     NetworkPolicyResolveMode = "bypass"     // No DNS enforcement
    NetworkPolicyResolveModeStrict     NetworkPolicyResolveMode = "strict"     // Strict enforcement
    NetworkPolicyResolveModePermissive NetworkPolicyResolveMode = "permissive" // Permissive enforcement
)

Methods

  • String() string - Returns string representation
  • IsValid() bool - Checks if the mode is valid

NetworkPolicyRule

A single rule in a network policy.
type NetworkPolicyRule struct {
    ID        string                `json:"id"`
    PolicyID  string                `json:"policy_id"`
    Type      NetworkPolicyRuleType `json:"type"`
    Value     string                `json:"value"`
    Action    NetworkPolicyType     `json:"action"`
    CreatedAt time.Time             `json:"created_at"`
    UpdatedAt time.Time             `json:"updated_at"`
}

Fields

  • id (string, required) - Unique rule identifier
  • policy_id (string, required) - Parent policy ID
  • type (NetworkPolicyRuleType, required) - Rule type: cidr or domain
  • value (string, required) - Rule value (CIDR range or domain name)
  • action (NetworkPolicyType, required) - Action to take: allow or deny
  • created_at (time.Time, required) - When the rule was created
  • updated_at (time.Time, required) - When the rule was last updated

Methods

  • Validate() error - Validates rule type, value, and action

NetworkPolicyRuleType

Type of network policy rule.
type NetworkPolicyRuleType string

const (
    NetworkPolicyRuleTypeCIDR   NetworkPolicyRuleType = "cidr"   // CIDR range rule
    NetworkPolicyRuleTypeDomain NetworkPolicyRuleType = "domain" // Domain name rule
)

Methods

  • String() string - Returns string representation
  • IsValid() bool - Checks if the type is valid

CreateNetworkPolicy

Request to create a new network policy.
type CreateNetworkPolicy struct {
    Scope        NetworkPolicyScope        `json:"scope"`
    Config       NetworkPolicyConfig       `json:"config"`
    Rules        []CreateNetworkPolicyRule `json:"rules,omitempty"`
    
    // GitHub context
    RepositoryID string                    `json:"repository_id,omitempty"`
    WorkflowName string                    `json:"workflow_name,omitempty"`
    
    // Kubernetes context
    ClusterName  string                    `json:"cluster_name,omitempty"`
    NodeName     string                    `json:"node_name,omitempty"`
}

Methods

  • Validate() error - Validates scope, config, and required context fields

Validation Rules

  • scope must be valid
  • Config defaults are applied if not provided
  • Scope-specific fields are required:
    • repo scope requires repository_id
    • workflow scope requires repository_id and workflow_name
    • cluster scope requires cluster_name
    • node scope requires cluster_name and node_name

NetworkPolicyCreated

Response after creating a network policy.
type NetworkPolicyCreated struct {
    ID        string    `json:"id"`
    CreatedAt time.Time `json:"created_at"`
    UpdatedAt time.Time `json:"updated_at"`
}

UpdateNetworkPolicy

Request to update a network policy.
type UpdateNetworkPolicy struct {
    Config *NetworkPolicyConfig `json:"config"`
}

Methods

  • Validate() error - Validates config is provided and valid

NetworkPolicyUpdated

Response after updating a network policy.
type NetworkPolicyUpdated struct {
    ID        string    `json:"id"`
    UpdatedAt time.Time `json:"updated_at"`
}

CreateNetworkPolicyRule

Request to create a new policy rule.
type CreateNetworkPolicyRule struct {
    Type    NetworkPolicyRuleType `json:"type"`
    Value   string                `json:"value"`
    Action  NetworkPolicyType     `json:"action"`
    EventID string                `json:"event_id,omitempty"`
}

Methods

  • Validate() error - Validates rule type, value, and action

Validation Rules

  • For cidr type, value must be valid CIDR notation
  • For domain type, value must be non-empty domain name
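
As an added example (not the project's own Validate, whose body the page does not show), one way to implement the two rule-value checks above in Go. The error variables stand in for the page's errs-based constants, the action error is assumed because the page lists no constant for it, and refusing CIDRs with host bits set or malformed domain labels is this example's own stricter choice.

```go
package main

import (
	"errors"
	"net"
	"regexp"
	"strings"
)

// Stand-ins for the page's error constants; the page lists none for a bad action.
var (
	ErrInvalidNetworkPolicyRuleType  = errors.New("invalid network policy rule type")
	ErrInvalidNetworkPolicyRuleValue = errors.New("invalid network policy rule value")
	errInvalidRuleAction             = errors.New("invalid network policy rule action") // assumed
)

type CreateNetworkPolicyRule struct{ Type, Value, Action string }
// RFC 1123 host label: alphanumerics and hyphens, neither starting nor ending with one.
var domainLabel = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// Validate applies the page's rules (cidr values must parse as CIDR notation, domain
// values must be non-empty). Refusing CIDRs with host bits set and malformed labels
// is stricter than the page requires and is this example's own choice.
func (r CreateNetworkPolicyRule) Validate() error {
	if r.Action != "allow" && r.Action != "deny" {
		return errInvalidRuleAction
	}
	switch r.Type {
	case "cidr":
		// 10.1.2.3/8 parses but silently means 10.0.0.0/8; refuse the ambiguity.
		if ip, n, err := net.ParseCIDR(r.Value); err != nil || !ip.Equal(n.IP) {
			return ErrInvalidNetworkPolicyRuleValue
		}
	case "domain":
		v := strings.TrimSuffix(strings.ToLower(r.Value), ".")
		if v == "" {
			return ErrInvalidNetworkPolicyRuleValue
		}
		for _, label := range strings.Split(v, ".") {
			if !domainLabel.MatchString(label) {
				return ErrInvalidNetworkPolicyRuleValue
			}
		}
	default:
		return ErrInvalidNetworkPolicyRuleType
	}
	return nil
}

func main() {}
```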

NetworkPolicyRuleCreated

Response after creating a rule.
type NetworkPolicyRuleCreated struct {
    ID        string    `json:"id"`
    CreatedAt time.Time `json:"created_at"`
}

UpdateNetworkPolicyRule

Request to update a policy rule.
type UpdateNetworkPolicyRule struct {
    Value  *string            `json:"value,omitempty"`
    Action *NetworkPolicyType `json:"action,omitempty"`
}

Methods

  • Validate() error - Validates at least one field is provided

NetworkPolicyRuleUpdated

Response after updating a rule.
type NetworkPolicyRuleUpdated struct {
    ID        string    `json:"id"`
    UpdatedAt time.Time `json:"updated_at"`
}

MergedNetworkPolicy

Combined network policy from multiple scopes.
type MergedNetworkPolicy struct {
    // Legacy format
    Config              NetworkPolicyConfig       `json:"config"`
    Rules               []NetworkPolicyRule       `json:"rules"`
    
    // Simplified format
    Mode                NetworkPolicyMode         `json:"mode"`
    Policy              NetworkPolicyType         `json:"policy"`
    Allow               []string                  `json:"allow"`
    Deny                []string                  `json:"deny"`
    Resolve             []string                  `json:"resolve"`
    
    // Policy references
    SystemGlobalPolicy  *SystemGlobalNetworkPolicy `json:"system_global_policy,omitempty"`
    GlobalPolicy        *NetworkPolicy            `json:"global_policy,omitempty"`
    RepoPolicy          *RepoNetworkPolicy        `json:"repo_policy,omitempty"`
    WorkflowPolicy      *WorkflowNetworkPolicy    `json:"workflow_policy,omitempty"`
    ClusterPolicy       *ClusterNetworkPolicy     `json:"cluster_policy,omitempty"`
    NodePolicy          *NodeNetworkPolicy        `json:"node_policy,omitempty"`
}

Fields

  • config (NetworkPolicyConfig, required) - Merged configuration (legacy format)
  • rules (NetworkPolicyRule[], required) - All applicable rules (legacy format)
  • mode (NetworkPolicyMode, required) - Simplified enforcement mode
  • policy (NetworkPolicyType, required) - Default policy for unmatched traffic
  • allow (string[], required) - Allowed CIDR ranges and domains
  • deny (string[], required) - Denied CIDR ranges and domains
  • resolve (string[], required) - Domains requiring DNS resolution checks

Scoped Network Policies

RepoNetworkPolicy

Repository-scoped policy (GitHub).
type RepoNetworkPolicy struct {
    NetworkPolicy
    RepositoryID string `json:"repository_id"`
}

WorkflowNetworkPolicy

Workflow-scoped policy (GitHub).
type WorkflowNetworkPolicy struct {
    NetworkPolicy
    RepositoryID string `json:"repository_id"`
    WorkflowName string `json:"workflow_name"`
}

ClusterNetworkPolicy

Cluster-scoped policy (Kubernetes).
type ClusterNetworkPolicy struct {
    NetworkPolicy
    ClusterName string `json:"cluster_name"`
}

NodeNetworkPolicy

Node-scoped policy (Kubernetes).
type NodeNetworkPolicy struct {
    NetworkPolicy
    ClusterName string `json:"cluster_name"`
    NodeName    string `json:"node_name"`
}

Helper Functions

GetMergedNetworkPolicy

Merges GitHub-context policies.
func GetMergedNetworkPolicy(
    systemGlobal *SystemGlobalNetworkPolicy,
    global *GlobalNetworkPolicy,
    repo *RepoNetworkPolicy,
    workflow *WorkflowNetworkPolicy,
) *MergedNetworkPolicy
Policies are applied in order of precedence:
  1. System global (lowest)
  2. Project global
  3. Repository
  4. Workflow (highest)

GetMergedNetworkPolicyForK8s

Merges Kubernetes-context policies.
func GetMergedNetworkPolicyForK8s(
    systemGlobal *SystemGlobalNetworkPolicy,
    global *GlobalNetworkPolicy,
    cluster *ClusterNetworkPolicy,
    node *NodeNetworkPolicy,
) *MergedNetworkPolicy
Policies are applied in order of precedence:
  1. System global (lowest)
  2. Project global
  3. Cluster
  4. Node (highest)
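
Added example, not the project's implementation: a minimal merge in the precedence order listed for both helpers above, plus an evaluator for the resulting rule set. The merge semantics (the highest present layer's config wins, rules from every layer are unioned) and the deny-beats-allow evaluation are assumptions, the types are cut down to the fields the merge uses, and the sample layers in the test are constructed.

```go
package main

import "net"

// Minimal stand-ins for the page's types, keeping only the fields the merge uses.
type NetworkPolicyConfig struct{ CIDRMode, CIDRPolicy string }
type NetworkPolicyRule struct{ Type, Value, Action string }
type NetworkPolicy struct {
	Config NetworkPolicyConfig
	Rules  []NetworkPolicyRule
}
type MergedNetworkPolicy struct{ NetworkPolicy }

// Merge takes layers from lowest to highest precedence (system global, project
// global, repo or cluster, workflow or node). Assumed semantics: the highest
// present layer's config wins outright and rules from every layer are unioned.
func Merge(layers ...*NetworkPolicy) *MergedNetworkPolicy {
	m := &MergedNetworkPolicy{NetworkPolicy{Config: NetworkPolicyConfig{CIDRPolicy: "deny"}}}
	for _, l := range layers {
		if l == nil {
			continue // a scope without its own policy leaves the lower layers in effect
		}
		m.Config = l.Config
		m.Rules = append(m.Rules, l.Rules...)
	}
	return m
}

// DecideIP evaluates a destination address against the merged cidr rules. Assumed
// evaluation: a deny from any layer beats every allow; unmatched traffic gets CIDRPolicy.
func (m *MergedNetworkPolicy) DecideIP(addr string) string {
	ip := net.ParseIP(addr)
	if ip == nil {
		return "deny" // an unparseable destination fails closed
	}
	action := m.Config.CIDRPolicy
	for _, r := range m.Rules {
		_, n, err := net.ParseCIDR(r.Value)
		if r.Type != "cidr" || err != nil || !n.Contains(ip) {
			continue
		}
		if r.Action == "deny" {
			return "deny"
		}
		action = "allow"
	}
	return action
}

func main() {}
```

Under these assumed semantics a workflow-scope config with cidr_mode set to alert replaces an enforce set at a lower scope, which is worth checking before relying on a merged policy.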

Error Constants

const (
    ErrInvalidNetworkPolicyScope           = errs.InvalidArgumentError("invalid network policy scope")
    ErrInvalidNetworkPolicyRepositoryID    = errs.InvalidArgumentError("invalid network policy repository id")
    ErrInvalidNetworkPolicyWorkflowName    = errs.InvalidArgumentError("invalid network policy workflow name")
    ErrInvalidNetworkPolicyClusterName     = errs.InvalidArgumentError("invalid network policy cluster name")
    ErrInvalidNetworkPolicyNodeName        = errs.InvalidArgumentError("invalid network policy node name")
    ErrInvalidNetworkPolicyRuleType        = errs.InvalidArgumentError("invalid network policy rule type")
    ErrInvalidNetworkPolicyRuleValue       = errs.InvalidArgumentError("invalid network policy rule value")
    ErrInvalidNetworkPolicyCIDRMode        = errs.InvalidArgumentError("invalid network policy CIDR mode")
    ErrInvalidNetworkPolicyCIDRPolicy      = errs.InvalidArgumentError("invalid network policy CIDR policy")
    ErrInvalidNetworkPolicyResolveMode     = errs.InvalidArgumentError("invalid network policy resolve mode")
    ErrInvalidNetworkPolicyResolvePolicy   = errs.InvalidArgumentError("invalid network policy resolve policy")
    ErrInvalidNetworkPolicyID              = errs.InvalidArgumentError("invalid network policy ID")
    ErrInvalidNetworkPolicyRuleID          = errs.InvalidArgumentError("invalid network policy rule ID")
    ErrUnauthorizedNetworkPolicy           = errs.UnauthorizedError("permission denied")
    ErrNetworkPolicyNotFound               = errs.NotFoundError("network policy not found")
    ErrNetworkPolicyRuleNotFound           = errs.NotFoundError("network policy rule not found")
    ErrNetworkPolicyAlreadyExists          = errs.ConflictError("network policy already exists")
    ErrNetworkPolicyRuleAlreadyExists      = errs.ConflictError("network policy rule already exists")
)
