Merge from release-v1.1.0 to main (#203)

<!--  Thanks for sending a pull request!  Here are some tips for you:
1. Ensure you have added the unit tests for your changes.
2. Ensure you have included output of manual testing done in the Testing
section.
3. Ensure number of lines of code for new or existing methods are within
the reasonable limit.
4. Ensure your change works on existing clusters after upgrade.
-->
**What type of PR is this?**

<!--
Add one of the following:
bug
cleanup
documentation
feature
-->

**Which issue does this PR fix**:


**What does this PR do / Why do we need it**:


**If an issue # is not available please add steps to reproduce and the
controller logs**:


**Testing done on this change**:
<!--
output of manual testing/integration tests results and also attach logs
showing the fix being resolved
-->

**Automation added to e2e**:
<!--
List the e2e tests you added as part of this PR.
If no, create an issue with enhancement/testing label
-->

**Will this PR introduce any new dependencies?**:
<!--
e.g. new K8s API
-->

**Will this break upgrades or downgrades. Has updating a running cluster
been tested?**:


**Does this PR introduce any user-facing change?**:
<!--
If yes, a release note update is required:
Enter your extended release note in the block below. If the PR requires
additional actions
from users switching to the new release, include the string "action
required".
-->

```release-note

```

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Author: oliviassss

.github/workflows/pr-tests.yaml

@@ -31,6 +31,7 @@ jobs:
           go install golang.org/x/tools/cmd/goimports@latest
       - name: Run code checks
         run: |
+          make prepare-embed
           make check-format
           make vet
       - name: Build
@@ -42,9 +43,17 @@ jobs:
   docker-build:
     name: Build Docker images
     runs-on: ubuntu-latest
+    env:
+      GOTOOLCHAIN: auto
     steps:
       - name: Checkout latest commit in the PR
         uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
+          check-latest: true
+          cache-dependency-path: "**/go.sum"
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx

.go-version

@@ -1 +1 @@
-1.23
+1.25.5

Dockerfile

@@ -24,7 +24,7 @@ COPY internal/ internal/
 
 
 # Copy CRD file for embedding
-COPY charts/amazon-network-policy-controller-k8s/crds/crds.yaml pkg/crd/crds.yaml
+COPY pkg/crd/crds.yaml pkg/crd/crds.yaml
 # Short-term workaround for controller-gen version mismatch, should remove once the CRD removed from vpc-cni addon
 RUN sed -i 's/controller-gen.kubebuilder.io\/version: v[0-9]\+\.[0-9]\+\.[0-9]\+/controller-gen.kubebuilder.io\/version: v0.11.3/' pkg/crd/crds.yaml
 

Makefile

@@ -76,14 +76,14 @@ vet: ## Run go vet against code.
 	go vet ./...
 
 .PHONY: test
-test: manifests generate fmt vet envtest ## Run tests.
+test: manifests generate fmt vet envtest prepare-embed ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out
 
 ##@ Build
 .PHONY: prepare-embed
 prepare-embed: ## Prepare files for go:embed.
-	cp charts/amazon-network-policy-controller-k8s/crds/crds.yaml pkg/crd/crds.yaml
-	sed -i 's/controller-gen.kubebuilder.io\/version: v[0-9]\+\.[0-9]\+\.[0-9]\+/controller-gen.kubebuilder.io\/version: v0.11.3/' pkg/crd/crds.yaml
+	cat config/crd/bases/*.yaml > pkg/crd/crds.yaml
+	sed -i '1834s/v0\.17\.0/v0.11.3/' pkg/crd/crds.yaml
 
 
 .PHONY: build
@@ -144,7 +144,7 @@ MOCKGEN ?= $(LOCALBIN)/mockgen
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.4.3
-CONTROLLER_TOOLS_VERSION ?= v0.16.3
+CONTROLLER_TOOLS_VERSION ?= v0.17.0
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize

