5GSEC · anurag-rajawat · Jun 4, 2024 · Apr 29, 2024 · Apr 30, 2024 · May 2, 2024
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
@@ -160,7 +160,7 @@ jobs:
           run: |
             kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus
             kubectl get pods -A
-          
+
         - name: Run Tests
           run: make integration-test
 

diff --git a/api/v1/clusternimbuspolicy_types.go → api/v1alpha1/clusternimbuspolicy_types.go b/api/v1/clusternimbuspolicy_types.go → api/v1alpha1/clusternimbuspolicy_types.go
@@ -1,16 +1,18 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-package v1
+package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // ClusterNimbusPolicySpec defines the desired state of ClusterNimbusPolicy
 type ClusterNimbusPolicySpec struct {
-	Selector    CwSelector    `json:"selector"`
-	NimbusRules []NimbusRules `json:"rules"`
+	NodeSelector     LabelSelector     `json:"nodeSelector,omitempty"`
+	NsSelector       NamespaceSelector `json:"nsSelector,omitempty"`
+	WorkloadSelector LabelSelector     `json:"workloadSelector,omitempty"`
+	NimbusRules      []NimbusRules     `json:"rules"`
 }
 
 // ClusterNimbusPolicyStatus defines the observed state of ClusterNimbusPolicy

diff --git a/api/v1/clustersecurityintentbinding_types.go → ...ha1/clustersecurityintentbinding_types.go b/api/v1/clustersecurityintentbinding_types.go → ...ha1/clustersecurityintentbinding_types.go
@@ -1,28 +1,28 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-package v1
+package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-type CwResource struct {
-	Kind        string            `json:"kind"`
-	Name        string            `json:"name"`
-	Namespace   string            `json:"namespace,omitempty"`
-	MatchLabels map[string]string `json:"matchLabels,omitempty"`
+type NamespaceSelector struct {
+	MatchNames   []string `json:"matchNames,omitempty"`
+	ExcludeNames []string `json:"excludeNames,omitempty"`
 }
 
-type CwSelector struct {
-	Resources []CwResource `json:"resources,omitempty"`
-	CEL       []string     `json:"cel,omitempty"`
+type ClusterMatchWorkloads struct {
+	NodeSelector     LabelSelector     `json:"nodeSelector,omitempty"`
+	NsSelector       NamespaceSelector `json:"nsSelector,omitempty"`
+	WorkloadSelector LabelSelector     `json:"workloadSelector,omitempty"`
 }
 
 // ClusterSecurityIntentBindingSpec defines the desired state of ClusterSecurityIntentBinding
 type ClusterSecurityIntentBindingSpec struct {
-	Intents  []MatchIntent `json:"intents"`
-	Selector CwSelector    `json:"selector"`
+	Intents  []MatchIntent         `json:"intents"`
+	Selector ClusterMatchWorkloads `json:"selector,omitempty"`
+	CEL      []string              `json:"cel,omitempty"`
 }
 
 // ClusterSecurityIntentBindingStatus defines the observed state of ClusterSecurityIntentBinding

diff --git a/api/v1/groupversion_info.go → api/v1alpha1/groupversion_info.go b/api/v1/groupversion_info.go → api/v1alpha1/groupversion_info.go
@@ -1,10 +1,10 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-// Package v1 contains API Schema definitions for the intent v1 API group
+// Package v1alpha1 contains API Schema definitions for the intent v1 API group
 // +kubebuilder:object:generate=true
 // +groupName=intent.security.nimbus.com
-package v1
+package v1alpha1
 
