kubernetes-sigs
diff --git a/‎Makefile
Lines changed: 21 additions & 4 deletions b/‎Makefile
Lines changed: 21 additions & 4 deletions
diff --git a/‎cmd/npa-v1alpha2/main.go
Lines changed: 217 additions & 0 deletions b/‎cmd/npa-v1alpha2/main.go
Lines changed: 217 additions & 0 deletions
diff --git a/‎install-cnp.yaml
Lines changed: 112 additions & 0 deletions b/‎install-cnp.yaml
Lines changed: 112 additions & 0 deletions
@@ -12,9 +12,9 @@ REGISTRY?=gcr.io/k8s-staging-networking
 TAG?=$(shell echo "$$(date +v%Y%m%d)-$$(git describe --always --dirty)")
 PLATFORMS?=linux/amd64,linux/arm64
 
-.PHONY: all build build-standard build-npa-v1alpha1
+.PHONY: all build build-standard build-npa-v1alpha1 build-npa-v1alpha2
 all: build
-build: build-standard build-npa-v1alpha1
+build: build-standard build-npa-v1alpha1 build-npa-v1alpha2
 
 build-standard:
 	@echo "Building standard binary..."
@@ -24,6 +24,10 @@ build-npa-v1alpha1:
 	@echo "Building npa-v1alpha1 binary..."
 	go build -o ./bin/kube-network-policies-npa-v1alpha1 ./cmd/npa-v1alpha1
 
+build-npa-v1alpha2:
+	@echo "Building npa-v1alpha2 binary..."
+	go build -o ./bin/kube-network-policies-npa-v1alpha2 ./cmd/npa-v1alpha2
+
 clean:
 	rm -rf "$(OUT_DIR)/"
 
@@ -56,6 +60,12 @@ image-build-npa-v1alpha1: build-npa-v1alpha1
 		--tag="${REGISTRY}/$(IMAGE_NAME):$(TAG)-npa-v1alpha1" \
 		--load
 
+image-build-npa-v1alpha2: build-npa-v1alpha2
+	docker buildx build . \
+		--build-arg TARGET_BUILD=npa-v1alpha2 \
+		--tag="${REGISTRY}/$(IMAGE_NAME):$(TAG)-npa-v1alpha2" \
+		--load
+
 # Individual image push targets (multi-platform)
 image-push-standard: build-standard
 	docker buildx build . \
@@ -71,14 +81,21 @@ image-push-npa-v1alpha1: build-npa-v1alpha1
 		--tag="${REGISTRY}/$(IMAGE_NAME):$(TAG)-npa-v1alpha1" \
 		--push
 
+image-push-npa-v1alpha2: build-npa-v1alpha2
+	docker buildx build . \
+		--build-arg TARGET_BUILD=npa-v1alpha2 \
+		--platform="${PLATFORMS}" \
+		--tag="${REGISTRY}/$(IMAGE_NAME):$(TAG)-npa-v1alpha2" \
+		--push
+
 # --- Aggregate Targets ---
 .PHONY: images-build images-push release
 
 # Build all image variants and load them into the local Docker daemon
-images-build: ensure-buildx image-build-standard image-build-npa-v1alpha1
+images-build: ensure-buildx image-build-standard image-build-npa-v1alpha1 image-build-npa-v1alpha2
 
 # Build and push all multi-platform image variants to the registry
-images-push: ensure-buildx image-push-standard image-push-npa-v1alpha1
+images-push: ensure-buildx image-push-standard image-push-npa-v1alpha1 image-build-npa-v1alpha2
 
