
Commit 96a7cc3

committed
Implement inline CIDR block egress peer
This PR adds support for inline CIDR peer blocks. Signed-off-by: Surya Seetharaman <[email protected]>
1 parent 5862cce commit 96a7cc3

8 files changed

+213
-42
lines changed

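--- a/apis/v1alpha1/shared_types.go
+++ b/apis/v1alpha1/shared_types.go
@@ -175,6 +175,25 @@ type AdminNetworkPolicyEgressPeer struct {
 // <network-policy-api:experimental>
 // +optional
 Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+// Networks defines a way to select peers via CIDR blocks (both v4 & v6).
+// This is intended for representing entities that live outside the cluster,
+// which can't be selected by pods, namespaces and nodes peers, but note
+// that cluster-internal traffic will be checked against the rule as
+// well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
+// or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
+// add a rule that Passes all pod traffic before the Networks rule.
+//
+// Each item in Networks should be provided in the CIDR format and should be
+// IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
+//
+// Support: Extended
+//
+// <network-policy-api:experimental>
+// +optional
+// +kubebuilder:validation:MinItems=1
+// +kubebuilder:validation:MaxItems=100
+// +kubebuilder:validation:XValidation:rule="self.all(x, isCIDR(x))",message="Invalid CIDR provided"
+Networks []string `json:"networks,omitempty"`
 }
 
 // NamespacedPeer defines a flexible way to select Namespaces in a cluster.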
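Review bot: The `isCIDR(x)` rule on the new `Networks` field only checks that each entry parses as a prefix; if I recall correctly it is backed by netip.ParsePrefix, so an entry with host bits set such as "10.0.0.1/8" is accepted, two spellings of the same block then compare unequal, and an operator can easily read the value as a single host when the implementation treats it as the whole /8. Consider tightening the rule so the entry must equal its masked form (the CEL CIDR library exposes `cidr(x)` and `.masked()`; verify the exact equality form the library supports) or documenting that implementations canonicalise the value. `isCIDR` itself is only present on API servers whose CEL environment has the IP/CIDR library (Kubernetes 1.30 and later, as far as I know), so the minimum supported server version is worth stating next to the marker, since older clusters will reject the CRD rather than the policy. The doc comment tells users to add a rule that Passes all pod traffic before the Networks rule, but the same text is emitted into the BaselineAdminNetworkPolicy CRD in this commit and that resource has no Pass action; the sentence should be scoped to AdminNetworkPolicy. The enclosing struct starts outside the hunk, so I cannot see whether the existing one-of validation across Namespaces, Pods and Nodes was extended to also cover Networks.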

apis/v1alpha1/zz_generated.deepcopy.go

Lines changed: 5 additions & 0 deletions

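--- a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml
+++ b/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml
@@ -206,11 +206,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -249,6 +251,27 @@ spec:
 maxItems: 100
 type: array
 type: object
+networks:
+description: "Networks defines a way to select peers via
+CIDR blocks (both v4 & v6). This is intended for representing
+entities that live outside the cluster, which can't
+be selected by pods, namespaces and nodes peers, but
+note that cluster-internal traffic will be checked against
+the rule as well. So if you Allow or Deny traffic to
+`\"0.0.0.0/0\"`, that will allow or deny all IPv4 pod-to-pod
+traffic as well. If you don't want that, add a rule
+that Passes all pod traffic before the Networks rule.
+\n Each item in Networks should be provided in the CIDR
+format and should be IPv4 or IPv6, for example \"10.0.0.0/8\"
+or \"fd00::/8\". \n Support: Extended \n <network-policy-api:experimental>"
+items:
+type: string
+maxItems: 100
+minItems: 1
+type: array
+x-kubernetes-validations:
+- message: Invalid CIDR provided
+rule: self.all(x, isCIDR(x))
 nodes:
 description: "Nodes defines a way to select a set of nodes
 in the cluster. This field follows standard label selector
@@ -282,11 +305,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -347,11 +372,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -425,11 +452,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -538,11 +567,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -630,11 +661,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -708,11 +741,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -865,11 +900,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -916,11 +953,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -963,11 +1002,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string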

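--- a/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
+++ b/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
@@ -198,11 +198,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -241,6 +243,27 @@ spec:
 maxItems: 100
 type: array
 type: object
+networks:
+description: "Networks defines a way to select peers via
+CIDR blocks (both v4 & v6). This is intended for representing
+entities that live outside the cluster, which can't
+be selected by pods, namespaces and nodes peers, but
+note that cluster-internal traffic will be checked against
+the rule as well. So if you Allow or Deny traffic to
+`\"0.0.0.0/0\"`, that will allow or deny all IPv4 pod-to-pod
+traffic as well. If you don't want that, add a rule
+that Passes all pod traffic before the Networks rule.
+\n Each item in Networks should be provided in the CIDR
+format and should be IPv4 or IPv6, for example \"10.0.0.0/8\"
+or \"fd00::/8\". \n Support: Extended \n <network-policy-api:experimental>"
+items:
+type: string
+maxItems: 100
+minItems: 1
+type: array
+x-kubernetes-validations:
+- message: Invalid CIDR provided
+rule: self.all(x, isCIDR(x))
 nodes:
 description: "Nodes defines a way to select a set of nodes
 in the cluster. This field follows standard label selector
@@ -274,11 +297,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -339,11 +364,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -417,11 +444,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -525,11 +554,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -617,11 +648,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -695,11 +728,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -841,11 +876,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -892,11 +929,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string
@@ -939,11 +978,13 @@ spec:
 items:
 type: string
 type: array
+x-kubernetes-list-type: atomic
 required:
 - key
 - operator
 type: object
 type: array
+x-kubernetes-list-type: atomic
 matchLabels:
 additionalProperties:
 type: string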
