Add support for selecting external destinations as egress peers

Some FTR things:

    1) As an egress peer a user can selector either namespaces, or pods or
       nodes or externalNetworks.
    In a given rule more than 1 type of selection is not allowed.
    2) An empty externalNetworks selector means it selects all externalNetworkSets in the cluster.
    3) externalNetworks can be set only from to.Peer

Signed-off-by: Surya Seetharaman <[email protected]>

Author: tssurya

apis/v1alpha1/externalnetworkset_types.go

@@ -0,0 +1,66 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// All fields in this package are required unless Explicitly marked optional
+// +kubebuilder:validation:Required
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:shortName=ens,scope=Cluster
+// +kubebuilder:printcolumn:name="Networks",type=string,JSONPath=".spec.networks"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// ExternalNetworkSet is a cluster level resource that is used to define
+// a set of networks outside the cluster which can be referred to from
+// the AdminNetworkPolicy && BaselineAdminNetworkPolicy APIs as an external peer
+type ExternalNetworkSet struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+
+	// Specification of the desired behavior of ExternalNetworkSet.
+	Spec ExternalNetworkSetSpec `json:"spec"`
+}
+
+// ExternalNetworkSetSpec defines the desired state of ExternalNetworkSet.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type ExternalNetworkSetSpec struct {
+	// Networks is the list of NetworkCIDR (both v4 & v6) that can be used to define
+	// external destinations.
+	// A total of 100 CIDRs will be allowed in each NetworkSet instance.
+	// ANP & BANP APIs may use the .spec.in(e)gress.from(to).externalNetworks selector
+	// to select a set of external networks
+	//
+	// Support: Core
+	//
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=100
+	Networks []string `json:"networks,omitempty" validate:"omitempty,dive,cidr"`
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// ExternalNetworkSetList contains a list of ExternalNetworkSet
+type ExternalNetworkSetList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ExternalNetworkSet `json:"items"`
+}

apis/v1alpha1/shared_types.go

@@ -170,6 +170,15 @@ type AdminNetworkPolicyEgressPeer struct {
 	//
 	// +optional
 	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+	// ExternalNetworks defines a way to select ExternalNetworkSets
+	// that consist of network CIDRs that live outside the cluster as a peer.
+	// This field follows standard label selector semantics; if present
+	// but empty, it selects all ExternalNetworkSets defined in the cluster.
+	//
+	// Support: Core
+	//
+	// +optional
+	ExternalNetworks *metav1.LabelSelector `json:"externalNetworks,omitempty"`
 }
 
 // NamespacedPeer defines a flexible way to select Namespaces in a cluster.

apis/v1alpha1/zz_generated.deepcopy.go

@@ -164,6 +164,57 @@ spec:
                         maxProperties: 1
                         minProperties: 1
                         properties:
+                          externalNetworks:
+                            description: "ExternalNetworks defines a way to select
+                              ExternalNetworkSets that consist of network CIDRs that
+                              live outside the cluster as a peer. This field follows
+                              standard label selector semantics; if present but empty,
+                              it selects all ExternalNetworkSets defined in the cluster.
+                              \n Support: Core"
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: A label selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: operator represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: values is an array of string values.
+                                        If the operator is In or NotIn, the values
+                                        array must be non-empty. If the operator is
+                                        Exists or DoesNotExist, the values array must
+                                        be empty. This array is replaced during a
+                                        strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: matchLabels is a map of {key,value} pairs.
+                                  A single {key,value} in the matchLabels map is equivalent
+                                  to an element of matchExpressions, whose key field
+                                  is "key", the operator is "In", and the values array
+                                  contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
                           namespaces:
                             description: "Namespaces defines a way to select a set
                               of Namespaces. \n Support: Core"

apis/v1alpha1/zz_generated.register.go

@@ -156,6 +156,57 @@ spec:
                         maxProperties: 1
                         minProperties: 1
                         properties:
+                          externalNetworks:
+                            description: "ExternalNetworks defines a way to select
+                              ExternalNetworkSets that consist of network CIDRs that
+                              live outside the cluster as a peer. This field follows
+                              standard label selector semantics; if present but empty,
+                              it selects all ExternalNetworkSets defined in the cluster.
+                              \n Support: Core"
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: A label selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: operator represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: values is an array of string values.
+                                        If the operator is In or NotIn, the values
+                                        array must be non-empty. If the operator is
+                                        Exists or DoesNotExist, the values array must
+                                        be empty. This array is replaced during a
+                                        strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: matchLabels is a map of {key,value} pairs.
+                                  A single {key,value} in the matchLabels map is equivalent
+                                  to an element of matchExpressions, whose key field
+                                  is "key", the operator is "In", and the values array
+                                  contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
                           namespaces:
                             description: "Namespaces defines a way to select a set
                               of Namespaces. \n Support: Core"

config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml

@@ -0,0 +1,78 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/135
+    policy.networking.k8s.io/bundle-version: v0.1.1
+    policy.networking.k8s.io/channel: experimental
+  creationTimestamp: null
+  name: externalnetworksets.policy.networking.k8s.io
+spec:
+  group: policy.networking.k8s.io
+  names:
+    kind: ExternalNetworkSet
+    listKind: ExternalNetworkSetList
+    plural: externalnetworksets
+    shortNames:
+    - ens
+    singular: externalnetworkset
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.networks
+      name: Networks
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ExternalNetworkSet is a cluster level resource that is used to
+          define a set of networks outside the cluster which can be referred to from
+          the AdminNetworkPolicy && BaselineAdminNetworkPolicy APIs as an external
+          peer
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Specification of the desired behavior of ExternalNetworkSet.
+            maxProperties: 1
+            minProperties: 1
+            properties:
+              networks:
+                description: "Networks is the list of NetworkCIDR (both v4 & v6) that
+                  can be used to define external destinations. A total of 100 CIDRs
+                  will be allowed in each NetworkSet instance. ANP & BANP APIs may
+                  use the .spec.in(e)gress.from(to).externalNetworks selector to select
+                  a set of external networks \n Support: Core"
+                items:
+                  type: string
+                maxItems: 100
+                minItems: 1
+                type: array
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null