Add support for selecting nodes as egress peers

Some FTR things:

1) As an egress peer a user can selector either namespaces, or pods or nodes.
In a given rule more than 1 type of selection is not allowed.
2) An empty node selector means it selects all nodes in the cluster.
3) nodes can be referred only from egress rule peers, since we only
support northbound use cases.

Signed-off-by: Surya Seetharaman <[email protected]>

Author: tssurya

apis/v1alpha1/shared_types.go

@@ -142,7 +142,7 @@ type AdminNetworkPolicyIngressPeer struct {
 	Pods *NamespacedPodPeer `json:"pods,omitempty"`
 }
 
-// AdminNetworkPolicyEgressPeer defines an in-cluster peer to allow traffic to/from.
+// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to/from.
 // Exactly one of the selector pointers must be set for a given peer. If a
 // consumer observes none of its fields are set, they must assume an unknown
 // option has been specified and fail closed.
@@ -162,6 +162,14 @@ type AdminNetworkPolicyEgressPeer struct {
 	//
 	// +optional
 	Pods *NamespacedPodPeer `json:"pods,omitempty"`
+	// Nodes defines a way to select a set of nodes in
+	// in the cluster. This field follows standard label selector
+	// semantics; if present but empty, it selects all Nodes.
+	//
+	// Support: Core
+	//
+	// +optional
+	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
 }
 
 // NamespacedPeer defines a flexible way to select Namespaces in a cluster.

apis/v1alpha1/zz_generated.deepcopy.go

@@ -156,11 +156,11 @@ spec:
                         is applied. This field must be defined and contain at least
                         one item. \n Support: Core"
                       items:
-                        description: AdminNetworkPolicyEgressPeer defines an in-cluster
-                          peer to allow traffic to/from. Exactly one of the selector
-                          pointers must be set for a given peer. If a consumer observes
-                          none of its fields are set, they must assume an unknown
-                          option has been specified and fail closed.
+                        description: AdminNetworkPolicyEgressPeer defines a peer to
+                          allow traffic to/from. Exactly one of the selector pointers
+                          must be set for a given peer. If a consumer observes none
+                          of its fields are set, they must assume an unknown option
+                          has been specified and fail closed.
                         maxProperties: 1
                         minProperties: 1
                         properties:
@@ -247,6 +247,55 @@ spec:
                                 maxItems: 100
                                 type: array
                             type: object
+                          nodes:
+                            description: "Nodes defines a way to select a set of nodes
+                              in in the cluster. This field follows standard label
+                              selector semantics; if present but empty, it selects
+                              all Nodes. \n Support: Core"
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: A label selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: operator represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: values is an array of string values.
+                                        If the operator is In or NotIn, the values
+                                        array must be non-empty. If the operator is
+                                        Exists or DoesNotExist, the values array must
+                                        be empty. This array is replaced during a
+                                        strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: matchLabels is a map of {key,value} pairs.
+                                  A single {key,value} in the matchLabels map is equivalent
+                                  to an element of matchExpressions, whose key field
+                                  is "key", the operator is "In", and the values array
+                                  contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
                           pods:
                             description: "Pods defines a way to select a set of pods
                               in in a set of namespaces. \n Support: Core"

config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml

@@ -148,11 +148,11 @@ spec:
                         is applied. This field must be defined and contain at least
                         one item. \n Support: Core"
                       items:
-                        description: AdminNetworkPolicyEgressPeer defines an in-cluster
-                          peer to allow traffic to/from. Exactly one of the selector
-                          pointers must be set for a given peer. If a consumer observes
-                          none of its fields are set, they must assume an unknown
-                          option has been specified and fail closed.
+                        description: AdminNetworkPolicyEgressPeer defines a peer to
+                          allow traffic to/from. Exactly one of the selector pointers
+                          must be set for a given peer. If a consumer observes none
+                          of its fields are set, they must assume an unknown option
+                          has been specified and fail closed.
                         maxProperties: 1
                         minProperties: 1
                         properties:
@@ -239,6 +239,55 @@ spec:
                                 maxItems: 100
                                 type: array
                             type: object
+                          nodes:
+                            description: "Nodes defines a way to select a set of nodes
+                              in in the cluster. This field follows standard label
+                              selector semantics; if present but empty, it selects
+                              all Nodes. \n Support: Core"
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: A label selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: operator represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: values is an array of string values.
+                                        If the operator is In or NotIn, the values
+                                        array must be non-empty. If the operator is
+                                        Exists or DoesNotExist, the values array must
+                                        be empty. This array is replaced during a
+                                        strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: matchLabels is a map of {key,value} pairs.
+                                  A single {key,value} in the matchLabels map is equivalent
+                                  to an element of matchExpressions, whose key field
+                                  is "key", the operator is "In", and the values array
+                                  contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
                           pods:
                             description: "Pods defines a way to select a set of pods
                               in in a set of namespaces. \n Support: Core"

