Split peers into ingress&&egress

This resulted from discussions in network-policy-api
meetings and after consulting apiserver team for best
practices.
So far ingress and egress peer expressions were symmetric.
However moving forward, since we are adding support for
egress (northbound) peers and fqdn which might have
differences compared to what we want to allow for ingress,
we have decided to split the peers into ingress and egress.

Signed-off-by: Surya Seetharaman <[email protected]>

Author: tssurya

apis/v1alpha1/adminnetworkpolicy_types.go

@@ -128,15 +128,15 @@ type AdminNetworkPolicyIngressRule struct {
 	Action AdminNetworkPolicyRuleAction `json:"action"`
 
 	// From is the list of sources whose traffic this rule applies to.
-	// If any AdminNetworkPolicyPeer matches the source of incoming
+	// If any AdminNetworkPolicyIngressPeer matches the source of incoming
 	// traffic then the specified action is applied.
 	// This field must be defined and contain at least one item.
 	//
 	// Support: Core
 	//
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
-	From []AdminNetworkPolicyPeer `json:"from"`
+	From []AdminNetworkPolicyIngressPeer `json:"from"`
 
 	// Ports allows for matching traffic based on port and protocols.
 	// This field is a list of ports which should be matched on
@@ -180,18 +180,18 @@ type AdminNetworkPolicyEgressRule struct {
 	Action AdminNetworkPolicyRuleAction `json:"action"`
 
 	// To is the List of destinations whose traffic this rule applies to.
-	// If any AdminNetworkPolicyPeer matches the destination of outgoing
+	// If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
 	// traffic then the specified action is applied.
 	// This field must be defined and contain at least one item.
 	//
 	// Support: Core
 	//
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
-	To []AdminNetworkPolicyPeer `json:"to"`
+	To []AdminNetworkPolicyEgressPeer `json:"to"`
 
 	// Ports allows for matching traffic based on port and protocols.
-	// This field is a list of destination ports for the outging egress traffic.
+	// This field is a list of destination ports for the outgoing egress traffic.
 	// If Ports is not set then the rule does not filter traffic via port.
 	//
 	// Support: Core

apis/v1alpha1/baselineadminnetworkpolicy_types.go

@@ -112,15 +112,15 @@ type BaselineAdminNetworkPolicyIngressRule struct {
 	Action BaselineAdminNetworkPolicyRuleAction `json:"action"`
 
 	// From is the list of sources whose traffic this rule applies to.
-	// If any AdminNetworkPolicyPeer matches the source of incoming
+	// If any AdminNetworkPolicyIngressPeer matches the source of incoming
 	// traffic then the specified action is applied.
 	// This field must be defined and contain at least one item.
 	//
 	// Support: Core
 	//
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
-	From []AdminNetworkPolicyPeer `json:"from"`
+	From []AdminNetworkPolicyIngressPeer `json:"from"`
 
 	// Ports allows for matching traffic based on port and protocols.
 	// This field is a list of ports which should be matched on
@@ -160,15 +160,15 @@ type BaselineAdminNetworkPolicyEgressRule struct {
 	Action BaselineAdminNetworkPolicyRuleAction `json:"action"`
 
 	// To is the list of destinations whose traffic this rule applies to.
-	// If any AdminNetworkPolicyPeer matches the destination of outgoing
+	// If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
 	// traffic then the specified action is applied.
 	// This field must be defined and contain at least one item.
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
 	//
 	// Support: Core
 	//
-	To []AdminNetworkPolicyPeer `json:"to"`
+	To []AdminNetworkPolicyEgressPeer `json:"to"`
 
 	// Ports allows for matching traffic based on port and protocols.
 	// This field is a list of destination ports for the outging egress traffic.

