
Add support for selecting external destinations
Some FTR things:

    1) As a peer a user can select either namespaces, or pods or
       nodes or externalNetworks.
    In a given rule more than 1 type of selection is not allowed.
    2) An empty externalNetworks selector means it selects all externalNetworkSets in the cluster.
    3) externalNetworks can be set only from to.Peer

Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
tssurya committed Oct 7, 2023
1 parent 0873bf8 commit 234ed98
Showing 23 changed files with 1,217 additions and 5 deletions.
1 change: 1 addition & 0 deletions apis/v1alpha1/adminnetworkpolicy_types.go
Expand Up @@ -137,6 +137,7 @@ type AdminNetworkPolicyIngressRule struct {
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=100
// +kubebuilder:validation:XValidation:rule="self.all(value, !has(value.nodes))",message="cluster-ingress traffic controls are unsupported"
// +kubebuilder:validation:XValidation:rule="self.all(value, !has(value.externalNetworks))",message="cluster-ingress traffic controls are unsupported"
From []AdminNetworkPolicyPeer `json:"from"`

// Ports allows for matching traffic based on port and protocols.
5 changes: 4 additions & 1 deletion apis/v1alpha1/baselineadminnetworkpolicy_types.go
Expand Up @@ -119,7 +119,9 @@ type BaselineAdminNetworkPolicyIngressRule struct {
// Support: Core
//
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=100
// +kubebuilder:validation:XValidation:rule="self.all(value, !has(value.nodes))",message="cluster-ingress traffic controls are unsupported"
// +kubebuilder:validation:XValidation:rule="self.all(value, !has(value.externalNetworks))",message="cluster-ingress traffic controls are unsupported"
From []AdminNetworkPolicyPeer `json:"from"`

// Ports allows for matching traffic based on port and protocols.
Expand Down Expand Up @@ -164,13 +166,14 @@ type BaselineAdminNetworkPolicyEgressRule struct {
// traffic then the specified action is applied.
// This field must be defined and contain at least one item.
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=100
//
// Support: Core
//
To []AdminNetworkPolicyPeer `json:"to"`

// Ports allows for matching traffic based on port and protocols.
// This field is a list of destination ports for the outging egress traffic.
// This field is a list of destination ports for the outgoing egress traffic.
// If Ports is not set then the rule does not filter traffic via port.
// +optional
// +kubebuilder:validation:MaxItems=100
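--- /dev/null
+++ b/apis/v1alpha1/externalnetworkset_types.go
@@ -0,0 +1,66 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// All fields in this package are required unless Explicitly marked optional
+// +kubebuilder:validation:Required
+package v1alpha1
+
+import (
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:shortName=ens,scope=Cluster
+// +kubebuilder:printcolumn:name="Networks",type=string,JSONPath=".spec.networks"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// ExternalNetworkSet is a cluster level resource that is used to define
+// a set of networks outside the cluster which can be referred to from
+// the AdminNetworkPolicy && BaselineAdminNetworkPolicy APIs as an external peer
+type ExternalNetworkSet struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ObjectMeta `json:"metadata"`
+
+// Specification of the desired behavior of ExternalNetworkSet.
+Spec ExternalNetworkSetSpec `json:"spec"`
+}
+
+// ExternalNetworkSetSpec defines the desired state of ExternalNetworkSet.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type ExternalNetworkSetSpec struct {
+// Networks is the list of NetworkCIDR (both v4 & v6) that can be used to define
+// external destinations.
+// A total of 100 CIDRs will be allowed in each NetworkSet instance.
+// ANP & BANP APIs may use the .spec.in(e)gress.from(to).externalNetworks selector
+// to select a set of external networks
+//
+// Support: Core
+//
+// +optional
+// +kubebuilder:validation:MinItems=1
+// +kubebuilder:validation:MaxItems=100
+Networks []string `json:"networks,omitempty" validate:"omitempty,dive,cidr"`
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// ExternalNetworkSetList contains a list of ExternalNetworkSet
+type ExternalNetworkSetList struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ListMeta `json:"metadata,omitempty"`
+Items []ExternalNetworkSet `json:"items"`
+}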
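Review bot: The `validate:"omitempty,dive,cidr"` tag on `Networks` is a Go-side validator tag that the API server never evaluates, and nothing else in this file constrains the item format, so as far as this file shows the generated CRD schema accepts any string in `networks` and a malformed or non-CIDR entry is only discovered by whichever implementation parses it; since these entries decide which external destinations a policy governs, CIDR syntax should be enforced in the schema (a kubebuilder validation marker or an `x-kubernetes-validations` CEL rule on the items) and the field comment should say what an implementation does with an entry it cannot parse. `+kubebuilder:subresource:status` is declared on `ExternalNetworkSet` but the struct has no `Status` field, so the CRD would expose a status subresource with no schema behind it. `ExternalNetworkSetSpec` carries `MinProperties=1` while its only field `Networks` is marked `+optional` with `omitempty`; one of the two is misleading, and if an empty spec is meant to be rejected the comment should say the list is required. The comment also says "each NetworkSet instance" where the resource is `ExternalNetworkSet`.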
9 changes: 9 additions & 0 deletions apis/v1alpha1/shared_types.go
Expand Up @@ -148,6 +148,15 @@ type AdminNetworkPolicyPeer struct {
//
// +optional
Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
// ExternalNetworks defines a way to select ExternalNetworkSets
// that consist of network CIDRs that live outside the cluster as a peer.
// This field follows standard label selector semantics; if present
// but empty, it selects all ExternalNetworkSets defined in the cluster.
//
// Support: Core
//
// +optional
ExternalNetworks *metav1.LabelSelector `json:"externalNetworks,omitempty"`
}

// NamespacedPeer defines a flexible way to select Namespaces in a cluster.
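Review bot: The doc comment on `ExternalNetworks` does not say that the field is only valid on egress (`to`) peers, even though `AdminNetworkPolicyPeer` is shared with ingress `from` lists, which reject it through the XValidation rules added in `adminnetworkpolicy_types.go` and `baselineadminnetworkpolicy_types.go`; a reader of this type alone only learns the restriction when admission fails. Add a line such as `// ExternalNetworks is only valid in egress (to) peers; ingress (from) rules reject it.` It is also worth stating in the comment that the selector matches labels on cluster-scoped ExternalNetworkSet objects, and keeping the "present but empty selects all" sentence prominent, since that is the broadest possible external peer a rule can name. The enclosing struct starts outside this hunk.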
83 changes: 83 additions & 0 deletions apis/v1alpha1/zz_generated.deepcopy.go


2 changes: 2 additions & 0 deletions apis/v1alpha1/zz_generated.register.go


Expand Up @@ -164,6 +164,57 @@ spec:
maxProperties: 1
minProperties: 1
properties:
externalNetworks:
description: "ExternalNetworks defines a way to select
ExternalNetworkSets that consist of network CIDRs that
live outside the cluster as a peer. This field follows
standard label selector semantics; if present but empty,
it selects all ExternalNetworkSets defined in the cluster.
\n Support: Core"
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values
array must be non-empty. If the operator is
Exists or DoesNotExist, the values array must
be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field
is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: "Namespaces defines a way to select a set
of Namespaces. \n Support: Core"
Expand Down Expand Up @@ -493,6 +544,57 @@ spec:
maxProperties: 1
minProperties: 1
properties:
externalNetworks:
description: "ExternalNetworks defines a way to select
ExternalNetworkSets that consist of network CIDRs that
live outside the cluster as a peer. This field follows
standard label selector semantics; if present but empty,
it selects all ExternalNetworkSets defined in the cluster.
\n Support: Core"
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values
array must be non-empty. If the operator is
Exists or DoesNotExist, the values array must
be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field
is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: "Namespaces defines a way to select a set
of Namespaces. \n Support: Core"
Expand Down Expand Up @@ -779,6 +881,8 @@ spec:
x-kubernetes-validations:
- message: cluster-ingress traffic controls are unsupported
rule: self.all(value, !has(value.nodes))
- message: cluster-ingress traffic controls are unsupported
rule: self.all(value, !has(value.externalNetworks))
name:
description: "Name is an identifier for this rule, that may
be no more than 100 characters in length. This field should