config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml

@@ -152,11 +152,11 @@ spec:
                         is applied. This field must be defined and contain at least
                         one item. \n Support: Core"
                       items:
-                        description: AdminNetworkPolicyEgressPeer defines an in-cluster
-                          peer to allow traffic to/from. Exactly one of the selector
-                          pointers must be set for a given peer. If a consumer observes
-                          none of its fields are set, they must assume an unknown
-                          option has been specified and fail closed.
+                        description: AdminNetworkPolicyEgressPeer defines a peer to
+                          allow traffic to/from. Exactly one of the selector pointers
+                          must be set for a given peer. If a consumer observes none
+                          of its fields are set, they must assume an unknown option
+                          has been specified and fail closed.
                         maxProperties: 1
                         minProperties: 1
                         properties:
@@ -218,6 +218,55 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                             type: object
+                          nodes:
+                            description: "Nodes defines a way to select a set of nodes
+                              in in the cluster. This field follows standard label
+                              selector semantics; if present but empty, it selects
+                              all Nodes. \n Support: Core"
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: A label selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: operator represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: values is an array of string values.
+                                        If the operator is In or NotIn, the values
+                                        array must be non-empty. If the operator is
+                                        Exists or DoesNotExist, the values array must
+                                        be empty. This array is replaced during a
+                                        strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: matchLabels is a map of {key,value} pairs.
+                                  A single {key,value} in the matchLabels map is equivalent
+                                  to an element of matchExpressions, whose key field
+                                  is "key", the operator is "In", and the values array
+                                  contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
                           pods:
                             description: "Pods defines a way to select a set of pods
                               in in a set of namespaces. \n Support: Core"

config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml

@@ -144,11 +144,11 @@ spec:
                         is applied. This field must be defined and contain at least
                         one item. \n Support: Core"
                       items:
-                        description: AdminNetworkPolicyEgressPeer defines an in-cluster
-                          peer to allow traffic to/from. Exactly one of the selector
-                          pointers must be set for a given peer. If a consumer observes
-                          none of its fields are set, they must assume an unknown
-                          option has been specified and fail closed.
+                        description: AdminNetworkPolicyEgressPeer defines a peer to
+                          allow traffic to/from. Exactly one of the selector pointers
+                          must be set for a given peer. If a consumer observes none
+                          of its fields are set, they must assume an unknown option
+                          has been specified and fail closed.
                         maxProperties: 1
                         minProperties: 1
                         properties:
@@ -210,6 +210,55 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                             type: object
+                          nodes:
+                            description: "Nodes defines a way to select a set of nodes
+                              in in the cluster. This field follows standard label
+                              selector semantics; if present but empty, it selects
+                              all Nodes. \n Support: Core"
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: A label selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: operator represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: values is an array of string values.
+                                        If the operator is In or NotIn, the values
+                                        array must be non-empty. If the operator is
+                                        Exists or DoesNotExist, the values array must
+                                        be empty. This array is replaced during a
+                                        strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: matchLabels is a map of {key,value} pairs.
+                                  A single {key,value} in the matchLabels map is equivalent
+                                  to an element of matchExpressions, whose key field
+                                  is "key", the operator is "In", and the values array
+                                  contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
                           pods:
                             description: "Pods defines a way to select a set of pods
                               in in a set of namespaces. \n Support: Core"