 # The main release target, which pushes all images
 release: images-push
@@ -0,0 +1,217 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"net"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"sigs.k8s.io/kube-network-policies/pkg/api"
+	"sigs.k8s.io/kube-network-policies/pkg/cmd"
+	"sigs.k8s.io/kube-network-policies/pkg/dataplane"
+	"sigs.k8s.io/kube-network-policies/pkg/dns"
+	"sigs.k8s.io/kube-network-policies/pkg/networkpolicy"
+	"sigs.k8s.io/kube-network-policies/pkg/podinfo"
+	pluginsnpav1alpha2 "sigs.k8s.io/kube-network-policies/plugins/npa-v1alpha2"
+	npav1alpha2 "sigs.k8s.io/network-policy-api/apis/v1alpha2"
+	npaclient "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned"
+	npainformers "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/component-base/logs"
+	logsapi "k8s.io/component-base/logs/api/v1"
+	_ "k8s.io/component-base/logs/json/register"
+	nodeutil "k8s.io/component-helpers/node/util"
+	"k8s.io/klog/v2"
+)
+
+// This is a pattern to ensure that deferred functions executes before os.Exit
+func main() {
+	os.Exit(run())
+}
+
+func run() int {
+	// Setup logging
+	logCfg := logsapi.NewLoggingConfiguration()
+	logsapi.AddGoFlags(logCfg, flag.CommandLine)
+
+	// Setup flags
+	opts := cmd.NewOptions()
+	opts.AddFlags(flag.CommandLine)
+
+	flag.Parse()
+
+	// init logging
+	logs.InitLogs()
+	if err := logsapi.ValidateAndApply(logCfg, nil); err != nil {
+		fmt.Fprintf(os.Stderr, "%v\n", err)
+		return 1
+	}
+
+	// Create a context for structured logging, and catch termination signals
+	ctx, cancel := signal.NotifyContext(
+		context.Background(), os.Interrupt, syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
+	logger := klog.FromContext(ctx)
+	logger.Info("called", "args", flag.Args())
+
+	flag.VisitAll(func(flag *flag.Flag) {
+		logger.Info("flag", "name", flag.Name, "value", flag.Value)
+	})
+
+	if _, _, err := net.SplitHostPort(opts.MetricsBindAddress); err != nil {
+		logger.Error(err, "parsing metrics bind address", "address", opts.MetricsBindAddress)
+		return 1
+	}
+
+	nodeName, err := nodeutil.GetHostname(opts.HostnameOverride)
+	if err != nil {
+		klog.Fatalf("can not obtain the node name, use the hostname-override flag if you want to set it to a specific value: %v", err)
+	}
+
+	dpCfg := dataplane.Config{
+		FailOpen:            opts.FailOpen,
+		QueueID:             opts.QueueID,
+		NetfilterBug1766Fix: opts.NetfilterBug1766Fix,
+	}
+
+	var config *rest.Config
+	if opts.Kubeconfig != "" {
+		config, err = clientcmd.BuildConfigFromFlags("", opts.Kubeconfig)
+	} else {
+		// creates the in-cluster config
+		config, err = rest.InClusterConfig()
+	}
+	if err != nil {
+		klog.Fatalf("can not create client-go configuration: %v", err)
+	}
+
+	// use protobuf for better performance at scale
+	// https://kubernetes.io/docs/reference/using-api/api-concepts/#alternate-representations-of-resources
+	npaConfig := config // shallow copy because  CRDs does not support proto
+	config.AcceptContentTypes = "application/vnd.kubernetes.protobuf,application/json"
+	config.ContentType = "application/vnd.kubernetes.protobuf"
+
+	// creates the clientset
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		panic(err.Error())
+	}
+
+	informersFactory := informers.NewSharedInformerFactory(clientset, 0)
+	nsInformer := informersFactory.Core().V1().Namespaces()
+	networkPolicyInfomer := informersFactory.Networking().V1().NetworkPolicies()
+	podInformer := informersFactory.Core().V1().Pods()
+	nodeInformer := informersFactory.Core().V1().Nodes()
+
+	// Set the memory-saving transform function on the pod informer.
+	err = podInformer.Informer().SetTransform(func(obj interface{}) (interface{}, error) {
+		if accessor, err := meta.Accessor(obj); err == nil {
+			accessor.SetManagedFields(nil)
+		}
+		return obj, nil
+	})
+	if err != nil {
+		klog.Fatalf("Failed to set pod informer transform: %v", err)
+	}
+
+	npaClient, err := npaclient.NewForConfig(npaConfig)
+	if err != nil {
+		klog.Fatalf("Failed to create Network client: %v", err)
+	}
+	npaInformerFactory := npainformers.NewSharedInformerFactory(npaClient, 0)
+	cnpInformer := npaInformerFactory.Policy().V1alpha2().ClusterNetworkPolicies()
+
+	// Create the Pod IP resolvers.
+	// First, given an IP address they return the Pod name/namespace.
+	informerResolver, err := podinfo.NewInformerResolver(podInformer.Informer())
+	if err != nil {
+		klog.Fatalf("Failed to create informer resolver: %v", err)
+	}
+	resolvers := []podinfo.IPResolver{informerResolver}
+
+	// Create an NRI Pod IP resolver if enabled, since NRI connects to the container runtime
+	// the Pod and IP information is provided at the time the Pod Sandbox is created and before