 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -13,7 +13,7 @@ import (
 
 var (
 	// GroupVersion is group version used to register these objects
-	GroupVersion = schema.GroupVersion{Group: "intent.security.nimbus.com", Version: "v1"}
+	GroupVersion = schema.GroupVersion{Group: "intent.security.nimbus.com", Version: "v1alpha1"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

diff --git a/api/v1/nimbuspolicy_types.go → api/v1alpha1/nimbuspolicy_types.go b/api/v1/nimbuspolicy_types.go → api/v1alpha1/nimbuspolicy_types.go
@@ -1,27 +1,23 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-package v1
+package v1alpha1
 
 import (
+	"reflect"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // NimbusPolicySpec defines the desired state of NimbusPolicy
 type NimbusPolicySpec struct {
 	// Selector specifies the target resources to which the policy applies
-	Selector NimbusSelector `json:"selector"`
+	Selector LabelSelector `json:"selector"`
 
 	// PolicyType specifies the type of policy, e.g., "Network", "System", "Cluster"
 	NimbusRules []NimbusRules `json:"rules"`
 }
 
-// NimbusSelector is used to select specific resources based on labels.
-type NimbusSelector struct {
-	// MatchLabels is a map that holds key-value pairs to match against labels of resources.
-	MatchLabels map[string]string `json:"matchLabels"`
-}
-
 // NimbusRules represents a single policy rule with an ID, type, description, and detailed rule configurations.
 type NimbusRules struct {
 	ID          string `json:"id"`
@@ -70,3 +66,26 @@ type NimbusPolicyList struct {
 func init() {
 	SchemeBuilder.Register(&NimbusPolicy{}, &NimbusPolicyList{})
 }
+
+// Check equality of the spec to decide if we need to update the object
+func (a NimbusPolicy) Equal(b NimbusPolicy) (string, bool) {
+	if a.ObjectMeta.Name != b.ObjectMeta.Name {
+		return "diff: name", false
+	}
+	if a.ObjectMeta.Namespace != b.ObjectMeta.Namespace {
+		return "diff: Namespace", false
+	}
+
+	if !reflect.DeepEqual(a.ObjectMeta.Labels, b.ObjectMeta.Labels) {
+		return "diff: Labels", false
+	}
+
+	if !reflect.DeepEqual(a.ObjectMeta.OwnerReferences, b.ObjectMeta.OwnerReferences) {
+		return "diff: OwnerReferences", false
+	}
+
+	if !reflect.DeepEqual(a.Spec, b.Spec) {
+		return "diff: Spec", false
+	}
+	return "", true
+}
diff --git a/api/v1/securityintent_types.go → api/v1alpha1/securityintent_types.go b/api/v1/securityintent_types.go → api/v1alpha1/securityintent_types.go
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-package v1
+package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

diff --git a/api/v1/securityintentbinding_types.go → api/v1alpha1/securityintentbinding_types.go b/api/v1/securityintentbinding_types.go → api/v1alpha1/securityintentbinding_types.go
@@ -1,16 +1,17 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of Nimbus
 
-package v1
+package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // SecurityIntentBindingSpec defines the desired state of SecurityIntentBinding
 type SecurityIntentBindingSpec struct {
-	Intents  []MatchIntent `json:"intents"`
-	Selector Selector      `json:"selector"`
+	Intents  []MatchIntent  `json:"intents"`
+	Selector MatchWorkloads `json:"selector"`
+	CEL      []string       `json:"cel,omitempty"`
 }
 
 // MatchIntent struct defines the request for a specific SecurityIntent
@@ -19,21 +20,11 @@ type MatchIntent struct {
 }
 
 // Selector defines the selection criteria for resources
-type Selector struct {
-	Any []ResourceFilter `json:"any,omitempty"`
-	All []ResourceFilter `json:"all,omitempty"`
-	CEL []string         `json:"cel,omitempty"`
+type MatchWorkloads struct {
+	WorkloadSelector LabelSelector `json:"workloadSelector,omitempty"`
 }
 
-// ResourceFilter is used for filtering resources
-type ResourceFilter struct {
-	Resources Resources `json:"resources,omitempty"`
-}
-
-// Resources defines the properties for selecting Kubernetes resources
-type Resources struct {
-	Kind        string            `json:"kind,omitempty"`
-	Namespace   string            `json:"namespace,omitempty"`
+type LabelSelector struct {
 	MatchLabels map[string]string `json:"matchLabels,omitempty"`
 }