README.md

@@ -17,6 +17,47 @@ The controller does not require any IAM policies. It does not make AWS API calls
 - Kubernetes Version - 1.25+
 - Amazon VPC CNI version - 1.14.0+
 
+## Deploy Controller on Dataplane for Development Testing
+
+To deploy the network policy controller on dataplane nodes for development and testing:
+
+1. **Deploy the controller:**
+This will deploy the image specified in helm chart
+   ```bash
+   make deploy-controller-on-dataplane
+   ```
+If want to deploy a custom image, you can use the cmd
+   ```bash
+   make deploy-controller-on-dataplane NP_CONTROLLER_IMAGE=<your-image-repository> NP_CONTROLLER_TAG=<your-image-tag>
+   ```
+Verify the image deployed
+```bash
+kubectl get deployment amazon-network-policy-controller-k8s -n kube-system | grep -i image
+```
+
+**Optional steps (only needed if using custom images with additional CRDs/permissions):**
+
+2. **Apply updated RBAC permissions:**
+   ```bash
+   kubectl apply -f config/rbac/role.yaml
+   ```
+
+3. **Apply latest CRDs:**
+   ```bash
+   kubectl apply -f config/crd/bases/
+   ```
+
+4. **Restart controller to pick up new permissions:**
+   ```bash
+   kubectl rollout restart deployment/amazon-network-policy-controller-k8s -n kube-system
+   ```
+
+**Verify deployment:**
+```bash
+kubectl get deployment amazon-network-policy-controller-k8s -n kube-system
+kubectl logs deployment/amazon-network-policy-controller-k8s -n kube-system
+```
+
 ## Security Disclosures 
 
 If you think you’ve found a potential security issue, please do not post it in the Issues. Instead, please follow the

