@@ -121,6 +121,13 @@ type PortRange struct {
121121}
122122
123123// AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from.
124+ //
125+ // Note that presence of a Service object with this policy subject as its backend
126+ // has no impact on the behavior of the policy applied to the peer
127+ // trying to talk to the Service. It will work in the same way as if the
128+ // Service didn't exist since policy is applied after ServiceVIP (clusterIP,
129+ // externalIP, loadBalancerIngressIP) is rewritten to the backendIPs.
130+ //
124131// Exactly one of the selector pointers must be set for a given peer. If a
125132// consumer observes none of its fields are set, they must assume an unknown
126133// option has been specified and fail closed.
@@ -145,6 +152,13 @@ type AdminNetworkPolicyIngressPeer struct {
145152}
146153
147154// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
155+ //
156+ // Note that presence of a Service object with this peer as its backend
157+ // has no impact on the behavior of the policy applied to the subject
158+ // trying to talk to the Service. It will work in the same way as if the
159+ // Service didn't exist since policy is applied after ServiceVIP (clusterIP,
160+ // externalIP, loadBalancerIngressIP) is rewritten to the backendIPs.
161+ //
148162// Exactly one of the selector pointers must be set for a given peer. If a
149163// consumer observes none of its fields are set, they must assume an unknown
150164// option has been specified and fail closed.
@@ -175,6 +189,31 @@ type AdminNetworkPolicyEgressPeer struct {
175189 // <network-policy-api:experimental>
176190 // +optional
177191 Nodes * metav1.LabelSelector `json:"nodes,omitempty"`
192+ // Networks defines a way to select peers via CIDR blocks.
193+ // This is intended for representing entities that live outside the cluster,
194+ // which can't be selected by pods, namespaces and nodes peers, but note
195+ // that cluster-internal traffic will be checked against the rule as
196+ // well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
197+ // or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
198+ // add a rule that Passes all pod traffic before the Networks rule.
199+ //
200+ // Note that because policies are applied after Service VIPs (clusterIPs, externalIPs,
201+ // load balancer IPs) are rewritten to endpoint IPs, a Networks selector cannot match
202+ // such a VIP. For example, a Networks selector that denies traffic to the entire
203+ // service CIDR will not actually block any service traffic.
204+ //
205+ // Each item in Networks should be provided in the CIDR format and should be
206+ // IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
207+ //
208+ // Networks can have upto 25 CIDRs specified.
209+ //
210+ // Support: Extended
211+ //
212+ // <network-policy-api:experimental>
213+ // +optional
214+ // +kubebuilder:validation:MinItems=1
215+ // +kubebuilder:validation:MaxItems=25
216+ Networks []CIDR `json:"networks,omitempty"`
178217}
179218
180219// NamespacedPeer defines a flexible way to select Namespaces in a cluster.
@@ -237,3 +276,13 @@ type NamespacedPodPeer struct {
237276 //
238277 PodSelector metav1.LabelSelector `json:"podSelector"`
239278}
279+
280+ // CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
281+ // The regex for the IPv4 and IPv6 CIDR range was taken from
282+ // https://blog.markhatton.co.uk/2011/03/15/regular-expressions-for-ip-addresses-cidr-ranges-and-hostnames/
283+ // The resulting regex is an OR of both regexes. IPv4 address embedded in IPv6 addresses are not supported.
284+ // TODO: Change the CIDR's validation regex to use CEL isCIDR() in Kube 1.31 when it is available.
285+ // +kubebuilder:validation:Pattern=`(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$)`
286+ // +kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported"
287+ // +kubebuilder:validation:MaxLength=43
288+ type CIDR string
0 commit comments