kubernetes-sigs
diff --git a/‎apis/v1alpha1/externalnetworks_types.go‎
Lines changed: 64 additions & 0 deletions b/‎apis/v1alpha1/externalnetworks_types.go‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎apis/v1alpha1/shared_types.go‎
Lines changed: 6 additions & 0 deletions b/‎apis/v1alpha1/shared_types.go‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎apis/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 83 additions & 0 deletions b/‎apis/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 83 additions & 0 deletions
diff --git a/‎apis/v1alpha1/zz_generated.register.go‎
Lines changed: 2 additions & 0 deletions b/‎apis/v1alpha1/zz_generated.register.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎config/crd/policy.networking.k8s.io_adminnetworkpolicies.yaml‎
Lines changed: 100 additions & 0 deletions b/‎config/crd/policy.networking.k8s.io_adminnetworkpolicies.yaml‎
Lines changed: 100 additions & 0 deletions
@@ -0,0 +1,64 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// All fields in this package are required unless Explicitly marked optional
+// +kubebuilder:validation:Required
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:shortName=ens,scope=Cluster
+// +kubebuilder:printcolumn:name="Networks",type=string,JSONPath=".spec.priority"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// ExternalNetworkSet is a cluster level resource that is used to define
+// a set of networks outsides the cluster which can be referred to from
+// the AdminNetworkPolicy && BaselineAdminNetworkPolicy APIs as an external peer
+type ExternalNetworkSet struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+
+	// Specification of the desired behavior of ExternalNetworkSet.
+	Spec ExternalNetworkSetSpec `json:"spec"`
+}
+
+// ExternalNetworkSetSpec defines the desired state of ExternalNetworkSet.
+type ExternalNetworkSetSpec struct {
+	// Networks is the list of NetworkCIDR (both v4 & v6) that can be used to define
+	// external destinations.
+	// A total of 100 CIDRs will be allowed in each NetworkSet instance.
+	// ANP & BANP APIs may use the .spec.in(e)gress.from(to).externalNetworks selector
+	// to select a set of external networks
+	// +optional
+	// +kubebuilder:validation:MaxItems=100
+	Networks []string `json:"networks,omitempty" validate:"omitempty,dive,cidr"`
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// ExternalNetworkSetList contains a list of ExternalNetworkSet
+type ExternalNetworkSetList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ExternalNetworkSet `json:"items"`
+}
@@ -114,6 +114,12 @@ type AdminNetworkPolicyPeer struct {
 	// semantics; if present but empty, it selects all Nodes.
 	// +optional
 	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+	// ExternalNetworks defines a way to select ExternalNetworkSets
+	// that consist of network CIDRs that live outside the cluster as a peer.
+	// This field follows standard label selector semantics; if present
+	// but empty, it selects all ExternalNetworkSets defined in the cluster.
+	// +optional
+	ExternalNetworks *metav1.LabelSelector `json:"externalNetworks,omitempty"`
 }
 
 // NamespacedPeer defines a flexible way to select Namespaces in a cluster.
 
@@ -159,6 +159,56 @@ spec:
                         maxProperties: 1
                         minProperties: 1
                         properties:
+                          externalNetworks:
+                            description: ExternalNetworks defines a way to select
+                              ExternalNetworkSets that consist of network CIDRs that
+                              live outside the cluster as a peer. This field follows
+                              standard label selector semantics; if present but empty,
+                              it selects all ExternalNetworkSets defined in the cluster.
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: A label selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: operator represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: values is an array of string values.
+                                        If the operator is In or NotIn, the values
+                                        array must be non-empty. If the operator is
+                                        Exists or DoesNotExist, the values array must
+                                        be empty. This array is replaced during a
+                                        strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: matchLabels is a map of {key,value} pairs.
+                                  A single {key,value} in the matchLabels map is equivalent
+                                  to an element of matchExpressions, whose key field
+                                  is "key", the operator is "In", and the values array
+                                  contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
                           namespaces:
                             description: Namespaces defines a way to select a set
                               of Namespaces.
@@ -481,6 +531,56 @@ spec:
                         maxProperties: 1
                         minProperties: 1
                         properties:
+                          externalNetworks:
+                            description: ExternalNetworks defines a way to select
+                              ExternalNetworkSets that consist of network CIDRs that
+                              live outside the cluster as a peer. This field follows
+                              standard label selector semantics; if present but empty,
+                              it selects all ExternalNetworkSets defined in the cluster.
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: A label selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: operator represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: values is an array of string values.
+                                        If the operator is In or NotIn, the values
+                                        array must be non-empty. If the operator is
+                                        Exists or DoesNotExist, the values array must
+                                        be empty. This array is replaced during a
+                                        strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: matchLabels is a map of {key,value} pairs.
+                                  A single {key,value} in the matchLabels map is equivalent
+                                  to an element of matchExpressions, whose key field
+                                  is "key", the operator is "In", and the values array
+                                  contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
                           namespaces:
                             description: Namespaces defines a way to select a set
                               of Namespaces.