+	// the containers start running, so policies can be enforced without race conditions.
+	if !opts.DisableNRI {
+		nriIPResolver, err := podinfo.NewNRIResolver(ctx)
+		if err != nil {
+			klog.Infof("failed to create NRI plugin, using apiserver information only: %v", err)
+		}
+		resolvers = append(resolvers, nriIPResolver)
+	}
+
+	// Create the pod info provider to obtain the Pod information
+	// necessary for the network policy evaluation, it uses the resolvers
+	// to obtain the key (Pod name and namespace) and use the informers to obtain
+	// the labels that are necessary to match the network policies.
+	podInfoProvider := podinfo.NewInformerProvider(
+		podInformer,
+		nsInformer,
+		nodeInformer,
+		resolvers)
+
+	// Create the evaluators for the Pipeline to process the packets
+	// and take a network policy action. The evaluators are processed
+	// by the order in the array.
+	evaluators := []api.PolicyEvaluator{}
+
+	// Logging evaluator must go first if enabled.
+	if klog.V(2).Enabled() {
+		evaluators = append(evaluators, networkpolicy.NewLoggingPolicy())
+	}
+
+	// Admin Network Policy need to associate IP addresses to Domains
+	// NewDomainCache implements the interface DomainResolver using
+	// nftables to create a cache with the resolved IP addresses from the
+	// Pod domain queries.
+	domainResolver := dns.NewDomainCache(opts.QueueID + 1)
+	go func() {
+		err := domainResolver.Run(ctx)
+		if err != nil {
+			klog.Infof("domain cache controller exited: %v", err)
+		}
+	}()
+
+	evaluators = append(evaluators, pluginsnpav1alpha2.NewClusterNetworkPolicy(
+		npav1alpha2.AdminTier,
+		cnpInformer,
+		domainResolver,
+	))
+
+	// Standard Network Policy goes after AdminNetworkPolicy and before BaselineAdminNetworkPolicy
+	evaluators = append(evaluators, networkpolicy.NewStandardNetworkPolicy(
+		nodeName,
+		nsInformer,
+		podInformer,
+		networkPolicyInfomer,
+	))
+
+	evaluators = append(evaluators, pluginsnpav1alpha2.NewClusterNetworkPolicy(
+		npav1alpha2.BaselineTier,
+		cnpInformer,
+		domainResolver,
+	))
+
+	informersFactory.Start(ctx.Done())
+	npaInformerFactory.Start(ctx.Done())
+
+	cmd.Start(ctx, networkpolicy.NewPolicyEngine(podInfoProvider, evaluators), dpCfg, opts.MetricsBindAddress)
+
+	<-ctx.Done()
+	logger.Info("Received termination signal, starting cleanup...")
+	// grace period to cleanup resources
+	time.Sleep(5 * time.Second)
+	logger.Info("Cleanup completed, exiting...")
+	return 0
+}
@@ -0,0 +1,112 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kube-network-policies
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - namespaces
+      - nodes
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+     - "networking.k8s.io"
+    resources:
+      - networkpolicies
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+     - "policy.networking.k8s.io"
+    resources:
+      - clusternetworkpolicies
+    verbs:
+      - list
+      - watch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kube-network-policies
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-network-policies
+subjects:
+- kind: ServiceAccount
+  name: kube-network-policies
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-network-policies
+  namespace: kube-system
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: kube-network-policies
+  namespace: kube-system
+  labels:
+    tier: node
+    app: kube-network-policies
+    k8s-app: kube-network-policies
+spec:
+  selector:
+    matchLabels:
+      app: kube-network-policies
+  template:
+    metadata:
+      labels:
+        tier: node
+        app: kube-network-policies
+        k8s-app: kube-network-policies
+    spec:
+      hostNetwork: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      tolerations:
+      - operator: Exists
+        effect: NoSchedule
+      serviceAccountName: kube-network-policies
+      containers:
+      - name: kube-network-policies
+        image: registry.k8s.io/networking/kube-network-policies:v0.8.0-npa-v1alpha2
+        args:
+        - /bin/netpol
+        - --hostname-override=$(MY_NODE_NAME)
+        - --v=4
+        - --nfqueue-id=89
+        volumeMounts:
+        - name: nri-plugin
+          mountPath: /var/run/nri
+        - name: netns
+          mountPath: /var/run/netns
+          mountPropagation: HostToContainer
+        resources:
+          requests:
+            cpu: "100m"
+            memory: "50Mi"
+        securityContext:
+          privileged: true
+          capabilities:
+            add: ["NET_ADMIN"]
+        env:
+        - name: MY_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+      volumes:
+      - name: nri-plugin
+        hostPath:
+          path: /var/run/nri
+      - name: netns
+        hostPath:
+          path: /var/run/netns
+---