api/v1alpha1/applicationnetworkpolicy_types.go

@@ -0,0 +1,169 @@
+/*
+Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	networking "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ApplicationNetworkPolicySpec defines the desired state of ApplicationNetworkPolicy
+type ApplicationNetworkPolicySpec struct {
+	// PodSelector selects the pods to which this ApplicationNetworkPolicy object applies.
+	PodSelector metav1.LabelSelector `json:"podSelector"`
+
+	// PolicyTypes is a list of rule types that the ApplicationNetworkPolicy relates to.
+	// Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"].
+	// If this field is not specified, it will default based on the existence of ingress or egress rules.
+	// +optional
+	PolicyTypes []networking.PolicyType `json:"policyTypes,omitempty"`
+
+	// Ingress is a list of ingress rules to be applied to the selected pods.
+	// Traffic is allowed to a pod if there are no ApplicationNetworkPolicies selecting the pod
+	// (and cluster policy otherwise allows the traffic), OR if the traffic source is
+	// the pod's local node, OR if the traffic matches at least one ingress rule
+	// across all of the ApplicationNetworkPolicy objects whose podSelector matches the pod.
+	// +optional
+	Ingress []networking.NetworkPolicyIngressRule `json:"ingress,omitempty"`
+
+	// Egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
+	// is allowed if there are no ApplicationNetworkPolicies selecting the pod (and cluster policy
+	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
+	// across all of the ApplicationNetworkPolicy objects whose podSelector matches the pod.
+	// +optional
+	Egress []ApplicationNetworkPolicyEgressRule `json:"egress,omitempty"`
+}
+
+// DomainName describes one or more domain names to be used as a peer.
+//
+// DomainName can be an exact match, or use the wildcard specifier '*' to match
+// one or more labels.
+//
+// '*', the wildcard specifier, matches one or more entire labels. It does not
+// support partial matches. '*' may only be specified as a prefix.
+//
+//	Examples:
+//	  - `kubernetes.io` matches only `kubernetes.io`.
+//	    It does not match "www.kubernetes.io", "blog.kubernetes.io",
+//	    "my-kubernetes.io", or "wikipedia.org".
+//	  - `blog.kubernetes.io` matches only "blog.kubernetes.io".
+//	    It does not match "www.kubernetes.io" or "kubernetes.io".
+//	  - `*.kubernetes.io` matches subdomains of kubernetes.io.
+//	    "www.kubernetes.io", "blog.kubernetes.io", and
+//	    "latest.blog.kubernetes.io" match, however "kubernetes.io", and
+//	    "wikipedia.org" do not.
+//
+// +kubebuilder:validation:Pattern=`^(\*\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\.?$`
+type DomainName string
+
+// ApplicationNetworkPolicyPeer describes a peer to allow traffic to/from.
+// Only certain combinations of fields are allowed
+// +kubebuilder:validation:XValidation:rule="!(has(self.ipBlock) && has(self.domainNames))",message="ipBlock and domainNames are mutually exclusive"
+// +kubebuilder:validation:XValidation:rule="!(has(self.podSelector) && has(self.domainNames))",message="podSelector and domainNames are mutually exclusive"
+// +kubebuilder:validation:XValidation:rule="!(has(self.namespaceSelector) && has(self.domainNames))",message="namespaceSelector and domainNames are mutually exclusive"
+type ApplicationNetworkPolicyPeer struct {
+	// PodSelector is a label selector which selects pods. This field follows standard label
+	// selector semantics; if present but empty, it selects all pods.
+	//
+	// If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+	// the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+	// Otherwise it selects the pods matching podSelector in the policy's own namespace.
+	// +optional
+	PodSelector *metav1.LabelSelector `json:"podSelector,omitempty"`
+
+	// NamespaceSelector selects namespaces using cluster-scoped labels. This field follows
+	// standard label selector semantics; if present but empty, it selects all namespaces.
+	//
+	// If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+	// the pods matching podSelector in the namespaces selected by namespaceSelector.
+	// Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+
+	// IPBlock defines policy on a particular IPBlock. If this field is set then
+	// neither of the other fields can be.
+	// +optional
+	IPBlock *networking.IPBlock `json:"ipBlock,omitempty"`
+
+	// DomainNames provides a way to specify domain names as peers.
+	//
+	// DomainNames is only supported for Allow rules. In order to control
+	// access, DomainNames Allow rules should be used with a lower priority
+	// egress deny -- this allows the admin to maintain an explicit "allowlist"
+	// of reachable domains.
+	//
+	// This field is mutually exclusive with PodSelector, NamespaceSelector, and IPBlock.
+	// FQDN rules are ALLOW-only and do not support DENY semantics.
+	//
+	// +optional
+	// +listType=set
+	// +kubebuilder:validation:MinItems=1
+	DomainNames []DomainName `json:"domainNames,omitempty"`
+}
+
+// ApplicationNetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by an ApplicationNetworkPolicySpec's podSelector. The traffic must match both ports and to.
+type ApplicationNetworkPolicyEgressRule struct {
+	// Ports is a list of destination ports for outgoing traffic.
+	// Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
+	// +optional
+	Ports []networking.NetworkPolicyPort `json:"ports,omitempty"`
+
+	// To is a list of destinations for outgoing traffic of pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all destinations (traffic not restricted by
+	// destination). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the to list.
+	// +optional
+	To []ApplicationNetworkPolicyPeer `json:"to,omitempty"`
+}
+
+// ApplicationNetworkPolicyStatus defines the observed state of ApplicationNetworkPolicy
+type ApplicationNetworkPolicyStatus struct {
+	// Conditions represent the latest available observations of the ApplicationNetworkPolicy's current state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:shortName=anp
+
+// ApplicationNetworkPolicy is the Schema for the applicationnetworkpolicies API
+type ApplicationNetworkPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ApplicationNetworkPolicySpec   `json:"spec,omitempty"`
+	Status ApplicationNetworkPolicyStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// ApplicationNetworkPolicyList contains a list of ApplicationNetworkPolicy
+type ApplicationNetworkPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ApplicationNetworkPolicy `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ApplicationNetworkPolicy{}, &ApplicationNetworkPolicyList{})
+}