apis/v1alpha1/shared_types.go

@@ -120,13 +120,37 @@ type PortRange struct {
 	End int32 `json:"end"`
 }
 
-// AdminNetworkPolicyPeer defines an in-cluster peer to allow traffic to/from.
+// AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from.
 // Exactly one of the selector pointers must be set for a given peer. If a
 // consumer observes none of its fields are set, they must assume an unknown
 // option has been specified and fail closed.
 // +kubebuilder:validation:MaxProperties=1
 // +kubebuilder:validation:MinProperties=1
-type AdminNetworkPolicyPeer struct {
+type AdminNetworkPolicyIngressPeer struct {
+	// Namespaces defines a way to select all pods within a set of Namespaces.
+	// Note that host-networked pods are not included in this type of peer.
+	//
+	// Support: Core
+	//
+	// +optional
+	Namespaces *NamespacedPeer `json:"namespaces,omitempty"`
+	// Pods defines a way to select a set of pods in
+	// in a set of namespaces. Note that host-networked pods
+	// are not included in this type of peer.
+	//
+	// Support: Core
+	//
+	// +optional
+	Pods *NamespacedPodPeer `json:"pods,omitempty"`
+}
+
+// AdminNetworkPolicyEgressPeer defines an in-cluster peer to allow traffic to.
+// Exactly one of the selector pointers must be set for a given peer. If a
+// consumer observes none of its fields are set, they must assume an unknown
+// option has been specified and fail closed.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type AdminNetworkPolicyEgressPeer struct {
 	// Namespaces defines a way to select all pods within a set of Namespaces.
 	// Note that host-networked pods are not included in this type of peer.
 	//

apis/v1alpha1/zz_generated.deepcopy.go

@@ -82,8 +82,8 @@ spec:
                     ports:
                       description: "Ports allows for matching traffic based on port
                         and protocols. This field is a list of destination ports for
-                        the outging egress traffic. If Ports is not set then the rule
-                        does not filter traffic via port. \n Support: Core"
+                        the outgoing egress traffic. If Ports is not set then the
+                        rule does not filter traffic via port. \n Support: Core"
                       items:
                         description: AdminNetworkPolicyPort describes how to select
                           network ports on pod(s). Exactly one field must be set.
@@ -151,16 +151,16 @@ spec:
                       type: array
                     to:
                       description: "To is the List of destinations whose traffic this
-                        rule applies to. If any AdminNetworkPolicyPeer matches the
-                        destination of outgoing traffic then the specified action
+                        rule applies to. If any AdminNetworkPolicyEgressPeer matches
+                        the destination of outgoing traffic then the specified action
                         is applied. This field must be defined and contain at least
                         one item. \n Support: Core"
                       items:
-                        description: AdminNetworkPolicyPeer defines an in-cluster
-                          peer to allow traffic to/from. Exactly one of the selector
-                          pointers must be set for a given peer. If a consumer observes
-                          none of its fields are set, they must assume an unknown
-                          option has been specified and fail closed.
+                        description: AdminNetworkPolicyEgressPeer defines an in-cluster
+                          peer to allow traffic to. Exactly one of the selector pointers
+                          must be set for a given peer. If a consumer observes none
+                          of its fields are set, they must assume an unknown option
+                          has been specified and fail closed.
                         maxProperties: 1
                         minProperties: 1
                         properties:
@@ -435,13 +435,13 @@ spec:
                       type: string
                     from:
                       description: "From is the list of sources whose traffic this
-                        rule applies to. If any AdminNetworkPolicyPeer matches the
-                        source of incoming traffic then the specified action is applied.
-                        This field must be defined and contain at least one item.
-                        \n Support: Core"
+                        rule applies to. If any AdminNetworkPolicyIngressPeer matches
+                        the source of incoming traffic then the specified action is
+                        applied. This field must be defined and contain at least one
+                        item. \n Support: Core"
                       items:
-                        description: AdminNetworkPolicyPeer defines an in-cluster
-                          peer to allow traffic to/from. Exactly one of the selector
+                        description: AdminNetworkPolicyIngressPeer defines an in-cluster
+                          peer to allow traffic from. Exactly one of the selector
                           pointers must be set for a given peer. If a consumer observes
                           none of its fields are set, they must assume an unknown
                           option has been specified and fail closed.

