
Commit 0873bf8

committed
Add support for selecting nodes as peers
Some FTR things:
1) As a peer a user can select either namespaces, or pods or nodes. In a given rule more than 1 type of selection is not allowed.
2) An empty node selector means it selects all nodes in the cluster.
3) Nodes can be referred to only from egress rule peers, since we only support northbound use cases.

Signed-off-by: Surya Seetharaman <[email protected]>
1 parent 778a9a1 commit 0873bf8

8 files changed

+419
-0
lines changed

apis/v1alpha1/adminnetworkpolicy_types.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -136,6 +136,7 @@ type AdminNetworkPolicyIngressRule struct {
136136
//
137137
// +kubebuilder:validation:MinItems=1
138138
// +kubebuilder:validation:MaxItems=100
139+
// +kubebuilder:validation:XValidation:rule="self.all(value, !has(value.nodes))",message="cluster-ingress traffic controls are unsupported"
139140
From []AdminNetworkPolicyPeer `json:"from"`
140141

141142
// Ports allows for matching traffic based on port and protocols.
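Review bot: missing documentation on `From`: the new `XValidation` marker rejects any ingress peer that sets `nodes`, which is the right place to enforce the egress-only rule from the commit message, but a user only learns of it when admission fails. Add a sentence to the `//` doc comment above the marker stating that `nodes` is not accepted in ingress peers, so the restriction also reaches the generated CRD description and the API reference.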

apis/v1alpha1/baselineadminnetworkpolicy_types.go

Lines changed: 1 addition & 0 deletions
@@ -119,6 +119,7 @@ type BaselineAdminNetworkPolicyIngressRule struct {
119119
// Support: Core
120120
//
121121
// +kubebuilder:validation:MinItems=1
122+
// +kubebuilder:validation:XValidation:rule="self.all(value, !has(value.nodes))",message="cluster-ingress traffic controls are unsupported"
122123
From []AdminNetworkPolicyPeer `json:"from"`
123124

124125
// Ports allows for matching traffic based on port and protocols.
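Review bot: inconsistency with the ANP type: this `From` list carries only `// +kubebuilder:validation:MinItems=1` before the new rule, whereas `AdminNetworkPolicyIngressRule` also has `// +kubebuilder:validation:MaxItems=100`. Since the added `self.all(...)` rule is evaluated over the whole list, consider adding the same `MaxItems` marker here for parity; it also gives the CEL cost estimator a real bound. As in the ANP hunk, the doc comment should say that `nodes` peers are rejected for ingress.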

apis/v1alpha1/shared_types.go

Lines changed: 8 additions & 0 deletions
@@ -140,6 +140,14 @@ type AdminNetworkPolicyPeer struct {
140140
//
141141
// +optional
142142
Pods *NamespacedPodPeer `json:"pods,omitempty"`
143+
// Nodes defines a way to select a set of nodes in
144+
// in the cluster. This field follows standard label selector
145+
// semantics; if present but empty, it selects all Nodes.
146+
//
147+
// Support: Core
148+
//
149+
// +optional
150+
Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
143151
}
144152

145153
// NamespacedPeer defines a flexible way to select Namespaces in a cluster.
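Review bot: typo in the new doc comment: `select a set of nodes in` followed by `in the cluster` duplicates `in` across the line break, and controller-gen copies it verbatim into every generated CRD description (the same defect is already visible in the `Pods` context, `in in a set of namespaces`); drop one `in` and regenerate. The comment should also state that `Nodes` is only honoured in egress peers, since ingress rules reject it via the new CEL rule. Finally, the commit message says at most one of `Namespaces`, `Pods` or `Nodes` may be set in a peer, but this hunk adds the field as plain `// +optional` and shows no marker enforcing that; if the struct does not already carry `// +kubebuilder:validation:MinProperties=1` and `// +kubebuilder:validation:MaxProperties=1` outside the hunk, add them so the constraint is enforced at admission rather than left to each implementation.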

apis/v1alpha1/zz_generated.deepcopy.go

Lines changed: 5 additions & 0 deletions

config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml

Lines changed: 101 additions & 0 deletions
@@ -247,6 +247,55 @@ spec:
247247
maxItems: 100
248248
type: array
249249
type: object
250+
nodes:
251+
description: "Nodes defines a way to select a set of nodes
252+
in in the cluster. This field follows standard label
253+
selector semantics; if present but empty, it selects
254+
all Nodes. \n Support: Core"
255+
properties:
256+
matchExpressions:
257+
description: matchExpressions is a list of label selector
258+
requirements. The requirements are ANDed.
259+
items:
260+
description: A label selector requirement is a selector
261+
that contains values, a key, and an operator that
262+
relates the key and values.
263+
properties:
264+
key:
265+
description: key is the label key that the selector
266+
applies to.
267+
type: string
268+
operator:
269+
description: operator represents a key's relationship
270+
to a set of values. Valid operators are In,
271+
NotIn, Exists and DoesNotExist.
272+
type: string
273+
values:
274+
description: values is an array of string values.
275+
If the operator is In or NotIn, the values
276+
array must be non-empty. If the operator is
277+
Exists or DoesNotExist, the values array must
278+
be empty. This array is replaced during a
279+
strategic merge patch.
280+
items:
281+
type: string
282+
type: array
283+
required:
284+
- key
285+
- operator
286+
type: object
287+
type: array
288+
matchLabels:
289+
additionalProperties:
290+
type: string
291+
description: matchLabels is a map of {key,value} pairs.
292+
A single {key,value} in the matchLabels map is equivalent
293+
to an element of matchExpressions, whose key field
294+
is "key", the operator is "In", and the values array
295+
contains only "value". The requirements are ANDed.
296+
type: object
297+
type: object
298+
x-kubernetes-map-type: atomic
250299
pods:
251300
description: "Pods defines a way to select a set of pods
252301
in in a set of namespaces. \n Support: Core"
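Review bot: the generated `nodes.description` carries the `in in the cluster` typo from the Go doc comment in `shared_types.go`; fix it at the source and regenerate the CRDs rather than editing this file by hand. `x-kubernetes-map-type: atomic` on the selector is the expected output for a `metav1.LabelSelector`, so nothing else in this block stands out.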
@@ -527,6 +576,55 @@ spec:
527576
maxItems: 100
528577
type: array
529578
type: object
579+
nodes:
580+
description: "Nodes defines a way to select a set of nodes
581+
in in the cluster. This field follows standard label
582+
selector semantics; if present but empty, it selects
583+
all Nodes. \n Support: Core"
584+
properties:
585+
matchExpressions:
586+
description: matchExpressions is a list of label selector
587+
requirements. The requirements are ANDed.
588+
items:
589+
description: A label selector requirement is a selector
590+
that contains values, a key, and an operator that
591+
relates the key and values.
592+
properties:
593+
key:
594+
description: key is the label key that the selector
595+
applies to.
596+
type: string
597+
operator:
598+
description: operator represents a key's relationship
599+
to a set of values. Valid operators are In,
600+
NotIn, Exists and DoesNotExist.
601+
type: string
602+
values:
603+
description: values is an array of string values.
604+
If the operator is In or NotIn, the values
605+
array must be non-empty. If the operator is
606+
Exists or DoesNotExist, the values array must
607+
be empty. This array is replaced during a
608+
strategic merge patch.
609+
items:
610+
type: string
611+
type: array
612+
required:
613+
- key
614+
- operator
615+
type: object
616+
type: array
617+
matchLabels:
618+
additionalProperties:
619+
type: string
620+
description: matchLabels is a map of {key,value} pairs.
621+
A single {key,value} in the matchLabels map is equivalent
622+
to an element of matchExpressions, whose key field
623+
is "key", the operator is "In", and the values array
624+
contains only "value". The requirements are ANDed.
625+
type: object
626+
type: object
627+
x-kubernetes-map-type: atomic
530628
pods:
531629
description: "Pods defines a way to select a set of pods
532630
in in a set of namespaces. \n Support: Core"
@@ -678,6 +776,9 @@ spec:
678776
maxItems: 100
679777
minItems: 1
680778
type: array
779+
x-kubernetes-validations:
780+
- message: cluster-ingress traffic controls are unsupported
781+
rule: self.all(value, !has(value.nodes))
681782
name:
682783
description: "Name is an identifier for this rule, that may
683784
be no more than 100 characters in length. This field should
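Review bot: the array-level `x-kubernetes-validations` entry reports one message for the whole `from` list and does not say which element set `nodes`; that is acceptable for a list capped at `maxItems: 100`, but the message `cluster-ingress traffic controls are unsupported` is hard to act on for a user who does not know the term. Consider a message that names the field, for example `nodes may only be set in egress (to) peers`.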

config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml

Lines changed: 101 additions & 0 deletions
@@ -239,6 +239,55 @@ spec:
239239
maxItems: 100
240240
type: array
241241
type: object
242+
nodes:
243+
description: "Nodes defines a way to select a set of nodes
244+
in in the cluster. This field follows standard label
245+
selector semantics; if present but empty, it selects
246+
all Nodes. \n Support: Core"
247+
properties:
248+
matchExpressions:
249+
description: matchExpressions is a list of label selector
250+
requirements. The requirements are ANDed.
251+
items:
252+
description: A label selector requirement is a selector
253+
that contains values, a key, and an operator that
254+
relates the key and values.
255+
properties:
256+
key:
257+
description: key is the label key that the selector
258+
applies to.
259+
type: string
260+
operator:
261+
description: operator represents a key's relationship
262+
to a set of values. Valid operators are In,
263+
NotIn, Exists and DoesNotExist.
264+
type: string
265+
values:
266+
description: values is an array of string values.
267+
If the operator is In or NotIn, the values
268+
array must be non-empty. If the operator is
269+
Exists or DoesNotExist, the values array must
270+
be empty. This array is replaced during a
271+
strategic merge patch.
272+
items:
273+
type: string
274+
type: array
275+
required:
276+
- key
277+
- operator
278+
type: object
279+
type: array
280+
matchLabels:
281+
additionalProperties:
282+
type: string
283+
description: matchLabels is a map of {key,value} pairs.
284+
A single {key,value} in the matchLabels map is equivalent
285+
to an element of matchExpressions, whose key field
286+
is "key", the operator is "In", and the values array
287+
contains only "value". The requirements are ANDed.
288+
type: object
289+
type: object
290+
x-kubernetes-map-type: atomic
242291
pods:
243292
description: "Pods defines a way to select a set of pods
244293
in in a set of namespaces. \n Support: Core"
@@ -513,6 +562,55 @@ spec:
513562
maxItems: 100
514563
type: array
515564
type: object
565+
nodes:
566+
description: "Nodes defines a way to select a set of nodes
567+
in in the cluster. This field follows standard label
568+
selector semantics; if present but empty, it selects
569+
all Nodes. \n Support: Core"
570+
properties:
571+
matchExpressions:
572+
description: matchExpressions is a list of label selector
573+
requirements. The requirements are ANDed.
574+
items:
575+
description: A label selector requirement is a selector
576+
that contains values, a key, and an operator that
577+
relates the key and values.
578+
properties:
579+
key:
580+
description: key is the label key that the selector
581+
applies to.
582+
type: string
583+
operator:
584+
description: operator represents a key's relationship
585+
to a set of values. Valid operators are In,
586+
NotIn, Exists and DoesNotExist.
587+
type: string
588+
values:
589+
description: values is an array of string values.
590+
If the operator is In or NotIn, the values
591+
array must be non-empty. If the operator is
592+
Exists or DoesNotExist, the values array must
593+
be empty. This array is replaced during a
594+
strategic merge patch.
595+
items:
596+
type: string
597+
type: array
598+
required:
599+
- key
600+
- operator
601+
type: object
602+
type: array
603+
matchLabels:
604+
additionalProperties:
605+
type: string
606+
description: matchLabels is a map of {key,value} pairs.
607+
A single {key,value} in the matchLabels map is equivalent
608+
to an element of matchExpressions, whose key field
609+
is "key", the operator is "In", and the values array
610+
contains only "value". The requirements are ANDed.
611+
type: object
612+
type: object
613+
x-kubernetes-map-type: atomic
516614
pods:
517615
description: "Pods defines a way to select a set of pods
518616
in in a set of namespaces. \n Support: Core"
@@ -663,6 +761,9 @@ spec:
663761
type: object
664762
minItems: 1
665763
type: array
764+
x-kubernetes-validations:
765+
- message: cluster-ingress traffic controls are unsupported
766+
rule: self.all(value, !has(value.nodes))
666767
name:
667768
description: "Name is an identifier for this rule, that may
668769
be no more than 100 characters in length. This field should
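Review bot: this `x-kubernetes-validations` rule sits on a `from` array that, unlike the ANP equivalent, shows `minItems: 1` with no `maxItems`; the API server's CEL cost estimator has to assume a worst-case list length derived from the maximum request size for unbounded arrays, so although `!has(value.nodes)` is cheap per element, adding a `maxItems` bound (as the ANP CRD already has) keeps the estimated cost predictable and the two CRDs consistent.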