config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml

@@ -143,16 +143,16 @@ spec:
                       type: array
                     to:
                       description: "To is the list of destinations whose traffic this
-                        rule applies to. If any AdminNetworkPolicyPeer matches the
-                        destination of outgoing traffic then the specified action
+                        rule applies to. If any AdminNetworkPolicyEgressPeer matches
+                        the destination of outgoing traffic then the specified action
                         is applied. This field must be defined and contain at least
                         one item. \n Support: Core"
                       items:
-                        description: AdminNetworkPolicyPeer defines an in-cluster
-                          peer to allow traffic to/from. Exactly one of the selector
-                          pointers must be set for a given peer. If a consumer observes
-                          none of its fields are set, they must assume an unknown
-                          option has been specified and fail closed.
+                        description: AdminNetworkPolicyEgressPeer defines an in-cluster
+                          peer to allow traffic to. Exactly one of the selector pointers
+                          must be set for a given peer. If a consumer observes none
+                          of its fields are set, they must assume an unknown option
+                          has been specified and fail closed.
                         maxProperties: 1
                         minProperties: 1
                         properties:
@@ -422,13 +422,13 @@ spec:
                       type: string
                     from:
                       description: "From is the list of sources whose traffic this
-                        rule applies to. If any AdminNetworkPolicyPeer matches the
-                        source of incoming traffic then the specified action is applied.
-                        This field must be defined and contain at least one item.
-                        \n Support: Core"
+                        rule applies to. If any AdminNetworkPolicyIngressPeer matches
+                        the source of incoming traffic then the specified action is
+                        applied. This field must be defined and contain at least one
+                        item. \n Support: Core"
                       items:
-                        description: AdminNetworkPolicyPeer defines an in-cluster
-                          peer to allow traffic to/from. Exactly one of the selector
+                        description: AdminNetworkPolicyIngressPeer defines an in-cluster
+                          peer to allow traffic from. Exactly one of the selector
                           pointers must be set for a given peer. If a consumer observes
                           none of its fields are set, they must assume an unknown
                           option has been specified and fail closed.

config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml

@@ -82,8 +82,8 @@ spec:
                     ports:
                       description: "Ports allows for matching traffic based on port
                         and protocols. This field is a list of destination ports for
-                        the outging egress traffic. If Ports is not set then the rule
-                        does not filter traffic via port. \n Support: Core"
+                        the outgoing egress traffic. If Ports is not set then the
+                        rule does not filter traffic via port. \n Support: Core"
                       items:
                         description: AdminNetworkPolicyPort describes how to select
                           network ports on pod(s). Exactly one field must be set.
@@ -147,16 +147,16 @@ spec:
                       type: array
                     to:
                       description: "To is the List of destinations whose traffic this
-                        rule applies to. If any AdminNetworkPolicyPeer matches the
-                        destination of outgoing traffic then the specified action
+                        rule applies to. If any AdminNetworkPolicyEgressPeer matches
+                        the destination of outgoing traffic then the specified action
                         is applied. This field must be defined and contain at least
                         one item. \n Support: Core"
                       items:
-                        description: AdminNetworkPolicyPeer defines an in-cluster
-                          peer to allow traffic to/from. Exactly one of the selector
-                          pointers must be set for a given peer. If a consumer observes
-                          none of its fields are set, they must assume an unknown
-                          option has been specified and fail closed.
+                        description: AdminNetworkPolicyEgressPeer defines an in-cluster
+                          peer to allow traffic to. Exactly one of the selector pointers
+                          must be set for a given peer. If a consumer observes none
+                          of its fields are set, they must assume an unknown option
+                          has been specified and fail closed.
                         maxProperties: 1
                         minProperties: 1
                         properties:
@@ -380,13 +380,13 @@ spec:
                       type: string
                     from:
                       description: "From is the list of sources whose traffic this
-                        rule applies to. If any AdminNetworkPolicyPeer matches the
-                        source of incoming traffic then the specified action is applied.
-                        This field must be defined and contain at least one item.
-                        \n Support: Core"
+                        rule applies to. If any AdminNetworkPolicyIngressPeer matches
+                        the source of incoming traffic then the specified action is
+                        applied. This field must be defined and contain at least one
+                        item. \n Support: Core"
                       items:
-                        description: AdminNetworkPolicyPeer defines an in-cluster
-                          peer to allow traffic to/from. Exactly one of the selector
+                        description: AdminNetworkPolicyIngressPeer defines an in-cluster
+                          peer to allow traffic from. Exactly one of the selector
                           pointers must be set for a given peer. If a consumer observes
                           none of its fields are set, they must assume an unknown
                           option has been specified and fail closed.